1) Library & Dependency Review
- [ ] List all external crypto crates (arkworks, jubjub/ed25519, x25519-dalek/curve25519-dalek, blake2, rand_core/getrandom, subtle, zeroize, etc.).
- [ ] Confirm versions are maintained; check RUSTSEC advisories.
- [ ] Ensure `default-features`/features are consistent (no accidental std/nightly assumptions in release).
- [ ] Verify `no_std` posture if relevant; confirm constant-time backends are enabled.
- [ ] Ensure `zeroize` or equivalent is available wherever private material lives in memory.
2) Hashing, Domain Separation & Commitments
- [ ] Compression vs Sponge: For fixed-arity 2→1, ensure Compression is used; for variable-length, use Sponge with SAFE padding.
- [ ] DSTs: maintain a registry documenting unique DSTs per context:
  - PoQ randomness, PoSel randomness, KDFs, Nullifiers, Vouchers, Merkle (leaf vs internal), Key tags, Message binding.
- [ ] Merkle/MMR used in Blend paths: verify leaf vs internal domain separation (avoid structural collisions).
- [ ] Check no misuse of sponge capacity/rate; no reusing state across logically distinct domains.
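Worked illustration of the leaf-vs-internal check above, added here as an example and not code from the audited project. It uses BLAKE2b's personalization field as the DST carrier; the DST strings and the `BLND/...` registry names are constructed for the example, not the project's own.

```python
import hashlib

# Constructed DST registry (illustrative names, not the project's).
# BLAKE2b personalization is capped at PERSON_SIZE (16) bytes.
DST = {
    "merkle_leaf": b"BLND/MRK/LEAF/v1",
    "merkle_node": b"BLND/MRK/NODE/v1",
    "nullifier": b"BLND/NULLIF/v1",
}


def h(dst: str, data: bytes) -> bytes:
    """Domain-separated BLAKE2b-256: the DST lives in the personalization
    field, so the same input hashed in two contexts gives unrelated outputs."""
    person = DST[dst]
    assert len(person) <= hashlib.blake2b.PERSON_SIZE, "DST too long for BLAKE2b person"
    return hashlib.blake2b(data, digest_size=32, person=person).digest()


# "Before": no domain separation, leaf and internal node share one hash.
def naive_leaf(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=32).digest()


def naive_node(left: bytes, right: bytes) -> bytes:
    return hashlib.blake2b(left + right, digest_size=32).digest()


# "After": distinct DSTs for leaves and internal nodes.
def leaf(data: bytes) -> bytes:
    return h("merkle_leaf", data)


def node(left: bytes, right: bytes) -> bytes:
    return h("merkle_node", left + right)


def structural_collision(leaf_fn, node_fn, a: bytes, b: bytes) -> bool:
    """True if the internal node over leaves (a, b) equals a single leaf whose
    payload is exactly the two child hashes, i.e. a leaf masquerades as a subtree."""
    inner = node_fn(leaf_fn(a), leaf_fn(b))
    forged_leaf = leaf_fn(leaf_fn(a) + leaf_fn(b))
    return inner == forged_leaf


if __name__ == "__main__":
    print("naive collides:", structural_collision(naive_leaf, naive_node, b"x", b"y"))
    print("separated collides:", structural_collision(leaf, node, b"x", b"y"))
```

The same `h()` is what keeps a nullifier derivation from ever producing a value that is also a valid Merkle leaf for the same preimage.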
3) Keys & KDFs (message/src/crypto/keys.rs)
- [ ] Key types: long-term vs ephemeral (NEK/EEK), curve choices (Ed25519/X25519 etc.) align with spec.
- [ ] Derivations: HKDF/Expand or Poseidon2-KDFs—document inputs and DSTs; no key/nonce re-use across roles.
- [ ] Zeroization: private keys, shared secrets, KDF intermediates; use `zeroize` (`ZeroizeOnDrop`) where feasible.
- [ ] Serialization: canonical encodings, reject non-canonical forms (e.g., small-order points, non-canonical field encodings).
- [ ] Upgrade path: version tags embedded with derived keys for future rotation.
4) Signatures (message/src/crypto/signatures.rs)
- [ ] Curve and scheme: consistent with spec security level (Ed25519/EdDSA or other); constant-time implementation.
- [ ] Nonce policy: deterministic (RFC6979-style) or high-quality randomness; no nonce reuse; no bias.