Third Party Audit (by Cure53)
Monocypher has been audited by Cure53 in June 2020.
After spending six days on the Monocypher scope during this June 2020 project, two members of the Cure53 team can confirm that the provided C code held well to their scrutiny. Few findings with limited severities evidence a good security premise of Monocypher. What is more, the code is exceptionally clean and demonstrates a clear focus on security features. It relates to typical targets around embedded environments, for instance by avoiding unnecessary memory allocations.
The findings highlight some exceptions linked to undocumented behavior (MON-01-001) and a minor lack of rigor in test vectors (MON-01-004). Beyond these, no serious issues were found in the Monocypher code itself. However, some issues were spotted in the cryptographic library design (see MON-01-005 and MON-01-002). Finally, the Monokex protocol suite’s specification was found to be lacking critical details on the behavior of its Message Authentication Codes (MON-01-006). In the same realm, Cure53 also points out the necessity to justify its relatively bareboned key derivation mechanism (MON-01- 003).
In conclusion, while the Monocypher code is well-written and supported by clean, documented code and a suitable amount of test vectors, the high-level design of the Monocypher’s developer-exposed API could use more refinement (MON-01-005), as could the specification of the Monokex suite of protocols (MON-01-006, MON-01-003). Since no issues of High- or Critical-severity could be spotted in the timeframe available for this audit, Cure53 concludes this 2020 assessment on a positive note.
Cure53 would like to thank Loup Vaillant-David who maintains Monocypher for his excellent project coordination, support and assistance, both before and during this assignment. Special gratitude needs to be extended to Open Technology Fund Washington for sponsoring this project.
I personally would like to thank Cure53 for their care and professionalism. Working with them was a pleasure. Also big thanks to the Open Technology Fund for financing the audit.