
Proceedings of the 20th Conference on Computer Science and Intelligence Systems (FedCSIS)

Annals of Computer Science and Information Systems, Volume 43

DivCrypt: A Structured Framework for Validating Cryptographic Implementations

DOI: http://dx.doi.org/10.15439/2025F6805

Citation: Proceedings of the 20th Conference on Computer Science and Intelligence Systems (FedCSIS), M. Bolanowski, M. Ganzha, L. Maciaszek, M. Paprzycki, D. Ślęzak (eds). ACSIS, Vol. 43, pages 747–752


Abstract. This paper introduces the DivCrypt framework, step-by-step guidance for the validation of cryptographic implementations. The core idea is to decompose the evaluated implementation into components across complexity layers and validate each component through a structured five-step process. DivCrypt is not intended to replace existing standards, but rather to serve as a practical audit playbook. It can be easily adopted by evaluators in formal certification processes, researchers conducting security audits, and developers performing internal testing. The framework is also intended to encourage creators of novel, non-standardized cryptographic constructs to publish and maintain a DivCrypt-aligned knowledge base. Such contributions, including test vectors and known implementation vulnerabilities, would not only support the application of DivCrypt but also benefit the broader research and development community.
