Olm is an implementation of the Double Ratchet cryptographic ratchet in C++.

In September 2016, Matrix, with financial support from the Open Technology Fund, engaged NCC Group’s Cryptography Services Practice to perform a targeted review of their cryptographic library Olm. The review covered two major components of the Olm library: the double ratchet used for peer-to-peer communications, and Megolm, the group ratcheting mechanism. Matrix has produced several reference implementations that make use of the Olm library, including the client-server SDK for JavaScript, matrix-js-sdk. matrix-js-sdk was not reviewed during the engagement; however, certain remediations to issues were applied to this implementation and not to Olm.

The review covered the 1.3.0 release of the Olm library. Two consultants performed the engagement over a span of two weeks (September 19 to September 30, 2016), for a total of 15 person-days of effort. A follow-up review of fixes was performed over the latter half of October.

NCC Group’s evaluation focused on issues specific to double ratchets used in secure messaging applications, general cryptographic concerns, and potential vulnerabilities introduced by the C programming environment.

The full audit can be found below.

Olm Cryptographic Review