So many things have gone down since this was written

master
Duke Leto 3 years ago
parent
commit
cd472e0136
  1. 20 README.md


@ -182,14 +182,19 @@ in the future, would need to learn about Sietch.
Yes, Sietch can be metadata-attacked itself!
TLDR: Worst case is that an attacker steals wallet.dat files and does an immense amount of work to reduce privacy back to pre-Sietch levels, using the ITM attack.
This research became [Attacking Zcash Protocol For Fun And Profit](https://attackingzcash.com)
At first there was a single Sietch implementation of 200 zaddrs that were fixed. If the wallet.dat owning those zaddrs were stolen, that could be used to delete all the Sietch "privacy dust" from the transaction graph, making the job of blockchain analysts and/or ITM attackers much easier. This theoretical attack is what prompted dynamic Sietch addresses and also a better way of generating zaddrs inside SDL: using BIP39 seed-phrases to generate a single zaddr and then delete the seed phrase. This method leaves no wallet.dat on disk to steal and the private key material for the zaddr only existed in memory a short time.
Currently in production are 200 static zaddrs in `hushd` and 10,000 static (BIP39-derived) zaddrs in `SDL`. The dynamic
Sietch zaddr code for `hushd` is complete and can be [viewed here](https://git.hush.is/hush/hush3/src/branch/master/src/sietch.h).
It's currently being performance tested as it does some exotic things.
At first there was a single Sietch implementation of 200 zaddrs that were fixed. If the wallet.dat owning those zaddrs were stolen, that could be used to delete all the Sietch "privacy dust" from the transaction graph, making the job of blockchain analysts and/or ITM attackers much easier. This theoretical attack is what prompted dynamic Sietch addresses and also a better way of generating zaddrs inside SDL: using [HIP39](https://git.hush.is/hush/hips/src/branch/master/hip-0039.md) seed-phrases to generate a single zaddr and then delete the seed phrase. This method leaves no wallet.dat on disk to steal and the private key material for the zaddr only existed in memory a short time.
There is no wallet.dat to steal to recover data about Sietch zoutputs for 10,000 of the 10,200 zaddrs currently in the combined Sietch zaddr pool, so this attack is no longer viable. Dynamic Sietch zaddrs will make the entire process much more secure by preventing analysts/attackers from even knowing the zaddrs that could potentially be a Sietch output. These dynamic Sietch zaddrs will be generated at run-time and private keys never even written to disk, nor part of the `hdseed` of any wallet.dat in the case of `SDL`.
Additionally, each zaddr is not linkable to each other since they were derived from different seedphrases. SDL uses this method in production currently.
Originally, `hushd` used 200 static zaddrs and SDL 10,000 static (HIP39-derived) zaddrs in `SDL`. hushd generates random public keys to derive each zaddr,
achieving unlinkability while avoiding the added cost of generating seedphrases.
There is no wallet.dat to steal to recover data for most Sietch zoutputs. This leaves a dead-end in blockchain analysis software, that prevents algorithms from being effective.
Dynamic Sietch zaddrs make the entire process much more secure by preventing analysts/attackers from even knowing the zaddrs that could potentially be a Sietch output. These dynamic Sietch zaddrs are generated at run-time and private keys never even written to disk, nor part of the `hdseed` of any wallet.dat in the case of `SDL`.
## Conclusions
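Review bot: the new sentence "Originally, `hushd` used 200 static zaddrs and SDL 10,000 static (HIP39-derived) zaddrs in `SDL`" names SDL twice; suggest "Originally, `hushd` used 200 static zaddrs and `SDL` 10,000 static (HIP39-derived) zaddrs." Two further points in this hunk: the rewritten history paragraph now says "HIP39" where the removed text said "BIP39", so whichever name is correct should be used consistently in the rest of the README; and the claim that "hushd generates random public keys to derive each zaddr" is ambiguous (a zaddr is derived from key material, and a reader cannot tell from this sentence what is randomly generated), so it should either be worded more precisely or point the reader at the `sietch.h` link that the removed lines gave. Finally, the replacement line "There is no wallet.dat to steal to recover data for most Sietch zoutputs" drops the concrete "10,000 of the 10,200" figure the old text stated; keeping a number (updated for the dynamic pools if it has changed) makes the claim verifiable.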
@ -201,4 +206,7 @@ This is why both techniques complement each other and have a greater privacy imp
## Current Implementations
There are currently 4(!) implementations of Sietch in Hush world, 2 inside of `hushd` internals and 2 for `SilentDragonLite` which uses raw transactions and not the RPC interface of `z_sendmany`. Each of the 2 implementations has a static (drawing from a fixed pool of Sietch zaddrs) and a dynamic version (dynamically generating Sietch zaddrs at run-time). Currently the static implementations are in production as of `Hush 3.3.0` and `SilentDragonLite 1.1.3` and dynamic versions are mostly complete and undergoing performance testing.
Dynamic Sietch addresses are in production in both hushd and SDL currently. More blockchain history uses the
new dynamic addresses, so any attacks against the first implementations have been mitigated.
Originally there were 4(!) implementations of Sietch in Hush world, 2 inside of `hushd` internals and 2 for `SilentDragonLite` which uses raw transactions and not the RPC interface of `z_sendmany`. Each of the 2 implementations has a static (drawing from a fixed pool of Sietch zaddrs) and a dynamic version (dynamically generating Sietch zaddrs at run-time). The static implementations went into production as of `Hush 3.3.0` and `SilentDragonLite 1.1.3`
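Review bot: "any attacks against the first implementations have been mitigated" is stronger than what the surrounding text supports; the previous hunk still describes the stolen-wallet.dat attack as able to strip Sietch outputs sent to the original 200 fixed `hushd` zaddrs, and dynamic addresses do not rewrite that earlier chain history. Suggest phrasing it as the text's own justification does, e.g. "as more blockchain history uses the new dynamic addresses, the outputs exposed to attacks on the static pools become a shrinking fraction of the total." Also, the closing sentence "The static implementations went into production as of `Hush 3.3.0` and `SilentDragonLite 1.1.3`" has no terminating period and, unlike the removed text, the hunk no longer says which `hushd` and `SDL` releases shipped the dynamic versions; adding those versions lets a reader check the "in production" claim in the line above.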