AI Meets Cryptography 1: What AI Found in Cloudflare's Circl
5 hours ago
- #cryptography vulnerabilities
- #AI security auditing
- #open source security
- zkSecurity built zkao, an AI audit agent designed to continuously find bugs in code until no AI-detectable ones remain.
- An audit of Cloudflare's CIRCL library found seven real bugs, including critical issues in threshold RSA and attribute-based encryption, all now fixed.
- Bugs included: float64 precision loss, DLEQ forgery, BLS missing message distinctness, DLEQ soundness break via sign collision, HPKE PSK bypass, int64 overflow in Lagrange coefficients, and CP-ABE access-control break.
- AI severity ratings often misaligned with confirmed severity, highlighting challenges in impact assessment due to unseen downstream use.
- Model performance varied; Claude Opus 4.6 found most bugs initially, but roles reversed with newer models like GPT-5.4, emphasizing model-agnostic approaches.
- AI tends to gather multiple issues without chaining them into exploits, a gap zkao aims to address through improved processes.
- The team emphasizes human-in-the-loop validation to ensure trustworthy reports and avoid AI spam, with ongoing improvements in automated triage.