@leto
Last active May 17, 2020 12:17
Hush Sapling Consolidation Changes

Hush Sapling Consolidation

This describes how Hush Sapling consolidation differs from the original implementation by CryptoForge of ZER.

  • fee=0 is not used unconditionally; it is only used when it is required, such as when consolidating zutxos worth less than 1 txfee
    • Hush uses the heuristic "if the zutxo is less than 1 default txfee, use fee=0" very strategically, because it makes all zutxos under 1 tx fee look similar.
    • If instead we did "use a fee just small enough", that would leak more metadata
    • After extensive research into all the options, the above seems to leak the least metadata on the chain as a whole
    • It does leak metadata in that you can identify fee=0 transactions as being likely to be "dust" being consolidated
    • Since this value metadata leakage is about dust, it seems to be optimizing for least valuable metadata leakage
    • The alternative of not being able to do active zutxo merging because the fee leaks a bit of metadata seems worse to me, because then the node is opened up to large classes of other attacks.
  • the schedule of how often consolidations happen was changed to a randomly chosen value between 5 and 10 blocks
  • the maximum input arity a ztx can have is 8 in Hush, to create a situation where we can say that our anonset can only increase or stay the same
  • the original value of 45 leaks too much info given new data on input/output arity attacks
  • Sietch was added to sapcon so consolidations do not concentrate all value metadata into one zutxo, they spread it into 8
  • This makes most Hush Sapling Consolidations look just like a normal Hush tx of a person spending a few inputs
  • some rare exceptions get caught and handled better, related to invalid transactions
    • The original implementation has a small bug: if the consolidation tx is built incorrectly, it is still possible that it is added to the wallet and then rejected by the mempool, creating an inconsistent wallet.dat
  • a lot more logging
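
The fee argument in the list above can be checked with a small model. This is an added example, not code from Hush or from the original ZER implementation: it batches constructed dust values into transactions of at most 8 inputs and compares the publicly visible fee under the page's fee=0 heuristic against a hypothetical "fee just small enough" policy. The fee amount, the dust values, the alternative policy's exact form and applying the heuristic to the batch total are all assumptions.

```python
import secrets
from collections import Counter

# Assumptions for this sketch (not taken from the Hush source tree):
DEFAULT_FEE = 10_000      # constructed "1 default txfee", in smallest units
MAX_INPUTS = 8            # input arity cap stated on this page
MIN_GAP, MAX_GAP = 5, 10  # consolidation interval in blocks, per this page

def hush_fee(total):
    """Page heuristic (applied to the batch total, an assumption):
    value under 1 default txfee pays fee=0."""
    return 0 if total < DEFAULT_FEE else DEFAULT_FEE

def tight_fee(total):
    """Hypothetical 'fee just small enough': largest fee leaving 1 unit."""
    return min(DEFAULT_FEE, total - 1)

def batches(notes):
    """Split zutxo values into consolidation txs of at most MAX_INPUTS."""
    return [notes[i:i + MAX_INPUTS] for i in range(0, len(notes), MAX_INPUTS)]

def visible_fees(notes, policy):
    """The fee is public even on a shielded tx; count txs per observed fee."""
    return Counter(policy(sum(b)) for b in batches(notes))

def next_gap():
    """Random number of blocks until the next consolidation run."""
    return MIN_GAP + secrets.randbelow(MAX_GAP - MIN_GAP + 1)

# Constructed wallet: 24 dust notes, so three 8-input transactions.
DUST = [120, 75, 300, 40, 900, 15, 60, 210,
        33, 480, 5, 700, 95, 150, 20, 1000,
        250, 8, 640, 55, 310, 45, 12, 870]

if __name__ == "__main__":
    # One shared fee bucket: an observer learns only "this is dust".
    print("hush :", dict(visible_fees(DUST, hush_fee)))
    # One bucket per tx: each fee reveals that batch's total value.
    print("tight:", dict(visible_fees(DUST, tight_fee)))
    print("next run in", next_gap(), "blocks")
```

Under the fee=0 heuristic all three transactions land in a single fee bucket, while the tight policy gives each transaction a unique fee from which its input total can be read directly.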

One final note: Sapling Consolidation is very healthy for a chain if implemented as above. It protects against many active dust attacks, keeps wallets small and fast, and makes wallet.dat backups take up less space.

The experience of Hush is that we see about an 80% size reduction in wallet.dat for consolidation=1, and deletetx=1 adds about another 10% of savings. Both together can reduce the size of wallet.dat by 90%!

All Hush exchanges are instructed to use Sapling Consolidation, as well as mining pools, and we have not had any bugs reported yet. I will say that it took me many months to understand Forge's code, but when I finally did, it's a lovely design. It does a lot of things itself, which is why it is so efficient.
