This draft prepares a public audit report for Blend (message encapsulation, signatures, KEM/KDF, PoQ/PoSel proofs, vouchers). We applied the checklist below to the Blend codebase and recorded issues & fixes with references to upstream GitHub issues.
Methodology (checklist applied)
1) Library & Dependency Review
- [x] List all external crypto crates (arkworks, jubjub/ed25519, x25519-dalek/curve25519-dalek, blake2, rand_core/getrandom, subtle, zeroize, etc.).
- [ ] Confirm versions are maintained; check RUSTSEC advisories.
- [ ] Ensure default-features/features are consistent (no accidental std/nightly assumptions in release).
- [ ] Verify no_std posture if relevant; confirm constant-time backends are enabled.
- [x] Ensure zeroize or equivalent is available where private material lives in memory.
2) Hashing, Domain Separation & Commitments
- [x] Compression vs Sponge: For fixed-arity 2→1, ensure Compression is used; for variable-length, use Sponge with SAFE padding.
- [x] DSTs: Registry documenting unique DSTs per context:
- PoQ randomness, PoSel randomness, KDFs, Nullifiers, Vouchers, Merkle (leaf vs internal), Key tags, Message binding.
- [x] Check no misuse of sponge capacity/rate; no reusing state across logically distinct domains.
3) Keys & KDFs (message/src/crypto/keys.rs)
- [x] Key types: long-term vs ephemeral (NEK/EEK), curve choices (Ed25519/X25519 etc.) align with spec.
- [x] Derivations: HKDF/Expand or Poseidon2-KDFs—document inputs and DSTs; no key/nonce re-use across roles.
- [x] Zeroization: private keys, shared secrets, KDF intermediates; use zeroize(OnDrop) where feasible.
- [ ] Serialization: canonical encodings, reject non-canonical forms (e.g., small-order points, non-canonical field encodings).
- [x] Upgrade path: version tags embedded with derived keys for future rotation.
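The three checks above that most often fail in practice are DST framing (section 2), zeroization and canonical scalar decoding (section 3). The following is an added, self-contained Rust example written for this report; it is not Blend's code and makes no claim about how message/src/crypto/keys.rs is structured. It assumes no external crates: the volatile-write wipe stands in for the zeroize crate's ZeroizeOnDrop, and the order constant L is the Ed25519 group order from RFC 8032, so the canonical check applies to the scalar S of an Ed25519 signature or to any secret scalar that must be reduced mod L.

```rust
use std::sync::atomic::{compiler_fence, Ordering};

/// Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493,
/// little-endian (RFC 8032). A 32-byte scalar encoding is canonical only if s < L.
pub const ED25519_ORDER_LE: [u8; 32] = [
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
];

/// Reject non-canonical scalar encodings: returns true iff `s` (little-endian) < L.
/// Walks from the most significant byte down. This is a check on *public*
/// signature data, so variable time is acceptable here; secret scalars need a
/// constant-time comparison instead.
pub fn is_canonical_scalar(s: &[u8; 32]) -> bool {
    for i in (0..32).rev() {
        if s[i] < ED25519_ORDER_LE[i] {
            return true;
        }
        if s[i] > ED25519_ORDER_LE[i] {
            return false;
        }
    }
    false // exactly L: the encoding is not reduced, so reject it
}

/// Frame a hash preimage with a length-prefixed DST and a length-prefixed message,
/// so (dst, msg) pairs from different contexts can never produce the same bytes.
/// A registry of DSTs (PoQ, PoSel, KDF, nullifier, voucher, Merkle leaf/internal,
/// ...) then maps one-to-one onto distinct preimage prefixes.
pub fn frame_with_dst(dst: &[u8], msg: &[u8]) -> Vec<u8> {
    assert!(dst.len() <= 255, "DST must fit in a single length byte");
    let mut out = Vec::with_capacity(1 + dst.len() + 8 + msg.len());
    out.push(dst.len() as u8);
    out.extend_from_slice(dst);
    out.extend_from_slice(&(msg.len() as u64).to_le_bytes());
    out.extend_from_slice(msg);
    out
}

/// Overwrite a buffer with zeros using volatile writes so the optimizer cannot
/// drop the store as dead (the same idea the zeroize crate implements).
pub fn zeroize_in_place(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed location.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical secret-key container: heap-boxed so no stack copies linger,
/// and wiped on drop. Stands in for zeroize::ZeroizeOnDrop, which is the
/// preferred choice in a real code base.
pub struct SecretBytes(Box<[u8; 32]>);

impl SecretBytes {
    pub fn new(bytes: [u8; 32]) -> Self {
        SecretBytes(Box::new(bytes))
    }
    pub fn expose(&self) -> &[u8; 32] {
        &self.0
    }
}

impl Drop for SecretBytes {
    fn drop(&mut self) {
        zeroize_in_place(&mut self.0[..]);
    }
}

fn main() {
    // Constructed sample values, not material from Blend.
    let mut s = ED25519_ORDER_LE;
    s[0] = 0xec; // L - 1: the largest canonical scalar
    println!("L-1 canonical: {}", is_canonical_scalar(&s));
    println!("L   canonical: {}", is_canonical_scalar(&ED25519_ORDER_LE));
    let a = frame_with_dst(b"BLEND-POQ", b"hello");
    let b = frame_with_dst(b"BLEND-POSEL", b"hello");
    println!("distinct preimages: {}", a != b);
    let k = SecretBytes::new([0x42; 32]);
    println!("secret byte 0: {}", k.expose()[0]);
    // `k` is wiped here when it goes out of scope
}
```

The check for small-order or non-canonical *points* is the other half of the serialization item and needs curve arithmetic, so it is not shown here; the point of this block is that each rejection rule is a separate, testable function rather than an implicit property of the library call.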
4) Signatures (message/src/crypto/signatures.rs)
- [x] Curve and scheme: consistent with spec security level (Ed25519/EdDSA or other); constant-time implementation.