The development of a cryptographic product, from a whiteboard protocol to an industrial grade implementation, is a long and complex process. Our experts will help you avoid common (and less common) pitfalls at any stage of the development.
Related technology
Post-Quantum Cryptography
You are not prepared.
One day, quantum computers will become a reality. When that day comes, RSA, Elliptic Curves and many other fundamental cryptographic primitives will become obsolete. Post-Quantum Cryptography offers secure alternatives and we can help you get ready.
Related services
Certification
Let us help to get your security certificate.
Are you really sure that your security solution is ready to cope with the real world? Are you certain that your in-house design will survive the scrutiny of expert cryptographers?
CryptoExperts offers externalized R&D and consulting services in a wide variety of security areas. We can perform an in-depth design and security analysis of your application, spot the cryptographic misconceptions, propose appropriate alternatives and help you to achieve a successful security certification.
Design
Security by design is not an abstract concept.
Beware of alleged "military grade secure" products. It is one thing to encrypt with AES-256 or to sign with CRYSTALS-Dilithium, doing it correctly is a different kettle of fish.
We can help you build innovative products that require any standard or advanced cryptographic tools, such as elliptic curves, identity-based encryption, post-quantum signatures, e-cash, and many others.
Related research projects
KLEPTOMANIAC
Despite the emergence of post-quantum schemes, the RSA cryptosystem and the Diffie-Hellman key exchange protocol in finite fields are still widely deployed. The main cryptanalytic tool for assessing the hardness of their underlying mathematical problems (e.g., integer factorization) is the Number Field Sieve (NFS) algorithm. The main objective of the KLEPTOMANIAC project is to investigate it further to evaluate as accurately as possible the security of these common asymmetric schemes.
VERISICC
Verifying side-channel countermeasures with automatic tools.
The VERISICC project aims to build automatic tools to verify and generate proven masked cryptographic implementations. These tools will allow industrial people to develop secure and efficient implementations and to certification bodies to quickly and accurately verify the implementations submitted to an evaluation.
Analysis of Cryptographic Algorithms and Protocols
Are you aware of all the latest cryptography advances? We certainly are. And we put our expertise at your service to evaluate any cryptographic algorithm or protocol your engineers chose to include in your product. Does it require one of those new lightweight block ciphers? Or perhaps, a lightning fast signature algorithm? You name it.
We extract a cryptographic model from the specifications of the applicative architecture and identify the threat model that best captures your security expectations. Based on the latest advances of cryptanalysis techniques and/or using security proving, we then provide a quantitative security level assessment (a.k.a. number of bits of security) as to how well the security solution effectively resists the identified security threats.
We provide a quantitative security level assessment.
Cryptographic algorithms and protocols are the heart of your security product, so you should choose them wisely. We can help you make the right choice, confirm that you did, or suggest (tailor-made) alternatives.
Code Review
Writing code is hard. Writing secure code is even harder. Writing secure cryptographic code is an art. Our experts can help you review your code to make sure it is bullet proof. Whether it is high level Java code for your Android app, Swift or Objective-C code for your iOS app, Rust, Python, C, or assembly code on dedicated hardware, we can help.
We do not restrict to bug finding. We provide recommendation concerning the architecture, APIs and style. We let you know whether the implementation really conforms to the security requirements you aim for.
Are you compliant with the SEI CERT Coding Standards? Want to find out? Contact us now!
Randomness Analysis
Any cryptographic algorithm requires randomness at some point. And it’s better be good! Even the most advanced cryptosystem will eventually fail when associated with a bad TRNG or PRNG, putting at risk the full stack of security measures you carefully crafted. Hopefully, we’ve got you covered.
There are many ways to test the quality of a random number generator. When the source code of the generator is available, CryptoExperts can perform a full source code review, together with a quality and performance analysis (see below). When you don’t have access to the source code (or don’t want to disclose it), there are still many empirical tests that can be performed.
Many generators output (pseudo)random bits. CryptoExperts has developed its own statistical test suite, made of 15+ statistical tests, carefully chosen for their complementarity. Our tests include all those recommended by the NIST’s Special Publication 800-22, which is the de facto standard in the field, but also Diehard tests. CryptoExperts has further developed its own suite of generic tests, that apply in many different scenarios, and chances are we already encountered yours.
While good statistical properties are a must-have for randomness in cryptographic applications, they are not sufficient! Cryptographic randomness must be unpredictable and this unpredictability comes at the price of using the right cryptographic pseudorandom generators. In case of any doubt, we can audit your design and implementation and track any security weaknesses.
Side Channel Analysis
A secure cryptosystem does not make a secure cryptographic implementation. Security-related or cryptographic code often leaves the door open to a number of practical side-channel attacks that are hardly taken into account at the specification level (microarchitectural attacks, timing attacks, physical attacks enabling key recovery such as side channels and fault injection, security-impacting bugs, internal trapdoors and kleptographic hacks).
Rich in its participation in several French and European projects in this field, CryptoExperts has developed a deep expertise in the area of side-channel analysis and efficient security countermeasures. Given low-level specifications and/or software code, we let you know whether your implementation really conforms to the identified security requirements or not.
Find out whether your security product, application or architecture is worth your investments.