Raising Funds for an Audit of Lelantus

EDIT 18 May 2020:
I have created a ZCS proposal for the audit for discussion!

We’ve been scoping out various audit firms. The ones that seem to be the most promising are Trail of Bits and SmartDEC.

Trail of Bits are pretty top notch guys. They’re the peeps who are auditing Zoom right now and they’ve done a lot of blockchain work (Parity) plus have the necessary cryptographers. They’re my first choice. A decent audit with them would cost around 64k USD though there’s some flexibility depending on the level of thoroughness. The call with Dan Guido was a very fruitful one.

SmartDEC came recommended from Beam and Grin++. They’re much more competitive in rates but communication with them has been rather patchy. Beam and Grin spoke highly of them but another contact whom I trust says that they basically have a checklist that they go through. We are still waiting for a quote from them (the last time they went silent for a month).

Least Authority are pretty good as well (they audited Zcash and ProgPOW) but cost wise they’re the highest. For the price, Trail of Bits seems to be a better bet.

The purpose of the audit is twofold:
a) To give us comfort that Lelantus and its implementation are secure
b) To meet requirements for big exchanges that often require a software audit.

I personally feel that Trail of Bits will meet both of these requirements. Some money can be saved if we focus only on the implementation and not the cryptography. SmartDEC was indicating that they would probably not have capacity to audit the cryptography.

There are other firms we also approached but didn’t really feel assured from our communications that they knew their stuff.

This costs money and while the core team does have reserves, it is a bit risky to use this lest the bear market extends.

We have received offers to get in new ‘seed investors’ but personally I’d rather we not as we are just moving past that. We can take a loan possibly but it would be good to partially raise some funds from the community.

What are everyone’s thoughts on this? What would make you want to donate? Would special exclusive merchandise for you make it more attractive?

Appreciate everyone's feedback!


Hi reuben,

My name is Nym Seddon, am a security researcher focused on privacy-enhancing blockchain projects and cryptography software. IMHO, if budget is a concern, hire a firm with professional cryptographers to specifically audit only the cryptographic specification. It is much easier, and you will find many more firms, that are able to validate that the implementation matches the specification.

Recently, I performed a pro-bono audit of Monero’s CLSAG algorithm. Since I am not yet a cryptographic/cryptanalytic expert (that’s the goal), chose instead to focus on verifying their implementation against the white paper. I have experience working with and breaking cryptographic implementations, but do not consider myself to be at the level of a professional cryptanalyst (have more experience auditing software).

Would be happy to offer my services pro-bono here as well. This is not to discourage hiring other firms to audit the implementation at market prices, I highly recommend doing that as well. Merely offering to help as an auxiliary audit to help inform audits by subsequent firms.


Hi Nym!

First of all welcome to the Zcoin forum and I’m absolutely delighted you decided to post this. We always welcome technical people especially those that are passionate about privacy/cryptography.

We would gladly have you perform an auxiliary audit of the Lelantus code. If it’s easier, let us know whether you would like to join our developer Slack to discuss this. We are quite close to having an initial working implementation of Lelantus but would like to have our other senior developers look at it and refactor/refine it before putting it out for audit but if you want a preliminary look first (with the above caveats), you’ll be more than welcome.

Our Lelantus paper has actually been revised to make it easier to read but we’re putting our final touches on it before updating it on eprint and can share it with you. We can arrange a call with @ajivanyan (Zcoin’s cryptographer) as well should you want a brief overview of it.


The Lelantus Audit ZCS proposal is up for everyone’s comments!

Currently Trail of Bits and SmartDEC are preparing more detailed quotes + scope and will update the proposal as we go along. I’m also still seeking additional quotes from Gotham Consulting and maybe Cure53.de.


Hey Nym. I am the author of Lelantus and great to hear from you. Let me know if you need any help or more information for evaluating the Lelantus protocol before even looking at the code.


Hi @reuben and @ajivanyan, thanks for the warm welcome!

I appreciate the offer for preview of the implementation and paper, however, would prefer to work with the published material when it is ready. Would feel horrible if anything was leaked from my machines being compromised, or something similar.

Very excited for this work, and appreciate the advances in applied cryptography you all are pushing forward.

Ah no worries about compromising since it’s the same material just rearranged for clarity and incorporating the solution to the self spend issue for direct anonymous payments which was also already published on lelantus.io!

After seeing Nym’s first post I feel distinctly underqualified to participate in this discussion! Welcome to the project Nym, great to have people with your skills and interest joining the community.

My point of view is this. The most expensive is often the cheapest in the long run. The cost of an inflation bug or security flaw in the cryptography has the potential to wipe many millions of dollars off the value of the coin in the future (I’m speculating here obviously :wink:). Obviously we would prefer to be rid of that possibility now, almost whatever the cost!

Do these firms have any kind of professional indemnity insurance? What is the recourse, if any, to them if it can be proven later that they have done sloppy work? If there is none then I could offer you a very good rate to audit the code . . .

Lastly, small point but relevant one, a leopard doesn’t change its spots. If a firm are being flakey and not getting back to you when they are looking to win some business, they are very likely to get more communicative once the contract has been signed!

My vote is for Trail of Bits because I trust Reuben (and his judgment) and it is a cool name.

Hey @Thorfried! Thanks for your feedback. Do post in this thread instead as I’ll be consolidating them in there.

