{ "_comment": "Hand-curated benchmark cases for the Lattice Cryptography Aiwiki classifier (v0.2). 56 cases. Lock target: gate_accuracy=1.000 and bill_recall=1.000.", "version": "0.2", "cases": [ { "id": "B01_albrecht_player_scott", "proposal": "Update to the lattice-estimator (Albrecht-Player-Scott) incorporating revised BKZ-2.020 cost model with refined sieve-dimension estimates for ML-KEM-512.", "expected_bills": [1], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B01_espitau_wallet_concrete_bkz", "proposal": "Espitau-Wallet 2024 concrete-BKZ analysis. Tighter block-size β bounds with G6K sieving; cost still super-polynomial at FIPS 203 standard parameters.", "expected_bills": [1], "expected_meta_costs": ["M3"], "expected_gates": [] }, { "id": "B01_son_cheon_quantum_inspired", "proposal": "Quantum-inspired BKZ variant with sieving-with-walks heuristic. Concrete cost remains super-polynomial at ML-KEM-512.", "expected_bills": [1], "expected_meta_costs": ["M3"], "expected_gates": [] }, { "id": "B02_matzov_dual_attack", "proposal": "MATZOV 2024 dual-attack refinement using guess-and-sieve tradeoff. Block-size β reduced; classical lattice cost LOWERED by ~2^3 cycles.", "expected_bills": [2], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B02_pouly_dual_lattice", "proposal": "Pouly-Roth-Sotakova 2024 dual-lattice attack tuning. Asymptotic-only improvement; no concrete crossover at standard ML-KEM parameters.", "expected_bills": [2], "expected_meta_costs": ["M3"], "expected_gates": [] }, { "id": "B03_hybrid_attack_v3", "proposal": "Hybrid Attack v3: Tightening the Howgrave-Graham/Buhler-Joux Bound for ML-KEM. Meet-in-the-middle plus lattice attack with refined hybrid bound.", "expected_bills": [3], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B04_falcon_arm_power_analysis", "proposal": "Power analysis of Falcon FN-DSA-512 on ARM Cortex-M4 with floating-point side-channel leak. Embedded cryptanalysis on tamper-resistant target.", "expected_bills": [4], "expected_meta_costs": ["M4"], "expected_gates": [] }, { "id": "B04_dilithium_emfi_fault", "proposal": "EMFI fault injection on ML-DSA-44 reference implementation. Voltage-glitch fault adversary recovers signing key fragments. Attack on specific impl, not the standardized algorithm.", "expected_bills": [4], "expected_meta_costs": ["M4", "M6"], "expected_gates": [] }, { "id": "B04_kyber_cache_timing", "proposal": "Cache-timing attack on Kyber-768 using Flush+Reload primitive. Side-channel adversary recovers session key.", "expected_bills": [4], "expected_meta_costs": ["M4"], "expected_gates": [] }, { "id": "B05_cve_falcon_fpylll", "proposal": "CVE-2024-39682 — Falcon FN-DSA Fpylll bug class in liboqs reference implementation. Specific buggy implementation; algorithm-level security holds. Requires CVE-style patch.", "expected_bills": [5], "expected_meta_costs": ["M6"], "expected_gates": [] }, { "id": "B06_agps_quantum_sieve", "proposal": "AGPS-style quantum sieving update. Albrecht-Gheorghiu-Postlethwaite-Schanck quantum walk on SVP. Asymptotic-only analysis assumes resource-unbounded ideal qubits. Cost remains super-polynomial at standard parameters.", "expected_bills": [6], "expected_meta_costs": ["M3", "M5"], "expected_gates": [] }, { "id": "B06_laarhoven_grover_lwe", "proposal": "Laarhoven-Mariano-Mantz quantum sieve refinement. Grover applied to LWE; asymptotic-only speedup, requires unbounded coherence.", "expected_bills": [6], "expected_meta_costs": ["M3", "M5"], "expected_gates": [] }, { "id": "B07_yilei_chen_2024", "proposal": "Yilei Chen 2024 LWE polynomial-time quantum attack claim. Polynomial-time quantum algorithm for Module-LWE. Conditional on Module-LWE hardness assumption being false. Assumes resource-unbounded ideal qubits.", "expected_bills": [7], "expected_meta_costs": ["M2", "M5"], "expected_gates": [] }, { "id": "B07_classical_polytime_lwe", "proposal": "Hypothetical: a classical polynomial-time attack on LWE that breaks ML-KEM-512 at standard parameters. (No actual paper triggers this in 2024-2026.)", "expected_bills": [7], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B08_overstretched_ntru", "proposal": "Cramer-Ducas-Wesolowski follow-up on overstretched NTRU. Cyclotomic ideal short-vector attack exploits algebraic structure.", "expected_bills": [8], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B08_module_lwe_structure", "proposal": "Module-LWE structure exploit using cyclotomic ideal-SVP. Attack specific to algebraic structure of ML-KEM/Kyber.", "expected_bills": [8], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B09_isd_decoding", "proposal": "Information-set-decoding (ISD) attack via Module-LWE-to-decoding reduction. Stern/Prange-class generic decoding applied to ML-KEM-512.", "expected_bills": [9], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B10_bdd_attack_mlwe", "proposal": "Bounded-distance-decoding (BDD) attack on Module-LWE. BDD-radius < q/4 at toy parameters; super-polynomial at FIPS 203 standard parameters.", "expected_bills": [10], "expected_meta_costs": ["M3"], "expected_gates": [] }, { "id": "B11_concrete_quantum_kyber", "proposal": "Concrete quantum advantage on FIPS 203 ML-KEM-512: AGPS-style speedup at deployment scale. Asymptotic-only; assumes resource-unbounded quantum hardware.", "expected_bills": [11], "expected_meta_costs": ["M3", "M5"], "expected_gates": [] }, { "id": "B12_signature_malleability_dilithium", "proposal": "Signature malleability of Dilithium ML-DSA-44 via ciphertext non-uniqueness. Statistical distinguisher with negligible advantage at standard parameters.", "expected_bills": [12], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B13_reduction_tightness_mlwe", "proposal": "Reduction-tightness analysis: concrete-vs-asymptotic gap in MLWE → ML-KEM. Loose reduction does not yet break standard parameters.", "expected_bills": [13], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B14_reduction_loss_security_margin", "proposal": "Reduction-loss exploit closing the security margin via non-trivial-reduction sub-instances of MLWE. Concrete reduction loss break of standard parameters. (Hypothetical — no 2024-2026 paper triggers this cleanly.)", "expected_bills": [14], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B15_kem_reuse_oracle", "proposal": "KEM-reuse oracles in hybrid TLS 1.3 — extended Tamarin model with concrete bounds. Adversary observing N hybrid handshakes against a long-lived ML-KEM-768 keypair.", "expected_bills": [15], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B15_alpn_stripping_pq_tls", "proposal": "Hybrid TLS downgrade via ALPN-stripping middleboxes. Middlebox strips PQ-named-group from ClientHello; client falls back to X25519. Affects X25519MLKEM768 in deployed TLS 1.3.", "expected_bills": [15], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B15_dnssec_pq_hybrid", "proposal": "Post-quantum DNSSEC: ML-DSA hybrid root-zone signing analysis. Identifies hybrid combiner stripping vulnerabilities and EDNS0 size limit issues.", "expected_bills": [15], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B15_composite_signature_stripping", "proposal": "Composite signature schemes for code-signing: ML-DSA + Ed25519 stripping in Sigstore. draft-ietf-lamps-pq-composite-sigs analysis. Composite KEM stripping vulnerability.", "expected_bills": [15], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B15_zero_rtt_downgrade", "proposal": "ZX25519MLKEM768 zero-RTT downgrade attacks in TLS 1.3 0-RTT. Replay-window vulnerability in PQ resumption.", "expected_bills": [15], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B15_clienthello_dos", "proposal": "PQ-TLS DoS amplification: ClientHello bombing via ML-KEM ciphertext expansion. Amplification factor ~3.5x against TLS-over-UDP. Hybrid combiner failure.", "expected_bills": [15], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B15_liboqs_short_circuit_cve", "proposal": "CVE-2024-39682: liboqs hybrid combiner short-circuit. Hybrid KEM combiner returns when classical half succeeds, skipping the PQ verification. Specific buggy implementation requiring CVE-style patch.", "expected_bills": [15], "expected_meta_costs": ["M6"], "expected_gates": [] }, { "id": "B16_hosoyamada_quantum_mitm", "proposal": "Hosoyamada-Sasaki Quantum Meet-in-the-Middle for Both Factorization and Lattice Reduction. Quantum MITM technique applied as a cross-cryptosystem subroutine spanning RSA and lattice. Asymptotic-only; assumes ideal qubits.", "expected_bills": [16], "expected_meta_costs": ["M3", "M5"], "expected_gates": [] }, { "id": "B16_chia_dual_joint_grover_shor", "proposal": "Chia-Dual 2025 Joint Grover-Shor Hybrid Subroutines: A Cross-Cryptosystem Analysis. Theoretical paper exploring whether Grover-on-LWE and Shor-on-Z* share quantum-resource profiles. Requires unbounded coherence.", "expected_bills": [16], "expected_meta_costs": ["M5"], "expected_gates": [] }, { "id": "B16_joint_quantum_walk_rsa_lattice", "proposal": "Hybrid quantum cryptanalysis spanning RSA and lattice: shared subroutines via Quantum Walk. Algorithmic paper proposing a quantum-walk subroutine that accelerates BOTH modular GCD (RSA) AND closest-vector queries (ML-KEM). Asymptotic-only speedup.", "expected_bills": [16], "expected_meta_costs": ["M3"], "expected_gates": [] }, { "id": "B16_shamir_shor_hybrid_2026", "proposal": "Shamir-Shor-Hybrid 2026: Joint Quantum-Classical Hybrid Cryptanalysis. A 2026 Comparative Framework spanning RSA and lattice. Resource-unbounded quantum assumptions.", "expected_bills": [16], "expected_meta_costs": ["M5"], "expected_gates": [] }, { "id": "M1_toy_lwe_only", "proposal": "Lattice attack succeeds at toy-LWE parameters (n=64, q=257). Does not extend to standardized ML-KEM-512.", "expected_bills": [], "expected_meta_costs": ["M1"], "expected_gates": [] }, { "id": "M1_round3_kyber_vs_fips203", "proposal": "Attack on Round-3 Kyber-512 (different from FIPS 203 ML-KEM-512). Variant parameter-set; out-of-scope for standardized algorithm.", "expected_bills": [], "expected_meta_costs": ["M1"], "expected_gates": [] }, { "id": "M2_module_lwe_conditional", "proposal": "Module-LWE-conditional security reduction. Hardness conditional on Module-LWE assumption. Hypothesis-conditional speedup.", "expected_bills": [], "expected_meta_costs": ["M2"], "expected_gates": [] }, { "id": "M2_qrom_conditional", "proposal": "Security analysis under QROM assumption. Result conditional on ROM/QROM oracle model.", "expected_bills": [], "expected_meta_costs": ["M2"], "expected_gates": [] }, { "id": "M3_asymptotic_only", "proposal": "Asymptotic-only improvement to BKZ constants. No concrete crossover at standard parameters.", "expected_bills": [], "expected_meta_costs": ["M3"], "expected_gates": [] }, { "id": "M5_resource_unbounded_quantum", "proposal": "Resource-unbounded quantum hardware assumption. Assumes ideal qubits, unbounded coherence, unlimited depth.", "expected_bills": [], "expected_meta_costs": ["M5"], "expected_gates": [] }, { "id": "M5_30M_logical_qubits", "proposal": "30M logical qubits required for the proposed attack — infeasible at any near-term hardware milestone.", "expected_bills": [], "expected_meta_costs": ["M5"], "expected_gates": [] }, { "id": "M6_pqclean_specific_bug", "proposal": "Implementation-specific bug in pqclean reference code. Requires CVE-style patch. Not the standardized reference.", "expected_bills": [], "expected_meta_costs": ["M6"], "expected_gates": [] }, { "id": "M7_falcon_fpga_thermo_floor", "proposal": "Hardware-Thermodynamic Cost Floor for Falcon Mass Signing on FPGA. Falcon's signing energy is ~3.4× ML-DSA's at Cat-I parameters. Engineering economics; no algorithm-level cryptanalysis.", "expected_bills": [], "expected_meta_costs": ["M7"], "expected_gates": [] }, { "id": "G1_theoretical_construction", "proposal": "Theoretical-construction paper proves a tight reduction MLWE → ML-KEM. No attack claim.", "expected_bills": [], "expected_meta_costs": [], "expected_gates": ["G1"] }, { "id": "G2_lattice_estimator_release", "proposal": "Lattice-estimator release update with new BKZ-cost tooling. No attack claim, just tooling-paper.", "expected_bills": [], "expected_meta_costs": [], "expected_gates": ["G2"] }, { "id": "G2_blaster_release", "proposal": "BLASter release: new lattice reduction software with G6K-class sieving primitives. Estimator release.", "expected_bills": [], "expected_meta_costs": [], "expected_gates": ["G2"] }, { "id": "G3_aws_kms_pq_migration", "proposal": "AWS KMS post-quantum migration deployment report. TLS PQC integration with X25519MLKEM768 default. No attack claim.", "expected_bills": [], "expected_meta_costs": [], "expected_gates": ["G3"] }, { "id": "G3_browser_rollout_telemetry", "proposal": "Mozilla Firefox PQC TLS 1.3 telemetry: deployment report on browser-side rollout. Engineering paper; no attack claim.", "expected_bills": [], "expected_meta_costs": [], "expected_gates": ["G3"] }, { "id": "DUAL_B6_M5_quantum_lwe", "proposal": "Quantum-LWE attack via Grover applied to LWE. AGPS-class quantum sieve. Resource-unbounded ideal qubits.", "expected_bills": [6], "expected_meta_costs": ["M5"], "expected_gates": [] }, { "id": "DUAL_B11_M3_M5", "proposal": "Concrete quantum advantage at standard parameters of FIPS 203 ML-KEM-512. Cost in asymptotic regime; assumes ideal qubits.", "expected_bills": [11], "expected_meta_costs": ["M3", "M5"], "expected_gates": [] }, { "id": "DUAL_B7_M2_M5", "proposal": "Polynomial-time quantum attack on Module-LWE conditional on Module-LWE hardness being false. Assumes unbounded coherence.", "expected_bills": [7], "expected_meta_costs": ["M2", "M5"], "expected_gates": [] }, { "id": "TRIPLE_B4_M4_M6", "proposal": "Side-channel attack on Falcon liboqs implementation via power-analysis. Side-channel adversary on specific buggy implementation; algorithm-level holds.", "expected_bills": [4], "expected_meta_costs": ["M4", "M6"], "expected_gates": [] }, { "id": "DUAL_B16_M3_M5", "proposal": "Cross-cryptosystem quantum subroutine: shared-subroutine speedup spanning RSA and lattice. Asymptotic only; resource-unbounded ideal qubits.", "expected_bills": [16], "expected_meta_costs": ["M3", "M5"], "expected_gates": [] }, { "id": "B15_RFC9794_engineering", "proposal": "RFC 9794 hybrid PQ KEM definition for IPsec/IKEv2. Standardized hybrid combiner specification. Includes hybrid TLS combiner constructs.", "expected_bills": [15], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B6_grover_aes_falcon", "proposal": "Quantum sieve via Grover on SVP applied to Falcon FN-DSA-512. AGPS-class analysis. Asymptotic-only.", "expected_bills": [6], "expected_meta_costs": ["M3"], "expected_gates": [] }, { "id": "B1_BLASter_concrete", "proposal": "Concrete BKZ analysis using BLASter sieving primitive. β block-size at FIPS 203 ML-KEM-512 yields cost = 2^151 cycles.", "expected_bills": [1], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B12_distinguisher_kyber", "proposal": "Statistical distinguisher attack on ML-KEM ciphertexts — IND-CPA distinguishing oracle with negligible advantage at standard parameters.", "expected_bills": [12], "expected_meta_costs": [], "expected_gates": [] }, { "id": "B8_ideal_svp_cyclotomic", "proposal": "Ideal-SVP attack on cyclotomic number field. Exploits algebraic structure of Module-LWE; principal ideal short-vector recovery.", "expected_bills": [8], "expected_meta_costs": [], "expected_gates": [] } ] }