zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7085 Commits
183 Branches
291 MiB
Tree: f2351dc758
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f2351dc758'
${ noResults }
tendermint/docs/architecture/adr-010-crypto-changes.md

75 lines
2.7 KiB
Raw Normal View History

adr-010-crypto-changes
7 years ago
fixes from review
6 years ago
adr-010-crypto-changes
7 years ago
fixes from review
6 years ago
adr-010-crypto-changes
7 years ago
 
  1. # ADR 010: Crypto Changes

  2. 

  3. ## Context

  4. 

  5. Tendermint is a cryptographic protocol that uses and composes a variety of cryptographic primitives.
  6. 

  7. After nearly 4 years of development, Tendermint has recently undergone multiple security reviews to search for vulnerabilities and to assess the the use and composition of cryptographic primitives.
  8. 

  9. ### Hash Functions

  10. 

  11. Tendermint uses RIPEMD160 universally as a hash function, most notably in its Merkle tree implementation.
  12. 

  13. RIPEMD160 was chosen because it provides the shortest fingerprint that is long enough to be considered secure (ie. birthday bound of 80-bits).
  14. It was also developed in the open academic community, unlike NSA-designed algorithms like SHA256.
  15. 

  16. That said, the cryptographic community appears to unanimously agree on the security of SHA256. It has become a universal standard, especially now that SHA1 is broken, being required in TLS connections and having optimized support in hardware.
  17. 

  18. ### Merkle Trees

  19. 

  20. Tendermint uses a simple Merkle tree to compute digests of large structures like transaction batches
  21. and even blockchain headers. The Merkle tree length prefixes byte arrays before concatenating and hashing them.
  22. It uses RIPEMD160.
  23. 

  24. ### Addresses

  25. 

  26. ED25519 addresses are computed using the RIPEMD160 of the Amino encoding of the public key.
  27. RIPEMD160 is generally considered an outdated hash function, and is much slower
  28. than more modern functions like SHA256 or Blake2.
  29. 

  30. ### Authenticated Encryption

  31. 

  32. Tendermint P2P connections use authenticated encryption to provide privacy and authentication in the communications.
  33. This is done using the simple Station-to-Station protocol with the NaCL Ed25519 library.
  34. 

  35. While there have been no vulnerabilities found in the implementation, there are some concerns:
  36. 

  37. - NaCL uses Salsa20, a not-widely used and relatively out-dated stream cipher that has been obsoleted by ChaCha20
  38. - Connections use RIPEMD160 to compute a value that is used for the encryption nonce with subtle requirements on how it's used
  39. 

  40. ## Decision

  41. 

  42. ### Hash Functions

  43. 

  44. Use the first 20-bytes of the SHA256 hash instead of RIPEMD160 for everything
  45. 

  46. ### Merkle Trees

  47. 

  48. TODO
  49. 

  50. ### Addresses

  51. 

  52. Compute ED25519 addresses as the first 20-bytes of the SHA256 of the raw 32-byte public key
  53. 

  54. ### Authenticated Encryption

  55. 

  56. Make the following changes:
  57. 

  58. - Use xChaCha20 instead of xSalsa20 - https://github.com/tendermint/tendermint/issues/1124
  59. - Use an HKDF instead of RIPEMD160 to compute nonces - https://github.com/tendermint/tendermint/issues/1165
  60. 

  61. ## Status

  62. 

  63. ## Consequences

  64. 

  65. ### Positive

  66. 

  67. - More modern and standard cryptographic functions with wider adoption and hardware acceleration
  68. 

  69. ### Negative

  70. 

  71. - Exact authenticated encryption construction isn't already provided in a well-used library
  72. 

  73. ### Neutral

  74. 

  75. ## References