# ADR 010: Crypto Changes

## Context

Tendermint is a cryptographic protocol that uses and composes a variety of cryptographic primitives.

After nearly 4 years of development, Tendermint has recently undergone multiple security reviews to search for vulnerabilities and to assess the use and composition of cryptographic primitives.

### Hash Functions

Tendermint uses RIPEMD160 universally as a hash function, most notably in its Merkle tree implementation.

RIPEMD160 was chosen because it provides the shortest fingerprint that is long enough to be considered secure (i.e. a birthday bound of 80 bits).
It was also developed in the open academic community, unlike NSA-designed algorithms like SHA256.

That said, the cryptographic community appears to unanimously agree on the security of SHA256. It has become a universal standard, especially now that SHA1 is broken, being required in TLS connections and having optimized support in hardware.

### Merkle Trees

Tendermint uses a simple Merkle tree to compute digests of large structures like transaction batches and even blockchain headers. The Merkle tree length-prefixes byte arrays before concatenating and hashing them. It uses RIPEMD160.

### Addresses

ED25519 addresses are computed using the RIPEMD160 of the Amino encoding of the public key.

RIPEMD160 is generally considered an outdated hash function, and is much slower than more modern functions like SHA256 or Blake2.

### Authenticated Encryption

Tendermint P2P connections use authenticated encryption to provide privacy and authentication in the communications.
This is done using the simple Station-to-Station protocol with the NaCl Ed25519 library.

While there have been no vulnerabilities found in the implementation, there are some concerns:

- NaCl uses Salsa20, a not widely used and relatively outdated stream cipher that has been obsoleted by ChaCha20
- Connections use RIPEMD160 to compute a value that is used for the encryption nonce, with subtle requirements on how it's used

## Decision

### Hash Functions

Use the first 20 bytes of the SHA256 hash instead of RIPEMD160 for everything.

### Merkle Trees

TODO

### Addresses

Compute ED25519 addresses as the first 20 bytes of the SHA256 of the raw 32-byte public key.
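The address decision above and the length-prefixed Merkle hashing described under Context, carried through in Go as an added example (this is not Tendermint's own code). The uvarint encoding of the length prefix and the left/right split of the tree are this example's assumptions; the ADR does not fix either.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Address follows the ADR decision: first 20 bytes of SHA256 over the raw
// 32-byte Ed25519 public key (no Amino wrapper, no RIPEMD160).
func Address(pub []byte) ([]byte, error) {
	if len(pub) != 32 {
		return nil, fmt.Errorf("ed25519 public key must be 32 bytes, got %d", len(pub))
	}
	sum := sha256.Sum256(pub)
	return sum[:20], nil
}

// lengthPrefix prepends the byte length as a uvarint (the encoding is an
// assumption of this example; the ADR only says items are length-prefixed).
func lengthPrefix(b []byte) []byte {
	var buf [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(buf[:], uint64(len(b)))
	return append(buf[:n], b...)
}

// SimpleRoot builds a simple Merkle root with SHA256: each leaf is hashed
// length-prefixed, and inner nodes hash the prefixed left and right children.
func SimpleRoot(items [][]byte) []byte {
	switch len(items) {
	case 0:
		return nil
	case 1:
		h := sha256.Sum256(lengthPrefix(items[0]))
		return h[:]
	}
	mid := (len(items) + 1) / 2
	left, right := SimpleRoot(items[:mid]), SimpleRoot(items[mid:])
	h := sha256.Sum256(append(lengthPrefix(left), lengthPrefix(right)...))
	return h[:]
}

func main() {
	var pub [32]byte // constructed key: zeros plus a marker byte, not a real key
	pub[31] = 0x01
	addr, _ := Address(pub[:])
	fmt.Printf("address: %x\n", addr)
	// The prefix is what keeps ["ab","c"] and ["a","bc"] from sharing a root.
	a, b := SimpleRoot([][]byte{[]byte("ab"), []byte("c")}), SimpleRoot([][]byte{[]byte("a"), []byte("bc")})
	fmt.Println("roots differ:", string(a) != string(b))
}
```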
### Authenticated Encryption

Make the following changes:

- Use xChaCha20 instead of xSalsa20 - https://github.com/tendermint/tendermint/issues/1124
- Use an HKDF instead of RIPEMD160 to compute nonces - https://github.com/tendermint/tendermint/issues/1165

## Status

## Consequences

### Positive

- More modern and standard cryptographic functions with wider adoption and hardware acceleration

### Negative

- The exact authenticated encryption construction isn't already provided in a well-used library

### Neutral

## References