Trail of Bits

Cryptography

Protocols, primitives & implementations

Overview

We audit cryptographic protocols and implementations across zero-knowledge proofs, MPC, post-quantum, and the classical primitives underpinning modern systems. Our cryptographers publish original cryptanalysis, build static-analysis tooling like Circomspect, and maintain ZKDocs — the reference for zero-knowledge proof systems.

Half the team has PhDs in cryptography; the other half ships production cryptographic code in Rust, Go, and C. Every engagement gets both.

Why work with Trail of Bits

  • 01

    Math meets implementation

    PhD cryptographers and senior software engineers staff every engagement. The math is checked against the code, and the code is checked against the threat model — so design flaws don't survive the review and implementation bugs don't survive the math.

  • 02

    We publish everything

    Methodologies, tools, misuse patterns — they all end up in public reports, papers, or open-source repos. ZKDocs, Circomspect, our CodeQL crypto rules, and our weak Fiat-Shamir cryptanalysis are free for the industry to use, and free for your team to learn from.

  • 03

    Deliverables your team can run with

    Every engagement ships fixes you can drop into CI — Semgrep and CodeQL rules tuned to your code, fuzzing harnesses for cryptographic boundaries, and short- and long-term SDLC recommendations your team can act on after we leave.

Services & deliverables

Cryptographic Design Assessment

Service

Cryptography is uniquely sensitive to design flaws, which can lead to severe vulnerabilities that are often subtle and hard to detect without specialized knowledge. Our team, skilled in theoretical and applied cryptography, assesses your design documents before you begin implementation, helping you avoid costly mistakes and rebuilds.

01
Algorithm security evaluation & parameter optimization
02
Design goal clarification & threat model development
03
Integration of automated cryptographic protocol verification tools
04
End-to-end encryption design validation & best practices

Cryptographic Code Assessment

Service

Our team has extensive experience assessing standardized cryptography and cryptosystems. For each NIST standard, we maintain internal guidance and checklists for common vulnerabilities and misuse of these algorithms. Whether you're building an encrypted hard drive, public key infrastructure, end-to-end encryption protocols, or cutting-edge cryptographic applications, our team can help you.

01
Zero-knowledge proof system assessment & vulnerability detection
02
Multi-party computation & threshold signature scheme analysis
03
Cloud cryptography service optimization & security hardening
04
Hardware-based cryptography configuration & access control
05
Rust & Go cryptography implementation security assessment

Cryptographic Engineering

Service

We specialize in engineering secure cryptographic solutions tailored to your unique requirements. Our approach involves producing detailed specifications and implementing products with comprehensive documentation, safe APIs, and thorough testing.

01
Complete cryptographic solution design & implementation
02
Legacy system enhancement with modern security features
03
Multi-language support including Rust, Go, C/C++, Python & TypeScript
04
Comprehensive specification writing & documentation
05
Mandatory peer code review by cryptography experts

Case study: Navigating zkEVM Challenges

Service

Scroll, a company extending Ethereum's capabilities through zero-knowledge (ZK) technology and EVM compatibility faced the challenge of auditing its zkEVM circuits. Recognizing the need for advanced expertise and impactful recommendations, Scroll turned to Trail of Bits for several key reasons:

Learn how our comprehensive approach and expert insights empowered Scroll to strengthen their ZK circuit security and development practices.

01
Advanced expertise in ZK circuits.
02
Impactful recommendations that enhance your SDLC.
03
Instructions on implementing tools and custom Semgrep rules into your CI.

What ships with every engagement

Most pen-test firms hand you a PDF and walk away. Every Trail of Bits engagement ships a deliverable set your engineering team can plug into their workflow on day one and keep using long after we're gone.

Deliverable Trail of Bits Status Quo

Written findings report

Severity, difficulty, and exploit scenario for every finding.

Short- and long-term SDLC recommendations

Not just bug fixes — process changes that prevent the next class of bug.

Codebase maturity evaluation

Structured review of testing, documentation, access controls, and supply-chain hygiene.

Exploit PoCs + code artifacts

Runnable demonstrations for each finding so your engineers can reproduce and verify fixes.

Sometimes

CI-ready Semgrep / CodeQL rules

Custom static-analysis rules tuned to the patterns we found in your code.

Fuzzing harnesses

Cryptographic-boundary fuzzers you keep running after we leave.

LLM and Claude-skill harnesses

Agent skills and prompts to help your team triage findings and pre-flight the next review.

Live walkthrough + fix-review retest

We read out findings in person and re-test patches when they land.

Sometimes

Open publication of generalizable findings

Novel issues turn into public research so the whole industry benefits.

Comparison based on the standard published deliverables of the major application-security firms as of May 2026.

Public work

Public Crypto assessments

Browse library →
Public engagements
59
Person-weeks logged
334
Distinct groups
2
With effort reported
59

Recent public engagements

Date Engagement Client / group Effort
Apr 2026 Ripple Labs XRP Ledger Confidential Transfer Cryptography Reviews 6 wks
Mar 2026 Open Home Foundation SecureTar v3 Cryptography Reviews 1 wk
Mar 2026 Anza BLS Signatures Cryptography Reviews 1 wk
Feb 2026 NEAR One Robust ECDSA Cryptography Reviews 6.4 wks
Feb 2026 DV Labs Charon Pedersen DKG Cryptography Reviews 2 wks
Jan 2026 Anza Token-2022 Confidential Transfer, Cryptography Cryptography Reviews 7 wks
Jan 2026 Calyx Institute HSM Provisioning Ceremony Scripts Cryptography Reviews 1 wk
Jan 2026 BSV Blockchain TS-SDK Cryptography Reviews 6 wks
Jan 2026 Bron Labs MCP Library Cryptography Reviews 8 wks
Dec 2025 NEAR One Confidential Key Derivation Cryptography Reviews 4 wks

Get in touch

Book a technical office hours session

Book a complimentary one-hour meeting with one of our engineers to dive into a challenging technical issue, explore tooling options, and gain valuable insights directly from our experts. This session is purely technical — no sales talk, just a focused discussion that showcases our depth, talent, and capabilities.

Book a Session