$crypto_{lib}$: Comparing and selecting cryptography libraries (long version of EICC 2022 publication)

TL;DR

The paper introduces the $crypto_{lib}$ index, a systematic tool for decision-makers to evaluate and select the most suitable cryptography library based on multiple attributes tailored to specific use cases.

Contribution

It develops and validates a comprehensive index with 15 attributes, enabling structured and repeatable cryptography library selection.

Findings

The $crypto_{lib}$ index effectively differentiates libraries based on tailored attributes.

The index was demonstrated with Bouncy Castle and Tink, showing practical applicability.

Decision-makers can systematically choose libraries aligned with their project needs.

Abstract

Selecting a library out of numerous candidates can be a laborious and resource-intensive task. We present the $crypto_{lib}$ index, a tool for decision-makers to choose the best fitting cryptography library for a given context. To define our index, 15 library attributes were synthesized from findings based on a literature review and interviews with decision-makers. These attributes were afterwards validated and weighted via an online survey. In order to create the index value for a given library, the individual attributes are assessed using given evaluation criteria associated with the respective attribute. As a proof of concept and to give a practical usage example, the derivation of the $crypto_{lib}$ values for the libraries Bouncy Castle and Tink are shown in detail. Overall, by tailoring the weighting of the $crypto_{lib}$ attributes to their current use case, decision-makers are enabled to systematically select a cryptography library fitting best to their software project at hand in a guided, repeatable and reliable way.