{"id":51578797,"url":"https://github.com/systemslibrarian/crypto-lab-broken-trust","last_synced_at":"2026-07-11T03:32:26.799Z","repository":{"id":364886140,"uuid":"1269553170","full_name":"systemslibrarian/crypto-lab-broken-trust","owner":"systemslibrarian","description":"Browser-based demo of multi-instance security degradation in code-based KEMs — BIKE, HQC, and Classic McEliece eroding below NIST Level 1 as one public key is reused across many session keys. Computes the bit-security loss from key reuse and visualizes the crossover where the multi-target advantage breaches the Level 1 floor.","archived":false,"fork":false,"pushed_at":"2026-06-23T02:38:43.000Z","size":316,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-23T04:17:02.747Z","etag":null,"topics":["bike","classic-mceliece","code-based-cryptography","crypto-lab","cryptography","cryptography-education","hqc","kem","multi-instance-security","nist-pqc","post-quantum-cryptography"],"latest_commit_sha":null,"homepage":"https://systemslibrarian.github.io/crypto-lab-broken-trust/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/systemslibrarian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-14T21:18:47.000Z","updated_at":"2026-06-23T02:38:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/systemslibrarian/crypto-lab-broken-trust","commit_stats":null,"previous_names":["systemslibrarian/crypto-lab-broken-trust"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/systemslibrarian/crypto-lab-broken-trust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-broken-trust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-broken-trust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-broken-trust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-broken-trust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/systemslibrarian","download_url":"https://codeload.github.com/systemslibrarian/crypto-lab-broken-trust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-broken-trust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35350133,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-11T02:00:05.354Z","response_time":104,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bike","classic-mceliece","code-based-cryptography","crypto-lab","cryptography","cryptography-education","hqc","kem","multi-instance-security","nist-pqc","post-quantum-cryptography"],"created_at":"2026-07-11T03:32:26.238Z","updated_at":"2026-07-11T03:32:26.793Z","avatar_url":"https://github.com/systemslibrarian.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# crypto-lab-broken-trust\n\n## What It Is\n\n\u003e Leak **one bit** of ML-DSA's per-signature masking randomness and the secret\n\u003e subkey becomes the **bottom of a hill you can roll down** — no lattice\n\u003e reduction. This demo lets you *watch* a toy version descend, next to the\n\u003e real-scale numbers from IACR ePrint 2026/472. It runs **no attack** on real\n\u003e ML-DSA.\n\nAn **educational reconstruction** of Carsten Schubert, Niklas Julius Müller,\nJean-Pierre Seifert, and Marian Margraf, *\"Descent into Broken Trust: Uncovering\nML-DSA Subkeys with Scarce Leakage and Local Optimization\"*\n([IACR ePrint 2026/472](https://eprint.iacr.org/2026/472)).\n\nThe primitive is **ML-DSA / CRYSTALS-Dilithium** (FIPS 204), the primary NIST\npost-quantum signature standard. ML-DSA uses **rejection sampling** so released\nsignatures are statistically independent of the secret key — that independence is\nthe defense. The attack line (Liu et al., Damm et al.) shows the defense collapses\nonce an attacker learns **even one bit of the per-signature masking randomness**:\neach leaked bit becomes an **informative relation** on a secret subkey. The paper\nthen (1) builds a **verification routine** that scores a candidate subkey using\n*only* those relations — zero exactly at the true key, no lattice reduction — and\n(2) descends that score with a **multi-tier hill-climbing optimizer**. It recovers\nsubkeys from **5,000–35,000 relations** (a **37–68× reduction** over prior work)\nand still succeeds at **~45% leaked-bit noise**.\n\nThis repo is a **hybrid**:\n\n- A **live, in-browser toy engine** (`src/model.ts`) — dimension-8, integer\n  coefficients — that you can actually watch descend: the violation score falling\n  tier by tier to zero, with relation-count and noise sliders. It recovers a toy\n  key **the demo generated itself**, purely to make the *dynamics* visible.\n- A **paper-data overlay** (`src/paperData.ts`) that replays the paper's measured\n  real-scale results so the toy is shown to be a faithful miniature, not a cartoon.\n\nIt is **leakage-assisted subkey recovery via local optimization** — a\n**leakage + optimization** result, **not a fault-injection attack**, and **not** an\nattack tool. No real ML-DSA key, no real signatures, no captured side channel. The\nhonesty bridge is explicit throughout: every **toy · illustrative** number is\nbadged distinctly from every **paper-measured** number.\n\n\u003e ℹ️ **Provenance.** The paper figures are transcribed from the **full text**\n\u003e (Tables 1–4) into [`src/paperData.ts`](src/paperData.ts) and pinned by tests — the\n\u003e exact per-set, per-leakage-index relation counts (Table 2 → the 5,000–35,000 band),\n\u003e the 37.0/42.8/68.5× reductions (Table 3), and the noisy-setting results (Table 4).\n\u003e The IACR PDF is Cloudflare-gated and is **not redistributed in this repo**; see\n\u003e `PAPER-NOTES.md` for the full transcription and `BUILD-NOTES.md` for the details.\n\n### What you can explore\n\n- **Guided tour** that walks the three-act story (Independence → Leakage → Optimization)\n  and drives the demo for you — auto-offered on first visit, or `?tour=1`.\n- **Live descent visualizer** — relation-count, noise, and seed sliders, play/step/reset,\n  shaded tier bands, a **coefficient lock-in** animation, and an optional alternate-run overlay.\n- **Interactive score-landscape heatmap** — *click a cell (or press “New start”) to start the\n  climb anywhere*, hover for the exact score, with a colorblind-safe **viridis** scale + legend\n  and the descent path drawn as a rolling particle.\n- **Relation microscope** (one leaked relation as a concrete object) and a **no-leakage vs.\n  leakage** contrast.\n- **Run-N-trials** — success rate + a steps-to-recover histogram (the toy's own mirror of the\n  paper's 10/10 methodology).\n- **Paper-scale replay tabs** and **visualized results** — a log-scale reduction bar chart and a\n  Table 2 heatmap grid — plus an **Implications \u0026 Defenses** section and an explicit\n  **toy ↔ paper mapping**.\n- **Deep-linkable state** with a **Copy link** button, dark/light theme, keyboard + screen-reader\n  support, colorblind-safe palettes, and `prefers-reduced-motion` support throughout.\n\n## When to Use It\n\n- To build intuition for **why one leaked masking bit is catastrophic** even though\n  rejection sampling hides the key in the clean case.\n- To *see* the core idea — **the secret sits at the global minimum of a score you\n  can evaluate without the key** — as a descending curve, not just prose.\n- As a teaching aid for **local optimization / hill-climbing cryptanalysis** and for\n  the distinction between a demo's qualitative dynamics and a paper's quantitative\n  scale.\n- Do NOT treat it as a security assessment or attack tool: it assesses no real system, recovers **no** real key, and is a teaching demo, not production code.\n\n## Live Demo\n\n**[systemslibrarian.github.io/crypto-lab-broken-trust](https://systemslibrarian.github.io/crypto-lab-broken-trust/)**\n\nFirst-time visitors are offered a short **guided tour** (or start it anytime from the\nTL;DR, or via `?tour=1`). State is deep-linkable via the query string, e.g.\n`?seed=1\u0026rels=4000\u0026noise=0` reproduces a clean descent; raise `noise` past the toy's\nceiling to watch it stall. The **Copy link** button grabs the URL for the current state.\n\n## What Can Go Wrong\n\n- Leaking even a single bit of the per-signature masking randomness — for example through a side channel — turns each signature into an informative relation on a secret subkey, and the rejection-sampling independence that protects ML-DSA in the clean case no longer holds.\n- Because a candidate subkey can be scored using only the leaked relations (zero at the true key, no lattice reduction required), any implementation that leaks must assume the secret sits at a findable global minimum.\n- The recovery tolerates substantial noise on the leaked bits (the cited paper still succeeds at ~45% noise), so an implementation that is only \"mostly\" constant-time or partially leaky is not safe.\n- Mistaking the toy engine's qualitative dynamics for real-scale cost: the in-browser run recovers a dimension-8 key the demo generated itself, not a real ML-DSA key, and the paper's relation counts and reduction factors are the load-bearing numbers.\n\n## Real-World Usage\n\n- ML-DSA (FIPS 204) is the primary NIST post-quantum digital signature standard, intended for code signing, firmware updates, certificates, and protocol authentication.\n- It is being integrated into TLS, PKI, and software-supply-chain trust as a post-quantum replacement for (or hybrid alongside) classical signatures like Ed25519 and RSA.\n- The masking-randomness side-channel concern this demo illustrates is exactly why constant-time, leakage-resistant implementations are emphasized for deployed ML-DSA and lattice signatures generally.\n\n## How to Run Locally\n\n```bash\ngit clone https://github.com/systemslibrarian/crypto-lab-broken-trust\ncd crypto-lab-broken-trust\nnpm install\nnpm run dev\n```\n\n## Related Demos\n- [crypto-lab-dilithium-seal](https://systemslibrarian.github.io/crypto-lab-dilithium-seal/) — the ML-DSA / FIPS 204 signature scheme this demo attacks, shown in normal operation.\n- [crypto-lab-dilithium-reject](https://systemslibrarian.github.io/crypto-lab-dilithium-reject/) — ML-DSA rejection sampling, the very defense whose leakage this demo exploits.\n- [crypto-lab-lattice-fault](https://systemslibrarian.github.io/crypto-lab-lattice-fault/) — fault injection against ML-KEM/ML-DSA, a sibling lattice-cryptanalysis demo.\n- [crypto-lab-lwe-hints](https://systemslibrarian.github.io/crypto-lab-lwe-hints/) — recovering lattice secrets from partial hints, the same \"scarce-leakage\" theme.\n- [crypto-lab-syndrome-drain](https://systemslibrarian.github.io/crypto-lab-syndrome-drain/) — another post-quantum cryptanalysis demo in the suite's attacks family.\n\n## Build \u0026 Test\n\n```bash\nnpm test        # run the pinned toy invariants + paper-transcription guards\nnpm run build   # production build into dist/\nnpm run preview # preview the production build\n```\n\nRequires Node 20+. No runtime dependencies.\n\n## Part of the Crypto-Lab Suite\n\nThis is one of the **crypto-lab** demos — small, auditable, single-result\neducational tools in a shared house style (Vite + TypeScript, a pure deterministic\n`src/model.ts`, pinned tests, progressive-disclosure UI, dark default, honesty\nbadges). It is a sibling of `crypto-lab-lwe-hints`, `crypto-lab-syndrome-drain`,\nand others in the suite.\n\n---\n\n*One of 120+ browser demos in the [Crypto Lab](https://crypto-lab.systemslibrarian.dev/) suite.*\n\n*\"So whether you eat or drink or whatever you do, do it all for the glory of God.\" — 1 Corinthians 10:31*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-broken-trust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-broken-trust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-broken-trust/lists"}