|
|
|
@ -2,31 +2,37 @@ |
|
|
|
|
|
|
|
## What is Sietch? |
|
|
|
|
|
|
|
Sietch is a new set of RPC functionality and consensus rules related to |
|
|
|
Sietch is the codename for a new set of RPC functionality and consensus rules related to |
|
|
|
using shielded funds. Shielded transaction creation is modified above |
|
|
|
the level of the Zcash Protocol itself, no changes to that |
|
|
|
layer are made. This preserves compatibility with all existing Zcash protocol |
|
|
|
ecosystem software. |
|
|
|
layer are made. Additionally, there are no changes at how the RPC layer |
|
|
|
is used, i.e. Sietch is implemented in hushd internals and existing software |
|
|
|
which uses `hush-cli` and/or the RPC interface are not required to change |
|
|
|
in any way. This preserves compatibility with all existing Zcash protocol |
|
|
|
ecosystem software at a very low level. |
|
|
|
|
|
|
|
Sietch defines certain wallet and transction conditions that must be |
|
|
|
upheld for transactions to be accepted by the network as well as making all clients have |
|
|
|
new default behavior that is more privacy-preserving. |
|
|
|
new default behavior that is more privacy-preserving. This involves both |
|
|
|
new wallet behavior that is non-consensus and also new consensus rules. |
|
|
|
|
|
|
|
Sietch does not modify anything about Zcash internals such as zk-SNARKs, |
|
|
|
cryptographic primitives or changing any of the deep math involved, such |
|
|
|
as Elliptic Curves parameters or other deep cryptographic machinery. |
|
|
|
cryptographic primitives or changing any of the deep zero knowledge math involved, such |
|
|
|
as Elliptic Curves parameters or other cryptographic machinery. |
|
|
|
|
|
|
|
Any Zcash Protocol coin could adopt this "upgrade" to plain Zcash Protocol, |
|
|
|
Any Zcash Protocol coin could adopt this "upgrade" to Sietch-enabled Hush Protocol, |
|
|
|
though it should be noted that Hush was the first pure Sapling Zcash Protocol |
|
|
|
coin and so our implementation ignores Sprout JoinSplits, since we thankfully |
|
|
|
have none on our v3 mainnet. Supporting Sprout would not be complex and is |
|
|
|
left as an exercise to the interested privacy coin. |
|
|
|
coin and so our implementation ignores Sprout zaddrs. This is because we thankfully |
|
|
|
have no Sprout zaddrs or transactions on our v3 mainnet. |
|
|
|
Sietch is compatible with older sprout zaddrs and supporting |
|
|
|
it is left as an exercise to the interested privacy coin. |
|
|
|
|
|
|
|
## How is Sietch implemented? |
|
|
|
|
|
|
|
Sietch is written in C++ and mostly lives inside the hushd full node, which means |
|
|
|
all GUI wallets can benefit from it. Some features in the future |
|
|
|
may b implemented at the GUI wallet level. The goal is that the user does not need |
|
|
|
Sietch is written in C++ and inside the hushd full node code, which means |
|
|
|
all existing code that interacts with hush can benefit *with no changes*. |
|
|
|
Some optional/advanced features in the future |
|
|
|
may be implemented at the GUI wallet level. The goal is that the user does not need |
|
|
|
to think or do anything different, to have more privacy when |
|
|
|
making transactions. |
|
|
|
|
|
|
|
@ -37,7 +43,8 @@ transaction as they always have, via the same exact RPC methods and parameters. |
|
|
|
From the perspective of the average GUI wallet user, It Just Works. |
|
|
|
There are no additional mandatory steps for the user when sending |
|
|
|
each transaction. No mandatory wallet maintenance will be needed |
|
|
|
to keep their privacy. The same goes for exchanges, mining pools and all Hush users. |
|
|
|
to keep their privacy. No confusing options to "get right" on each transaction. |
|
|
|
The same goes for exchanges, mining pools and all Hush users. |
|
|
|
No changes at all are required by end users to enable Sietch, other than upgrading |
|
|
|
to compatible Hush software. |
|
|
|
|
|
|
|
@ -47,7 +54,12 @@ Hush is dedicated to all future privacy features being defaulted to ON instead |
|
|
|
of asking our users to opt-in to privacy, which we know is a fools errand. |
|
|
|
|
|
|
|
Users will not have to opt-in to Sietch and there will be no way to turn off |
|
|
|
the functionality. |
|
|
|
the functionality. Additionally, Sietch will be enabled on mainet as an opt-in feature |
|
|
|
at first, as a first wave of adoption and for testing. When all Hush users have updated |
|
|
|
to software with Sietch-enabled Hush protocol, a new consensus rule will go into effect |
|
|
|
which will prevent older non-Sietch clients. Additionally, Hush will increase it's |
|
|
|
PROTOCOL\_VERSION with the Sietch feature, which will also allow Sietch-enabled Hush nodes |
|
|
|
to effeciently block potentially malicious non-Sietch hushd clients at the p2p level. |
|
|
|
|
|
|
|
## What are the goals of Sietch? |
|
|
|
|
|
|
|
@ -55,9 +67,10 @@ the functionality. |
|
|
|
* Allow people to make zaddr xtns safely/privately without thinking about |
|
|
|
metadata leakage or advanced techniques |
|
|
|
* Prevent average users from making some blockchain operations which give out too much metadata |
|
|
|
* Break some assumptions which many blockchain analyst software uses |
|
|
|
* Break assumptions in blockchain analyst software |
|
|
|
* Require blockchain analysts to write new software |
|
|
|
* Increase the privacy of all funds in the shielded pool |
|
|
|
* Increase computational cost of current blockchain analysis |
|
|
|
* Increase the privacy of all funds in the Hush shielded pool |
|
|
|
* Introduce non-determinism to counter ITM/Metaverse style metadata attacks |
|
|
|
|
|
|
|
## What are the limitations/downsides of Sietch? |
|
|
|
@ -123,7 +136,10 @@ extremely expensive. It limits it to searching for linkability metadata in only |
|
|
|
additional supporting metadata, effectively raising the bar for attack and removing many potential attackers |
|
|
|
who do not have sufficient resources. In pre-Sietch code, the ITM attack can potentially research very long chains, |
|
|
|
dozens, hundreds and perhaps thousands of transactions in length, with commodity hardware. |
|
|
|
Sietch exponenentially increases the cost of doing this, in RAM, CPU and running-time. |
|
|
|
Sietch exponenentially increases the cost of doing this, in RAM, CPU and running-time. Either an attacker would |
|
|
|
need botnet or supercomputer-level resources to attack the same length chains as pre-Sietch code, or more likely, |
|
|
|
de-anonymizing attackers will focus on studying short linkability chains with a lot of additional metadata from |
|
|
|
timing analysis, amount analysis and potentially passive or active dust attacks. |
|
|
|
|
|
|
|
|
|
|
|
### Non-determinism |
|
|
|
@ -131,6 +147,6 @@ Sietch exponenentially increases the cost of doing this, in RAM, CPU and running |
|
|
|
|
|
|
|
Combinatorial explosion can only protect us so much. It is only one layer of defense. |
|
|
|
|
|
|
|
When adding zutxos, to break the ITM/Metaverse metadata attacks at a deep level, we much break a deep assumption |
|
|
|
When adding zutxos, to break the ITM/Metaverse metadata attacks at a deep level, we must break a deep assumption |
|
|
|
that is baked deep into Bitcoin: determinism. |
|
|
|
|
|
|
|
|
