Skip to content
This repository has been archived by the owner on Feb 23, 2022. It is now read-only.

RFC: adopt zip 215 #144

Merged
merged 9 commits into from
Nov 5, 2020
Merged
Show file tree
Hide file tree
Changes from 7 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions rfc/003-ed25519-verification.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# RFC 003: Ed25519 Verification

## Changelog

- August 21, 2020: initialized

## Author(s)

- Marko (@marbar3778)

## Context

Ed25519 keys are the only supported key types for Tendermint validators currently. Tendermint-Go wraps the ed25519 key implementation from the go standard library. As more clients are implemented to communicate with the canonical Tendermint implementation (Tendermint-Go) different implementations of ed25519 will be used. Due to [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032.html) not guaranteeing implementation compatibility, Tendermint clients must to come to an agreement of how to guarantee implementation compatibility. [Zcash](https://z.cash/) has multiple implementations of their client and have identified this as a problem as well. The team at Zcash has made a proposal to address this issue, [Zcash improvement proposal 215](https://zips.z.cash/zip-0215).

## Proposal

- Tendermint-Go would adopt [hdevalence/ed25519consensus](https://github.com/hdevalence/ed25519consensus).
- This library is implements `ed25519.Verify()` in accordance to zip-215. Tendermint-go will continue to use `crypto/ed25519` for signing and key generation.

- Tendermint-rs would adopt [ed25519-zebra](https://github.com/ZcashFoundation/ed25519-zebra)
- related [issue](https://github.com/informalsystems/tendermint-rs/issues/355)

Signature verification is one of the major bottlenecks of Tendermint-go, batch verification can not be used unless it has the same consensus rules, ZIP 215 makes verification safe in consensus critical areas.

This change constitutes a breaking changes, therefore must be done in a major release. No changes to validator keys or operations will be needed for this change to be enabled.

This change has no impact on signature aggregation. To enable this signature aggregation Tendermint will have to use a different curve i.e [BLS](https://en.wikipedia.org/wiki/Boneh%E2%80%93Lynn%E2%80%93Shacham). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used.
tac0turtle marked this conversation as resolved.
Show resolved Hide resolved

As part of the acceptance of this proposal it would be best to contract or discuss with a third party the process of conducting a security review of the go library.

## Status

Proposed

## Consequences

### Positive

- Consistent signature verification across implementations
- Enable safe batch verification

### Negative

#### Tendermint-Go

- Third_party dependency
- library has not gone through a security review.
- unclear maintenance schedule

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In re: this line and the comment made by @tessr here: #144 (comment) ,

Anything we know about proposed plans regarding the future of this new library (e.g., is Filippo and/or Google going to take it over? I couldn't quite track the conversation here).

as far as I know there are no current plans to upstream the library to Filippo or Google, so definitely don't count on that.

The maintenance aspect of that library is definitely a weak point. I'm not a Go expert and I'm only casually familiar with its ecosystem (e.g., I had no idea how to publish a package and I'm still not sure I did it right), so ideally someone who has those skills could help with that (or take it over).

That said, once the library is complete I think that it should require very little maintenance, because it has a tiny API surface, and it solves a problem with a fixed specification (ZIP215).

What has to happen for it to be complete? Basically there are two changes. First, it should be changed to use https://pkg.go.dev/filippo.io/edwards25519 internally, now that that library exists. Second, I'd like it to support batch verification with an init-update-finalize style API like ed25519-zebra. Currently this isn't scoped out on the repo's roadmap because I've been pretty busy, and I'm not sure when I would have time to make those changes, but I'd be happy to mentor someone else who'd like to have a go at making them.

- Fragmentation of the ed25519 key for the go implementation, verification is done using a third party library while the rest
uses the go standard library

### Neutral

tac0turtle marked this conversation as resolved.
Show resolved Hide resolved
## References

[It’s 255:19AM. Do you know what your validation criteria are?](https://hdevalence.ca/blog/2020-10-04-its-25519am)
2 changes: 2 additions & 0 deletions rfc/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,5 @@ Some RFC's will be presented at a Tendermint Dev Session. If you are an outside
## Table of Contents

[001-block-retention](./001-block-retention.md)
[002-nonzero-genesis](./002-nonzero-genesis.md)
[003-ed25519-verification](./003-ed25519-verification.md)