Quarkslab's team performed a cryptographic and security assessment of the Monero Research Lab’s new Proof-of-Work algorithm, called RandomX [1]. RandomX is a proof-of-work algorithm that is optimized for general-purpose CPUs. RandomX uses random code execution together with several memory-hard techniques to minimize the efficiency advantage of specialized hardware. We only found minor inconsistencies and formulated a few recommendations. These recommendations are mainly relevant when using alternative configurations but they are of less importance with the current configuration and usage of RandomX. The full report of the assessment can be found at the following address: [2]
Introduction
With the support of the Open Source Technology Improvement Fund, Monero Research Lab commissioned four independent security reviews of its new Proof-of-Work algorithm RandomX. Quarkslab's security review was conducted once the reports of the three previous reviews were available ([ToB], [Kud] and [X41]). The evaluation was spread over about three weeks for a total of 32 engineer-days with three engineers. To maximize the value of a fourth review, Quarkslab focused part of its efforts on:
the analysis of a few areas less covered by previous reports,
the analysis of the previous reports, the responses of Monero Research Lab, and the subsequent changes in the code and in the specifications.
Scope
The primary goals of such an audit are to verify that:
the implementation faithfully follows the protocol specification,
there are no vulnerabilities,
the criteria for a proof of work are met.
The criteria for a proof-of-work algorithm are:
Optimization-free: there is no algorithmic speed-up that allows one to calculate the hash faster than the reference algorithm.
Progress-free: proof of work calculation does not depend on the history of previous calculations.
Approximation-free: it is not possible to achieve a speed-up larger than the inverse rate of invalid hashes.
The evaluation that Quarkslab undertook included the following four steps:
Global understanding of the specifications and RandomX components (5 days).
Checking that the RandomX specifications are cryptographically secure and do not allow algorithmic optimizations (10 days).
Validating that the code matches the specifications, together with a vulnerability analysis (10 days).
Verifying that the implementation is "optimization-free" (7 days).
Results
We only found minor inconsistencies and formulated a few recommendations. These recommendations are mainly relevant when using alternative configurations but they are of less importance with the current configuration and usage of RandomX.
Conclusion
Despite a highly complex and radically new subject, the documentation and code of RandomX were of very high quality. All the attack paths we could think of had already been taken into account, or at least studied, in the previous audits. We then reviewed the previous reports, the Monero Research Lab replies and the subsequent code changes, and we agreed with them.
Moreover, we didn't find any significant optimization of the proof-of-work algorithm, even with approximations.
The full report of the assessment can be found at the following address: [2]
We would like to thank OSTIF and Monero Research Lab for making this assessment possible.
In particular, we would like to thank Howard Chu and Tevador for their availability, responsiveness and cooperation.
[1] https://github.com/tevador/RandomX
[2] Full report of the assessment
[Kud] J.-P. Aumasson, RandomX Security Audit, July 2019. https://github.com/hyc/RandomxAudits/blob/master/Report-Kudelski-20190702.pdf
[ToB] P. Kehrer, W. Song and E. Sultanik, RandomX Security Assessment, May 2019. https://github.com/hyc/RandomxAudits/blob/master/Report-TrailOfBits.pdf
[X41] E. Sesterhenn, G. Kopf, L. Merino, S. Bazanski and M. Vervier, RandomX Audit, July 2019. https://github.com/hyc/RandomxAudits/blob/master/Report-X41-20190705.pdf