In September 2016, Matrix, with financial support from the Open Technology Fund, engaged NCC Group's Cryptography Services Practice to perform a targeted review of their cryptographic library Olm. The review covered two major components of the Olm library: the double ratchet used for peer-to-peer communications, and Megolm, the group ratcheting mechanism. Matrix has produced several reference implementations that make use of the Olm library, including the client-server SDK for JavaScript, matrix-js-sdk. Matrix-js-sdk was not reviewed during the engagement; however, certain remediations to issues were applied to this implementation rather than to Olm. The review covered the 1.3.0 release of the Olm library.
Two consultants performed the engagement over a span of two weeks (September 19 to September 30, 2016), for a total of 15 person-days of effort. A follow-up review of fixes was performed over the latter half of October.
The Public Report for this review may be downloaded below: