<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>cryptography on The Trail of Bits Blog</title><link>https://miscreants.github.io/blog.trailofbits.com/categories/cryptography/</link><description>Recent content in cryptography on The Trail of Bits Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 02 Dec 2025 00:00:00 -0500</lastBuildDate><atom:link href="https://miscreants.github.io/blog.trailofbits.com/categories/cryptography/index.xml" rel="self" type="application/rss+xml"/><item><title>Introducing constant-time support for LLVM to protect cryptographic code</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/12/02/introducing-constant-time-support-for-llvm-to-protect-cryptographic-code/</link><pubDate>Tue, 02 Dec 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/12/02/introducing-constant-time-support-for-llvm-to-protect-cryptographic-code/</guid><description>Trail of Bits developed constant-time coding support for LLVM that prevents compilers from breaking cryptographic implementations vulnerable to timing attacks, introducing the __builtin_ct_select family of intrinsics that preserve constant-time properties throughout compilation.</description></item><item><title>We found cryptography bugs in the elliptic library using Wycheproof</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/</link><pubDate>Tue, 18 Nov 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/</guid><description>Trail of Bits discovered and disclosed two vulnerabilities in the widely used elliptic JavaScript library that could allow signature forgery or prevent valid signature verification, with one vulnerability still 
unfixed after the 90-day disclosure window.</description></item><item><title>How we avoided side-channels in our new post-quantum Go cryptography libraries</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/11/14/how-we-avoided-side-channels-in-our-new-post-quantum-go-cryptography-libraries/</link><pubDate>Fri, 14 Nov 2025 07:00:00 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/11/14/how-we-avoided-side-channels-in-our-new-post-quantum-go-cryptography-libraries/</guid><description>We&amp;rsquo;ve released open-source Go implementations of ML-DSA and SLH-DSA.</description></item><item><title>The cryptography behind electronic passports</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/10/31/the-cryptography-behind-electronic-passports/</link><pubDate>Fri, 31 Oct 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/10/31/the-cryptography-behind-electronic-passports/</guid><description>This blog post describes how electronic passports work, the threats within their threat model, and how they protect against those threats using cryptography. It also discusses the implications of using electronic passports for novel applications, such as zero-knowledge identity proofs.</description></item><item><title>Vulnerabilities in LUKS2 disk encryption for confidential VMs</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms/</link><pubDate>Thu, 30 Oct 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encryption-for-confidential-vms/</guid><description>Trail of Bits is disclosing vulnerabilities in confidential computing systems that use LUKS2 for disk encryption. 
These vulnerabilities allow attackers with access to storage disks to extract confidential data and modify contents.</description></item><item><title>Building secure messaging is hard: A nuanced take on the Bitchat security debate</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/07/18/building-secure-messaging-is-hard-a-nuanced-take-on-the-bitchat-security-debate/</link><pubDate>Fri, 18 Jul 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/07/18/building-secure-messaging-is-hard-a-nuanced-take-on-the-bitchat-security-debate/</guid><description>The release of Bitchat last week was met with a mixture of glowing praise and sharp criticism. Both extremes bear some truth, but they also miss the mark and reveal gaps in how we discuss security in emerging products.</description></item><item><title>What we learned reviewing one of the first DKLs23 libraries from Silence Laboratories</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/06/10/what-we-learned-reviewing-one-of-the-first-dkls23-libraries-from-silence-laboratories/</link><pubDate>Tue, 10 Jun 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/06/10/what-we-learned-reviewing-one-of-the-first-dkls23-libraries-from-silence-laboratories/</guid><description>In October 2023, we audited Silence Laboratories’ DKLs23 threshold signature scheme (TSS) library—one of the first production implementations of this then-novel protocol that uses oblivious transfer (OT) instead of traditional Paillier cryptography. 
Our review uncovered serious flaws that could enable key destruction attacks, which Silence Laboratories promptly fixed.</description></item><item><title>A deep dive into Axiom’s Halo2 circuits</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/05/30/a-deep-dive-into-axioms-halo2-circuits/</link><pubDate>Fri, 30 May 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/05/30/a-deep-dive-into-axioms-halo2-circuits/</guid><description>Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, including potential under-constrained issues resulting from its low-level API.</description></item><item><title>The cryptography behind passkeys</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/</link><pubDate>Wed, 14 May 2025 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/</guid><description>This post will examine the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates.</description></item><item><title>Sneak peek: A new ASN.1 API for Python</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/04/18/sneak-peek-a-new-asn.1-api-for-python/</link><pubDate>Fri, 18 Apr 2025 09:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/04/18/sneak-peek-a-new-asn.1-api-for-python/</guid><description>We&amp;rsquo;re working on integrating an ASN.1 API into PyCA Cryptography,&lt;br&gt;
built on top of the same Rust ASN.1 implementation already used by&lt;br&gt;
Cryptography&amp;rsquo;s X.509 APIs.</description></item><item><title>Best practices for key derivation</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/01/28/best-practices-for-key-derivation/</link><pubDate>Tue, 28 Jan 2025 09:00:18 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/01/28/best-practices-for-key-derivation/</guid><description>Key derivation is essential in many cryptographic applications, including key exchange, key management, secure communications, and building robust cryptographic primitives. But it’s also easy to get wrong: although standard tools exist for different key derivation needs, our audits often uncover improper uses of these tools that could compromise key security. Flickr’s API […]</description></item><item><title>Celebrating our 2024 open-source contributions</title><link>https://miscreants.github.io/blog.trailofbits.com/2025/01/23/celebrating-our-2024-open-source-contributions/</link><pubDate>Thu, 23 Jan 2025 09:00:30 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2025/01/23/celebrating-our-2024-open-source-contributions/</guid><description>While Trail of Bits is known for developing security tools like Slither, Medusa, and Fickling, our engineering efforts extend far beyond our own projects. Throughout 2024, our team has been deeply engaged with the broader security ecosystem, tackling challenges in open-source tools and infrastructure that security engineers rely on every day. 
This year, our engineers […]</description></item><item><title>Friends don’t let friends reuse IVs</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/09/13/friends-dont-let-friends-reuse-nonces/</link><pubDate>Fri, 13 Sep 2024 09:00:54 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/09/13/friends-dont-let-friends-reuse-nonces/</guid><description>If you’ve encountered cryptography software, you’ve probably heard the advice to never use an IV twice—in fact, that’s exactly where the other common name, nonce (number used once), comes from. Depending on the cryptography involved, a reused nonce can reveal encrypted messages, or even leak your secret key! But common knowledge may not cover every […]</description></item><item><title>“YOLO” is not a valid hash construction</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/21/yolo-is-not-a-valid-hash-construction/</link><pubDate>Wed, 21 Aug 2024 09:00:51 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/21/yolo-is-not-a-valid-hash-construction/</guid><description>Among the cryptographic missteps we see at Trail of Bits, “let’s build our own tool out of a hash function” is one of the most common. Clients have a problem along the lines of “we need to hash a bunch of different values together” or “we need a MAC” or “we need […]</description></item><item><title>We wrote the code, and the code won</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/</link><pubDate>Thu, 15 Aug 2024 07:50:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/15/we-wrote-the-code-and-the-code-won/</guid><description>Earlier this week, NIST officially announced three standards specifying FIPS-approved algorithms for post-quantum cryptography. The Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) is one of these standardized algorithms. 
The Trail of Bits cryptography team has been anticipating this announcement, and we are excited to share an announcement of our own: we built an open-source pure-Rust implementation of SLH-DSA, which has been merged into RustCrypto.</description></item><item><title>Cloud cryptography demystified: Google Cloud Platform</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/08/05/cloud-cryptography-demystified-google-cloud-platform/</link><pubDate>Mon, 05 Aug 2024 09:00:03 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/08/05/cloud-cryptography-demystified-google-cloud-platform/</guid><description>This post, the second in our series on cryptography in the cloud, provides an overview of the cloud cryptography services offered within Google Cloud Platform (GCP): when to use them, when not to use them, and important usage considerations. Stay tuned for future posts covering other cloud services. At Trail of Bits, […]</description></item><item><title>Our crypto experts answer 10 key questions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/25/our-crypto-experts-answer-10-key-questions/</link><pubDate>Thu, 25 Jul 2024 09:00:36 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/25/our-crypto-experts-answer-10-key-questions/</guid><description>Cryptography is a fundamental part of electronics and the internet that helps secure credit cards, cell phones, web browsing (fingers crossed you’re using TLS!), and even top-secret military data. 
Cryptography is just as essential in the blockchain space, with blockchains like Ethereum depending on hashes, Merkle trees, and ECDSA signatures, among other […]</description></item><item><title>Announcing AES-GEM (AES with Galois Extended Mode)</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/12/announcing-aes-gem-aes-with-galois-extended-mode/</link><pubDate>Fri, 12 Jul 2024 09:00:35 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/12/announcing-aes-gem-aes-with-galois-extended-mode/</guid><description>Today, AES-GCM is one of two cipher modes used by TLS 1.3 (the other being ChaCha20-Poly1305) and the preferred method for encrypting data in FIPS-validated modules. But despite its overwhelming success, AES-GCM has been the root cause of some catastrophic failures: for example, Hanno Böck and Sean Devlin exploited nonce misuse to […]</description></item><item><title>Quantum is unimportant to post-quantum</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/07/01/quantum-is-unimportant-to-post-quantum/</link><pubDate>Mon, 01 Jul 2024 09:00:01 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/07/01/quantum-is-unimportant-to-post-quantum/</guid><description>You might be hearing a lot about post-quantum (PQ) cryptography lately, and it’s easy to wonder why it’s such a big deal when nobody has actually seen a quantum computer. 
But even if a quantum computer is never built, new PQ standards are safer, more resilient, and more flexible than their classical […]</description></item><item><title>Disarming Fiat-Shamir footguns</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/24/disarming-fiat-shamir-footguns/</link><pubDate>Mon, 24 Jun 2024 09:00:38 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/24/disarming-fiat-shamir-footguns/</guid><description>The Fiat-Shamir transform is an important building block in zero-knowledge proofs (ZKPs) and multi-party computation (MPC). It allows zero-knowledge proofs based on interactive protocols to be made non-interactive. Essentially, it turns conversations into documents. This ability is at the core of powerful technologies like SNARKs and STARKs. Useful stuff! But the Fiat-Shamir […]</description></item><item><title>Themes from Real World Crypto 2024</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/06/18/themes-from-real-world-crypto-2024/</link><pubDate>Tue, 18 Jun 2024 09:00:27 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/06/18/themes-from-real-world-crypto-2024/</guid><description>In March, Trail of Bits engineers traveled to the vibrant (and only slightly chilly) city of Toronto to attend Real World Crypto 2024, a three-day event that hosted hundreds of brilliant minds in the field of cryptography. 
We also attended three associated events: the Real World Post-Quantum Cryptography (RWPQC) workshop, the Fully Homomorphic Encryption (FHE) […]</description></item><item><title>A peek into build provenance for Homebrew</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/</link><pubDate>Tue, 14 May 2024 09:00:05 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/05/14/a-peek-into-build-provenance-for-homebrew/</guid><description>Last November, we announced our collaboration with Alpha-Omega and OpenSSF to add build provenance to Homebrew. Today, we are pleased to announce that the core of that work is live and in public beta: homebrew-core is now cryptographically attesting to all bottles built in the official Homebrew CI. You […]</description></item><item><title>Announcing two new LMS libraries</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/</link><pubDate>Fri, 26 Apr 2024 09:00:32 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/04/26/announcing-two-new-lms-libraries/</guid><description>The Trail of Bits cryptography team is pleased to announce the open-sourcing of our pure Rust and Go implementations of Leighton-Micali Hash-Based Signatures (LMS), a well-studied NIST-standardized post-quantum digital signature algorithm. 
If you or your organization are looking to transition to post-quantum support for digital signatures, both of these implementations have been […]</description></item><item><title>Cryptographic design review of Ockam</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/03/05/cryptographic-design-review-of-ockam/</link><pubDate>Tue, 05 Mar 2024 09:00:38 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/03/05/cryptographic-design-review-of-ockam/</guid><description>In October 2023, Ockam hired Trail of Bits to review the design of its product, a set of protocols that aims to enable secure communication (i.e., end-to-end encrypted and mutually authenticated channels) across various heterogeneous networks. A secure system starts at the design […]</description></item><item><title>Circomspect has been integrated into the Sindri CLI</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/26/circomspect-has-been-integrated-into-the-sindri-cli/</link><pubDate>Mon, 26 Feb 2024 09:00:02 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/26/circomspect-has-been-integrated-into-the-sindri-cli/</guid><description>Our tool Circomspect is now integrated into the Sindri command-line interface (CLI)! We designed Circomspect to help developers build Circom circuits more securely, particularly given the limited tooling support available for this novel programming framework. 
Integrating this tool into a development environment like that provided by Sindri is a significant step toward […]</description></item><item><title>Breaking the shared key in threshold signature schemes</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/20/breaking-the-shared-key-in-threshold-signature-schemes/</link><pubDate>Tue, 20 Feb 2024 09:30:37 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/20/breaking-the-shared-key-in-threshold-signature-schemes/</guid><description>Today we are disclosing a denial-of-service vulnerability that affects the Pedersen distributed key generation (DKG) phase of a number of threshold signature scheme implementations based on the Frost, DMZ21, GG20, and GG18 protocols. The vulnerability allows a single malicious participant to surreptitiously raise the threshold required to reconstruct the shared key, which […]</description></item><item><title>Cloud cryptography demystified: Amazon Web Services</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/14/cloud-cryptography-demystified-amazon-web-services/</link><pubDate>Wed, 14 Feb 2024 09:00:06 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/14/cloud-cryptography-demystified-amazon-web-services/</guid><description>This post, part of a series on cryptography in the cloud, provides an overview of the cloud cryptography services offered within Amazon Web Services (AWS): when to use them, when not to use them, and important usage considerations. Stay tuned for future posts covering other cloud services. 
At Trail of Bits, we […]</description></item><item><title>Chaos Communication Congress (37C3) recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/02/02/chaos-communication-congress-37c3-recap/</link><pubDate>Fri, 02 Feb 2024 09:00:01 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/02/02/chaos-communication-congress-37c3-recap/</guid><description>Last month, two of our engineers attended the 37th Chaos Communication Congress (37C3) in Hamburg, joining thousands of hackers who gather each year to exchange the latest research and achievements in technology and security. Unlike other tech conferences, this annual gathering focuses on the interaction of technology and society, covering such topics as politics, entertainment, […]</description></item><item><title>We build X.509 chains so you don’t have to</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/</link><pubDate>Thu, 25 Jan 2024 09:00:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/</guid><description>For the past eight months, Trail of Bits has worked with the Python Cryptographic Authority to build cryptography-x509-verification, a brand-new, pure-Rust implementation of the X.509 path validation algorithm that TLS and other encryption and authentication protocols are built on. 
Our implementation is fast, standards-conforming, and memory-safe, giving the Python ecosystem a modern […]</description></item><item><title>Celebrating our 2023 open-source contributions</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/24/celebrating-our-2023-open-source-contributions/</link><pubDate>Wed, 24 Jan 2024 09:00:22 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/24/celebrating-our-2023-open-source-contributions/</guid><description>At Trail of Bits, we pride ourselves on making our best tools open source, such as Slither, PolyTracker, and RPC Investigator. But while this post is about open source, it’s not about our tools… In 2023, our employees submitted over 450 pull requests (PRs) that were merged into non-Trail of Bits repositories. This demonstrates our […]</description></item><item><title>Tag, you’re it: Signal tagging in Circom</title><link>https://miscreants.github.io/blog.trailofbits.com/2024/01/02/tag-youre-it-signal-tagging-in-circom/</link><pubDate>Tue, 02 Jan 2024 09:00:01 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2024/01/02/tag-youre-it-signal-tagging-in-circom/</guid><description>We at Trail of Bits perform security reviews for a seemingly endless stream of applications that use zero-knowledge (ZK) proofs. While fast new arithmetization and folding libraries like Halo2, Plonky2, and Boojum are rapidly gaining adoption, Circom remains a mainstay of ZK circuit design. We’ve written about Circom safety before in the […]</description></item><item><title>We’ve added more content to ZKDocs</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/12/26/weve-added-more-content-to-zkdocs/</link><pubDate>Tue, 26 Dec 2023 09:00:59 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/12/26/weve-added-more-content-to-zkdocs/</guid><description>We’ve updated ZKDocs with four new sections and additions to existing content. 
ZKDocs provides explanations, guidance, and documentation for cryptographic protocols that are otherwise sparingly discussed but are used in practice. As such, we’ve added four new sections detailing common protocols that previously lacked implementation guidance: The Inner Product Argument (IPA), which […]</description></item><item><title>Catching OpenSSL misuse using CodeQL</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/12/22/catching-openssl-misuse-using-codeql/</link><pubDate>Fri, 22 Dec 2023 09:00:35 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/12/22/catching-openssl-misuse-using-codeql/</guid><description>I’ve created five CodeQL queries that catch potentially potent bugs in the OpenSSL libcrypto API, a widely adopted but often unforgiving API that can be misused to cause memory leaks, authentication bypasses, and other subtle cryptographic issues in implementations. These queries—which I developed during my internship with my mentors, Fredrik Dahlgren and […]</description></item><item><title>A trail of flipping bits</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/12/18/a-trail-of-flipping-bits/</link><pubDate>Mon, 18 Dec 2023 08:30:16 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/12/18/a-trail-of-flipping-bits/</guid><description>Trusted execution environments (TEE) such as secure enclaves are becoming more popular to secure assets in the cloud. Their promise is enticing because when enclaves are properly used, even the operator of the enclave or the cloud service should not be able to access those assets. 
However, this leads to […]</description></item><item><title>Publishing Trail of Bits’ CodeQL queries</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/12/06/publishing-trail-of-bits-codeql-queries/</link><pubDate>Wed, 06 Dec 2023 08:30:25 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/12/06/publishing-trail-of-bits-codeql-queries/</guid><description>We are publishing a set of custom CodeQL queries for Go and C. We have used them to find critical issues that the standard CodeQL queries would have missed. This new release of a continuously updated repository of CodeQL queries joins our public Semgrep rules and Automated Testing Handbook in an effort […]</description></item><item><title>Adding build provenance to Homebrew</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/11/06/adding-build-provenance-to-homebrew/</link><pubDate>Mon, 06 Nov 2023 08:00:37 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/11/06/adding-build-provenance-to-homebrew/</guid><description>This is a joint post with Alpha-Omega—read their announcement post as well! We&amp;rsquo;re starting a new project in collaboration with Alpha-Omega and OpenSSF to improve the transparency and security of Homebrew. 
This six-month project will bring cryptographically verifiable build provenance to homebrew-core, allowing end users and companies to prove that Homebrew&amp;rsquo;s packages come from the official Homebrew CI/CD.</description></item><item><title>Don’t overextend your Oblivious Transfer</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/09/20/dont-overextend-your-oblivious-transfer/</link><pubDate>Wed, 20 Sep 2023 08:00:53 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/09/20/dont-overextend-your-oblivious-transfer/</guid><description>We found a vulnerability in a threshold signature scheme that allows an attacker to recover the signing key of threshold ECDSA implementations that are based on Oblivious Transfer (OT). A malicious participant of the threshold signing protocols could perform selective abort attacks during the OT extension subprotocol, recover the secret […]</description></item><item><title>A mistake in the bulletproofs paper could have led to the theft of millions of dollars</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/08/02/a-mistake-in-the-bulletproofs-paper-could-have-led-to-the-theft-of-millions-of-dollars/</link><pubDate>Wed, 02 Aug 2023 07:00:30 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/08/02/a-mistake-in-the-bulletproofs-paper-could-have-led-to-the-theft-of-millions-of-dollars/</guid><description>We discovered a critical vulnerability in Incognito Chain that would allow an attacker to mint arbitrary tokens and drain user funds. Incognito offers confidential transactions through zero-knowledge proofs, so an attacker could have stolen millions of dollars of shielded funds without ever being detected or identified. 
The vulnerability stemmed from an insecure […]</description></item><item><title>Real World Crypto 2023 Recap</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/05/16/real-world-crypto-2023-recap/</link><pubDate>Tue, 16 May 2023 09:54:43 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/05/16/real-world-crypto-2023-recap/</guid><description>Last month, hundreds of cryptographers descended upon Tokyo for the first Real World Crypto Conference in Asia. As in previous years, we dispatched a handful of our researchers and engineers to present and attend the conference. What sets RWC apart from other conferences is that it strongly emphasizes research, collaborations, and advancements in cryptography that […]</description></item><item><title>Circomspect has more passes!</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/03/21/circomspect-static-analyzer-circom-more-passes/</link><pubDate>Tue, 21 Mar 2023 08:00:24 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/03/21/circomspect-static-analyzer-circom-more-passes/</guid><description>TL;DR: We have released version 0.8.0 of Circomspect, our static analyzer and linter for Circom. Since our initial release of Circomspect in September 2022, we have added five new analysis passes, support for tags, tuples, and anonymous components, links to in-depth descriptions of each identified issue, and squashed a […]</description></item><item><title>Announcing a stable release of sigstore-python</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/01/13/sigstore-python/</link><pubDate>Fri, 13 Jan 2023 10:00:58 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/01/13/sigstore-python/</guid><description>Read the official announcement on the Sigstore blog as well! 
Trail of Bits is thrilled to announce the first stable release of sigstore-python, a client implementation of Sigstore that we’ve been developing for nearly a year! This work has been graciously funded by Google’s Open Source Security Team (GOSST), who we’ve also […]</description></item><item><title>Keeping the wolves out of wolfSSL</title><link>https://miscreants.github.io/blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/</link><pubDate>Thu, 12 Jan 2023 08:00:17 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/</guid><description>Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). These vulnerabilities have been discovered automatically using the novel protocol fuzzer tlspuffin. This blog post […]</description></item><item><title>Specialized Zero-Knowledge Proof failures</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/11/29/specialized-zero-knowledge-proof-failures/</link><pubDate>Tue, 29 Nov 2022 07:30:56 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/11/29/specialized-zero-knowledge-proof-failures/</guid><description>Zero-knowledge (ZK) proofs are useful cryptographic tools that have seen an explosion of interest in recent years, largely due to their applications to cryptocurrency. 
The fundamental idea of a ZK proof is that a person with a secret piece of information (a cryptographic key, for instance) can prove something about the secret […]</description></item><item><title>We sign code now</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/11/08/sigstore-code-signing-verification-software-supply-chain/</link><pubDate>Tue, 08 Nov 2022 07:30:15 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/11/08/sigstore-code-signing-verification-software-supply-chain/</guid><description>Sigstore announced the general availability of its free and ecosystem-agnostic software signing service two weeks ago, giving developers a way to sign, verify and protect their software projects and the dependencies they rely on. Trail of Bits is absolutely thrilled to be a part of the project, and we spoke about our […]</description></item><item><title>It pays to be Circomspect</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/09/15/it-pays-to-be-circomspect/</link><pubDate>Thu, 15 Sep 2022 00:00:43 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/09/15/it-pays-to-be-circomspect/</guid><description>In October 2019, a security researcher found a devastating vulnerability in Tornado.cash, a decentralized, non-custodial mixer on the Ethereum network. Tornado.cash uses zero-knowledge proofs (ZKPs) to allow its users to privately deposit and withdraw funds. 
The proofs are supposed to guarantee that each withdrawal can be matched against a […]</description></item><item><title>Themes from Real World Crypto 2022</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/05/03/themes-from-real-world-crypto-2022/</link><pubDate>Tue, 03 May 2022 07:00:04 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/05/03/themes-from-real-world-crypto-2022/</guid><description>Last week, over 500 cryptographers from around the world gathered in Amsterdam for Real World Crypto 2022, meeting in person for the first time in over two years. As in previous years, we dispatched a handful of our researchers and engineers to attend the conference, listen to talks, and schmooze observe the […]</description></item><item><title>Amarna: Static analysis for Cairo programs</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/04/20/amarna-static-analysis-for-cairo-programs/</link><pubDate>Wed, 20 Apr 2022 07:00:04 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/04/20/amarna-static-analysis-for-cairo-programs/</guid><description>We are open-sourcing Amarna, our new static analyzer and linter for the Cairo programming language. Cairo is a programming language powering several trading exchanges with millions of dollars in assets (such as dYdX, driven by StarkWare) and is the programming language for StarkNet contracts. 
But, not unlike other languages, it has its […]</description></item><item><title>The Frozen Heart vulnerability in PlonK</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/</link><pubDate>Mon, 18 Apr 2022 07:00:01 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/</guid><description>In part 1 of this blog post, we disclosed critical vulnerabilities that break the soundness of multiple implementations of zero-knowledge proof systems. This class of vulnerability, which we dubbed Frozen Heart, is caused by insecure implementations of the Fiat-Shamir transformation that allow malicious users to forge proofs for random statements. In part […]</description></item><item><title>The Frozen Heart vulnerability in Bulletproofs</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/</link><pubDate>Fri, 15 Apr 2022 07:00:52 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/</guid><description>In part 1 of this series, we disclosed critical vulnerabilities that break the soundness of multiple implementations of zero-knowledge proof systems. This class of vulnerability, which we dubbed Frozen Heart, is caused by insecure implementations of the Fiat-Shamir transformation that allow malicious users to forge proofs for random statements. 
In part 2, […]</description></item><item><title>The Frozen Heart vulnerability in Girault’s proof of knowledge</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/04/14/the-frozen-heart-vulnerability-in-giraults-proof-of-knowledge/</link><pubDate>Thu, 14 Apr 2022 07:00:32 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/04/14/the-frozen-heart-vulnerability-in-giraults-proof-of-knowledge/</guid><description>In part 1 of this series, we disclosed critical vulnerabilities that break the soundness of multiple implementations of zero-knowledge proof systems. This class of vulnerability, which we dubbed Frozen Heart, is caused by insecure implementations of the Fiat-Shamir transformation that allow malicious users to forge proofs for random statements. The vulnerability is […]</description></item><item><title>Coordinated disclosure of vulnerabilities affecting Girault, Bulletproofs, and PlonK</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/</link><pubDate>Wed, 13 Apr 2022 07:00:00 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/</guid><description>Trail of Bits is publicly disclosing critical vulnerabilities that break the soundness of multiple implementations of zero-knowledge proof systems, including PlonK and Bulletproofs. These vulnerabilities are caused by insecure implementations of the Fiat-Shamir transformation that allow malicious users to forge proofs for random statements. We’ve dubbed this class of vulnerabilities Frozen Heart. 
[…]</description></item><item><title>Part 2: Improving crypto code in Rust using LLVM’s optnone</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/02/01/part-2-rusty-crypto/</link><pubDate>Tue, 01 Feb 2022 07:00:25 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/02/01/part-2-rusty-crypto/</guid><description>Let’s implement crypto! Welcome to the second part of our posts on the challenges of implementing constant-time Rust code. Part 1 discussed challenges with constant-time implementations in Rust and WebAssembly and how optimization barriers can mitigate risk. The Rust crypto community has responded with several approaches, and in this post, we will […]</description></item><item><title>Part 1: The life of an optimization barrier</title><link>https://miscreants.github.io/blog.trailofbits.com/2022/01/26/part-1-the-life-of-an-optimization-barrier/</link><pubDate>Wed, 26 Jan 2022 07:00:35 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2022/01/26/part-1-the-life-of-an-optimization-barrier/</guid><description>Many engineers choose Rust as their language of choice for implementing cryptographic protocols because of its robust security guarantees. Although Rust makes safe cryptographic engineering easier, there are still some challenges to be aware of. 
Among them is the need to preserve constant-time properties, which ensure that, regardless of the input, code […]</description></item><item><title>Disclosing Shamir’s Secret Sharing vulnerabilities and announcing ZKDocs</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/12/21/disclosing-shamirs-secret-sharing-vulnerabilities-and-announcing-zkdocs/</link><pubDate>Tue, 21 Dec 2021 07:00:04 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/12/21/disclosing-shamirs-secret-sharing-vulnerabilities-and-announcing-zkdocs/</guid><description>Trail of Bits is publicly disclosing two bugs that affect Shamir’s Secret Sharing implementation of Binance’s threshold signature scheme library (tss-lib) and most of its active forks. Here is the full list of affected repositories: Binance’s tss-lib Clover Network’s threshold-crypto Keep Network’s keep-ecdsa Swingby’s tss-lib THORchain’s tss-lib ZenGo X’s […]</description></item><item><title>Serving up zero-knowledge proofs</title><link>https://miscreants.github.io/blog.trailofbits.com/2021/02/19/serving-up-zero-knowledge-proofs/</link><pubDate>Fri, 19 Feb 2021 06:59:31 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2021/02/19/serving-up-zero-knowledge-proofs/</guid><description>Zero-knowledge (ZK) proofs are gaining popularity, and exciting new applications for this technology are emerging, particularly in the blockchain space. So we’d like to shine a spotlight on an interesting source of implementation bugs that we’ve seen—the Fiat Shamir transformation. 
A ZK proof can be either interactive, where the […]</description></item><item><title>Reverie: An optimized zero-knowledge proof system</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/12/14/reverie-an-optimized-zero-knowledge-proof-system/</link><pubDate>Mon, 14 Dec 2020 07:50:27 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/12/14/reverie-an-optimized-zero-knowledge-proof-system/</guid><description>Zero-knowledge proofs, once a theoretical curiosity, have recently seen widespread deployment in blockchain systems such as Zcash and Monero. However, most blockchain applications of ZK proofs make proof size and performance tradeoffs that are a poor fit for other use-cases. In particular, these protocols often require an elaborate trusted setup phase and optimize for proof […]</description></item><item><title>ECDSA: Handle with Care</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/</link><pubDate>Thu, 11 Jun 2020 07:50:20 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/</guid><description>The elliptic curve digital signature algorithm (ECDSA) is a common digital signature scheme that we see in many of our code reviews. It has some desirable properties, but can also be very fragile. 
For example, LadderLeak was published just a couple of weeks ago, which demonstrated the feasibility of key recovery with a side channel […]</description></item><item><title>Detecting Bad OpenSSL Usage</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/05/29/detecting-bad-openssl-usage/</link><pubDate>Fri, 29 May 2020 07:50:06 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/05/29/detecting-bad-openssl-usage/</guid><description>OpenSSL is one of the most popular cryptographic libraries out there; even if you aren’t using C/C++, chances are your programming language’s biggest libraries use OpenSSL bindings as well. It’s also notoriously easy to mess up due to the design of its low-level API. Yet many of these mistakes fall into […]</description></item><item><title>Verifying Windows binaries, without Windows</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/05/27/verifying-windows-binaries-without-windows/</link><pubDate>Wed, 27 May 2020 07:50:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/05/27/verifying-windows-binaries-without-windows/</guid><description>TL;DR: We’ve open-sourced a new library, μthenticode, for verifying Authenticode signatures on Windows PE binaries without a Windows machine. We’ve also integrated it into recent builds of Winchecksec, so that you can use it today to verify signatures on your Windows executables! 
As a library, μthenticode aims to be a breeze to integrate: It’s written […]</description></item><item><title>Reinventing Vulnerability Disclosure using Zero-knowledge Proofs</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/05/21/reinventing-vulnerability-disclosure-using-zero-knowledge-proofs/</link><pubDate>Thu, 21 May 2020 07:50:27 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/05/21/reinventing-vulnerability-disclosure-using-zero-knowledge-proofs/</guid><description>We, along with our partner Matthew Green at Johns Hopkins University, are using zero-knowledge (ZK) proofs to establish a trusted landscape in which tech companies and vulnerability researchers can communicate reasonably with one another without fear of being sabotaged or scorned. Over the next four years, we will push the state of the art in […]</description></item><item><title>Themes from Real World Crypto 2020</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/01/23/themes-from-real-world-crypto-2020/</link><pubDate>Thu, 23 Jan 2020 07:00:07 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/01/23/themes-from-real-world-crypto-2020/</guid><description>Over 642 brilliant cryptographic minds gathered for Real World Crypto 2020, an annual conference that brings together cryptographic researchers with developers implementing cryptography in the wild. Overall, RWC 2020 was an impressive conference that demonstrated some amazing work. 
Here we explore three major themes that emerged: Crypto bugs are everywhere…Whether it’s a somewhat unsurprising Bleichenbacher […]</description></item><item><title>Exploiting the Windows CryptoAPI Vulnerability</title><link>https://miscreants.github.io/blog.trailofbits.com/2020/01/16/exploiting-the-windows-cryptoapi-vulnerability/</link><pubDate>Thu, 16 Jan 2020 11:28:34 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2020/01/16/exploiting-the-windows-cryptoapi-vulnerability/</guid><description>On Tuesday, the NSA announced they had found a critical vulnerability in the certificate validation functionality on Windows 10 and Windows Server 2016/2019. This bug allows attackers to break the validation of trust in a wide variety of contexts, such as HTTPS and code signing. Concerned? Get the important details and see if you’re vulnerable […]</description></item><item><title>How safe browsing fails to protect user privacy</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/10/30/how-safe-browsing-fails-to-protect-user-privacy/</link><pubDate>Wed, 30 Oct 2019 07:00:57 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/10/30/how-safe-browsing-fails-to-protect-user-privacy/</guid><description>Recently, security researchers discovered that Apple was sending safe browsing data to Tencent for all Chinese users. This revelation has brought the underlying security and privacy guarantees of the safe browsing protocol under increased scrutiny. In particular, safe browsing claims to protect users by providing them with something called k-anonymity. 
In this post we’ll show […]</description></item><item><title>Multi-Party Computation on Machine Learning</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/10/04/multi-party-computation-on-machine-learning/</link><pubDate>Fri, 04 Oct 2019 10:13:15 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/10/04/multi-party-computation-on-machine-learning/</guid><description>During my internship this summer, I built a multi-party computation (MPC) tool that implements a 3-party computation protocol for perceptron and support vector machine (SVM) algorithms. MPC enables multiple parties to perform analyses on private datasets without sharing them with each other. I developed a technique that lets three parties obtain the results of machine […]</description></item><item><title>Crypto 2019 Takeaways</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/09/11/crypto-2019-takeaways/</link><pubDate>Wed, 11 Sep 2019 06:50:16 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/09/11/crypto-2019-takeaways/</guid><description>This year’s IACR Crypto conference was an excellent blend of far-out theory and down-to-earth pragmatism. A major theme throughout the conference was the huge importance of getting basic cryptographic primitives right. 
Systems ranging from TLS servers and bitcoin wallets to state-of-the-art secure multiparty computation protocols were broken when one small sub-component was either chosen poorly […]</description></item><item><title>Rewriting Functions in Compiled Binaries</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/09/02/rewriting-functions-in-compiled-binaries/</link><pubDate>Mon, 02 Sep 2019 06:50:31 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/09/02/rewriting-functions-in-compiled-binaries/</guid><description>As a summer intern at Trail of Bits, I’ve been working on building Fennec, a tool to automatically replace function calls in compiled binaries that’s built on top of McSema, a binary lifter developed by Trail of Bits. The Problem Let’s say you have a compiled binary, but you […]</description></item><item><title>Better Encrypted Group Chat</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/08/06/better-encrypted-group-chat/</link><pubDate>Tue, 06 Aug 2019 06:50:24 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/08/06/better-encrypted-group-chat/</guid><description>Broadly, an end-to-end encrypted messaging protocol is one that ensures that only the participants in a conversation, and no intermediate servers, routers, or relay systems, can read and write messages. An end-to-end encrypted group messaging protocol is one that ensures this for all participants in a conversation of three or more people. End-to-end encrypted group […]</description></item><item><title>Seriously, stop using RSA</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/07/08/fuck-rsa/</link><pubDate>Mon, 08 Jul 2019 06:50:43 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/07/08/fuck-rsa/</guid><description>Here at Trail of Bits we review a lot of code. From major open source projects to exciting new proprietary software, we’ve seen it all. 
But one common denominator in all of these systems is that for some inexplicable reason people still seem to think RSA is a good cryptosystem to use. Let me save […]</description></item><item><title>State of the Art Proof-of-Work: RandomX</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/07/02/state/</link><pubDate>Tue, 02 Jul 2019 06:50:11 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/07/02/state/</guid><description>RandomX is a new ASIC and GPU-resistant proof-of-work (PoW) algorithm originally developed for Monero, but potentially useful in any blockchain using PoW that wants to bias towards general purpose CPUs. Trail of Bits was contracted by Arweave to review this novel algorithm in a two person-week engagement and provide guidance on alternate parameter selection. But […]</description></item><item><title>Leaves of Hash</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/06/17/leaves-of-hash/</link><pubDate>Mon, 17 Jun 2019 06:50:58 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/06/17/leaves-of-hash/</guid><description>Trail of Bits has released Indurative, a cryptographic library that enables authentication of a wide variety of data structures without requiring users to write much code. Indurative is useful for everything from data integrity to trustless distributed systems. 
For instance, developers can use Indurative to add Binary Transparency to a package manager — so users […]</description></item><item><title>Performing Concolic Execution on Cryptographic Primitives</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/04/01/performing-concolic-execution-on-cryptographic-primitives/</link><pubDate>Mon, 01 Apr 2019 07:50:55 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/04/01/performing-concolic-execution-on-cryptographic-primitives/</guid><description>For my winternship and springternship at Trail of Bits, I researched novel techniques for symbolic execution on cryptographic protocols. I analyzed various implementation-level bugs in cryptographic libraries, and built a prototype Manticore-based concolic unit testing tool, Sandshrew, that analyzed C cryptographic primitives under a symbolic and concrete environment. Sandshrew is a first step […]</description></item><item><title>What Application Developers Need To Know About TLS Early Data (0RTT)</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/03/25/what-application-developers-need-to-know-about-tls-early-data-0rtt/</link><pubDate>Mon, 25 Mar 2019 09:00:23 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/03/25/what-application-developers-need-to-know-about-tls-early-data-0rtt/</guid><description>TLS 1.3 represents the culmination of over two decades of experience in deploying large-scale transport security. For the most part it simplifies and improves the security of TLS and can act as a drop-in replacement for TLS 1.2. 
However, one new feature in the protocol represents a significant security risk to some existing applications: TLS […]</description></item><item><title>What do La Croix, octonions, and Second Life have in common?</title><link>https://miscreants.github.io/blog.trailofbits.com/2019/01/02/what-do-la-croix-octonions-and-second-life-have-in-common/</link><pubDate>Wed, 02 Jan 2019 06:50:33 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2019/01/02/what-do-la-croix-octonions-and-second-life-have-in-common/</guid><description>This year for CSAW CTF, Trail of Bits contributed two cryptography problems. In the first problem, you could combine two bugs to break DSA much like the PlayStation 3 firmware hackers. The other challenge – weirder and mathier – was split into two parts: one for the qualifiers, one in finals. This challenge, “Holywater,” was some of the most fun I’ve ever had making a CTF problem.</description></item><item><title>CSAW CTF Crypto Challenge: Breaking DSA</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/12/17/csaw-ctf-crypto-challenge-breaking-dsa/</link><pubDate>Mon, 17 Dec 2018 06:50:42 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/12/17/csaw-ctf-crypto-challenge-breaking-dsa/</guid><description>The Trail of Bits cryptographic services team contributed two cryptography CTF challenges to the recent CSAW CTF. 
Today we’re going to cover the easier one, titled “Disastrous Security Apparatus – Good luck, ‘k?” This problem involves the Digital Signature Algorithm (DSA) and the way an apparently secure algorithm can be made entirely insecure through surprising […]</description></item><item><title>We crypto now</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/11/07/we-crypto-now/</link><pubDate>Wed, 07 Nov 2018 06:50:17 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/11/07/we-crypto-now/</guid><description>Building and using cryptographic libraries is notoriously difficult. Even when each component of the system has been implemented correctly (quite difficult to do), improperly combining these pieces can lead to disastrous results. Cryptography, when rolled right, forms the bedrock of any secure application. By combining cutting-edge mathematics and disciplined software engineering, modern crypto-systems guarantee data and communication privacy.</description></item><item><title>A Guide to Post-Quantum Cryptography</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/22/a-guide-to-post-quantum-cryptography/</link><pubDate>Mon, 22 Oct 2018 06:50:12 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/22/a-guide-to-post-quantum-cryptography/</guid><description>For many high-assurance applications such as TLS traffic, medical databases, and blockchains, forward secrecy is absolutely essential. It is not sufficient to prevent an attacker from immediately decrypting sensitive information. Here the threat model encompasses situations where the adversary may dedicate many years to the decryption of ciphertexts after their collection. 
One potential way forward […]</description></item><item><title>Introduction to Verifiable Delay Functions (VDFs)</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/</link><pubDate>Fri, 12 Oct 2018 06:50:10 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/</guid><description>Finding randomness on the blockchain is hard. A classic mistake developers make when trying to acquire a random value on-chain is to use quantities like future block hashes, block difficulty, or timestamps. The problem with these schemes is that they are vulnerable to manipulation by miners. For example, suppose we are trying to run an […]</description></item><item><title>Fault Analysis on RSA Signing</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/08/14/fault-analysis-on-rsa-signing/</link><pubDate>Tue, 14 Aug 2018 12:39:52 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/08/14/fault-analysis-on-rsa-signing/</guid><description>This spring and summer, as an intern at Trail of Bits, I researched modeling fault attacks on RSA signatures. I looked at an optimization of RSA signing that uses the Chinese Remainder Theorem (CRT) and induced calculation faults that reveal private keys. I analyzed fault attacks at a low level rather than in […]</description></item><item><title>You could have invented that Bluetooth attack</title><link>https://miscreants.github.io/blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/</link><pubDate>Wed, 01 Aug 2018 07:05:38 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/</guid><description>A serious bluetooth bug has received quite a bit of attention lately. It’s a great find by Biham and Newman. Given BLE’s popularity in the patch-averse IoT world, the bug has serious implications. 
And yet, it’s remarkably clean and simple. Unlike many elliptic curve bugs, an average human can totally understand the bug and how […]</description></item><item><title>Start using the Secure Enclave Crypto API</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/06/28/start-using-the-secure-enclave-crypto-api/</link><pubDate>Tue, 28 Jun 2016 07:50:42 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/06/28/start-using-the-secure-enclave-crypto-api/</guid><description>tl;dr – Tidas is now open source. Let us know if your company wants help trying it out. When Apple quietly released the Secure Enclave Crypto API in iOS 9 (kSecAttrTokenIDSecureEnclave), it allowed developers to liberate their users from the annoyance of strong passwords or OAuth. That is, if the developers could make do without […]</description></item><item><title>Apple can comply with the FBI court order</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/</link><pubDate>Wed, 17 Feb 2016 02:42:34 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/</guid><description>Earlier today, a federal judge ordered Apple to comply with the FBI’s request for technical assistance in the recovery of the San Bernardino gunmen’s iPhone 5C. Since then, many have argued whether these requests from the FBI are technically feasible given the support for strong encryption on iOS devices. 
Based on my initial reading of […]</description></item><item><title>Let’s Encrypt the Internet</title><link>https://miscreants.github.io/blog.trailofbits.com/2016/01/05/lets-encrypt-the-internet/</link><pubDate>Tue, 05 Jan 2016 07:50:59 -0500</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2016/01/05/lets-encrypt-the-internet/</guid><description>We’re excited to announce our financial support for Let’s Encrypt, the open, automated and free SSL Certificate Authority (CA) that went into public beta on December 3. With so much room for improvement in the CA space, Let’s Encrypt offers a refreshing, promising vision of encrypting the web. Expensive SSL certificates are holding back Internet […]</description></item><item><title>Hardware Side Channels in the Cloud</title><link>https://miscreants.github.io/blog.trailofbits.com/2015/07/21/hardware-side-channels-in-the-cloud/</link><pubDate>Tue, 21 Jul 2015 07:50:01 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2015/07/21/hardware-side-channels-in-the-cloud/</guid><description>At REcon 2015, I demonstrated a new hardware side channel which targets co-located virtual machines in the cloud. This attack exploits the CPU’s pipeline as opposed to cache tiers which are often used in side channel attacks. When designing or looking for hardware based side channels – specifically in the cloud – I analyzed a […]</description></item><item><title>Analyzing the MD5 collision in Flame</title><link>https://miscreants.github.io/blog.trailofbits.com/2012/06/11/analyzing-the-md5-collision-in-flame/</link><pubDate>Mon, 11 Jun 2012 15:59:47 -0400</pubDate><guid>https://miscreants.github.io/blog.trailofbits.com/2012/06/11/analyzing-the-md5-collision-in-flame/</guid><description>One of the more interesting aspects of the Flame malware was the MD5 collision attack that was used to infect new machines through Windows Update. 
MD5 collisions are not new, but this is the first attack discovered in the wild and deserves a more in-depth look. Trail of Bits is uniquely qualified to perform this […]</description></item></channel></rss>