CL
Stateless Passwords
Phantom Vault
Derive any password from a master passphrase using HMAC-DRBG. Nothing stored, nothing synced, nothing left behind to breach.
PBKDF2-SHA-256 HMAC-DRBG Rejection Sampling
Backdoored RNG
Corrupted Oracle
A live Dual_EC_DRBG backdoor demo showing state recovery and future-output prediction while standard statistical tests still appear clean.
Dual_EC_DRBG HMAC-DRBG ChaCha20-DRBG P-256
CSPRNG
DRBG Arena
HMAC_DRBG, CTR_DRBG, and Hash_DRBG with state visualizers, seeding, reseeding, and live NIST SP 800-22 statistical tests. The correct-case companion to Corrupted Oracle.
HMAC_DRBG CTR_DRBG Hash_DRBG NIST SP 800-90A
Quantum Key Distribution
BB84
Quantum key distribution with photon polarization, basis sifting, QBER eavesdropper detection, and privacy amplification before AES-256-GCM message encryption.
Photon Polarization Basis Sifting QBER Privacy Amplification
Post-Quantum Cryptanalysis
Shor
Modular period finding with QFT and continued fractions to recover integer factors, showing why RSA, ECC, and Diffie-Hellman must migrate to post-quantum alternatives.
Shor's Algorithm Period Finding QFT RSA Factorization
Post-Quantum Cryptanalysis
Grover
Amplitude amplification and oracle phase kickback for symmetric-key search, with live probability oscillation and concrete key-size impact (AES-128 to AES-256).
Grover's Algorithm Amplitude Amplification Phase Kickback AES Key Search
Cryptanalysis
Model Breach
A HiAE threat-model case study showing candidate enumeration, MITM state recovery, and guess-and-determine attacks when assumptions drift from deployment reality.
Threat Modeling Candidate Enumeration MITM Recovery Guess-and-Determine
Asymmetric Encryption
Iron Letter
ECIES P-256 and RSA-OAEP compared side by side with live timing, key-size tradeoffs, and a simple sealed-letter mental model.
ECIES P-256 RSA-OAEP AES-256-GCM
Deniable Encryption
Shadow Vault
One container, two passphrases, two messages. A practical demonstration of plausible deniability, forensic ambiguity, and browser-first UX around serious primitives.
Argon2id ChaCha20-Poly1305 SHA-256
Zero-Knowledge Proofs
ZK Proof Lab
Six exhibits from Ali Baba cave to zk-SNARK intuition, with real Schnorr arithmetic, commitments, and replayable transcripts instead of vague metaphors.
Schnorr SHA-256 Commitments Fiat-Shamir zk-SNARK
Zero-Knowledge Proofs
STARK Tower
AIR constraints, FRI polynomial commitments, and end-to-end Fibonacci proof. No trusted setup, post-quantum secure. The protocol behind StarkNet, StarkEx, and Risc Zero.
zk-STARK AIR Constraints FRI Post-Quantum
Zero-Knowledge Proofs
SNARK Arena
Groth16 vs PLONK — trusted setup ceremonies, proof size comparison, the toxic waste problem, and production deployments in Zcash, Polygon zkEVM, WorldID, and zkLogin.
Groth16 PLONK Trusted Setup zk-SNARK
Homomorphic Encryption
Blind Oracle
A server computes on encrypted values without seeing the plaintext. A concise, live introduction to FHE using TFHE-rs.
⚡ The one exceptionThis is the lab's single demo with a live backend — a Rust/TFHE-rs server adds your two encrypted numbers homomorphically and still mathematically cannot read them.
FHE TFHE-rs Rust Encrypted Compute
Homomorphic Encryption
CKKS Lab
Approximate FHE for encrypted floating-point arithmetic, homomorphic neural network inference, rescaling, and the complete FHE trilogy (TFHE + BGV/BFV + CKKS).
CKKS RLWE Approximate FHE Encrypted Inference
Homomorphic Encryption
FHE Arena
BGV/BFV integer FHE — homomorphic addition and multiplication, live noise budget visualizer, relinearization, SIMD batching, and real-world deployments in private genomics and encrypted databases.
BGV/BFV RLWE Noise Budget SIMD Batching
Encrypted Morse
Dad Mode Morse
AES-GCM encrypted messaging delivered as Morse code with audio playback and browser decoding. Intentionally playful, still grounded in real primitives.
AES-256-GCM Argon2id HKDF-SHA-256 Ed25519
Library Privacy
Patron Shield
Information-theoretic private information retrieval applied to catalog privacy. A direct bridge from library ethics to concrete mathematical guarantees.
IT-PIR XOR Secret Sharing Chor et al. 1995
Verifiable Secret Sharing
VSS Gate
Feldman VSS and Pedersen VSS — verifiable secret sharing with live cheating dealer detection, commitment verification, and the layer beneath FROST and threshold wallets.
Feldman VSS Pedersen VSS Commitment Verification Cheating Detection
Secure MPC
Garbled Gate
Yao’s Garbled Circuits — gate-by-gate garbling, oblivious transfer for input wires, and the Millionaire’s Problem solved end-to-end. The foundational two-party MPC protocol.
Garbled Circuits Oblivious Transfer Free XOR Two-Party MPC
Secure MPC
Silent Tally
Five hospitals compute a combined enrollment total without revealing any individual counts, demonstrating additive-homomorphic MPC in the browser.
Shamir SSS GF(2^61-1) Lagrange Interpolation Additive Homomorphism
Threshold Signatures
FROST Threshold
A browser-based FROST (RFC 9591) walkthrough where any qualified signer subset can produce one standard Ed25519 signature without key reassembly.
FROST (RFC 9591) Ed25519 Nonce Commitments VSS Commitments
Post-Quantum Signatures
Dilithium Seal
CRYSTALS-Dilithium (ML-DSA) digital signatures in the browser. Generate lattice-based key pairs, sign documents, and verify — all post-quantum safe.
ML-DSA FIPS 204 CRYSTALS-Dilithium Lattice
Forward-Secret Messaging
Ratchet Wire
A live walkthrough of the Double Ratchet protocol powering Signal-style messaging, with per-message key derivation and forward secrecy guarantees.
Double Ratchet X25519 HKDF AES-256-GCM
Post-Quantum KEM
Kyber Vault
CRYSTALS-Kyber (ML-KEM) key encapsulation in the browser. Encapsulate, decapsulate, and compare lattice-based key exchange against classical ECDH.
ML-KEM FIPS 203 CRYSTALS-Kyber Lattice AES-256-GCM
Block Cipher
Iron Serpent
The Serpent block cipher — AES finalist with a deeper security margin. Avalanche analysis, a security-margin (round-count) view, and side-by-side AES comparison.
Serpent AES-256 SPN
Block Cipher
World Ciphers
Camellia (Japan), ARIA (South Korea), SM4 (China), and Kuznyechik (Russia) side by side with AES. Encrypt/decrypt playgrounds, S-box analysis, and geopolitical compliance context.
Camellia ARIA SM4 Kuznyechik
Secret Sharing
Shamir Gate
Split a secret into shares using Shamir's Secret Sharing and reconstruct with any qualified threshold subset. Polynomial interpolation made tangible.
Shamir SSS Lagrange Interpolation GF(p)
Historical Cipher
Dead Sea Cipher
Substitution and polyalphabetic ciphers from Atbash to Vigenère, through to modern AES-256-GCM. Encode, decode, and explore classical cryptanalysis.
Substitution Vigenère Atbash
Hash-Based Signatures
SPHINCS+ Ledger
Stateless hash-based signatures (SLH-DSA) in the browser. A post-quantum signing scheme that relies only on the security of hash functions.
SLH-DSA FIPS 205 SPHINCS+ SHA-256 WOTS+
Differential Cryptanalysis
Biham Lens
A live differential cryptanalysis attack on a toy SPN cipher — the technique co-invented by Biham and Shamir that broke reduced-round DES. DDT visualization and last-round key recovery.
Differential Cryptanalysis SPN DDT Chosen-Plaintext
Hybrid Key Exchange
Hybrid Wire
X25519 + ML-KEM-768 hybrid post-quantum key exchange as deployed in Chrome 124+ and Cloudflare. Six-step handshake visualization and encrypted chat.
X25519 ML-KEM-768 HKDF-SHA256 AES-256-GCM
Downgrade Attacks
Downgrade Wire
Strip X25519MLKEM768 from a TLS 1.3 ClientHello and watch two PQ-capable endpoints agree on classical X25519 — then turn on the Finished MAC and watch transcript binding abort the same strip.
TLS 1.3 Transcript Binding X25519MLKEM768 Downgrade
Hash Functions
Babel Hash
SHA-256, SHA3-256, and BLAKE3 side by side with live avalanche visualization, length extension attack demo, and HMAC defense.
SHA-256 SHA3-256 BLAKE3 HMAC
Block Cipher Modes
AES Modes
ECB, CBC, CTR, GCM, and CCM with live padding oracle attack. Real WebCrypto operations, ECB penguin visualization, and authenticated encryption comparison.
AES AES-GCM AES-CBC Authenticated Encryption
Public-Key Cryptography
Educational RSA
Step-by-step RSA on real small numbers — key generation, encryption, decryption, and signatures — then watch a weak key get factored in milliseconds while a 2048-bit key holds. Real BigInt math, no backend.
RSA Key Generation Modular Exponentiation OAEP
Public-Key Cryptography
RSA Forge
Textbook RSA, OAEP, PSS signatures, and live attacks including small exponent and Bleichenbacher PKCS#1 v1.5 padding oracle. Real WebCrypto operations.
RSA OAEP PSS PKCS#1
Elliptic Curves
Curve Lens
Point addition, scalar multiplication, and live ECDH across P-256, Curve25519, and secp256k1. Real field arithmetic visualized step by step.
ECC Curve25519 ECDH P-256
Elliptic Curves
Point Arithmetic
Drag P and Q to see the chord-and-tangent group law, flip ℝ↔𝔽ₚ to run the identical exact arithmetic, then step double-and-add and feel why the ECDLP is hard.
Group Law Chord-and-Tangent Scalar Mult secp256k1
Asynchronous Key Agreement
X3DH Wire
The asynchronous handshake behind Signal. Real X25519 arithmetic, four DH operations, and HKDF-SHA-256 key derivation — no backends, no simulated math.
X3DH X25519 HKDF-SHA-256 Signal Protocol
Noise Protocol Framework
Noise Pipe
NN, XX, IK, and IKpsk2 handshake patterns with real X25519 arithmetic, live transport encryption, and a WireGuard deep dive.
X25519 HKDF WireGuard Handshake Patterns
Message Authentication
MAC Race
HMAC, CMAC, Poly1305, and GHASH compared with live length extension attack, timing attack, and nonce reuse demonstrations. Real WebCrypto operations.
HMAC CMAC Poly1305 GHASH
Key Derivation
KDF Chain
HKDF, PBKDF2, scrypt, and Argon2id compared side by side with live parameter tuning, real timing measurements, and a KDF decision tree.
HKDF PBKDF2 scrypt Argon2id
Format-Preserving Encryption
Format Ward
FF1 and FF3-1 live tokenization of credit cards, SSNs, and phone numbers. Real AES-256 Feistel rounds per NIST SP 800-38G.
FF1 FF3-1 AES-256 Tokenization
CBC Padding Oracle
Padding Oracle
Full Vaudenay 2002 chosen-ciphertext attack with real AES-CBC, byte-by-byte plaintext recovery, and coverage of ASP.NET, Lucky Thirteen, and POODLE.
AES-CBC PKCS#7 Vaudenay 2002 POODLE
Timing Side-Channel
Timing Oracle
String comparison leakage, HMAC verification timing, RSA private key bit leakage, and cache-timing attacks with real performance.now() measurements.
Timing Attack HMAC RSA Cache-Timing
Post-Quantum KEM
McEliece Gate
The oldest post-quantum KEM (1978). Binary Goppa codes, visceral 261KB public key visualization, and four-way comparison against ML-KEM, BIKE, and HQC.
Classic McEliece Goppa Codes Post-Quantum
Post-Quantum KEM
Frodo Vault
Conservative post-quantum KEM using plain LWE with no ring structure. LWE from first principles, error distribution, and side-by-side comparison against ML-KEM.
FrodoKEM LWE Lattice Post-Quantum
Code-Based KEM
BIKE Vault
Code-based post-quantum KEM using QC-MDPC codes, Black-Gray-Flip decoding, and side-by-side comparison against ML-KEM. NIST Round 4 alternate candidate.
BIKE QC-MDPC Post-Quantum KEM
Code-Based KEM
HQC Vault
Hamming Quasi-Cyclic post-quantum KEM with Reed-Muller/Reed-Solomon decoding, and three-way comparison against BIKE and ML-KEM.
HQC Reed-Muller Reed-Solomon Post-Quantum
Post-Quantum Signatures
Falcon Seal
Compact NTRU lattice signatures with Fast Fourier Sampling, side-by-side comparison against ML-DSA and SLH-DSA, and implementation security warnings.
Falcon FN-DSA NTRU FFT Sampling Post-Quantum
Stream Cipher
ChaCha20 Stream
Quarter-round stepper, keystream visualizer, nonce reuse attack demo, and encrypt/decrypt playground. ARX design, no AES-NI required.
ChaCha20 ARX Nonce Reuse Keystream
Digital Signatures
Ed25519 Forge
Keypair generation, signing, and signature verification — deterministic nonces, tamper detection, the ZIP215 cofactor pitfall, and 64-byte compact signatures.
Ed25519 EdDSA Deterministic Nonces ZIP215 Cofactor
Hash Construction
Hash Zoo
SHA-256 vs SHA3-256 vs BLAKE3 internals — live avalanche analysis, Merkle-Damgård/sponge/tree construction diagrams, and timing benchmarks.
SHA-256 SHA3-256 BLAKE3 Merkle-Damgård
Hash Functions
World Hashes
SM3 (China), Streebog (Russia), and Kupyna (Ukraine) alongside SHA-256 and SHA-3. Five-way simultaneous hashing, avalanche analysis, and cryptographic sovereignty context.
SM3 Streebog Kupyna SHA-256
KDF Benchmarks
KDF Arena
Live timing and memory comparison of HKDF, PBKDF2, scrypt, and Argon2id with adjustable cost parameters and bar chart visualization.
HKDF PBKDF2 scrypt Argon2id
MAC Primitive
Poly1305 MAC
Polynomial evaluation over GF(2¹³⁰−5), constant-time tag verification, key-reuse attack visualizer, and Polynomial Stepper.
Poly1305 GF(2¹³⁰−5) Key-Reuse Attack Polynomial Stepper
Oblivious Transfer
OT Gate
1-of-2 Oblivious Transfer using the Simplest OT protocol (Chou-Orlandi 2015) over Curve25519 with real Edwards25519 group arithmetic and AES-256-GCM encryption. Foundational primitive for secure MPC.
Simplest OT Chou-Orlandi 2015 Edwards25519 AES-256-GCM
Stateful Hash-Based Signatures
LMS Ledger
LMS/HSS stateful hash-based signatures (NIST SP 800-208) — W-OTS+ key state grid, one-time key reuse attack with real forgery demo, and CNSA 2.0 firmware signing context.
LMS HSS W-OTS+ NIST SP 800-208
Merkle Trees
Merkle Vault
Build Merkle trees up to 16 leaves with real SHA-256, generate O(log n) inclusion proofs, tamper any leaf and watch the root change. Git, Bitcoin, and Certificate Transparency walkthroughs.
SHA-256 Merkle Tree Inclusion Proofs Certificate Transparency
Nonce Misuse Resistance
Nonce Guard
AES-GCM vs AES-GCM-SIV comparison — live nonce reuse attack showing keystream XOR recovery and GHASH key extraction, synthetic IV construction, and misuse-resistance comparison. RFC 8452.
AES-GCM AES-GCM-SIV RFC 8452 Synthetic IV
Pairing Cryptography
Pairing Gate
BLS12-381 bilinear pairing — BLS signature sign/verify with real @noble/curves arithmetic, signature aggregation visualizer (up to 100 signers → 1 proof), and rogue key attack demo. Powers Ethereum 2.0 and Zcash.
BLS12-381 BLS Signatures Signature Aggregation Rogue Key Attack
IT-PIR
Oblivious Shelf
2-server XOR Private Information Retrieval (Chor et al. 1995) — a patron retrieves any book from a 16-item catalog without the server learning which one was requested. Step-by-step query walkthrough and privacy audit.
XOR PIR Chor et al. 1995 2-Server PIR Privacy Audit
Steganography
Stego Suite
LSB substitution, DCT-domain hiding, and adaptive embedding with live chi-squared steganalysis. Hide the message, not just the content.
LSB DCT Adaptive Embedding Chi-Squared Steganalysis
Threshold ECDSA
GG20 Wallet
GG20 threshold ECDSA — Paillier encryption, distributed key generation, and joint signing without any party holding the full private key. The protocol behind Fireblocks and Coinbase MPC.
GG20 Paillier secp256k1 Distributed Key Generation
Password Hashing
Bcrypt Forge
Bcrypt anatomy, cost factor benchmarking, timing-safe verification, and a real-world breach simulation. The workhorse password hash, dissected.
bcrypt Blowfish Cost Factor Timing-Safe
Blind Signatures
Blind Sign
Chaum RSA blind signatures and Schnorr EC blind signatures — anonymous e-cash, private voting, and unlinkability proofs. The signer signs without seeing the message.
Chaum RSA Schnorr EC e-Cash Unlinkability
Commitment Schemes
Commit Gate
Hash commitments and Pedersen commitments — binding, hiding, sealed-bid auction, and homomorphic addition. The primitive beneath ZKPs, MPC, and VSS.
Hash Commitment Pedersen Binding & Hiding Homomorphic
PKI & Certificates
PKI Chain
X.509 certificate chains, trust store validation, CA compromise cascades, Certificate Transparency with Merkle inclusion proofs, and post-quantum migration to ML-DSA.
X.509 Certificate Transparency CA Compromise ML-DSA
Protocol Composition
Protocol Compose
MAC-then-Encrypt vs Encrypt-then-MAC, padding oracle attack, CRIME, and the composition failures that drove TLS 1.3. Safe primitives composed unsafely break everything.
MAC-then-Encrypt Encrypt-then-MAC CRIME TLS 1.3
Ring Signatures
Ring Sign
LSAG ring signatures — key image linkability, double-spend detection, group signatures with manager opening, and Monero transaction privacy. Sign as one-of-many without revealing which.
LSAG Key Image Group Signatures Monero
Threshold Decryption
Threshold Decrypt
ElGamal over P-256 — distributed key generation, verifiable partial decryptions with NIZK proofs, and t-of-n combination without any party holding the full private key.
ElGamal P-256 NIZK Proofs t-of-n
Steganography
J-UNIWARD
JPEG steganography via Universal Wavelet Relative Distortion — adaptive DCT coefficient embedding that minimizes wavelet-domain detectability. The state-of-the-art in content-adaptive JPEG steganography.
J-UNIWARD DCT Wavelet Distortion Adaptive Embedding
Quantum Threat
Harvest Vault
HNDL pressure, Mosca's theorem, migration windows, and concrete post-quantum planning for the systems being recorded today and decrypted later.
HNDL Mosca's Theorem Q-Day Timeline PQC Migration
Post-Quantum Isogeny
Isogeny Gate
Elliptic-curve isogenies with a toy CSIDH over GF(419), supersingular graph walks, the Castryck-Decru break of SIDH, and the surviving branches of the field in SQIsign.
SIDH CSIDH SQIsign Castryck-Decru
Post-Quantum Side-Channel
Lattice Fault
Implementation attacks on lattice PQC: NTT power leakage, rejection-sampling fault bypass, KyberSlash timing, and faulty KECCAK seed injection. The math survives; sloppy implementations do not.
ML-KEM ML-DSA KyberSlash Fault Injection
Post-Quantum Cryptanalysis
LLL Break
Step-by-step LLL and BKZ lattice reduction with Gram-Schmidt views, Lovasz condition checks, and a toy LWE primal attack that shows why Kyber-sized parameters do not fall the same way.
LLL BKZ Gram-Schmidt Toy LWE
Post-Quantum Signatures
MPCitH Sign
Post-quantum signatures from MPC-in-the-Head with additive secret sharing, SHA-256 commitments, Merkle proofs, Fiat-Shamir, and hidden-view challenges over a toy PERK-style witness.
MPC-in-the-Head Fiat-Shamir SHA-256 Commitments Merkle Proofs
Password-Authenticated Key Exchange
OPAQUE Gate
RFC 9807 OPAQUE aPAKE with live OPRF blind/evaluate/unblind flow, credential-envelope handling, 3DH mutual authentication, and server-breach simulation showing the password never reaches the server.
OPAQUE OPRF 3DH HKDF
Verifiable Randomness
VRF Gate
ECVRF prove/verify, Wesolowski VDF repeated squaring, and a RANDAO-plus-VDF beacon simulation that shows how verifiable randomness resists last-reveal manipulation.
ECVRF P-256 Wesolowski VDF RANDAO RFC 9381
Authenticated Encryption
AEGIS Gate
AEGIS-256 from the CFRG draft with AES round-function state updates, six-register sponge flow, tag derivation, and official test-vector verification in the browser.
AEGIS-256 AES Round Function 6-State Sponge Test Vectors
Lightweight Cryptography
Ascon
NIST's lightweight cryptography standard with Ascon-AEAD128, Ascon-Hash256, avalanche analysis, and side-by-side comparison against AES-GCM and ChaCha20-Poly1305.
Ascon-AEAD128 Ascon-Hash256 Lightweight Crypto IoT
High-Security Curves
Curve448
X448 key exchange and Ed448 signatures side by side with Curve25519 and Ed25519, covering the 224-bit security tier for long-lived keys.
X448 Ed448 RFC 7748 RFC 8032
ML-DSA Internals
Dilithium Reject
An ML-DSA rejection-sampling lab with live acceptance histograms, rejection-reason breakdowns, and the signing-time tradeoff that keeps lattice signatures secure.
ML-DSA Rejection Sampling FIPS 204 Timing Tradeoffs
Digital Signatures
ECDSA Forge
ECDSA on secp256k1 and P-256 with sign/verify workflows, RFC 6979 deterministic nonces, and the classic nonce-reuse private-key recovery attack.
ECDSA secp256k1 RFC 6979 Nonce Reuse
Public-Key Encryption
ElGamal Plain
Taher ElGamal's 1985 scheme with fresh ephemeral randomness, multiplicative homomorphism, and ciphertext rerandomization across toy and RFC 3526 groups.
ElGamal RFC 3526 Group 14 Homomorphism Re-randomization
Migration Planning
Harvest Timeline
A harvest-now-decrypt-later risk simulator built around the Mosca inequality, CRQC scenarios, organization profiles, and the operational cost of waiting to migrate.
Mosca Inequality CRQC Scenarios Cost of Delay PQC Migration
Post-Quantum Signatures
HAWK
An educational HAWK lab covering integer-only lattice signatures, discrete Gaussian sampling over Z, and the NIST Round 2 additional-signatures landscape.
HAWK Lattice Signatures Gaussian Sampling NIST Round 2
Post-Quantum Side-Channel
HQC Timing Break
A full-decryption oracle attack on HQC showing how compiler rewrites break constant-time Reed-Muller decoding and expose key recovery through cache timing.
HQC Cache Timing Reed-Muller Soft-ISD
Composite Signatures
Hybrid Sign
Ed25519 plus ML-DSA-65 hybrid signatures per the IETF LAMPS composite-signature draft, framed as defense in depth for long-lived authenticity.
Ed25519 ML-DSA-65 Composite Signatures IETF LAMPS
Identity-Based Encryption
IBE Gate
Boneh-Franklin identity-based encryption on BLS12-381 with setup, private-key extraction, encrypt/decrypt flow, and an honest look at the escrow tradeoff.
Boneh-Franklin BLS12-381 Identity-Based Encryption Key Escrow
Post-Quantum Side-Channel
KyberSlash
A KyberSlash timing-attack lab for ML-KEM, covering secret-dependent division, vulnerable compression paths, the Barrett-reduction fix, and live attack simulation.
ML-KEM KyberSlash Timing Attack Barrett Reduction
Hash-Based Signatures
LMS/XMSS
State-managed hash-based signatures with LM-OTS, Merkle trees, and hierarchical composition, showing where LMS, HSS, and XMSS fit in practice.
LMS LM-OTS HSS NIST SP 800-208
Lattice Cryptography
NTRU Classic
The original 1996 NTRU lattice cryptosystem with polynomial-ring arithmetic from scratch and the historical path from classic NTRU to modern post-quantum design.
NTRU Polynomial Rings Lattice EESS#1
Access-Pattern Privacy
ORAM Vault
A Path ORAM walkthrough with tree buckets, stash growth, position-map updates, and adversary-view visualization for cloud access-pattern hiding.
Path ORAM Position Map Stash Access Patterns
Additive Homomorphic Encryption
Paillier Gate
Paillier's additive homomorphic cryptosystem with encrypt/decrypt, tallying without decryption, and direct links to voting systems and GG20 threshold ECDSA.
Paillier Additive HE Private Voting Aggregation
Migration Operations
PQ Rotation
A post-quantum migration planner for hybrid certificates, multi-jurisdiction timelines, rolling key rotation, canary deployment, and rollback strategy.
Hybrid X.509 CNSA 2.0 Key Rotation Migration Planner
Post-Quantum TLS
PQ TLS Handshake
TLS 1.3 with the X25519MLKEM768 hybrid handshake, including byte-level framing, full key schedule derivation, and comparison against classical X25519.
TLS 1.3 X25519MLKEM768 Key Schedule Hybrid PQC
Private Set Intersection
PSI Gate
Classic DH-PSI over ristretto255 with RFC 9380 hash-to-curve, showing how two parties learn their overlap (and each other's set size) and nothing more.
DH-PSI ristretto255 Hash-to-Curve Contact Discovery
Post-Quantum KEM
Scloud+ Vault
China's conservative LWE-based KEM with ternary secrets, BW32 lattice coding, and a faithful but simplified browser model of the ePrint 2024/1306 design.
Scloud+ LWE KEM BW32 Coding Ternary Secrets
Threshold Signatures
Threshold ML-DSA
A two-party demo of distributed post-quantum signing that produces real FIPS 204 ML-DSA signatures; key-non-reconstruction is illustrated, not enforced.
Threshold ML-DSA Distributed Signing Two-Party Post-Quantum
Envelope Encryption
Envelope KMS
RFC 3394/5649 AES key wrap, DEK/KEK hierarchy, KMS-style key rotation, re-wrap without plaintext exposure, and a hash-chained audit log — the architecture behind AWS KMS and Google Cloud KMS.
RFC 3394 AES Key Wrap DEK/KEK Key Rotation
Zero-Knowledge Range Proofs
Bulletproofs
ZK range proofs using Bulletproofs on ristretto255 — 64-bit Pedersen commitments, aggregate proofs over multiple ranges, the inner-product argument, and a tamper-rejection demo.
Bulletproofs ristretto255 Range Proofs Inner-Product Argument
Lattice Attack
Nonce Lattice
ECDSA nonce-bias lattice attack on secp256k1 and P-256 — Hidden Number Problem construction, in-browser LLL reduction, and byte-for-byte private-key recovery from biased nonces.
ECDSA Hidden Number Problem LLL Reduction secp256k1
Authentication Protocol
Kerberos v5
RFC 4120 Kerberos v5 — Needham-Schroeder origins, Lowe attack, full AS/TGS/AP exchange flow, AES-256-CTS-HMAC-SHA1-96 ticket encryption, and clock-skew replay defense.
RFC 4120 Needham-Schroeder Lowe Attack AES-256-CTS
Group Messaging Security
MLS Group
RFC 9420 Messaging Layer Security — TreeKEM ratchet tree, epoch key schedule, member add/remove/update operations, and group application messaging with forward secrecy guarantees.
MLS (RFC 9420) TreeKEM Epoch Key Schedule Forward Secrecy
Zero-Knowledge Proofs
ZK Arena
A side-by-side comparison playground for zk-SNARK and zk-STARK proof systems — setup phases, proving overhead, verification cost, and the tradeoff space between Groth16, PLONK, and STARKs.
zk-SNARK zk-STARK Proof Systems Comparison
Few-Time Signatures
Jevil
A hash-based few-time signature scheme over the Goldilocks field using Lagrange interpolation — bounded-use signing with reusable verification keys.
Jevil Hash-Based Goldilocks Field Lagrange Interpolation
Post-Quantum Side-Channel
Ciphertext Mirror
An ML-KEM side-channel walkthrough — manipulating ciphertexts through the Fujisaki-Okamoto transform, LDPC decoder behavior, and NTT blinding countermeasures.
ML-KEM FO Transform LDPC Decoder NTT Blinding
Post-Quantum Side-Channel
HQC Timing
HQC's BCH decoder leaks timing — observe how constant-time mitigations reshape the attack surface against the standardized code-based KEM.
HQC BCH Decoder Timing Oracle Constant-Time
Post-Quantum Overview
PQ Families
A guided tour of the five post-quantum problem families — lattice, code-based, hash-based, multivariate, and isogeny — with the assumptions, history, and standardization status of each.
Lattice Code-Based Hash-Based Multivariate Isogeny
Key Exchange Overview
Key Exchange
A walkthrough of key exchange across history and protocol families — from Diffie-Hellman to modern hybrid post-quantum handshakes, with shared assumptions and threat models per era.
Diffie-Hellman ECDH X25519 ML-KEM
Decentralized Trust
Web of Trust
A PGP-style trust graph — sign each other's keys, walk introduction chains, observe how trust flows (and breaks) without a central authority.
PGP OpenPGP GnuPG Key Signing Trust Graph
Passkeys & Authentication
WebAuthn
Passwordless authentication via FIDO2 / WebAuthn — assertion verification, origin binding, signature counters, and the journey from passwords to passkeys.
WebAuthn FIDO2 Passkeys Assertion
Secure Shell Handshake
SSH Handshake
SSH transport-layer handshake and TOFU host-key pinning — ephemeral X25519 / ECDH, Ed25519 signatures over the exchange hash, and known_hosts change detection across StrictHostKeyChecking modes.
X25519 Ed25519 TOFU known_hosts
HD Wallet Mechanics
Bitcoin Wallet
Bitcoin wallet pipeline in the browser — secp256k1 keys to P2PKH and P2WPKH addresses via HASH160, plus BIP-39 mnemonics, PBKDF2 seed stretching, and BIP-32 hardened child derivation.
secp256k1 BIP-32 BIP-39 Bech32
Rotor Machine
Enigma Forge
Full mechanical Enigma — rotors with double-stepping, plugboard, and reflector — plus the crib-based Bombe break that exploits the flaw that no letter ever maps to itself.
Enigma Rotors Plugboard Bombe
Polyalphabetic Cipher
Vigenère Break
Encrypt and decrypt with a repeating-key Vigenère cipher, then recover the key length with Kasiski examination and the index of coincidence and solve each column by frequency analysis.
Vigenère Kasiski Examination Index of Coincidence Frequency Analysis
Perfect Secrecy
OTP Vault
One-time pad encryption with provable perfect secrecy, then the two-time-pad break: XOR two ciphertexts under a reused key and crib-drag to recover both plaintexts.
One-Time Pad Perfect Secrecy Two-Time Pad Crib Dragging
Hash Collisions
Collision Vault
Verify real published MD5 and SHA-1 collision pairs — SHAttered, identical-prefix, chosen-prefix — live in the browser, then watch SHA-256 and SHA-3 resist the same attack.
MD5 SHA-1 SHAttered Chosen-Prefix Collision
Token Forgery
JWT Forge
Paste or generate a JWT, tamper with claims, and swap algorithms to watch alg:none and HS/RS key-confusion attacks succeed against a vulnerable verifier and fail against a correct one.
JWT JWS alg:none HS/RS Key Confusion
Entanglement-Based QKD
E91
Ekert's entanglement-based QKD: measure entangled pairs, run the CHSH Bell test, and derive a key from aligned bases. |S|≈2.83 proves security; an eavesdropper drags it toward the classical bound, so the key is discarded.
E91 Entanglement CHSH Bell Test QKD
Hybrid PQC
Hybrid Guide
A guide to hybrid post-quantum key exchange — a KEM combiner pairs X25519 with ML-KEM-768 so the session key holds as long as either half survives. Break each component to see the hedge.
KEM Combiner X25519 ML-KEM-768 X-Wing
Multivariate Signatures
Multivariate UOV
A real Unbalanced Oil-and-Vinegar scheme over GF(256) signs and verifies in the browser, showing how fixing the vinegar variables turns the MQ trapdoor into a linear solve — plus the 2022 Beullens attack that broke Rainbow.
UOV GF(256) MQ Problem Beullens Attack
Lattice Cryptanalysis
LWE Hints
Explores approximate-hint LWE secret recovery on sparse ternary secrets — counts how many hints collapse the lattice problem. Computes hint counts; runs no attack. ePrint 2026/1081.
LWE Sparse Ternary Secrets Approximate Hints Lattice
Multi-Instance Degradation
Syndrome Drain
How code-based KEMs erode below NIST Level 1 when one public key derives many session keys — DOOM lets an attacker decode one of D syndromes √D faster. Computes effective security and when to rotate keys.
DOOM BIKE HQC Classic McEliece
Leakage Cryptanalysis
Broken Trust
Leak one bit of ML-DSA's per-signature masking randomness and the secret subkey becomes the bottom of a hill you can roll down — no lattice reduction. Watch a toy version descend beside real-scale numbers from ePrint 2026/472.
ML-DSA Bit Leakage Hill-Climbing Subkey Recovery
Bitcoin Script
Bitcoin Script
Step a real P2PKH spend through the Script stack machine — valid, wrong-key, forged-signature, and tampered scenarios, with real secp256k1 and HASH160. No backend.
secp256k1 P2PKH ECDSA Stack Machine
Diffie-Hellman + MITM
DH MITM
Interactive Diffie-Hellman key exchange, then a live man-in-the-middle attack on the unauthenticated channel that shows why raw DH needs authentication. Real modular arithmetic. No backend.
Diffie-Hellman Modular Arithmetic MITM Key Exchange
Hybrid Key Exchange & Signatures
Hybrid PQC
Compare classical, post-quantum, and hybrid key exchange and signatures side by side, then break one half and watch the hybrid survive. Real X25519, ML-KEM-768, Ed25519, ML-DSA-65. No backend.
X25519 ML-KEM-768 Ed25519 ML-DSA-65
Merkle Inclusion Proofs
Merkle Proofs
Build a tree, generate inclusion proofs, recompute the root hash by hash, then replay the RFC 6962 second-preimage and CVE-2012-2459 duplicate-leaf attacks. Real SHA-256. No backend.
SHA-256 Merkle Proof RFC 6962 CVE-2012-2459
PAKE Family
PAKE Gate
Tour SRP-6a, J-PAKE, CPace, and Dragonfly (RFC 7664) side by side — a shared key forms from a low-entropy password that never crosses the wire, plus a server-breach toggle and the Dragonblood side-channel.
SRP-6a J-PAKE CPace Dragonfly
Threshold Crypto Compared
Shamir vs FROST
Compare Shamir secret sharing against FROST signatures side by side — watch Shamir reassemble the key in memory while FROST signs without it ever existing. Real GF(256) and Ed25519. No backend.
Shamir SSS FROST Ed25519 GF(256)
RSW Time-Lock
Time-Lock Puzzle
Seal a message that only sequential squaring can open, then reveal the creator's instant trapdoor that collapses the delay. Real BigInt and AES-256-GCM. No backend.
RSW Sequential Squaring AES-256-GCM Trapdoor
Timing Side-Channel
Timing Side-Channel
Recover a hidden secret one byte at a time from an early-exit comparison, then watch a constant-time compare flatten the leak. Real performance.now() measurements. No backend.
Timing Attack Constant-Time Side-Channel Secret Compare
TLS 1.3 Walkthrough
TLS Handshake
Step through X25519 key exchange, Ed25519 authentication, the HKDF key schedule, and AES-GCM records, with a MITM attack that gets blocked. Real WebCrypto. No backend.
TLS 1.3 X25519 Ed25519 AES-GCM
Verifiable Delay Function
VDF
Repeated modular squaring in an RSA group with a Wesolowski short proof — watch sequential work accrue one squaring at a time, confirm parallel workers don't help, then verify instantly and reveal the trapdoor.
VDF Wesolowski Modular Squaring Randomness Beacon
PKI & Certificates
Chain of Trust
X.509 path building vs RFC 5280 validation on a real cross-signed ECDSA hierarchy — build chains yourself, watch a naive builder fail a valid leaf, and see valid signatures rejected.
X.509 RFC 5280 ECDSA P-256 nameConstraints
KEM Misuse
KEM Trap
Real ML-KEM-768 decapsulation never fails loudly — flip a ciphertext bit and watch a caller that drops the return code or skips key confirmation turn implicit rejection into an oracle.
ML-KEM-768 FIPS 203 FO Transform Implicit Rejection
Clock-Dependent Security
Time Trust
Real Ed25519, HMAC, and X.509 verification driven by one movable clock — drag NOW and watch certificates, JWTs, TOTP codes, and replay caches change their verdicts about bytes that never change.
Ed25519 X.509 JWT TOTP
Nonce Reuse
Nonce Collision
Reuse one nonce under one key across AES-CTR, AES-GCM, ChaCha20-Poly1305, and AES-CBC — crib-drag plaintext out of XOR'd ciphertexts and forge tags the real verifiers accept.
AES-GCM ChaCha20-Poly1305 Forbidden Attack Crib Dragging
Signature Canonicalization
Signed Bytes
Real Ed25519 over JSON — a signature binds an exact byte string, never the parsed meaning. Break key order, Unicode, and duplicate keys, then watch JCS canonicalization fix some and refuse others.
Ed25519 JCS RFC 8785 Parser Differential Unicode NFC
Hybrid Encryption
HPKE Envelope
RFC 9180 with every stage exposed — a KEM, a KDF, and an AEAD composed into one scheme; edit the info string or AAD and watch the real AEAD reject.
DHKEM X25519 HKDF-SHA256 AES-GCM RFC 9180
TLS Privacy
Blind Hello
TLS 1.3 encrypts everything except the hostname it announces first — seal the ClientHello with real HPKE and see exactly what ECH hides, what it can't, and why it needs encrypted DNS.
TLS 1.3 ECH HPKE SNI
Metadata Privacy
Blind Relay
Oblivious HTTP splits knowledge between a relay that sees your address and a gateway that sees your request — flip the collusion toggle and watch the guarantee evaporate.
OHTTP HPKE Binary HTTP RFC 9458
Key Transparency
Key Mirror
A key directory that lies to one user and tells the truth to another — then the append-only Merkle log, consistency proofs, and gossip that make the lie detectable.
Merkle Tree VRF Ed25519 KEYTRANS
Password-Authenticated KX
SPAKE Gate
SPAKE2 and SPAKE2+ on the same password, side by side — indistinguishable until the server database leaks, then one impersonation costs nothing and the other forces an offline crack.
SPAKE2 SPAKE2+ P-256 PAKE
Proactive Secret Sharing
Reshare Circle
Refresh threshold shares into a new epoch: every old share becomes garbage, the public key never changes, and the secret is never reconstructed along the way.
Shamir Feldman VSS HJKY 1995 Mobile Adversary
Randomness Failures
Entropy Collapse
Restore two copies of a VM snapshot and watch an honest, standards-conformant HMAC_DRBG emit identical session keys from both — the seed, not the generator, is the whole game.
HMAC_DRBG Seed Provenance VM Cloning Nonce Reuse
Key Commitment
Salamander
Build one AES-GCM ciphertext that decrypts to two different valid plaintexts under two different keys — both tags verify, because AEAD never promised they couldn't.
AES-GCM GHASH GF(2^128) Message Franking
Proof Forgery
Frozen Heart
Forge a Schnorr zero-knowledge proof the real verifier accepts — because the Fiat-Shamir challenge hash left one transcript field out of its input.
Fiat-Shamir Schnorr ristretto255 NIZK
Anonymous Credentials
Credential Veil
BBS+ selective disclosure over BLS12-381 — the issuer signs six fields once; the holder reveals any subset, unlinkably every time, and proves over-18 without a birth date.
BBS+ Selective Disclosure Unlinkability Range Proof
Power Side-Channel
Power Trace
Recover an AES-128 key byte from power consumption alone. The cipher is correct and constant-time, yet CPA and DPA walk the key out through the power rail. Simulated traces, real statistics.
CPA DPA AES-128 Hamming Weight
Symbolic Analysis
Protocol Checker
A Dolev-Yao symbolic model checker that rediscovers Lowe's attack on Needham-Schroeder live — found by searching, not by being told — then closes the seventeen-year-old flaw in one edit.
Dolev-Yao Symbolic Model Needham-Schroeder Unification
Quantum RNG
Quantum Entropy
A biased beam-splitter QRNG, Shannon vs min-entropy on the same stream, von Neumann debiasing, and a real Toeplitz extractor with Leftover Hash Lemma accounting and NIST SP 800-90B health tests.
QRNG Min-Entropy Toeplitz Extractor SP 800-90B
Malicious-Secure MPC
SPDZ Forge
SPDZ over F_p (2^61−1) — additive shares, Beaver triples, and information-theoretic MACs. Tamper with a share and semi-honest MPC swallows the lie while SPDZ aborts, even with a dishonest majority.
SPDZ Beaver Triples SPDZ MACs Dishonest Majority
Broadcast Encryption
Traitor Trace
Naor-Naor-Lotspiech subset-cover over a 16-leaf tree — one ciphertext for all subscribers, revoke a member without rekeying anyone, and trace a leaked decoder back to its builder. Real AES-256-GCM.
NNL Subset-Cover Broadcast Encryption Traitor Tracing AES-256-GCM