
Nxt Crypto Review Completed

Two days ago, BCT user Jesse James, also known as DoctorEvil, finished his review of the implementation of Curve25519 in Nxt.

Jesse James may be known to some, as he has already uncovered a security flaw in Nxt and reported it instead of taking advantage of it.

Here is the summary of his review, again with the relevant links from Jesse James:

“I spent some quality time reviewing the core crypto NXT relies on. As part of my review I re-implemented the relevant algorithms https://gist.github.com/doctorevil/9521126 using a different approach in a different language to make sure I understood everything deeply. Although the implementation NXT uses doesn’t follow certain algorithm specifications to the letter, the deviations noted (motivated by simplicity and/or performance) seemed reasonable and in general nothing stuck out as a red flag. There was one bug in the signature generation function (that NXT is aware of and currently working around) for which I’ve provided a patch (or more precisely tweaked BloodyRookie’s proposed patch). It should be safe for devs to incorporate this patch at their convenience.

Review: https://gist.github.com/doctorevil/9521116

Code: https://gist.github.com/doctorevil/9521126

I have had difficulty making this post, as describing the importance is outside my competence, so I decided to ask one of our resident technical people, chanc3r, who is also a member of the Nxt Infrastructure Committee, to explain it to me.

Here is what he mailed back to me:

Like many other cryptos, SHA-256 of a ‘brain wallet passphrase’ is used to generate the private key for a given account.

In the case of NXT, Curve25519+EC-KCDSA as originally designed by Daniel Bernstein is additionally used by NXT to generate the public key for the account.

The original implementation of Curve25519 in x86 assembler has been lost and NXT originally used a port from C to Java to implement the Curve25519 encryption; the accuracy of the C port was unknown due to the missing assembler sources.

It has been a source of concern that there is no direct link between the original Curve25519 specification paper and the Java implementation used within NXT.

Therefore the NXT community commissioned an audit of the current implementation against the original specification written by Dr Bernstein.

The results of this audit by Jesse James are now available; a summary is shown below, and the full audit report can be found here: https://gist.github.com/doctorevil/9521116

1. The choice of NXT developers of this cryptographic scheme is suitable for this purpose.
2. The implementation has a number of valid deviations/improvements from the original Curve25519 specification.
3. NXT is immune as a result of this implementation to signature malleability.
4. The audit included a new Curve25519 implementation in Python from the original papers; this implementation and the NXT Java implementation agree exactly on key output when tested, verifying the accuracy of the NXT Curve25519 implementation.

In summary the implementation of Curve25519 is an accurate translation of the specification of its designer Dr Daniel Bernstein and is a suitable choice for the use-cases that NXT requires.


Voting for the Nxt Funding Committees is nearly over!

Just wanted you all to know that in eight hours voting for the members of the Nxt Funding Committees will end.

These committees will each administer around 2.8 million Nxt from the unclaimed Nxt that will be put to use for technical development, infrastructural development and marketing efforts.

YOUR VOTE COUNTS!

You can apply to user rickyjames for a ballot and vote.

240 people have already voted. Please take the time to influence the course of Nxt by your vote.

You can find the statements by the nominees in this thread.

Thank you for your efforts!


Nxt source code released a month early!

In a surprise move, Nxt client developer Jean-Luc today released the Nxt source code a month earlier than planned. The original release date was planned to be the 3rd of April.

You can find the post here.

The source code can be found at https://bitbucket.org/JeanLucPicard/nxt/.

The master branch is still 0.7.6; develop is 0.8.3 plus the latest unreleased changes.


Update to 0.5.12 NOW!

Please update to 0.5.12; a critical bug in 0.5.11 has been fixed!

http://www.nxtcrypto.org/nxt-coin/client-download