{"id":51578771,"url":"https://github.com/systemslibrarian/crypto-lab-syndrome-drain","last_synced_at":"2026-07-11T03:32:25.789Z","repository":{"id":364676163,"uuid":"1268807993","full_name":"systemslibrarian/crypto-lab-syndrome-drain","owner":"systemslibrarian","description":"Browser-based demo of multi-instance security degradation in code-based KEMs — BIKE, HQC, and Classic McEliece eroding below NIST Level 1 as one public key is reused across many session keys. Computes effective bit-security from published parameters and the DOOM syndrome-decoding formulas of ePrint 2026/517. No attack simulation. No backends. ","archived":false,"fork":false,"pushed_at":"2026-06-28T02:05:47.000Z","size":872,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-28T02:18:54.904Z","etag":null,"topics":["bike","classic-mceliece","code-based-cryptography","crypto-lab","cryptography","doom","hqc","kem","key-rotation","multi-instance-security","nist-pqc","post-quantum","syndrome-decoding"],"latest_commit_sha":null,"homepage":"https://systemslibrarian.github.io/crypto-lab-syndrome-drain/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/systemslibrarian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-14T00:45:12.000Z","updated_at":"2026-06-28T02:05:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/systemslibrarian/crypto-lab-syndrome-drain","commit_stats":null,"previous_names":["systemslibrarian/crypto-lab-syndrome-drain"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/systemslibrarian/crypto-lab-syndrome-drain","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-syndrome-drain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-syndrome-drain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-syndrome-drain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-syndrome-drain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/systemslibrarian","download_url":"https://codeload.github.com/systemslibrarian/crypto-lab-syndrome-drain/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/systemslibrarian%2Fcrypto-lab-syndrome-drain/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35350133,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-11T02:00:05.354Z","response_time":104,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bike","classic-mceliece","code-based-cryptography","crypto-lab","cryptography","doom","hqc","kem","key-rotation","multi-instance-security","nist-pqc","post-quantum","syndrome-decoding"],"created_at":"2026-07-11T03:32:25.290Z","updated_at":"2026-07-11T03:32:25.782Z","avatar_url":"https://github.com/systemslibrarian.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# crypto-lab-syndrome-drain\n\n## What It Is\n\nSyndrome Drain is an educational visualizer for the result in\n[May \u0026 Sá Diogo, IACR ePrint 2026/517](https://eprint.iacr.org/2026/517) —\n**Multi-Instance Security Degradation of Code-Based KEMs**. Code-based KEMs rest on\n**syndrome decoding**. *Decoding One Out of Many* (DOOM, Sendrier) says that\nholding `M` syndromes for the same key lets you decode one of them about **√M\nfaster** — a saving of ½·log₂(M) bits. When a single public key is reused to\nderive **D** session keys, an attacker assembles many syndromes at once: **≈ n·D**\nfor BIKE (its quasi-cyclic ring donates `n` per session), and **≈ D** for HQC and\nClassic McEliece. The effective security therefore *drains* with D. For NIST\nLevel‑1 parameters it falls below the 143‑bit floor at roughly **D = 2¹¹\n(BIKE‑1)**, **2²¹ (mceliece3488‑64)**, and **2³⁴ (HQC‑1)** — so **public keys must\nbe rotated on a schedule tied to session volume.** This lab **computes** effective\nbit-security from published NIST Level‑1 parameters and the paper's √D degradation\nlaw; it runs **no attack** — no decoding, no DOOM execution, no random numbers.\nEvery number on screen is real arithmetic you can audit in\n[`src/model.ts`](src/model.ts) and [`PAPER-NOTES.md`](PAPER-NOTES.md). Built with\nVite + TypeScript, no backend.\n\n## When to Use It\n\n- Use it to understand **multi-instance security degradation** — how reusing one code-based KEM public key across many sessions erodes effective bit-security.\n- Use it to plan **key-rotation policy** — the rotation calculator turns a session rate into a rotation cadence with realistic traffic-scenario presets.\n- Use it to see **why BIKE drains faster** than HQC or Classic McEliece (the `n·D` vs `D` syndrome-count mechanism), and why ML-KEM/Kyber is not hit the same way.\n- Do NOT read the on-screen numbers as a break of code-based crypto — it is a teaching visualizer of an asymptotic √D model, runs no attack, and per-instance hardness is intact; verify before relying.\n\n## Live Demo\n\n**[systemslibrarian.github.io/crypto-lab-syndrome-drain](https://systemslibrarian.github.io/crypto-lab-syndrome-drain/)**\n\nThe page is layered for progressive disclosure: a **TL;DR** card up top, a **live security‑level meter** that gives the qualitative \"is it OK?\" glance as you drag D, an interactive **erosion chart** (slider for D, preset jump buttons for each crossover, three live curves, the red floor line, both modeled and paper‑stated crossover markers, and a live readout table), a **DOOM mechanism** explainer with live syndrome counts, a **key‑rotation policy calculator** with realistic traffic‑scenario presets, a **Common misconceptions** FAQ (including why ML‑KEM/Kyber isn't hit the same way), a **Parameters \u0026 sources** drill‑down where every number cites the paper plus a copy‑pasteable **\"verify it yourself\"** block, and an honest **Known Gaps** panel. Every model‑derived number carries an inline **\"idealized √D model\"** badge, and the chart plots two crossover markers per scheme (a filled dot for the model, a hollow diamond for the paper's full‑ISD table) so the model‑vs‑reality distinction is native to the UI. You can deep‑link a specific reuse count with `?d=` (log₂ of D), e.g. `…/?d=21`.\n\n## What Can Go Wrong\n\n- **Reusing one public key across many sessions** — effective security drains by ½·log₂(D) bits; high-volume reuse can push a Level‑1 key below the 143‑bit floor.\n- **BIKE reuses are worse** — its quasi-cyclic structure donates ≈ n syndromes per session (≈ n·D total), so BIKE‑1 crosses the floor far sooner (~D = 2¹¹) than HQC or McEliece.\n- **No rotation schedule** — without rotating keys on a cadence tied to session volume, accumulated syndromes silently erode the security margin over time.\n- **Conflating the idealized √D model with reality** — for mceliece3488‑64 the simple √D law (~2¹⁷) and the paper's full‑ISD table (2²¹) disagree, because McEliece's real ISD slope (~0.39) is shallower than the ½ the law assumes; trusting one number blindly misstates the margin.\n- **Assuming all PQ KEMs degrade equally** — this effect is specific to code-based syndrome decoding; structured-lattice KEMs like ML-KEM are not hit the same way.\n\n## Real-World Usage\n\n- **Code-based KEMs in PQC** — BIKE, HQC, and Classic McEliece are the code-based candidates from the NIST post-quantum process; HQC was selected for standardization.\n- **Key-rotation policy** — the result argues directly for rotating code-based KEM public keys on a schedule tied to how many sessions each key derives.\n- **Conservative / long-term deployments** — Classic McEliece is favored where decades-old, well-studied hardness assumptions matter, despite very large public keys.\n- **Hybrid post-quantum key exchange** — code-based KEMs are deployed alongside classical exchanges so security holds if either component survives.\n\n## How to Run Locally\n\n```bash\ngit clone https://github.com/systemslibrarian/crypto-lab-syndrome-drain\ncd crypto-lab-syndrome-drain\nnpm install\nnpm run dev\n```\n\n## Related Demos\n\n- [crypto-lab-mceliece-gate](https://systemslibrarian.github.io/crypto-lab-mceliece-gate/) — Classic McEliece with Goppa codes, one of the KEMs whose multi-instance margin is modeled here.\n- [crypto-lab-hqc-vault](https://systemslibrarian.github.io/crypto-lab-hqc-vault/) — HQC, the Reed-Muller/Reed-Solomon code-based KEM selected by NIST.\n- [crypto-lab-bike-vault](https://systemslibrarian.github.io/crypto-lab-bike-vault/) — BIKE, the QC-MDPC KEM whose quasi-cyclic structure makes its drain fastest.\n- [crypto-lab-hqc-timing](https://systemslibrarian.github.io/crypto-lab-hqc-timing/) — an HQC BCH-decoder timing oracle and the case for constant-time decoding.\n- [crypto-lab-hqc-timing-break](https://systemslibrarian.github.io/crypto-lab-hqc-timing-break/) — a cache-timing soft-ISD attack on HQC, another angle on code-based KEM security.\n\n## The model (honest by construction)\n\n`effectiveSecurityBits(D) = T₁ − ½·log₂(D)`, anchored on each scheme's published\nsingle‑instance MMT bit complexity `T₁` (the attacker's best variant, pure‑time\nmetric). The `n·D` vs `D` syndrome counts are shown as the *mechanism*; because\n`n` is a constant it is a fixed offset already folded into `T₁`, so it is not\napplied twice (doing so would break the published 2³⁴ crossover — see\n[`src/model.test-notes.md`](src/model.test-notes.md)).\n\n`crossoverD()` computes each crossover from the model **and** cross‑checks it\nagainst the paper's full‑ISD tables. They agree for HQC and BIKE; for\n**mceliece3488‑64 they differ** (modeled ≈2¹⁷ vs paper 2²¹, because McEliece's\nreal ISD slope ≈0.39 is shallower than the ½ the law assumes). The demo shows\n**both** and flags the gap rather than silently trusting one.\n\n## Develop\n\n```bash\nnpm test         # vitest — guards the model against regression\nnpm run build    # tsc --noEmit \u0026\u0026 vite build  →  dist/\nnpm run preview  # serve the production build\n```\n\nNo runtime dependencies; TypeScript + Vite only. The pure computation core\n([`src/model.ts`](src/model.ts)) has no DOM access and is deterministic — same\ninput, same output, no `Math.random`, no `Date`, no network. Its invariants\n(D=1 ⇒ T₁, crossover ordering, the model‑vs‑paper agreement flags, no `n·D`\ndouble‑counting, D\u003c1 throws) are pinned by [`src/model.test.ts`](src/model.test.ts)\nand run in CI ([`.github/workflows/ci.yml`](.github/workflows/ci.yml)).\n\n## Deploy\n\nPushes to `main` build and publish to **GitHub Pages** via\n[`.github/workflows/deploy.yml`](.github/workflows/deploy.yml). The Vite `base`\nis `/crypto-lab-syndrome-drain/` to match the repo path.\n\n## Accessibility \u0026 mobile\n\nBuilt mobile‑first and to WCAG AA intent: semantic landmarks, a skip link,\nkeyboard‑operable controls with a visible focus ring, `aria-live` readouts and a\nfull screen‑reader text description of the chart, generous touch targets,\n`prefers-reduced-motion` and `prefers-contrast` support, and tables that reflow\ninto cards on narrow screens. Dark is the default theme; the toggle persists to\n`localStorage`.\n\n## Sources\n\n- Alexander May \u0026 Gabriel Sá Diogo, *Multi-Instance Security Degradation of\n  Code-Based KEMs*, IACR ePrint **2026/517**.\n- N. Sendrier, *Decoding One Out of Many*, PQCrypto 2011 (DOOM).\n- Esser, May, Zweydinger, *McEliece needs a break*, EUROCRYPT 2022 (MMT‑DOOM).\n- Official Level‑1 parameter sets: HQC‑1, BIKE‑1, mceliece3488‑64.\n\nTranscribed values and per‑number citations live in\n[`PAPER-NOTES.md`](PAPER-NOTES.md).\n\n## Disclaimer\n\n*Educational use. Numbers are computed from published parameters; this is\nasymptotic multi-instance degradation, not a break of syndrome decoding.\nPer-instance hardness is intact. No warranties — verify before relying.*\n\n---\n\n*One of 120+ browser demos in the [Crypto Lab](https://crypto-lab.systemslibrarian.dev/) suite.*\n\n*\"So whether you eat or drink or whatever you do, do it all for the glory of God.\" — 1 Corinthians 10:31*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-syndrome-drain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-syndrome-drain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsystemslibrarian%2Fcrypto-lab-syndrome-drain/lists"}