Cryptographic assumptions are the bedrock of blockchain security. They are unproven but widely accepted mathematical conjectures that underpin protocols like digital signatures, zero-knowledge proofs, and consensus mechanisms. Common examples include the discrete logarithm problem (used in ECDSA), the RSA assumption, and the knowledge-of-exponent assumption. Before deploying or auditing a system, you must identify and critically assess these assumptions. A flawed or inappropriate assumption can render an entire protocol insecure, regardless of the elegance of its code.
LABS
Guides
How to Review Cryptographic Assumptions
A step-by-step framework for developers and auditors to systematically evaluate the cryptographic assumptions underlying blockchain protocols, smart contracts, and zero-knowledge proof systems.
Chainscore © 2026
introduction
FOUNDATIONS
How to Review Cryptographic Assumptions
A systematic guide for developers and auditors to evaluate the security foundations of blockchain protocols and cryptographic systems.
Start your review by mapping the protocol's cryptographic primitives to their core assumptions. For a zk-SNARK circuit, this involves checking the underlying elliptic curve pairing and the specific knowledge soundness assumption (e.g., q-PKE, q-PDH). For a consensus mechanism like Proof-of-Stake, you must evaluate the economic assumptions about rational actor behavior and the cryptographic assumptions in the signature scheme (BLS, EdDSA). Document each assumption, its role in the system, and any known attacks or reductions in security proofs. Resources like the IACR ePrint archive are essential for finding the latest cryptanalysis.
Next, evaluate the real-world validity of each assumption. Consider the adversarial model: is the assumption secure against a quantum adversary, or only a classical one? Assess the security parameter (e.g., 128-bit security) and whether the implementation's parameters (curve size, key length) achieve it. For example, using the secp256k1 curve provides ~128-bit security against classical computers but is broken by Shor's algorithm on a sufficiently large quantum computer. Scrutinize any novel or "custom" assumptions, as they lack the decades of peer review that established ones like DDH enjoy.
Finally, analyze the composition of assumptions. Systems often layer multiple cryptographic building blocks; their security is only as strong as the weakest link. Use formal verification tools or manual reasoning to check that the security proofs compose correctly. For instance, a privacy-preserving transaction might combine a commitment scheme, a range proof, and a signature. You must verify that the assumptions of these components do not conflict and that their combined use doesn't create new attack vectors. This process transforms a list of ingredients into a coherent understanding of the system's overall security posture.
prerequisites
PREREQUISITES AND SCOPE
How to Review Cryptographic Assumptions
A guide to systematically evaluating the security foundations of blockchain protocols and cryptographic primitives.
Cryptographic assumptions are the foundational, unproven beliefs upon which the security of a protocol rests. Common examples include the discrete logarithm problem (DLP) being hard for elliptic curve groups like secp256k1, or the collision resistance of hash functions like SHA-256. Before analyzing a system's implementation, you must first identify and scrutinize these core assumptions. This review determines the theoretical security ceiling; a flaw in an assumption is a fundamental vulnerability no amount of code can fix. The process involves mapping the protocol's security claims to specific, well-defined mathematical problems.
This guide assumes you have a working knowledge of public-key cryptography, hash functions, and zero-knowledge proofs. Familiarity with complexity theory (P vs. NP, polynomial-time reductions) is essential for understanding security proofs. You should be comfortable reading academic papers from conferences like CRYPTO or Eurocrypt. We will not cover basic cryptographic concepts from scratch. The scope is focused on the review methodology: how to deconstruct a whitepaper, trace security guarantees to their assumptions, and evaluate their plausibility against current cryptanalytic research.
The review process follows a structured path. First, extract formal claims from the protocol documentation, distinguishing between security theorems and heuristic arguments. Second, identify the underlying primitives (e.g., digital signatures, commitments, SNARKs) and their specific instantiation (e.g., EdDSA with Curve25519, Poseidon hash). Third, map each primitive to its hardness assumption, such as the Computational Diffie-Hellman (CDH) assumption for certain encryption schemes. This creates a dependency graph of assumptions that support the entire protocol.
Next, assess the state of cryptanalysis for each assumption. Consult recent publications from the IACR ePrint archive and standardization bodies like NIST. For example, when reviewing a post-quantum scheme, you must evaluate its reliance on problems like Learning With Errors (LWE) or multivariate equations. Consider the age and scrutiny of the assumption; well-studied problems like integer factorization have decades of analysis, while newer lattice-based assumptions have less historical resilience.
Finally, evaluate assumption stacking and reduction tightness. A protocol that chains multiple assumptions (e.g., "security requires both DLP and the Random Oracle Model") has a larger attack surface. Analyze the cryptographic reductions in security proofs: a loose reduction means the protocol is less secure than the underlying problem. Document your findings clearly, stating which assumptions are standard and well-trusted versus novel and speculative. This structured approach provides a rigorous foundation for any security audit or investment due diligence in Web3.
key-concepts
FOUNDATIONS
Core Cryptographic Assumption Types
Understanding the security of modern blockchain systems requires evaluating the underlying cryptographic assumptions. This guide categorizes the major types and their real-world implications for protocol design and auditing.
06
Review Methodology & Trade-offs
A practical framework for evaluating assumptions in a protocol audit or design review.
- Identify the Stack: Map each cryptographic component (signatures, commitments, proofs) to its core assumption.
- Assess Trust Hierarchy: Weaker, long-studied assumptions (DL, LWE) are preferable to newer, more complex ones.
- Model Dependency: Note if security is proven in the Standard Model, ROM, or AGM. ROM proofs require extra scrutiny of the hash function's real-world properties.
- Quantify Security: Look for concrete security parameters (e.g., 128-bit classical security, claimed quantum security level).
The strongest systems minimize reliance on the strongest assumptions.
review-framework
A METHODOLOGY FOR AUDITORS
The Five-Step Review Framework
A systematic approach for evaluating the security of cryptographic assumptions in blockchain protocols and smart contracts.
Cryptographic assumptions form the bedrock of blockchain security. Before deploying a protocol that relies on a novel proof system, signature scheme, or encryption method, you must rigorously assess its underlying assumptions. The Five-Step Review Framework provides a structured methodology for this critical task. It moves from understanding the formal definition to evaluating real-world implementation risks, ensuring no critical vulnerability is overlooked. This process is essential for auditors, protocol designers, and security researchers.
Step 1: Formalize the Assumption. Begin by precisely defining the cryptographic assumption in mathematical terms. What computational problem must be hard? For example, the Discrete Logarithm Problem (DLP) assumes that, given g and g^x mod p, it is computationally infeasible to find x. Document the exact security game: the adversary's capabilities (chosen-plaintext, chosen-ciphertext) and win condition. Ambiguity here is a direct path to flawed security proofs. Reference established standards like those from NIST or academic literature.
Step 2: Analyze Known Attacks. Research the historical and current cryptanalysis of the assumption. Has there been progress on solving the underlying problem? For instance, review the timeline of attacks on the SHA-1 hash function. Examine relevant academic papers on IACR ePrint and track any proposed quantum attacks. Evaluate the concrete security level: an assumption "broken" in 2^90 operations is not the same as one broken in 2^30. This step contextualizes the theoretical security within the practical threat landscape.
Step 3: Review the Security Proof. A protocol's security is only as strong as its reduction proof. Scrutinize how the protocol's security is formally reduced to the hardness of the stated assumption. Check for gaps: does the proof model account for all relevant adversary behaviors in your system's context? Look for common pitfalls like the use of random oracles in a non-idealized setting or overly restrictive adversary models. A proof missing a key attack vector, like front-running, provides false assurance.
Step 4: Assess Parameter Selection. Cryptographic security often depends on correctly chosen parameters. For elliptic curve cryptography, this means verifying the curve is safe (e.g., using secp256k1 or a verified curve like BLS12-381) and that the field size provides the intended bit security. For zk-SNARKs, check that the trusted setup ceremony was conducted properly and the SRS is secure. Incorrect parameters can reduce security from 128 bits to 80 bits or less, making attacks feasible.
Step 5: Evaluate Implementation Risks. Finally, bridge theory and practice. How is the assumption implemented in code? Review for side-channel vulnerabilities (timing attacks, power analysis), randomness failures, and protocol misuse. A theoretically sound signature scheme is worthless if the private key is generated with a weak PRNG like Math.random(). Use tools like libsodium for audited implementations. This step confirms the system's real-world resilience against exploitation.
CRYPTOGRAPHIC PRIMITIVES
Common Assumptions: Security and Maturity
Comparison of widely-used cryptographic assumptions based on their security confidence, attack history, and typical use cases.
| Assumption | Security Confidence | Well-Studied | Quantum-Resistant | Common Use Case |
|---|---|---|---|---|
Discrete Logarithm (DLP) | Very High | ECDSA, DSA | ||
Integer Factorization (IFP) | Very High | RSA Encryption | ||
Elliptic Curve DLP (ECDLP) | Very High | Secp256k1 (Bitcoin, Ethereum) | ||
Pairing-Based (e.g., BLS) | High | BLS Signatures, ZK-SNARKs | ||
Lattice-Based (e.g., LWE) | Medium-High | Post-Quantum Cryptography | ||
Multivariate Quadratic (MQ) | Medium | Post-Quantum Signatures | ||
Code-Based (e.g., McEliece) | Medium | Post-Quantum Encryption | ||
Hash-Based (e.g., SPHINCS+) | High | Post-Quantum Signatures |
CRYPTOGRAPHIC SECURITY
Case Studies: Reviewing Real Assumptions
Cryptographic assumptions are the foundational, unproven beliefs upon which blockchain security rests. This guide examines real-world case studies to help developers and auditors critically evaluate these assumptions in protocols like Ethereum, Solana, and ZK-Rollups.
A cryptographic assumption is a mathematical conjecture believed to be true, forming the security foundation for cryptographic primitives. For example, the Elliptic Curve Discrete Logarithm Problem (ECDLP) underpins ECDSA signatures used in Bitcoin and Ethereum. If this assumption is broken, an attacker could forge signatures and steal funds.
These assumptions are critical because:
- They are not proven. Security relies on the computational difficulty of the problem.
- They have real-world implications. A broken assumption can collapse an entire blockchain's security model.
- They evolve. Quantum computing threatens assumptions like ECDLP and RSA, driving post-quantum cryptography research.
Developers must understand which assumptions their chosen primitives (e.g., SNARKs, VDFs, BLS signatures) depend on to assess long-term viability.
implementation-risks
CRYPTOGRAPHIC REVIEW
Implementation Risks and Side-Channels
A practical guide to identifying and mitigating vulnerabilities that arise from flawed cryptographic implementations, not just theoretical weaknesses.
Cryptographic review extends beyond verifying the correctness of a mathematical proof. The primary risk is often in the implementation—the translation of a secure algorithm into buggy code. Common failure points include improper random number generation, timing side-channels, and incorrect handling of edge cases. For example, using a non-cryptographically secure pseudo-random number generator (CSPRNG) like Math.random() for key generation can make secrets predictable. A robust review must scrutinize the actual code paths, library choices, and environmental assumptions.
Side-channel attacks exploit information leaked during computation, not the algorithm's output. The most prevalent type is a timing attack, where variations in execution time reveal secret data. Consider a naive string comparison for password verification: if (userInput === secret). This loops and returns false on the first mismatched character, allowing an attacker to statistically deduce the secret character-by-character. The fix is to use a constant-time comparison function, such as crypto.timingSafeEqual in Node.js or a dedicated library, which always takes the same time to execute regardless of input.
Reviewing cryptographic assumptions requires validating all inputs and dependencies. A library might be secure in theory but compromised if it trusts unvalidated caller inputs or depends on a deprecated protocol version. For instance, an Elliptic Curve Digital Signature Algorithm (ECDSA) implementation must enforce that the k nonce is truly random for each signature; reusing k leads to private key extraction. Auditors should check for hardcoded secrets, insecure default parameters, and the use of outdated algorithms like SHA-1 or RSA with weak key sizes (<2048 bits).
Practical review involves examining the integration points. How are keys stored and managed? Is sensitive data properly zeroized from memory after use? Code that calls libsodium or OpenSSL can still be vulnerable if it mishandles buffers or fails to check return codes. A structured approach involves: - Auditing the choice of primitive (e.g., ChaCha20-Poly1305 vs. AES-GCM). - Verifying the construction (e.g., using HMAC, not a plain hash, for key derivation). - Testing for compiler optimization side-effects. Tools like ctgrind can help detect timing leaks.
Finally, document the threat model explicitly. What is the asset being protected? Against what adversary? This clarifies which side-channels are in scope (e.g., local attacker vs. remote timing). A guide without a defined threat model is incomplete. Always reference authoritative sources like NIST guidelines and audit reports from reputable firms. The goal is to ensure the implementation is as resilient as the theory it's based upon.
audit-tools
CRYPTOGRAPHIC ASSUMPTIONS
Tools for Analysis and Testing
Reviewing cryptographic assumptions is a critical step in protocol security. These tools and frameworks help developers formally analyze, test, and verify the foundational math behind blockchain systems.
06
Simulation-Based Security Proofs
This is a conceptual framework, not a single tool. Simulation-based security is the gold standard for proving protocols secure under composition. It involves constructing a simulator to show that an adversary learns nothing beyond the protocol's output.
- Key Use: Analyzing the security of multi-party computation (MPC) protocols or privacy-preserving smart contracts.
- Process: Model the real-world protocol and an ideal functionality, then prove they are computationally indistinguishable.
CRYPTOGRAPHIC ASSUMPTIONS
Frequently Asked Questions
Common questions and clarifications for developers working with cryptographic primitives, security models, and protocol design.
Cryptographic assumptions are categorized by the type of problem they pose to an adversary.
Computational assumptions state that a specific computational task is hard to perform. For example, the Discrete Logarithm Problem (DLP) assumes that, given a generator g and g^x in a cyclic group, it is computationally infeasible to compute the exponent x. The security of ECDSA and Diffie-Hellman relies on this.
Decisional assumptions state that it is hard to distinguish between two distributions. The Decisional Diffie-Hellman (DDH) assumption posits that the tuples (g, g^a, g^b, g^{ab}) and (g, g^a, g^b, g^c) are computationally indistinguishable, where c is random. This is stronger than the computational version (CDH) and is crucial for semantic security in encryption schemes like ElGamal.
Choosing the right model impacts protocol efficiency and provable security guarantees.
resource-links
Essential Resources and References
Reviewing cryptographic assumptions requires more than high-level protocol descriptions. These resources help developers and auditors validate threat models, hardness assumptions, parameter choices, and real-world security margins before relying on cryptography in production systems.
04
Cryptographic Review Checklists
Structured cryptographic review checklists help ensure assumptions are explicitly stated and testable.
A strong checklist should force answers to questions like:
- What exact hardness assumptions are required for security?
- Are there reductions, or is security heuristic?
- Does the scheme rely on algebraic group properties that change across curves or fields?
- What breaks under adaptive adversaries or partial key exposure?
- Are parameters chosen for current or future security margins?
Teams such as Protocol Labs and large security audit firms publish internal checklists that are often referenced in public write-ups. Adapting these frameworks helps standardize reviews and prevents missing hidden assumptions that only appear in formal proofs.
conclusion
CRYPTOGRAPHIC REVIEW
Conclusion and Next Steps
A systematic approach to reviewing cryptographic assumptions is a critical skill for protocol designers and security researchers. This guide has outlined the key steps, from identifying core primitives to analyzing their security proofs. The final step is to integrate this review into your development and audit workflow.
The process of reviewing cryptographic assumptions is not a one-time audit but an ongoing practice. For any new protocol or smart contract, you should create a cryptographic specification document. This document should explicitly list every cryptographic primitive used (e.g., BLS12-381 pairing, Keccak256, Ed25519), the security assumption it relies on (e.g., ECDLP, ROM), and the context of its use (e.g., signature verification in a bridge, commitment in a rollup). This creates a clear map for both internal review and external auditors.
Integrate assumption review into your development lifecycle. Before major releases, conduct a focused cryptographic threat modeling session. Ask: Have any new primitives been introduced? Have existing primitives been used in a novel way that might weaken their assumptions? For example, using a signature scheme designed for single-signer contexts in a multi-signature wallet without a proven security proof for that setting is a common pitfall. Tools like ZKP Threat Model templates can provide a structured starting point.
Stay informed about cryptographic advancements. The field evolves constantly; assumptions considered strong today may be weakened by new research tomorrow. Follow publications from conferences like CRYPTO, Eurocrypt, and the IACR. Subscribe to mailing lists for projects like libsnark or ZCash for updates on elliptic curve security and zero-knowledge proof systems. This proactive monitoring is essential for long-term protocol security.
For hands-on practice, start by reviewing the cryptography of a well-documented project. Analyze the Uniswap V4 Hooks technical documentation or the Aztec Protocol zk-zkRollup architecture. Trace the cryptographic components, identify their assumptions, and evaluate the provided security arguments. Engaging with open-source communities on forums like the Ethereum Research forum allows you to discuss assumptions and edge cases with experts.
Your next step should be to formalize this knowledge. Consider contributing to or conducting a cryptographic review for an open-source Web3 project. Many smaller projects lack dedicated cryptographers and would benefit from a systematic analysis. Document your findings clearly, distinguishing between theoretical assumption breaks and practical implementation risks. This real-world experience is invaluable and strengthens the security of the entire ecosystem.