What is cache attestation?

Cache attestation is the practice of cryptographically signing every cached entry with post-quantum digital signatures. When data is written to a Cachee instance, the engine generates a 58-byte H33-74 receipt signed by three independent signature families: ML-DSA-65 (lattice-based), FALCON-512 (NTRU lattice-based), and SLH-DSA (hash-based). When data is read, the receipt is verified before the result is returned. A signed cache entry is a provable fact -- not data that might have been tampered with. Cache poisoning attacks fail because the forged data cannot produce a valid receipt.

Why sign cache entries?

Traditional caches are black boxes with no integrity guarantees. You put data in. You get data back. You hope it was not poisoned. Cache poisoning is a well-documented attack vector where an attacker inserts a malicious value into the cache, and every consumer trusts it because the cache has no way to verify authenticity. Signing cache entries solves this: every SET produces a cryptographic receipt, and every GET verifies it. Poisoned data fails verification and is rejected before it reaches the application. This is critical for financial audit trails, healthcare records, regulatory evidence, and any system where cache integrity is a compliance requirement.

What algorithms are used for cache attestation?

Cachee uses three independent post-quantum signature families: ML-DSA-65 (Module Lattice Digital Signature Algorithm, NIST standard, based on MLWE lattice hardness, 3,309-byte signatures), FALCON-512 (Fast Fourier Lattice-based Compact Signatures over NTRU, based on NTRU lattice hardness, 656-byte signatures), and SLH-DSA (Stateless Hash-based Digital Signature Algorithm, based on hash function security, 17,088-byte signatures). These three families rely on three independent mathematical hardness assumptions. Breaking one does not weaken the others. An attacker must break all three simultaneously to forge a cache attestation.

Can anyone verify a signed cache entry?

Yes. Cachee provides the cachee-verify CLI tool that verifies a signed cache entry against its H33-74 receipt and the three post-quantum signatures. Verification requires no network connection, no Cachee account, no API key, and no trust in H33 or any third party. The verification is entirely local and cryptographic. The public verification keys are embedded in the Cachee Archive Bundle (CAB), which is a self-contained verification package of approximately 24KB. Anyone with the CAB file and the cachee-verify tool can independently confirm that a cached result is authentic and untampered.

ML-DSA-65 FALCON-512 SLH-DSA Cache Poisoning Eliminated

Cache Attestation

Every cache entry is signed by three post-quantum families.
A signed cache entry is a provable fact -- not data that might have been tampered with.
Cache poisoning requires breaking three independent mathematical assumptions simultaneously.

58B

H33-74 Receipt Size

PQ Signature Families

~24KB

CAB Bundle Size

Trust Dependencies

Definition

Cache attestation is the practice of cryptographically signing every cached entry with post-quantum digital signatures. Every SET produces a 58-byte H33-74 receipt signed by three independent signature families: ML-DSA-65 (lattice), FALCON-512 (NTRU lattice), and SLH-DSA (hash-based). Every GET verifies the receipt before returning the result. Poisoned data fails verification and is rejected. A signed cache entry is a provable fact -- not data that might have been tampered with.

The Problem

Traditional Caches Are Black Boxes

You put data in. You get data back. You hope nothing changed it in between.

Traditional Cache

Application writes value

↓

Cache stores it (no integrity check)

↓

Attacker poisons the entry

↓

Application reads poisoned value

↓

Consumer trusts it (no way to verify)

Every consumer gets the poisoned value. No detection. No audit trail.

Attested Cache (Cachee)

Application writes value

↓

Cachee signs with 3 PQ families

↓

58-byte H33-74 receipt stored

↓

On read: verify receipt, then return

Poisoned data fails verification. Rejected before reaching the application.

Cache poisoning is not theoretical. It is a documented attack vector in Redis, Memcached, and CDN caches. The attacker does not need to break encryption -- they only need write access to the cache. Without attestation, every consumer downstream trusts the poisoned value because they have no mechanism to verify it.

The Solution

Three Families. Three Hardness Assumptions.

Breaking one signature family does not weaken the attestation. An attacker must break all three simultaneously -- three independent mathematical bets.

🔒

ML-DSA-65

Module Lattice Digital Signature Algorithm. Based on the hardness of Module Learning With Errors (MLWE). NIST standard. 3,309-byte signatures. Successor to Dilithium.

🔐

FALCON-512

Fast Fourier Lattice-based Compact Signatures over NTRU. Based on the hardness of Short Integer Solution over NTRU lattices. 656-byte signatures. Distinct mathematical basis from ML-DSA.

🔑

SLH-DSA

Stateless Hash-based Digital Signature Algorithm. Based on the security of hash functions (SHA3). No lattice assumptions at all. 17,088-byte signatures. Minimal cryptanalytic attack surface.

Must break all three to forge a cache attestation

These are three independent hardness assumptions. MLWE lattice problems, NTRU lattice problems, and hash function preimage resistance are mathematically unrelated. A quantum algorithm that breaks MLWE does not help against NTRU. A hash function weakness does not help against either lattice family. The attestation survives as long as any one of the three families remains unbroken.

Family	Hardness Assumption	Signature Size	Sign Time	Verify Time
ML-DSA-65	MLWE (lattice)	3,309 B	~0.2 ms	~0.1 ms
FALCON-512	NTRU lattice (SIS)	656 B	~0.5 ms	~0.05 ms
SLH-DSA	Hash (SHA3)	17,088 B	~5 ms	~0.3 ms
Total (3 families)	Three independent bets	21,053 B	~5.7 ms	~0.45 ms

Signing is a write-path cost (5.7ms, amortized over batch). Verification is a read-path cost (0.45ms). Both are dwarfed by the computation they attest -- a STARK verification at 25 microseconds, an FHE computation at 100 milliseconds. The attestation overhead is noise relative to the value it protects.

The Receipt

58 Bytes. Everything You Need.

The H33-74 receipt is a compact, self-describing attestation that travels with every cached entry. 58 bytes of metadata that prove authenticity.

32B

11B

Version (1B) -- receipt format version

Timestamp (8B) -- nanosecond-precision creation time

SHA3-256 (32B) -- hash of the cached value

ML-DSA prefix (2B) -- signature family identifier

FALCON prefix (2B) -- signature family identifier

SLH-DSA prefix (2B) -- signature family identifier

Flags (11B) -- hardware class, computation type, batch ID

Total: 58 bytes -- compact, self-describing, versioned

The receipt does not contain the full signatures -- those are stored in the Cachee Archive Bundle (CAB). The receipt contains only the prefixes needed to identify which signature algorithms were used and to locate the full signatures for verification. This keeps the per-entry overhead at 58 bytes while supporting full independent verification.

Verification Package

The Cachee Archive Bundle (CAB)

Self-Contained Verification

A CAB is a self-contained package that includes everything needed to verify a cached result independently. No network connection. No Cachee account. No API key. No trust in H33 or any third party. Download the CAB, run cachee-verify, get a cryptographic answer.

Component	Size	Purpose
Cached result	Variable	The actual cached value (bytes to KB)
H33-74 receipt	58 B	Compact attestation metadata
ML-DSA-65 signature	3,309 B	Lattice-based signature
FALCON-512 signature	656 B	NTRU lattice-based signature
SLH-DSA signature	17,088 B	Hash-based signature
Public verification keys	~2,500 B	All three family public keys
Computation fingerprint	32 B	SHA3-256 provenance digest
Total CAB	~24 KB	Everything needed for independent verification

The CAB is designed for offline verification, archival, and regulatory compliance. A financial auditor receives a CAB file and can verify it on an air-gapped machine. A court can verify a cached result years after the Cachee instance that produced it has been decommissioned. The math does not expire.

Live Demo

cachee-verify in Action

cachee-verify

$ cachee-verify audit:trade_settlement_q4_2026.cab

--- H33-74 Receipt ---

Version: 1

Timestamp: 2026-05-02T14:23:07.847291Z

Value hash: a7c3f9e2...b41d (SHA3-256)

HW class: Deterministic

--- Signature Verification ---

ML-DSA-65: VALID (3,309 bytes, MLWE lattice)

FALCON-512: VALID (656 bytes, NTRU lattice)

SLH-DSA: VALID (17,088 bytes, hash-based)

All 3 signatures valid. Result is authentic and untampered.

Verified offline. No network. No account. No trust required.

Try it: brew install cachee && cachee-verify --help

Independence

We Do Not Need to Exist for Your Data to Be Trusted

This is the independence argument, and it is the most important property of cache attestation.

If H33 ceases to operate tomorrow, every CAB file ever produced remains independently verifiable. The verification does not call home. It does not check a license server. It does not require a subscription. The cachee-verify tool is open-source and statically linked. The cryptographic algorithms are NIST standards. The public keys are embedded in the CAB.

Compare this to any other integrity mechanism that depends on a vendor's API, certificate authority, or cloud service. When the vendor disappears, the integrity guarantee disappears with it. Cache attestation is different. The integrity is in the math, not in the vendor.

Vendor-Dependent Integrity

Calls home

Verification requires vendor API

TLS certificates expire. API keys are revoked. Cloud services shut down. When the vendor disappears, the integrity guarantee disappears. Every verification is a dependency on someone else's uptime.

Cache Attestation

Self-contained

Verification requires only math

Public keys embedded in the CAB. Algorithms are NIST standards. Verification tool is open-source. Works offline, air-gapped, on any platform. The math does not expire. The math does not need a subscription.

Applications

Where Cache Attestation Matters

💰

Financial Audit Trails

SOX and SOC 2 require provenance for computed financial results. Every cached trade settlement, risk calculation, and compliance check carries a cryptographic receipt that auditors can verify independently.

📋

Regulatory Evidence

When a regulator asks "prove this computation happened and the result was not altered," the CAB file is the answer. Verifiable on an air-gapped machine, years after the fact.

🛒

Supply Chain Integrity

Every cached provenance check -- origin verification, certification validation, chain-of-custody query -- is signed. A compromised cache cannot inject false supply chain data.

🏥

Healthcare Record Caching

HIPAA requires integrity controls on cached patient data. Every cached lab result, diagnosis, and medication check is attested. Tampering is detected before the data reaches a clinician.

📜

Legal Document Verification

Cached contract analyses, compliance verdicts, and legal research results carry cryptographic receipts. Admissible as evidence because the verification is deterministic and vendor-independent.

🛡

Confidential Computing

Multi-party computation results cached and signed. Each party can verify independently that the cached result matches the computation they participated in. No trusted third party required.

Security Analysis

What Cache Attestation Prevents

Cache poisoning is the most common attack against caching infrastructure. It takes many forms, and attestation defends against all of them.

Attack	How It Works	Without Attestation	With Attestation
Direct cache poisoning	Attacker writes malicious value to cache	Succeeds -- no integrity check	Rejected -- no valid receipt
Man-in-the-middle	Attacker intercepts and modifies cached value in transit	Succeeds -- cache returns modified value	Rejected -- hash mismatch
Stale data injection	Attacker replays an old cached value after it was updated	Succeeds -- no version check	Rejected -- timestamp mismatch
Cross-tenant contamination	Tenant A's cached data served to Tenant B	Depends on namespace isolation	Rejected -- fingerprint includes tenant context
Quantum forgery (future)	Quantum computer forges a classical digital signature	All classical signatures broken	Three PQ families -- quantum-resistant by design

Under the Hood

The Attestation Pipeline

When you execute a SET command with Cachee, the following sequence executes in the write path:

        // Write path: SET key value
Compute SHA3-256(value)             // 32-byte content hash
Build computation fingerprint       // input + function + params + version + HW
Construct H33-74 receipt (58 bytes)  // version + timestamp + hash + prefixes + flags
Sign receipt with ML-DSA-65        // 3,309-byte signature
Sign receipt with FALCON-512       // 656-byte signature
Sign receipt with SLH-DSA          // 17,088-byte signature
Store value + receipt + signatures  // single atomic write

// Read path: GET key
Retrieve value + receipt             // from cache
Verify SHA3-256(value) == receipt.hash // content integrity
Verify ML-DSA-65 signature          // lattice check
Verify FALCON-512 signature          // NTRU lattice check
Verify SLH-DSA signature             // hash-based check
All pass? Return value               // safe to use
Any fail? Reject and delete entry    // poisoned data eliminated
    

Signing happens on the write path (5.7ms total). Verification happens on the read path (0.45ms total). For hot cache entries accessed thousands of times, the amortized cost of attestation approaches zero -- you sign once and verify many times.

Scale

Batch Attestation: One Signature Per 32 Entries

For high-throughput workloads, Cachee supports batch attestation. Instead of signing each cache entry individually, a Merkle tree is built over a batch of entries, and the three PQ families sign the Merkle root once.

Individual Attestation

32x

32 sign operations for 32 entries

Each entry gets its own signature triplet. 32 entries = 96 signatures = 182.4ms of signing time. Full per-entry provenance. Best for low-volume, high-value workloads.

Batch Attestation

1 sign operation for 32 entries

Merkle tree over 32 entries. One root signature. Each entry carries a Merkle proof (~160 bytes) to the signed root. 5.7ms for the batch. Individual entries still independently verifiable via Merkle inclusion proof.

Batch attestation is the default for high-throughput workloads (biometric auth at 1.6M+ ops/sec, STARK verification caching, ML inference results). Individual attestation is available when per-entry provenance is required (financial settlements, legal documents, healthcare records).

Install

Get Started

brew tap h33ai-postquantum/tap && brew install cachee
cachee init && cachee start

# Every SET is automatically attested
SET audit:trade_q4 "settlement:confirmed" FP <fingerprint_hex>

# Every GET is automatically verified
GETVERIFIED audit:trade_q4

# Export CAB for offline verification
cachee export-cab audit:trade_q4 --output trade_q4.cab

# Verify anywhere, offline, no account needed
cachee-verify trade_q4.cab

Attestation is on by default. Every SET is signed. Every GET is verified. No configuration needed. For batch attestation, use the --batch flag or configure the batch size in cachee.toml.

Every cached result should be a provable fact. Not a hope.

Install Cachee Computation Fingerprinting

Deep Dives

→Computation Fingerprinting: Prove What Was Computed →FHE Caching: Cache Homomorphic Encryption Outputs →ZK Caching: Cache STARK and SNARK Verification →FALCON vs Dilithium vs SPHINCS+: Which PQ Family to Cache →What is Verifiable Computation Caching? →Post-Quantum Key Sizes Reference