Legion ZK Auth implements zero-knowledge authentication with the following guarantees:
- ZK Proof System: Halo2 PLONK (no trusted setup)
- Soundness Error: 2^-128 (forgery probability)
- Hash Functions: Blake3 (credentials), Poseidon (circuit)
- Curves: Pasta (Pallas/Vesta)
- Key Derivation: BIP-39 (24-word mnemonic)
- User Anonymity: 1 of 2^20 (1,048,576) users
- Device Anonymity: 1 of 2^10 (1,024) devices per user
- Hardware Binding: WebAuthn TPM/Secure Enclave
- Zero-Knowledge: Server never learns identity
- ✅ Replay Attacks: Prevented by nullifiers + timestamps
- ✅ Session Theft: Prevented by linkability tag binding
- ✅ Credential Stuffing: BIP-39 entropy + rate limiting
- ✅ Timing Attacks: Constant-time operations in circuit
- ✅ Sybil Attacks: Device binding + nullifier tracking
DO NOT open public GitHub issues for security vulnerabilities.
Instead, email: security@yourdomain.com
Include:
- Description of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours.
- Always use HTTPS (required for WebAuthn)
- Set Redis password (`requirepass` in redis.conf)
- Run as non-root user (systemd User=legion)
- Restrict file permissions (chmod 700 /var/lib/legion/data)
- Enable firewall (only 80/443 open)
- Configure rate limiting (nginx limit_req)
- Monitor logs (journalctl -u legion -f)
- Regular backups (RocksDB + Redis)
- Use k=16 minimum in production (k=12/14 for testing only)
- Verify HTTPS before authentication
- Clear localStorage on logout
- Validate server responses
- Validate all inputs (hex strings, field elements)
- Check timestamp freshness (±10 minutes for k=16/18)
- Verify nullifier uniqueness (prevent replay)
- Enforce session TTL (Redis expiration)
- Log authentication attempts (audit trail)
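The server-side checks above (hex/field-element validation, timestamp freshness, nullifier uniqueness) combined into one routine, added here as an example; it is not code from the Legion repository. It assumes nullifiers are canonical 32-byte big-endian Pallas base-field elements in hex, and uses an in-memory map with a retention deadline in place of Redis expiration.

```rust
use std::collections::HashMap;

/// Pallas base field modulus p (Pasta curves). Assumption: nullifiers are canonical
/// big-endian Fp encodings, so a valid value must be strictly below p.
const PALLAS_P_HEX: &str = "40000000000000000000000000000000224698fc094cf91b992d30ed00000001";
/// Freshness window from the checklist: ±10 minutes.
const FRESHNESS_SECS: u64 = 600;

#[derive(Debug, PartialEq)]
pub enum Reject { BadHex, NotCanonical, Stale, Replay }

/// Decode exactly 64 hex characters into 32 bytes; any other length or char is rejected.
pub fn decode_hex32(s: &str) -> Option<[u8; 32]> {
    if s.len() != 64 || !s.bytes().all(|b| b.is_ascii_hexdigit()) { return None; }
    let mut out = [0u8; 32];
    for (i, chunk) in s.as_bytes().chunks(2).enumerate() {
        out[i] = u8::from_str_radix(std::str::from_utf8(chunk).ok()?, 16).ok()?;
    }
    Some(out)
}

/// For equal-length big-endian arrays, byte-wise ordering equals integer ordering,
/// so "canonical" is simply bytes < p.
pub fn is_canonical_fp(bytes: &[u8; 32]) -> bool {
    let p = decode_hex32(PALLAS_P_HEX).expect("modulus constant is valid hex");
    *bytes < p
}

/// Seen nullifiers mapped to the time until which they must be remembered
/// (stand-in for a Redis key with an expiration).
pub struct NullifierStore { seen: HashMap<[u8; 32], u64> }

impl NullifierStore {
    pub fn new() -> Self { Self { seen: HashMap::new() } }

    /// Validate one authentication attempt; on success the nullifier is recorded.
    /// `ts` is the proof's timestamp, `now` the server clock (both Unix seconds).
    pub fn check(&mut self, nullifier_hex: &str, ts: u64, now: u64) -> Result<(), Reject> {
        let n = decode_hex32(nullifier_hex).ok_or(Reject::BadHex)?;
        if !is_canonical_fp(&n) { return Err(Reject::NotCanonical); }
        // abs_diff avoids underflow when the client clock is slightly ahead.
        if now.abs_diff(ts) > FRESHNESS_SECS { return Err(Reject::Stale); }
        // Evict only entries older than the full window: a proof accepted at ts-600
        // could otherwise be replayed at ts+600, so retention must be 2 × window.
        self.seen.retain(|_, deadline| *deadline >= now);
        if self.seen.contains_key(&n) { return Err(Reject::Replay); }
        self.seen.insert(n, now + 2 * FRESHNESS_SECS);
        Ok(())
    }
}
```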
| Parameter | k=16 | k=18 |
|---|---|---|
| Circuit size | 2^16 = 65,536 rows | 2^18 = 262,144 rows |
| Proof time | ~4 minutes | ~15 minutes |
| Proof size | ~3.5 KB | ~4 KB |
| Security level | 128-bit | 128-bit |
| Soundness error | 2^-128 | 2^-128 |
| Date | Auditor | Scope | Status |
|---|---|---|---|
| 2025-01 | Internal | Full system review | ✅ Passed |
- Code review completed
- Dependencies audited (`cargo audit`)
- Secrets not in code
- HTTPS certificate valid
- Redis secured
- Rate limiting configured
- Monitoring setup
- Penetration testing
- Load testing
- Log monitoring active
- Backup strategy tested
- Incident response plan
- Security updates scheduled
We follow a 90-day disclosure timeline:
- Day 0: Vulnerability reported
- Day 1-7: Acknowledge and validate
- Day 7-30: Develop and test fix
- Day 30-60: Deploy fix to production
- Day 60-90: Public disclosure (coordinated)
We appreciate security researchers who help improve Legion:
- Responsible disclosure
- Coordinated timeline
- Public acknowledgment (with permission)
- Security: nantha.ponmudi@gmail.com
- GitHub: https://github.com/deadends/legion