English

An Empirical Security Evaluation of LLM-Generated Cryptographic Rust Code

Cryptography and Security 2026-05-01 v1 Software Engineering

Abstract

Developers and organizations are using Large Language Models (LLMs) to generate security-critical code more frequently than ever, including cryptographic solutions for their products. This study presents an empirical evaluation of cryptographic security in 240 Rust code samples for two crypto algorithms (AES-256-GCM and ChaCha20-Poly1305) generated by three LLMs (Gemini 2.5 Pro, GPT-4o, and DeepSeek Coder) using four different prompt strategies. For each successfully compiled code sample, CodeQL static analysis and our rule-based crypto-specific analyzer were used to detect vulnerabilities, which are also associated with Common Weakness Enumeration (CWE). The evaluation results revealed that only 23.3% of the generated code samples were successfully compiled. Among the compiled code, CodeQL produced only two false positives, while our rule-based crypto-specific analyzer identified vulnerabilities in 57% of the compiled samples with zero false positives. This demonstrates that general-purpose analysis tools are insufficient for code validation for the experimented crypto algorithms. The compilation success of the two algorithms varied significantly (AES-256-GCM 34.2% versus ChaCha20-Poly1305 12.5%), showing a gap in code generation capabilities. While model choice had no significant effect on compilation success, prompt strategy significantly influenced outcomes (P = 0.002), with chain-of-thought prompting performing 5 times worse than zero-shot. All three models exhibit systematic failures, including nonce reuse and API hallucinations.

Keywords

Cite

@article{arxiv.2604.27001,
  title  = {An Empirical Security Evaluation of LLM-Generated Cryptographic Rust Code},
  author = {Mohamed Elsayed and Kenneth Fulton and Jeong Yang},
  journal= {arXiv preprint arXiv:2604.27001},
  year   = {2026}
}

Comments

10 pages, 2 figures , EASE 2026-The 6th International Workshop on Software Security Engineering

R2 v1 2026-07-01T12:42:01.816Z