Encoding

Amino

Tendermint uses the proto3 derivative Amino for all data structures. Think of Amino as an object-oriented proto3 with native JSON support. The goal of the Amino encoding protocol is to bring parity between application logic objects and persistence objects.

Please see the Amino specification for more details.

Notably, every object that satisfies an interface (eg. a particular kind of p2p message, or a particular kind of pubkey) is registered with a global name, the hash of which is included in the object’s encoding as the so-called “prefix bytes”.

We define the func AminoEncode(obj interface{}) []byte function to take an arbitrary object and return the Amino encoded bytes.

Byte Arrays

The encoding of a byte array is simply the raw-bytes prefixed with the length of the array as a UVarint (what proto calls a Varint).

For details on varints, see the protobuf spec.

For example, the byte-array [0xA, 0xB] would be encoded as 0x020A0B, while a byte-array containing 300 entires beginning with [0xA, 0xB, ...] would be encoded as 0xAC020A0B... where 0xAC02 is the UVarint encoding of 300.

Hashing

Tendermint uses SHA256 as its hash function. Objects are always Amino encoded before being hashed. So SHA256(obj) is short for SHA256(AminoEncode(obj)).

Public Key Cryptography

Tendermint uses Amino to distinguish between different types of private keys, public keys, and signatures. Additionally, for each public key, Tendermint defines an Address function that can be used as a more compact identifier in place of the public key. Here we list the concrete types, their names, and prefix bytes for public keys and signatures, as well as the address schemes for each PubKey. Note for brevity we don’t include details of the private keys beyond their type and name, as they can be derived the same way as the others using Amino.

All registered objects are encoded by Amino using a 4-byte PrefixBytes that uniquely identifies the object and includes information about its underlying type. For details on how PrefixBytes are computed, see the Amino spec.

In what follows, we provide the type names and prefix bytes directly. Notice that when encoding byte-arrays, the length of the byte-array is appended to the PrefixBytes. Thus the encoding of a byte array becomes <PrefixBytes> <Length> <ByteArray>. In other words, to encode any type listed below you do not need to be familiar with amino encoding. You can simply use below table and concatenate Prefix || Length (of raw bytes) || raw bytes ( while || stands for byte concatenation here).

Type Name Prefix Length Notes
PubKeyEd25519 tendermint/PubKeyEd25519 0x1624DE64 0x20
PubKeySecp256k1 tendermint/PubKeySecp256k1 0xEB5AE987 0x21
PrivKeyEd25519 tendermint/PrivKeyEd25519 0xA3288910 0x40
PrivKeySecp256k1 tendermint/PrivKeySecp256k1 0xE1B0F79B 0x20
PubKeyMultisigThreshold tendermint/PubKeyMultisigThreshold 0x22C1F7E2 variable

Example

For example, the 33-byte (or 0x21-byte in hex) Secp256k1 pubkey 020BD40F225A57ED383B440CF073BC5539D0341F5767D2BF2D78406D00475A2EE9 would be encoded as EB5AE98721020BD40F225A57ED383B440CF073BC5539D0341F5767D2BF2D78406D00475A2EE9

Key Types

Each type specifies it’s own pubkey, address, and signature format.

Ed25519

TODO: pubkey

The address is the first 20-bytes of the SHA256 hash of the raw 32-byte public key:

  1. address = SHA256(pubkey)[:20]

The signature is the raw 64-byte ED25519 signature.

Secp256k1

TODO: pubkey

The address is the RIPEMD160 hash of the SHA256 hash of the OpenSSL compressed public key:

  1. address = RIPEMD160(SHA256(pubkey))

This is the same as Bitcoin.

The signature is the 64-byte concatenation of ECDSA r and s (ie. r || s), where s is lexicographically less than its inverse, to prevent malleability. This is like Ethereum, but without the extra byte for pubkey recovery, since Tendermint assumes the pubkey is always provided anyway.

Multisig

TODO

Other Common Types

BitArray

The BitArray is used in some consensus messages to represent votes received from validators, or parts received in a block. It is represented with a struct containing the number of bits (Bits) and the bit-array itself encoded in base64 (Elems).

  1. type BitArray struct {
  2.     Bits  int
  3.     Elems []uint64
  4. }

This type is easily encoded directly by Amino.

Note BitArray receives a special JSON encoding in the form of x and _ representing 1 and 0. Ie. the BitArray 10110 would be JSON encoded as "x_xx_"

Part

Part is used to break up blocks into pieces that can be gossiped in parallel and securely verified using a Merkle tree of the parts.

Part contains the index of the part (Index), the actual underlying data of the part (Bytes), and a Merkle proof that the part is contained in the set (Proof).

  1. type Part struct {
  2.     Index int
  3.     Bytes []byte
  4.     Proof SimpleProof
  5. }

See details of SimpleProof, below.

MakeParts

Encode an object using Amino and slice it into parts. Tendermint uses a part size of 65536 bytes.

  1. func MakeParts(block Block) []Part

Merkle Trees

For an overview of Merkle trees, see wikipedia

We use the RFC 6962 specification of a merkle tree, with sha256 as the hash function. Merkle trees are used throughout Tendermint to compute a cryptographic digest of a data structure. The differences between RFC 6962 and the simplest form a merkle tree are that:

1) leaf nodes and inner nodes have different hashes. This is for “second pre-image resistance”, to prevent the proof to an inner node being valid as the proof of a leaf. The leaf nodes are SHA256(0x00 || leaf_data), and inner nodes are SHA256(0x01 || left_hash || right_hash).

2) When the number of items isn’t a power of two, the left half of the tree is as big as it could be. (The largest power of two less than the number of items) This allows new leaves to be added with less recomputation. For example:

  1.    Simple Tree with 6 items           Simple Tree with 7 items
  3.               *                                  *
  4.              / \                                / \
  5.            /     \                            /     \
  6.          /         \                        /         \
  7.        /             \                    /             \
  8.       *               *                  *               *
  9.      / \             / \                / \             / \
  10.     /   \           /   \              /   \           /   \
  11.    /     \         /     \            /     \         /     \
  12.   *       *       h4     h5          *       *       *       h6
  13.  / \     / \                        / \     / \     / \
  14. h0  h1  h2 h3                      h0  h1  h2  h3  h4  h5

MerkleRoot

The function MerkleRoot is a simple recursive function defined as follows:

  1. // SHA256(0x00 || leaf)
  2. func leafHash(leaf []byte) []byte {
  3.     return tmhash.Sum(append(0x00, leaf...))
  4. }
  6. // SHA256(0x01 || left || right)
  7. func innerHash(left []byte, right []byte) []byte {
  8.     return tmhash.Sum(append(0x01, append(left, right...)...))
  9. }
  11. // largest power of 2 less than k
  12. func getSplitPoint(k int) { ... }
  14. func MerkleRoot(items [][]byte) []byte{
  15.     switch len(items) {
  16.     case 0:
  17.         return nil
  18.     case 1:
  19.         return leafHash(leafs[0])
  20.     default:
  21.         k := getSplitPoint(len(items))
  22.         left := MerkleRoot(items[:k])
  23.         right := MerkleRoot(items[k:])
  24.         return innerHash(left, right)
  25.     }
  26. }

Note: MerkleRoot operates on items which are arbitrary byte arrays, not necessarily hashes. For items which need to be hashed first, we introduce the Hashes function:

  1. func Hashes(items [][]byte) [][]byte {
  2.     return SHA256 of each item
  3. }

Note: we will abuse notion and invoke MerkleRoot with arguments of type struct or type []struct. For struct arguments, we compute a [][]byte containing the amino encoding of each field in the struct, in the same order the fields appear in the struct. For []struct arguments, we compute a [][]byte by amino encoding the individual struct elements.

Simple Merkle Proof

Proof that a leaf is in a Merkle tree is composed as follows:

  1. type SimpleProof struct {
  2.         Total int
  3.         Index int
  4.         LeafHash []byte
  5.         Aunts [][]byte
  6. }

Which is verified as follows:

  1. func (proof SimpleProof) Verify(rootHash []byte, leaf []byte) bool {
  2.     assert(proof.LeafHash, leafHash(leaf)
  4.     computedHash := computeHashFromAunts(proof.Index, proof.Total, proof.LeafHash, proof.Aunts)
  5.     return computedHash == rootHash
  6. }
  8. func computeHashFromAunts(index, total int, leafHash []byte, innerHashes [][]byte) []byte{
  9.     assert(index < total && index >= 0 && total > 0)
  11.     if total == 1{
  12.         assert(len(proof.Aunts) == 0)
  13.         return leafHash
  14.     }
  16.     assert(len(innerHashes) > 0)
  18.     numLeft := getSplitPoint(total) // largest power of 2 less than total
  19.     if index < numLeft {
  20.         leftHash := computeHashFromAunts(index, numLeft, leafHash, innerHashes[:len(innerHashes)-1])
  21.         assert(leftHash != nil)
  22.         return innerHash(leftHash, innerHashes[len(innerHashes)-1])
  23.     }
  24.     rightHash := computeHashFromAunts(index-numLeft, total-numLeft, leafHash, innerHashes[:len(innerHashes)-1])
  25.     assert(rightHash != nil)
  26.     return innerHash(innerHashes[len(innerHashes)-1], rightHash)
  27. }

IAVL+ Tree

Because Tendermint only uses a Simple Merkle Tree, application developers are expect to use their own Merkle tree in their applications. For example, the IAVL+ Tree - an immutable self-balancing binary tree for persisting application state is used by the Cosmos SDK

JSON

Amino

Amino also supports JSON encoding - registered types are simply encoded as:

  1. {
  2.   "type": "<amino type name>",
  3.   "value": <JSON>
  4. }

For instance, an ED25519 PubKey would look like:

  1. {
  2.   "type": "tendermint/PubKeyEd25519",
  3.   "value": "uZ4h63OFWuQ36ZZ4Bd6NF+/w9fWUwrOncrQsackrsTk="
  4. }

Where the "value" is the base64 encoding of the raw pubkey bytes, and the "type" is the amino name for Ed25519 pubkeys.

Signed Messages

Signed messages (eg. votes, proposals) in the consensus are encoded using Amino.

When signing, the elements of a message are re-ordered so the fixed-length fields are first, making it easy to quickly check the type, height, and round. The ChainID is also appended to the end. We call this encoding the SignBytes. For instance, SignBytes for a vote is the Amino encoding of the following struct:

  1. type CanonicalVote struct {
  2.     Type      byte
  3.     Height    int64            `binary:"fixed64"`
  4.     Round     int64            `binary:"fixed64"`
  5.     BlockID   CanonicalBlockID
  6.     Timestamp time.Time
  7.     ChainID   string
  8. }

The field ordering and the fixed sized encoding for the first three fields is optimized to ease parsing of SignBytes in HSMs. It creates fixed offsets for relevant fields that need to be read in this context. For more details, see the signing spec. Also, see the motivating discussion in #1622.