# ADR 010: Crypto Changes ## Context Tendermint is a cryptographic protocol that uses and composes a variety of cryptographic primitives. After nearly 4 years of development, Tendermint has recently undergone multiple security reviews to search for vulnerabilities and to assess the the use and composition of cryptographic primitives. ### Hash Functions Tendermint uses RIPEMD160 universally as a hash function, most notably in its Merkle tree implementation. RIPEMD160 was chosen because it provides the shortest fingerprint that is long enough to be considered secure (ie. birthday bound of 80-bits). It was also developed in the open academic community, unlike NSA-designed algorithms like SHA256. That said, the cryptographic community appears to unanimously agree on the security of SHA256. It has become a universal standard, especially now that SHA1 is broken, being required in TLS connections and having optimized support in hardware. ### Merkle Trees Tendermint uses a simple Merkle tree to compute digests of large structures like transaction batches and even blockchain headers. The Merkle tree length prefixes byte arrays before concatenating and hashing them. It uses RIPEMD160. ### Addresses ED25519 addresses are computed using the RIPEMD160 of the Amino encoding of the public key. RIPEMD160 is generally considered an outdated hash function, and is much slower than more modern functions like SHA256 or Blake2. ### Authenticated Encryption Tendermint P2P connections use authenticated encryption to provide privacy and authentication in the communications. This is done using the simple Station-to-Station protocol with the NaCL Ed25519 library. While there have been no vulnerabilities found in the implementation, there are some concerns: - NaCL uses Salsa20, a not-widely used and relatively out-dated stream cipher that has been obsoleted by ChaCha20 - Connections use RIPEMD160 to compute a value that is used for the encryption nonce with subtle requirements on how it's used ## Decision ### Hash Functions Use the first 20-bytes of the SHA256 hash instead of RIPEMD160 for everything ### Merkle Trees TODO ### Addresses Compute ED25519 addresses as the first 20-bytes of the SHA256 of the raw 32-byte public key ### Authenticated Encryption Make the following changes: - Use xChaCha20 instead of xSalsa20 - https://github.com/tendermint/tendermint/issues/1124 - Use an HKDF instead of RIPEMD160 to compute nonces - https://github.com/tendermint/tendermint/issues/1165 ## Status Implemented ## Consequences ### Positive - More modern and standard cryptographic functions with wider adoption and hardware acceleration ### Negative - Exact authenticated encryption construction isn't already provided in a well-used library ### Neutral ## References