Two Standards, One Lattice: How ML-KEM and ML-DSA Would Break
ML-KEM and ML-DSA rest on one hard problem, Module-LWE, measured by one ruler. Here is how that ruler would slip -- and why one slip debits both standards.
Permalink1. We Escaped Shor by Making One Bet
We escaped Shor by making a single bet. RSA and elliptic curves fell to a quantum algorithm that hunts for hidden periodic structure, and lattice problems replaced them precisely because they seem to offer no such structure to hunt. In August 2024 the US National Institute of Standards and Technology (NIST) finished the job, publishing ML-KEM as FIPS 203 for key establishment [1] and ML-DSA as FIPS 204 for signatures [2]. The celebrations were real. But they skipped an uncomfortable question: if a quantum computer cannot break the replacements the way it broke the originals, how would they break?
The honest answer is: not with a bang. ML-KEM and ML-DSA are two products of one assumption, the Module Learning-With-Errors problem, and the strength of that assumption is not proven. It is measured -- read off a single ruler that lattice cryptographers argue about openly. The likely failure is not a dramatic event but that ruler slipping, a few bits at a time, as attacks improve. And because both standards are pinned to the same ruler, one slip debits both at once.
Two standards, one lattice, one ruler. ML-KEM and ML-DSA do not have two security stories; they have one -- Module-LWE -- read off a single ruler, the core-SVP block size that lattice reduction must reach. The realistic break is that ruler slipping a few bits at a time, and because both standards read the same ruler, one slip debits both at once. A sudden break would have to come from the one thing the ruler does not price: the algebra of the cyclotomic ring.
That lens sorts the whole threat surface into three routes, in descending order of likelihood. First and most probable is erosion: lattice reduction gets a little better, the ruler reads a few bits lower, and the published margins thin. This has already happened once in miniature, and it is the route this article says you should expect.
The second is the quantum route everyone fears -- a "Shor for lattices" that would collapse the margin all at once. It has been claimed exactly once, and retracted within days. The third is the wildcard: a structural attack on the extra algebra of the cyclotomic ring, the one surface the ruler does not even try to price. Low probability, high impact, genuinely contested.
To see how the ruler slips, we first have to see where the hardness came from -- and why "noisy linear algebra" survived the very tools that killed RSA.
2. Where the Hardness Comes From
In 1996, at IBM's Almaden Research Center, Miklos Ajtai proved something that sounds too good to be true: certain random lattice problems are as hard as the worst case of a related problem [3]. For a cryptographer, that is the dream.
Normally, a randomly generated key gives no guarantee you did not pick an easy instance. Ajtai's worst-case-to-average-case reduction says these lattice problems are different: a random instance is not a roll of the dice -- it inherits the difficulty of the hardest instance that exists. Build your keys on that, and breaking your average key would mean breaking the worst-case problem everyone believes is hard.
The set of all integer combinations of a fixed set of basis vectors -- a regular, infinite grid of points in -dimensional space. The same lattice has infinitely many bases. The hard problems live in the gap between a "good" basis (short, nearly perpendicular vectors) and a "bad" one (long, skewed vectors) that generate the identical grid.
The grid has a catch that makes it useful. Given a "bad" basis, simple questions become brutal.
Given a basis for a lattice, find the shortest non-zero vector in it. In high dimension, with a bad basis, no efficient algorithm is known -- and the best ones we have get exponentially slower as the dimension grows. Cryptographic hardness is quoted relative to how hard SVP is in the relevant dimension.
Ajtai's foundation was beautiful. The cryptosystems built directly on it were not. The first generation broke almost as fast as it was proposed. The Ajtai-Dwork scheme was provably hard but shipped megabyte-sized keys, and Nguyen and Stern broke it at its proposed parameters in 1998 [4]. The Goldreich-Goldwasser-Halevi scheme followed the tempting "publish a bad basis, decrypt with a secret good basis" template. Phong Nguyen broke it in 1999 by noticing that its special error distribution leaked a congruence, recovering plaintext outright at four of the five proposed dimensions and most of it at the fifth [5].
The lesson was expensive and permanent: hiding a good basis is not enough, because the structure you use to decrypt is structure an attacker can find. The hardness was real; the packaging was hopeless.
The fix arrived in 2005, and it changed the shape of the field. Oded Regev introduced Learning With Errors.
Recover a secret vector from many noisy linear samples , where each is public and random and each is a small secret error. Without the errors this is a linear system you solve by Gaussian elimination. With them, it is believed hard. LWE is "linear algebra where every equation is slightly, deliberately wrong."
Regev's construction did two things at once. It made the noise intrinsic -- the hardness no longer depended on hiding a clever basis, but came from the errors themselves -- and it came with a quantum worst-case-to-average-case reduction connecting a random LWE key to the worst case of standard lattice problems [6]. That word "quantum" is deliberate: Regev's reduction was tuned for a post-quantum world from the start.
It also points at the deeper reason lattices replaced RSA and elliptic curves. Shor's algorithm breaks RSA and Diffie-Hellman because those problems hide a periodic structure that a quantum Fourier transform can extract. LWE exposes no such period. This is the one-line reason lattices were chosen for the post-quantum standards: a period-finding or hidden-subgroup quantum algorithm has nothing to grab onto in the geometry of short vectors. Section 7 makes this precise. The very feature that makes LWE resist Shor is that its hardness is geometric, not arithmetic.
You can feel why the noise is load-bearing with a tiny numerical example.
// A toy LWE instance mod q. Recover the secret s from samples (a, b).
const q = 97;
const s = [42, 15, 8]; // the secret we must recover
const dot = (a, b) => a.reduce((t, x, i) => t + x * b[i], 0);
const A = [[12, 5, 33],[7, 88, 1],[54, 2, 19]]; // 3 public random rows
// Case 1: no noise. b = A s mod q. Gaussian elimination recovers s exactly.
const clean = A.map(a => ((dot(a, s) % q) + q) % q);
console.log("clean samples b =", clean);
// With 3 equations and 3 unknowns and NO error, solving is instant and exact.
// Case 2: add a small error e in {-1,0,1} to each equation.
const e = [1, -1, 1];
const noisy = A.map((a, i) => ((((dot(a, s) + e[i]) % q) + q) % q));
console.log("noisy samples b =", noisy);
// Now the linear system is INCONSISTENT with the true s: every naive solve
// that assumes e = 0 returns a different, wrong vector. The attacker must
// search over which tiny error vector was added -- and in real dimensions
// (n = 256 and up) that search is the hard lattice problem itself.
console.log("difference caused by e =", noisy.map((b, i) => b - clean[i])); Press Run to execute.
Three equations in three unknowns is trivial. The standards use dimensions in the hundreds, and the error turns "solve the system" into "find a suspiciously short vector in a lattice built from the system" -- which is SVP wearing a disguise. That disguise is the entire security story. The rest of this article is about how sharp the disguise really is.
LWE did not appear from nowhere; it was the turning point of a forty-year accretion, and seeing that lineage explains why the eventual break is an endpoint, not a surprise.
Diagram source
flowchart LR
A["LLL basis reduction, 1982"] --> B["Ajtai worst-case hardness, 1996"]
B --> C["Regev LWE, 2005"]
C --> D["Ring-LWE, 2010"]
D --> E["Module-LWE, 2015"]
E --> F["Kyber and Dilithium, 2017-2018"]
F --> G["FIPS 203 and FIPS 204, 2024"] The oldest box on that diagram, the LLL algorithm of 1982, is not a footnote [7]. It is the ancestor of every attack in this article: the first efficient method to take a bad basis and grind it into a better one. LWE was hard and clean, but its keys were quadratic in the security parameter -- far too heavy to ship in a TLS handshake. The fix was to add structure. And structure, it turns out, is exactly where the danger lives.
3. Building the Spine: From LWE to Module-LWE
The efficiency move came in 2010, and it came with a bill the field is still arguing about. Vadim Lyubashevsky, Chris Peikert, and Oded Regev introduced Ring-LWE, which shrinks LWE's quadratic keys to quasi-linear by pouring all the algebra into a single polynomial ring [8]. Instead of storing a full random matrix , you store one polynomial and let the ring's multiplication generate the matrix. Multiplication becomes a number-theoretic transform, the same fast-Fourier trick that makes the schemes practical on a phone. Keys drop from megabytes to kilobytes. Without this step there is no shippable post-quantum handshake.
But look at what changed. In plain LWE the matrix is fully random -- every entry independent. In Ring-LWE that matrix is generated by one polynomial, so its entries are locked together in a rigid, algebraic way. That relatedness is exactly what makes the scheme fast. It is also what has divided lattice cryptography ever since: does the ring structure only buy speed, or does it also buy the attacker a shortcut?
Daniel Bernstein and the NTRU Prime team have argued for years that the extra structure is an under-appreciated risk, and they built their alternative to avoid the most structured ring choices [9]. The design teams and NIST bet the other way. Section 8 weighs that dispute; for now, note only that it is real and unresolved.
The standards did not take either extreme. They took the middle, on purpose.
LWE instantiated over a rank- module of a polynomial ring: instead of one big structured polynomial (Ring-LWE) or a fully random matrix (plain LWE), you use a small matrix of ring elements at module rank (square for ML-KEM; rectangular -- such as or -- for ML-DSA). It is the deliberate middle ground -- most of Ring-LWE's speed, but the single-ring symmetry diluted across components. This is the shared spine of both FIPS standards.
Damien Stehle and Adeline Langlois gave this middle ground its worst-case-to-average-case reduction in 2015, proving that module lattices inherit the same style of hardness guarantee Ajtai and Regev had established for their settings [10]. That reduction is what lets the designers treat Module-LWE as a trustworthy foundation rather than an ad-hoc compromise. The rank becomes a dial: turn it up and you dilute the ring structure toward plain LWE (safer, heavier); turn it down toward and you recover Ring-LWE (faster, more structured). The hedge is built into the assumption itself.
The Short Integer Solution problem over modules: find a short, non-zero combination of given ring vectors that sums to zero. It is a "find a short collision" problem, dual in flavor to Module-LWE's "recover a short secret." ML-DSA depends on Module-SIS for unforgeability; ML-KEM does not carry this assumption at all.
Module-SIS is the second load-bearing assumption, and it matters for the asymmetry at the heart of this article: it is carried by the signature and not by the key-encapsulation mechanism. Both schemes then live in the same specific algebraic home.
The ring that both standards build on: polynomials of degree below 256, with coefficients modulo , reduced whenever the degree reaches 256 by the rule . Because is a power of two, this is a "power-of-two cyclotomic" ring -- the most efficient choice, and the one whose extra algebra is the wildcard's attack surface.
Diagram source
flowchart LR
A["Plain LWE: fully random matrix, no ring structure, safest, keys too heavy to ship"] --> B["Module-LWE: small matrix of ring elements, structure diluted across rank k, the tuned middle"]
B --> C["Ring-LWE: one polynomial generates everything, fastest, most structured"] The through-line from 1998 is worth naming, because the worry is as old as the efficiency trick. NTRU, published in 1998 by Hoffstein, Pipher, and Silverman, was the original "put the lattice in a polynomial ring to make it fast" cryptosystem [11]. It is simultaneously the ancestor of every ring-based scheme here and the origin of the recurring worry that ring structure buys the attacker something. Its descendants include the Falcon signature, whose different spine we meet in Section 4. The field has known since NTRU that ring structure is a bargain with two sides. Module-LWE is the current answer to "how much structure dare we cash in?"
Module-LWE is the single object both FIPS standards are built on: same ring, same core problem, two products. Which raises the question that defines this whole article. If they share one foundation, do they share one failure?
4. Two Standards, One Assumption
Lay the two standards side by side and they resolve into one. ML-KEM, the key-encapsulation mechanism in FIPS 203, rests on Module-LWE alone, over the ring with modulus , and offers three parameter sets at module ranks 2, 3, and 4 [1]. ML-DSA, the signature in FIPS 204, rests on Module-LWE and Module-SIS, over the same ring but with a different, much larger modulus , and signs using Fiat-Shamir with aborts [2]. Same spine, different parameters.
| Property | ML-KEM (FIPS 203) | ML-DSA (FIPS 204) |
|---|---|---|
| Purpose | Key encapsulation | Digital signatures |
| Core hardness | Module-LWE | Module-LWE + Module-SIS |
| Ring | ||
| Modulus | 3329 | 8380417 |
| Module ranks | 2 / 3 / 4 (square ) | grows with level (rectangular ) |
| Signing structure | not applicable | Fiat-Shamir with aborts |
| Extra structural route | decryption failure | SelfTargetMSIS forgery |
| A Module-LWE break yields | the decryption key | the signing key (universal forgery) |
The table's most important row is the third from the bottom, and it hides in plain sight. Both public keys are, essentially, the same object: a Module-LWE sample , a structured matrix times a short secret plus a small error. For ML-KEM the public key is literally such a sample, and recovering is recovering the decryption key.
For ML-DSA the public key is the same shape, and recovering the short secret is recovering the signing key -- which lets an attacker forge any signature at will. In both cases the attack is one thing: solve search-Module-LWE, find the short secret hiding in the sample. This is the mechanism the whole article turns on.
Correlated failure. Because each public key is a Module-LWE sample read off the same ruler, a single advance in lattice reduction against Module-LWE debits both standards at once -- the key-encapsulation mechanism and the signature together. It is not two independent bets. It is one bet, made twice.
The correlation is real, but it is one-directional, and precision here matters. A Module-LWE or lattice-reduction advance hits both schemes. But each scheme also carries one extra structural route the other does not share. ML-DSA has a second forgery path through its extra assumption; ML-KEM has a second path through decryption failures. Neither of those extra routes touches the other scheme, and because the two standards use different moduli, ranks, and noise, the same reduction advance erodes them by different amounts. "Correlated" does not mean "identical."
Diagram source
flowchart TD
A["Module-LWE hardness, the shared spine"] --> B["ML-KEM public key, a Module-LWE sample"]
A --> C["ML-DSA public key, a Module-LWE sample"]
R["A lattice-reduction advance"] --> A
B --> D["Recover the ML-KEM decryption key"]
C --> E["Recover the ML-DSA signing key, universal forgery"]
C --> F["Extra ML-DSA route: SelfTargetMSIS forgery"]
B --> G["Extra ML-KEM route: decryption-failure attack"] To see why ML-DSA's forgery route is separate, you need its signing template.
ML-DSA's signature method. It builds a signature the Fiat-Shamir way -- commit, hash the message to derive a challenge, respond -- but then rejection-samples: any candidate signature whose distribution would leak information about the secret key is thrown away ("abort") and the signer retries. The published signatures are therefore distributed independently of the signing key, so the only structural way to forge is to solve the underlying short-vector problem directly.
Vadim Lyubashevsky introduced the "with aborts" idea in 2009 [12] and made it a trapdoor-free lattice signature in 2012 [13]; ML-DSA is its standardized descendant [14] [15]. The rejection step is why forging ML-DSA reduces to a specific hard problem, called SelfTargetMSIS, rather than to "study enough signatures until the key leaks." That closed door matters, because it was wide open in an earlier generation.
5. The Ruler: How the Margin Is Measured
Here is the uncomfortable truth behind every "128-bit security" claim you have ever read about these schemes: there is no proof of it. There is a measurement, taken with a model that the people who built it will happily tell you is simplified and conservative. To understand how ML-KEM and ML-DSA would break, you have to meet the ruler that says how strong they are today.
The best known attacks all reduce to lattice reduction, and the workhorse is BKZ, the block-wise reduction introduced by Schnorr and Euchner in 1994 [20].
Block Korkine-Zolotarev reduction improves a lattice basis by repeatedly calling a subroutine -- an "SVP oracle" -- that solves the shortest-vector problem exactly inside projected blocks of consecutive basis vectors. A larger block size produces shorter vectors and can break harder instances, but the oracle's cost grows sharply with . Concrete security is quoted as "the block size that BKZ must reach to solve this instance."
The whole security estimate then collapses onto the cost of one oracle call. The cheapest known way to run that oracle is lattice sieving, and in 2016 Becker, Ducas, Gama, and Laarhoven pinned its cost: a sieve solves SVP in a block of size in time using memory [21]. That exponent, , is one of the most consequential constants in modern cryptography. The conservative way to price a whole attack is to charge for just that single most expensive call and ignore everything else.
The deliberately pessimistic (for the defender) cost model that prices an entire lattice attack at the cost of one SVP-oracle call at the required block size: classical, quantum. It ignores the many other operations a real attack needs, the cost of memory, and any structure the ring might offer. Because it charges the attacker so little, a scheme that looks secure under core-SVP has margin to spare -- but the number is a modeling choice, not a theorem.
The model originated with the NewHope proposal in 2016 [22]. It was operationalized by the LWE estimator of Albrecht, Player, and Scott, which turns a parameter set into a predicted block size and bit-cost [23]; its maintained successor is the tool NIST parameters are checked against [24]. The estimator is open source. Anyone can install it and re-read the ruler for any parameter set -- which is exactly why the margin is a public, moving number rather than a vendor secret. You can feel the ruler directly: the bit-cost is just the exponent, so a block size and a constant are all you need.
// Core-SVP prices an attack at ONE sieve-oracle call at block size beta.
// The base-2 log of the cost is simply constant * beta, so the exponent
// IS the bit-security number. No astronomically large integers needed.
const bits = (constant, beta) => (constant * beta).toFixed(1);
const beta = 406; // ML-KEM-512's required block size
console.log("ML-KEM-512, beta =", beta);
console.log("classical core-SVP 0.292*beta =", bits(0.292, beta), "bits");
console.log("quantum core-SVP 0.265*beta =", bits(0.265, beta), "bits");
console.log("refined quantum sieve 0.2570 =", bits(0.2570, beta), "bits");
// Now watch the ruler SLIP. Shave the classical constant a hair, from 0.292
// to 0.280 -- the kind of change a better sieve could deliver -- and see how
// many bits of "security" evaporate from the same, unchanged lattice.
console.log("if the constant drops to 0.280:", bits(0.280, beta), "bits");
console.log("bits lost from a 0.012 change =", (bits(0.292,beta) - bits(0.280,beta)).toFixed(1)); Press Run to execute.
Run it and the classical figure lands near -- the pure core-SVP number for ML-KEM-512. Now notice what the last two lines show: nudging the exponent constant by twelve thousandths erases almost five bits from an unchanged lattice. The ruler is not carved in stone. Its markings move whenever someone finds a better sieve. That is the entire thesis in one code block.
And the disagreement is not hypothetical. The same ML-KEM-512 lattice reads wildly differently depending on which model you trust.
| Cost model for ML-KEM-512 | Reads as | What it actually counts |
|---|---|---|
| Pure core-SVP | about | one sieve-oracle call, at [24] |
| Estimator default (ring operations) | about | ring operations across the whole attack, not just one call |
| NIST gate model | to | logical gates with the cost of memory access priced in |
One lattice. Three models. Tens of bits apart. NIST's own Kyber-512 analysis concedes the spread openly, estimating that the real gate count "would range from to " depending on how you model memory [25]. That range is not a rounding error; it is the margin the thesis says is slipping, written down as a live interval by the standardizer itself.
That reframes the entire question the article opened with. We were looking for the dramatic moment a scheme "cracks." There may never be one. There is a number, and it drifts.
The debate over how to read the ruler is public and pointed. Daniel Bernstein has argued that NIST's Kyber-512 accounting mixes up its arithmetic.
"NIST's primary error ... boils down to nonsensically multiplying two costs that should have been added." -- Daniel J. Bernstein, on the Kyber-512 gate-count dispute
One precaution before we watch the ruler move, because two different quantities share the same number. The sieving exponent describes the cost of sieving in the full sieve dimension ; the core-SVP figure describes one oracle call in a block of size . They share the constant because both are sieving, but they measure different objects. Conflating them is a classic way to misread the ruler by hundreds of bits. Sieving is not the only oracle, either: the older approach, enumeration, runs in time with only polynomial memory [27]. Sieving wins on time at cryptographic block sizes, which is why the standards are set against it -- but the "best" oracle is itself a moving research target, another reason the ruler is provisional.
Concretely, the trusted way to read the ruler is the primal attack.
Diagram source
flowchart TD
A["Public key: a Module-LWE sample"] --> B["Embed it into a lattice whose shortest vector encodes the secret"]
B --> C["Run BKZ with block size beta"]
C --> D["Each step calls the sieve SVP oracle, cost 2 to the 0.292 beta"]
D --> E["At large enough beta, the short secret vector appears"]
E --> F["Recover the secret: decryption key or signing key"] The primal attack embeds the public key into a lattice engineered so its shortest vector is the secret, then reduces until that vector surfaces [23]. It is the binding constraint -- the number NIST fixes parameters against -- because it relies on no fragile statistical distinguisher, only on reaching the block size. A ruler that is a debated model rather than a proof has one defining property: it moves. And it has moved before.
6. The Likely Break: Erosion
The break already had a rehearsal. In 2022 a research unit of the Israeli Defense Forces known as MATZOV published an improved dual lattice attack and reported that it shaved measurable margin off the very schemes NIST was about to standardize [28]. No scheme collapsed. No key was recovered. A number moved on a spreadsheet -- and that is exactly what the likely break looks like.
"Combining these improvements considerably reduces the security levels of Kyber, Saber and Dilithium ... bringing them below the thresholds defined by NIST." -- MATZOV, Report on the Security of LWE, 2022
Read that quote against the thesis. One attack, aimed at the shared Module-LWE spine, moved both Kyber (now ML-KEM) [29] and Dilithium (now ML-DSA) at once. That is correlated failure in miniature: not a metaphor, a measurement. And it moved them by different amounts, because their parameters differ -- exactly the one-directional, unequal correlation Section 4 predicted.
MATZOV was not a bolt from the blue. It was the latest step in a cryptanalysis lineage that has been quietly moving the ruler for forty years.
| Advance | Year | Effect on the ruler |
|---|---|---|
| LLL basis reduction | 1982 | first efficient reduction; makes weak bases tractable |
| BKZ with enumeration | 1990s-2011 | block reduction; oracle cost |
| Lattice sieving (BDGL16) | 2016 | cheaper oracle, -- the modern classical constant |
| Improved dual attack (MATZOV) | 2022 | dual sieving plus an FFT distinguisher; thins Kyber-512 below a clean 128 |
Each row lowered the block size an attacker needs, or the cost per block -- which is the same thing as lowering the bit-security the ruler reports. None of them "broke" anything. All of them moved the number.
But honesty about erosion cuts both ways, and the MATZOV figure is itself contested. In 2023, Ducas and Pulles examined the dual-attack family and found its success-probability heuristics internally inconsistent in some regimes -- a "waterfall-floor" behavior in which the predicted advantage is, in their words, presumably significantly overestimated [30].
So the precedent is solid: dual attacks improved and the estimates dropped. The exact magnitude of the drop is a live, disputed number. This is why any specific bit-count in this debate must name its model and source -- and why "the margin is a moving estimate" is more accurate than any single figure.
Optional detour: how a dual attack works, and why its size is contested
The dual attack does not look for the short secret directly. It works in the dual lattice: it guesses part of the secret, then uses short vectors of the dual lattice as a statistical distinguisher -- run through a fast Fourier transform over the guessed coordinates -- to test whether the guess was right. MATZOV's contribution was a faster way to produce those dual vectors (dual sieving) and a sharper distinguisher [28]. The catch Ducas and Pulles identified is that the standard heuristic for the distinguisher's success probability is internally inconsistent: in some regimes it predicts a probability that a more careful analysis contradicts, producing the tell-tale "waterfall-floor" curve, so the claimed advantage is likely overstated [30]. This is why the direction of the erosion is trusted but the magnitude is not, and why the primal attack -- which has no such fragile distinguisher -- remains the number parameters are actually fixed against.
There is also a large, reassuring gap between the theory and what anyone can actually do. The primal attack on ML-KEM-512 needs a block size of about [24]. The public record for a solved shortest-vector challenge, tracked on the SVP Challenge Hall of Fame, stands near dimension 210 [31]. The distance between "the block size the ruler says you need" and "the block size anyone has ever reached" is the practical safety margin -- and it is enormous. The reference sieving implementations that hold those records are highly optimized and public [32], which makes the record a meaningful ceiling rather than a guess. Erosion is real, but the frontier of the achievable is far below the frontier of the estimated.
The key-encapsulation mechanism carries one more erosion axis of its own, and it is purely structural -- a property of the parameters, not of any particular program. ML-KEM's decryption is not guaranteed to succeed: there is a tiny probability that Module-LWE noise plus the rounding in ciphertext compression pushes a coordinate across a decoding boundary, and the recovered key is wrong.
The design fixes this by parameter choice. The round-3 Kyber specification targets decryption-failure probabilities of , , and for the three levels -- all comfortably below -- and the modulus was chosen partly to keep that probability negligible [33].
Why does this matter for a break? Because decryption failures leak. D'Anvers, Guo, and collaborators showed that observed failures can be turned into full secret-key recovery [34]; "failure boosting" uses precomputation to hunt for failure-inducing ciphertexts [35]; failures cluster, so one found failure makes the next more likely [36]; and "directional" boosting exploits that clustering, so the cost is dominated by finding the first failure [37].
It is a genuine structural attack surface -- and at the standardized parameters it is closed, because those same analyses find the required number of oracle queries sits above any practical limit thanks to the conservative [35]. It is the mirror image of ML-DSA's extra forgery route: real, scheme-specific, and neutralized by the parameter margin, not by luck.
That insight organizes the rest of the threat surface. Erosion is the likely route; two tail risks would not be gradual at all.
Diagram source
flowchart TD
A["How Module-LWE would break"] --> B["Erosion: better lattice reduction (LIKELY)"]
A --> C["Quantum: a Shor for lattices (FEARED)"]
A --> D["Ring: cyclotomic structural attack (WILDCARD)"]
B --> B2["Gradual: the ruler slips a few bits at a time"]
C --> C2["Sudden and total, but so far unrealized"]
D --> D2["Sudden and total, low probability, high impact"] One boundary marker before we go on. None of this section is about KyberSlash. That family of timing and division side channels is an implementation leak -- a bug in how a particular program computes, not a weakness in the mathematics -- and it belongs to the empirical sibling, "How ML-KEM Breaks in Real Life." Erosion is the likely structural break. Take the quantum tail risk next, because it is the one everyone fears.
7. The Quantum Axis: Feared, Not Realized
The nightmare has a name -- "a Shor for lattices" -- and for about a week in April 2024 it looked like it had arrived. Yilei Chen posted a claimed polynomial-time quantum algorithm for LWE [38]. Had it held, it would have implied a quantum polynomial-time solver for standard lattice problems within an approximation factor of -- close enough to matter, and built on genuinely new machinery: a complex-Gaussian construction its author called a "Karst wave," driven through a windowed quantum Fourier transform. For a few days the post-quantum transition held its breath.
Then it broke -- the claim, not the schemes. Within days, Hongxun Wu and Thomas Vidick identified a fatal error in Step 9, and Chen retracted the result himself.
"Step 9 of the algorithm contains a bug, which I don't know how to fix ... the claim of showing a polynomial time quantum algorithm for solving LWE ... does not hold." -- Yilei Chen, retraction note, 2024
Set the fear against what quantum computers actually buy against lattices, which is modest. Quantum sieving speeds up the SVP oracle from to about , later refined to roughly [39]. That is a discount on the exponent, not a change in kind -- and it assumes cheap, large-scale quantum RAM that does not exist. It shaves bits; it does not collapse the problem. The refined quantum constant is why the higher parameter sets keep a comfortable margin even against an idealized quantum sieve.
Why does the big speedup keep not arriving? Because the structure Shor exploits is simply not present.
That leaves only Grover's algorithm, and it is not a structural break at all. Wu and Vidick found the Step-9 bug in Chen's algorithm independently and within days, which is itself a sign of how carefully the community watches this line of work. Separately, Grover's algorithm offers a generic square-root speedup on brute-force key search -- effectively halving the security level in the exponent -- which the standards simply absorb by choosing larger parameters. It is named once and set aside, because it applies to every cryptosystem equally and exploits nothing about lattices. Grover turns a search into a one; the parameter sets are sized so that even after that discount the key-search cost stays out of reach. It is a reason the numbers are what they are, not a route to a break.
Quantum is the feared route that keeps not arriving. The other tail risk is quieter, older, and the one the ruler literally cannot price: the algebra of the ring itself.
8. The Wildcard: The Cyclotomic Ring
The core-SVP ruler measures one thing: how hard it is to find a short vector by generic lattice reduction. It does not measure whether the algebra of the ring offers a shortcut that reduction never sees. That unpriced surface is the wildcard, and intellectual honesty demands steelmanning the people who worry about it, because they have been right before.
Ring structure has been cashed in for real attacks. In 2016, Cramer, Ducas, Peikert, and Regev showed a quantum polynomial-time (classically sub-exponential) algorithm that recovers short generators of principal ideals in cyclotomic fields -- a structural shortcut that plain lattice reduction does not find [42]. The same year, Albrecht, Bai, and Ducas broke "overstretched" NTRU by projecting the problem into a subfield, exploiting ring structure that appears when the modulus is very large [43].
Neither attack touches ML-KEM or ML-DSA at their standardized parameters -- the first needs principal ideals with unusually short generators, the second a modulus far larger than the standards use -- but both prove the general point: structure is not free, and sometimes the attacker gets to spend it. This is why Daniel Bernstein and the NTRU Prime team argue the cyclotomic choice is an under-appreciated risk and deliberately avoid the most structured rings in their own designs [9].
Now the counterweight, weighed just as fairly. First, Module-LWE was chosen partly to dilute exactly this risk: spreading the problem across a rank- module reduces the single-ring symmetry an algebraic attack would exploit. Second, at the standardized parameters, no known algebraic attack beats generic sieving -- the ideal and subfield attacks live in regimes the standards specifically avoid.
Third, and most concretely, the newest analysis points the other way. In 2025, Ducas, Engelberts, and de Perthuis studied module-lattice reduction directly and found that for the power-of-two cyclotomic ring -- exactly the ring ML-KEM and ML-DSA use -- the module structure gives the attacker no free reduction in block size [44]. If anything it costs a little: their module-BKZ prediction needs a block size larger by roughly . The ring the standards chose is, by this measure, a slight disadvantage to the attacker, not a gift.
The power-of-two choice is deliberate and load-bearing. Bernstein's NTRU Prime avoids power-of-two cyclotomics on principle, precisely because other cyclotomic fields carry more exploitable algebra. And the 2025 module-reduction analysis finds that non-power-of-two cyclotomic fields can yield a sub-exponential module-BKZ gain, whereas the power-of-two ring yields none [44]. The standards picked the ring that gives the attacker the least algebraic help, not the most.Put the three routes on one page and the wildcard sits where it belongs.
| Route | Likelihood | Impact | Best evidence it is real | Counterweight |
|---|---|---|---|---|
| Erosion (better reduction) | Likely | Gradual, partial | MATZOV 2022 moved the published margin | Huge gap: needed vs SVP record near 210 [24] [31] |
| Quantum (a Shor for lattices) | Feared | Sudden, total | Chen 2024 attempt using new machinery | Retracted in days; quantum sieve is only a modest discount |
| Ring (cyclotomic structure) | Wildcard | Sudden, total | Ideal and subfield attacks on adjacent variants | Diluted by modules; no free block-size at power-of-two (2025) |
The honest reading of that table is not "relax." It is "the two catastrophic routes are unrealized and actively fenced off, while the likely route is gradual and observable." That asymmetry is the entire risk posture of lattice cryptography.
NIST reads it the same way, and hedged accordingly. In March 2025 it selected the code-based key-encapsulation mechanism HQC as a backup to ML-KEM [45], explicitly as insurance against a systemic weakness in lattices [46]. That is not a vote of no confidence in ML-KEM; it is a standardizer refusing to make the entire post-quantum transition depend on a single hard problem.
The ring wildcard is low-probability, high-impact -- and honestly labeled as such. But naming it forces a deeper and more uncomfortable question. How much of any of this is actually proven?
9. What Is Actually Proven
Here is the honest accounting, and it is more humbling than the marketing suggests. Lattice hardness is unproven -- and, in a precise sense, it cannot be proven to the standard people quietly assume it meets.
Start with the ceiling. The approximate shortest-vector problem relevant to cryptography -- GapSVP with an approximation factor around -- was shown by Aharonov and Regev in 2005 to lie in [49]. That single fact has a large consequence: a problem in is very unlikely to be NP-hard, because if it were, the polynomial hierarchy would collapse. So lattice cryptography can never be founded on NP-completeness. The dream of "as hard as the hardest problems in NP" is off the table by a theorem.
The flip side is just as sobering: a genuine proof that these problems are hard would prove and settle the biggest open question in computer science. Nobody expects that proof. Security rests on the failure of decades of effort to find an efficient algorithm, not on a lower bound.
Then there are the reductions everyone points to -- Ajtai's, Regev's, Langlois and Stehle's. They are real and they are beautiful, but read their quantifiers carefully.
An asymptotic hardness result says a problem is hard "for all large enough ," with unspecified constants. A concrete security claim says a specific instance -- , -- costs a specific number of operations to break. The worst-case-to-average-case reductions for lattices are asymptotic. They guarantee that some sufficiently large parameter is hard; they do not pin the bit-security of the exact parameters a standard ships.
This is the gap the ruler papers over, and it has two halves. First, the reductions are asymptotic: they never certify specifically, so the concrete strength of the standardized parameters is an estimate, not a corollary.
Second, even the estimate trusts a heuristic. The provable cost of solving SVP is around , but concrete security is quoted using the heuristic sieving cost that the estimator actually runs [21]. The number protecting your data is the smaller, unproven one. Both halves point the same way: concrete lattice security is a carefully argued belief, propped up by a conservative model, not a theorem.
This is the same epistemic position RSA has always occupied -- on a younger assumption. RSA's security was never proven either; it rests on the enduring failure to factor efficiently. Lattice security rests on the enduring failure to reduce lattices efficiently. The difference is only age and exposure: factoring has been hammered for decades longer than Module-LWE has existed. "Believed hard, and watched closely" is the honest label for both.
That reframing turns the open problems from anxieties into a research agenda, and they are worth stating as the questions they are. Is there a large quantum speedup for lattices -- a working version of what Chen 2024 reached for? Is the cyclotomic ring structure exploitable at cryptographic sizes, or does the power-of-two choice hold? And how tight is the core-SVP model really -- what is the true cost of one sieve call, once memory and data movement are honestly priced? Each of these is being worked on in the open, and the answer to each moves the ruler.
None of this means ML-KEM and ML-DSA are weak. It means their strength is a measured, moving, human judgment rather than a settled fact -- which is exactly why what you do with them on Monday matters.
10. What to Do on Monday
If the ruler moves, engineering to a single fixed number is the wrong instinct. Engineer for headroom, and engineer for change. Five moves follow directly from everything above.
Prefer the higher parameter set for anything long-lived. ML-KEM offers levels 512, 768, and 1024; ML-DSA offers a matching ladder up to ML-DSA-87 [1] [2]. The smallest set, Kyber-512, is where the margin debate is sharpest, so for data that must stay secret for a decade, choose ML-KEM-1024 and the high ML-DSA level and buy yourself bits the estimator cannot easily erase. Even the design team's conservative reading places the middle set, Kyber-768, near AES-192 and treats it as the sensible default [26].
Deploy in hybrid. Run the post-quantum key exchange alongside a classical one (X25519 or a P-curve) and combine both secrets, so a break of the lattice problem is not a single point of failure -- the classical layer still stands, and vice versa. This is the mainstream transition posture for exactly the reason this article gives: correlated failure across the lattice standards means a lattice break is systemic, and a non-lattice layer is the cheapest insurance against it.
Build crypto-agility. The lesson of the moving ruler is that today's parameters are a snapshot. Architect so that swapping a parameter set -- or an entire algorithm -- is a configuration change, not a rewrite. The sibling articles on crypto-agility and the post-quantum toolkit go deeper here; the one-line version is that agility is the property that lets you re-read the ruler and act on it.
Watch the estimator, not the headlines. The break, if it comes the likely way, will show up first as a revised number in a tool most people never look at. The teams that will migrate calmly are the ones already tracking that number.
These are not the moves of a field in crisis. They are the moves of a field that has learned to live with a believed-hard problem, and to read its ruler honestly.
11. Frequently Asked Questions, and a Closing Thought
Frequently asked questions
Is ML-KEM or ML-DSA broken?
No. At the standardized parameters, no public attack recovers a key or forges a signature. What is happening is measurement, not breakage: cryptanalysts refine the estimated cost of the best attacks, and the numbers drift. The 2022 MATZOV result thinned the estimated margin of the smallest Kyber set, but even its magnitude is contested, and the block size a real attack needs remains far beyond anything ever demonstrated [28] [30].
Does a quantum computer break these the way it breaks RSA?
No, and that is the entire reason they were chosen. Shor's algorithm breaks RSA and elliptic curves by finding hidden periodic structure over a commutative group; lattice problems do not expose that structure, and the one explicit bridge to a hidden-subgroup problem lands on the non-commutative dihedral group that Shor's method does not solve [40]. The only known quantum advantage against lattices is a modest speedup of the sieving oracle [41].
Does Grover's algorithm break them?
Only in the weak, generic sense that it speeds up brute-force search everywhere. Grover turns a cost of into , so it effectively halves the exponent of a key search -- a discount the parameter sizes already absorb. It exploits nothing specific to lattices and is not a structural break.
What does correlated failure really mean, and is it symmetric?
Both standards rest on Module-LWE, so a single lattice-reduction advance debits both at once -- that is the correlation. It is one-directional and unequal: the two schemes use different moduli and ranks, so the same advance erodes them by different amounts, and ML-DSA carries an extra forgery route through Module-SIS that ML-KEM does not share [2]. The key-encapsulation mechanism, in turn, has its own extra route through decryption failures [34]. Shared spine, not identical schemes.
Is a bigger modulus or more ring structure automatically safer?
No. Security bits come from the cost of lattice reduction, not from a larger modulus, and more ring structure can add attack surface rather than remove it -- an overly large modulus is exactly what makes overstretched-NTRU breakable [43]. The standards chose the power-of-two cyclotomic ring because it gives the attacker the least algebraic help [44], not because bigger is better.
Isn't KyberSlash a break?
No. KyberSlash is an implementation timing leak -- a flaw in how specific software computed, not in the mathematics of Module-LWE. It is real and it mattered, but it lives outside this article's structural scope. The empirical sibling, "How ML-KEM Breaks in Real Life," covers that whole family of implementation attacks.
What should I actually deploy today?
For long-lived data, prefer the higher parameter sets (ML-KEM-1024, a high ML-DSA level) [1] [2]. Deploy post-quantum key exchange in hybrid with a classical algorithm so a lattice break is not a single point of failure, build crypto-agility so you can swap parameters or algorithms as a configuration change, and keep a non-lattice backstop such as SLH-DSA or HQC in your portfolio [48] [46].
So return to the question the celebrations skipped. If a quantum computer cannot break ML-KEM and ML-DSA the way it broke RSA, how would they break? The answer, assembled piece by piece, is a single sentence: two standards, one lattice, one ruler. They share the Module-LWE spine, and their strength is not proven but measured, on a core-SVP ruler that the field argues about in the open. The likely break is that ruler slipping a few bits at a time as reduction improves -- and because both standards read the same ruler, one slip debits both at once.
The evidence lines up behind that reading. Erosion is not hypothetical: MATZOV already moved the margin once, and the only debate is by how much. The feared quantum collapse remains unrealized -- the best attempt was retracted within days over a bug at Step 9. The structural wildcard, the algebra of the cyclotomic ring, is genuinely unpriced by the ruler, but the newest analysis finds the power-of-two ring gives the attacker no free reduction, and NIST hedged anyway by standardizing code-based HQC.
The verdict is not "broken." It is "believed hard, conservatively measured, and watched closely" -- the same position RSA has long occupied, on a much younger assumption.
Which is why the honest way to end is not with a warning but with a recalibration. If the break comes the likely way, it will not be a morning when the internet stops working. It will be a line in a changelog -- a revised constant in a tool most people never open, moving the ruler a few bits and asking, quietly, whether it is time to turn the parameter dial again.
Study guide
Key terms
- Module-LWE
- The shared hard problem under both ML-KEM and ML-DSA: LWE over a rank-k module of a polynomial ring, the tuned middle ground between unstructured LWE and Ring-LWE.
- Module-SIS
- A short-collision problem over modules; ML-DSA's extra assumption for unforgeability, which ML-KEM does not carry.
- Core-SVP model
- The conservative cost model that prices a whole lattice attack at one sieve-oracle call: 2^(0.292 beta) classical, 2^(0.265 beta) quantum. A debated measurement, not a proof.
- Block size beta
- The BKZ parameter that sets how large a projected block the SVP oracle must solve; security is quoted as the beta an attack must reach.
- Correlated failure
- Because both standards read the same Module-LWE ruler, one reduction advance debits both at once; one-directional and unequal across the two schemes.
- Cyclotomic ring
- The ring Z_q[X]/(X^256+1) both standards use; its extra algebra is the unpriced wildcard attack surface, chosen as a power-of-two form to minimize the attacker's algebraic help.
- Fiat-Shamir with aborts
- ML-DSA's signing method: rejection-sample any transcript that would leak the key, so signatures are distributed independently of the signing key.
- Erosion
- The likely break: better lattice reduction lowers the estimated bit-security a few bits at a time, as MATZOV 2022 demonstrated in miniature.
Comprehension questions
Why does a single advance against Module-LWE threaten both ML-KEM and ML-DSA at once?
Each public key is essentially a Module-LWE sample, so both are read off the same core-SVP ruler; a reduction advance lowers both estimates, though by different amounts because their parameters differ.
Why is core-SVP called a measurement rather than a proof?
It is a deliberately conservative cost model with debated constants; the same ML-KEM-512 lattice reads 2^118, 2^143.8, or 2^135 to 2^165 depending on the model, so the number moves as models and attacks improve.
Why does Shor's algorithm not break lattice schemes?
Shor exploits hidden periodic structure over commutative groups; lattice problems expose no such period, and the one bridge to a hidden-subgroup problem lands on the non-commutative dihedral group Shor cannot solve.
What happened with the Chen 2024 quantum LWE claim?
It claimed a polynomial-time quantum algorithm for LWE but was retracted within days over a fatal Step-9 bug identified by Wu and Vidick; it is the strongest recent evidence that no quantum lattice break exists yet.
Why did the standards choose the power-of-two cyclotomic ring?
The 2025 module-reduction analysis finds it gives the attacker no free block-size reduction, whereas other cyclotomic fields can yield a sub-exponential gain; the module structure also dilutes the exploitable ring symmetry.
In what precise sense is lattice hardness unproven?
Approximate SVP sits in NP intersect coNP, so it cannot be NP-hard, and the worst-case-to-average-case reductions are asymptotic; concrete security is a believed-hard judgment resting on a heuristic cost model, not a theorem.
References
- (2024). FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard. https://csrc.nist.gov/pubs/fips/203/final - ML-KEM standard; security tied to Module-LWE; parameter sets 512/768/1024. ↩
- (2024). FIPS 204: Module-Lattice-Based Digital Signature Standard. https://csrc.nist.gov/pubs/fips/204/final - ML-DSA standard; Module-LWE plus Module-SIS via Fiat-Shamir with aborts. ↩
- (1996). Generating hard instances of lattice problems. https://doi.org/10.1145/237814.237838 - Worst-case to average-case reduction; the SIS problem. ↩
- (1998). Cryptanalysis of the Ajtai-Dwork Cryptosystem. https://doi.org/10.1007/BFb0055731 - Practical attack on Ajtai-Dwork parameters; a deployment dead end. ↩
- (1999). Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto 97. https://doi.org/10.1007/3-540-48405-1_18 - Error-congruence trick breaks GGH; ends the hide-a-good-basis template. ↩
- (2009). On lattices, learning with errors, random linear codes, and cryptography. https://doi.org/10.1145/1568318.1568324 - Defines LWE with a quantum worst-case reduction; parent of Ring/Module-LWE. ↩
- (1982). Factoring polynomials with rational coefficients. https://doi.org/10.1007/BF01457454 - The LLL algorithm; first polynomial-time lattice basis reduction. ↩
- (2010). On Ideal Lattices and Learning with Errors over Rings. https://doi.org/10.1007/978-3-642-13190-5_1 - Ring-LWE; quasi-linear keys by concentrating algebra in one ring. ↩
- (2023). Analyzing the cost of Kyber-512 (Counting correctly). https://blog.cr.yp.to/20231003-countcorrectly.html - The multiplied-not-added critique of NIST Kyber-512 gate counting. ↩
- (2015). Worst-case to average-case reductions for module lattices. https://doi.org/10.1007/s10623-014-9938-4 - Formalizes Module-LWE and Module-SIS; the shared spine of both standards. ↩
- (1998). NTRU: A ring-based public key cryptosystem. https://doi.org/10.1007/BFb0054868 - First practical ring-based lattice cryptosystem; origin of the ring-structure worry. ↩
- (2009). Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures. https://doi.org/10.1007/978-3-642-10366-7_35 - The signature template of ML-DSA. ↩
- (2012). Lattice Signatures without Trapdoors. https://doi.org/10.1007/978-3-642-29011-4_43 - The direct trapdoor-free ancestor of Dilithium/ML-DSA. ↩
- (2018). CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. https://doi.org/10.13154/tches.v2018.i1.238-268 - Dilithium became ML-DSA; adds a Module-SIS forgery route. ↩
- (2024). CRYSTALS-Dilithium. https://pq-crystals.org/dilithium/index.shtml - Design team recommends Dilithium3 and hybrid mode. ↩
- (2020). Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU. https://falcon-sign.info/falcon.pdf - Falcon = GPV framework + NTRU lattices + fast-Fourier sampling; a different signature spine from ML-DSA. ↩
- (2008). Trapdoors for Hard Lattices and New Cryptographic Constructions. https://doi.org/10.1145/1374376.1374407 - The GPV Gaussian preimage sampler / hash-and-sign framework used by Falcon. ↩
- (2006). Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures. https://doi.org/10.1007/11761679_17 - Recovers the secret basis from signature transcripts -- the total-break failure mode of deterministic NTRUSign/GGH signing. ↩
- (2012). Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures. https://doi.org/10.1007/978-3-642-34961-4_27 - Defeats the perturbation countermeasures for NTRUSign; motivates provably basis-independent (GPV) sampling. ↩
- (1994). Lattice basis reduction: Improved practical algorithms and solving subset sum problems. https://doi.org/10.1007/BF01581144 - BKZ reduction; the tunable block size beta the ruler reads. ↩
- (2016). New directions in nearest neighbor searching with applications to lattice sieving. https://web.archive.org/web/20231206171942id_/https://eprint.iacr.org/2015/1128 - Heuristic sieving at 2^(0.292 beta); the constant the margin is computed from. ↩
- (2016). Post-quantum Key Exchange -- A New Hope. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim - Introduces the core-SVP cost model (2^0.292 beta classical, 2^0.265 beta quantum). ↩
- (2015). On the concrete hardness of Learning with Errors. https://doi.org/10.1515/jmc-2015-0016 - The lattice-estimator methodology; the ruler as a reproducible calculation. ↩
- (2024). lattice-estimator. https://github.com/malb/lattice-estimator - The reference tool: Kyber512 beta=406, rop ~2^143.8, rough usvp ~2^118.6. ↩
- (2023). Kyber-512 FAQ. https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/faq/Kyber-512-FAQ.pdf - NIST defends Kyber-512 Category 1; gate count could range 2^135 to 2^165. ↩
- (2024). CRYSTALS-Kyber. https://pq-crystals.org/kyber/index.shtml - Design team recommends Kyber-768 and hybrid mode. ↩
- (2011). BKZ 2.0: Better Lattice Security Estimates. https://doi.org/10.1007/978-3-642-25385-0_1 - Refined BKZ cost model behind modern estimates. ↩
- (2022). Report on the Security of LWE: Improved Dual Lattice Attack. https://zenodo.org/records/6412487 - Improved dual/FFT attack thinning Kyber/Dilithium margins; the erosion precedent. ↩
- (2018). CRYSTALS-Kyber: A CCA-Secure Module-Lattice-Based KEM. https://doi.org/10.1109/EuroSP.2018.00032 - Kyber (ring X^256+1, q=3329, ranks 2/3/4) became ML-KEM. ↩
- (2023). Does the Dual-Sieve Attack on Learning with Errors even Work?. https://web.archive.org/web/20250130130524id_/https://eprint.iacr.org/2023/302 - Dual-sieve success probabilities presumably significantly overestimated (waterfall-floor). ↩
- (2024). SVP Challenge Hall of Fame. https://www.latticechallenge.org/svp-challenge/ - Public SVP record is dimension 210 (Jintai Ding and Ziyu Zhao). ↩
- (2019). The General Sieve Kernel and New Records in Lattice Reduction (G6K). https://github.com/fplll/g6k - Practical state-of-the-art sieving implementation holding public records. ↩
- (2021). CRYSTALS-Kyber Algorithm Specifications and Supporting Documentation (Round 3). https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf - Decryption-failure targets delta = 2^-139 / 2^-164 / 2^-174, all below 2^-128; q=3329 chosen partly to keep delta negligible. ↩
- (2019). Decryption Failure Attacks on IND-CCA Secure Lattice-Based Schemes. https://doi.org/10.1007/978-3-030-17259-6_19 - Turns observed decryption failures into full secret-key recovery; multi-target regime. ↩
- (2019). On the Impact of Decryption Failures on the Security of LWE/LWR Based Schemes. https://web.archive.org/web/20250417003627id_/https://eprint.iacr.org/2018/1089 - Failure boosting via precomputation; for the NIST candidates the required oracle queries are above practical limits due to conservative parameters. ↩
- (2020). Decryption Failure Is More Likely After Success. https://doi.org/10.1007/978-3-030-44223-1_12 - Decryption failures cluster -- a failure is more likely after a prior success. ↩
- (2020). (One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes. https://web.archive.org/web/20260107050739id_/https://eprint.iacr.org/2019/1399 - Directional failure boosting: once one failing ciphertext is found, previously-found failures accelerate the next. ↩
- (2024). Quantum Algorithms for Lattice Problems (retracted). https://web.archive.org/web/20250118095123id_/https://eprint.iacr.org/2024/555 - Claimed quantum LWE algorithm, retracted within days over a Step-9 bug. ↩
- (2021). Lattice sieving via quantum random walks. https://arxiv.org/abs/2105.05608 - Best quantum SVP-sieving exponent 2^(0.2570 beta); a discount, not a break. ↩
- (2004). Quantum Computation and Lattice Problems. https://arxiv.org/abs/cs/0304005 - Solves unique-SVP assuming a dihedral (non-abelian) hidden-subgroup algorithm -- the bridge is to a group Shor does not solve. ↩
- (2016). A Decade of Lattice Cryptography. https://web.archive.org/web/20241127022955/https://eprint.iacr.org/2015/939 - Field survey grounding SIS, LWE, and their ring-based variants. ↩
- (2016). Recovering Short Generators of Principal Ideals in Cyclotomic Rings. https://doi.org/10.1007/978-3-662-49896-5_20 - Ring structure is sometimes exploitable; basis of the ring wildcard. ↩
- (2016). A Subfield Lattice Attack on Overstretched NTRU Assumptions. https://doi.org/10.1007/978-3-662-53018-4_6 - Overstretched (very large modulus) NTRU broken by subfield attacks. ↩
- (2025). Predicting Module-Lattice Reduction. https://arxiv.org/abs/2510.10540 - Power-of-two cyclotomic ring gives no free block-size reduction; the ring counterweight. ↩
- (2025). HQC Announced as a Fourth-Round Selection. https://csrc.nist.gov/News/2025/hqc-announced-as-a-4th-round-selection - HQC selected as the code-based KEM backup to ML-KEM. ↩
- (2025). Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process (NIST IR 8545). https://csrc.nist.gov/pubs/ir/8545/final - March 2025 selection of code-based HQC as a hedge against systemic lattice risk. ↩
- (2024). Post-Quantum Cryptography Project. https://csrc.nist.gov/projects/post-quantum-cryptography - Official program overview of the 2024 PQC standards. ↩
- (2024). FIPS 205: Stateless Hash-Based Digital Signature Standard. https://doi.org/10.6028/NIST.FIPS.205 - SLH-DSA, the non-lattice hash-based signature backstop. ↩
- (2005). Lattice problems in NP intersect coNP. https://doi.org/10.1145/1089023.1089025 - Approximate SVP within root-n lies in NP and coNP; very unlikely NP-hard. ↩