Decide what to do with ed25519 in SDK #8543
Replies: 11 comments 45 replies
-
For the record: I already expressed in other places. Instead it's more interesting to use |
Beta Was this translation helpful? Give feedback.
-
cc: @marbar3778 , @aaronc , @ethanfrey , |
Beta Was this translation helpful? Give feedback.
-
I had proposed what I thought was a simple solution which is basically:
Is that not acceptable? |
Beta Was this translation helpful? Give feedback.
-
People here, what do you think - how important it is to adding |
Beta Was this translation helpful? Give feedback.
-
I also think ed25519 is a bad choice for user signatures. |
Beta Was this translation helpful? Give feedback.
-
To resolve this discussion, I propose: Let's implement an |
Beta Was this translation helpful? Give feedback.
-
I think before promoting Ed25519, there needs to be an officially supported HD derivation strategy. There are multiple options out there but none seems to be fully convincing. SLIP-0010 seems to be a safe bet, but only supports hardened derivation. Cardano developed their own algorithm, a few other have been proven to be insecure. But I think a user should know that when exporting their secret recovery phrase from one client and importing it to another one, funds are accessible. |
Beta Was this translation helpful? Give feedback.
-
This seems to be a dead topic, yet I wanted to ask what'd it take to revive it/get it eligible for review. The benefit of Ed25519, beyond the raw performance, is sane multisig. This enables everything from custody solutions to atomic swaps with no additional code or trust assumptions (assuming the chain being swapped with has the necessary primitives, as Bitcoin/Ethereum do). It seems the discussion may have stalled on HDKD discussions? I'm not entirely sure why that's needed. Personally, I see the benefit of EdDSA, beyond the raw performance, being in higher level protocols, not user-land (though sure, performance is always nice). It also sounds like there's legacy code which is annoying. I ask the fault of legacy not prevent the progress here. The other possible discussion would be to skip Ed25519 for Ristretto via schnorrkel (which has an audited Go implementation). |
Beta Was this translation helpful? Give feedback.
-
To date, I guess there is no support of signing and verifying TX using ed25519? Thanks |
Beta Was this translation helpful? Give feedback.
-
Context
SDK has it's own implementation of
ed25519
which is compatible with Tendermint one and extends it forproto.Message
. We need it to serialize keys (mainly the public keys) in many SDK structures.ed25519
however is not supported in SDK user land - antehandlers don't validateed25519
keys. One of the reason is the security concern discussed in ADR-28.In ADR-28 we designed an address scheme for all addressable accounts. In #8415 we wanted to update the SDK's
ed25519.PubKey.Address
method according to ADR-28. However this causes problems:ed25519
keys to SDKed25519
Current state (0.42)
We decided to not support
ed25519
in the app user land and updated the package docs.Followups
Inspect Tendermint ed25519 updates
ed25519.PubKey.Address
is an option (probably not)proto.Message
compatible - with this we won't need to keep theed25519
wrapper in SDK. Also other applications, which will need to importcrypto/keys
packages will have a better choice - they will not need to import whole Tendermint or SDK if they just need to do signatures.Future of
ed25519
without updating TendermintIf we want to have
ed25519
in SDK user land without modifying Tendermint, then we have to provide it with a new type, not viaed25519.PubKey
/ed25519.PrivKey
(unless we decide to update Tendermint). So one would need to create a new type (or a new package) implementinged25519
andproto.Message
and make the Address method compatible with ADR-28.Other idea is to discourage
ed25519
in SDK user land and use something else.ed25519 Private Keys
Today, the
ed25519
private keys are not used at all: keyring doesn't support them, and they have no use in SDK. However they are defined, and, based on the above description, can only be used for tendermint ed25519. Hence, the currented25519
private key is totally deprecated and shouldn't be used. However there is a problem with removing it - because it would break proto1.0
versioning promise.Beta Was this translation helpful? Give feedback.
All reactions