Hasty Briefsbeta

Bilingual

AI Meets Cryptography 1: What AI Found in Cloudflare's Circl

4 hours ago
  • #cryptography vulnerabilities
  • #AI security auditing
  • #open source security
  • zkSecurity built zkao, an AI audit agent designed to continuously find bugs in code until no AI-detectable ones remain.
  • An audit of Cloudflare's CIRCL library found seven real bugs, including critical issues in threshold RSA and attribute-based encryption, all now fixed.
  • Bugs included: float64 precision loss, DLEQ forgery, BLS missing message distinctness, DLEQ soundness break via sign collision, HPKE PSK bypass, int64 overflow in Lagrange coefficients, and CP-ABE access-control break.
  • AI severity ratings often misaligned with confirmed severity, highlighting challenges in impact assessment due to unseen downstream use.
  • Model performance varied; Claude Opus 4.6 found most bugs initially, but roles reversed with newer models like GPT-5.4, emphasizing model-agnostic approaches.
  • AI tends to gather multiple issues without chaining them into exploits, a gap zkao aims to address through improved processes.
  • The team emphasizes human-in-the-loop validation to ensure trustworthy reports and avoid AI spam, with ongoing improvements in automated triage.