hush-v3.tex

% Dedicated to Craig Leto
\documentclass{article}
\RequirePackage{amsmath}
\RequirePackage{bytefield}
\RequirePackage{graphicx}
\RequirePackage{newtxmath}
\RequirePackage{mathtools}
\RequirePackage{xspace}
\RequirePackage{url}
\RequirePackage{changepage}
\RequirePackage{enumitem}
\RequirePackage{tabularx}
\RequirePackage{hhline}
\RequirePackage[usestackEOL]{stackengine}
\RequirePackage{comment}
\RequirePackage{needspace}
\RequirePackage[nobottomtitles]{titlesec}
\RequirePackage[hang]{footmisc}
\RequirePackage{xstring}
\RequirePackage[unicode,bookmarksnumbered,bookmarksopen,pdfview=Fit]{hyperref}
\RequirePackage{cleveref}
\RequirePackage{nameref}

\RequirePackage[style=alphabetic,maxbibnames=99,dateabbrev=false,urldate=iso8601,backref=true,backrefstyle=none,backend=biber]{biblatex}
\addbibresource{hush.bib}

% Fonts
\RequirePackage{lmodern}
\RequirePackage{quattrocento}
\RequirePackage[bb=ams]{mathalfa}

% Quattrocento is beautiful but doesn't have an italic face. So we scale
% New Century Schoolbook italic to fit in with slanted Quattrocento and
% match its x height.
\renewcommand{\emph}[1]{\hspace{0.15em}{\fontfamily{pnc}\selectfont\scalebox{1.02}[0.999]{\textit{#1}}}\hspace{0.02em}}

% While we're at it, let's match the tt x height to Quattrocento as well.
\let\oldtexttt\texttt
\let\oldmathtt\mathtt
\renewcommand{\texttt}[1]{\scalebox{1.02}[1.07]{\oldtexttt{#1}}}
\renewcommand{\mathtt}[1]{\scalebox{1.02}[1.07]{$\oldmathtt{#1}$}}

\newcommand{\zsendmany}{\textbf{z\_sendmany}}

% bold but not extended
\newcommand{\textbnx}[1]{{\fontseries{b}\selectfont #1}}


\crefformat{footnote}{#2\footnotemark[#1]#3}

\DeclareLabelalphaTemplate{
  \labelelement{\field{citekey}}
}

\DefineBibliographyStrings{english}{
  page  = {page},
  pages = {pages},
  backrefpage = {\mbox{$\uparrow$ p\!}},
  backrefpages = {\mbox{$\uparrow$ p\!}}
}

\setlength{\oddsidemargin}{-0.25in}
\setlength{\textwidth}{7in}
\setlength{\topmargin}{-0.75in}
\setlength{\textheight}{9.2in}
\setlength{\parindent}{0ex}
\renewcommand{\arraystretch}{1.4}
\overfullrule=2cm

\setlength{\footnotemargin}{0.6em}
\setlength{\footnotesep}{2ex}
\addtolength{\skip\footins}{3ex}

\renewcommand{\bottomtitlespace}{8ex}

% Use rubber lengths between paragraphs to improve default pagination.
% https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results
\setlength{\parskip}{1.5ex plus 1pt minus 1pt}

\setlist[enumerate]{before=\vspace{-1ex}}
\setlist[itemize]{itemsep=0.5ex,topsep=0.2ex,before=\vspace{-1ex},after=\vspace{1.5ex}}

\newlist{formulae}{itemize}{3}
\setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,after=\vspace{1.5ex}}

\newcommand{\docversion}{Whitepaper Version 1.0}
\newcommand{\termbf}[1]{\textbf{#1}\xspace}
\newcommand{\Hushlist}{\termbf{HushList}}
\newcommand{\HushList}{\termbf{HushList}}
\newcommand{\Hushlists}{\termbf{HushLists}}
\newcommand{\HushLists}{\termbf{HushLists}}

\newcommand{\doctitle}{Hush Version 3}
\newcommand{\leadauthor}{Duke Leto}

\newcommand{\keywords}{anonymity, freedom of speech, cryptographic protocols,\
electronic commerce and payment, financial privacy, proof of work, zero knowledge\
zk-SNARKs, HushList, cryptoconditions, smart contracts, 51\% attack, double spend attack}

\hypersetup{
  pdfborderstyle={/S/U/W 0.7},
  pdfinfo={
    Title={\doctitle, \docversion},
    Author={\leadauthor},
    Keywords={\keywords}
  }
}

\makeatletter
\renewcommand*{\@fnsymbol}[1]{\ensuremath{\ifcase#1\or \dagger\or \ddagger\or
    \mathsection\or \mathparagraph\else\@ctrerr\fi}}
\makeatother

\renewcommand{\sectionautorefname}{\S\!}
\renewcommand{\subsectionautorefname}{\S\!}
\renewcommand{\subsubsectionautorefname}{\S\!}
\renewcommand{\subparagraphautorefname}{\S\!}
\newcommand{\crossref}[1]{\autoref{#1}\, \emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}

\newcommand{\nstrut}[1]{\texorpdfstring{#1\rule[-.2\baselineskip]{0pt}{\baselineskip}}{#1}}
\newcommand{\nsection}[1]{\section{\nstrut{#1}}}
\newcommand{\nsubsection}[1]{\subsection{\nstrut{#1}}}
\newcommand{\nsubsubsection}[1]{\subsubsection{\nstrut{#1}}}

\newcommand{\introlist}{\needspace{15ex}}
\newcommand{\introsection}{\needspace{30ex}}

\mathchardef\mhyphen="2D

% http://tex.stackexchange.com/a/309445/78411
\DeclareFontFamily{U}{FdSymbolA}{}
\DeclareFontShape{U}{FdSymbolA}{m}{n}{
    <-> s*[.4] FdSymbolA-Regular
}{}
\DeclareSymbolFont{fdsymbol}{U}{FdSymbolA}{m}{n}
\DeclareMathSymbol{\smallcirc}{\mathord}{fdsymbol}{"60}

\makeatletter
\newcommand{\hollowcolon}{\mathpalette\hollow@colon\relax}
\newcommand{\hollow@colon}[2]{
  \mspace{0.7mu}
  \vbox{\hbox{$\m@th#1\smallcirc$}\nointerlineskip\kern.45ex \hbox{$\m@th#1\smallcirc$}\kern-.06ex}
  \mspace{1mu}
}
\makeatother
\newcommand{\typecolon}{\;\hollowcolon\;}

% We just want one ampersand symbol from boisik.
\DeclareSymbolFont{bskadd}{U}{bskma}{m}{n}
\DeclareFontFamily{U}{bskma}{\skewchar\font130 }
\DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{}
\DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE}

\newcommand{\hairspace}{~\!}
\newcommand{\hparen}{\hphantom{(}}

\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}


\RequirePackage[usenames,dvipsnames]{xcolor}
% https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips
\newcommand{\todo}[1]{{\color{Sepia}\sf{TODO: #1}}}

\newcommand{\changedcolor}{magenta}
\newcommand{\setchanged}{\color{\changedcolor}}
\newcommand{\changed}[1]{\texorpdfstring{{\setchanged{#1}}}{#1}}

% terminology

\newcommand{\term}[1]{\textsl{#1}\kern 0.05em\xspace}
\newcommand{\titleterm}[1]{#1}
\newcommand{\quotedterm}[1]{``~\!\!\term{#1}''}
\newcommand{\conformance}[1]{\textbnx{#1}\xspace}

\newcommand{\Zcash}{\termbf{Zcash}}
\newcommand{\Hush}{\termbf{Hush}}
\newcommand{\Zerocash}{\termbf{Zerocash}}
\newcommand{\Bitcoin}{\termbf{Bitcoin}}
\newcommand{\CryptoNote}{\termbf{CryptoNote}}
\newcommand{\ZEC}{\termbf{ZEC}}
\newcommand{\ZEN}{\termbf{ZEN}}
\newcommand{\ZCL}{\termbf{ZCL}}
\newcommand{\KMD}{\termbf{KMD}}
\newcommand{\BTCH}{\termbf{BTCH}}
\newcommand{\BTCP}{\termbf{BTCP}}
\newcommand{\ZAU}{\termbf{ZAU}}
\newcommand{\VOT}{\termbf{VOT}}
\newcommand{\BTCZ}{\termbf{BTCZ}}
\newcommand{\LTZ}{\termbf{LTZ}}
\newcommand{\HUSH}{\termbf{HUSH}}
\newcommand{\zatoshi}{\term{zatoshi}}
\newcommand{\puposhi}{\term{puposhi}}
\newcommand{\zcashd}{\textsf{zcashd}\,}
\newcommand{\hushd}{\textsf{hushd}\,}

\newcommand{\MUST}{\conformance{MUST}}
\newcommand{\MUSTNOT}{\conformance{MUST NOT}}
\newcommand{\SHOULD}{\conformance{SHOULD}}
\newcommand{\SHOULDNOT}{\conformance{SHOULD NOT}}
\newcommand{\ALLCAPS}{\conformance{ALL CAPS}}

\newcommand{\note}{\term{note}}
\newcommand{\notes}{\term{notes}}
\newcommand{\Note}{\titleterm{Note}}
\newcommand{\Notes}{\titleterm{Notes}}
\newcommand{\dummy}{\term{dummy}}
\newcommand{\dummyNotes}{\term{dummy notes}}
\newcommand{\DummyNotes}{\titleterm{Dummy Notes}}
\newcommand{\commitmentScheme}{\term{commitment scheme}}
\newcommand{\commitmentTrapdoor}{\term{commitment trapdoor}}
\newcommand{\commitmentTrapdoors}{\term{commitment trapdoors}}
\newcommand{\trapdoor}{\term{trapdoor}}
\newcommand{\noteCommitment}{\term{note commitment}}
\newcommand{\noteCommitments}{\term{note commitments}}
\newcommand{\NoteCommitment}{\titleterm{Note Commitment}}
\newcommand{\NoteCommitments}{\titleterm{Note Commitments}}
\newcommand{\noteCommitmentTree}{\term{note commitment tree}}
\newcommand{\NoteCommitmentTree}{\titleterm{Note Commitment Tree}}
\newcommand{\noteTraceabilitySet}{\term{note traceability set}}
\newcommand{\noteTraceabilitySets}{\term{note traceability sets}}
\newcommand{\joinSplitDescription}{\term{JoinSplit description}}
\newcommand{\joinSplitDescriptions}{\term{JoinSplit descriptions}}
\newcommand{\JoinSplitDescriptions}{\titleterm{JoinSplit Descriptions}}
\newcommand{\sequenceOfJoinSplitDescriptions}{\changed{sequence of} \joinSplitDescription\changed{\term{s}}\xspace}
\newcommand{\joinSplitTransfer}{\term{JoinSplit transfer}}
\newcommand{\joinSplitTransfers}{\term{JoinSplit transfers}}
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}}
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}}
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
\newcommand{\joinSplitSignatures}{\term{JoinSplit signatures}}
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
\newcommand{\joinSplitStatements}{\term{JoinSplit statements}}
\newcommand{\JoinSplitStatement}{\titleterm{JoinSplit Statement}}
\newcommand{\joinSplitProof}{\term{JoinSplit proof}}
\newcommand{\statement}{\term{statement}}
\newcommand{\zeroKnowledgeProof}{\term{zero-knowledge proof}}
\newcommand{\ZeroKnowledgeProofs}{\titleterm{Zero-Knowledge Proofs}}
\newcommand{\provingSystem}{\term{proving system}}
\newcommand{\zeroKnowledgeProvingSystem}{\term{zero-knowledge proving system}}
\newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}}
\newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}}
\newcommand{\provingKey}{\term{proving key}}
\newcommand{\zkProvingKeys}{\term{zero-knowledge proving keys}}
\newcommand{\verifyingKey}{\term{verifying key}}
\newcommand{\zkVerifyingKeys}{\term{zero-knowledge verifying keys}}
\newcommand{\joinSplitParameters}{\term{JoinSplit parameters}}
\newcommand{\JoinSplitParameters}{\titleterm{JoinSplit Parameters}}
\newcommand{\arithmeticCircuit}{\term{arithmetic circuit}}
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}}
\newcommand{\primary}{\term{primary}}
\newcommand{\primaryInput}{\term{primary input}}
\newcommand{\primaryInputs}{\term{primary inputs}}
\newcommand{\auxiliaryInput}{\term{auxiliary input}}
\newcommand{\auxiliaryInputs}{\term{auxiliary inputs}}
\newcommand{\fullnode}{\term{full node}}
\newcommand{\fullnodes}{\term{full nodes}}
\newcommand{\anchor}{\term{anchor}}
\newcommand{\anchors}{\term{anchors}}
\newcommand{\UTXO}{\term{UTXO}}
\newcommand{\UTXOs}{\term{UTXOs}}
\newcommand{\block}{\term{block}}
\newcommand{\blocks}{\term{blocks}}
\newcommand{\header}{\term{header}}
\newcommand{\headers}{\term{headers}}
\newcommand{\blockHeader}{\term{block header}}
\newcommand{\blockHeaders}{\term{block headers}}
\newcommand{\Blockheader}{\term{Block header}}
\newcommand{\BlockHeader}{\titleterm{Block Header}}
\newcommand{\blockVersionNumber}{\term{block version number}}
\newcommand{\blockVersionNumbers}{\term{block version numbers}}
\newcommand{\Blockversions}{\term{Block versions}}
\newcommand{\blockTime}{\term{block time}}
\newcommand{\blockHeight}{\term{block height}}
\newcommand{\blockHeights}{\term{block heights}}
\newcommand{\genesisBlock}{\term{genesis block}}
\newcommand{\transaction}{\term{transaction}}
\newcommand{\transactions}{\term{transactions}}
\newcommand{\Transactions}{\titleterm{Transactions}}
\newcommand{\transactionFee}{\term{transaction fee}}
\newcommand{\transactionFees}{\term{transaction fees}}
\newcommand{\transactionVersionNumber}{\term{transaction version number}}
\newcommand{\transactionVersionNumbers}{\term{transaction version numbers}}
\newcommand{\Transactionversion}{\term{Transaction version}}
\newcommand{\coinbaseTransaction}{\term{coinbase transaction}}
\newcommand{\coinbaseTransactions}{\term{coinbase transactions}}
\newcommand{\CoinbaseTransactions}{\titleterm{Coinbase Transactions}}
\newcommand{\transparent}{\term{transparent}}
\newcommand{\xTransparent}{\term{Transparent}}
\newcommand{\Transparent}{\titleterm{Transparent}}
\newcommand{\transparentValuePool}{\term{transparent value pool}}
\newcommand{\deshielding}{\term{deshielding}}
\newcommand{\shielding}{\term{shielding}}
\newcommand{\shielded}{\term{shielded}}
\newcommand{\shieldedXTN}{\term{shielded} $ t \rightarrow z $ transaction}
\newcommand{\shieldedXTNs}{\term{shielded} $ t \rightarrow z $ transactions}
\newcommand{\shieldedNote}{\term{shielded note}}
\newcommand{\shieldedNotes}{\term{shielded notes}}
\newcommand{\xShielded}{\term{Shielded}}
\newcommand{\Shielded}{\titleterm{Shielded}}
\newcommand{\blockchain}{\term{block chain}}
\newcommand{\blockchains}{\term{block chains}}
\newcommand{\mempool}{\term{mempool}}
\newcommand{\treestate}{\term{treestate}}
\newcommand{\treestates}{\term{treestates}}
\newcommand{\nullifier}{\term{nullifier}}
\newcommand{\nullifiers}{\term{nullifiers}}
\newcommand{\xNullifiers}{\term{Nullifiers}}
\newcommand{\Nullifier}{\titleterm{Nullifier}}
\newcommand{\Nullifiers}{\titleterm{Nullifiers}}
\newcommand{\nullifierSet}{\term{nullifier set}}
\newcommand{\NullifierSet}{\titleterm{Nullifier Set}}
% Daira: This doesn't adequately distinguish between zk stuff and transparent stuff
\newcommand{\paymentAddress}{\term{payment address}}
\newcommand{\paymentAddresses}{\term{payment addresses}}
\newcommand{\viewingKey}{\term{viewing key}}
\newcommand{\viewingKeys}{\term{viewing keys}}
\newcommand{\spendingKey}{\term{spending key}}
\newcommand{\spendingKeys}{\term{spending keys}}
\newcommand{\payingKey}{\term{paying key}}
\newcommand{\transmissionKey}{\term{transmission key}}
\newcommand{\transmissionKeys}{\term{transmission keys}}
\newcommand{\keyTuple}{\term{key tuple}}
\newcommand{\notePlaintext}{\term{note plaintext}}
\newcommand{\notePlaintexts}{\term{note plaintexts}}
\newcommand{\NotePlaintexts}{\titleterm{Note Plaintexts}}
\newcommand{\notesCiphertext}{\term{transmitted notes ciphertext}}
\newcommand{\incrementalMerkleTree}{\term{incremental Merkle tree}}
\newcommand{\merkleRoot}{\term{root}}
\newcommand{\merkleNode}{\term{node}}
\newcommand{\merkleNodes}{\term{nodes}}
\newcommand{\merkleHash}{\term{hash value}}
\newcommand{\merkleHashes}{\term{hash values}}
\newcommand{\merkleLeafNode}{\term{leaf node}}
\newcommand{\merkleLeafNodes}{\term{leaf nodes}}
\newcommand{\merkleInternalNode}{\term{internal node}}
\newcommand{\merkleInternalNodes}{\term{internal nodes}}
\newcommand{\MerkleInternalNodes}{\term{Internal nodes}}
\newcommand{\merklePath}{\term{path}}
\newcommand{\merkleLayer}{\term{layer}}
\newcommand{\merkleLayers}{\term{layers}}
\newcommand{\merkleIndex}{\term{index}}
\newcommand{\merkleIndices}{\term{indices}}
\newcommand{\zkSNARK}{\term{zk-SNARK}}
\newcommand{\zkSNARKs}{\term{zk-SNARKs}}
\newcommand{\libsnark}{\term{libsnark}}
\newcommand{\memo}{\term{memo field}}
\newcommand{\memos}{\term{memo fields}}
\newcommand{\Memos}{\titleterm{Memo Fields}}
\newcommand{\keyAgreementScheme}{\term{key agreement scheme}}
\newcommand{\KeyAgreement}{\titleterm{Key Agreement}}
\newcommand{\keyDerivationFunction}{\term{Key Derivation Function}}
\newcommand{\KeyDerivation}{\titleterm{Key Derivation}}
\newcommand{\encryptionScheme}{\term{encryption scheme}}
\newcommand{\symmetricEncryptionScheme}{\term{authenticated one-time symmetric encryption scheme}}
\newcommand{\SymmetricEncryption}{\titleterm{Authenticated One-Time Symmetric Encryption}}
\newcommand{\signatureScheme}{\term{signature scheme}}
\newcommand{\pseudoRandomFunction}{\term{Pseudo Random Function}}
\newcommand{\pseudoRandomFunctions}{\term{Pseudo Random Functions}}
\newcommand{\PseudoRandomFunctions}{\titleterm{Pseudo Random Functions}}

% conventions
\newcommand{\bytes}[1]{\underline{\raisebox{-0.22ex}{}\smash{#1}}}
\newcommand{\zeros}[1]{[0]^{#1}}
\newcommand{\bit}{\mathbb{B}}
\newcommand{\Nat}{\mathbb{N}}
\newcommand{\PosInt}{\mathbb{N}^+}
\newcommand{\Rat}{\mathbb{Q}}
\newcommand{\typeexp}[2]{{#1}\vphantom{)}^{[{#2}]}}
\newcommand{\bitseq}[1]{\typeexp{\bit}{#1}}
\newcommand{\byteseqs}{\typeexp{\bit}{8\mult\Nat}}
\newcommand{\concatbits}{\mathsf{concat}_\bit}
\newcommand{\listcomp}[1]{[~{#1}~]}
\newcommand{\for}{\text{ for }}
\newcommand{\from}{\text{ from }}
\newcommand{\upto}{\text{ up to }}
\newcommand{\downto}{\text{ down to }}
\newcommand{\squash}{\!\!\!}
\newcommand{\caseif}{\squash\text{if }}
\newcommand{\caseotherwise}{\squash\text{otherwise}}
\newcommand{\sorted}{\mathsf{sorted}}
\newcommand{\length}{\mathsf{length}}
\newcommand{\mean}{\mathsf{mean}}
\newcommand{\median}{\mathsf{median}}
\newcommand{\clamp}[2]{\mathsf{clamp\,}_{#1}^{#2}}
\newcommand{\Lower}{\mathsf{lower}}
\newcommand{\Upper}{\mathsf{upper}}
\newcommand{\bitlength}{\mathsf{bitlength}}
\newcommand{\size}{\mathsf{size}}
\newcommand{\mantissa}{\mathsf{mantissa}}
\newcommand{\ToCompact}{\mathsf{ToCompact}}
\newcommand{\ToTarget}{\mathsf{ToTarget}}
\newcommand{\hexint}[1]{\mathbf{0x{#1}}}
\newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}}
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}}
\newcommand{\Justthebox}[2][-1.3ex]{\;\raisebox{#1}{\usebox{#2}}\;}
\newcommand{\hSigCRH}{\mathsf{hSigCRH}}
\newcommand{\hSigLength}{\mathsf{\ell_{hSig}}}
\newcommand{\hSigType}{\bitseq{\hSigLength}}
\newcommand{\EquihashGen}[1]{\mathsf{EquihashGen}_{#1}}
\newcommand{\CRH}{\mathsf{CRH}}
\newcommand{\CRHbox}[1]{\SHA\left(\Justthebox{#1}\right)}
\newcommand{\SHA}{\mathtt{SHA256Compress}}
\newcommand{\SHAName}{\term{SHA-256 compression}}
\newcommand{\FullHash}{\mathtt{SHA256}}
\newcommand{\FullHashName}{\mathsf{SHA\mhyphen256}}
\newcommand{\Blake}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
\newcommand{\BlakeGeneric}{\mathsf{BLAKE2b}}
\newcommand{\FullHashbox}[1]{\FullHash\left(\Justthebox{#1}\right)}
\newcommand{\setof}[1]{\{{#1}\}}
\newcommand{\range}[2]{\{{#1}\,..\,{#2}\}}
\newcommand{\minimum}{\mathsf{min}}
\newcommand{\maximum}{\mathsf{max}}
\newcommand{\floor}[1]{\mathsf{floor}\!\left({#1}\right)}
\newcommand{\trunc}[1]{\mathsf{trunc}\!\left({#1}\right)}
\newcommand{\ceiling}[1]{\mathsf{ceiling}\left({#1}\right)}
\newcommand{\vsum}[2]{\smashoperator[r]{\sum_{#1}^{#2}}}
\newcommand{\vxor}[2]{\smashoperator[r]{\bigoplus_{#1}^{#2}}}
\newcommand{\xor}{\oplus}
\newcommand{\band}{\binampersand}
\newcommand{\mult}{\cdot}
\newcommand{\rightarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}
\newcommand{\leftarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\leftarrow}

\newcommand{\JoinSplit}{\text{\footnotesize\texttt{JoinSplit}}}

\newcommand{\affiliation}{\hairspace$^\dagger$\;}
\newcommand{\affiliationDuke}{\hairspace$^\ddagger$\;}

\begin{document}

\title{\doctitle \\
\Large \docversion}
\author{
\Large \leadauthor\hairspace\thanks{\;duke@leto.net , duke.leto.net, @dukeleto, 8DFC BF8E 5A4D 8019 , https://keybase.io/dukeleto}
}
\date{\today}
\maketitle

\renewcommand{\abstractname}{}
\vspace{-8ex}
\begin{abstract}
\normalsize \noindent \textbf{Abstract.}

\Hush started as a source code fork of the \Zcash 1.0.8 codebase. Hush was
    originally called "Zdash" and mined a genesis block on Nov 17, 2016.  The
    latest version of \Hush migrates to a new codebase based on Komodo and Zcash
    2.0.x with a new genesis block mined on April 14th 2019, while keeping the
    emission schedule as close as possible to the original intentions. Latest
    details can be found at https://myhush.org .

\begin{quote}
A beginning is the time for taking the most delicate care that the balances are correct.

    -- "Manual of Muad'Dib" by the Princess Irulan
\end{quote}

\vspace{2.5ex}
\noindent \textbf{Keywords:}~ \StrSubstitute[0]{\keywords}{,}{, }.
\end{abstract}

\vspace{-10ex}
\phantomsection
\addcontentsline{toc}{section}{\Large\nstrut{Contents}}

\renewcommand{\contentsname}{}
% http://tex.stackexchange.com/a/182744/78411
\renewcommand{\baselinestretch}{0.85}\normalsize
\tableofcontents
\renewcommand{\baselinestretch}{1.0}\normalsize
\newpage

\nsection{Introduction}
\nsection{Things Staying The Same}

\begin{itemize}
\item 21M total supply
\item Block reward = 12.5 \HUSH
\item Block time = 150 seconds
\item Halving interval = every 210,000 blocks
\item Delayed-Proof-Of-Work
\item EquiHash PoW params (N,K)=(200,9)
\end{itemize}

\nsection{Things Changing}

\begin{itemize}
    \item New Genesis Block
    \item Sprout Disabled
    \item First Sprout-Free Chain, with Only Sapling Shielded Transactions
    \item Replace Zcash (\ZEC) with Komodo (\KMD) as upstream
    \item New main Github repo
    \item Addition of 10\% Founders Reward
    \item Address prefix change (t1,t3 becomes R,b)
    \item RPC port is now 18031
    \item P2P port is now 18030
    \item Enable CryptoConditions (Custom Consensus)
    \item Improved Difficulty Adjustment Algorithm (LWMA-jl777)
    \item Block Size increase to 4MB
    \item Shielding Rule
    \item TLS Support
\end{itemize}

\begin{quote}
    Governments can be useful to the governed only so long as inherent tendencies toward tyranny are restrained.
            - The Stolen Journals
\end{quote}

\nsection{New Genesis Block}

The new \HUSH v3 mainnet genesis block has block hash:

06c3269d065d19960ba2aac92daad182f24961043b8e279a64a3c0298d4bf7ed

and occured at unix Epoch time 1555263294.

Additional useful metadata that can be used to verify you have the correct \HUSH
genesis block:

"nextblockhash": "0a3bcdd57276c1a07aa657992967fb0c64cd12d489bde85223058381cb58d95d"

"anchor": "59d2cde5e65c1414c32ba54f0fe4bdb3d67618125286e6a191317917c812c6d7",

"merkleroot": "e8e1f9136c134cddfc20ae3bcecbd8c28981a1a80f03797e609c4a0ca8f69f95",

"finalsaplingroot": "3e49b5f954aa9d3545bc6c37744661eea48d7c34e3000d82b7f0010c30f4c2fb",

This block can be viewed in a more user-friendly manner at:

https://explorer.myhush.org/block/06c3269d065d19960ba2aac92daad182f24961043b8e279a64a3c0298d4bf7ed

\nsection{First Sprout-Free Sapling Blockchain}

\HUSH is proud to be the very first blockchain to enforce only Sapling
transaction from the very beginning! \HUSH enables Sapling at Block 1, which
means no Sprout UTXOs will ever exist on our new blockchain. This removes any
future risk of Sprout bugs/CVEs and drastically reduces the maintenance cost
going forward, as Sprout code and Sapling code are different codepaths and so
supporting Sprout at least doubles the amount of code to maintain.

No other blockchain has started as a pure Sapling chain, all other existing
\cite{Zcash} source code forks have transitioned from Sprout to Sapling.

Most closely aligned to Hush is our sister coin Pirate (ARRR), which was the
very first coin to disable normal transparent transactions (only coinbase and
notarizations) and was one of the first coins to transition away from Sprout to
Sapling. The decision for \HUSH to disable support for old Sprout coins, after a
certain block height, was inspired by Pirate: https://pirate.black

\nsection{10\% Founders Reward}

\HUSH v3 adds a 10\% Founders Reward, in perpetuity, until block rewards end.
This is approximately 5.5 million blocks or about 30 years.

The Founders Reward is paid out every block in vout[1] to a single address
of type "pubkeyhash":

    RHushEyeDm7XwtaTWtyCbjGQumYyV8vMjn

with scriptPubKey

    76a9145eb10cf64f2bab1b457f1f25e658526155928fac88ac

Initially the Founders Reward is 1.25 \HUSH, starting at Block 129 until the first
halving on the new chain at Block 340000.

In order to help transition, there will be a period of 128 blocks of zero block
reward, which enables the new mainnet to be started just before our snapshot
block, ready for miners to switch over. This also allows mining necessary blocks
to start the chain and dispersing funds without developers unfarily earning many
of the early block rewards. This corresponds to roughly 6hrs but our block times
are not expected to converge to 150 seconds for a few days, so it is a rough
estimate.

\nsection{New Upstream: Komodo}

\HUSH is no longer directly a source code fork of Zcash (\ZEC), it is now a fork
of \cite{Komodo} (\KMD). Since \KMD itself is a fork of \ZEC, this means we gain an
immense amount of code and features, and all the development velocity of jl777.
As an example, during the development of \HUSH v3, over the course of a few weeks,
about 20,000 lines of code was changed in upstream Komodo repo, adding many
features and fixing various bugs.

We expect to see the developement velocity of the \HUSH community greatly
increase, since we will now essentially have jl777 constantly doing low-level
blockchain internals coding, which frees up other developer resources to work
on wallets, explorers, HushList protocol and applications which sit on top
of the RPC interface.

\HUSH v3 is a source code fork of the jl777/komodo git repository and lives at

    https://github.com/MyHush/hush3

As of Block 500,000, the legacy Hush network and codebase is unsupported.  The
network is not being forcibly turned off, those that want are free to use it,
and use any encrypted data they may have in memo fields.

\nsection{CryptoConditions}

CryptoConditions are UTXO-based smart contracts and also an IETF standard:

    https://tools.ietf.org/html/draft-thomas-crypto-conditions-04

Hush will enable the following CryptoConditions initially, and plans to enable
others as time goes on:

\begin{itemize}
    \item Heir - cryptocoin inheritance
    \item Gateway - tokenized representations of foreign blockchain assets
    \item Oracle - bridge off-chain data on-chain
    \item Channel - instant payments in a trustless environment
    \item Faucet - blockchain faucet
\end{itemize}

These features will allow for an entire ecosystem of decentralized applications
(dApps) to be built on top of \HUSH, which integrate with HushList protocol as
well as cross-chain integrations with other Komodo asset chains that have
cryptoconditions enabled.

\nsection{Hush v1-v2 Total Supply Bug}

\begin{quote}
To save one from a mistake is a gift of paradise.
    - Stilgar to Lady Jessica
\end{quote}

The original Hush devs added the original pre-mine in such a way that Hush would
have a supply greater than the intended 21,000,000 after about 30 years. This
fact was discovered in the process of emulating the current Hush supply curve
(halving interval) on our new Komodo-based chain. This bug will be corrected on
our new chain (Hush v3) by ceasing block rewards when total supply hits 21M
coins, as intended.

As a reminder, NONE of the current Hush team received any the original 0.76\%
(160,000 \HUSH) pre-mine. All of the original Hush developers who received the
reward have long since left the project.

The current Hush chain (version 2) will attain a supply of 21,000,000 coins at
Block 5922239 which will have a Block Reward of 0.09765625 \HUSH. This happens
between the 7th and 8th halvings.

But because the original devs of Hush added a pre-mine of 160,000 \HUSH in blocks
1 through 4, the current Hush supply curve will continue past the 21M supply
mark until Block 26039999 when supply is 21159937.4895 \HUSH and the last block
reward of 1 satoshi is awarded just before the 31st halving.

The core issue is that blocks 1 through 4 had a block reward of 40,000 each
instead of 12.5 each in the GetBlockSubsidy() function defined in main.cpp, but
the overall emission schedule was not modified to take this into account.

This mistake would eventually lead to an extra 159,937.4895 \HUSH of total supply
beyond the intended totaly supply of 21M, which would happen after about 30
years, between the 7th and 8th halvings.

This bug in the supply curve of Hush will be fixed during the migration to a
Komodo asset chain, where we can use ac\_end=N to specify a block when block
rewards should cease. This will allow us to enforce the intended 21M total
supply of Hush.

To calculate the value of ac\_end for the new Hush chain:

ac\_end = 5922239 - (number of blocks in old Hush chain) - (zero block reward transition period)
ac\_end = 5922239 - 500000 - 128
ac\_end = 5422111

To clarify, Hush will have a consensus rule that block rewards stop at block
5422111 which will enforce a total supply of 21M coins.

\nsection{New Blockchain Size}

The Hush blockchain will essentially be compressed, down from its current size
of about 3.4GB to a few megabytes. This is related to the fact that there are
about 30,000 unique addresses on the Hush blockchain which contain funds.

This compression will greatly improve the user experience of new Hush users,
which can install and sync a full node in just a few minutes.

\nsection{Delayed Proof-Of-Work}

\begin{quote}
    May thy knife chip and shatter.
        - Fremen saying of ill will against an adversary
\end{quote}

\HUSH will continue to have Delayed Proof-of-Work as protection against 51\%
attacks and double spend attack prevention. No other technology is proven
in production like \cite{DPoW}.

The first DPoW transaction occured at Apr 14, 2019 10:38:10 PM Eastern Time
on the new \HUSH mainnet :

https://explorer.myhush.org/tx/e73105092bbf01694af250f8ef89aa38d955856a5a3496e3336eaca59492b29f

The current implementation of DPoW in Hush v2 was tested in a test attack. A
large amount of hashrate was rented at NiceHash, and a 51\% attack was
attempted, which would re-organized a notarized block. The attack repeatedly
failed and wasted a large amount of BTC of the simulated attacker.

\HUSH v3 will be migrating to the core DPoW implementation of Komodo itself,
instead of relying on the implementation that was ported from Komodo to the
Hush v2 codebase. This further increases \HUSH development velocity and reduces
our maintenance burden to merge upstream code.

\nsection{Cryptopia Attack}

Delayed-Proof-of-Work had been implemented in Hush in early 2018 but took many
months to finish testing and be pushed to mainnet. During this time, an
enterprising attacker probably saw that their window to attack \HUSH was closing.

This attacker performed a series of 51\% and double spend attacks against
Cryptopia, between August 28th and September 21st 2018 It was designed to use
amounts small enough to evade daily limits or fraud detection.

There were dozens of block reorganizations longer than branchLen=2, the largest
being a reorganization of:

\begin{quote}

At Fri, 21 Sep 2018 07:00:50 GMT the 46 block subchain:

00000009abdccd07615216765b17f99fbfc50e4106efe7bee2e4ca22810b0fa3..

000000028afb1daccbd0ac17d8685deeb0d072fdc5d4609209dd68675f873611

was orphaned and replaced by the 45 block subchain:

00000009abdccd07615216765b17f99fbfc50e4106efe7bee2e4ca22810b0fa3..

000000038aadc3d77ae6df320e51168e6215f9abe62b65b51633715f719773bc

\end{quote}

Note that the above block hashes must be looked up on a legacy \HUSH block
explorer such as :

https://explorer.hush.zelcore.io

Additionally, the orphaned blocks will not be in the main chain and only will
exist as an orphaned blocks on nodes which originally saw that invalidated chain.

Via blockchain analysis and detailed transaction logs from Cryptopia, who gave
us details about which addresses the attacker was using, it was determined that
the following addresses are owned by the Cryptopia Double Spend Attacker, with
old \HUSH v2 addresses on the left and new \HUSH v3 addresses on the right.

\begin{quote}

t1bEBr1LdBQtHun7B5L82R65FgpWyyWFx8L = RSdmvBomouuGP9RUc5J2NoJYCRnVqT3j5V

t1KttMaacGw17oFitV448TGfwM2yovm4g6Q = RBJURm3kuS26Gd3C1oE8QyuDreFKpkNT2Z

\end{quote}

The first address owns 651000 \HUSH and the second owns 29279.8 \HUSH on the
legacy \HUSH v2 chain which was not dispersed to the equivalent addresses on the
new \HUSH v3 mainnet. These funds currently remain in the \HUSH Founders Reward
wallet and will be used to reimburse all who were stolen from at Cryptopia,
which will enable \HUSH trading to resume. Any remaining funds will be used for
additional exchange listings.

\nsection{Immutability of \HUSH v2 + v3}

Please note that the immutability of the legacy Hush mainnet or new Hush v3
mainnet was never compromised. The \cite{Bitcoin} Protocol was observed strictly and
Hush did not do what other coins have done in similar situations which is to
actually backdoor the Bitcoin Protocol itself, and make it such that certain
pubkeys can make transactions which they shouldn't, to spend funds which were
lost or stolen, etc. This was deemed unacceptable, for obvious moral, security
and financial reasons.

Instead, we have chosen to keep our original intentions, which is that we do
not believe that forcibly turning off peoples nodes is right. So people on the
legacy Hush chain are free to continue using it. They should note, that the
Sprout Inflation bug is still waiting to be exploited there and that DPoW is no
longer active (the last notarization was Block 501080), so 51\% attackers have a
playground.

Every user of Hush gets to decide if they choose to keep using the v2 or v3
chain and no user is forced to use either. This way embraces decentralization
at the very core, since we do not force our choices upon our users. They
get to decide which chain goes forward.

\nsection{Sprout Inflation Bug Playground}

Let it be known that \HUSH v2 mainnet is considered a Sprout Inflation bug
playground, and there is a bounty of 500 \HUSH for a script which makes it
trivial to exploit the Sprout inflation bug and generate arbitrary amounts
of funds inside of a Sprout zaddr.

Developers and information security researchers are directed here for more
info:

https://github.com/MyHush/hush3/issues/7

\nsection{Dispersing Funds To The New Mainnet: Swapping Airdrop}

This process is sometimes called an "airdrop" because the technical process of
sending funds to addresses is the same, but \HUSH v3 is technically a "coin
swap", since we do not support our legacy chain.

A total of 3127 transactions with "sendmany" were made to complete sending funds
to 31,267 unique addresses which contained funds on the Hush v2 blockchain as
of the snapshot block of 500,000. The average address had about 200 \HUSH while
the median address had 1 \HUSH.

This data was extracted via the "getsnapshot" RPC which I helped write for
Komodo and ported to Hush v2. Additionally I ported the -stopat CLI param
from Komodo to Hush v2, so that the full node could be stopped at an arbitrary
block height while still able to answer RPC requests.

Full data is available here:

https://github.com/MyHush/hush3/blob/duke/contrib/snapshot/snapshot\_500000.json

The actual script used to disperse funds can be found here:

https://github.com/MyHush/hush3/blob/duke/contrib/snapshot/airdrop\_hush3.sh

71326 \HUSH was locked into old Sprout addresses and are stuck on the legacy Hush
chain, no longer in circulating supply.  Due to this fact the new \HUSH v3 was
created with an initial supply of 6178674 \HUSH and not 6250000 HUSH, 21M \HUSH
will never exist on our new chain. The new \HUSH v3 chain will have a max supply
of 20928674 \HUSH. To clarify, 71,326 \HUSH of the total supply of Hush was in
Sprout addresses and will never exist on the current chain, the total supply of
Hush is still 21M, but it's split between two chains.


\nsection{Shielding Rule}

Previously Hush inherited the rule about shielding coinbase before sending to a
transparent address. Now that Hush is based on Komodo, this rule no longer
exists, which means mining pools can send newly mined coinbase funds directly to
pooled miners.

The rule was well-intentioned, but it did not result in real privacy
improvements, since 95\% of all ZEC is still in transparent addresses, and
people move amounts through zaddrs instead of keeping funds in them, in such
a way as to make transactions easy to link.

Hush will take the stance of educating users to the risks of transparent addresses,
constantly, and make shielded operations the default in all GUI wallets.

Additionally, since shielding is so fast now, and various service providers are
now supporting Sapling shielded addresses, we encourage users to hold funds in
Sapling zaddrs by default and only use transparent addresses when necessary,
such as exchanges that only support transparent addresses.

\nsection {Sapling-Enabled HushList}

The HushList protocol whitepaper

https://github.com/leto/hushlist/blob/master/whitepaper/protocol.pdf

describes a protcol which sits on top of the Zcash Protocol, utilizing the memo
field as 512 bytes of encrypted storage in every transaction. At the time, only
Sprout was available and the fact that one shielded transaction could take 45
minutes and gigabytes of RAM, meant HushList protocol was theoretically
interesting but not immediately practical.

Now that Sapling shielded transactions run in seconds with megabytes not
gigabytes of RAM usage, HushList protocol can be upgraded to take advantag of
new Sapling features and actually be implemented by GUI wallets and other
applications.

HushList protocol has immense implications for many people who are persecuted
for their beliefs or their knowledge and many other reasons. It is an immense
upgrade in technology for whistleblowers, allowing for many flexible workflows.

Additionally, \HUSH will be researching how CryptoCondition Smart Contracts can
be integrated with HushList protocol.  The stage has already been set for this
by defining a custom "-ac\_cclib" called "hush3" in our chain paramaters. This
will allow Hush to define custom UTXO smart contracts specific to our chain.

\nsection{Sapling Addresses Vs. Sprout Addresses}

Althought they both start with "z" the similarity between Sprout and Sapling ends
there. An example of a new Sapling address is:

zs1g0v8l777tjcuwp8y2wwve46vfpwp669yhl026jrn2rwl7jdjh3jvgc0503t3cuhj457s5km2k0p

It has a prefix of "zs" instead of "zc" and you will note it contains all
lowercase characters.  Additionally it has characters which are not in Base58,
such as a lower case "l", unlike all transaprent Bitcoin/Zcash addresses and
Sprout shielded addresses.

This is because Sapling addresss are in BECH32 format, and are case insensitive,
so this address is in every way equivalent to the above address:

zs1G0V8L777TJCUWP8Y2WWVE46VFPWP669YHL026JRN2RWL7JDJH3JVGC0503T3CUHJ457S5KM2K0P


\nsection{Future Directions}

The \HUSH team is furiously working on releasing a multi-platform GUI full
node wallet which will support HushList operations such as uploading a
file to the \HUSH blockchain or anonymously post to a HushList.

\HUSH will benefit from all the recent work being done by radix42 on ARMv8
support for Komodo and all asset chains. This will allow Hush to run
full nodes on most modern mobile phones, tablets and embedded devices.
Coupled with a GUI mobile app, this will allow people to have the full
power of a \HUSH full node in their pocket.

Custom \HUSH hardware wallets are also being researched.

Branded \HUSH ASICs is another option that will be pursued if the community shows
interest. Currently HUSH is compatible with all known Zcash ASICs, such as Bitmain
Z9 mini, Z9, Z11 and  Innosilicon A9, A9+ and A9++.

\nsection{Special Thanks}

Special thanks to jl777 and the greater Komodo community for inspiring a new
generation of cypherpunks to innovate outside the constraints of Bitcoin Core
and Zcash Core communities.

Special thanks to radix42, Savior Of The Memo Field, for mentoring me in my
early days as a cryptocoin dev.

Special thanks to Satoshi Nakamoto for starting all this fun.

\nsection{References}

\begingroup
\hfuzz=2pt
\renewcommand{\section}[2]{}
\renewcommand{\emph}[1]{\textit{#1}}
\printbibliography
\endgroup

\end{document}