github.com/pokt-network/tendermint@v0.32.11-0.20230426215212-59310158d3e9/docs/architecture/adr-010-crypto-changes.md

# ADR 010: Crypto Changes

## Context

Tendermint is a cryptographic protocol that uses and composes a variety of cryptographic primitives.

After nearly 4 years of development, Tendermint has recently undergone multiple security reviews to search for vulnerabilities and to assess the use and composition of cryptographic primitives.

### Hash Functions

Tendermint uses RIPEMD160 universally as a hash function, most notably in its Merkle tree implementation.

RIPEMD160 was chosen because it provides the shortest fingerprint that is long enough to be considered secure (i.e. a birthday bound of 80 bits).
It was also developed in the open academic community, unlike NSA-designed algorithms like SHA256.

That said, the cryptographic community appears to unanimously agree on the security of SHA256. It has become a universal standard, especially now that SHA1 is broken: it is required in TLS connections and has optimized support in hardware.

### Merkle Trees

Tendermint uses a simple Merkle tree to compute digests of large structures like transaction batches
and even blockchain headers. The Merkle tree length-prefixes byte arrays before concatenating and hashing them.
It uses RIPEMD160.

### Addresses

ED25519 addresses are computed using the RIPEMD160 of the Amino encoding of the public key.
RIPEMD160 is generally considered an outdated hash function, and is much slower
than more modern functions like SHA256 or Blake2.

### Authenticated Encryption

Tendermint P2P connections use authenticated encryption to provide privacy and authentication in the communications.
This is done using the simple Station-to-Station protocol with the NaCL Ed25519 library.

While there have been no vulnerabilities found in the implementation, there are some concerns:

- NaCL uses Salsa20, a not widely used and relatively outdated stream cipher that has been obsoleted by ChaCha20
- Connections use RIPEMD160 to compute a value that is used as the encryption nonce, which has subtle requirements on how it is used

## Decision

### Hash Functions

Use the first 20 bytes of the SHA256 hash instead of RIPEMD160 for everything

### Merkle Trees

TODO

### Addresses

Compute ED25519 addresses as the first 20 bytes of the SHA256 of the raw 32-byte public key
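
The two hash decisions above (truncated SHA256 everywhere, and addresses from the raw 32-byte key) as a Go example added here; this is not the ADR's or Tendermint's own code, and the function names and the sample key are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AddressLen keeps the 20-byte (160-bit) fingerprint size that RIPEMD160 gave;
// only the hash function behind it changes.
const AddressLen = 20

// TruncatedSHA256 is the "first 20 bytes of SHA256 instead of RIPEMD160" rule.
func TruncatedSHA256(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:AddressLen]
}

// AddressFromPubKey derives an ED25519 address from the raw 32-byte public key,
// with no Amino prefix. The length check makes sure a prefixed or truncated key
// cannot quietly hash to a valid-looking address under the new rule.
func AddressFromPubKey(pub []byte) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("ed25519 public key must be exactly 32 raw bytes")
	}
	return TruncatedSHA256(pub), nil
}

func main() {
	// Constructed sample key (not a real validator key): bytes 0x00..0x1f.
	pub := make([]byte, ed25519.PublicKeySize)
	for i := range pub {
		pub[i] = byte(i)
	}
	addr, err := AddressFromPubKey(pub)
	if err != nil {
		panic(err)
	}
	fmt.Println("address:", hex.EncodeToString(addr))

	// A 33-byte input (e.g. a key with a 1-byte encoding prefix) is rejected.
	if _, err := AddressFromPubKey(append([]byte{0x00}, pub...)); err != nil {
		fmt.Println("prefixed key rejected:", err)
	}
}
```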

### Authenticated Encryption

Make the following changes:

- Use xChaCha20 instead of xSalsa20 - https://github.com/tendermint/tendermint/issues/1124
- Use an HKDF instead of RIPEMD160 to compute nonces - https://github.com/tendermint/tendermint/issues/1165

## Status

## Consequences

### Positive

- More modern and standard cryptographic functions with wider adoption and hardware acceleration

### Negative

- Exact authenticated encryption construction isn't already provided in a well-used library

### Neutral

## References