AI Meets Cryptography 1: What AI Found in Cloudflare's Circl
duha
102 points
12 comments
July 07, 2026
Related Discussions
Found 5 related stories in 1082.4ms across 14,015 title embeddings via pgvector HNSW
- AI Meets Cryptography 2: What AI Found in OpenVM's ZkVM duha · 90 pts · July 17, 2026 · 73% similar
- Cloudflare's AI Platform: an inference layer designed for agents nikitoci · 264 pts · April 16, 2026 · 59% similar
- AI Is Tipping the Scales Toward Hackers After Mythos Release thywis · 14 pts · April 11, 2026 · 55% similar
- Google finds first AI-developed zero-day that bypasses 2FA pkaeding · 11 pts · May 13, 2026 · 54% similar
- AI Cybersecurity After Mythos: The Jagged Frontier evelinag · 12 pts · April 09, 2026 · 54% similar
Discussion Highlights (2 comments)
ur-whale
People do crypto using floats these days? Wow. I mean I know djb managed at some point to coax an x86 CPU floating point unit to perform weird integer operations to speed up some of his algorithms, but I would never have expected people to use floats the "intended way" to implement crypto algorithms.
dboreham
If the author is here: thanks for that, interesting read, and also nice to note the absence of a marketing name for the bugs. If you have time, couple (edit: three) questions: 1. Could you expand on this? "That human-in-the-loop step still matters a lot, because AI candidate findings are cheap while trustworthy reports are not." Roughly how many candidate reports did the LLMs create vs the eventual 7 true vulnerabilities? 2. As I was reading "CP-ABE access-control break via AND-share bug" I thought "why wasn't this caught with a test?", which was going to be my question but clicking through to the commit (thanks for that too btw) I see there was a regression test added: https://github.com/cloudflare/circl/commit/def2fd35b8535b0b8... but I'm wondering why there isn't a test further up the stack that is simply checking "can't decrypt if the required attribute isn't present"? Seems similar to those situations where nobody thought to test an auth system for "user can't log in when they present the wrong password"!! Perhaps I'm missing some subtlety though. 3. This is probably a dumb question, but I wasn't sure (even after reading the linked article on zkao) exactly what zkao actually is. One description seems to be "a system for continuously running an LLM audit pass on a codebase". But that can't be right because this article talks about running it on the LLM-found vulnerability reports. Is it an LLM? (but better than the frontier LLMs?) Anyway, bit confused and would appreciate some clarity.