Owner: @Mehmet @Daniel Kashepava
Reviewers:
Purpose & scope
This draft aims to prepare a public audit report for Nomos covering the cryptographic code in the NomosDA (KZG+RS) components. We applied the checklist below across selected files in nomos-da/kzgrs and nomos-da/kzgrs-backend, documented concrete findings, and proposed remediations. Where possible, we link to the upstream issues/PRs and note their current status.
Methodology (checklist applied)
Library & Dependency Review
- [x] Identify all external cryptographic libraries used (arkworks etc.).
- [x] Check if library versions are up to date and still maintained.
- [x] Verify that security advisories for dependencies are addressed.
- [x] Ensure consistent use of the same library across components (no redundant/conflicting libs).
Hashing & Commitment Schemes
- [x] Confirm correct parameterization of hash functions (Poseidon2, BLAKE2b).
- [x] Verify domain separation is applied properly (unique DSTs, field fitting).
- [x] Ensure constants are generated deterministically and documented.
- [x] Audit Merkle/MMR implementations for collision resistance and proof correctness.
- [x] Check for misuse of sponge capacity/rate parameters.
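As an added illustration of the domain-separation and Merkle-proof items above (constructed example, not nomos-da code), the block below tags leaf and inner-node hashes with distinct BLAKE2b personalization strings, reduces a 64-byte digest into the scalar field, and verifies an inclusion proof so that a forged leaf built from two sibling hashes, a wrong index, or an index outside the tree is rejected. The BLS12-381 scalar modulus and the DST strings are assumptions; the page names neither.

```python
import hashlib

# Assumption (not stated on the page): the KZG backend works over BLS12-381,
# whose 255-bit scalar field modulus r is the constant below.
BLS12_381_R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001

def hash_to_field(msg: bytes, dst: bytes) -> int:
    """Map bytes into Fr. The DST goes into BLAKE2b's personalization block, so
    hashes used for different purposes cannot collide on the same input.
    Field fitting: a 64-byte digest reduced mod r has negligible bias (about
    2^-257); reducing a 32-byte digest would leave a noticeable bias instead."""
    assert 0 < len(dst) <= 16, "BLAKE2b personalization is at most 16 bytes"
    digest = hashlib.blake2b(msg, digest_size=64, person=dst).digest()
    return int.from_bytes(digest, "big") % BLS12_381_R

def tagged_hash(data: bytes, dst: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=32, person=dst).digest()

# Constructed DSTs: leaves and inner nodes hash under different tags, otherwise
# the concatenation of two sibling hashes could be presented as a leaf.
LEAF_DST, NODE_DST = b"AUDIT-DEMO/LEAF", b"AUDIT-DEMO/NODE"

def leaf_layer(leaves):
    n = len(leaves)
    assert n > 0 and (n & (n - 1)) == 0, "demo requires a power-of-two leaf count"
    return [tagged_hash(leaf, LEAF_DST) for leaf in leaves]

def next_layer(layer):
    return [tagged_hash(layer[i] + layer[i + 1], NODE_DST) for i in range(0, len(layer), 2)]

def merkle_root(leaves) -> bytes:
    layer = leaf_layer(leaves)
    while len(layer) > 1:
        layer = next_layer(layer)
    return layer[0]

def merkle_proof(leaves, index):
    """Sibling hashes from the leaf's level up to (not including) the root."""
    layer, path = leaf_layer(leaves), []
    while len(layer) > 1:
        path.append(layer[index ^ 1])
        index, layer = index // 2, next_layer(layer)
    return path

def merkle_verify(root: bytes, leaf: bytes, index: int, path) -> bool:
    """Recompute the root. The index picks left/right at each level and must be
    fully consumed, so an index outside the tree or a truncated path fails."""
    node = tagged_hash(leaf, LEAF_DST)
    for sibling in path:
        node = tagged_hash(node + sibling if index % 2 == 0 else sibling + node, NODE_DST)
        index //= 2
    return index == 0 and node == root
```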
Signature Schemes
- [x] Confirm the curve choice matches the target security level.
- [x] Verify nonce generation (deterministic per RFC 6979 or a secure RNG) and that secret material is zeroized after use.
- [x] Check (de)serialization for malleability and replay issues.