A Hitchhiker's Guide to Cryptography Code Audit

Abstract. The rapidly evolving landscape of cryptography introduces growing complexities which make secure code implementation very challenging. This is especially problematic in the fast-moving Web3 world, but also in privacy-sensitive applications and secure communications. In this context, not only does understanding cryptographic theory matter, but so does the effective implementation and auditing of cryptographic code. In this talk, which is a condensed version of our CCAW+CTF workshop accepted as affiliated event at Eurocrypt 2024, we will discuss the art of cryptographic code audit, based on our experience as cryptographers and auditors. We will start with explaining what a code audit is and how it works in practice from a business perspective. We will follow with a methodology, and a categorization of common pitfalls and vulnerabilities usually found in our audits, accompanied by real-world examples and code. Some of our findings have impacted big providers of crypto libraries and have been presented at top conferences.

Suggested reading: https://eurocrypt.iacr.org/2024/affiliated.php