by ReidZB 3990 days ago
Typically, cryptographic primitives (like block ciphers, hash functions, KDFs, etc) are written in C. Bugs are caught solely by the use of a sharp mind and careful reading.

There are really two reasons for this: (1) optimization is a really big deal; some impls go so far as to have asm for specific architectures or use architecture-specific features like SSE2 and (2) there really isn't very much code for a cryptographic primitive, typically <=1000 lines. (e.g., see https://github.com/khovratovich/Argon2/tree/master/Argon2i/r...).

Once a simple reference implementation is hand-checked, it can be used to generate comprehensive test vectors for other implementations.

This isn't my area of expertise, but I believe there's some research in applied crypto for implementation verification. I know https://github.com/GaloisInc/cryptol is a language that's supposed to help in that regard, but I don't know offhand who all uses that.

1 comment

The other reason for C is that the reference implementation is generally expected to eventually have bindings for every other language - a new standard won't flourish if you find out it's hard to access it from your language of choice.

If you can also write an implementation in something such as Haskell, verifying the input/output between the two implementations is a great way to assure it works as expected.
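The workflow both comments describe (hand-check one reference, use it to mint test vectors, then diff a second implementation against it, including at awkward boundaries) as an added example; this is not code from either commenter or from any of the projects linked above. It treats Python's stdlib `hmac` as the trusted reference and a hand-written HMAC-SHA256 as the implementation under test; the RFC 4231 test case 1 vector is a published value, everything else (function names, the deliberately broken `hmac_sha256_buggy`, the key-length list, the seed) is an assumption chosen for illustration.

```python
"""Differential testing of a cryptographic primitive.

Reference: the stdlib hmac module (assumed trusted here).
Under test: hmac_sha256_handwritten, built only from hashlib.sha256.
Also included: hmac_sha256_buggy, a deliberately wrong variant that
truncates long keys instead of hashing them, to show that vectors at the
block-size boundary are what catch this class of bug."""
import hashlib
import hmac
import random

BLOCK_SIZE = 64  # SHA-256 compression-function block size, in bytes

# Key lengths straddling the block boundary, where HMAC implementations
# most often diverge (0, exactly one block, one past it, several past it).
KEY_LENGTHS = [0, 1, 16, 32, 63, 64, 65, 100]


def hmac_sha256_handwritten(key: bytes, msg: bytes) -> bytes:
    # RFC 2104: keys longer than one block are hashed first, then every key
    # is zero-padded to the block size before the ipad/opad XOR.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def hmac_sha256_buggy(key: bytes, msg: bytes) -> bytes:
    # Hypothetical bug: silently truncates long keys instead of hashing them.
    # Correct for every key of <= 64 bytes, so short vectors never see it.
    key = key[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return hashlib.sha256(opad + hashlib.sha256(ipad + msg).digest()).digest()


def hmac_sha256_reference(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


# Published vector (RFC 4231, test case 1), the kind of hand-checked anchor
# a reference implementation is validated against before it mints its own.
KNOWN_VECTORS = [
    {
        "key": "0b" * 20,
        "msg": b"Hi There".hex(),
        "mac": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    }
]


def check_against_vectors(impl, vectors):
    """Return the list of (vector, got_hex) pairs that impl gets wrong."""
    failures = []
    for v in vectors:
        got = impl(bytes.fromhex(v["key"]), bytes.fromhex(v["msg"])).hex()
        if got != v["mac"]:
            failures.append((v, got))
    return failures


def generate_vectors(reference, per_length=3, seed=0):
    """Mint reproducible vectors from the reference, covering KEY_LENGTHS.

    The seed is fixed so the vector set can be committed and regenerated
    byte-for-byte; hex encoding keeps it portable to a C or Haskell harness."""
    rng = random.Random(seed)
    vectors = []
    for klen in KEY_LENGTHS:
        for _ in range(per_length):
            key = bytes(rng.getrandbits(8) for _ in range(klen))
            msg = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 200)))
            vectors.append({"key": key.hex(), "msg": msg.hex(),
                            "mac": reference(key, msg).hex()})
    return vectors


def differential_test(impl_a, impl_b, trials=200, seed=1):
    """Random cross-check of two implementations; returns mismatching inputs."""
    rng = random.Random(seed)
    mismatches = []
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(rng.choice(KEY_LENGTHS)))
        msg = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 300)))
        if impl_a(key, msg) != impl_b(key, msg):
            mismatches.append((key, msg))
    return mismatches


if __name__ == "__main__":
    vectors = generate_vectors(hmac_sha256_reference)
    print("handwritten vs RFC vector:", check_against_vectors(hmac_sha256_handwritten, KNOWN_VECTORS))
    print("handwritten vs minted vectors:", len(check_against_vectors(hmac_sha256_handwritten, vectors)))
    print("buggy vs minted vectors:", len(check_against_vectors(hmac_sha256_buggy, vectors)))
    print("handwritten vs reference, random:", len(differential_test(hmac_sha256_handwritten, hmac_sha256_reference)))
```

The point of listing key lengths explicitly rather than drawing them uniformly is that a primitive's failure modes cluster at its internal boundaries; a vector file that never crosses the 64-byte line would pass the buggy variant every time. Output-comparison between two independent implementations is also only as strong as the input distribution, so the minted set, not the random pass alone, is what should be shipped alongside the reference.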