From d7f4c170379bbd023ff268308c5a4e9ddfcf9d9d Mon Sep 17 00:00:00 2001 From: Marko Baricevic Date: Thu, 20 Aug 2020 12:17:59 +0200 Subject: [PATCH 1/8] initlized rfc 003 for zip 215 --- rfc/003-ed25519-verification.md | 44 +++++++++++++++++++++++++++++++++ rfc/README.md | 2 ++ 2 files changed, 46 insertions(+) create mode 100644 rfc/003-ed25519-verification.md diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md new file mode 100644 index 00000000..e27ec20c --- /dev/null +++ b/rfc/003-ed25519-verification.md @@ -0,0 +1,44 @@ +# RFC 003: Ed25519 Verification + +## Changelog + +- {date}: initialized + +## Author(s) + +- Marko (@marbar3778) + +## Context + +Tendermint uses ed25519 in consensus critical ways. As more clients begin appearing which implement the Tendermint spec (tendermint-rs) an agreement on ed25519 signature verification is needed. + +[RFC 8032](https://www.rfc-editor.org/rfc/rfc8032.html) leaves space for interpretation for signature validity. This becomes a problem when a different implementation is trying to verify a signature then the one that was used to generate it. + +## Proposal + +The [Zcash](https://z.cash/) team has identified this as a problem for their client and have written libraries in various languages to help address this. [Zcash improvement proposal 215](https://zips.z.cash/zip-0215) outlines the specification of the approach for signature validity. ZIP 215 explicitly defines the criteria for signature validation. + +- Tendermint-go would adopt [hdevalence/ed25519consensus](https://github.com/hdevalence/ed25519consensus). +- Tendermint-rs would adopt [ed25519-zebra](https://github.com/ZcashFoundation/ed25519-zebra) + - related [issue](https://github.com/informalsystems/tendermint-rs/issues/355) + +As signature verification is one of the major bottlenecks of Tendermint-go, if ZIP 215 is adopted batch verification of signatures will be safe in consensus critical areas. + +## Status + +Proposed + +## Consequences + +### Positive + +- Batch verification +- Signature verification across implementations + +### Negative + +### Neutral + +## References + +> Are there any relevant PR comments, issues that led up to this, or articles referenced for why we made the given design choice? If so link them here! diff --git a/rfc/README.md b/rfc/README.md index ef91e9d3..9405b3fb 100644 --- a/rfc/README.md +++ b/rfc/README.md @@ -23,3 +23,5 @@ Some RFC's will be presented at a Tendermint Dev Session. If you are an outside ## Table of Contents [001-block-retention](./001-block-retention.md) +[002-nonzero-genesis](./002-nonzero-genesis.md) +[003-ed25519-verification](./003-ed25519-verification.md) From 282e2328158549b3102890324a90b43cc2528f9b Mon Sep 17 00:00:00 2001 From: Marko Baricevic Date: Fri, 21 Aug 2020 13:47:39 +0200 Subject: [PATCH 2/8] reword rfc --- rfc/003-ed25519-verification.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md index e27ec20c..8f2c9b47 100644 --- a/rfc/003-ed25519-verification.md +++ b/rfc/003-ed25519-verification.md @@ -2,7 +2,7 @@ ## Changelog -- {date}: initialized +- August 21, 2020: initialized ## Author(s) @@ -10,15 +10,12 @@ ## Context -Tendermint uses ed25519 in consensus critical ways. As more clients begin appearing which implement the Tendermint spec (tendermint-rs) an agreement on ed25519 signature verification is needed. - -[RFC 8032](https://www.rfc-editor.org/rfc/rfc8032.html) leaves space for interpretation for signature validity. This becomes a problem when a different implementation is trying to verify a signature then the one that was used to generate it. +Ed25519 keys are the only supported key types for Tendermint validators currently. Tendermint-Go wraps the ed25519 key implementation from the go standard library. As more clients are implemented to communicate with the canonical Tendermint implementation (Tendermint-Go) different implementations of ed25519 will be used. Due to [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032.html) not guaranteeing implementation compatibility, Tendermint clients must to come to an agreement of how to guarantee implementation compatibility. [Zcash](https://z.cash/) has multiple implementations of their client and have identified this as a problem as well. The team at Zcash has made a proposal to address this issue, [Zcash improvement proposal 215](https://zips.z.cash/zip-0215). ## Proposal -The [Zcash](https://z.cash/) team has identified this as a problem for their client and have written libraries in various languages to help address this. [Zcash improvement proposal 215](https://zips.z.cash/zip-0215) outlines the specification of the approach for signature validity. ZIP 215 explicitly defines the criteria for signature validation. - -- Tendermint-go would adopt [hdevalence/ed25519consensus](https://github.com/hdevalence/ed25519consensus). +- Tendermint-Go would adopt [hdevalence/ed25519consensus](https://github.com/hdevalence/ed25519consensus). + - This library is implemented as an extension of the go standard library one. - Tendermint-rs would adopt [ed25519-zebra](https://github.com/ZcashFoundation/ed25519-zebra) - related [issue](https://github.com/informalsystems/tendermint-rs/issues/355) From 8dedd0599221d72f632396375a2ffd159fe85408 Mon Sep 17 00:00:00 2001 From: Marko Baricevic Date: Mon, 31 Aug 2020 10:59:42 +0200 Subject: [PATCH 3/8] add negative for go tendermint --- rfc/003-ed25519-verification.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md index 8f2c9b47..f639cdec 100644 --- a/rfc/003-ed25519-verification.md +++ b/rfc/003-ed25519-verification.md @@ -15,9 +15,9 @@ Ed25519 keys are the only supported key types for Tendermint validators currentl ## Proposal - Tendermint-Go would adopt [hdevalence/ed25519consensus](https://github.com/hdevalence/ed25519consensus). - - This library is implemented as an extension of the go standard library one. + - This library is implemented as an extension of the go standard library one. - Tendermint-rs would adopt [ed25519-zebra](https://github.com/ZcashFoundation/ed25519-zebra) - - related [issue](https://github.com/informalsystems/tendermint-rs/issues/355) + - related [issue](https://github.com/informalsystems/tendermint-rs/issues/355) As signature verification is one of the major bottlenecks of Tendermint-go, if ZIP 215 is adopted batch verification of signatures will be safe in consensus critical areas. @@ -34,6 +34,12 @@ Proposed ### Negative +#### Tendermint-Go + +- Additional dependency +- Fragmentation of the ed25519 key for the go implementation, verification is done using a third party library while the rest + uses the go standard library + ### Neutral ## References From 8170d3519a3d66eeb19f34185212f035fefe86ed Mon Sep 17 00:00:00 2001 From: Marko Baricevic Date: Wed, 16 Sep 2020 16:05:12 +0200 Subject: [PATCH 4/8] add more detail on breakingness and what this change enables --- rfc/003-ed25519-verification.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md index f639cdec..cfeb25eb 100644 --- a/rfc/003-ed25519-verification.md +++ b/rfc/003-ed25519-verification.md @@ -21,6 +21,10 @@ Ed25519 keys are the only supported key types for Tendermint validators currentl As signature verification is one of the major bottlenecks of Tendermint-go, if ZIP 215 is adopted batch verification of signatures will be safe in consensus critical areas. +The change has been recommended to be done in a major release. Although it is not a breaking change if this change were to be rolled out in a minor release a node could construct signatures which could only be verified by nodes which have received updates to the verification function. + +This change will have no impact on signature aggregation because to enable this feature Tendermint will have to use a different curve i.e [BLS](https://en.wikipedia.org/wiki/Boneh%E2%80%93Lynn%E2%80%93Shacham). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. + ## Status Proposed @@ -29,14 +33,17 @@ Proposed ### Positive -- Batch verification -- Signature verification across implementations +- Consistent signature verification across implementations + +#### Tendermint-Go + +- Enable safe batch verification ### Negative #### Tendermint-Go -- Additional dependency +- Third_party dependency, the library has not gone through a security review. - Fragmentation of the ed25519 key for the go implementation, verification is done using a third party library while the rest uses the go standard library From b0f659f131763b73ca823d00388856f625defaa9 Mon Sep 17 00:00:00 2001 From: Marko Baricevic Date: Wed, 16 Sep 2020 16:14:23 +0200 Subject: [PATCH 5/8] add proposal for sec review --- rfc/003-ed25519-verification.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md index cfeb25eb..4842375d 100644 --- a/rfc/003-ed25519-verification.md +++ b/rfc/003-ed25519-verification.md @@ -15,16 +15,19 @@ Ed25519 keys are the only supported key types for Tendermint validators currentl ## Proposal - Tendermint-Go would adopt [hdevalence/ed25519consensus](https://github.com/hdevalence/ed25519consensus). - - This library is implemented as an extension of the go standard library one. + - This library is implemented as an extension of the go standard library. + - - Tendermint-rs would adopt [ed25519-zebra](https://github.com/ZcashFoundation/ed25519-zebra) - related [issue](https://github.com/informalsystems/tendermint-rs/issues/355) As signature verification is one of the major bottlenecks of Tendermint-go, if ZIP 215 is adopted batch verification of signatures will be safe in consensus critical areas. -The change has been recommended to be done in a major release. Although it is not a breaking change if this change were to be rolled out in a minor release a node could construct signatures which could only be verified by nodes which have received updates to the verification function. +The change has been recommended to be done in a major release. Although it is not a breaking change if this change were to be rolled out in a minor release a node could construct signatures which could only be verified by nodes which have received updates to the verification function resulting in a possible network halt. This change will have no impact on signature aggregation because to enable this feature Tendermint will have to use a different curve i.e [BLS](https://en.wikipedia.org/wiki/Boneh%E2%80%93Lynn%E2%80%93Shacham). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. +As part of the acceptance of this proposal it would be best to contract or discuss with a third party the process of conducting a security review of the go library. + ## Status Proposed @@ -38,12 +41,15 @@ Proposed #### Tendermint-Go - Enable safe batch verification + - This has not yet been implemented. ### Negative #### Tendermint-Go -- Third_party dependency, the library has not gone through a security review. +- Third_party dependency + - library has not gone through a security review. + - unclear maintenance schedule - Fragmentation of the ed25519 key for the go implementation, verification is done using a third party library while the rest uses the go standard library From 7d96f21d4ecfb3c8e9d96bf403ab1b1649b86d82 Mon Sep 17 00:00:00 2001 From: Marko Baricevic Date: Tue, 20 Oct 2020 14:39:26 +0200 Subject: [PATCH 6/8] address comments --- rfc/003-ed25519-verification.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md index 4842375d..c55d8024 100644 --- a/rfc/003-ed25519-verification.md +++ b/rfc/003-ed25519-verification.md @@ -15,16 +15,16 @@ Ed25519 keys are the only supported key types for Tendermint validators currentl ## Proposal - Tendermint-Go would adopt [hdevalence/ed25519consensus](https://github.com/hdevalence/ed25519consensus). - - This library is implemented as an extension of the go standard library. - - + - This library is implements `ed25519.Verify()` in accordance to zip-215. Tendermint-go will continue to use `crypto/ed25519` for signing and key generation. + - Tendermint-rs would adopt [ed25519-zebra](https://github.com/ZcashFoundation/ed25519-zebra) - related [issue](https://github.com/informalsystems/tendermint-rs/issues/355) -As signature verification is one of the major bottlenecks of Tendermint-go, if ZIP 215 is adopted batch verification of signatures will be safe in consensus critical areas. +Signature verification is one of the major bottlenecks of Tendermint-go, batch verification can not be used unless it has the same consensus rules, ZIP 215 makes verification safe in consensus critical areas. -The change has been recommended to be done in a major release. Although it is not a breaking change if this change were to be rolled out in a minor release a node could construct signatures which could only be verified by nodes which have received updates to the verification function resulting in a possible network halt. +This change constitutes a breaking changes, therefore must be done in a major release. No changes to validator keys or operations will be needed for this change to be enabled. -This change will have no impact on signature aggregation because to enable this feature Tendermint will have to use a different curve i.e [BLS](https://en.wikipedia.org/wiki/Boneh%E2%80%93Lynn%E2%80%93Shacham). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. +This change has no impact on signature aggregation. To enable this signature aggregation Tendermint will have to use a different curve i.e [BLS](https://en.wikipedia.org/wiki/Boneh%E2%80%93Lynn%E2%80%93Shacham). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. As part of the acceptance of this proposal it would be best to contract or discuss with a third party the process of conducting a security review of the go library. @@ -37,11 +37,7 @@ Proposed ### Positive - Consistent signature verification across implementations - -#### Tendermint-Go - - Enable safe batch verification - - This has not yet been implemented. ### Negative @@ -57,4 +53,4 @@ Proposed ## References -> Are there any relevant PR comments, issues that led up to this, or articles referenced for why we made the given design choice? If so link them here! +[It’s 255:19AM. Do you know what your validation criteria are?](https://hdevalence.ca/blog/2020-10-04-its-25519am) From 3c183b2a3eeb03a2a91f3ea10b5ae54b8b9cb227 Mon Sep 17 00:00:00 2001 From: Marko Baricevic Date: Thu, 22 Oct 2020 13:04:08 +0200 Subject: [PATCH 7/8] amend signature aggrgation info --- rfc/003-ed25519-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md index c55d8024..0c66a340 100644 --- a/rfc/003-ed25519-verification.md +++ b/rfc/003-ed25519-verification.md @@ -24,7 +24,7 @@ Signature verification is one of the major bottlenecks of Tendermint-go, batch v This change constitutes a breaking changes, therefore must be done in a major release. No changes to validator keys or operations will be needed for this change to be enabled. -This change has no impact on signature aggregation. To enable this signature aggregation Tendermint will have to use a different curve i.e [BLS](https://en.wikipedia.org/wiki/Boneh%E2%80%93Lynn%E2%80%93Shacham). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. +This change has no impact on signature aggregation. To enable this signature aggregation Tendermint will have to use different keys (sr25519, BLS). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. As part of the acceptance of this proposal it would be best to contract or discuss with a third party the process of conducting a security review of the go library. From df4076d120556c1ab35e3dfd15f3dd39e79a8d49 Mon Sep 17 00:00:00 2001 From: Marko Date: Wed, 4 Nov 2020 11:01:54 +0100 Subject: [PATCH 8/8] Update rfc/003-ed25519-verification.md Co-authored-by: Robert Zaremba --- rfc/003-ed25519-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfc/003-ed25519-verification.md b/rfc/003-ed25519-verification.md index 0c66a340..140717b0 100644 --- a/rfc/003-ed25519-verification.md +++ b/rfc/003-ed25519-verification.md @@ -24,7 +24,7 @@ Signature verification is one of the major bottlenecks of Tendermint-go, batch v This change constitutes a breaking changes, therefore must be done in a major release. No changes to validator keys or operations will be needed for this change to be enabled. -This change has no impact on signature aggregation. To enable this signature aggregation Tendermint will have to use different keys (sr25519, BLS). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. +This change has no impact on signature aggregation. To enable this signature aggregation Tendermint will have to use different signature schema (Schnorr, BLS, ...). Secondly, this change will enable safe batch verification for the Tendermint-Go client. Batch verification for the rust client is already supported in the library being used. As part of the acceptance of this proposal it would be best to contract or discuss with a third party the process of conducting a security review of the go library.