CIPHER: Cryptographic Insecurity Profiling via Hybrid Evaluation of Responses
Max Manolov, Tony Gao, Siddharth Shukla, Cheng-Ting Chou, Ryan Lagasse
TL;DR
The paper tackles the risk of cryptographic insecurity in LLM-generated Python code by introducing CIPHER, a standardized benchmark that uses insecure/neutral/secure prompt triplets, a cryptography-focused vulnerability taxonomy, and line-level evidence to profile vulnerability incidence. It provides a reproducible scoring pipeline and applies it to seven widely used LLMs, showing consistently high vulnerability rates even under explicit secure prompting, thus revealing limits to prompt-based security steering. The work situates CIPHER within related efforts on LLM evaluation and crypto API misuse, emphasizing controlled prompting, taxonomy-driven judgments, and scalable, argument-based scoring. By releasing the dataset and pipeline, the authors offer a practical foundation for ongoing measurement and improvement of cryptographic safety in code-generation systems.
Abstract
Large language models (LLMs) are increasingly used to assist developers with code, yet their implementations of cryptographic functionality often contain exploitable flaws. Minor design choices (e.g., static initialization vectors or missing authentication) can silently invalidate security guarantees. We introduce CIPHER(\textbf{C}ryptographic \textbf{I}nsecurity \textbf{P}rofiling via \textbf{H}ybrid \textbf{E}valuation of \textbf{R}esponses), a benchmark for measuring cryptographic vulnerability incidence in LLM-generated Python code under controlled security-guidance conditions. CIPHER uses insecure/neutral/secure prompt variants per task, a cryptography-specific vulnerability taxonomy, and line-level attribution via an automated scoring pipeline. Across a diverse set of widely used LLMs, we find that explicit ``secure'' prompting reduces some targeted issues but does not reliably eliminate cryptographic vulnerabilities overall. The benchmark and reproducible scoring pipeline will be publicly released upon publication.
