Our team has extensive experience assessing standardized cryptography and cryptosystems. For each NIST standard, we maintain
internal guidance and checklists for common vulnerabilities and misuse of these algorithms; we know what bugs to look
for and how to find them. Whether you're building an encrypted hard drive, public key infrastructure, end-to-end encryption
(E2EE) protocols, or any other standardized cryptography application, our team can help you.In addition to more standard
and traditional cryptosystems, our team also prides itself on being experts in the cutting edge areas of cryptography,
such as the following:
Zero-knowledge proofs
We have extensive experience assessing systems that leverage zero-knowledge proofs (ZKPs), including privacy coins,
virtual machines, and frameworks like Circom, Halo2, and others. For each of these systems, we know the biggest threats
and common mistakes to look for. For instance, for privacy coins, we look for Fiat-Shamir issues, input validation issues,
violation of theoretical assumptions, specification and implementation discrepancies, etc.
Threshold signature schemes and multi-party computation
Multi-party computation (MPC) systems, and threshold signature schemes (TSS) in particular, are plagued with critical
vulnerabilities. Assessing these systems effectively requires expertise in the theory underlying the protocols and
low-level software (as many of these issues are subtle). We maintain an internal list of known vulnerabilities
(and potential variants) against all major TSS and MPC protocols.
Novel and E2EE protocols
When tackling new protocols, we leverage our knowledge of similar protocols to inform our analysis. We have extensive experience
designing and analyzing protocols, so we know how to formalize security notions, go beyond common assumptions, and
formally prove security. When applicable, we commonly use formal verification tools such as Verifpal to quickly understand
and analyze novel protocols. Over the past few years, E2EE has been a big trend in the industry, and our team has developed
specialized expertise in designing and securing these systems.
Cloud cryptography
Our cloud cryptography assessments focus on high-level considerations, assessing whether systems use
cloud cryptography services as intended and recommending efficiency gains. We emphasize avoiding insecure
practices and offer ongoing guidance specific to various cloud cryptography platforms.
Hardware-based cryptography
We assess configurations for security concerns, restrict privileged access, and optimize resource usage in hardware-based
cryptography systems. Our internal guidance includes high-level considerations for cryptographic hardware
generally, as well as low-level guidance for specific hardware platforms.
Rust and Go cryptography
Our entire Assurance practice has extensive experience working with Rust and Go. We maintain internal checklists
and comprehensive guidance for securing Rust and Go codebases, and the cryptography team regularly leverages these
insights in our security assessments. However, we don’t just assess code; we have also built several tools and
implemented multiple complex cryptographic protocols in both Rust and Go. We know how to write code securely,
efficiently, and idiomatically, and we use this to inform our security assessments.
Explore Our Comprehensive Code Assessment: Public Report for SimpleX