Discussion summary
A discussion about a cryptography bug involving floating point operations in Cloudflare's CIRCL library, highlighting potential security risks and algorithm implications.
What the discussion says
- Some users are surprised to see floats used in cryptography.
- Concerns about rounding errors and security implications.
- Mention of algorithms like Falcon that use floating point.
- Appreciation for the transparency of the bug report.
“This one lives in CIRCL's threshold RSA implementation... float64 has a 53-bit mantissa.”
“The bug highlights risks of using floats in cryptographic code.”
Comments
Hacker News
Wow.
I mean I know djb managed at some point to coax an x86 CPU floating point unit to perform weird integer operations to speed up some of his algorithms, but I would never have expected people to use floats the "intended way" to implement crypto algorithms.
by ur-whale
https://github.com/cloudflare/circl/commit/f7d2180d6a77cfb28...
by dboreham
this is numerical methods 101, i.e. why 1+1 != 2
I'm a bit surprised that this is from cloudflare. Anybody from CF care to comment? Is this like prototype/super skunkworks code that somehow made it through?
by xarope
Now, I wouldn’t necessarily mean I deem it bad practice in security contexts since again, I don’t know. But if an expert doesn’t consider those things, I would be surprised (and a little scared).
by klabb3
https://keymaterial.net/2026/05/13/so-you-want-to-deploy-fn-... talks about FN-DSA and has a section about how it's require to hand-implement floats to get constant-time operations.
by mcpherrinm
1. Could you expand on this? "That human-in-the-loop step still matters a lot, because AI candidate findings are cheap while trustworthy reports are not." Roughly how many candidate reports did the LLMs create vs the eventual 7 true vulnerabilities?
2. As I was reading "CP-ABE access-control break via AND-share bug" I thought "why wasn't this caught with a test?", which was going to be my question but clicking through to the commit (thanks for that too btw) I see there was a regression test added: https://github.com/cloudflare/circl/commit/def2fd35b8535b0b8... but I'm wondering why there isn't a test further up the stack that is simply checking "can't decrypt if the required attribute isn't present"? Seems similar to those situations where nobody thought to test an auth system for "user can't log in when they present the wrong password"!! Perhaps I'm missing some subtlety though.
3. This is probably a dumb question, but I wasn't sure (even after reading the linked article on zkao) exactly what zkao actually is. One description seems to be "a system for continuously running an LLM audit pass on a codebase". But that can't be right because this article talks about running it on the LLM-found vulnerability reports. Is it an LLM? (but better than the frontier LLMs?) Anyway, bit confused and would appreciate some clarity.
by dboreham
by wbl
by baby
Join the discussion
Write your take first — we'll ask for email only when you're ready to publish.
- Hacker News
- People do crypto using floats these days?
Wow.
I mean I know djb managed at some point to coax an x86 CPU floating point unit to perform weird integer operations to speed up some of his algorithms, but I would never have expected people to use floats the "intended way" to implement crypto algorithms.
by ur-whale - Well, no. That's the bug. The fix is to "not do that", although one does wonder what the original author was smoking!
https://github.com/cloudflare/circl/commit/f7d2180d6a77cfb28...
by dboreham - Yes, this was a bit of a surprise to read when dealing with crypto: "This one lives in CIRCL's threshold RSA implementation... float64 has a 53-bit mantissa... the result is silently rounded before it is ever cast back to an integer. "
this is numerical methods 101, i.e. why 1+1 != 2
I'm a bit surprised that this is from cloudflare. Anybody from CF care to comment? Is this like prototype/super skunkworks code that somehow made it through?
by xarope - Im not a security engineer at all and I have an instant gut reaction to floats in regular code. ”How big can this get? Is it deserialized? What arithmetic ops are happening? Any risk of rounding error propagation?” etc.
Now, I wouldn’t necessarily mean I deem it bad practice in security contexts since again, I don’t know. But if an expert doesn’t consider those things, I would be surprised (and a little scared).
by klabb3 - So, in this case it wasn't correct to do so, but there is actually a current algorithm which uses floating point: Falcon (aka FN-DSA).
https://keymaterial.net/2026/05/13/so-you-want-to-deploy-fn-... talks about FN-DSA and has a section about how it's require to hand-implement floats to get constant-time operations.
by mcpherrinm - If the author is here: thanks for that, interesting read, and also nice to note the absence of a marketing name for the bugs. If you have time, couple (edit: three) questions:
1. Could you expand on this? "That human-in-the-loop step still matters a lot, because AI candidate findings are cheap while trustworthy reports are not." Roughly how many candidate reports did the LLMs create vs the eventual 7 true vulnerabilities?
2. As I was reading "CP-ABE access-control break via AND-share bug" I thought "why wasn't this caught with a test?", which was going to be my question but clicking through to the commit (thanks for that too btw) I see there was a regression test added: https://github.com/cloudflare/circl/commit/def2fd35b8535b0b8... but I'm wondering why there isn't a test further up the stack that is simply checking "can't decrypt if the required attribute isn't present"? Seems similar to those situations where nobody thought to test an auth system for "user can't log in when they present the wrong password"!! Perhaps I'm missing some subtlety though.
3. This is probably a dumb question, but I wasn't sure (even after reading the linked article on zkao) exactly what zkao actually is. One description seems to be "a system for continuously running an LLM audit pass on a codebase". But that can't be right because this article talks about running it on the LLM-found vulnerability reports. Is it an LLM? (but better than the frontier LLMs?) Anyway, bit confused and would appreciate some clarity.
by dboreham - The ability to decrypt depends on figuring out that the sharing scheme has your pieces covered, and knowing that you have in fact covered the right thing because of a bug like this is hard to do. There are some ways to test the sharing scheme that might have caught this, and looking at example shares carefully should have, but it's a bit more subtle to make generic tests.by wbl
- I work on www.zkao.io so I can expand on this: it's basically like an audit, you click a button and ~9h later you get a report with findings. It's supposed to be better at finding bugs (especially cryptographic bugs) than frontier models AND it's supposed to be better at discarding false positives.by baby
Related stories
Cloudflare Meerkat - Globally distributed consensus
blog.cloudflare.com · 69 points · 8 comments
Decoding the obfuscated bash script on a Uniqlo t-shirt
tris.sherliker.net · 1072 points · 181 comments
StreetComplete: Fixing OpenStreetMap, one tiny quest at a time
streetcomplete.app · 761 points · 182 comments
Every new car sold in the European Union must include a driver monitoring camera
allaboutcookies.org · 737 points · 969 comments
Chat Control 1.0 and 2.0 Explained
fightchatcontrol.eu · 645 points · 238 comments
Microsoft fire idTech team at Id software
gamefromscratch.com · 597 points · 533 comments