tendermint/docs/architecture/adr-015-crypto-encoding.md

# ADR 015: Crypto encoding

## Context

We must standardize our method for encoding public keys and signatures on chain.
Currently we amino encode the public keys and signatures.
The reason we are using amino here is primarily due to ease of support in
parsing for other languages.
We don't need its upgradability properties in cryptosystems, as a change in
the crypto that requires adapting the encoding, likely warrants being deemed
a new cryptosystem.
(I.e. using new public parameters)

## Decision

### Public keys

For public keys, we will continue to use amino encoding on the canonical
representation of the pubkey.
(Canonical as defined by the cryptosystem itself)
This has two significant drawbacks.
Amino encoding is less space-efficient, due to requiring support for upgradability.
Amino encoding support requires forking protobuf and adding this new interface support
option in the langauge of choice.

The reason for continuing to use amino however is that people can create code
more easily in languages that already have an up to date amino library.
It is possible that this will change in the future, if it is deemed that
requiring amino for interacting with tendermint cryptography is unneccessary.

The arguments for space efficiency here are refuted on the basis that there are
far more egregious wastages of space in the SDK.
The space requirement of the public keys doesn't cause many problems beyond
increasing the space attached to each validator / account.

The alternative to using amino here would be for us to create an enum type.
Switching to just an enum type is worthy of investigation post-launch.
For referrence, part of amino encoding interfaces is basically a 4 byte enum
type definition.
Enum types would just change that 4 bytes to be a varuint, and it would remove
the protobuf overhead, but it would be hard to integrate into the existing API.

### Signatures

Signatures should be switched to be `[]byte`.
Spatial efficiency in the signatures is quite important,
as it directly affects the gas cost of every transaction,
and the throughput of the chain.
Signatures don't need to encode what type they are for (unlike public keys)
since public keys must already be known.
Therefore we can validate the signature without needing to encode its type.

When placed in state, signatures will still be amino encoded, but it will be the
primitive type `[]byte` getting encoded.

#### Ed25519

Use the canonical representation for signatures.

#### Secp256k1

There isn't a clear canonical representation here.
Signatures have two elements `r,s`.
These bytes are encoded as `r || s`, where `r` and `s` are both exactly
32 bytes long, encoded big-endian.
This is basically Ethereum's encoding, but without the leading recovery bit.

## Status

Implemented

## Consequences

### Positive

- More space efficient signatures

### Negative

- We have an amino dependency for cryptography.

### Neutral

- No change to public keys
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 00:33:46 -07:00			`# ADR 015: Crypto encoding`
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00
			`## Context`

lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 00:33:46 -07:00			`We must standardize our method for encoding public keys and signatures on chain.`
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00			`Currently we amino encode the public keys and signatures.`
			`The reason we are using amino here is primarily due to ease of support in`
			`parsing for other languages.`
			`We don't need its upgradability properties in cryptosystems, as a change in`
			`the crypto that requires adapting the encoding, likely warrants being deemed`
			`a new cryptosystem.`
			`(I.e. using new public parameters)`

			`## Decision`

			`### Public keys`

			`For public keys, we will continue to use amino encoding on the canonical`
			`representation of the pubkey.`
			`(Canonical as defined by the cryptosystem itself)`
			`This has two significant drawbacks.`
			`Amino encoding is less space-efficient, due to requiring support for upgradability.`
			`Amino encoding support requires forking protobuf and adding this new interface support`
			`option in the langauge of choice.`

			`The reason for continuing to use amino however is that people can create code`
			`more easily in languages that already have an up to date amino library.`
			`It is possible that this will change in the future, if it is deemed that`
			`requiring amino for interacting with tendermint cryptography is unneccessary.`

			`The arguments for space efficiency here are refuted on the basis that there are`
			`far more egregious wastages of space in the SDK.`
			`The space requirement of the public keys doesn't cause many problems beyond`
			`increasing the space attached to each validator / account.`

			`The alternative to using amino here would be for us to create an enum type.`
			`Switching to just an enum type is worthy of investigation post-launch.`
			`For referrence, part of amino encoding interfaces is basically a 4 byte enum`
			`type definition.`
			`Enum types would just change that 4 bytes to be a varuint, and it would remove`
			`the protobuf overhead, but it would be hard to integrate into the existing API.`

			`### Signatures`

			Signatures should be switched to be `[]byte`.
			`Spatial efficiency in the signatures is quite important,`
			`as it directly affects the gas cost of every transaction,`
			`and the throughput of the chain.`
			`Signatures don't need to encode what type they are for (unlike public keys)`
			`since public keys must already be known.`
			`Therefore we can validate the signature without needing to encode its type.`

			`When placed in state, signatures will still be amino encoded, but it will be the`
			primitive type `[]byte` getting encoded.

			`#### Ed25519`
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 00:33:46 -07:00
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00			`Use the canonical representation for signatures.`

			`#### Secp256k1`
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 00:33:46 -07:00
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00			`There isn't a clear canonical representation here.`
			Signatures have two elements `r,s`.
(Squash this) Be more explicit about the exact encoding of the secp signature 2018-08-02 23:27:16 -07:00			These bytes are encoded as `r \|\| s`, where `r` and `s` are both exactly
			`32 bytes long, encoded big-endian.`
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00			`This is basically Ethereum's encoding, but without the leading recovery bit.`

			`## Status`

crypto/secp256k1: Fix signature malleability, adopt more efficient en… (#2239) * crypto/secp256k1: Fix signature malleability, adopt more efficient encoding This removes signature malleability per ADR 14, and makes secp match the encoding in ADR 15. * (squash this) add lock 2018-08-27 22:32:54 -07:00			`Implemented`
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00
			`## Consequences`

			`### Positive`
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 00:33:46 -07:00
			`- More space efficient signatures`
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00
			`### Negative`
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 00:33:46 -07:00
			`- We have an amino dependency for cryptography.`
adr: Encoding for cryptography at launch (#2121) 2018-08-01 15:19:21 -07:00
			`### Neutral`
lint markdown docs using a stop-words and write-good linters (#2195) * lint docs with write-good, stop-words * remove package-lock.json * update changelog * fix wrong paragraph formatting * fix some docs formatting * fix docs format * fix abci spec format 2018-08-27 00:33:46 -07:00
			`- No change to public keys`