efir369999/montana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
montana/Монтана-Протокол/Код/AUDIT.md

48 KiB
Raw Permalink Blame History

Montana Reference Implementation — Audit Package

Spec target: Montana v35.23.0 (2026-05-02) — см. VERSION.md Last verified: 2026-05-02 (M1-F + M2 + M3 + M4 + M5 audit prep + M6 transport closure + critic-fix bundle 13 findings + Phase C.0-C.4 e2e two-node communication) Audit-ready status: M1 + M2 + M3 + M4 + M5 layers — READY FOR EXTERNAL AUDIT (13 крейтов, ~11190 LOC, 255 invariants, 40/40 findings closed: 20 internal + 8 external #3 (M3-A-1..M3-A-5 + F-5 + AUDIT-sync) + 2 external #3 VERIFIED (P-C-1 F-19 reopen + P-C-2 audit history) + 10 external #4 (M4-MED-1/2 + M4-LOW-3..7 + M5-LOW-8 + M4-INFO-10) + spec v33→v34 monetary refactor + spec v34 → v35.3.2 patch series)

TL;DR — что готово к внешнему аудиту

Layer Готов? Крейты LOC Tests + invariants Open findings
M1 foundational (cryptography + identity recovery) READY mt-codec, mt-crypto, mt-crypto-native, mt-mnemonic ~2000 100+ unit + 13 security + 51 NIST KAT byte-exact 0 (12/12 closed)
M2 state foundation (consensus state primitives) READY mt-merkle, mt-genesis, mt-state, mt-timechain 1821 95+ unit + 60 determinism invariants 0 (4/4 closed)
M3 apply_proposal layer (account operations + emission + state transition) READY mt-account 2556 89 unit + 29 determinism invariants 0 (3/3 internal closed: M3-1/M3-2/M3-3 + 10/10 external #3+VERIFIED closed: M3-A-1..M3-A-5 / F-5 / M3-A-3 / AUDIT-sync / P-C-1 F-19 reopen / P-C-2 history; M2-3/M2-13 superseded v34 monetary refactor)
M4 consensus mechanics (lottery + proposal acceptance + node admission) READY mt-lottery, mt-consensus, mt-entry 3858 187 unit + 85 determinism invariants 0 (1/1 internal closed: M4-1; 7/7 external #4 closed: M4-MED-1/2 + M4-LOW-3..7 + M4-INFO-10)
M5 persistence (filesystem state + proposal archive + crash recovery) READY mt-store 955 27 unit + 17 determinism invariants 0 (manual scan clean; v34 monetary refactor удалила MonetaryState persistence)
Cross-implementation conformance READY Domain registry sync (spec ↔ code, см. VERSION.md) NIST ACVP 66 byte-exact (KeyGen 50 + SigGen 15 + ctx-equivalence 1) + Recovery flow 0 (F-1 spec patch closed)
M6 network layer (wire format + transport + IBT + Dandelion + mesh + SF) READY mt-net, mt-net-transport ~3300 110 unit + 14 transport (включая 3 e2e two-node) 0 (P-C1..P-C8 critic-fix bundle закрыт)
M9 conformance suite READY mt-conformance ~150 2 unit byte-exact verify 0 (envelope A1-A3 + PoW F1-F2 + IBT B1)
M7 Fast Sync TODO mt-sync (не реализовано)
M8 Node binary (montana-node SPEC_DEVIATIONS rewrite) 🔄 in progress montana-node ~600 partial DEV-001..009 open

Audit firm engagement: возможен прямо сейчас на полный scope M1 + M2 + M3 + M4 + M5 + M6 (15 крейтов = 13 предыдущих + mt-net + mt-net-transport + mt-conformance). M7 Fast Sync + M8 montana-node binary — defer to отдельной audit фазы.

iOS application audit: см. отдельный package iOS/Apps/Montana/AUDIT.md — Phase 2 in progress, требует Phase 2.1+ implementation (4-6 недель) перед external firm engagement.

TL;DR — M6 Phase C closure (2026-05-02)

mt-net-transport (~470 LOC) — libp2p-based transport layer:

  • src/codec.rs — MontanaCodec для libp2p request-response с MAX_PROTOCOL_PAYLOAD_BYTES enforcement (Genesis Decree authoritative bound)
  • src/behaviour.rs — MontanaBehaviour wrapper (request-response для FastSync/PeerList/BatchLookup/RangeSubscribe; one-way gossip — Phase C.5+)
  • src/transport.rs — build_swarm() helper с TCP→TLS 1.3 (rustls)→Noise→Yamux upgrade chain
  • src/ibt_upgrade.rs — classify_proof() для access level determination (Node/Candidate/Account)
  • tests/e2e_two_node_handshake.rs — Manual Validation Gate scenario 6 PASS (Ping/Pong через full transport chain)
  • tests/e2e_proposal_exchange.rs — scenario 7 PASS (synthetic Proposal payload + 512 KiB boundary test)

mt-conformance (~150 LOC) — M9 standalone test vectors crate для cross-implementation verification:

  • VectorEnvelope (A1/A2/A3 byte-exact)
  • VectorIbtSeed (B1 после P-C2 rename mt-tunnel→mt-tunnel-online)
  • VectorPow (F1/F2 target derivation)
  • Public API: all_envelope_vectors(), all_pow_vectors(), ibt_b1_online_proof()

Capability checklist [C-5] для libp2p 0.56.0: 8/8 PASS (TCP+TLS 1.3+Noise+Yamux+Swarm primitives; async tokio; rustls + snow constant-time; Linux+macOS+Windows; IPFS+Filecoin+Polkadot 5+ years production; MIT/Apache 2.0; ~120 transitive deps acceptable за изоляцию через own crate).

1. Audit Chain

Hybrid Rust + C architecture для cryptography (M1). Pure Rust для state foundation (M2). Three layers, each auditable independently.

M1 — Foundational cryptography + identity recovery

Layer 1 — Rust shim (own audit responsibility)

Crate Path Lines (exact) Scope
mt-codec crates/mt-codec/src/lib.rs ~290 Canonical encoding traits + Domain separators registry (32 domains, sync с актуальным spec target из VERSION.md byte-exact). Все consensus hash compositions через explicit domain separator + NUL byte (SHA-256(domain ‖ 0x00 ‖ parts) self-delimiting per P1 external finding).
mt-crypto crates/mt-crypto/src/lib.rs 662 Public API: PublicKey, SecretKey, Signature, Mlkem*, keypair_from_seed, keypair_from_seed_mlkem, sign, verify, hash, sha256_raw. CryptoError enum + Result<_, CryptoError> API. Heap-allocated SK через Box<[u8; N]> + mlock против swap-out + Drop+zeroize для secret types. Все 7 unsafe blocks с // SAFETY: комментариями: 4 FFI sites (keypair_from_seed, sign, verify, keypair_from_seed_mlkem) + 3 mlock/munlock (Drop for SecretKey, alloc_locked_secret_box, Drop for MlkemSecretKey). Test-only keypair() через OS CSPRNG (getrandom).
mt-crypto-native (Rust binding) crates/mt-crypto-native/src/lib.rs 49 extern "C" декларации FFI к Layer 2. Только pub const константы и FFI signatures, никакой логики. Включает mt_sign_mldsa_ctx для FIPS context support.
mt-mnemonic crates/mt-mnemonic/src 937 24-word mnemonic recovery flow: PBKDF2-HMAC-SHA-256 (iter=2²⁰), HKDF-Expand per-role derivation, ML-DSA seed (32B) + ML-KEM seed (64B) generation. Wordlist binding SHA-256 verified.

Layer 2 — Own thin C wrapper (own audit responsibility)

File Lines (exact) Scope
crates/mt-crypto-native/csrc/mt_crypto.c 457 Wrapping OpenSSL EVP_PKEY API: mt_keypair_from_seed_mldsa, mt_keypair_from_seed_mlkem, mt_sign_mldsa, mt_sign_mldsa_ctx (FIPS context support), mt_verify_mldsa, mt_self_test. Использует OSSL_PKEY_PARAM_ML_DSA_SEED (FIPS 204 §3.1 ξ ∈ B³²) и OSSL_PKEY_PARAM_ML_KEM_SEED (FIPS 203 §6.1 d ‖ z, 64B) для deterministic KeyGen. OSSL_SIGNATURE_PARAM_DETERMINISTIC=1 для FIPS 204 Algorithm 2 deterministic Sign.
crates/mt-crypto-native/csrc/mt_crypto.h 67 C API declarations + размеры primitives + 13 status codes (1 success + 12 errors).
crates/mt-crypto-native/build.rs 45 Vendored OpenSSL build через openssl-src, cc::Build с -Wall -Wextra -Wpedantic -Werror, cross-compile корректность через CARGO_CFG_TARGET_OS.

Total own audit surface (Layer 1 + Layer 2): 1280 lines (662 Rust shim + 49 FFI bindings + 457 C wrapper + 67 C header + 45 build script). Verify counts:

cd "<repo-root>" && wc -l crates/mt-crypto/src/lib.rs crates/mt-crypto-native/src/lib.rs crates/mt-crypto-native/csrc/mt_crypto.c crates/mt-crypto-native/csrc/mt_crypto.h crates/mt-crypto-native/build.rs

Layer 3 — Underlying production C library (vendor audit responsibility)

Component Version Source Audit history
OpenSSL 3.5.5 LTS openssl-src 300.5.5+3.5.5 — vendored, byte-pinned exact version OpenSSL Foundation governance, FIPS 140-3 validated, decades production deployment в TLS world (Apache HTTP, nginx, OpenSSH, Linux kernel, …), supported до April 2030 (LTS)

Layer 3 НЕ в нашем audit scope — auditor проверяет только наш способ использования OpenSSL EVP API (Layer 2), не реализацию самих ML-DSA/ML-KEM/SHA-256.

M2 — State foundation (audit-ready 2026-04-26)

Crate Path Lines Scope Audit findings
mt-merkle crates/mt-merkle/src/lib.rs 474 Sparse Merkle Tree (depth 256), empty_internal() precomputed cache (OnceLock), leaf_hash/internal_hash (SHA-256 domain-separated через mt-codec::domain), SparseMerkleTree::insert/root через BTreeMap для canonical iteration order, verify_proof для inclusion + absence proofs. 0 unsafe blocks. 0 panic!. 0 f32/f64. 0 SystemTime/RNG. BTreeMap не HashMap. Pass 1-12 clean (manual scan); 10 automated determinism invariants
mt-genesis crates/mt-genesis/src/lib.rs 353 Genesis Decree + ProtocolParams SSOT (4094B encoded), genesis_app_id() (SHA-256 domain-separated), genesis_params() через OnceLock (singleton, thread-safe), compute_genesis_state_hash(). Const emission_moneta = 13 × 10⁹ nɈ per spec v34+. 0 unsafe. 0 panic. Только read-only constants + deterministic hash. Pass 1-12 clean; automated determinism invariants
mt-state crates/mt-state/src/lib.rs 647 AccountTable (2059B records) / NodeTable (2098B) / CandidatePool (2082B) через BTreeMap<id, Record> + SparseMerkleTree, derive_account_id / derive_node_id (SHA-256 domain-separated), compute_state_root (SHA-256 of node_root ‖ candidate_root ‖ account_root), is_active predicate. 0 unsafe. 0 panic! 0 HashMap (BTreeMap canonical sort). 0 f64. Pass 1-12 clean; automated determinism invariants
mt-timechain crates/mt-timechain/src/lib.rs 347 TimeChain VDF (vdf_step = SHA-256^d, vdf_verify re-computes), next_d Adaptive D через participation-ratio feedback (integer permille per [I-9]), cemented_bundle_aggregate(W, node_ids) per [I-8] Network-Bound Unpredictability (3 ветви: genesis 0×32, empty marker, sorted node_ids hash). 0 unsafe. 0 panic. 0 HashMap. 0 f64. Все integer арифметика per [I-9]. Pass 1-12 clean; 19 automated determinism invariants

Total M2 audit surface: 1821 lines code + 60 automated determinism invariants.

M3 — apply_proposal layer (audit-ready 2026-04-27)

Crate Path Lines Scope Audit findings
mt-account crates/mt-account/src/lib.rs 2556 4 user opcodes (Transfer 0x02 / ChangeKey 0x03 / Anchor 0x04 / TransferActivation 0x0A) с byte-exact canonical encoding (TRANSFER_SIZE / CHANGE_KEY_SIZE / ANCHOR_SIZE / TRANSFER_ACTIVATION_SIZE). validate_* для каждого opcode (full validation per spec table). apply_* с checked arithmetic (checked_sub/checked_add + descriptive panic для protocol invariant breach). op_hash через R2 SHA-256(mt-op ‖ signed_scope), signature excluded. settle_window(cemented_ops) сортирует по op_hash lex asc. apply_proposal orchestrates Steps 2/3.5/3.6/4 (steps 1, 3a, 3b stubbed → M4 mt-entry). apply_emission зачисляет EMISSION_moneta (const) operator-у winner-узла. reward_moneta(params) = params.emission_moneta, supply_moneta(W) = emission × (W+1) closed-form. build_genesis_state + genesis_state_root для bootstrap. 0 unsafe. 0 panic! без protocol invariant justification. 0 HashMap. 0 f64. 0 SystemTime. Pass 1-12 clean; automated determinism invariants

Total M3 audit surface: 2556 lines code + 29 automated determinism invariants.

M4 — Consensus mechanics (audit-ready 2026-04-27)

Crate Path Lines Scope Audit findings
mt-lottery crates/mt-lottery/src/lib.rs 1715 BundledConfirmation R1/R2 (signed_scope + bundle_hash через mt-bundle domain), VdfReveal R1/R2 (mt-vdf-reveal domain), compute_endpoint lottery formula (mt-lottery domain) с [I-8] cemented_bundle_aggregate(W-2) binding, validate_bundle/validate_reveal с full structural + signature verification, log2_q64 (Q64.64 fixed-point integer log с degree-3 Remez minimax polynomial, max error 2^-10.62, binding coefficients B0..B3), ln_q64, weighted_ticket_node u128 integer division, determine_winner argmin canonical rule (ticket asc, class asc, id lex asc), quorum 67% ceiling integer formula (67×X+99)/100, is_cemented. 0 unsafe. 0 panic!. 2 controlled expect() (try_into на slice длины 16 — protocol invariant). 0 HashMap. 0 f64. 0 SystemTime. M4-1 closure (Vec.len() as u16 silent truncation → BundleError::TooManyOps/TooManyReveals + validate cap + debug_assert defense-in-depth); 34 automated determinism invariants
mt-consensus crates/mt-consensus/src/lib.rs 1089 ProposalHeader R1/R2 (3722 B fixed-size, 17 полей, signed_scope без signature, mt-proposal domain), validate_header (a-f структурные правила: fallback_depth ≥ 1, window_index = prev+1, protocol_version monotone + ≤ local_max, proposer registered + Mldsa65 suite, signature verify), canonical_proposer / fallback_proposer (Lookback Leadership: proposer_W = winner_{W-2}; genesis bootstrap; cascade by depth), compute_control_set (filter cemented_window > prev AND ≤ W, sort by (window asc, op_hash lex asc)), validate_proposer_is_canonical / validate_bundles_threshold / validate_included_reveals / validate_winner (Canonical acceptance), finalization_status (Cemented/Rejected per is_cemented), leader_penalty_excluded_node. 0 unsafe. 0 panic. 0 prod unwrap/expect. 0 HashMap. 0 f64. 0 SystemTime. Pass 1-12 clean (manual scan); 27 automated determinism invariants
mt-entry crates/mt-entry/src/lib.rs 1054 NodeRegistration R1/R2 (5344 B, opcode 0x11, mt-nodereg domain), validate_noderegistration (3 структурные правила: suite supported, signature verify, node_id unique в Node Table + Candidate Pool, operator account exists + не is_node_operator), candidate_vdf_init per [I-8] (mt-candidate-vdf-init domain composing T_r + cba(W-2) + node_id), compute_expiry_window 3τ₂, apply_candidate_expiry (apply_proposal Step 3a), selection_slots (1% cap через ADMISSION_DIVISOR=130), selection_sort_key (mt-selection domain), rank_candidates_for_selection (canonical sort), apply_selection_event (apply_proposal Step 3b: insert into Node Table + mark operator + remove from Candidate Pool), required_vdf_length (Adaptive VDF integer permille per [I-9]), nr_sort_key (mt-nodereg-sort domain), apply_noderegistrations_batch (apply_proposal Step 1: incremental sort+apply с pending growth). 0 unsafe. 0 panic. 0 prod unwrap/expect. 0 HashMap. 0 f64. Pass 1-12 clean; 24 automated determinism invariants

Total M4 audit surface: 3858 lines code + 85 automated determinism invariants. Domain separators: mt-bundle, mt-vdf-reveal, mt-lottery, mt-proposal, mt-nodereg, mt-candidate-vdf-init, mt-selection, mt-nodereg-sort — все consensus-critical hash compositions через canonical domains (per [I-8] + [I-10] SSOT).

M5 — Persistence (audit-ready 2026-04-27)

Crate Path Lines Scope Audit findings
mt-store crates/mt-store/src/lib.rs 955 Filesystem-backed state persistence (pure std::fs, без RocksDB/sled — minimum deps): FsStore::open (создаёт proposals/ subdirectory), save/load AccountTable / NodeTable / CandidatePool через canonical_encode/decode pair (round-trip byte-exact verified), Proposal archive (proposals/{window:020}.bin, archive_proposal + get_proposal_by_window byte-exact decode), Crash recovery (meta_last_cemented.bin u64 LE; verify_consistency проверяет что meta-указанный proposal существует в archive — иначе StoreError::NotFound), Pruning (prune_proposals_before удаляет файлы window < threshold). Все decode_X функции проверяют bytes.len() != EXPECTED_SIZE ДО чтения (StoreError::CorruptedLength). 0 unsafe. 0 panic. 0 prod unwrap/expect. 0 HashMap. 0 f64. Pass 1-12 clean; automated determinism invariants

Total M5 audit surface: 955 lines code + 17 automated determinism invariants.

M3 + M4 + M5 orchestration ordering (важно для каллера):

  1. M3: settle_window(account_table, cemented_user_ops, window_w) — apply cemented user ops к state
  2. M4: apply_noderegistrations_batch (Step 1) → apply_candidate_expiry (Step 3a) → apply_selection_event (Step 3b) — node admission flow
  3. M3: apply_proposal(account_table, node_table, candidate_pool, input, params) — Steps 2 (emission) → 3.5 (chain_length++) → 3.6 (checkpoint rotation) → 4 (state_root)
  4. M5: archive_proposal(header)save_meta_last_cemented(window)save_account_table / save_node_table / save_candidate_pool — persist на disk

Settle разделено от apply_proposal (M3 design choice); steps 1/3a/3b делегированы M4 mt-entry. M5 finalization атомарность через meta-pointer pattern (если crash между archive и meta — verify_consistency detects).

M3 apply_proposal orchestration ordering (важный invariant для каллера):

  1. settle_window(account_table, cemented_user_ops, window_w) — apply cemented ops к state (Transfer/Anchor/ChangeKey/TransferActivation) ДО apply_proposal
  2. apply_proposal(account_table, node_table, candidate_pool, input, params) — Steps 2 (emission) → 3.5 (chain_length++) → 3.6 (checkpoint rotation) → 4 (state_root)

Settle разделено от apply_proposal по design — orchestration ordering invariant виден каллеру explicitly, скрытие в одной функции рискует silent fork. Документировано в module-level comment перед pub fn apply_proposal.

2. Conformance Proofs

NIST FIPS 204/203 byte-exact conformance (M1)

66 differential test cases vs NIST CAVP ACVP-Server published vectors:

Test Source Cases Status
ML-DSA-65 KeyGen byte-exact NIST ACVP-Server gen-val/json-files/ML-DSA-keyGen-FIPS204 25 PASS
ML-KEM-768 KeyGen byte-exact NIST ACVP-Server gen-val/json-files/ML-KEM-keyGen-FIPS203 25 PASS
ML-DSA-65 SigGen deterministic external pure (1 empty + 14 non-empty context, 0..255B) NIST ACVP-Server gen-val/json-files/ML-DSA-sigGen-FIPS204 tgId=3 15 PASS
mt_sign_mldsamt_sign_mldsa_ctx (empty ctx) equivalence own correctness check 1 PASS

Reproduction:

cd "<repo-root>" && cargo test -p mt-crypto-native --test nist_acvp_kat -- --nocapture

Fixtures location: crates/mt-crypto-native/tests/fixtures/nist_acvp/

SHA-256 NIST FIPS 180-4 conformance (M1)

Test Source Status
SHA-256("abc") == ba7816bf...15ad FIPS 180-4 §B.1 PASS (in mt-crypto/src/lib.rs::tests::hash_nist_vector_abc)

Internal correctness baselines (M1)

Test Path Status
ML-DSA-65 zero-seed deterministic baseline crates/mt-crypto-native/tests/regression_baselines.rs PASS
ML-KEM-768 zero-seed + ones-seed deterministic baselines same PASS
ML-DSA-65 sign roundtrip + tamper detection same PASS
5 mt-mnemonic KAT vectors (entropy → mnemonic → master_seed → per-role keypair) crates/mt-mnemonic/tests/keygen_vectors.rs PASS
End-to-end recovery flow (entropy → identity round-trip) crates/mt-mnemonic/tests/e2e_recovery.rs PASS
mt_crypto::self_test() (KeyGen determinism + Sign/Verify + KAT 1 byte-exact conformance check) crates/mt-crypto/src/lib.rs PASS

Security invariants (M1, Pass 17 enforcement через automated tests)

Regression detection для security-critical properties — если будущий рефакторинг ломает invariant, тест fails в CI ДО merge.

Invariant Test Status
SecretKey: !Clone (no accidental copies) crates/mt-crypto/tests/security_invariants.rs::secret_key_is_not_clone
MlkemSecretKey: !Clone same::mlkem_secret_key_is_not_clone
SecretKey: !PartialEq (no timing leak via ==) same::secret_key_no_partial_eq_to_prevent_timing_leak
MlkemSecretKey: !PartialEq same::mlkem_secret_key_no_partial_eq_to_prevent_timing_leak
SecretKey heap-allocated (size = pointer) same::secret_key_is_heap_allocated
MlkemSecretKey heap-allocated same::mlkem_secret_key_is_heap_allocated
SecretKey имеет Drop impl same::secret_key_needs_drop
MlkemSecretKey имеет Drop impl same::mlkem_secret_key_needs_drop
FFI fills SK с non-zero bytes same::secret_key_filled_by_ffi_keygen
FFI fills MlkemSK с non-zero bytes same::mlkem_secret_key_filled_by_ffi_keygen
No println!/log::* macros на SK bytes в lib коде same::no_println_or_log_on_secret_bytes_in_lib_code
PublicKey: Clone (sanity — public material clone-able) same::public_key_can_be_cloned
Signature: Clone (sanity) same::signature_can_be_cloned

13/13 security invariants PASS.

Determinism invariants (M2 — все 4 crates)

Automated regression detection per [I-3] determinism + [I-9] integer arithmetic + [I-10] SSOT + [I-8] Network-Bound Unpredictability.

Crate Test file Cases Status
mt-merkle tests/determinism_invariants.rs 10 PASS (empty_internal determinism + level uniqueness, leaf/internal hash determinism, internal_hash order-sensitivity, SMT empty root + insertion-order-independent root, root-changes-on-insert, type sizes)
mt-genesis tests/determinism_invariants.rs 7 PASS (genesis_app_id determinism, genesis_params singleton stable pointer, ProtocolParams encoded size constant + encoding determinism, compute_genesis_state_hash determinism + dependence on state_root, SSOT singleton consistency)
mt-state tests/determinism_invariants.rs PASS (derive_account_id / derive_node_id determinism + dependence + cross-distinctness, ACCOUNT/NODE/CANDIDATE_RECORD_SIZE matches encoded, encoding determinism, AccountTable/NodeTable/CandidatePool insertion-order-independent root, compute_state_root determinism + order-sensitivity + dependence на каждый input root, is_active boundary at 2×τ₂ inclusive + saturating_sub safety, WINNER_CLASS_NODE SSOT, empty tables consistent root, insert/remove inverse)
mt-timechain tests/determinism_invariants.rs 19 PASS (vdf_step zero=identity + determinism + dependence на iterations и prev, vdf_verify accept/reject correct/wrong claim/iteration count, vdf_chain composition associative, next_d dead-zone unchanged + above-high-increases + below-low-decreases + determinism, cemented_bundle_aggregate window<2 = genesis zero, empty marker distinct from non-empty, change-on-window/node_ids, canonical sort input-order independence per [I-8])

60/60 M2 invariants PASS.

Spec ↔ Code byte-exact alignment (M0+M1+M2)

Verified per critic audit (commit 9387900):

Проверка Spec value Code value Status
ML-DSA-65 pubkey size 1952B PUBLIC_KEY_SIZE = 1952
ML-DSA-65 secretkey 4032B SECRET_KEY_SIZE = 4032
ML-DSA-65 signature 3309B SIGNATURE_SIZE = 3309
ML-DSA-65 seed 32B KEYPAIR_SEED_SIZE = 32
ML-KEM-768 ek 1184B MLKEM_PUBLIC_KEY_SIZE = 1184
ML-KEM-768 dk 2400B MLKEM_SECRET_KEY_SIZE = 2400
ML-KEM-768 seed 64B (d‖z) MLKEM_SEED_SIZE = 64
AccountRecord size 2059B ACCOUNT_RECORD_SIZE = 2059
NodeRecord size 2098B NODE_RECORD_SIZE = 2098
CandidateRecord size 2082B CANDIDATE_RECORD_SIZE = 2082
ProposalHeader size 3722B PROPOSAL_HEADER_SIZE = 3722
ProtocolParams size 4094B (spec v34) PARAMS_ENCODED_SIZE = 4094
Sparse Merkle Tree depth 256 TREE_DEPTH = 256
Emission pin 13 Ɉ const per окно emission_moneta = 13_000_000_000
Domain registry sync (32 domains) spec list code mt-codec const list

Security Cards per crypto primitive (M1)

Каждый primitive с secret material имеет detailed Security Card в docs/security-cards.md. Cards covered:

Primitive Card Status
SecretKey (ML-DSA-65) Card 1 — 8/8 Pass 17 checks closed closed
MlkemSecretKey (ML-KEM-768) Card 2 — 8/8 closed closed
keypair_from_seed (ML-DSA KeyGen) Card 3 — heap+mlock+stack hygiene closed closed
keypair_from_seed_mlkem (ML-KEM KeyGen) Card 4 — heap+mlock+stack hygiene closed closed
sign (ML-DSA-65 deterministic) Card 5 — 8/8 closed closed
verify (ML-DSA-65) Card 6 — no secret material, minimal card closed

3. Threat Model & Scope Boundaries

In scope — что аудитор должен проверить

M1 — cryptography + identity:

  1. FFI memory safety — Layer 1 unsafe blocks (4 sites), buffer sizes, pointer validity
  2. OpenSSL EVP API misuse — параметры EVP_PKEY_CTX_set_params, error handling, EVP_DigestSignInit determinism flag
  3. Secret hygieneDrop+zeroize для SecretKey/MlkemSecretKey, no Clone/Copy на secret types, no leak в logs/dumps, heap-allocated bytes (Box) с mlock против swap-out, stack hygiene — FFI пишет напрямую в heap-allocated locked Box, никаких stack temporary buffers с secret bytes (см. docs/security-cards.md Cards 1-6)
  4. Result API correctnesssign/keypair_from_seed corruption resistance: malformed SK через from_array(arbitrary_bytes)Err(CryptoError::InvalidSecretKey), не panic
  5. Deterministic semantics — FIPS 204 Algorithm 2 deterministic Sign correctly invoked via OSSL_SIGNATURE_PARAM_DETERMINISTIC=1 (consensus determinism per Montana [I-3])
  6. Recovery flow correctness — mnemonic → master_seed (PBKDF2-HMAC-SHA-256) → per-role HKDF derivation → byte-exact reproducible identity (Montana spec sections "Ключи → Мнемоника и seed", "Per-role key derivation")
  7. Cross-compile correctness — build.rs использует CARGO_CFG_TARGET_OS env var (не cfg!(target_os))
  8. Reproducible builds — Docker container с pinned base image (debian:bookworm-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7), byte-identical между независимыми runs (CI gate reproducible_release)

M2 — state foundation: 9. Sparse Merkle Tree correctness — empty_internal level uniqueness + cache consistency + verify_proof для inclusion + absence proofs 10. Genesis Decree SSOT — ProtocolParams singleton consistency, encoded size invariance под struct changes, frozen constants 11. State table determinism — BTreeMap canonical sort guarantee для AccountTable / NodeTable / CandidatePool, insertion-order-independent state_root 12. Account/Node ID derivation — SHA-256 domain-separated через mt-codec::ACCOUNT / ::NODE registry, cross-distinctness same pubkey 13. Monetary policy correctness — const emission reward_moneta = EMISSION_moneta = 13 × 10⁹ nɈ per spec «Эмиссия», closed-form supply_moneta(W) = EMISSION_moneta × (W + 1) 14. TimeChain VDF correctness — vdf_step composition associativity, vdf_verify byte-exact against re-computed chain 15. Adaptive D feedback — next_d dead-zone semantics + integer permille arithmetic per [I-9] 16. cemented_bundle_aggregate per [I-8] — Network-Bound Unpredictability через canonical sort node_ids + window binding, защита от input-order grinding

Out of scope — НЕ предмет этого аудита

  1. OpenSSL internal correctness — вне scope; ответственность OpenSSL Foundation. Аудитор может предположить FIPS 204/203 Algorithm 1/2/16 implementations OpenSSL корректны (audited+deployed at scale)
  2. Consensus protocol correctness M3-M5 — отдельные layers (mt-account, mt-consensus, mt-lottery, mt-entry, mt-store) — internal-tested 255+ tests green, но не audit-prepared (TODO для следующих audit phases)
  3. Network protocol — M6+ (mt-net не существует)
  4. Application layer — отдельный workspace в будущем (Juno agent, messaging, файловое хранилище)
  5. Hardware side-channel attacks — software-only assumption; embedded deployment audit отдельный

Known limitations (deferred с обоснованием)

  1. Genesis bootstrap ceremony pending (M2-1 finding из external audit Claude Opus 4.7 #2) — 4 поля ProtocolParams хранят placeholder zeros и финализируются только при Genesis ceremony перед mainnet:

    • bootstrap_account_pubkey: [0u8; PUBLIC_KEY_SIZE]
    • bootstrap_node_pubkey: [0u8; PUBLIC_KEY_SIZE]
    • target_zero: [0u8; 32] (initial VDF target)
    • genesis_content_data_hash: [0u8; 32]

    Severity: блокер mainnet, НЕ блокер аудита кода. Layout / encoding / SSOT / singleton корректны и audit-ready. Финализация = выбор seed, генерация keypairs через mt_crypto::keypair_from_seed, безопасное хранение privkey (multi-party ceremony либо single trusted party — design decision автора).

    Programmatic check: mt_genesis::is_genesis_bootstrap_finalized(params) -> bool для operator deployment scripts. Test bootstrap_keypairs_finalized остаётся #[ignore] до ceremony, после ceremony — снимается ignore. Pre-ceremony test is_genesis_bootstrap_finalized_pre_ceremony_returns_false явно фиксирует текущее состояние.

    Closure path: Genesis ceremony plan — отдельный milestone в ROADMAP.md перед mainnet.

  2. Sign with non-empty context — текущий mt_sign_mldsa API не принимает context parameter, использует empty context (соответствует Montana usage pattern, но не FIPS 204 full API surface). NIST ACVP cases с context bytes (14/15 в external pure deterministic group) не проверяются. Closure path: расширить FFI signature, когда понадобится FIPS context support (M6+).

  3. Verify NIST KAT — отдельный test set для FIPS 204 SigVer не добавлен в этой session (sign-baseline + sign-NIST KAT byte-exact match косвенно подтверждает Verify correctness через round-trip, но direct Verify NIST KAT остаётся как enhancement).

  4. ML-KEM-768 Encapsulate/Decapsulate NIST KAT — текущий M1-F scope только KeyGen (Encapsulate/Decapsulate понадобятся в M6+ application layer encryption). NIST KAT для encapDecap имеется в fixtures dir, тесты добавляются когда понадобится.

4. Build & Reproduction

Toolchain

rustc 1.70+ (pinned via rust-toolchain.toml)
Cargo workspace
OpenSSL 3.5.5 LTS (vendored через openssl-src)

Optional security audit tooling (для Step H verification)

cargo install cargo-audit --locked

Один раз на audit machine. После — команда cargo audit доступна.

Build from source

cd "<repo-root>"
cargo build --all --release

Все 4 обязательные проверки CI:

cargo fmt --all -- --check
cargo clippy --all-targets -- -D warnings
cargo test --all
cargo build --all --release

Reproducible release build (Docker)

Prerequisites: Docker ≥ 20.10 installed and running, ~30 минут wall-clock для двух clean builds, ~5 GB free disk.

docker build --file docker/release-build.dockerfile --tag montana-release:audit .

CI gate reproducible_release (см. .github/workflows/ci.yml) выполняет два независимых build с --no-cache, asserts byte-identity hashes на каждом push в main. Auditor может верифицировать через CI history без локального запуска (избегая Docker prerequisite).

Run audit-relevant tests

M1 NIST ACVP KAT (cross-implementation conformance):

cd "<repo-root>" && cargo test -p mt-crypto-native --test nist_acvp_kat -- --nocapture

M1 Internal correctness baselines:

cd "<repo-root>" && cargo test -p mt-crypto-native --test kat_independent -- --nocapture
cd "<repo-root>" && cargo test -p mt-crypto -- --nocapture
cd "<repo-root>" && cargo test -p mt-mnemonic --test keygen_vectors -- --nocapture
cd "<repo-root>" && cargo test -p mt-mnemonic --test e2e_recovery -- --nocapture

M1 Security invariants (Pass 17):

cd "<repo-root>" && cargo test -p mt-crypto --test security_invariants -- --nocapture

M2 Determinism invariants:

cd "<repo-root>" && cargo test -p mt-merkle --test determinism_invariants -- --nocapture
cd "<repo-root>" && cargo test -p mt-genesis --test determinism_invariants -- --nocapture
cd "<repo-root>" && cargo test -p mt-state --test determinism_invariants -- --nocapture
cd "<repo-root>" && cargo test -p mt-timechain --test determinism_invariants -- --nocapture

Полный M1+M2 audit chain:

cd "<repo-root>" && cargo test -p mt-codec -p mt-crypto-native -p mt-crypto -p mt-mnemonic -p mt-merkle -p mt-genesis -p mt-state -p mt-timechain

5. Audit History

Date Audit Findings Closure
2026-04-27 Spec bump v33.1.6 → v34.0.0 — major monetary policy refactor (geometric step-up baseline → const linear emission) Architectural simplification, не security audit findings ProtocolParams удалены 4 поля (r_genesis_moneta, monetary_epoch_windows, inflation_num, inflation_den) + добавлен emission_moneta: u128 = 13×10⁹ nɈ. PARAMS_ENCODED_SIZE 4118 → 4094. mt-state удалена MonetaryState struct + carry-recurrence machinery. mt-account apply_emission упрощён: reward = params.emission_moneta const, monetary_epoch_tick удалён. supply_moneta(W) = E × (W+1) closed-form O(1) — eliminates class of bugs (epoch boundary off-by-one, carry overflow). 288/288 affected tests PASS. Driver: упрощение audit surface для production firm engagement.
2026-04-27 External audit #4 Claude Opus 4.7 (1M context) — incremental M4+M5 scope (mt-lottery, mt-consensus, mt-entry, mt-store) — independent SHA-256 oracle (Python hashlib) cross-check 4 hash compositions + ad-hoc ln_q64 mathematical verification (T141253) 10 findings (0 CRITICAL/HIGH, 2 MEDIUM, 5 LOW, 3 INFO); score 8.5/10; 325/325 M4+M5 tests PASS под single-core/single-process All 10 findings closed конструкцией. Commits: cb81d4c M4-MED-1 window_index u32→u64 unification (spec v33.1.4→v33.1.5), f46d48a M4-LOW-7 3 hardcoded const → ProtocolParams [C-1] SSOT (spec v33.1.5→v33.1.6 + admission_divisor field), 64cefca M4-MED-2 validate_winner genesis-aware contract docs, 53ba832 M4-LOW-3 log2_q64 panic-free byte extraction, e8450bb M4-LOW-4 checked_add validate_header window monotone, c41f043 M4-LOW-5 saturating_mul quorum, 845d74d M4-LOW-6 positive functional tests TooManyOps/TooManyReveals, bcf5e9b M5-LOW-8 cleanup orphan .tmp at FsStore::open + anti-regression test, 022c5ff M4-INFO-10 canonical_proposer degraded-mode docs.
2026-04-27 External audit #3 VERIFIED Claude Opus 4.7 (1M context) — incremental M3 mt-account scope + полная zero-trust verification закрытий M1/M2 + fresh NIST CAVP source download (T124438; supersedes incomplete first pass T121239 в которой аудитор по собственному признанию срезал углы). 785/785 cargo test --all PASS. 10 findings: 8 из incomplete first pass (1 HIGH M3-A-4, 3 LOW M3-A-1/M3-A-2/F-5, 4 INFO M3-A-3/M3-A-5/M3-A-7/M3-A-8) + 2 из VERIFIED pass (P-C-1 F-19 reopen HIGH, P-C-2 audit history sync MEDIUM). Score 8.5/10; expected 9/10 после P-C-1 + P-C-2. All 10 findings closed конструкцией. Commits: 4c14685 M3-A-4 ValidationContext, 047cc45 M3-A-1+M3-A-2 checked arithmetic, 66df1a1 M3-A-5+F-5 docs/telemetry TODO, e61c479 M3-A-3 binding test vector, 5d3506c Cargo.lock sync, b96085d P-C-1 SAFETY convention для 4 const-cast sites + Rust shim cross-references, <this> P-C-2 audit history sync. 131 tests PASS в mt-account (96 unit + 35 determinism); 4 anti-regression теста (validate_dispatcher cooldown enforcement, apply_chain_length overflow panic, apply_checkpoint_rotation underflow panic, genesis_candidate_root binding empty_internal(256)).
2026-04-26 External audit #2 Claude Opus 4.7 (1M context) — incremental M2 scope (mt-merkle, mt-genesis, mt-state, mt-timechain) 17 findings (1 HIGH M2-1 Genesis bootstrap pubkeys placeholder, 5 MEDIUM, 11 LOW/INFO); score 8/10; 60/60 determinism invariants verified M2-3 + M2-13 изначально закрыты в M3 milestone (binding test pin 41/40 + MonetaryState в compute_state_root). Superseded spec bump v33.1.6 → v34.0.0 monetary policy refactor (geometric step-up → const linear emission): pin 41/40 inflation_num/den и MonetaryState carry-recurrence удалены как artifacts old policy. Новые equivalent invariants: reward_moneta(W) = EMISSION_moneta const closed-form, supply_moneta(W) = EMISSION × (W+1) linear closed-form. M2-1 re-classified как known limitation (mainnet deployment blocker, не code audit blocker). Остальные documentation-only findings закрыты в audit-package iterations.
2026-04-26 External audit #1 Claude Opus 4.7 (1M context) — initial M1 layer (mt-crypto, mt-crypto-native, mt-mnemonic) — independent NIST CAVP source download + byte-exact verification 19 findings (3 HIGH + 4 MEDIUM + 12 LOW/INFO); score 8/10; 0 cryptographic vulnerabilities 14/19 closed конструкцией (commit 6ff26b3 + closure доделан в b96085d для F-19): F-2 cargo fmt clean, F-3 stale RustCrypto refs cleanup, F-4 SAFETY comments к 3 mlock/munlock blocks, F-5 расширенный SAFETY-комментарий, F-6 keypair() переход на OS CSPRNG (getrandom), F-7 zeroize intermediate PBKDF2/HKDF/HMAC buffers, F-8 SigGen NIST KAT расширен 1→15 cases с новым mt_sign_mldsa_ctx API, F-9 rename kat_independent → regression_baselines, F-12 split_whitespace вместо split(' '), F-18 cc parallel feature removed, F-19 const-cast OpenSSL convention в SAFETY (изначально incomplete; полностью закрыт b96085d после VERIFIED audit reopen). 5 deferred с явным rationale (F-10 NIST в self_test, F-14 formal constant-time, F-15 cargo-fuzz infrastructure, F-16 threshold sigs M6+, F-17 serde_json dev-dep — auditor сам "не приоритетно"). Expected score после closure: 9/10.
2026-04-26 M0+M1+M2 critic spec-vs-code audit (Протокол/Код/CRITIC.md v1.6.0) — verification полного соответствия кода M0/M1/M2 спеке v33.1.2 4 findings (F-1 mt-recovery-fingerprint domain spec drift, F-2 stale VERSION.md Implementation field, F-3 false positive snyат критиком, F-4 controlled halts documentation) All 4 closed (commit 9387900): F-1 spec patch v33.1.2 → v33.1.3 (Domain registry sync), F-2 VERSION.md updated на «M0..M5 closed», F-4 audit-checklist §K Controlled halts section
2026-04-26 M1-F audit package critic review (Протокол/Код/CRITIC.md v1.4.0) — verification of AUDIT.md + reproduction commands + claims accuracy 5 findings (F-A1..F-A5) — все documentation-only, не security All 5 closed: F-A1 unsafe count 3→4 (verify added in list), F-A2 cargo audit verified+install instructions, F-A3 line counts exact (568/40/375/56/45=1084), F-A4 print_sk gate accurately described (env var M1_DUMP_SK=1), F-A5 Docker reproduction prerequisites added
2026-04-26 M1-F internal critic audit (Протокол/Код/CRITIC.md v1.4.0) 7 findings (F-1..F-7) 6 closed конструкцией, F-3 closed через NIST ACVP differential testing — all 7 closed. Commits: 9f2ba93 (F-4 cross-compile), 71896f6 (F-6 separate error codes), 3333738 (F-1 zeroize), e1164ad (F-2 Result API + F-5 cfg-gate keypair + F-7 implicit), 6b7ff30 (F-3 NIST KAT)
2026-04-26 M2 batch 2+3 audit prep — manual critic Pass 1-12 для mt-state + mt-timechain 0 findings (manual scan clean) 24 + 19 automated determinism invariants добавлены
2026-04-26 M2 batch 1 audit prep — manual critic Pass 1-12 для mt-merkle + mt-genesis 0 findings (manual scan clean) 10 + 7 automated determinism invariants добавлены
2026-04-21 External critic finding — domain separation prefix-collision 5 findings (P1-P5) All closed: NUL separator pattern, SK leak gate, label coherence, empty_internal binding, stale RECOVERY disclosure. Commit d762cec, spec v29.13.0.

Audit-ready status (2026-04-27): zero open code-side findings в M1 + M2 + M3 layers across 3 independent external audits (T201805 + T232707 + T124438 by Claude Opus 4.7 1M; T124438 — VERIFIED replacement of incomplete first-pass T121239). Total cumulative 46 findings across audits — all code-side closed конструкцией; deferred items explicitly classified (M2-1 Genesis bootstrap pubkeys = mainnet deployment, не code audit; F-14/F-15 formal verification + fuzzing = post-MVP scope). M3 score 8.5/10 → 9/10 ready после P-C-1 + P-C-2 closures (commits b96085d + this). Documentation accuracy verified through 3 incremental audits включая VERIFIED zero-trust pass. Cross-implementation conformance verified через spec ↔ code byte-exact alignment + independent NIST CAVP source download (65 KAT cases byte-exact с fresh source 2026-04-27).

6. Spec & Documentation

Document Path Scope
Protocol spec см. VERSION.md (Spec target / Spec path) — авторитетный источник Полный protocol specification, источник истины
App spec Протокол/Montana App v3.9.2.md (актуальный на дату; см. историю VERSION.md) Application layer specification
Architect role CLAUDE.md Code architect role definition (v1.12.0)
Critic role CRITIC.md Code critic role definition (v1.6.0 — Pass 17 Security Card mandatory)
Roadmap ROADMAP.md Implementation roadmap, milestones, status
Spec version SSOT VERSION.md Single source of truth для spec target version
Pre-audit checklist docs/audit-checklist.md 11 категорий self-attestation (A-K) + reproduction one-liners для аудитора + sign-off table
Security Cards docs/security-cards.md Pass 17 mandatory Security Cards для 6 crypto primitives

7. Pre-audit self-attestation

Перед началом external audit — см. docs/audit-checklist.md для полного 11-категорийного чеклиста.

M1 + M2 final closure self-attestation (2026-04-26):

Findings closure:

  • Все 7 M1-F audit findings закрыты конструкцией (F-1..F-7)
  • Все 5 audit-package findings закрыты (F-A1..F-A5)
  • Все 4 M0+M1+M2 critic spec-vs-code findings закрыты (F-1..F-4)
  • Total: 16/16 findings closed, 0 открытых блокеров

Conformance:

  • NIST ACVP differential testing PASS (51/51 KAT byte-exact)
  • Spec ↔ code byte-exact alignment verified (16 ключевых constants/sizes table)
  • Domain registry sync (актуальный spec target ↔ mt-codec, см. VERSION.md)

Security:

  • 13/13 security invariants PASS (Pass 17 enforcement)
  • 6/6 Security Cards заполнены и closed (docs/security-cards.md)
  • Heap+mlock+zeroize для secret types verified

Determinism:

  • 60/60 M2 determinism invariants PASS
  • 0 HashMap (real usage) в consensus path; BTreeMap canonical sort
  • 0 SystemTime/Instant::now/RNG в consensus path
  • 0 f32/f64 в consensus path

Build & CI:

  • cargo audit clean (verified 2026-04-26: 0 vulnerabilities, 0 warnings, 39 deps)
  • cargo fmt --all -- --check clean
  • cargo clippy --all-targets -- -D warnings clean
  • cargo test --all 564+ PASS / 0 FAIL
  • cargo build --all --release clean
  • Reproducible builds verified through CI gate reproducible_release

Documentation:

  • Public API stable (mt-crypto types/signatures unchanged через M1-E + M1-F migrations)
  • Audit chain documented (Layer 1/2/3 explicit, exact line counts)
  • Threat model documented (in/out of scope explicit)
  • Known limitations documented с closure path
  • Reproduction commands verified working (each one tested 2026-04-26)
  • Documentation accuracy verified through critic review of audit package itself

Contact

Audit findings, questions, reports — fork репозиторий, open PR с patch + reproduction instructions.

Architect role + critic role files в репозитории — peer-reviewable methodology.