Ethan Buchman
7 years ago
1 changed files with 76 additions and 0 deletions
Split View
Diff Options
+ 76
- 0
docs/architecture/adr-010-crypto-changes.md
View File
| @ -0,0 +1,76 @@ | |||
| # ADR 010: Crypto Changes | |||
| ## Context | |||
| Tendermint is a cryptographic protocol that uses and composes a variety of cryptographic primitives. | |||
| After nearly 4 years of development, Tendermint has recently undergone multiple security reviews to search for vulnerabilities and to assess the the use and composition of cryptographic primitives. | |||
| ### Hash Functions | |||
| Tendermint currently uses RIPEMD160 universally as a hash function, most notably in its Merkle tree implementation. | |||
| RIPEMD160 was chosen because it provides the shortest fingerprint that is long enough to be considered secure (ie. birthday bound of 80-bits). | |||
| It was also developed in the open academic community, unlike NSA-designed algorithms like SHA256. | |||
| That said, the cryptographic community appears to unanimously agree on the security of SHA256. It has become a universal standard, especially now that SHA1 is broken, being required in TLS connections and having optimized support in hardware. | |||
| ### Merkle Trees | |||
| Tendermint uses a simple Merkle tree to compute digests of large structures like transaction batches | |||
| and even blockchain headers. The Merkle tree length prefixes byte arrays before concatenating and hashing them. | |||
| It uses RIPEMD160. | |||
| ### Addresses | |||
| ED25519 addresses are computed using the RIPEMD160 of the Amino encoding of the public key. | |||
| ### Authenticated Encryption | |||
| Tendermint P2P connections use authenticated encryption to provide privacy and authentication in the communications. | |||
| This is done using the simple Station-to-Station protocol with the NaCL Ed25519 library. | |||
| While there have been no vulnerabilities found in the implementation, there are some concerns: | |||
| - NaCL uses Salsa20, a not-widely used and relatively out-dated stream cipher that has been obsoleted by ChaCha20 | |||
| - Connections use RIPEMD160 to compute a value that is used for the encryption nonce with subtle requirements on how it's used | |||
| ## Decision | |||
| ### Hash Functions | |||
| Use the first 20-bytes of the SHA256 hash instead of RIPEMD160 for everything | |||
| ### Merkle Trees | |||
| TODO | |||
| ### Addresses | |||
| Compute ED25519 addresses as the first 20-bytes of the SHA256 of the raw 32-byte public key | |||
| ### Authenticated Encryption | |||
| Make the following changes: | |||
| - Use xChaCha20 instead of xSalsa20 - https://github.com/tendermint/tendermint/issues/1124 | |||
| - Use an HKDF instead of RIPEMD160 to compute nonces - https://github.com/tendermint/tendermint/issues/1165 | |||
| ## Status | |||
| ## Consequences | |||
| ### Positive | |||
| - More modern and standard cryptographic functions with wider adoption and hardware acceleration | |||
| ### Negative | |||
| - Exact authenticated encryption construction isn't already provided in a well-used library | |||
| ### Neutral | |||
| ## References | |||