Hi tptacek, We know that thorough review does not happen instantly.
I want to let you know that we have bounties and funds available for doing code review.
https://shadowproject.io/en/bounties

* That's indeed true, we will be including the IV in the HMAC. Will be patched in our next version. Thank you!
* ChaPoly by TweetNaCl - duly noted. The thing is, libs need compatibility with our curve. TweetNaCl only supports Ed25519 :/
* secp256k1 is correct.
* Do you have any references to the "exploding like a pipe bomb" problem? We're using the ECDSA from Bitcoin's secp256k1 library - which is constant time and should be secure enough. Function: RecoverCompact()

We initially paid for a cryptographic review but the guy, whom we know by real name, disappeared from the planet. We're scouting for cryptographers willing to do code reviews, for a payment of course. If you're capable and interested then you should reach out to us on GitHub or Slack! We do appreciate you doing this in your free time, so we're sending Bitcoin tips to whoever makes good suggestions. Please post your Bitcoin address if you'd like to receive some.

---

Most code is inherited from Bitcoin, custom code with cryptography: smessage.cpp, ringsig.cpp and stealth.cpp
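The IV-in-HMAC point from the post above, as an added illustration that is not code from the Shadow project: an encrypt-then-MAC check where the tag covers only the ciphertext, beside one where it covers IV || ciphertext, run against a message whose IV has been modified in transit. The key, IV and ciphertext bytes are constructed placeholders, not values from the project.

```python
import hashlib
import hmac


def mac_without_iv(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Weak construction: the tag covers the ciphertext only.

    The receiver still feeds the IV into decryption, so an IV that was
    changed in transit is never checked.  In CBC mode the first plaintext
    block is D(C1) XOR IV, so any bit flipped in the IV flips the same bit
    in the first plaintext block without the MAC noticing.
    """
    return hmac.new(key, ct, hashlib.sha256).digest()


def mac_with_iv(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Fixed construction: the tag covers everything the decryptor uses,
    IV first, then ciphertext (a length prefix is unnecessary here because
    the IV is fixed-size)."""
    return hmac.new(key, iv + ct, hashlib.sha256).digest()


def verify(mac_fn, key: bytes, iv: bytes, ct: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag against the received one."""
    return hmac.compare_digest(mac_fn(key, iv, ct), tag)


def tampered_iv_detected(mac_fn) -> bool:
    """Return True if mac_fn rejects a message whose IV was altered after tagging."""
    key = b"\x11" * 32             # constructed test key
    iv = b"\x00" * 16              # constructed 16-byte IV (AES block size)
    ct = bytes(range(32))          # constructed stand-in for two CBC ciphertext blocks
    tag = mac_fn(key, iv, ct)      # tag produced by the sender

    bad_iv = bytes([iv[0] ^ 0x01]) + iv[1:]   # one bit of the IV flipped in transit
    assert verify(mac_fn, key, iv, ct, tag)   # untouched message still verifies
    return not verify(mac_fn, key, bad_iv, ct, tag)


if __name__ == "__main__":
    print("ciphertext-only tag detects IV change:", tampered_iv_detected(mac_without_iv))
    print("IV||ciphertext tag detects IV change:", tampered_iv_detected(mac_with_iv))
```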
It is OK that you don't know the best curve to use, or that an IV needs to be included in your MAC.
What is not OK is shipping privacy code to users without understanding this stuff. You don't get to learn this stuff on the job. Sorry. I know it's not fair. But to do otherwise would be even less fair to your users.
First be sure of your crypto. Then set up the bug bounty.
You can donate mine, for the MAC bug (which is severe), to Partners In Health.