Remove wallet encryption features and ed25519 crypto

Open webmaster128 opened this issue 2 years ago • 1 comments

CosmJS was designed to be used for secure key storage required by wallets, but I am not aware of a user who uses CosmJS for that. Removing the following features would reduce maintenance cost and bundle size:

  • [ ] Remove Argon2 implementation (required for deriving encryption keys from a password)
  • [ ] Remove symmetric encryption (Xchacha20poly1305Ietf)
  • [ ] Remove all Ed25519 crypto

This affects {Direct,}Secp256k1{Hd,}Wallet.{serialize,deserialize}. Users of those features would need to implement secure key storage on their own.

As a result, we don't need the libsodium-wrappers-sumo dependency anymore (big Wasm blob) and can remove a lot of code to maintain.

Closes

  • https://github.com/cosmos/cosmjs/issues/1478
  • https://github.com/cosmos/cosmjs/issues/1031
  • https://github.com/cosmos/cosmjs/issues/584
  • https://github.com/cosmos/cosmjs/issues/903 / https://github.com/cosmos/cosmjs/pull/906

webmaster128 avatar Sep 20 '23 06:09 webmaster128
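
For readers who would have to take over key storage themselves, here is a password-based encryption round trip for a mnemonic, as an added example that is not part of the original post and not CosmJS code. It assumes Node's built-in scrypt and ChaCha20-Poly1305 (12-byte nonce) in place of the Argon2 and XChaCha20-Poly1305 primitives named in the issue; the function names, file layout and cost settings are hypothetical.

```javascript
// Added example, not CosmJS code. scrypt and ChaCha20-Poly1305 are Node built-ins
// standing in for Argon2 and XChaCha20-Poly1305 (assumption made for this sketch).
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const CIPHER = "chacha20-poly1305";
// Hypothetical cost settings; tune to the slowest device you must support.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKey(password, salt) {
  // Normalize so the same password typed on different platforms yields the same key.
  return scryptSync(Buffer.from(password.normalize("NFKC"), "utf8"), salt, 32, KDF);
}

function encryptMnemonic(mnemonic, password) {
  // Fresh salt per call means a fresh key per call, so a random 96-bit nonce is safe here.
  const salt = randomBytes(16);
  const nonce = randomBytes(12);
  const header = {
    v: 1, kdf: "scrypt", N: KDF.N, r: KDF.r, p: KDF.p, cipher: CIPHER,
    salt: salt.toString("base64"), nonce: nonce.toString("base64"),
  };
  const cipher = createCipheriv(CIPHER, deriveKey(password, salt), nonce, { authTagLength: 16 });
  // Authenticate the cleartext header so its fields cannot be swapped unnoticed.
  cipher.setAAD(Buffer.from(JSON.stringify(header), "utf8"));
  const ct = Buffer.concat([cipher.update(mnemonic, "utf8"), cipher.final()]);
  return JSON.stringify({ header, ct: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64") });
}

function decryptMnemonic(serialized, password) {
  const { header, ct, tag } = JSON.parse(serialized);
  // Refuse cost parameters from the file instead of letting stored data pick them.
  if (header.v !== 1 || header.N !== KDF.N || header.r !== KDF.r || header.p !== KDF.p) {
    throw new Error("unsupported format or KDF parameters");
  }
  const key = deriveKey(password, Buffer.from(header.salt, "base64"));
  const nonce = Buffer.from(header.nonce, "base64");
  const decipher = createDecipheriv(CIPHER, key, nonce, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(JSON.stringify(header), "utf8"));
  decipher.setAuthTag(Buffer.from(tag, "base64"));
  // final() throws if the password is wrong or any byte was modified.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64")), decipher.final()]);
  return pt.toString("utf8");
}
```

The short nonce is acceptable only because every call derives a new key from a new salt; a design that reuses one key across many messages is where the 24-byte XChaCha nonce matters.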

maybe you can just remove useless stuff like: bn.js, elliptic, libsodium-wrappers, and replace it with noble/{curves,ciphers}, which would allow keeping all the features, reduce bundle size massively, switch from wasm to js, and implement zip215 support

paulmillr avatar Sep 20 '23 22:09 paulmillr

Can either removing encryption or just doing #1031 #1585 be on the roadmap for 0.35?

The two libsodium packages together are more than 37% of the bundled size of stargate.

https://bundlephobia.com/package/@cosmjs/[email protected]

@stablelib/xchacha20poly1305 is much smaller.

https://bundlephobia.com/package/@stablelib/[email protected]

dynst avatar Jul 12 '25 18:07 dynst

Libsodium was refactored away which is great. Thanks everyone for those efforts!

I don't see how a pure-JS implementation of Argon2 can ever give us sufficient speed for production-grade software. So even after heavy modernization of dependencies we still have a Wasm blob from hash-wasm in here. And that is a feature no web app needs but only wallets need.

In any case there are two topics in this ticket which we should split:

  • Removal of wallet encryption is in #1796
  • Removal of Ed25519 crypto is not a priority right now. If it becomes one, it should get its own ticket.

Closing here

webmaster128 avatar Oct 22 '25 20:10 webmaster128