Project Wycheproof tests crypto libraries against known attacks.
Project Wycheproof is named after
Mount Wycheproof, the smallest
mountain in the world. The main motivation for the project is to have a goal
that is achievable. The smaller the mountain the more likely it is to be able to
climb it.
[!NOTE]
Hello RWC 2024 attendees and others! Wycheproof recently moved to community
maintenance thanks to the shared efforts of Google and C2SP.
We are still working to update the README and documentation,
but we welcome your feedback and look forward to your contributions!
If you want to contribute, please read CONTRIBUTING and send
us pull requests. You can also report bugs or request new tests.
Project Wycheproof contains test vectors that can be used to test crypto
libraries against known attacks.
Unfortunately, in cryptography, subtle mistakes can have catastrophic
consequences, and we found that libraries fall into such implementation
pitfalls much too often and for much too long. Good implementation guidelines,
however, are hard to come by: understanding how to implement cryptography
securely requires digesting decades’ worth of academic literature. We recognize
that software engineers fix and prevent bugs with unit testing, and we found
that cryptographic loopholes can be resolved by the same means.
These observations have prompted us to develop Project Wycheproof, a collection
of test vectors that detect known weaknesses or check for expected behaviors of
some cryptographic algorithm. Project Wycheproof provides test vectors for most
cryptographic algorithms, including RSA, elliptic curve crypto and
authenticated encryption. Our cryptographers have systematically surveyed the
literature and implemented most known attacks. We have over 80 test cases which
have uncovered more than 40 bugs. For example, we found that we
could recover the private key of widely-used DSA and ECDHC implementations.
While we are committed to develop vectors for as many attacks as possible,
Project Wycheproof is by no means complete. Passing the test vectors does not
imply that the library is secure, it just means that it is not vulnerable to the
attacks that Project Wycheproof’s vectors test for. Cryptographers are also
constantly discovering new attacks. Nevertheless, with Project Wycheproof
developers and users now can check their libraries against a large number of
known attacks, without having to spend years reading academic papers or become
cryptographers themselves.
For more information on the goals and strategies of Project Wycheproof, please
check out our documentation.
Project Wycheproof has test vectors for the most popular crypto algorithms,
including
The test vectors detect whether a library is vulnerable to many attacks,
including
Historically Wycheproof also included test harnesses (e.g. for Java and
Javascript cryptography implementations) that tested a variety of attacks
directly against implementations. Since transitioning to community support
these harnesses have been removed (but still exist in git
history for interested parties at cd27d64). Our current focus is on
implementation-agnostic test vectors.
Here are some of the notable vulnerabilities that are uncovered by
Project Wycheproof’s vectors, or test runners:
OpenJDK’s SHA1withDSA leaks private keys > 1024 bits
Bouncy Castle’s ECDHC leaks private keys
Project Wycheproof was originally created and maintained by: