The OSTIF Audit of Monero CLSAG is Complete! – Results

OSTIF, working with the Monero Community, the Monero development team, Monero Research Lab and Sweetwater Asset Consulting, has completed our latest security review of Monero CLSAG.

Image by https://github.com/MrMon0cle

Concise Linkable Spontaneous Anonymous Group signatures are a new variant of Monero’s current MLSAG (Multilayered Linkable Spontaneous Anonymous Group signature) scheme. Overall, it promises to further reduce the size of Monero signatures while maintaining all of the privacy characteristics of Monero.

JP Aumasson and Antony Vennard conducted a two phase review of CLSAG. First, they reviewed the theoretical construction presented in the Monero CLSAG paper by Brandon Goodell, Sarang Noether, and Arthur Blue. The latest version is published here:  https://eprint.iacr.org/2019/654.pdf Second, they reviewed the code as it will be implemented in Monero to ensure that the implementation maintains the security properties that the paper establishes. Additionally, the CLSAG code was reviewed for general code errors that could lead to security issues.

Because of this audit, the foundational design of CLSAG has improved through improvements to the formal paper, and peer review has verified that the overall security of the scheme is reasonably sound and ready for live use.

Review of the CLSAG Paper

Proofs in cryptography are similar to proofs in mathematics, where security properties that are assumed must have prior work that confirms that the assumption made by the researchers is true. You build new ideas on these base assumptions to create something new and novel, and previous proofs support your novel construction’s claims be it for security, privacy, anonymity, unforgeability, or other functionality that you seek.  The findings from Jean-Philippe and Antony led to many improvements to the paper for academic rigor. This includes problems like unsupported security assumptions, readability issues,  and properly defining the definitions of terms. These are largely issues with an academic proof that would not affect the strength of CLSAG, however, the paper serves as a blueprint for building a novel signature scheme, and errors in proofs can lead to unforeseen weaknesses in the design and implementation phases of the code.

“We have a good confidence that the construction proposed satisfies the intended security goals, yet a moderate confidence that the proofs are entirely valid.”

After the edits to the CLSAG paper, the auditors are more confident that CLSAG has strong, valid, security proofs.

Overall the team found that CLSAG is well constructed for its use-case in Monero. Some gaps were identified that may affect the overall security strength of the scheme, but the audit team found that the security is likely “strong enough” to thwart any attempts to break the signature scheme.

Review of the CLSAG Implementation in Monero

Monero CLSAG’s code was reviewed using both static and dynamic analysis, meaning JP and Antony both manually reviewed the code and used automated tools to search for additional potential problems (like cppCheck, CodeQL, and clang-tidy).

Overall, the team found no major issues with the implementation. Suggestions were made to improve the design in a future version of CLSAG, such as using built-in features of C++ to securely erase data from memory after its use.

“Overall, we believe the code implements the CLSAG scheme as desired accurately and
provides a high level security.”

The audit team found that the code is clean, easy to read, and well designed. Additionally, the CLSAG code reuses well-tested and well-understood components in its design. Lastly, the code is also well commented for understanding error-handling. Being a C++ application, the authors recommend extending Monero’s current unit-testing and fuzzing to include CLSAG’s code to further check for general C++ problems like null pointer errors, bounds checking, memory handling, and error handling.

Only two recommendations were made by the reviewers:

key struct misuse prevention

The reviewers recommend an improved technique to ensure that secure memory erasure takes place after data is used and no longer required.

Unnecessary code duplication

There are two functions in CLSAG that perform nearly-identical functions and can be combined. This is to further simplify code as a best practice and does not impact security, privacy, or performance.

The CLSAG Audit Paper

As always, all of OSTIF’s sponsored research is available, in full, for free. Consider supporting our work through donating to OSTIF and encouraging your company to sponsor OSTIF’s security research. We would like to extend a special thank you to the Monero community for funding this project and assisting with OSTIF’s operational expenses.

The full paper is available here: https://ostif.org/wp-content/uploads/2020/07/ostif-clsag-audit-final-public.pdf