Our team includes PhD-level cryptographers who have spent years developing and cryptanalyzing complex cryptographic protocols (for example, see our published analysis and contributions to the EDHOC protocol). At the same time, we aren't solely academics. Half of our team comes from a traditional software and security background. We bring the best of both worlds; we know math, theory, software, and real-world systems.
Book a complimentary one-hour meeting with one of our engineers to dive into a challenging technical issue,
explore tooling options, and gain valuable insights directly from our experts. This session is purely
technical—no sales talk, just a focused discussion that showcases our depth, talent, and capabilities.
Cryptography is uniquely sensitive to design flaws, which can lead to severe vulnerabilities that are often subtle and hard to detect without specialized knowledge. Our team, skilled in theoretical and applied cryptography, assesses your design documents before you begin implementation, helping you avoid costly mistakes and rebuilds.
Comprehensive initial analysis
Our initial manual assessment focuses on understanding the system, identifying "low-hanging fruit" issues, and evaluating design choices. We examine algorithm security, parameter choices, and threat models to help ensure the design aligns with standard practices. We aim to clarify design goals and create reasonable threat models if they don't already exist.
In-depth analysis and clarification
Building on the initial understanding, we develop clarifying questions to discuss with you. These questions address underspecified areas and inconsistencies and refine threat models or design goals.
Tailored analysis for different systems
Our analysis is tailored for diverse systems, from traditional cryptographic systems like end-to-end encryption (E2EE) to completely novel cryptographic protocols. For systems like E2EE systems, we have extensive experience verifying their design goals and know the best design practices for key management, forward secrecy handling of images and files, and many more. For novel cryptographic protocols, we assess underlying assumptions and security proofs and enhance clarity, accuracy, and soundness to instill confidence in the protocol.
Automated analysis with powerful tools
In parallel with manual assessments, we integrate powerful cryptographic protocol verification tools such as Verifpal, ProVerif, CryptoVerif, and Tamarin. These tools automate the identification of known cryptographic attacks and verify specific properties.
Explore Our Design Assessments: Public Report for ZeroTier
Our team has extensive experience assessing standardized cryptography and cryptosystems. For each NIST standard, we maintain internal guidance and checklists for common vulnerabilities and misuse of these algorithms; we know what bugs to look for and how to find them. Whether you're building an encrypted hard drive, public key infrastructure, end-to-end encryption (E2EE) protocols, or any other standardized cryptography application, our team can help you.In addition to more standard and traditional cryptosystems, our team also prides itself on being experts in the cutting edge areas of cryptography, such as the following:
Zero-knowledge proofs
We have extensive experience assessing systems that leverage zero-knowledge proofs (ZKPs), including privacy coins, virtual machines, and frameworks like Circom, Halo2, and others. For each of these systems, we know the biggest threats and common mistakes to look for. For instance, for privacy coins, we look for Fiat-Shamir issues, input validation issues, violation of theoretical assumptions, specification and implementation discrepancies, etc.
Threshold signature schemes and multi-party computation
Multi-party computation (MPC) systems, and threshold signature schemes (TSS) in particular, are plagued with critical vulnerabilities. Assessing these systems effectively requires expertise in the theory underlying the protocols and low-level software (as many of these issues are subtle). We maintain an internal list of known vulnerabilities (and potential variants) against all major TSS and MPC protocols.
Novel and E2EE protocols
When tackling new protocols, we leverage our knowledge of similar protocols to inform our analysis. We have extensive experience designing and analyzing protocols, so we know how to formalize security notions, go beyond common assumptions, and formally prove security. When applicable, we commonly use formal verification tools such as Verifpal to quickly understand and analyze novel protocols. Over the past few years, E2EE has been a big trend in the industry, and our team has developed specialized expertise in designing and securing these systems.
Cloud cryptography
Our cloud cryptography assessments focus on high-level considerations, assessing whether systems use cloud cryptography services as intended and recommending efficiency gains. We emphasize avoiding insecure practices and offer ongoing guidance specific to various cloud cryptography platforms.
Hardware-based cryptography
We assess configurations for security concerns, restrict privileged access, and optimize resource usage in hardware-based cryptography systems. Our internal guidance includes high-level considerations for cryptographic hardware generally, as well as low-level guidance for specific hardware platforms.
Rust and Go cryptography
Our entire Assurance practice has extensive experience working with Rust and Go. We maintain internal checklists and comprehensive guidance for securing Rust and Go codebases, and the cryptography team regularly leverages these insights in our security assessments. However, we don’t just assess code; we have also built several tools and implemented multiple complex cryptographic protocols in both Rust and Go. We know how to write code securely, efficiently, and idiomatically, and we use this to inform our security assessments.
Explore Our Comprehensive Code Assessment: Public Report for SimpleX
We specialize in engineering secure cryptographic solutions tailored to your unique requirements. Our approach involves producing detailed specifications and implementing products with comprehensive documentation, safe APIs, and thorough testing. We offer four service variants:
Security software engineering
Cryptographic software is just like any other software, so building it securely requires the same knowledge of security engineering as any other software.
Languages we support
Specification writing
We understand the importance of clear and comprehensive documentation. We know what topics need to be included, what level of detail is required, and how to incorporate your design requirements.
Mandatory peer code reviews
Every line of code written in our cryptographic engineering projects is assessed by another member of the cryptography team who did not write that code. This helps ensure that every codebase produced in our engineering projects has a security posture comparable with any other codebase our team has assessed. These internal checks and balances are considered part of our development process and are not an additional charge to the service.
Scroll, a company extending Ethereum’s capabilities through zero-knowledge (ZK) technology and EVM compatibility faced the challenge of auditing its zkEVM circuits. Recognizing the need for advanced expertise and impactful recommendations, Scroll turned to Trail of Bits for several key reasons:
Learn how our comprehensive approach and expert insights empowered Scroll to strengthen their ZK circuit security and development practices.
Our Cryptography team develops and maintains multiple open-source tools, such as Tlspuffin and Circomspect, which we use in our internal assessments. We have also created custom rules for CodeQL. View our custom CodeQL rules on GitHub.
We are committed to sharing our knowledge with the community. We share our research and expertise whenever possible through our blog and in research papers. One of our most recent publications is Weak Fiat-Shamir attacks against modern proof systems.
Our cryptography team has developed and continues to maintain ZKDocs, offering comprehensive, detailed, and interactive documentation focused on ZKP systems and related cryptographic primitives.
Unlike many firms that follow a predefined checklist that limits the scope and capabilities, our assessments don't look to check boxes but discover the root causes of security weaknesses identified. This approach allows us to provide nuanced, actionable insights that do more than fix the immediate problems—they also enhance the system's overall resilience and security for the future. By focusing on the root causes and broader implications of security vulnerabilities, we empower our clients to not just respond to bugs but to develop stronger, more resilient software design, development, and coding practices.
Read our assessment of AleoWe are dedicated to the advancement, adoption, and research of emerging cryptography .
A consortium of developers and practitioners of multiparty computation (MPC), committed to accelerating market awareness and adoption of MPC to increase the security and privacy of online services.
The Post Quantum Cryptography Alliance (PQCA) is an open and collaborative initiative dedicated to driving the advancement and adoption of post-quantum cryptography.
We believe in the power of collaboration and the synthesis of knowledge across various fields to deliver unparalleled services to our clients. Our diverse company lines are not isolated silos of expertise. Instead, they represent a spectrum of capabilities that we seamlessly blend to meet the unique needs of each project.