<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Parag Mali - tag: cryptanalysis</title><description>Posts tagged cryptanalysis.</description><link>https://paragmali.com/</link><language>en-US</language><lastBuildDate>Sun, 19 Jul 2026 05:08:42 GMT</lastBuildDate><atom:link href="https://paragmali.com/tags/cryptanalysis/rss.xml" rel="self" type="application/rss+xml"/><item><title>How Falcon Would Break: NTRU Lattices and the Structure Nobody Fully Trusts</title><link>https://paragmali.com/blog/how-falcon-would-break-ntru-lattices-and-the-structure-nobod/</link><guid isPermaLink="true">https://paragmali.com/blog/how-falcon-would-break-ntru-lattices-and-the-structure-nobod/</guid><description>Falcon is NIST&apos;s smallest post-quantum signature and its only lattice one still in draft. A structural case for why its likeliest break is NTRU-specific.</description><pubDate>Sat, 18 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
**Falcon is the smallest signature NIST chose for the post-quantum era, and the only lattice one still in draft.** Its security rests on three assumptions. Two are provably solid; one -- the NTRU quotient $h = g/f$ -- is not. This is the argument that when Falcon eventually breaks, the crack most likely starts in that NTRU structure: not from Shor (which cannot touch it), not from the transcript leak that broke its ancestor (which Falcon provably closes), but from the one assumption Falcon cannot insure. &quot;Most likely&quot; is a ranked judgment, and the safety margin behind it is thinner than you would expect.
&lt;h2&gt;1. The One Standardized Signature Nobody Fully Trusts&lt;/h2&gt;
&lt;p&gt;Falcon is the smallest signature NIST chose for the post-quantum era. A Falcon-512 signature is 666 bytes and its public key is 897 bytes -- roughly the classical security of RSA-2048 [@falcon-spec]. It is also the only one of NIST&apos;s lattice signatures still stuck in draft. &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;ML-DSA and SLH-DSA&lt;/a&gt; were finalized as FIPS 204 and FIPS 205 in 2024, while FN-DSA -- Falcon&apos;s standardized name -- remains a draft as of mid-2026 [@nist-pqc] [@fips-206-status]. And it is the only standardized signature whose core hardness assumption has a published regime where it simply collapses [@ducas-vanwoerden-2021].&lt;/p&gt;
&lt;p&gt;Here is the detail that should make you lean in. Pierre-Alain Fouque co-designed Falcon [@falcon-spec]. He is also a co-author of the attack that maps where NTRU&apos;s collapse begins [@kirchner-fouque-2017]. The person who helped build the trapdoor also helped chart its fault line. That is not a scandal. It is the tell.&lt;/p&gt;
&lt;p&gt;So this article asks the diagnostic question of the &lt;em&gt;How It Would Break&lt;/em&gt; series: when Falcon eventually cracks, where does the crack start? The answer, argued before any math, is that the likeliest &lt;strong&gt;structural&lt;/strong&gt; break is NTRU-specific -- a sharper exploitation of the ratio $h = g/f$, or a downward push of a documented failure boundary toward Falcon&apos;s own parameters.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Among all the ways Falcon&apos;s own mathematics could fail, the most likely structural break is NTRU-specific. It ranks above a generic lattice-reduction advance (which threatens every lattice scheme equally, so is not Falcon&apos;s alone) and above the transcript leakage that broke Falcon&apos;s ancestor (which Falcon provably closes). This is a ranked judgment, not a documented break -- and earning that ranking is the whole point of the article.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Three hypotheses will compete for the title of &quot;Falcon&apos;s likeliest crack.&quot; Hypothesis A is the NTRU-specific advance -- the thesis. Hypothesis B is a generic improvement to lattice reduction that would hit Dilithium and Kyber too. Hypothesis C is the transcript leak that felled NTRUSign. By the end you will see why A wins the &lt;em&gt;structural, Falcon-specific&lt;/em&gt; question, why B is the larger but non-specific existential risk, and why C is already closed.&lt;/p&gt;

flowchart LR
    A[&quot;NTRU 1996: public key is the ratio g/f&quot;] --&amp;gt; B[&quot;NTRUSign 2003: deterministic good-basis signing&quot;]
    B --&amp;gt; C[&quot;Nguyen-Regev 2006: the transcript reveals the key&quot;]
    C --&amp;gt; D[&quot;GPV 2008: provable Gaussian sampling&quot;]
    D --&amp;gt; E[&quot;Falcon 2017: GPV over NTRU, fast-Fourier sampled&quot;]
    E --&amp;gt; F[&quot;Overstretched NTRU 2016-2021: a documented cliff&quot;]
    F --&amp;gt; G[&quot;Draft FIPS 206: where does the crack start?&quot;]

Falcon -- Fast-Fourier Lattice-based Compact signatures over NTRU, standardized as FN-DSA -- is a hash-and-sign digital signature over an NTRU lattice. Its private key is a short trapdoor basis; its public key is the single ring element $h = g/f$; signing samples a short discrete-Gaussian preimage of the hashed message [@falcon-spec]. It produces the smallest signatures of any standardized lattice scheme and is draft FIPS 206 as of mid-2026 [@fips-206-status].
&lt;p&gt;One fence, stated once: this is a structural analysis. Side channels, Falcon&apos;s floating-point sampler, fault and power attacks, RNG failures, and protocol misuse attack the &lt;em&gt;code&lt;/em&gt;, not the mathematics. They belong to this article&apos;s empirical sibling, &lt;em&gt;How the NIST Finalists Broke: Rainbow in a Weekend, SIKE in an Afternoon, and the Graveyard of Post-Quantum Candidates&lt;/em&gt;, and appear here only to mark the boundary. This is Part 7 of the series.&lt;/p&gt;
&lt;p&gt;To see why the crack starts in the NTRU structure, you first have to see what Falcon actually is -- and why its smallness is not free.&lt;/p&gt;
&lt;h2&gt;2. What Falcon Actually Is: GPV Hash-and-Sign over an NTRU Lattice&lt;/h2&gt;
&lt;p&gt;Every signature scheme is a way to prove you know a secret without revealing it. Falcon&apos;s way is to be the only person on earth who can find a &lt;em&gt;short&lt;/em&gt; vector in one particular lattice.&lt;/p&gt;
&lt;p&gt;Start with the public key. It is a single element of a polynomial ring, $h = g/f$, where $f$ and $g$ are two short secret polynomials and the division happens modulo a prime $q = 12289$ [@falcon-spec] [@falcon-wiki]. That element $h$ pins down a lattice -- the NTRU lattice -- in which the secret pair $(f, g)$ is an unusually short vector. The private key is a &lt;em&gt;short basis&lt;/em&gt; of that lattice, built from $(f, g)$ and a completing pair. Anyone with the short basis can solve a hard-looking geometry problem cheaply; anyone without it cannot.&lt;/p&gt;

A signature design in which the signer hashes the message to a target point, then uses a secret trapdoor to produce a short value that maps to that target. Verification recomputes the target and checks the value is short and consistent. It contrasts with challenge-response (Fiat-Shamir) designs, which build a signature from an interactive identification protocol made non-interactive [@gpv-2008].
&lt;p&gt;To sign a message, Falcon hashes it (with a random salt) to a target point $c$ in the lattice&apos;s ambient space, then samples a short preimage $(s_1, s_2)$ satisfying $s_1 + s_2 h = c$, with both parts small. That sampling step is the heart of the scheme. Falcon draws the preimage from a &lt;strong&gt;discrete Gaussian&lt;/strong&gt; using a fast-Fourier tree walk over the ring&apos;s recursive structure -- the operation the designers call ffSampling, which runs in $O(n \log n)$ time [@dlp-2014] [@falcon-spec].The FFT tree mirrors the tower of subfields inside the cyclotomic ring: descend it once, sampling one Gaussian coordinate per node, and you have drawn a short preimage without ever forming a full basis matrix.&lt;/p&gt;
&lt;p&gt;To verify, anyone recomputes $s_1 = c - s_2 h$ from the public $h$ and checks that $|(s_1, s_2)|$ falls below a fixed norm bound. The compact half of the signature, $s_2$, plus the salt, is all that travels.&lt;/p&gt;

A probability distribution that gives each lattice point a weight that decays like a bell curve in its distance from a chosen center. Sampling it yields short lattice vectors. Its essential property for Falcon: if the Gaussian is wide enough relative to the basis quality, the output distribution depends only on the lattice and target, not on which basis produced it [@gpv-2008].

sequenceDiagram
    participant M as Message
    participant S as Signer (secret short basis)
    participant T as ffSampling tree
    participant V as Verifier (public h only)
    M-&amp;gt;&amp;gt;S: hash message plus salt to a coset point c
    S-&amp;gt;&amp;gt;T: request a short preimage of c
    T--&amp;gt;&amp;gt;S: discrete-Gaussian preimage s1, s2
    Note over S,T: output is short and provably basis-independent
    S-&amp;gt;&amp;gt;V: send signature, the salt and compact s2
    V-&amp;gt;&amp;gt;V: recompute s1 from c and h, check the norm is small
&lt;p&gt;The numbers are the reason Falcon exists. At Falcon-512 the public key is 897 bytes and the signature 666 bytes; at Falcon-1024 they are 1793 and 1280 bytes [@falcon-spec]. Its nearest standardized rival at the low end of the security range, ML-DSA-44, needs a 1312-byte key and a 2420-byte signature [@fips-204]. Falcon wins on size by a wide margin, and the win comes from NTRU.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Both standardized lattice signatures defeat transcript leakage, by different routes. Falcon uses &lt;strong&gt;hash-and-sign&lt;/strong&gt; with a provable discrete-Gaussian sampler, so the output law is independent of the secret basis. ML-DSA (Dilithium) uses &lt;strong&gt;Fiat-Shamir with aborts&lt;/strong&gt;: it builds a challenge-response proof and applies rejection sampling so the transcript distribution is independent of the secret [@fips-204]. Same goal, two mechanisms -- and only one of them needs the NTRU quotient.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That contrast runs through the rest of the article. ML-DSA rests on Module-LWE; Falcon rests on NTRU. They live over the same kind of polynomial ring, yet one is routinely called the conservative choice and the other the aggressive one. Everything rests on a single asymmetry: with the short trapdoor you can sample these tiny preimages; without it, finding a short vector that maps to $c$ is the NTRU lattice problem, believed hard.FALCON is a backronym: &lt;strong&gt;FA&lt;/strong&gt;st-Fourier &lt;strong&gt;L&lt;/strong&gt;attice-based &lt;strong&gt;CO&lt;/strong&gt;mpact signatures over &lt;strong&gt;N&lt;/strong&gt;TRU [@falcon-spec]. Because the trapdoor lives in the NTRU lattice specifically, it is NTRU -- not &quot;a lattice&quot; in the abstract -- that stands trial here.&lt;/p&gt;
&lt;p&gt;There is one more guarantee to bank. With a genuine discrete Gaussian, Falcon&apos;s key stays statistically hidden even after roughly $2^{64}$ signatures from a single key -- a leakage bound it inherits directly from the underlying proof, discussed in Section 5 [@falcon-spec].That $2^{64}$ figure is a structural, information-theoretic bound on transcript leakage for a true Gaussian. Whether a floating-point implementation emits a true Gaussian is a separate, out-of-scope question, flagged at the boundary in Section 6.&lt;/p&gt;
&lt;p&gt;That compact public key $h = g/f$ is a ratio -- and a ratio is a very particular thing to hand an attacker. To see the handle it creates, we have to go back to 1996.&lt;/p&gt;
&lt;h2&gt;3. Where the Handle Comes From: NTRU and the Quotient&lt;/h2&gt;
&lt;p&gt;In 1996, three Brown University mathematicians -- Jeffrey Hoffstein, Jill Pipher, and Joseph Silverman -- circulated a public-key system built not on factoring or discrete logs but on arithmetic in a polynomial ring. They wanted something far faster than RSA, and they got it. NTRU was published at the Third Algorithmic Number Theory Symposium in 1998 [@ntru-1998]. Hoffstein would, two decades later, be a co-author of Falcon [@falcon-spec]. The line from that ring to the smallest post-quantum signature is short and direct.&lt;/p&gt;
&lt;p&gt;Here is the move that matters for everything after. NTRU works in a polynomial ring and makes its public key a &lt;em&gt;ratio&lt;/em&gt; of two secret elements: $h = g/f$, computed as $g \cdot f^{-1}$ modulo a prime $q$ [@ntru-1998]. Both $f$ and $g$ are &lt;em&gt;short&lt;/em&gt; -- their coefficients are tiny. Their quotient $h$ is not short; it looks like a uniform random element of the ring. To recover the secret is to recover the short $(f, g)$ from the innocuous-looking $h$. That is the NTRU problem.The original 1998 NTRU used the convolution ring $\mathbb{Z}[x]/(x^N - 1)$ with $N$ prime [@ntru-1998]. Falcon keeps the same $g/f$ quotient idea but instantiates it over the power-of-two cyclotomic ring $\mathbb{Z}_q[x]/(x^n + 1)$, with $n = 512$ or $1024$ and $q = 12289$ [@falcon-wiki]. The dense-sublattice argument is identical for both rings, so the difference is historical precision, not a change in the mechanism.&lt;/p&gt;

The lattice of all pairs of ring elements $(u, v)$ with $v \equiv u \cdot h \pmod q$. Because $h = g/f$ implies $f \cdot h \equiv g$, the secret pair $(f, g)$ lives inside this lattice, and it is one of the shortest vectors there since $f$ and $g$ are short. Recovering a shortest vector recovers the key [@ntru-1998].
&lt;p&gt;Publishing a ratio is not the same as publishing two independent random-looking numbers. The quotient ties $g$ to $f$ through $h$, and that tie is geometric: it plants inside the NTRU lattice a &lt;strong&gt;dense sublattice&lt;/strong&gt;, a region unusually rich in short vectors, spanned by ring-shifts of the secret $(f, g)$. This is the object the entire thesis turns on. Module-LWE -- the assumption under Dilithium and Kyber -- builds its public data differently and does not expose this same handle. Two schemes, the same ring, but only one hands the attacker a ratio.&lt;/p&gt;

The NTRU lattice is the set of pairs of ring elements $(u, v)$ with $v$ congruent to $u \cdot h$ modulo $q$. Each ring element carries $n$ coefficients, so a pair has $2n$ coordinates: a $2n$-dimensional lattice. The secret satisfies $f \cdot h \equiv g$, so $(f, g)$ sits inside it, and it is short because $f$ and $g$ are short. Finding it is a shortest-vector problem in dimension $2n$.
&lt;p&gt;You can watch the quotient hide its secret. The toy below works in a tiny eight-dimensional ring with Falcon&apos;s real modulus. It picks two short secrets, forms the public ratio, and confirms the relation $f \cdot h \equiv g$ -- yet the published $h$ is smeared across the whole range $[0, q)$.&lt;/p&gt;
&lt;p&gt;{`
// NTRU public key in the ring R = Z_q[x]/(x^n + 1).
// The secret is a SHORT pair (f, g); the public key is the ratio h = g/f.
// h looks like uniform noise mod q, yet it hides the short (f, g).
// Recovering (f, g) from h is the NTRU lattice problem: trivial at n = 8,
// believed hard at Falcon&apos;s n = 512.
const q = 12289;   // Falcon&apos;s modulus (prime, 12*1024 + 1)
const n = 8;       // a tiny ring, so every coefficient is printable&lt;/p&gt;
&lt;p&gt;const mod = (a, m) =&amp;gt; ((a % m) + m) % m;
const invMod = (a, m) =&amp;gt; {           // scalar inverse via extended Euclid
  let [o, r] = [mod(a, m), m], [os, s] = [1, 0];
  while (r !== 0) { const k = Math.floor(o / r);
    [o, r] = [r, o - k * r]; [os, s] = [s, os - k * s]; }
  return mod(os, m);
};
const polyMul = (a, b) =&amp;gt; {          // negacyclic convolution: x^n = -1
  const o = new Array(n).fill(0);
  for (let i = 0; i &amp;lt; n; i++) for (let j = 0; j &amp;lt; n; j++) {
    const k = i + j, c = a[i] * b[j];
    if (k &amp;lt; n) o[k] = mod(o[k] + c, q); else o[k - n] = mod(o[k - n] - c, q);
  } return o;
};
const deg = p =&amp;gt; { let d = p.length - 1; while (d &amp;gt; 0 &amp;amp;&amp;amp; p[d] === 0) d--; return d; };
const trim = p =&amp;gt; { const c = p.slice(); while (c.length &amp;gt; 1 &amp;amp;&amp;amp; c[c.length-1] === 0) c.pop(); return c; };
const divmod = (a, b) =&amp;gt; {           // polynomial division over Z_q
  const rem = a.slice(), db = deg(b), lead = invMod(b[db], q);
  const quo = new Array(Math.max(1, rem.length)).fill(0);
  for (let i = rem.length - 1; i &amp;gt;= db; i--) { if (rem[i] === 0) continue;
    const fct = mod(rem[i] * lead, q); quo[i - db] = fct;
    for (let j = 0; j &amp;lt;= db; j++) rem[i - db + j] = mod(rem[i - db + j] - fct * b[j], q);
  } return [trim(quo), trim(rem)];
};
const polyInv = f =&amp;gt; {               // inverse in Z_q[x]/(x^n + 1)
  let r0 = new Array(n + 1).fill(0); r0[0] = 1; r0[n] = 1;
  let r1 = trim(f.slice()), t0 = [0], t1 = [1];
  while (deg(r1) &amp;gt; 0 || r1[0] !== 0) {
    const [quo, rem] = divmod(r0, r1);
    const qt = new Array(quo.length + t1.length).fill(0);
    for (let i = 0; i &amp;lt; quo.length; i++) for (let j = 0; j &amp;lt; t1.length; j++)
      qt[i + j] = mod(qt[i + j] + quo[i] * t1[j], q);
    const tn = new Array(Math.max(t0.length, qt.length)).fill(0);
    for (let i = 0; i &amp;lt; tn.length; i++) tn[i] = mod((t0[i] || 0) - (qt[i] || 0), q);
    [r0, r1] = [r1, rem]; [t0, t1] = [t1, trim(tn)];
  }
  if (deg(r0) !== 0) return null;    // f not invertible; try another f
  const sc = invMod(r0[0], q), o = new Array(n).fill(0);
  for (let i = 0; i &amp;lt; t0.length; i++) o[i] = mod(t0[i] * sc, q);
  return o;
};&lt;/p&gt;
&lt;p&gt;const f = [1, 1, -1, 0, 1, -1, 0, -1];   // short secret (ternary)
const g = [-1, 0, 1, 1, 0, -1, 1, 0];    // short secret (ternary)&lt;/p&gt;
&lt;p&gt;const h = polyMul(g, polyInv(f));          // public key: the ratio g/f
console.log(&quot;secret f (short) :&quot;, f.join(&quot;, &quot;));
console.log(&quot;secret g (short) :&quot;, g.join(&quot;, &quot;));
console.log(&quot;public h = g/f   :&quot;, h.join(&quot;, &quot;));
console.log(&quot;-&amp;gt; h is spread across [0, &quot; + q + &quot;): it looks uniform, but (f, g) are tiny.&quot;);
const ctr = x =&amp;gt; x &amp;gt; q/2 ? x - q : x;  // center into (-q/2, q/2]
const gCheck = polyMul(f, h).map(ctr);     // recompute g = f * h to prove the relation
console.log(&quot;verify f*h == g  :&quot;, gCheck.join(&quot;, &quot;), &quot;(equals g)&quot;);
`}&lt;/p&gt;
&lt;p&gt;In one dimension a ratio modulo $q$ is easy to invert -- rational reconstruction reads off small numerator and denominator in moments. NTRU&apos;s hardness comes from doing this with $n$ coefficients at once, where the short $(f, g)$ is buried in a $2n$-dimensional lattice and only the best reduction algorithms have any chance of digging it out.Falcon&apos;s modulus is $q = 12289 = 12 \cdot 1024 + 1$, chosen so the number-theoretic transform (a fast ring multiplication) has the roots of unity it needs. The value comes from the specification and standard parameter descriptions [@falcon-wiki].&lt;/p&gt;

flowchart TD
    A[&quot;Secret: two short polynomials f and g&quot;] --&amp;gt; B[&quot;Publish h, the ratio of g over f, mod q&quot;]
    B --&amp;gt; C[&quot;h defines the NTRU lattice of dimension 2n&quot;]
    C --&amp;gt; D[&quot;The pair f, g is an unusually short vector in it&quot;]
    C --&amp;gt; E[&quot;The quotient plants a dense sublattice&quot;]
    E --&amp;gt; F[&quot;A structural handle Module-LWE does not expose&quot;]

A sublattice of the NTRU lattice that is unusually rich in short vectors, created by the $g/f$ quotient structure and spanned by ring-shifts of the secret. When the modulus $q$ is large relative to the dimension $n$, this sublattice becomes so short that ordinary lattice reduction discovers it far below the generic cost -- the mechanism behind the overstretched-NTRU attacks of Section 8 [@kirchner-fouque-2017].
&lt;p&gt;A ratio you publish is a door you cannot fully close. The first people to walk through it were not attacking NTRU encryption at all. They were attacking NTRU&apos;s &lt;em&gt;signature&lt;/em&gt; -- and they walked away with the key.&lt;/p&gt;
&lt;h2&gt;4. NTRUSign and the Break That Defines the Design&lt;/h2&gt;
&lt;p&gt;The first NTRU signature verified perfectly, ran fast, and fit in a handful of bytes. It was also fatally, provably insecure -- and the reason has nothing to do with a bug.&lt;/p&gt;
&lt;p&gt;The idea came from a 1997 template by Goldreich, Goldwasser, and Halevi (GGH): a lattice has many bases, some useful and some useless, and that gap is a trapdoor [@ggh-1997].&lt;/p&gt;

A lattice has infinitely many bases for the same set of points. A *good* basis is short and nearly orthogonal, so it solves closest-vector problems cheaply. A *bad* basis spans the identical lattice but is long and skewed, and it does not. Publish the bad basis, keep the good one: everyone can verify, only the holder can sign [@ggh-1997].
&lt;p&gt;NTRUSign, in 2003, made this compact by using the NTRU lattice, whose basis is a few ring elements rather than a full matrix [@ntrusign-2003]. To sign, it hashed the message to a target point and used the secret good basis to round to the nearest lattice vector; the short difference was the signature. Fast, tiny, and correct. And deterministic -- the same message always rounded the same way. That determinism was the wound.&lt;/p&gt;
&lt;p&gt;Think about what each signature reveals. Rounding a target with the secret basis lands you inside the basis&apos;s &lt;strong&gt;fundamental parallelepiped&lt;/strong&gt; -- the tilted box you get by taking the basis vectors as edges. Every signature is one point drawn from that box. Collect a few thousand and their &lt;em&gt;shape&lt;/em&gt; emerges; collect enough and the box&apos;s edges are simply visible, and the edges are the secret basis vectors.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Deterministic good-basis signing turns every signature into a sample from the secret fundamental parallelepiped. The signatures are not leaking information &lt;em&gt;about&lt;/em&gt; the key in some indirect way -- their distribution literally &lt;em&gt;is&lt;/em&gt; the secret box. Enough of them, and the secret is not deduced but read off [@nguyen-regev-2006].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In 2006 Phong Nguyen and Oded Regev made this precise and devastating. They cast key recovery as finding the directions in which the signature cloud is flattest -- a fourth-moment (kurtosis) minimization solved by a gradient descent, the same shape of computation as independent-component analysis. From roughly 90,000 signatures they recovered the NTRUSign secret key outright [@nguyen-regev-2006].The ~90,000-signature figure is the original NTRUSign-251 experiment; later analysis cut the sample count and went on to defeat the countermeasures [@nguyen-regev-2006] [@ducas-nguyen-2012]. This was not brute force and not a quantum computer. It was statistics applied to a leak that was baked into the design.&lt;/p&gt;

Correctness is not security -- a hash-and-sign lattice signature can bleed its key through its own transcript.
&lt;p&gt;NTRUSign&apos;s authors tried to save it. They added &lt;em&gt;perturbations&lt;/em&gt; to blur the parallelepiped into a more complicated shape, a zonotope (the Minkowski sum of several segments), hoping to hide the edges. In 2012 Leo Ducas and Nguyen extended the moment method with a covariance-gradient refinement and learned the zonotope too [@ducas-nguyen-2012]. The patch bought a little sample complexity and nothing else.&lt;/p&gt;
&lt;p&gt;This was not the first NTRU-signature dead end, either: the earlier NSS design of 2001 leaked its key almost immediately [@nss-2001], and GGH&apos;s own encryption had already fallen to Nguyen in 1999 [@nguyen-ggh-1999]. GGH-style objects bleed structure; that was becoming a pattern.&lt;/p&gt;
&lt;p&gt;The lesson was total, and it reshaped the field. You cannot obfuscate your way out of an information-theoretic leak. A hash-and-sign lattice signature must leak &lt;em&gt;nothing&lt;/em&gt; about which basis produced it, and &quot;nothing&quot; has to be a theorem, not a hope. This is the first of our three hypotheses for how Falcon breaks -- Hypothesis C, transcript leakage -- raised here so the next section can show how Falcon shuts it. Everything that made NTRUSign attractive survives in Falcon: the NTRU lattice, the compact keys, the hash-and-sign shape. Only the fatal part was cut out.&lt;/p&gt;
&lt;p&gt;And two years before NTRUSign&apos;s perturbation patch even fell, someone had already shown exactly how to prove a signature leaks nothing.&lt;/p&gt;
&lt;h2&gt;5. The Fix Was a Theorem: GPV and Provable Gaussian Sampling&lt;/h2&gt;
&lt;p&gt;The answer to NTRUSign was not a cleverer patch. It was a proof.&lt;/p&gt;
&lt;p&gt;In 2008 Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan published a general framework for trapdoors on hard lattices, and with it the repair for the entire NTRUSign class [@gpv-2008]. The change is one word: stop &lt;em&gt;rounding&lt;/em&gt;, start &lt;em&gt;sampling&lt;/em&gt;. Instead of deterministically snapping a target to the nearest lattice point, draw a preimage from a discrete Gaussian centered on the target, using the secret basis only as a sampling aid.&lt;/p&gt;

Given many random elements of a ring or vector space, find a short, nonzero integer combination of them that sums to zero. It is believed hard on average. Forging a GPV signature reduces to SIS: a forgery is exactly a short solution that the forger should not be able to produce without the trapdoor [@gpv-2008].
&lt;p&gt;The magic is in the width. If the Gaussian is wider than the basis&apos;s longest Gram-Schmidt vector, the distribution of the output depends only on the lattice and the target -- and &lt;em&gt;not&lt;/em&gt; on which basis did the sampling.GPV&apos;s sampler is a randomized nearest-plane walk, the Klein sampler: descend the Gram-Schmidt-orthogonalized basis and draw one discrete-Gaussian coordinate per step. The width must exceed the basis&apos;s longest Gram-Schmidt vector for the independence proof to hold [@gpv-2008]. A good basis and a bad basis, fed the same target, produce statistically identical signatures. So the transcript that gave away NTRUSign now gives away nothing.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For a genuine discrete Gaussian, GPV&apos;s output law is a function of the lattice and the target alone; the trapdoor cancels. A transcript is therefore independent of the secret basis in the information-theoretic sense: there is nothing to learn from it, no matter how many signatures an adversary gathers. This is why transcript leakage -- Hypothesis C -- is not Falcon&apos;s likely break. It is closed by a theorem [@gpv-2008].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This is also where lattice signatures earn a word they wear with pride. GPV&apos;s security &lt;em&gt;reduces&lt;/em&gt; to SIS, and SIS in the relevant settings enjoys something NTRU does not.&lt;/p&gt;

A proof that solving *random* instances of a problem is at least as hard as solving the *worst imaginable* instance of a related lattice problem. It converts &quot;we tried and could not break this random key&quot; into &quot;breaking a random key would solve a problem believed hard in the absolute worst case.&quot; It is the strongest structural insurance a lattice scheme can carry, because it rules out weak-key classes by construction [@peikert-decade-2016].
&lt;p&gt;Keep that definition in your pocket. It is the hinge of the whole thesis, and it will swing in Section 7.&lt;/p&gt;

flowchart LR
    subgraph D[&quot;Design chain, each fix answers the last break&quot;]
      G1[&quot;GGH and NTRUSign, deterministic rounding&quot;] --&amp;gt; G2[&quot;GPV 2008, provable Gaussian sampling&quot;]
      G2 --&amp;gt; G3[&quot;Falcon, GPV over NTRU&quot;]
    end
    subgraph K[&quot;Attack chain, where each break lands&quot;]
      A1[&quot;Transcript geometry, parallelepiped and zonotope&quot;]
      A2[&quot;NTRU structure, overstretched dense sublattice&quot;]
    end
    A1 -. closed by .-&amp;gt; G2
    A2 -. still open, aimed at .-&amp;gt; G3
&lt;p&gt;There is a catch, and it is the reason GPV alone is not a product. Sampling over a &lt;em&gt;general&lt;/em&gt; lattice needs the full Gram-Schmidt basis in memory and costs on the order of $n^2$ time and space, with signatures and keys to match [@gpv-2008]. GPV is not a broken scheme; it is the &lt;em&gt;correct&lt;/em&gt; scheme, too heavy to deploy as written. It was outgrown, not defeated -- a distinction worth holding onto, because it is the opposite of what happened to NTRUSign.&lt;/p&gt;
&lt;p&gt;So the state of play by 2008 was strange and specific. Cryptographers had a signature that provably leaked nothing, backed by a reduction to SIS, and it was too slow and too large to use. They had, separately, a lattice with tiny keys and a fast ring structure -- NTRU -- carrying an assumption nobody could prove. GPV told you &lt;em&gt;what&lt;/em&gt; to sample. It did not tell you how to do it small and fast. The lattice that answered that question was the one with the handle.&lt;/p&gt;
&lt;h2&gt;6. Falcon: GPV, NTRU Compactness, and a Tree You Can Walk in n log n&lt;/h2&gt;
&lt;p&gt;Take the theorem that fixes the leak. Instantiate it over the lattice with the smallest keys in the business. Sample its Gaussian by walking a tree in $O(n \log n)$. That is Falcon -- and its genius is also its single uninsured bet.&lt;/p&gt;
&lt;p&gt;The missing engine arrived in 2014, when Ducas, Lyubashevsky, and Prest built a discrete-Gaussian sampler that exploits the recursive tower of the cyclotomic ring [@dlp-2014]. Instead of storing and walking a full Gram-Schmidt basis, it descends a binary &quot;Falcon tree,&quot; sampling one Gaussian coordinate per node. The generic GPV sampler&apos;s $n^2$ cost collapses to $n \log n$, and the full-matrix key shrinks to a few ring elements. Bolt this sampler onto GPV, run it over the NTRU lattice, and you have Falcon, submitted to NIST in 2017 [@falcon-spec].&lt;/p&gt;
&lt;p&gt;Key generation shows how tightly the pieces fit. Falcon samples short secrets $f$ and $g$, then solves the NTRU equation $fG - gF = q$ for a completing pair $(F, G)$; the secret basis is built from all four, and the public key is the familiar single element $h = g/f$ [@falcon-spec]. Signing draws a short preimage with ffSampling; verification checks a norm. The result is the smallest footprint of any standardized lattice signature [@falcon-spec].&lt;/p&gt;
&lt;p&gt;Now count what Falcon has actually insured. Deterministic leakage: closed, because ffSampling emits a true discrete Gaussian, and GPV&apos;s theorem then makes the transcript independent of the trapdoor, with key leakage negligible past $2^{64}$ signatures from one key [@falcon-spec] [@gpv-2008]. Large keys and slow signing: closed, by NTRU compactness and the FFT tree. Falcon is the scheme that fixed every wound its ancestors died of.&lt;/p&gt;
&lt;p&gt;Except one.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Falcon&apos;s smallness is not free. GPV&apos;s proof closes the transcript leak, and NTRU&apos;s ring structure closes the size and speed problems -- but the very choice of NTRU reintroduces the one bet the entire lineage could never insure: an assumption with a dense-sublattice handle and no worst-case-to-average-case reduction at Falcon&apos;s parameters. Every other risk got insured. This one got concentrated.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That is the shift worth pausing on. It is tempting to read Falcon as simply a well-engineered, compressed signature -- smaller is better, end of story. But by closing the transcript branch and shrinking the generic exposure, the compression funnels nearly all of Falcon&apos;s remaining structural risk onto a single assumption. Its safety is not spread across three independent bets. It rides on one.&lt;/p&gt;
&lt;p&gt;The field&apos;s own hedge against this bet is HAWK, a Falcon-class hash-and-sign that removes the $g/f$ quotient entirely and works over the integers. Two of the NTRU-Fatigue authors co-designed it -- an institutional tell that Section 12 returns to [@hawk-2022].&lt;/p&gt;
&lt;p&gt;Before we press on that assumption, one honest boundary marker.&lt;/p&gt;

Falcon&apos;s ffSampling uses floating-point arithmetic to walk the FFT tree. Specifying it for safe, constant-time execution across platforms is genuinely hard, and that difficulty -- not any mathematical weakness -- is the reason FIPS 206 trails FIPS 204 and 205 [@fips-206-status]. Sampler timing leaks, fault injection, and RNG failures are real attacks, but they attack the *code*, not the mathematics, and they belong to the empirical sibling. This article draws its line right here and does not step over it. When we say &quot;structural,&quot; we mean the math, and the math has not yet spoken about $q = 12289$.
&lt;p&gt;There is a temptation to treat the draft status as the story -- &quot;Falcon is late, so Falcon is shaky.&quot; That gets it backwards. The lateness is an implementation problem about a sampler. The structural question is entirely separate, and it is more interesting: Falcon could ship tomorrow with a flawless constant-time sampler and still rest on the least-insured assumption in the standardized lattice family.&lt;/p&gt;
&lt;p&gt;It could not prove that the lattice it stands on is hard. To see why that gap is unique to Falcon -- why the same is not said of Dilithium, which lives over the same kind of ring -- compare the bet Falcon made to the bet Dilithium made.&lt;/p&gt;
&lt;h2&gt;7. The Least Conservative Bet: NTRU Versus Module-LWE&lt;/h2&gt;
&lt;p&gt;Both Falcon and Dilithium live over the same kind of polynomial ring. So why do cryptographers call one of them the conservative choice and the other the aggressive one?&lt;/p&gt;
&lt;p&gt;The lazy answer is &quot;NTRU has more algebraic structure.&quot; That answer is wrong, and getting it right is the center of this article. NTRU and Module-LWE are built over the &lt;em&gt;same&lt;/em&gt; class of rings; neither has &quot;more ring&quot; than the other. The difference that matters is precise, and it has exactly two parts.&lt;/p&gt;

The assumption beneath Dilithium (ML-DSA) and Kyber: given a random matrix over a module and noisy linear equations in a secret, recover the secret. Module-LWE carries an *asymptotic* worst-case-to-average-case reduction to hard module-lattice problems, so breaking random keys is anchored to worst-case lattice hardness -- an anchor NTRU at Falcon&apos;s parameters does not have [@fips-204] [@peikert-decade-2016] [@langlois-stehle-2015].
&lt;p&gt;&lt;strong&gt;First difference: the public key is a quotient.&lt;/strong&gt; Module-LWE publishes noisy products; NTRU publishes the ratio $h = g/f$. As Section 3 showed, that ratio plants a dense sublattice -- an extra geometric handle that the overstretched attacks will grab. Module-LWE&apos;s public data does not expose that same handle [@peikert-decade-2016].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Second difference: the reduction gap.&lt;/strong&gt; Module-LWE has a worst-case-to-average-case reduction in its parameter regime; NTRU &lt;em&gt;at Falcon&apos;s parameters&lt;/em&gt; has none [@peikert-decade-2016] [@langlois-stehle-2015]. This is the structural insurance policy from Section 5, and Dilithium holds it while Falcon does not. That policy is worth reading precisely, though, because it is weaker than the slogan &quot;Dilithium is proven&quot; suggests.&lt;/p&gt;

The reduction is genuine insurance, not a trophy, and reading it precisely matters. What it buys: solving *random* Module-LWE keys is provably at least as hard as approximating a worst-case problem over *every* module lattice of that rank, which rules out a hidden class of secretly weak random keys [@langlois-stehle-2015] [@regev-jacm-2009]. What it does not buy comes in three parts. First, it is *asymptotic and non-tight* -- it constrains the family as $n$ grows, not the concrete bit-security at ML-DSA-44&apos;s exact numbers, which are still set by the lattice estimator rather than by the theorem [@peikert-decade-2016]. Second, Regev&apos;s original reduction is *quantum*; the known classical routes cost either an exponentially large modulus [@peikert-stoc-2009] or a dimension-increasing detour [@blprs-stoc-2013], so the clean, tight statement stays quantum [@regev-jacm-2009]. Third, the textbook reduction assumes *Gaussian* secrets, while ML-DSA samples its secret coefficients *uniformly* from a small range and rejection-samples, so it does not apply verbatim to the deployed distribution [@dilithium-tches-2018]. Discount all three, and the anchor is still strictly more than NTRU has at $q = 12289$, which is none at all. That is why &quot;least conservative&quot; is a precise placement of Falcon on a map, not name-calling.

The route Dilithium takes to leak-freedom: build a signature from an interactive identification protocol, make it non-interactive by hashing the commitment into the challenge, and use rejection sampling (&quot;aborts&quot;) so the published transcript&apos;s distribution is independent of the secret. It is the counterpart of Falcon&apos;s Gaussian sampler -- a different answer to the same leakage problem [@fips-204].
&lt;p&gt;Line the standardized signatures up and the trade becomes visible.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Property&lt;/th&gt;
&lt;th&gt;Falcon-512 (FN-DSA)&lt;/th&gt;
&lt;th&gt;ML-DSA-44 (Dilithium)&lt;/th&gt;
&lt;th&gt;SLH-DSA (SPHINCS+)&lt;/th&gt;
&lt;th&gt;HAWK-512&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Design&lt;/td&gt;
&lt;td&gt;GPV hash-and-sign over NTRU&lt;/td&gt;
&lt;td&gt;Fiat-Shamir with aborts over Module-LWE&lt;/td&gt;
&lt;td&gt;stateless hash-based&lt;/td&gt;
&lt;td&gt;hash-and-sign over Module-LIP&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Public key&lt;/td&gt;
&lt;td&gt;897 bytes&lt;/td&gt;
&lt;td&gt;1312 bytes&lt;/td&gt;
&lt;td&gt;32 bytes&lt;/td&gt;
&lt;td&gt;Falcon-class&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Signature&lt;/td&gt;
&lt;td&gt;666 bytes&lt;/td&gt;
&lt;td&gt;2420 bytes&lt;/td&gt;
&lt;td&gt;7856+ bytes&lt;/td&gt;
&lt;td&gt;Falcon-class&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Arithmetic&lt;/td&gt;
&lt;td&gt;floating-point (FFT)&lt;/td&gt;
&lt;td&gt;integer only&lt;/td&gt;
&lt;td&gt;integer (hashing)&lt;/td&gt;
&lt;td&gt;integer only&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Worst-case reduction&lt;/td&gt;
&lt;td&gt;no (at q = 12289)&lt;/td&gt;
&lt;td&gt;yes (Module-LWE)&lt;/td&gt;
&lt;td&gt;not applicable&lt;/td&gt;
&lt;td&gt;Module-LIP (younger)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Structural handle&lt;/td&gt;
&lt;td&gt;g/f dense sublattice&lt;/td&gt;
&lt;td&gt;none of that kind&lt;/td&gt;
&lt;td&gt;none&lt;/td&gt;
&lt;td&gt;no quotient&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Status, mid-2026&lt;/td&gt;
&lt;td&gt;draft FIPS 206&lt;/td&gt;
&lt;td&gt;final FIPS 204&lt;/td&gt;
&lt;td&gt;final FIPS 205&lt;/td&gt;
&lt;td&gt;not standardized&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The sizes come from the Falcon specification, FIPS 204, and FIPS 205; the reduction column from the survey literature and the standards; the handle and status columns summarize Sections 3 and 6 [@falcon-spec] [@fips-204] [@fips-205] [@peikert-decade-2016] [@nist-pqc]. Read across the Falcon column and the shape of the bet is stark: it is the only entry that is smallest on size &lt;em&gt;and&lt;/em&gt; alone in carrying both a dense-sublattice handle and no worst-case reduction. SLH-DSA sits at the opposite corner, resting on nothing but hash functions and paying for it in multi-kilobyte signatures [@nist-pqc].&lt;/p&gt;

Among the standardized lattice signatures, Falcon rests on the only assumption with a dense-sublattice handle and no worst-case reduction at $q = 12289$. That is what &quot;least conservative&quot; means -- stated precisely, not rhetorically.
&lt;p&gt;Now for the honest complication, because the thesis has to survive it.&lt;/p&gt;

It is not that NTRU can never earn a reduction. In 2011 Damien Stehle and Ron Steinfeld proved that a *modified* NTRU -- with wider Gaussian secrets and a much larger modulus, which makes $h$ statistically close to uniform -- is as hard as worst-case problems over ideal lattices [@stehle-steinfeld-2011]. A provable-NTRU reduction genuinely exists. But Falcon&apos;s $q = 12289$ is far too small to inherit it: the proof lives in a parameter regime Falcon deliberately avoids for the sake of compactness. That sharpens the point rather than softening it. The theorem tells you exactly what Falcon trades away to be small.
&lt;p&gt;So the &quot;least conservative&quot; verdict is not a slur on Falcon. It is a factual placement on a map that Stehle-Steinfeld themselves drew: the reduction sits over &lt;em&gt;there&lt;/em&gt;, at big parameters; Falcon sits over &lt;em&gt;here&lt;/em&gt;, at small ones, in the open country between the proof and the best-known attacks. Its security in that country is a well-tested assumption, not a theorem.&lt;/p&gt;
&lt;p&gt;An assumption with no proof beneath it is only as safe as the attacks that have failed to reach it so far. That would be a comfortable enough position -- most of cryptography lives there -- if not for one specific, documented fact about NTRU. For some parameters, the attacks do not fail. They succeed completely. The only question is how far those parameters sit from Falcon&apos;s.&lt;/p&gt;
&lt;h2&gt;8. The Documented Failure Regime: Overstretched NTRU&lt;/h2&gt;
&lt;p&gt;There is a number that decides whether NTRU is safe or doomed, and it is not the dimension. It is the modulus $q$ -- and NTRU has a cliff.&lt;/p&gt;
&lt;p&gt;To see the cliff you need the yardstick every lattice scheme is measured against: generic lattice reduction.&lt;/p&gt;

BKZ is the workhorse lattice-reduction algorithm. It improves a basis block by block, and each block of dimension $\beta$ (the &quot;blocksize&quot;) requires a near-exact shortest-vector computation, supplied by *sieving*. The best known heuristic sieve, BDGL 2016, costs about $2^{0.292\beta}$ operations classically. A scheme&apos;s security is the cost of the smallest blocksize $\beta$ at which reduction recovers a key or a forgery [@bdgl-2016].
&lt;p&gt;The generic curve is the same for every lattice scheme, Falcon and Dilithium and Kyber alike: pick the blocksize that breaks you, read off $2^{0.292\beta}$. You can run the mapping yourself. The blocksizes below are the ones the standard estimator assigns to Falcon-512, which we return to in Section 9.&lt;/p&gt;
&lt;p&gt;{&lt;code&gt;// R3: Core-SVP cost. A lattice attack must run BKZ with block size beta; // the best heuristic sieve costs about 2^(0.292*beta) classically (BDGL 2016). // Falcon-512&apos;s cheapest structural attack (in this conservative model) is // forgery at beta = 415; key recovery needs beta = 481. const classicalBits = beta =&amp;gt; 0.292 * beta;   // BDGL sieving exponent const quantumBits   = beta =&amp;gt; 0.265 * beta;   // model-dependent quantum sieve for (const [label, beta] of [[&quot;forgery (SIS)&quot;, 415], [&quot;key recovery (NTRU)&quot;, 481]]) {   const c = classicalBits(beta), qb = quantumBits(beta);   console.log(label + &quot;: beta = &quot; + beta +     &quot;  -&amp;gt;  classical 2^&quot; + c.toFixed(1) + &quot;,  quantum 2^&quot; + qb.toFixed(1)); } console.log(&quot;Doubling the attack&apos;s reach means moving beta -- an exponential wall.&quot;);&lt;/code&gt;}&lt;/p&gt;
&lt;p&gt;Those two numbers -- forgery near $2^{121}$, key recovery near $2^{140}$ -- are Falcon-512&apos;s generic security floor in the conservative model, computed with the standard lattice estimator, and they are shared-shape risk: an advance in sieving lowers that exponent for &lt;em&gt;everyone&lt;/em&gt; [@estimator-tool] [@bdgl-2016].&lt;/p&gt;
&lt;p&gt;It is worth knowing what fixes that blocksize, because it sets the entire floor. After BKZ reduces a basis, the lengths of its Gram-Schmidt vectors fall along a predictable downward &lt;em&gt;profile&lt;/em&gt;, and an attack succeeds at the smallest $\beta$ whose profile first lets the target vector poke through -- the projected-target picture behind the standard estimate [@newhope-2016] [@agvw-scn-2018]. Two things lower the $\beta$ you need: a shorter or more uniquely planted target, and a flatter, lower profile.&lt;/p&gt;
&lt;p&gt;That is why Falcon-512&apos;s two costs differ. Forgery needs only &lt;em&gt;some&lt;/em&gt; vector under a relatively loose norm bound and clears its profile at $\beta \approx 415$; key recovery must expose the &lt;em&gt;specific&lt;/em&gt;, very short secret module and only clears at $\beta \approx 481$ -- which is why the one $0.292$ constant reads out $2^{121}$ for the first and $2^{140}$ for the second [@estimator-tool]. Those constants come from the model, not from a derivation here: this is the intuition for what sets the floor, kept on the near side of the scope fence.&lt;/p&gt;
&lt;p&gt;Now watch what NTRU does that Module-LWE does not.&lt;/p&gt;
&lt;p&gt;In 2016, Martin Albrecht, Shi Bai, and Leo Ducas showed that when $q$ is large relative to $n$, you can project NTRU into a subfield of the ring, shrink the dimension, and expose the secret far below the generic cost [@albrecht-bai-ducas-2016].&lt;/p&gt;
&lt;p&gt;A year later, Paul Kirchner and Pierre-Alain Fouque removed the subfield crutch: plain BKZ, run on the NTRU lattice directly, &lt;em&gt;finds the dense sublattice&lt;/em&gt; on its own once $q$ is large enough [@kirchner-fouque-2017]. The $g/f$ quotient&apos;s planted structure becomes so short that reduction stumbles onto it early. This is a structural collapse, not a generic speedup -- the cost falls because of what NTRU &lt;em&gt;is&lt;/em&gt;, not because sieving got faster.&lt;/p&gt;
&lt;p&gt;Why does the planted sublattice go short exactly when $q$ is &lt;em&gt;large&lt;/em&gt;? The mechanism is a one-line volume argument, and it turns on two lengths inside the NTRU lattice that move with $q$ in opposite directions.&lt;/p&gt;
&lt;p&gt;Begin with the ambient lattice. The NTRU lattice has dimension $2n$ and volume $q^n$ -- one factor of $q$ for each of the $n$ coset constraints $v \equiv u \cdot h$ [@ntrufatigue-code]. The Gaussian heuristic estimates the shortest vector of a structureless lattice of dimension $d$ and volume $V$ at about $\sqrt{d / 2\pi e} \cdot V^{1/d}$ [@newhope-2016]. Substitute $d = 2n$ and $V = q^n$:&lt;/p&gt;
&lt;p&gt;$$
\mathrm{gh}(\Lambda_h) = \sqrt{\tfrac{2n}{2\pi e}} \cdot \left(q^{n}\right)^{1/(2n)} = \sqrt{\tfrac{n}{\pi e}} \cdot \sqrt{q}.
$$&lt;/p&gt;
&lt;p&gt;So the &lt;em&gt;generic&lt;/em&gt; shortest vector -- what plain reduction finds in a lattice of this shape with no planted structure -- grows like $\sqrt{q}$. Now take the planted sublattice. The secret $(f, g)$ and its $n$ ring-shifts $x^i \cdot (f, g)$ span a rank-$n$ sublattice inside the NTRU lattice. Multiplication by $x$ in the ring is only a signed coordinate rotation, so every one of those generators has the &lt;em&gt;same&lt;/em&gt; norm as $(f, g)$ itself -- a length set by how short the secret is, and completely &lt;em&gt;independent&lt;/em&gt; of $q$.&lt;/p&gt;
&lt;p&gt;Put the two lengths together and the whole overstretched phenomenon falls out. As $q$ climbs, the ambient generic length rises like $\sqrt{q}$ while the planted sublattice stays pinned at $|(f, g)|$. The secret module grows steadily more anomalous against its own surroundings. The security-relevant quantity is their ratio, proportional to $|(f, g)| / \sqrt{q}$, and it &lt;em&gt;shrinks&lt;/em&gt; as $q$ grows. That is the entire content of the warning that a bigger modulus is backwards: enlarging $q$ inflates the haystack&apos;s generic vectors while leaving the secret needle exactly as long, so the needle protrudes further, not less.&lt;/p&gt;
&lt;p&gt;Past a threshold, that protrusion changes what reduction finds &lt;em&gt;first&lt;/em&gt;. Instead of isolating the single shortest secret, BKZ surfaces the whole planted block. Ducas and van Woerden separate the two outcomes experimentally: a &lt;em&gt;Dense-Sublattice-Discovery&lt;/em&gt; event, in which reduction reveals vectors of the planted module, versus a &lt;em&gt;Secret-Key-Recovery&lt;/em&gt; event, in which it pins down the one shortest secret [@ntrufatigue-code]. Overstretched NTRU is precisely the regime where the Dense-Sublattice-Discovery event fires first, at a blocksize far below the cost of ordinary key recovery. That early discovery is the structural short-cut, and it is the engine of Hypothesis A.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The natural intuition is that a bigger modulus is &quot;more room&quot; and therefore safer. For NTRU it is exactly backwards. A &lt;em&gt;large&lt;/em&gt; $q$ shortens the dense sublattice relative to the rest of the NTRU lattice, and a shorter planted sublattice is easier for reduction to catch. Overstretched means large $q$. Falcon&apos;s small $q = 12289$ is not a weakness here -- it is the very thing that keeps Falcon out of the overstretched regime [@albrecht-bai-ducas-2016] [@kirchner-fouque-2017].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;How large is large? In 2021 Ducas and van Woerden answered it with an extensive experimental campaign, pinning the exact crossover.&lt;/p&gt;

NTRU is *overstretched* when its modulus $q$ is large relative to its dimension $n$, so that the dense sublattice is short enough for reduction to find cheaply. The *fatigue point* is the crossover modulus at which this overstretched attack overtakes ordinary key recovery. Ducas and van Woerden measured it experimentally at $q \approx 0.004 \cdot n^{2.484}$ for ternary secrets [@ducas-vanwoerden-2021].
&lt;p&gt;That formula is the whole game, so read it carefully. It says the cliff scales like $n^{2.484}$: as the dimension grows, you can afford a much larger modulus before falling off. It is also, in two specific ways, softer than a theorem -- it is an experimental average-case crossover rather than a proven bound, and it was fit to &lt;em&gt;ternary&lt;/em&gt; secrets, whereas Falcon samples discrete-Gaussian secrets. Both caveats matter enormously, and Section 9 makes them do work.Pierre-Alain Fouque co-designed Falcon and co-authored the Kirchner-Fouque overstretched attack. The designer and the cryptanalyst of the failure regime are the same person -- the strongest signal available that this is the live fault line, not a hypothetical one [@falcon-spec] [@kirchner-fouque-2017].&lt;/p&gt;

The same expertise that built Falcon&apos;s trapdoor also mapped its one uninsured failure regime.
&lt;p&gt;So the cliff is real, it has a mechanism -- the dense sublattice going short -- and it has a formula, fit from real computation. Falcon&apos;s whole claim to safety is that it sits on the near side of that cliff. The only question left is arithmetic. Plug in Falcon&apos;s numbers. How much margin is there?&lt;/p&gt;
&lt;h2&gt;9. The Margin: Why Falcon Stays Clear, For Now&lt;/h2&gt;
&lt;p&gt;Falcon-512 uses $q = 12289$. The fatigue formula says the cliff at $n = 512$ sits near $q \approx 21{,}500$. That is a safety factor of about 1.75. Sit with that number for a moment.&lt;/p&gt;
&lt;p&gt;Here is the calculation, laid out so you can move the dimension yourself and watch the margin change.&lt;/p&gt;
&lt;p&gt;{&lt;code&gt;// R2: NTRU &quot;fatigue&quot; margin. Ducas-van Woerden (2021) measured the modulus q // at which the overstretched (dense-sublattice) attack overtakes ordinary key // recovery: q ~= 0.004 * n^2.484, for TERNARY secrets. Falcon uses q = 12289. const fatigueQ = n =&amp;gt; 0.004 * Math.pow(n, 2.484); const FALCON_Q = 12289; for (const n of [512, 1024]) {   const fq = fatigueQ(n);   console.log(&quot;n = &quot; + n + &quot;:  fatigue-q ~= &quot; + Math.round(fq) +     &quot;   Falcon q = &quot; + FALCON_Q +     &quot;   margin ~= &quot; + (fq / FALCON_Q).toFixed(2) + &quot;x&quot;); } console.log(&quot;Caveat: this fit is experimental and for ternary secrets;&quot;); console.log(&quot;Falcon uses discrete-Gaussian secrets, so the margin is an extrapolation.&quot;);&lt;/code&gt;}&lt;/p&gt;
&lt;p&gt;The two rows are the whole story of Falcon&apos;s structural safety today.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension $n$&lt;/th&gt;
&lt;th&gt;Fatigue-$q$, from $0.004 \cdot n^{2.484}$&lt;/th&gt;
&lt;th&gt;Falcon&apos;s $q$&lt;/th&gt;
&lt;th&gt;Margin&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;512 (Falcon-512)&lt;/td&gt;
&lt;td&gt;about 21,500&lt;/td&gt;
&lt;td&gt;12,289&lt;/td&gt;
&lt;td&gt;about 1.75x&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1024 (Falcon-1024)&lt;/td&gt;
&lt;td&gt;about 120,000&lt;/td&gt;
&lt;td&gt;12,289&lt;/td&gt;
&lt;td&gt;about 9.8x&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;At $n = 1024$ the margin is roughly 9.8x -- comfortable by any standard. At $n = 512$ it is about 1.75x, and Falcon-512 is likely to be the more widely deployed of the two, because it is the small, fast one [@ducas-vanwoerden-2021] [@falcon-spec]. With FN-DSA still in draft and nothing yet in production, that is a prediction rather than a measured fact -- but if it holds, the thinnest margin in the standardized lattice family sits under the Falcon most deployments will reach for.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The 1.75x is softer than it looks, in two independent ways. First, the fatigue point is an &lt;em&gt;experimental, average-case&lt;/em&gt; crossover measured from computation -- not a proof that NTRU is hard for any $q$ below it. Second, it was fit to &lt;em&gt;ternary&lt;/em&gt; secrets, while Falcon uses &lt;em&gt;discrete-Gaussian&lt;/em&gt; secrets, so applying it to Falcon is an extrapolation across secret distributions. The 1.75x is an estimate of exposure, not a security theorem [@ducas-vanwoerden-2021].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Take those caveats seriously in both directions. They do not prove Falcon is in danger; nobody has broken $q = 12289$, and the extrapolation could just as easily place the true cliff &lt;em&gt;higher&lt;/em&gt; for Gaussian secrets as lower. But they do mean the number guarding Falcon-512 is not a proven wall. It is a measured, extrapolated fence, and its exact location for Falcon&apos;s own secret distribution has never been pinned.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The margin widens with dimension, so the conservative long-term choice is Falcon-1024, while the thinnest exposure sits under the Falcon-512 that most deployments are expected to prefer. A break from this direction would not arrive as a bolt from the blue -- it would arrive as the fatigue boundary $q \approx 0.004 \cdot n^{2.484}$ being pushed downward, or extended rigorously to Gaussian secrets and landing lower than hoped [@ducas-vanwoerden-2021].&lt;/p&gt;
&lt;/blockquote&gt;

The concrete blocksizes come from the open Sage tool lattice-estimator. Load it, call NTRU.estimate and SIS.estimate on Falcon-512&apos;s parameters, and record the commit, because the outputs are model- and commit-dependent. The rough (Core-SVP) model returns forgery at blocksize 415 and key recovery at blocksize 481; the exact bit-costs, 0.292 times 415 giving 121.2 and 0.292 times 481 giving 140.5, confirm that the rough numbers are Core-SVP numbers. Refined models push these above 146 and 160 respectively [@estimator-tool] [@estimator-paper-2015].
&lt;p&gt;A 1.75x margin below an unproven, extrapolated cliff is not a reason to panic. Falcon is not broken, and this section has not shown a break -- it has shown a boundary and measured a distance to it. But it is a reason to ask the real question, the one the whole article has been building toward. When Falcon eventually breaks, is &lt;em&gt;this&lt;/em&gt; where it starts -- the NTRU cliff creeping toward $q = 12289$ -- or does it start somewhere else entirely, in a generic advance or a quantum machine? To answer that, we have to rank.&lt;/p&gt;
&lt;h2&gt;10. Weighing the Hypotheses: Where Does Falcon&apos;s Crack Start?&lt;/h2&gt;
&lt;p&gt;Now we can rank. There are exactly three ways Falcon&apos;s own mathematics could fail, and only one of them is both open and Falcon&apos;s alone.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Hypothesis A -- an NTRU-specific advance.&lt;/strong&gt; Someone finds a sharper way to exploit the $g/f$ dense sublattice at Falcon&apos;s small $q$, or pushes the fatigue boundary $q \approx 0.004 \cdot n^{2.484}$ downward -- or extends it rigorously to discrete-Gaussian secrets and it lands lower than the ternary fit suggested. Any of these would break Falcon while leaving Module-LWE schemes untouched. It is open, it is aimed squarely at NTRU, and it is the one hypothesis with an already-documented failure regime one factor of 1.75 away [@kirchner-fouque-2017] [@ducas-vanwoerden-2021].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Hypothesis B -- a generic reduction advance.&lt;/strong&gt; Someone improves BKZ or sieving and lowers the exponent below the classical $2^{0.292\beta}$ (or the model-dependent quantum $2^{0.265\beta}$), where $\beta$ is the attack blocksize, for &lt;em&gt;all&lt;/em&gt; lattices [@bdgl-2016]. This is the larger threat in absolute terms: it would weaken Dilithium, Kyber, and Falcon in a single stroke. But that universality is exactly why it is the wrong answer to our question. It moves the whole floor, not Falcon&apos;s floor.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Hypothesis C -- transcript leakage.&lt;/strong&gt; The break that felled NTRUSign. Closed, structurally, by GPV&apos;s provable Gaussian sampling, as Section 5 showed. A true-Gaussian transcript is independent of the secret basis, so there is nothing to learn [@gpv-2008] [@nguyen-regev-2006].&lt;/p&gt;

flowchart TD
    Q[&quot;How could Falcon&apos;s mathematics fail?&quot;] --&amp;gt; A[&quot;A. NTRU-specific advance, sharper g/f or the cliff moves down&quot;]
    Q --&amp;gt; B[&quot;B. Generic reduction or sieving advance&quot;]
    Q --&amp;gt; C[&quot;C. Transcript leakage&quot;]
    A --&amp;gt; AV[&quot;Open and Falcon-specific, with a documented regime, ranked first&quot;]
    B --&amp;gt; BV[&quot;Open but hits every lattice scheme, largest yet non-specific&quot;]
    C --&amp;gt; CV[&quot;Closed by GPV Gaussian sampling, dismissed&quot;]
&lt;p&gt;Set them side by side on the properties that matter.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Property&lt;/th&gt;
&lt;th&gt;Hypothesis A (thesis)&lt;/th&gt;
&lt;th&gt;Hypothesis B (rival)&lt;/th&gt;
&lt;th&gt;Hypothesis C (dismissed)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Target&lt;/td&gt;
&lt;td&gt;NTRU&apos;s $g/f$ quotient&lt;/td&gt;
&lt;td&gt;every lattice scheme&lt;/td&gt;
&lt;td&gt;deterministic good-basis signing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Mechanism&lt;/td&gt;
&lt;td&gt;dense sublattice goes short, cliff moves&lt;/td&gt;
&lt;td&gt;faster BKZ and sieving&lt;/td&gt;
&lt;td&gt;key leaks through the signature cloud&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best-known cost&lt;/td&gt;
&lt;td&gt;fatigue-$q$ about 21,500 at $n = 512$, Falcon below&lt;/td&gt;
&lt;td&gt;about $2^{0.292\beta}$ classical, $2^{0.265\beta}$ quantum&lt;/td&gt;
&lt;td&gt;about 90,000 signatures on NTRUSign&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Falcon-specific?&lt;/td&gt;
&lt;td&gt;yes, misses Module-LWE&lt;/td&gt;
&lt;td&gt;no, moves the whole floor&lt;/td&gt;
&lt;td&gt;historically NTRU, now closed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Status versus Falcon&lt;/td&gt;
&lt;td&gt;open, specific, measured&lt;/td&gt;
&lt;td&gt;open, non-specific&lt;/td&gt;
&lt;td&gt;closed by GPV&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The table is the argument in miniature. Column C is greyed out by a theorem. Column B is real and frightening, but it is a threat to lattice cryptography as a category, not a Falcon story -- if it lands, the headline is &quot;lattices weakened,&quot; and Falcon is one name in a long list. Column A is the only one where the headline reads &quot;Falcon&quot; and no one else.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The series asks a specific question: where does &lt;em&gt;Falcon&apos;s&lt;/em&gt; crack start? That question selects for Falcon-specificity. Hypothesis B is the larger existential threat to lattice cryptography as a whole, and this article concedes that plainly. But a generic sieving advance breaks Dilithium and Kyber in the same motion -- it is not where Falcon fails &lt;em&gt;first and alone&lt;/em&gt;. Hypothesis A is the only break that is open, aimed at Falcon in particular, and already carries a measured failure regime. That is why A outranks B on this question, even though B is bigger.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Say the honest part out loud, because the thesis lives or dies on it. &quot;Most likely&quot; here is a &lt;em&gt;ranked judgment&lt;/em&gt;, not a documented fact. No one has broken Falcon&apos;s actual parameters; the overstretched attacks break &lt;em&gt;other&lt;/em&gt;, large-$q$ NTRU, and the 1.75x margin is an extrapolation across secret distributions.&lt;/p&gt;
&lt;p&gt;If you want a claim of the form &quot;here is Falcon, broken,&quot; this article cannot give it to you, and neither can anyone else today. What it can give you is a disciplined ordering: given that Falcon &lt;em&gt;will&lt;/em&gt; eventually face sharper mathematics, the break that is simultaneously open, Falcon-specific, and already partway documented is the one to bet on first.&lt;/p&gt;

The assumption Falcon cannot insure -- the NTRU quotient plus the missing worst-case reduction -- is exactly where the crack is likeliest to begin.
&lt;p&gt;Notice what carries the ranking. It is not that the NTRU attack is close to working -- it is a comfortable distance away. It is that the NTRU attack is the only one of the three that is both &lt;em&gt;live&lt;/em&gt; and &lt;em&gt;specific&lt;/em&gt;. Hypothesis C had specificity but is dead; Hypothesis B is alive but generic. Only Hypothesis A has both at once -- and in a &quot;how would &lt;em&gt;this&lt;/em&gt; scheme break&quot; question, both are what you rank on.&lt;/p&gt;
&lt;p&gt;The whole ranking, though, rests on two load-bearing assumptions of its own: that Shor&apos;s algorithm really cannot touch Falcon, so the quantum future does not simply erase the question, and that the fatigue cliff really is unproven, so the margin is a research frontier rather than a settled bound. Both deserve a hard look, and the second is more fragile than the first.&lt;/p&gt;
&lt;h2&gt;11. Theoretical Limits and the Quantum Question&lt;/h2&gt;
&lt;p&gt;The most important fact about Falcon&apos;s quantum security is a non-result: the algorithm that broke RSA does nothing here.&lt;/p&gt;
&lt;p&gt;That deserves to be stated carefully, because it is the reason the whole field exists. &lt;a href=&quot;https://paragmali.com/blog/how-q-day-breaks-everything-shors-algorithm-and-the-simultan/&quot; rel=&quot;noopener&quot;&gt;Shor&apos;s algorithm&lt;/a&gt; is not a general code-breaker. It solves one abstract problem exceptionally well, and factoring and discrete logarithm happen to be instances of it.&lt;/p&gt;

The abstract problem Shor&apos;s algorithm solves: given a function that is constant on the cosets of a hidden subgroup of an *abelian* (commutative) group, find the subgroup. Factoring and discrete logarithm are instances, which is why a quantum computer breaks RSA and elliptic-curve cryptography. Lattice problems are *not* an instance of it -- and that is precisely why they are candidates for post-quantum security [@regev-quantum-2004].
&lt;p&gt;Lattices sit outside the abelian-HSP family, so Shor has no purchase on Falcon. The closest anyone has come to a quantum handle is a 2004 result of Oded Regev connecting a lattice problem (unique-SVP) to the &lt;em&gt;dihedral&lt;/em&gt; hidden-subgroup problem -- but the reduction runs one way only, and no one knows how to prepare the quantum states it would need to run usefully in reverse [@regev-quantum-2004]. Two decades of effort have not reversed it.&lt;/p&gt;

flowchart TD
    Q[&quot;Is the hard problem an abelian hidden-subgroup problem?&quot;] --&amp;gt;|Yes, such as RSA and ECC| S[&quot;Shor solves it, the scheme is broken&quot;]
    Q --&amp;gt;|No, as with lattices| L[&quot;Shor does not apply&quot;]
    L --&amp;gt; R[&quot;The only quantum lever is a faster sieve&quot;]
    R --&amp;gt; E[&quot;The classical 0.292 beta exponent drops toward 0.265 beta&quot;]
    E --&amp;gt; N[&quot;A constant-factor gain in the exponent, not a structural collapse&quot;]
&lt;p&gt;So what &lt;em&gt;does&lt;/em&gt; a quantum computer buy an attacker against Falcon? One thing, and it is modest in shape if not in size: a faster sieve. Quantum near-neighbor search lowers the sieving exponent from the classical $2^{0.292\beta}$ toward roughly $2^{0.265\beta}$ in the sieve blocksize $\beta$ -- a model-dependent figure associated with the Core-SVP quantum line [@bdgl-2016] [@newhope-2016]. That is a genuine improvement, but look at what &lt;em&gt;kind&lt;/em&gt; it is: it lowers the exponent&apos;s constant. It makes Hypothesis B a little cheaper. It does not convert the problem into one Shor can solve, and it does not touch the NTRU-specific structure at all.Regev&apos;s one-directional reduction lands lattices on the &lt;em&gt;dihedral&lt;/em&gt; hidden-subgroup problem [@regev-quantum-2004] -- the same problem Kuperberg&apos;s sub-exponential algorithm attacks [@kuperberg-2005]. But no one knows how to prepare the coset states that algorithm needs from a lattice instance, which is why it drives attacks on isogeny schemes such as CSIDH [@csidh-2018] rather than on lattices. It is a frequent source of confusion in exactly this discussion.Grover&apos;s algorithm speeds up unstructured brute-force search [@grover-1996], but Falcon&apos;s security rests on the hardness of a lattice problem, not on guessing a symmetric key, so Grover has no structural target here. It is named once and set aside as a generic search speedup, not a break.&lt;/p&gt;
&lt;p&gt;Now stack the two things the theory leaves unproven, because together they are the real picture.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Falcon&apos;s safety lives in two unproven gaps at once. The &lt;em&gt;reduction gap&lt;/em&gt;: at $q = 12289$ there is no worst-case-to-average-case reduction, so no theorem sits beneath the assumption. The &lt;em&gt;fatigue gap&lt;/em&gt;: only about 1.75x separates Falcon-512 from an experimental, ternary-secret cliff. Shor cannot touch either gap, and a faster sieve only nudges the generic floor. The real exposure is the NTRU-specific space between those two gaps -- which is exactly why the likeliest structural crack is Hypothesis A, not a quantum collapse and not a generic advance.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This is the understanding that flips the usual intuition. Most people carry a mental model in which &quot;NIST standardized it, so it is proven, and the only danger is a future quantum computer running Shor.&quot; Every clause of that is off. Shor cannot touch Falcon. A quantum computer buys only a constant-factor sieving gain against a floor that is already high. And &quot;standardized&quot; does not mean &quot;proven&quot;: Falcon&apos;s exact parameters have no reduction beneath them, and the boundary that keeps them safe is an experimental fit to a different secret distribution.&lt;/p&gt;
&lt;p&gt;There is a positive impossibility in the mix too, and it belongs on the ledger in Falcon&apos;s favor. For a &lt;em&gt;true&lt;/em&gt; discrete Gaussian, GPV&apos;s theorem makes transcript-based key recovery information-theoretically impossible -- not hard, impossible [@gpv-2008]. Falcon&apos;s quantum-and-theory scorecard is therefore lopsided in a very specific way: strong where people fear weakness (Shor, transcripts), and quietly exposed where people assume strength (the reduction and fatigue gaps).&lt;/p&gt;
&lt;p&gt;So the theory leaves Falcon standing on an assumption with no proof beneath it and a cliff whose exact location for its own secrets nobody has pinned. That is not a flaw to hide. It is a research frontier to map -- and the people best placed to map it are already at work. Here is where that frontier actually is.&lt;/p&gt;
&lt;h2&gt;12. Open Problems and the NTRU-Free Frontier&lt;/h2&gt;
&lt;p&gt;The people best positioned to know where Falcon breaks are already building the scheme that would replace it. That is the most honest signal in this whole story.&lt;/p&gt;
&lt;p&gt;The research frontier around Falcon is not vague hand-wringing; it is five specific questions, and each one is a lever on the thesis.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Can the fatigue analysis be made a proof?&lt;/strong&gt; Ducas and van Woerden measured the crossover; no one has proven that NTRU is hard for every $q$ &lt;em&gt;below&lt;/em&gt; it, and no one has redone the measurement for Falcon&apos;s discrete-Gaussian secrets rather than ternary ones [@ducas-vanwoerden-2021]. A proof would settle Falcon-512&apos;s safety; a sharper measurement could move the cliff either way. This is the single most decisive open problem for the thesis.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Is there an unexploited handle at Falcon&apos;s dimension?&lt;/strong&gt; Both overstretched routes -- subfield and subfield-free -- need a large $q$. Whether some &lt;em&gt;other&lt;/em&gt; structural attack on $h = g/f$ beats generic reduction at Falcon&apos;s small $q$ is open; the consolidated survey of refinements records steady progress but no sub-generic attack there yet [@albrecht-ducas-2021] [@kirchner-fouque-2017]. Such an attack would be Hypothesis A made real.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Does quantum help lattices beyond sieving?&lt;/strong&gt; Reversing Regev&apos;s one-directional reduction, or finding any quantum lever past the sieving speedup, would reshape the entire field [@regev-quantum-2004]. Widely believed impossible, entirely unproven.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Can NTRU&apos;s reduction be narrowed to Falcon&apos;s parameters?&lt;/strong&gt; This is the one open problem whose success would &lt;em&gt;strengthen&lt;/em&gt; Falcon.OP4 is the escape hatch: narrow the Stehle-Steinfeld reduction toward $q = 12289$ and Falcon&apos;s assumption would finally gain the theorem it currently lacks, softening the &quot;least conservative&quot; verdict at the center of this article [@stehle-steinfeld-2011]. No one has managed it; the reduction still lives only at large parameters [@stehle-steinfeld-2011].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Is Module-LWE&apos;s reduction worth the bytes?&lt;/strong&gt; The practitioner&apos;s version of the thesis: quantify how much the worst-case reduction is worth against Falcon&apos;s roughly 1.5x to 3.6x size advantage. NIST&apos;s answer so far is an institutional hedge -- standardize both, ML-DSA as the default and Falcon for the compact niche -- rather than a resolved ranking [@nist-pqc] [@fips-204].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Be clear about what is and is not in dispute. The &lt;em&gt;mechanisms&lt;/em&gt; in this article are settled results: the NTRU quotient and its dense sublattice, GPV&apos;s provable sampling, the overstretched fatigue phenomenon. What is contested is the &lt;em&gt;ranking&lt;/em&gt; -- which failure arrives first. That combination, rigorous foundations under an open ordering, is exactly the right shape for a &quot;How It Would Break&quot; question.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;And then there is the tell.&lt;/p&gt;

The clearest signal that the thesis names the right fault line is institutional. HAWK is a Falcon-class hash-and-sign that drops the $g/f$ quotient entirely, basing security on the module lattice-isomorphism problem and running over the integers with no floating-point sampler [@hawk-2022]. Two of the NTRU-Fatigue authors -- Leo Ducas and Wessel van Woerden -- co-designed it. The people who measured NTRU&apos;s cliff went and built the NTRU-free alternative. The honest counter-caveat runs the other way: the lattice-isomorphism problem is younger and less battle-tested than NTRU, so HAWK trades a well-scrutinized assumption for a less-scrutinized one. It is a hedge, not a verdict.
&lt;p&gt;That HAWK exists, and that its designers overlap with NTRU&apos;s own cliff-mappers, is the strongest available evidence that Falcon&apos;s NTRU assumption is a &lt;em&gt;chosen trade-off&lt;/em&gt; rather than a free lunch. No standardized scheme occupies the ideal corner -- compact, integer-only, reduction-backed, and quotient-free all at once. Falcon has the compactness and pays with the assumption; ML-DSA has the reduction and pays with bytes; HAWK reaches for the quotient-free corner and pays with youth. The design space has no free lunch, only priced trades.&lt;/p&gt;
&lt;p&gt;None of this is a reason to avoid Falcon. It is a reason to deploy it with your eyes open -- which, for a defender planning a real migration, is a concrete and answerable question. What do you actually do on Monday?&lt;/p&gt;
&lt;h2&gt;13. What a Defender Does on Monday&lt;/h2&gt;
&lt;p&gt;You are a defender planning a post-quantum migration. You have read the argument. What do you actually do?&lt;/p&gt;
&lt;p&gt;Start by matching the signature to the constraint, not to the hype.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; - &lt;strong&gt;Default: ML-DSA (FIPS 204).&lt;/strong&gt; Finalized, integer-only, easy to implement in constant time, and backed by a worst-case reduction. Choose it unless a hard constraint forces otherwise [@fips-204] [@peikert-decade-2016]. - &lt;strong&gt;Bandwidth-critical: Falcon (FN-DSA), eyes open.&lt;/strong&gt; When the smallest signature and key are decisive -- certificate chains, constrained links -- and you accept both the thinner NTRU margin and the draft status [@falcon-spec] [@fips-206-status]. - &lt;strong&gt;Assumption-minimal: SLH-DSA (FIPS 205).&lt;/strong&gt; When you want to depend on nothing but hash functions and can pay multi-kilobyte signatures [@nist-pqc]. - &lt;strong&gt;Belt-and-suspenders: hybrids.&lt;/strong&gt; Pair a classical signature with a post-quantum one during migration, or pair ML-DSA with Falcon for both a reduction and compactness. - &lt;strong&gt;Frontier, watch but do not deploy: HAWK.&lt;/strong&gt; The NTRU-free hash-and-sign that removes the exact handle this article isolates; not standardized [@hawk-2022].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Then decide what you &lt;em&gt;watch&lt;/em&gt;, because the thesis tells you exactly what an early warning looks like. Watch the fatigue margin: any result pushing $q \approx 0.004 \cdot n^{2.484}$ downward, or extending it rigorously to discrete-Gaussian secrets and landing lower, is a signal aimed straight at Falcon-512 [@ducas-vanwoerden-2021]. Watch for a new $g/f$ sublattice technique that bites at Falcon&apos;s small $q$ [@kirchner-fouque-2017]. What you do &lt;em&gt;not&lt;/em&gt; need to watch for is a sudden Shor-style collapse -- the mathematics rules that out. An NTRU break announces itself as a shrinking margin, not a thunderclap.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; FN-DSA is draft FIPS 206 as of mid-2026, with final publication expected late 2026 or early 2027 [@fips-206-status] [@encryptionconsulting-fndsa]. Treat it as plan-and-test, not production. Keep ML-DSA as the drop-in conservative sibling, and keep your stack crypto-agile so you can swap schemes if the margin moves.&lt;/p&gt;
&lt;/blockquote&gt;


No. Lattice problems are not an instance of the abelian hidden-subgroup problem that Shor&apos;s algorithm solves, which is the very reason Falcon is a post-quantum candidate. A quantum computer only speeds up generic sieving, a constant-factor gain in the exponent, not a structural collapse [@regev-quantum-2004] [@bdgl-2016].


No. Those attacks require a *large* modulus $q$ relative to the dimension. Falcon&apos;s $q = 12289$ is deliberately small and sits below the measured fatigue cliff, in the regime where the NTRU lattice is believed to behave generically [@albrecht-bai-ducas-2016] [@ducas-vanwoerden-2021].


No. NTRUSign leaked its key because it signed *deterministically*, making every signature a sample from the secret parallelepiped. Falcon&apos;s GPV discrete-Gaussian sampling provably closes that exact leak: a true-Gaussian transcript is independent of the secret basis [@nguyen-regev-2006] [@gpv-2008].


Here it is the opposite. A large modulus shortens NTRU&apos;s dense sublattice and invites the overstretched attack; Falcon&apos;s small $q$ is precisely what keeps it clear of that regime [@kirchner-fouque-2017] [@albrecht-bai-ducas-2016].


Not yet. FIPS 206 is still draft; ML-DSA (FIPS 204) is the finalized default for general use. Reach for Falcon where bytes are genuinely scarce, with the NTRU margin and draft status understood [@fips-206-status] [@fips-204].


A paper pushing the fatigue boundary $q \approx 0.004 \cdot n^{2.484}$ downward, or extending it rigorously to Falcon&apos;s discrete-Gaussian secrets and finding it lower than the ternary fit, or a new $g/f$ sublattice technique effective at Falcon&apos;s dimension. Not a sudden quantum collapse [@ducas-vanwoerden-2021] [@kirchner-fouque-2017].


It is the same ring and the same $h = g/f$ quotient, but a different use -- a GPV trapdoor signature rather than encryption -- with carefully chosen, deliberately non-overstretched parameters [@ntru-1998] [@falcon-spec].


This article analyzed only Falcon&apos;s mathematics. The other half of Falcon&apos;s risk -- the floating-point and FFT sampler&apos;s implementation pitfalls, timing and power side channels, fault injection, RNG failures, and protocol misuse -- attacks the code, not the assumption, and it is the subject of the empirical sibling, *How the NIST Finalists Broke: Rainbow in a Weekend, SIKE in an Afternoon, and the Graveyard of Post-Quantum Candidates*. It is drawn here only to mark the line: a real deployment must defend both sides, and they fail in completely different ways.
&lt;p&gt;Return, finally, to the paradox we opened with. Pierre-Alain Fouque helped build Falcon&apos;s trapdoor, and he helped map the overstretched regime that is its likeliest structural fault line. That is not a scandal and not a warning to run from Falcon. It is how good cryptography is supposed to work: the same experts who build a scheme are the ones who probe hardest at where it could give way, in public, with formulas and CPU-years, long before an adversary gets there.&lt;/p&gt;

When Falcon eventually cracks, the crack most likely starts in the NTRU structure -- not in Shor, not in a generic sieve, but in the one assumption Falcon&apos;s compactness could never insure.
&lt;p&gt;That is the whole argument, assembled from the evidence: transcript leakage is closed by a theorem, a generic advance is real but hits everyone alike, and the NTRU-specific break is the only failure that is open, aimed at Falcon in particular, and already one measured factor of 1.75 away. The ranking is a judgment, not a proof -- but it is the judgment the evidence supports. Deploy Falcon where its smallness earns its place, watch the fatigue margin like a hawk, and keep ML-DSA one configuration change away.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-falcon-would-break&quot; keyTerms={[
  { term: &quot;NTRU lattice&quot;, definition: &quot;The 2n-dimensional lattice fixed by the public key h = g/f, in which the short secret pair (f, g) is a shortest vector.&quot; },
  { term: &quot;The g/f quotient&quot;, definition: &quot;NTRU publishes a ratio of two short secrets, not two independent values; the ratio plants a dense sublattice.&quot; },
  { term: &quot;Dense sublattice&quot;, definition: &quot;A region of the NTRU lattice unusually rich in short vectors, created by the quotient and exploited when q is large.&quot; },
  { term: &quot;GPV sampling&quot;, definition: &quot;Provable discrete-Gaussian preimage sampling whose output law is independent of the secret basis, closing transcript leakage.&quot; },
  { term: &quot;Worst-case-to-average-case reduction&quot;, definition: &quot;A proof that a random key is as hard as the worst case; Module-LWE has an asymptotic one in its parameter regime, NTRU at q equals 12289 does not.&quot; },
  { term: &quot;Overstretched NTRU and fatigue point&quot;, definition: &quot;The large-q regime where the dense sublattice goes short; the crossover q is about 0.004 times n to the 2.484, for ternary secrets.&quot; },
  { term: &quot;Core-SVP model&quot;, definition: &quot;A conservative cost model mapping a BKZ blocksize beta to about 2 to the 0.292 beta classical operations.&quot; },
  { term: &quot;Module-LWE&quot;, definition: &quot;The assumption under Dilithium and Kyber; same ring class as NTRU but no g/f quotient and an asymptotic worst-case reduction in its parameter regime.&quot; }
]} questions={[
  { q: &quot;Derive why enlarging the modulus q makes NTRU&apos;s planted secret easier to find, not harder.&quot;, a: &quot;The NTRU lattice has volume q to the n, so its generic shortest vector grows like the square root of q, while the planted (f, g) module and its ring-shifts keep a length independent of q; the ratio of secret length to square-root-of-q shrinks as q grows, so the secret protrudes further above the generic floor.&quot; },
  { q: &quot;Why does Module-LWE&apos;s worst-case reduction being asymptotic and quantum limit what it guarantees at ML-DSA-44&apos;s deployed numbers?&quot;, a: &quot;Being asymptotic and non-tight, it constrains the family as n grows rather than pinning the concrete bit-security at ML-DSA-44&apos;s exact parameters, which the lattice estimator still sets; and the clean, tight form of Regev&apos;s reduction is quantum, since the known classical routes need either an exponentially large modulus or a dimension-increasing detour.&quot; },
  { q: &quot;Why is Falcon-512&apos;s forgery blocksize (about 415) smaller than its key-recovery blocksize (about 481)?&quot;, a: &quot;Forgery needs only some vector under a relatively loose norm bound, which reduction clears at a smaller blocksize; key recovery must expose the specific, very short secret module, so it clears only at a larger blocksize, and the same 0.292 constant then reads out 2 to the 121 versus 2 to the 140.&quot; },
  { q: &quot;What is Falcon-512&apos;s fatigue margin, and why is it only an extrapolation?&quot;, a: &quot;About 1.75x, from an experimental average-case fit measured on ternary secrets while Falcon uses discrete-Gaussian secrets.&quot; },
  { q: &quot;Rank the three ways Falcon could structurally break.&quot;, a: &quot;NTRU-specific advance first (open, specific, measured), generic sieving second (open but non-specific), transcript leakage last (closed by GPV).&quot; }
]} /&amp;gt;&lt;/p&gt;
&lt;p&gt;Part 8 of &lt;em&gt;How It Would Break&lt;/em&gt; turns to a different assumption entirely -- but the question stays the same: when it breaks, where does the crack start?&lt;/p&gt;
</content:encoded><category>post-quantum-cryptography</category><category>falcon</category><category>ntru</category><category>lattice-cryptography</category><category>digital-signatures</category><category>cryptanalysis</category><category>fn-dsa</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>How Q-Day Breaks Everything: Shor&apos;s Algorithm and the Simultaneous Fall of RSA, Diffie-Hellman, and ECC</title><link>https://paragmali.com/blog/how-q-day-breaks-everything-shors-algorithm-and-the-simultan/</link><guid isPermaLink="true">https://paragmali.com/blog/how-q-day-breaks-everything-shors-algorithm-and-the-simultan/</guid><description>RSA, Diffie-Hellman, DSA, and elliptic curves share one abelian period. A single quantum computer running Shor&apos;s algorithm reads it and breaks all four at once.</description><pubDate>Sat, 18 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
RSA, Diffie-Hellman, DSA, and elliptic-curve cryptography look like four independent security systems, but they secretly rest on one structure: a hidden period in a finite abelian group. A single fault-tolerant quantum computer running Shor&apos;s algorithm reads that period directly with the quantum Fourier transform, breaking all four in polynomial time -- and enlarging keys does not help, because Shor scales with the logarithm of the key. Symmetric cryptography (AES, SHA-2/3) survives Q-Day intact because it hides no such period, so it faces only Grover&apos;s quadratic speedup, which doubling the key size neutralizes. No such machine exists in 2026 -- the best hardware runs about one below-threshold logical qubit -- but &quot;harvest now, decrypt later&quot; means the migration to post-quantum cryptography cannot wait for it to arrive.
&lt;h2&gt;1. One Break, Four Falls&lt;/h2&gt;
&lt;p&gt;Four cryptographers, working in four different decades on four different branches of mathematics, built the fortresses that guard almost every secret you have ever sent: a 2048-bit RSA key, a 2048-bit Diffie-Hellman group, a DSA signature, and a 256-bit elliptic curve. They look nothing alike -- different keys, different math, different inventors -- so we deployed them side by side and called it diversity.&lt;/p&gt;
&lt;p&gt;This article is about the afternoon a single machine running a single idea knocks all four down at once, while AES-256 in the field next door barely looks up -- and about why the reason those four fall together is exactly the reason the fifth survives.&lt;/p&gt;
&lt;p&gt;Here is the thesis, stated plainly before any mathematics arrives to defend it: the four are not four problems. They are one. Underneath RSA&apos;s factoring, Diffie-Hellman&apos;s discrete logarithm, DSA&apos;s signatures, and elliptic-curve cryptography&apos;s smaller keys lies a single shared object -- a hidden period in a finite abelian group. A quantum computer running Peter Shor&apos;s 1994 algorithm reads that period more or less in one shot, and when the period falls, all four fortresses built on top of it fall with it [@shor-1994].&lt;/p&gt;
&lt;p&gt;Symmetric cryptography survives for the mirror-image reason: a well-built cipher hides no period at all, so there is nothing for the same machine to read.&lt;/p&gt;
&lt;p&gt;The event has a name.&lt;/p&gt;

Q-Day is the hypothetical day a cryptographically relevant quantum computer first runs Shor&apos;s algorithm at scale against deployed keys, breaking the public-key cryptography (RSA, Diffie-Hellman, DSA, and elliptic-curve schemes) that secures most of the internet. It is a threshold, not a gradual slope: the same machine that cannot break a 2048-bit key at all on Monday can break it in hours once it crosses the fault-tolerance threshold.
&lt;p&gt;Two questions organize everything that follows, and the whole article is their answer: &lt;em&gt;why do these four fall together?&lt;/em&gt; and &lt;em&gt;why not AES?&lt;/em&gt; Hold both in your head. The first is a story about a hidden unity nobody designed on purpose. The second is a story about a boundary so sharp it can be stated as a theorem -- and that same boundary turns out to be the entire design premise of the cryptography we are now scrambling to deploy.&lt;/p&gt;

RSA, Diffie-Hellman, DSA, and elliptic curves were never four independent bets. They are one bet -- that a hidden period in a finite abelian group is hard to find -- made four times in four disguises. Shor&apos;s algorithm collects on all four at once.
&lt;p&gt;One honesty flag, planted here and never lowered: no such machine exists in 2026. Not almost, not in a lab somewhere -- none. The best error-corrected hardware yet demonstrated encodes about one reliable logical qubit [@google-willow-2025], and a real attack needs on the order of a thousand of them holding still for hours. So this is a loaded gun on the table, not a fired one. That gap between a proven algorithm and an unbuilt machine is not a reason to relax; as we will see, it is precisely the deadline.&lt;/p&gt;
&lt;p&gt;The journey runs in seven moves: how the world came to trust just two hard problems, the one quantum trick that matters, the breakthrough that turned factoring into period-finding, the same trick applied three more times, the asymmetry that spares AES, the machine&apos;s true price tag, the limits of the blast radius, and why one proven fact already forces a global migration. To see why one machine breaks four fortresses, you first have to see how the world ended up trusting just two hard problems in the first place.&lt;/p&gt;
&lt;h2&gt;2. Two Problems the Whole World Rested On&lt;/h2&gt;
&lt;p&gt;Rewind to 1976. Two strangers want to agree on a shared secret while an eavesdropper records every bit that passes between them. For millennia this was considered impossible: to share a secret you first had to share a secret. Then Whitfield Diffie and Martin Hellman published a construction that let the two strangers mix public numbers into a private one the eavesdropper could not reconstruct, and modern cryptography was born [@diffie-hellman-1976]. Its security rested on a new assumption -- that one specific arithmetic operation is easy forward and hard backward.&lt;/p&gt;

In a cyclic group generated by an element $g$, exponentiation is easy: given $g$ and $x$, computing $h = g^x$ is fast. The discrete logarithm problem is the reverse: given $g$ and $h$, recover the exponent $x$. In the multiplicative group of integers modulo a large prime -- and, later, in the group of points on an elliptic curve -- recovering $x$ is believed to require super-polynomial classical effort. That belief is the security assumption beneath Diffie-Hellman, DSA, and elliptic-curve cryptography.
&lt;p&gt;A year later, Ron Rivest, Adi Shamir, and Leonard Adleman turned a different one-way asymmetry into a full encryption-and-signature system: multiplying two large primes is easy, but factoring their product back into those primes is hard [@rsa-1978]. &lt;a href=&quot;https://paragmali.com/blog/how-rsa-would-break-why-factoring-is-the-slow-path-and-coppe/&quot; rel=&quot;noopener&quot;&gt;RSA&lt;/a&gt; bet its life on integer factoring; &lt;a href=&quot;https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/&quot; rel=&quot;noopener&quot;&gt;Diffie-Hellman&lt;/a&gt; had bet on the discrete logarithm. Two bets, two problems.&lt;/p&gt;
&lt;p&gt;Then the bets consolidated. In 1985 Victor Miller, and independently in 1987 Neal Koblitz, moved the discrete logarithm onto elliptic curves, where the best known classical attacks are far weaker and so the keys can be dramatically smaller for the same classical security [@miller-1986][@koblitz-1987]. &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;Elliptic-curve cryptography&lt;/a&gt; was not a new hard problem -- it was the &lt;em&gt;same&lt;/em&gt; discrete logarithm relocated to a group where classical attackers had less traction.This is the seed of a cruel irony we will harvest in Section 5. ECC&apos;s whole selling point is that it achieves equal classical security with smaller keys, because no sub-exponential attack like index calculus applies to well-chosen curves [@koblitz-1987]. Against a quantum computer, &quot;smaller keys&quot; means &quot;fewer qubits to attack,&quot; so the classical strength inverts into a quantum liability.&lt;/p&gt;
&lt;p&gt;By the 1990s the accounting was stark. Strip away the packaging and essentially &lt;em&gt;all&lt;/em&gt; deployed public-key cryptography reduced to exactly two hard problems: integer factoring and the discrete logarithm. The classical attacks that calibrate their key sizes -- the general number field sieve for factoring, index calculus for finite-field discrete logs, Pollard&apos;s rho for elliptic curves -- are the subject of this series&apos; earlier posts on RSA and the discrete logarithm, and I will not re-derive them here [@bernstein-lange-2017].&lt;/p&gt;
&lt;p&gt;What matters is the structural fact: the entire public-key world put all its eggs in two baskets, and nobody chose those two baskets because they were secretly connected. They looked like independent bets.&lt;/p&gt;

Nobody chose factoring and the discrete logarithm because they were related. They looked like two independent bets. They were the same bet.
&lt;p&gt;While the defense lineage was consolidating, a second, unrelated lineage was quietly assembling the machine that would read both. In 1982 Richard Feynman observed that simulating quantum physics on a classical computer seems to require exponential resources, and proposed turning the problem around: build a computer that &lt;em&gt;is&lt;/em&gt; quantum-mechanical and let physics do the bookkeeping [@feynman-1982]. In 1985 David Deutsch made the idea rigorous, defining the universal quantum computer and the principle that it could simulate any physical process [@deutsch-1985].&lt;/p&gt;
&lt;p&gt;This was pure physics and computability theory. Nobody in 1985 thought it had anything to do with RSA. The two lineages were on tracks that had not yet touched.&lt;/p&gt;

flowchart LR
    subgraph Defense[&quot;Defense lineage -- the fortresses&quot;]
        DH[&quot;1976 Diffie-Hellman: discrete log assumption&quot;]
        RSA[&quot;1977 RSA: integer factoring&quot;]
        ECC[&quot;1985 to 1987 Miller and Koblitz: elliptic curves&quot;]
    end
    subgraph Attack[&quot;Attack lineage -- the machine&quot;]
        FEY[&quot;1982 Feynman: simulate physics with a quantum computer&quot;]
        DEU[&quot;1985 Deutsch: universal quantum computer&quot;]
        SIM[&quot;1994 Simon: period-finding template&quot;]
    end
    DH --&amp;gt; SHOR[&quot;1994 Shor: period-finding topples all four&quot;]
    RSA --&amp;gt; SHOR
    ECC --&amp;gt; SHOR
    FEY --&amp;gt; DEU
    DEU --&amp;gt; SIM
    SIM --&amp;gt; SHOR
    SHOR --&amp;gt; GID[&quot;2021 to 2025 Gidney: concrete qubit bill&quot;]
&lt;p&gt;Two problems, one machine, a decades-long collision course -- and in 1994 a single person connected them. The bridge between the two lineages started as one strange little algorithm about a hidden XOR mask, and to understand how it grew into the break, you have to understand the one quantum trick that makes all of this work.&lt;/p&gt;
&lt;h2&gt;3. The One Trick That Matters&lt;/h2&gt;
&lt;p&gt;Before we can watch four fortresses fall, we have to kill a myth, because the myth predicts the wrong outcome. The popular story says a quantum computer &quot;tries all the keys at once and reads out the winner.&quot; If that were true, it would break AES just as easily as RSA -- every symmetric cipher would fall too, and the entire second half of this article would be wrong. It is not true. A quantum computer does something far stranger and far more specific, and the specificity is the whole point.&lt;/p&gt;
&lt;p&gt;Start with the one genuinely non-classical resource.&lt;/p&gt;

A register of $n$ qubits can occupy a weighted combination of all $2^n$ basis states at once, written $\sum_x \alpha_x |x\rangle$ where each complex number $\alpha_x$ is an amplitude. Applying a function to that register evaluates it on every input simultaneously. But the result is an internal state, not a readable list: when you measure, you get exactly one outcome $x$, drawn at random with probability $|\alpha_x|^2$, and the rest of the superposition vanishes.
&lt;p&gt;This is where the myth breaks. Yes, you can evaluate a function on all $2^n$ inputs at once. No, you cannot read the answers. Measurement hands you a single random input-output pair, which is no better than guessing. Superposition alone buys you nothing. The art -- the entire art of quantum algorithms -- is what you do to the amplitudes &lt;em&gt;before&lt;/em&gt; you measure.&lt;/p&gt;
&lt;p&gt;The tool for that is interference. Amplitudes are complex numbers, and like waves they can add or cancel. If you can arrange the computation so that every path leading to a wrong answer is met by another path of opposite sign, the wrong answers cancel to near-zero amplitude, while the right answers reinforce. Measurement then returns a useful outcome with high probability -- not because you searched, but because you sculpted the wavefunction so that only the structure you care about is left standing.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; &quot;A quantum computer tries every key in parallel and reads the winner&quot; is wrong, and the error is not a detail. Parallel evaluation produces a superposition you cannot read; a single measurement collapses it to one random result. Every real quantum speedup comes from interference that cancels wrong answers -- and interference only helps when the problem has structure to exploit. Unstructured problems, like guessing an AES key, expose no such structure, which is exactly why they resist.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;So which structure can interference exploit? The most powerful answer known is &lt;em&gt;periodicity&lt;/em&gt;. Suppose a function $f$ is periodic: it repeats with some hidden period $r$, so that $f(x)$ and $f(x + r)$ always agree. Evaluate $f$ over a superposition of all inputs, and the state quietly organizes itself around that period. The instrument that reads it is the quantum Fourier transform.&lt;/p&gt;

The QFT is the quantum analogue of the discrete Fourier transform, applied to the amplitudes of a quantum state rather than to a list of numbers. Fed a state whose amplitudes repeat with a hidden period $r$, it concentrates the total amplitude onto the frequencies that match $r$, so that measuring the transformed state returns a multiple of $1/r$ with high probability. On an $n$-qubit register it runs in about $O(n^2)$ elementary gates [@nielsen-chuang-2010].
&lt;p&gt;Put those pieces together and you have a machine that does exactly one magical thing: it takes a function with a hidden period and hands you that period. Superpose over all inputs, evaluate the function, and the act of computing it entangles the input register with the output so that the input register&apos;s amplitudes now repeat with the function&apos;s period. Apply the QFT, and interference collapses that repeating pattern onto its frequency. Measure, and you read out information about $r$ -- the period no classical observer could see without effectively checking the inputs one by one.&lt;/p&gt;

flowchart TD
    A[&quot;Superpose over all inputs x&quot;] --&amp;gt; B[&quot;Evaluate f(x) into a second register&quot;]
    B --&amp;gt; C[&quot;Measuring or entangling leaves the input register repeating with period r&quot;]
    C --&amp;gt; D[&quot;Quantum Fourier transform concentrates amplitude on multiples of 1 over r&quot;]
    D --&amp;gt; E[&quot;Measure: read a multiple of the hidden frequency&quot;]
    E --&amp;gt; F[&quot;Classical post-processing recovers r&quot;]
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; A quantum computer does not search in parallel and read the winner. It engineers interference so that wrong answers cancel and only a function&apos;s hidden period survives measurement. No period, no exponential speedup -- which is precisely why the same machine that shatters RSA cannot touch a well-built symmetric cipher.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The first person to turn this into a concrete algorithm was Daniel Simon. In 1994 he built a toy problem -- a function that secretly satisfies $f(x) = f(x \oplus s)$ for a hidden bit-string $s$ -- and showed that quantum interference recovers $s$ exponentially faster than any classical method possibly could [@simon-1994].Simon&apos;s algorithm is the direct ancestor Shor read. Its &quot;period&quot; is a hidden XOR mask in a group of bit-strings, which breaks nothing anyone deployed. Shor&apos;s leap was to see the same template hiding inside a problem the entire economy depended on, and to swap Simon&apos;s simple transform for the QFT over the integers modulo $N$ [@simon-1994].&lt;/p&gt;
&lt;p&gt;Simon&apos;s hidden period lived in a toy group and broke nothing real. But it proved the template: encode a secret as the period of a function, then let interference read it. The question that ended an era was the obvious next one -- what &lt;em&gt;real&lt;/em&gt;, deployed, load-bearing problem is secretly period-finding in disguise?&lt;/p&gt;
&lt;h2&gt;4. The Breakthrough: Factoring Is Period-Finding&lt;/h2&gt;
&lt;p&gt;In 1994, at Bell Labs, Peter Shor answered that question with a move so clean it still reads like sleight of hand. Factoring -- the problem RSA stakes its life on -- is secretly a period-finding problem. Watch the reduction before the machinery, because the reduction is the whole trick.&lt;/p&gt;
&lt;p&gt;To factor a large number $N$, pick a random integer $a$ with no common factor with $N$. Now consider the innocent-looking function $f(x) = a^x \bmod N$. Because there are only finitely many residues modulo $N$, this function must eventually repeat, and it repeats with a period: the smallest $r$ for which $a^r \equiv 1 \pmod N$. That period has a name.&lt;/p&gt;

The multiplicative order of $a$ modulo $N$ is the smallest positive integer $r$ such that $a^r \equiv 1 \pmod N$. It is exactly the period of the function $f(x) = a^x \bmod N$. Classically, finding $r$ appears about as hard as factoring $N$ itself. Quantumly, it is the one thing the QFT does well.
&lt;p&gt;Here is why the order cracks the factorization. Suppose $r$ is even. Then $a^r - 1 = (a^{r/2} - 1)(a^{r/2} + 1)$ is divisible by $N$. Unless $a^{r/2} \equiv -1 \pmod N$ (a case you detect and retry), neither factor on the right is a multiple of $N$ by itself, so each shares only &lt;em&gt;part&lt;/em&gt; of $N$&apos;s prime structure. Computing $\gcd(a^{r/2} \pm 1,, N)$ with Euclid&apos;s ancient algorithm then hands you a non-trivial factor. For a random $a$, this works with probability at least one-half, so a couple of tries suffice [@shor-1994].&lt;/p&gt;
&lt;p&gt;Every step in that paragraph is classical arithmetic you can run right now -- except one: finding the order $r$. That single sub-problem is where the quantum computer earns its keep, and it is period-finding exactly as Section 3 described it.&lt;/p&gt;
&lt;p&gt;Superpose over all exponents $x$, compute $a^x \bmod N$ reversibly into a second register (this modular exponentiation is the dominant cost of the whole circuit), and the first register is left repeating with period $r$. Apply the QFT, and amplitude concentrates on multiples of $1/r$; measure, and you get an estimate of some $k/r$. A classical continued-fraction expansion then recovers $r$ from that estimate.&lt;/p&gt;

flowchart TD
    A[&quot;Pick random a in the range 2 to N minus 1&quot;] --&amp;gt; B{&quot;a coprime to N?&quot;}
    B --&amp;gt;|no| Z[&quot;gcd(a, N) is already a factor -- lucky&quot;]
    B --&amp;gt;|yes| C[&quot;Quantum step: find the order r of a mod N by QFT period-finding&quot;]
    C --&amp;gt; D[&quot;Classical step: continued fractions recover r from the measured fraction&quot;]
    D --&amp;gt; E{&quot;r even and a^(r/2) not -1 mod N?&quot;}
    E --&amp;gt;|no| A
    E --&amp;gt;|yes| F[&quot;Classical step: gcd(a^(r/2) +/- 1, N) yields a non-trivial factor&quot;]
&lt;p&gt;You do not need a quantum computer to see the reduction work, because only the order-finding is quantum. Compute the order by brute force on a small $N$, feed it into the same greatest-common-divisor step Shor uses, and a real factor drops out.&lt;/p&gt;
&lt;p&gt;{`
from math import gcd&lt;/p&gt;
&lt;p&gt;def find_order(a, N):
    # multiplicative order of a mod N: smallest r &amp;gt;= 1 with a^r = 1 (mod N)
    x = a % N
    r = 1
    while x != 1:
        x = (x * a) % N
        r += 1
        if r &amp;gt; N:                # safety: a was not coprime to N
            return None
    return r&lt;/p&gt;
&lt;p&gt;def factor_via_order(N, a):
    if gcd(a, N) != 1:
        return gcd(a, N), N // gcd(a, N)     # lucky: a already shares a factor
    r = find_order(a, N)
    if r is None or r % 2 != 0:
        return None                           # r odd -&amp;gt; pick another a and retry
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None                           # a^(r/2) = -1 mod N -&amp;gt; retry
    return gcd(y - 1, N), gcd(y + 1, N)&lt;/p&gt;
&lt;p&gt;for (N, a) in [(15, 7), (21, 2), (2047, 5)]:
    print(&quot;N =&quot;, N, &quot; a =&quot;, a,
          &quot; order r =&quot;, find_order(a, N),
          &quot; factors =&quot;, factor_via_order(N, a))&lt;/p&gt;
N = 15  a = 7  order r = 4  factors = (3, 5)
N = 21  a = 2  order r = 6  factors = (7, 3)
N = 2047 a = 5  order r = 44 factors = (23, 89)
&lt;p&gt;`}&lt;/p&gt;

Add `(3233, 3)` to the list and it factors $3233 = 61 \times 53$ cleanly. Now add `(3233, 2)` and it returns `None`: with $a = 2$ the order is even but $a^{r/2} \equiv -1 \pmod{3233}$, the one case the reduction cannot use, so it must retry with a fresh $a$. That single `None` is the &quot;probability at least one-half&quot; caveat made concrete -- some choices of $a$ simply do not yield a factor, which is exactly why Shor picks $a$ at random and expects to need a couple of attempts.
&lt;p&gt;The classical order search above is exponential in the number of digits -- run it on a 2048-bit $N$ and it never returns. Shor&apos;s contribution is to replace that one line with a quantum circuit that finds the same $r$ in polynomial time.Alexei Kitaev reformulated the quantum step in 1995 as phase estimation on the operator that multiplies by $a$, recovering $r$ from the eigenvalue&apos;s phase. It is mathematically equivalent to Shor&apos;s order-finding and is how most modern textbooks present the algorithm [@kitaev-1995]. How polynomial? The whole circuit is about $O((\log N)^3)$ gates, dominated by the modular exponentiation; the QFT itself is only $O((\log N)^2)$ [@nielsen-chuang-2010].&lt;/p&gt;
&lt;p&gt;One precision point, flagged loudly because it will haunt Sections 7 and 8: that $O((\log N)^3)$ is a &lt;em&gt;circuit size&lt;/em&gt; on a perfect, noiseless, fault-tolerant machine. It counts logical gates, not seconds. The distance between &quot;a polynomial-size circuit exists&quot; and &quot;a machine ran it before lunch&quot; is measured in millions of physical qubits, and we will pay that bill in full later.&lt;/p&gt;
&lt;p&gt;Now the consequence that inverts fifty years of defensive instinct.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Every classical attack on RSA gets exponentially harder as the key grows, so the entire history of the field has been &quot;when the attacker catches up, add bits.&quot; Shor breaks that reflex. Its cost is polynomial in the &lt;em&gt;number of bits&lt;/em&gt; $n = \log N$. Going from RSA-2048 to RSA-4096 roughly doubles $n$, so it multiplies the qubit and gate counts by a small constant -- not the exponential wall classical attackers slam into. The first move everyone reaches for is worthless here.&lt;/p&gt;
&lt;/blockquote&gt;

Shor&apos;s cost grows with the logarithm of the key, not the key. Against this attack, RSA-4096 is not meaningfully safer than RSA-2048 -- it is a rounding error safer.
&lt;p&gt;Factoring was the first fortress to fall. But Shor&apos;s 1994 paper had a second half that almost nobody quotes, and it is the reason Diffie-Hellman, DSA, and elliptic curves fall too -- not by coincidence, but by the same mechanism running one dimension higher.&lt;/p&gt;
&lt;h2&gt;5. The Same Trick, Three More Times&lt;/h2&gt;
&lt;p&gt;If factoring is secretly period-finding, the natural question is: what else is? The answer is the entire argument of this article. Almost everything the deployed public-key world rests on is period-finding in disguise -- and Shor&apos;s own 1994 paper proved the second case himself.&lt;/p&gt;
&lt;p&gt;Recall the discrete logarithm: given $g$ and $h = g^s$ in a cyclic group of order $r$, recover the exponent $s$. Shor&apos;s insight was that $s$ is also hidden inside a periodicity, only now the period lives in two dimensions instead of one. Here is the mechanism in full, because it is the load-bearing step and hand-waving it would cheat you of the aha.&lt;/p&gt;
&lt;p&gt;Define the two-variable function&lt;/p&gt;
&lt;p&gt;$$f(x, y) = g^x , h^y = g^{,x + s y}.$$&lt;/p&gt;
&lt;p&gt;This function takes the same value whenever the exponent $x + s y$ is unchanged modulo $r$. So the set of shifts that leave $f$ invariant -- its hidden period, now a &lt;em&gt;lattice&lt;/em&gt; of vectors rather than a single number -- is&lt;/p&gt;
&lt;p&gt;$$L = {(x, y) \in \mathbb{Z}^2 : x + s y \equiv 0 \pmod{r}}.$$&lt;/p&gt;
&lt;p&gt;That lattice encodes the secret $s$ directly in its slope. To read it, Shor superposes over both exponent registers and applies a two-dimensional QFT. Interference concentrates the amplitude onto the dual frequency vectors $(k_1, k_2)$ satisfying $k_1 + s,k_2 \equiv 0 \pmod{r}$. A single measurement returns one such pair, and whenever $\gcd(k_2, r) = 1$ you solve for the secret in one line of classical arithmetic:&lt;/p&gt;
&lt;p&gt;$$s \equiv -,k_1 , k_2^{-1} \pmod{r}.$$&lt;/p&gt;
&lt;p&gt;Look at what just happened. This is the &lt;em&gt;exact&lt;/em&gt; same period-extraction that factored $N$ in Section 4 -- superpose, evaluate, transform, measure, post-process -- run in two dimensions instead of one [@shor-1994]. The discrete logarithm does not resist Shor any harder than factoring does; it surrenders the secret exponent directly. Finite-field Diffie-Hellman, DSA, and ElGamal all rest on precisely this discrete logarithm, so all three fall in the same stroke.&lt;/p&gt;
&lt;p&gt;Elliptic curves are the same story one more time. The points on an elliptic curve form a finite abelian group under a geometric addition law, and &quot;discrete logarithm&quot; there means recovering the integer $s$ with $Q = sP$ for public points $P$ and $Q$. It is the same $f(x,y)$, the same two-dimensional period, the same 2-D QFT -- only the group operation changes. John Proos and Christof Zalka worked out the elliptic-curve version explicitly in 2003, and with it ECDH, ECDSA, and EdDSA join the list [@proos-zalka-2003].&lt;/p&gt;
&lt;p&gt;Now the unification that turns three coincidences into one sentence.&lt;/p&gt;

Given a finite abelian group $G$ and a function $f$ on $G$ that is constant on the cosets of some hidden subgroup $H$ (and takes different values on different cosets), the abelian hidden subgroup problem is to find $H$. Order-finding, the finite-field discrete logarithm, and the elliptic-curve discrete logarithm are all special cases -- and the QFT with phase estimation solves every abelian instance in polynomial time [@kitaev-1995].
&lt;p&gt;Alexei Kitaev supplied this abstraction in 1995 [@kitaev-1995]. Before it, &quot;Shor breaks RSA&quot; and &quot;Shor breaks Diffie-Hellman&quot; looked like two separate results that happened to use the same author&apos;s trick. After it, they are two instances of a single mathematical fact: &lt;em&gt;the quantum Fourier transform reads a hidden period in any finite abelian group.&lt;/em&gt; Factoring hides its period in one dimension; both discrete logs hide theirs in two; the machine does not care which.&lt;/p&gt;

flowchart TD
    F1[&quot;Integer factoring -- RSA&quot;] --&amp;gt; HSP[&quot;Abelian hidden subgroup problem: f is constant on the cosets of a hidden subgroup&quot;]
    F2[&quot;Finite-field discrete log -- DH and DSA&quot;] --&amp;gt; HSP
    F3[&quot;Elliptic-curve discrete log -- ECDH and ECDSA&quot;] --&amp;gt; HSP
    HSP --&amp;gt; QFT[&quot;Quantum Fourier transform reads the hidden period&quot;]
    QFT --&amp;gt; O1[&quot;RSA falls&quot;]
    QFT --&amp;gt; O2[&quot;Diffie-Hellman and DSA fall&quot;]
    QFT --&amp;gt; O3[&quot;ECDH and ECDSA fall&quot;]
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The four are not four security problems. They are one -- a hidden abelian period -- wearing four disguises. Factoring hides it in one dimension; the two discrete logs hide it in two. One machine, one idea, four falls.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two precautions before the table. First, &quot;together&quot; means the same machine class and the same breakthrough, not one identical circuit pressing a single button. RSA, a finite field, and an elliptic curve need different arithmetic units compiled into the machine; what they share is that each reduces to the abelian HSP, so one fault-tolerant quantum computer running Shor&apos;s family of circuits dispatches all of them. Second -- and this is the counterintuitive kicker -- the four do not fall in the order their reputations suggest. Elliptic-curve cryptography, the &lt;em&gt;strongest&lt;/em&gt; of the four against classical attack, falls &lt;em&gt;first&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;Why? Because ECC&apos;s classical strength is small keys. No sub-exponential attack applies to a well-chosen curve, so a 256-bit elliptic key matches the classical security of a 3072-bit RSA key [@nist-sp800-57]. Against Shor, &quot;fewer bits&quot; simply means &quot;fewer logical qubits to build.&quot;&lt;/p&gt;
&lt;p&gt;Martin Roetteler and colleagues estimated in 2017 that breaking the NIST P-256 curve needs about 2330 logical qubits [@roetteler-2017] -- materially fewer than the roughly 6200 logical qubits (about $3n$) a 2048-bit RSA break requires [@gidney-ekera-2021]. Proos and Zalka had already found the same inversion in 2003: about 1000 qubits for 160-bit ECC versus about 2000 for the security-equivalent 1024-bit RSA [@proos-zalka-2003].Those small keys also pay a purely classical dividend that has nothing to do with quantum computers: at equal classical security an ECC certificate and its handshake messages are a fraction of the size of the RSA equivalent, which trims bandwidth and storage on every connection they protect.&lt;/p&gt;

&quot;ECC is an easier target than RSA.&quot; -- Roetteler, Naehrig, Svore, and Lauter, 2017
&lt;p&gt;The full ledger, with the survivor included so the contrast is unmissable:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Primitive&lt;/th&gt;
&lt;th&gt;Underlying hard problem&lt;/th&gt;
&lt;th&gt;Hidden abelian period?&lt;/th&gt;
&lt;th&gt;Quantum attack&lt;/th&gt;
&lt;th&gt;Do bigger keys help?&lt;/th&gt;
&lt;th&gt;Logical-qubit estimate&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;Integer factoring&lt;/td&gt;
&lt;td&gt;Yes -- one-dimensional order&lt;/td&gt;
&lt;td&gt;Shor order-finding&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;~6200 (about $3n$) [@gidney-ekera-2021]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Finite-field DH / DSA-2048&lt;/td&gt;
&lt;td&gt;Discrete log modulo a prime&lt;/td&gt;
&lt;td&gt;Yes -- two-dimensional period&lt;/td&gt;
&lt;td&gt;Shor DLP variant&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Comparable to RSA-2048 [@gidney-ekera-2021]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ECDH / ECDSA (P-256)&lt;/td&gt;
&lt;td&gt;Elliptic-curve discrete log&lt;/td&gt;
&lt;td&gt;Yes -- two-dimensional period&lt;/td&gt;
&lt;td&gt;Shor via Proos-Zalka&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;~2330 -- falls first [@roetteler-2017]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AES-256&lt;/td&gt;
&lt;td&gt;None -- unstructured key&lt;/td&gt;
&lt;td&gt;No period at all&lt;/td&gt;
&lt;td&gt;Grover only (quadratic)&lt;/td&gt;
&lt;td&gt;Yes -- doubling suffices&lt;/td&gt;
&lt;td&gt;Not applicable [@bbbv-1997]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Three rows share the &quot;yes&quot; column, and that shared &quot;yes&quot; is the entire vulnerability. One machine, one idea, four falls -- and yet AES-256 in the field next door survives untouched. That survival is not luck, and it is not a gap someone will patch next year. It is the second half of the thesis, and it has a proof.&lt;/p&gt;
&lt;h2&gt;6. Why Symmetric Crypto Only Loses a Square Root&lt;/h2&gt;
&lt;p&gt;Return to &lt;a href=&quot;https://paragmali.com/blog/the-fortress-and-the-afterthought-how-aes-would-break-at-its/&quot; rel=&quot;noopener&quot;&gt;AES-256&lt;/a&gt;, standing untouched in the next field. The same machine that reads RSA&apos;s period in polynomial time barely dents it. The reason is exactly the reason RSA falls: AES hides no period. There is no abelian structure inside a well-designed cipher for the QFT to grab, so the exponential engine has nothing to bite on. What is left is the generic attack that works on &lt;em&gt;any&lt;/em&gt; search problem, structured or not.&lt;/p&gt;

Grover&apos;s algorithm finds a marked item in an unstructured space of $N$ candidates using about $\sqrt{N}$ evaluations of a test function, a quadratic speedup over the roughly $N/2$ a classical search expects [@grover-1996]. For an $n$-bit key there are $N = 2^n$ candidates, so Grover&apos;s query count is about $2^{n/2}$: AES-128 drops to about $2^{64}$ queries, AES-256 to about $2^{128}$.
&lt;p&gt;At a glance that looks alarming -- $2^{64}$ sounds within reach. Hold that thought; it is the most misunderstood number in the field, and we will dismantle it in a moment. First, the structural point, because it is what makes the symmetric world safe by design rather than by luck.&lt;/p&gt;
&lt;p&gt;The quadratic speedup is not a weak version of Shor&apos;s exponential one. It is a &lt;em&gt;different kind&lt;/em&gt; of thing, and its weakness is provable. Bennett, Bernstein, Brassard, and Vazirani proved in 1997 that any quantum algorithm searching an unstructured space needs at least on the order of $\sqrt{N}$ queries -- the $\Omega(\sqrt{N})$ lower bound [@bbbv-1997]. Grover is optimal; you cannot do better against a structureless target.&lt;/p&gt;
&lt;p&gt;This is the single most important bound in the article, because it converts &quot;we do not know a better attack on AES&quot; into &quot;there provably is no better generic attack.&quot; Shor exists because factoring has structure. Grover is the best you can ever do precisely when there is none.&lt;/p&gt;
&lt;p&gt;{`
// Classical brute force is 2^n; Grover&apos;s floor is 2^(n/2).
// This compares EXPONENTS -- it is a query lower bound, not a runtime.
function keyStrength(nBits) {
  return { classical: nBits, grover: nBits / 2 };  // log2 of each cost
}&lt;/p&gt;
&lt;p&gt;for (const n of [128, 192, 256]) {
  const s = keyStrength(n);
  console.log(&quot;AES-&quot; + n + &quot;: classical 2^&quot; + s.classical + &quot; vs Grover floor 2^&quot; + s.grover);
}&lt;/p&gt;
&lt;p&gt;// Doubling the key restores the pre-quantum margin:
const groverAes256 = keyStrength(256).grover;      // 2^128
const classicalAes128 = keyStrength(128).classical; // 2^128
console.log(&quot;AES-256&apos;s Grover floor 2^&quot; + groverAes256 +
            &quot; equals AES-128&apos;s old classical margin 2^&quot; + classicalAes128);
// AES-128: classical 2^128 vs Grover floor 2^64
// AES-256: classical 2^256 vs Grover floor 2^128
`}&lt;/p&gt;
&lt;p&gt;So doubling the key exactly undoes Grover: AES-256&apos;s $2^{128}$ Grover floor restores the $2^{128}$ margin AES-128 used to enjoy classically. But &quot;double the key&quot; undersells how safe AES-128 already is, and here is where the popular $2^{64}$ falls apart.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;That $2^{64}$ is a floor on operations, not a feasible runtime.&lt;/strong&gt; Three facts, each independently decisive, separate the number from any real attack. First, Grover is inherently &lt;em&gt;sequential&lt;/em&gt;: its roughly $2^{n/2}$ iterations must be applied one after another, and each iteration contains a full evaluation of AES as a reversible quantum circuit -- a deep block of gates, not a single step [@grassl-2015]. You cannot collapse the iterations into a shallow parallel circuit.&lt;/p&gt;
&lt;p&gt;Second, it barely parallelizes: split the search across $P$ machines and each one&apos;s work drops by only $\sqrt{P}$, not $P$. Christof Zalka proved this is fundamental -- quantum searching &quot;cannot be parallelized better than by assigning different parts of the search space to independent quantum computers&quot; [@zalka-1999]. Throwing a thousand quantum computers at AES-128 buys a factor of about 31, not 1000.&lt;/p&gt;
&lt;p&gt;Third, and most concrete: real machines have a maximum circuit depth. NIST&apos;s post-quantum call formalized this as MAXDEPTH, with plausible values of ${2^{40}, 2^{64}, 2^{96}}$ serial logical gates -- roughly a year, a decade, and a millennium of continuous computation. Under that constraint, NIST estimated the cost of a Grover key search on AES-128 at about $2^{170}/\text{MAXDEPTH}$ quantum gates, versus $2^{143}$ classical gates -- because &quot;one has to run many smaller instances of the algorithm in parallel, which makes the quantum speedup less dramatic&quot; [@nist-cfp-2016].&lt;/p&gt;
&lt;p&gt;Even with MAXDEPTH at a decade ($2^{64}$), that is about $2^{106}$ gates. Depth-restricted analyses of explicit AES Grover oracles confirm the picture and underpin NIST&apos;s security categories [@jaques-2020]. The clean $2^{64}$ was always a lower bound on abstract queries, never a wall-clock estimate.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Symmetric cryptography survives not by being stronger than RSA but by being structureless: no hidden period, so no Shor, only a provably quadratic nibble -- and even that nibble is a floor on operations under a depth limit, not a runtime. AES-256 is not a nervous hope. It is a proof-backed hedge.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The comparison, side by side:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Property&lt;/th&gt;
&lt;th&gt;Symmetric (AES-256, SHA-384)&lt;/th&gt;
&lt;th&gt;Asymmetric (RSA, DH, DSA, ECC)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Exploitable abelian period?&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best quantum attack&lt;/td&gt;
&lt;td&gt;Grover search&lt;/td&gt;
&lt;td&gt;Shor period-finding&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Speedup over classical&lt;/td&gt;
&lt;td&gt;Quadratic (square-root)&lt;/td&gt;
&lt;td&gt;Exponential&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Provably optimal attack?&lt;/td&gt;
&lt;td&gt;Yes -- $\Omega(\sqrt{N})$ [@bbbv-1997]&lt;/td&gt;
&lt;td&gt;Not applicable -- structure gives it away&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Effect of doubling the key&lt;/td&gt;
&lt;td&gt;Restores the full margin&lt;/td&gt;
&lt;td&gt;Negligible&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Survives Q-Day?&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For symmetric primitives the fix is boring and effective: prefer AES-256 over AES-128, and SHA-384 or SHA-512 over SHA-256. Because Grover is only quadratic -- and, under a depth limit, far weaker than even that -- doubling the security parameter is not just adequate, it is sufficient with margin to spare [@nist-cfp-2016]. No new mathematics, no migration project. The hard problem is entirely on the public-key side.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One honest fence marks the edge of that &quot;only Grover&quot; claim.&lt;/p&gt;

There is a model in which symmetric constructions fall exponentially, not quadratically. In the superposition-query (Q2) model, where an attacker can query a secret-keyed device on a superposition of inputs, Kaplan and colleagues showed in 2016 that Simon&apos;s algorithm breaks specific *modes* -- Even-Mansour, CBC-MAC, GMAC -- in polynomial time [@kaplan-2016]. This is real and important, but note what it requires: physical access to a keyed oracle that will accept quantum superpositions as input, an implementation-and-protocol assumption, not a structural weakness of the AES primitive. This article&apos;s contract is structural-only, and under the realistic classical-query model the &quot;symmetric loses just a square root&quot; claim holds. The Q2 mode attacks belong to the sibling post on how cryptography breaks in real life, alongside side channels and fault attacks.
&lt;p&gt;So the break is real, the boundary is sharp, and the algorithm has been proven on paper for thirty years. Only one thing still stands between the mathematics and your ciphertext: a machine that does not yet exist. Building it is where the story turns from algorithms to engineering -- and where the price tag appears.&lt;/p&gt;
&lt;h2&gt;7. From Algorithm to Machine: Fault Tolerance and the Qubit Bill&lt;/h2&gt;
&lt;p&gt;A polynomial-time algorithm is not a polynomial-time afternoon. Shor&apos;s circuit is small on paper, but &quot;on paper&quot; assumes qubits that never make a mistake and never forget. Real qubits do both, constantly. Run a bare Shor circuit on today&apos;s noisy hardware and it dissolves into random noise long before the modular exponentiation finishes. Closing the gap between the proof and the machine is an engineering problem measured in millions of qubits, and it has a structure worth understanding, because that structure is where the cost estimates come from -- and where they are falling.&lt;/p&gt;
&lt;p&gt;Begin with the distinction the whole field turns on.&lt;/p&gt;

A physical qubit is one noisy device -- a superconducting transmon, a trapped ion, a neutral atom -- with an error rate around $10^{-3}$ per operation. A logical qubit is an error-corrected qubit assembled from many physical ones, whose effective error rate can be pushed arbitrarily low by adding more physical qubits, provided each is already below a threshold error rate. Shor&apos;s circuit counts logical qubits and logical gates; the machine must manufacture them out of vastly more physical hardware.
&lt;p&gt;The manufacturing method is quantum error correction, and the workhorse is the surface code.&lt;/p&gt;

The surface code lays physical qubits on a two-dimensional grid and repeatedly measures local parity checks that reveal where errors occurred without measuring -- and thus destroying -- the stored quantum information. Its defining property: the logical error rate falls exponentially as the code distance $d$ (roughly the grid width) grows, as long as physical errors stay below about $1\%$. It is the code behind every concrete Shor resource estimate [@google-willow-2025].
&lt;p&gt;Error correction handles the memory and the easy gates, but Shor also needs &quot;non-Clifford&quot; gates -- the T and Toffoli operations that do the genuinely quantum arithmetic -- and those cannot be done directly on surface-code qubits. They are supplied through a separate factory that distills noisy inputs into clean &quot;magic states.&quot;The modern version of that factory is magic-state cultivation, which reaches logical error rates as low as $2 \times 10^{-9}$ under $10^{-3}$ circuit noise and, in its authors&apos; words, hints that &quot;further magic state distillation may never be needed in practice&quot; -- shaving one of the largest overheads in the whole bill [@magic-state-cultivation-2024]. Stack it all together and you get the fault-tolerance pyramid every estimate rests on.&lt;/p&gt;

flowchart TD
    P[&quot;Thousands of noisy physical qubits, about 1 percent error each&quot;] --&amp;gt; S[&quot;Surface-code patch: parity checks suppress errors exponentially in code distance&quot;]
    S --&amp;gt; L[&quot;One reliable logical qubit&quot;]
    M[&quot;Magic-state cultivation: clean T and Toffoli states&quot;] --&amp;gt; G[&quot;Non-Clifford gates that Shor requires&quot;]
    L --&amp;gt; G
    G --&amp;gt; SHOR[&quot;Fault-tolerant Shor circuit: about 3n logical qubits, billions of gates&quot;]
&lt;p&gt;Now the part that reframes the entire threat. Line up the resource estimates chronologically and hold the hardware assumptions fixed, and you see the price of Q-Day &lt;em&gt;collapsing&lt;/em&gt; -- not because anyone built a better qubit, but because the algorithms kept improving.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Target&lt;/th&gt;
&lt;th&gt;Qubits&lt;/th&gt;
&lt;th&gt;Runtime&lt;/th&gt;
&lt;th&gt;What changed&lt;/th&gt;
&lt;th&gt;Source&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;2003&lt;/td&gt;
&lt;td&gt;160-bit ECC&lt;/td&gt;
&lt;td&gt;~1000 logical&lt;/td&gt;
&lt;td&gt;--&lt;/td&gt;
&lt;td&gt;First elliptic-curve estimate&lt;/td&gt;
&lt;td&gt;Proos-Zalka [@proos-zalka-2003]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2017&lt;/td&gt;
&lt;td&gt;P-256 ECC&lt;/td&gt;
&lt;td&gt;2330 logical&lt;/td&gt;
&lt;td&gt;--&lt;/td&gt;
&lt;td&gt;Simulation-backed qubit formula&lt;/td&gt;
&lt;td&gt;Roetteler et al. [@roetteler-2017]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;ECC curves&lt;/td&gt;
&lt;td&gt;fewer logical gates&lt;/td&gt;
&lt;td&gt;--&lt;/td&gt;
&lt;td&gt;Optimized ECDLP circuits&lt;/td&gt;
&lt;td&gt;Haner et al. [@haner-2020]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2021&lt;/td&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;20 million physical&lt;/td&gt;
&lt;td&gt;8 hours&lt;/td&gt;
&lt;td&gt;First full fault-tolerant bill&lt;/td&gt;
&lt;td&gt;Gidney-Ekera [@gidney-ekera-2021]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023&lt;/td&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;asymptotic&lt;/td&gt;
&lt;td&gt;~$O(n^{3/2})$ gates&lt;/td&gt;
&lt;td&gt;First asymptotic gate win in ~30 years&lt;/td&gt;
&lt;td&gt;Regev [@regev-2023]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;under 1 million physical&lt;/td&gt;
&lt;td&gt;under a week&lt;/td&gt;
&lt;td&gt;Better algorithms, same 2019 hardware&lt;/td&gt;
&lt;td&gt;Gidney [@gidney-2025]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Read the last three rows slowly. In 2021 Craig Gidney and Martin Ekera published the first end-to-end physical estimate: about 20 million noisy physical qubits, 8 hours, assuming a surface code with $10^{-3}$ gate error, a microsecond cycle time,A surface-code cycle is one full round of parity measurement across the patch; the estimate assumes roughly one microsecond per round, so an 8-hour run is on the order of tens of billions of rounds. and short-discrete-log refinements from Ekera and Hastad folded in [@gidney-ekera-2021][@ekera-hastad-2017].&lt;/p&gt;
&lt;p&gt;In 2023 Oded Regev found the first asymptotic reduction in Shor&apos;s gate count in three decades -- roughly $O(n^{3/2})$ gates -- though he flagged it as resting on a heuristic and not clearly practical, and its variant trades gate count for extra space whose real-world cost is still unsettled [@regev-2023]. Then in 2025 Gidney returned with a new estimate: fewer than one million physical qubits, under a week -- and, in a line worth pausing on, &lt;em&gt;the same 2019 hardware assumptions he used in the 20-million estimate&lt;/em&gt; [@gidney-2025].&lt;/p&gt;

Twenty million qubits to under one million in six years -- same author, same hardware assumptions, one-twentieth the machine. The mathematics improved, not the metal.
&lt;p&gt;That drop happened with no improvement in the underlying qubits at all: the estimate, not the machine, was the moving part, which means the cost of Q-Day keeps falling on the strength of pure algorithm design, independent of when good hardware arrives. That is the uncomfortable dynamic hiding behind every &quot;quantum is decades away&quot; headline: the target keeps moving toward us on the math axis while we wait for the hardware axis. The algorithm&apos;s price tag is collapsing on its own schedule. So the only question left is the one everyone actually asks -- how close is the machine itself?&lt;/p&gt;
&lt;h2&gt;8. Where the Hardware Actually Is (and Isn&apos;t)&lt;/h2&gt;
&lt;p&gt;State the honesty anchor flatly, because everything downstream depends on it: as of 2026, no cryptographically relevant quantum computer exists. Not &quot;almost,&quot; not &quot;in a classified lab somewhere.&quot; None. The public state of the art is three to four orders of magnitude short of a Shor attack, and it helps to see exactly how short, because the headlines and the reality use the same words to mean different things.&lt;/p&gt;

A CRQC is a quantum computer large and reliable enough to run Shor&apos;s algorithm against real deployed keys -- on the order of a few thousand logical qubits held coherent through billions of gates, which with today&apos;s overheads means roughly a million physical qubits. It is a specific threshold. A 100-qubit noisy processor, however valuable for physics, is not a small CRQC and cannot be scaled into one without error correction.
&lt;p&gt;The state of the art splits cleanly into two regimes, and conflating them is the source of most confusion. The first is &lt;em&gt;fully below-threshold error correction&lt;/em&gt; -- the hard, scalable kind, where adding qubits genuinely drives the error down.&lt;/p&gt;
&lt;p&gt;Google&apos;s Willow is the reference point: a distance-7 surface-code patch, a 7-by-7 array of 49 data qubits totaling 101 physical qubits, encoding exactly &lt;em&gt;one&lt;/em&gt; logical qubit. The logical error is suppressed by a factor $\Lambda = 2.14 \pm 0.02$ for each two-step increase in code distance, and its lifetime beats its best physical qubit by 2.4 times [@google-willow-2025].That $\Lambda$ greater than 1 is the whole result: it is the first convincing demonstration that a real surface code operates &lt;em&gt;below&lt;/em&gt; threshold, so that making the patch bigger makes the logical qubit better rather than worse. The number to remember is the ratio: about 100 physical qubits for one good logical qubit, today [@google-willow-2025]. So the scalable frontier stands at roughly one logical qubit built from about a hundred physical ones.&lt;/p&gt;
&lt;p&gt;The second regime is &lt;em&gt;error detection&lt;/em&gt; at low code distance, and it is where the &quot;tens of logical qubits&quot; headlines come from. A neutral-atom processor from a Harvard, MIT, and QuEra collaboration entangled up to 48 logical qubits using small &lt;code&gt;[[8,3,2]]&lt;/code&gt; code blocks (alongside 40 color-code qubits and a surface-code logical operation scaled across code distances) on up to 280 physical qubits [@bluvstein-2024]. That is a genuine milestone -- but these are transversal, post-selected error-&lt;em&gt;detection&lt;/em&gt; demonstrations, which throw away runs where an error is spotted, not a scalable below-threshold memory that can run for billions of gates.&lt;/p&gt;
&lt;p&gt;On the trapped-ion side, Quantinuum ran a handful of logical qubits with full &lt;em&gt;repeated&lt;/em&gt; error correction: a &lt;code&gt;[[7,1,3]]&lt;/code&gt; code and a &lt;code&gt;[[12,2,4]]&lt;/code&gt; code based on Knill&apos;s C4/C6 scheme (two logical qubits), the first reaching error rates 9.8 to 500 times below the physical rate and the second 4.7 to 800 times below it [@quantinuum-2024].&lt;/p&gt;
&lt;p&gt;Put the three numbers next to the requirement and the chasm is obvious. Fully below-threshold correction reaches about one logical qubit on superconducting hardware and a couple on trapped ions; error detection reaches a few tens on neutral atoms.&lt;/p&gt;
&lt;p&gt;A CRQC needs about 2330 logical qubits for the P-256 curve [@roetteler-2017], or roughly $3n$ -- at least 6200 -- for RSA-2048, backed by fewer than a million physical qubits [@gidney-2025]. Between &quot;48 post-selected logical qubits in a detection demo&quot; and &quot;a few thousand fully corrected logical qubits running Shor for hours&quot; lie three to four orders of magnitude and several unsolved engineering problems.&lt;/p&gt;
&lt;p&gt;When, then? The honest answer is a window, not a date. Expert judgment clusters the arrival of a CRQC in roughly the 2030 to 2035 range with wide uncertainty on both sides. The most-cited proxy, the Global Risk Institute and evolutionQ expert-survey timeline, reports figures on the order of 28 to 49 percent probability within ten years [@quantum-threat-timeline] -- but that number must be quoted with its qualifier: it is a &lt;em&gt;survey of expert opinion&lt;/em&gt;, not a measured or primary-verified quantity, and the defensible claim is the qualitative window, not any single percentage.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The absence of a machine today would be comforting if secrets expired the moment they were sent. They do not. An adversary can record your encrypted traffic now and store it until a CRQC arrives, then decrypt it retroactively. For any data whose confidentiality must outlive the 2030s, &quot;no quantum computer exists yet&quot; provides exactly zero protection. The clock started when the ciphertext was first captured, not when the machine boots.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The gun is loaded and sitting on the table. Its trigger is an engineering trajectory, not a delivered capability, and the timeline is a judgment rather than a promise -- but a judgment that says &quot;sometime in the next decade&quot; is not a judgment you can safely ignore for data that must stay secret into the 2040s. Before we talk about who has to move first, one question decides everything downstream: what, exactly, does this machine &lt;em&gt;not&lt;/em&gt; break?&lt;/p&gt;
&lt;h2&gt;9. What Q-Day Does Not Break&lt;/h2&gt;
&lt;p&gt;The blast radius is bounded, and the boundary is the thesis restated as a theorem: Shor breaks &lt;em&gt;exactly&lt;/em&gt; the abelian-hidden-subgroup primitives, and nothing else structurally. Everything on the safe side of that line survives Q-Day, and a whole field of cryptography was deliberately built there.&lt;/p&gt;
&lt;p&gt;Start the inventory. Symmetric ciphers and hashes survive with only Grover&apos;s quadratic nibble, as Section 6 proved. Hash-based signatures such as SLH-DSA rest on nothing but the preimage and collision resistance of a hash function, so they inherit that same square-root safety and no more [@fips-205]. And the new public-key families -- lattices, codes, isogenies, multivariate systems -- survive because not one of them is an abelian hidden-subgroup problem. The QFT has no period to read.&lt;/p&gt;
&lt;p&gt;The sharpest way to say why is to name the structure lattices actually touch.&lt;/p&gt;

The dihedral group is non-abelian: its elements do not all commute. The hidden subgroup problem over it is the natural non-abelian cousin of the one the QFT dispatches so easily -- but the Fourier machinery that concentrates amplitude so neatly in the abelian case does not do so here. Despite two decades of effort, the best known quantum algorithm is Kuperberg&apos;s, running in sub-exponential but still super-polynomial time $2^{O(\sqrt{\log N})}$ [@kuperberg-2003]. Certain lattice problems relate to it, which is one reason lattice cryptography is believed quantum-resistant.
&lt;p&gt;Notice the symmetry. The abstraction that &lt;em&gt;unifies&lt;/em&gt; the attack -- the abelian HSP -- is the very same abstraction that &lt;em&gt;bounds&lt;/em&gt; it. Cross from abelian to non-abelian structure and the QFT stops working, Shor&apos;s polynomial-time guarantee evaporates, and the best anyone has managed in twenty years is sub-exponential. That single conceptual line is the design premise of post-quantum cryptography.&lt;/p&gt;
&lt;p&gt;But here precision matters more than anywhere else in the article, because the most natural way to summarize this is &lt;em&gt;wrong&lt;/em&gt; and plants a misconception. It is tempting to write that the best quantum attack on lattice schemes is Kuperberg&apos;s sub-exponential algorithm. It is not, for three reasons worth stating explicitly.&lt;/p&gt;
&lt;p&gt;First, the attack that actually sets lattice key sizes is not a hidden-subgroup attack at all. It is lattice sieving -- quantum-accelerated BKZ -- and it is &lt;em&gt;exponential&lt;/em&gt;. Heuristic quantum sieving for the shortest-vector problem runs in about $2^{0.312n + o(n)}$, against the classical $2^{0.384n + o(n)}$ [@laarhoven-2013]. Quantum search shaves the constant in the exponent; it never reaches sub-exponential. Lattice parameters are chosen against that exponential wall.&lt;/p&gt;
&lt;p&gt;Second, the famous link between lattices and the dihedral HSP is a &lt;em&gt;one-directional reduction, not a usable attack&lt;/em&gt;. Regev showed in 2004 that a dihedral-HSP solver &lt;em&gt;by coset sampling&lt;/em&gt; would break the unique shortest-vector problem [@regev-2004] -- but there is no known way to prepare the required dihedral coset states from an actual lattice instance. The implication runs from &quot;hypothetical dihedral solver&quot; to &quot;broken lattice,&quot; not the other way, so you cannot feed a real lattice problem into Kuperberg&apos;s algorithm and get an attack out.&lt;/p&gt;
&lt;p&gt;Third, Kuperberg&apos;s sub-exponential algorithm genuinely is the best known attack -- but for a &lt;em&gt;different&lt;/em&gt; family. Commutative-isogeny schemes like CSIDH are built on an abelian group action, a hidden-shift problem, and there Kuperberg&apos;s algorithm really does set the parameters [@csidh-2018][@kuperberg-2003]. The &quot;Kuperberg&quot; label belongs on a CSIDH row, never on the lattice row. With that fixed, here is the honest ledger of what falls and what stands.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Primitive&lt;/th&gt;
&lt;th&gt;Underlying problem&lt;/th&gt;
&lt;th&gt;Abelian HSP?&lt;/th&gt;
&lt;th&gt;Best known quantum attack&lt;/th&gt;
&lt;th&gt;Verdict&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;RSA / DH / DSA / ECC&lt;/td&gt;
&lt;td&gt;Factoring, discrete log&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;Shor -- polynomial&lt;/td&gt;
&lt;td&gt;Broken&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AES-256, SHA-384/512&lt;/td&gt;
&lt;td&gt;Unstructured key or preimage&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Grover -- quadratic (optimal)&lt;/td&gt;
&lt;td&gt;Safe: double the parameter [@bbbv-1997]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SLH-DSA (hash signatures)&lt;/td&gt;
&lt;td&gt;Hash preimage and collision&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Grover -- quadratic&lt;/td&gt;
&lt;td&gt;Safe [@fips-205]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ML-KEM / ML-DSA (lattice)&lt;/td&gt;
&lt;td&gt;Module-LWE&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Exponential lattice sieving $2^{\Theta(n)}$&lt;/td&gt;
&lt;td&gt;Believed safe [@laarhoven-2013]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CSIDH (commutative isogeny)&lt;/td&gt;
&lt;td&gt;Abelian group action, hidden shift&lt;/td&gt;
&lt;td&gt;Group action&lt;/td&gt;
&lt;td&gt;Kuperberg -- sub-exponential&lt;/td&gt;
&lt;td&gt;Sized against Kuperberg [@kuperberg-2003]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The line Shor cannot cross is the line between abelian and non-abelian structure -- and that single line is the entire design premise of post-quantum cryptography. Lattice schemes are not &quot;probably too hard to bother with&quot;; they sit provably on the far side of the abstraction that makes Shor work.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two counterweights keep this from becoming triumphalism, and they cut in opposite directions.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Nobody has ever proven that factoring or the discrete logarithm is classically hard. Factoring&apos;s decision version sits in NP intersect co-NP and is not believed NP-complete, so Shor exploits &lt;em&gt;special structure&lt;/em&gt;, not raw NP-hardness. That means Shor is &lt;em&gt;the known&lt;/em&gt; structural break -- not a proof that no classical shortcut exists. The public-key world was never standing on proven ground; it was standing on ground nobody had found a way through yet.&lt;/p&gt;
&lt;/blockquote&gt;

In 2022 Wouter Castryck and Thomas Decru broke SIDH, a leading isogeny-based candidate, recovering the key of SIKEp434 in about ten minutes on a single classical core [@castryck-decru-2022]. No quantum computer was involved. Two lessons follow. First, do not conflate &quot;elliptic-curve&quot; with &quot;Shor target&quot;: SIDH is isogeny-based, a different hard problem, and it fell to classical mathematics, not to Q-Day. Second, the post-quantum assumptions are themselves young and unproven, and SIDH is proof that a scheme can be quantum-immune and still catastrophically broken. Note also that SIDH is not CSIDH: one collapsed classically, the other still stands, sized against Kuperberg.
&lt;p&gt;So Shor is a scalpel, not a bomb. It cuts exactly one structure -- the abelian hidden period -- and a whole field of cryptography was engineered to live on the parts it cannot reach. That field exists for exactly one reason, and with every piece now on the table, it is time to name it.&lt;/p&gt;
&lt;h2&gt;10. Why This One Event Is the Whole Reason PQC Exists&lt;/h2&gt;
&lt;p&gt;Assemble the pieces and one sentence follows that you now have every reason to accept. Because RSA, Diffie-Hellman, DSA, and elliptic-curve cryptography share exactly one crack -- the abelian period the QFT reads -- that crack is not four separate vulnerabilities. It is a &lt;em&gt;single point of failure&lt;/em&gt; for nearly the entire deployed public-key world. And a single point of failure of that magnitude does not get patched. It gets routed around, by building a replacement on the far side of the abelian line.&lt;/p&gt;

One shared crack under four fortresses is not four vulnerabilities. It is one -- a single point of failure for nearly all deployed public-key cryptography. Post-quantum cryptography is the world&apos;s response to that one fact.
&lt;p&gt;That response is already machinery, and every gear traces back to Shor. In 2016 NIST opened a public competition to standardize quantum-resistant algorithms [@nist-pqc-project]; on 13 August 2024 it published the first three standards -- FIPS 203 (ML-KEM) for key establishment, FIPS 204 (ML-DSA) for signatures, and FIPS 205 (SLH-DSA) for hash-based signatures [@fips-203][@fips-204][@fips-205].&lt;/p&gt;
&lt;p&gt;The NSA&apos;s CNSA 2.0 suite sets a national-security transition timeline and, tellingly, keeps AES-256 and &lt;a href=&quot;https://paragmali.com/blog/how-sha-2-and-sha-3-would-break-merkle-damgard-collisions-le/&quot; rel=&quot;noopener&quot;&gt;SHA-384/512&lt;/a&gt; on the symmetric side because those need no replacement [@nsa-cnsa-2.0]. And in 2026 the United States made it binding: Executive Order 14412 requires high-value systems to adopt post-quantum key establishment by 31 December 2030 and post-quantum signatures by 31 December 2031 [@eo-14412].&lt;/p&gt;
&lt;p&gt;There is a quiet revival buried in that timeline. The lattice hardness now anchoring ML-KEM and ML-DSA is not new: Miklos Ajtai put worst-case lattice hardness on a rigorous footing in 1996, and NTRU shipped a ring-based lattice cryptosystem in 1998 [@ajtai-1996][@ntru-1998]. Both sat in a niche for two decades. What changed their fortunes was not a new theorem -- it was Shor turning &quot;hardness the quantum Fourier transform cannot read&quot; into the single most valuable property a cryptosystem can have, and a generation of survey work mapping out the lattice, code, hash, and isogeny families that possess it [@bernstein-lange-2017].&lt;/p&gt;
&lt;p&gt;But standards and deadlines only matter if they beat the clock, and the clock is subtle, because it started ticking before the machine exists. Michele Mosca captured the logic in a single inequality.&lt;/p&gt;

Let $X$ be the years your organization needs to migrate to quantum-safe cryptography, $Y$ the years your data must stay confidential, and $Z$ the years until a CRQC exists. If $X + Y &amp;gt; Z$, then data you protect today will still be sensitive when the machine arrives -- so you are already exposed, no matter how far off Q-Day turns out to be [@mosca-2018].

flowchart LR
    X[&quot;X: years to migrate&quot;] --&amp;gt; SUM[&quot;X + Y&quot;]
    Y[&quot;Y: years data must stay secret&quot;] --&amp;gt; SUM
    Z[&quot;Z: years until a CRQC exists&quot;] --&amp;gt; CMP{&quot;X + Y greater than Z?&quot;}
    SUM --&amp;gt; CMP
    CMP --&amp;gt;|yes| EXP[&quot;Already exposed: harvested ciphertext will be readable&quot;]
    CMP --&amp;gt;|no| OK[&quot;Safe, for this data, for now&quot;]
&lt;p&gt;The inequality has teeth because of the harvesting strategy that makes $Z$ irrelevant for confidentiality.&lt;/p&gt;

Harvest-now-decrypt-later is the practice of recording encrypted traffic today and storing it until a quantum computer can decrypt it. It converts a future capability into a present threat: the confidentiality of a long-lived secret is compromised the moment its ciphertext is captured, not the moment Q-Day arrives.
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; If an adversary is recording your encrypted traffic now -- and for high-value targets it is safe to assume someone is -- then every secret with a shelf life into the 2030s is effectively in the open already. You cannot un-send the ciphertext. This is the reason the migration cannot wait for proof that a CRQC exists: by the time the proof arrives, the harvested data is decades into its exposure. The empirical side of this -- who is harvesting, what is already at risk, and what the captured traffic looks like -- is the subject of the companion post, &quot;How Q-Day Is Already Breaking Things: Harvest Now, Decrypt Later.&quot;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This is the hinge of the whole series, so state it without hedging. The post-quantum migration is not a bet on when quantum computers will arrive. It is a response to one already-proven mathematical fact -- that Shor&apos;s algorithm reads the shared abelian period under RSA, Diffie-Hellman, DSA, and ECC -- combined with one strategic fact, that adversaries can harvest today and decrypt later. Neither of those facts depends on a machine booting up. Which means the work starts now, not on Q-Day. So what, concretely, do you do before the machine that does not yet exist finally does?&lt;/p&gt;
&lt;h2&gt;11. What To Do Before Q-Day&lt;/h2&gt;
&lt;p&gt;You cannot buy a cryptographically relevant quantum computer, and you cannot wait for one to appear before acting -- harvest-now-decrypt-later has already seen to that. The good news is that the pre-Q-Day checklist follows directly from the thesis, and every item on it is doable today with shipping standards.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;1. Inventory every use of RSA, DH, DSA, ECDH, and ECDSA.&lt;/strong&gt; Build a cryptographic bill of materials: where each algorithm lives, which keys protect what, and how long each secret must last. This is not busywork. Because all four primitives share one crack, &lt;em&gt;nothing&lt;/em&gt; on that list is safe by virtue of key size, curve choice, or obscurity -- the inventory is the map of your entire exposure.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;2. Triage by secrecy lifetime.&lt;/strong&gt; Run Mosca&apos;s inequality on each data class. Anything whose confidentiality must outlive the CRQC window -- health records, state secrets, long-lived credentials, genomic data -- migrates first, because for that data $X + Y &amp;gt; Z$ already holds [@mosca-2018]. You can compute the gap directly.&lt;/p&gt;
&lt;p&gt;{`
// If migration time X + secrecy lifetime Y exceeds time-to-CRQC Z, you are exposed.
function mosca(X, Y, Z) {
  const exposed = (X + Y) &amp;gt; Z;
  const gap = (X + Y) - Z;   // positive gap = years of exposure
  return { exposed, gap };
}&lt;/p&gt;
&lt;p&gt;const cases = [
  { label: &quot;Long-lived health records&quot;, X: 5, Y: 25, Z: 12 },
  { label: &quot;Short-lived session key&quot;,   X: 2, Y: 1,  Z: 12 },
];
for (const c of cases) {
  const r = mosca(c.X, c.Y, c.Z);
  console.log(c.label + &quot;: X=&quot; + c.X + &quot; Y=&quot; + c.Y + &quot; Z=&quot; + c.Z + &quot; -&amp;gt; &quot; +
    (r.exposed ? &quot;EXPOSED by &quot; + r.gap + &quot; years&quot; : &quot;safe by &quot; + (-r.gap) + &quot; years&quot;));
}
// Long-lived health records: X=5 Y=25 Z=12 -&amp;gt; EXPOSED by 18 years
// Short-lived session key: X=2 Y=1 Z=12 -&amp;gt; safe by 9 years
`}&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;3. Deploy hybrid key establishment now.&lt;/strong&gt; Combine a classical exchange with a lattice one -- for example the &lt;code&gt;X25519MLKEM768&lt;/code&gt; hybrid -- so that a future CRQC cannot decrypt today&apos;s captured sessions, while a flaw in the young post-quantum scheme still leaves the classical layer standing [@fips-203]. Hybrids are the pragmatic answer to &quot;the abelian period is readable&quot; and &quot;the new assumptions are unproven&quot; at the same time.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;4. Migrate signatures on their own timeline.&lt;/strong&gt; Move to ML-DSA or SLH-DSA, but recognize the urgency differs from confidentiality [@fips-204][@fips-205]. A forged signature requires a CRQC at signing time; there is nothing an adversary can harvest today and forge later. Confidentiality is the harvestable asset, so it leads.&lt;/p&gt;

Harvest-now-decrypt-later threatens *confidentiality*: recorded ciphertext sits waiting for the machine. Signatures are different -- forgery needs a CRQC while the signing key is still trusted, so there is no equivalent of a stored capture that becomes forgeable in hindsight. This is why key establishment carries the earlier deadline in Executive Order 14412 than signatures do. The exception is long-lived roots of trust -- certificate-authority roots, firmware-signing keys valid for a decade or more -- whose validity windows reach into the CRQC era and so deserve early attention.
&lt;p&gt;&lt;strong&gt;5. Take the cheap symmetric hedge.&lt;/strong&gt; Prefer AES-256 over AES-128 and SHA-384 or SHA-512 over SHA-256. As Section 6 established, Grover is only quadratic -- and under a realistic depth limit, far weaker than even that -- so doubling the security parameter is sufficient, not merely hopeful [@bbbv-1997]. This is the one part of the migration that costs almost nothing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;6. Build crypto-agility.&lt;/strong&gt; Design so the algorithm can be swapped without re-architecting the protocol, so the next transition is a configuration change rather than another decade-long project.&lt;/p&gt;

Crypto-agility is building systems so a cryptographic algorithm can be replaced without redesigning the protocol or application around it. It turns a future migration from a rebuild into a swap.
&lt;p&gt;Crypto-agility is doubly warranted here, because the destination assumptions are young. SIDH&apos;s classical collapse in 2022 is the standing reminder that a scheme can look quantum-safe and still fail for reasons no one anticipated [@castryck-decru-2022]. Agility is how you survive being wrong about the replacement.&lt;/p&gt;
&lt;p&gt;For the details of &lt;em&gt;what&lt;/em&gt; to migrate to -- parameter sets, performance trade-offs, and deployment patterns -- this series&apos; &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;post-quantum-toolkit&lt;/a&gt; and &lt;a href=&quot;https://paragmali.com/blog/you-cannot-rotate-what-you-cannot-see-crypto-agility-and-the/&quot; rel=&quot;noopener&quot;&gt;crypto-agility&lt;/a&gt; installments carry the load, and the implementation-hardening questions (side channels, fault attacks, and the rest) belong to the empirical sibling, per this article&apos;s structural-only contract. None of it waits for the machine. That is the whole point -- and it is why the last few questions people always ask deserve straight, mechanism-grounded answers.&lt;/p&gt;
&lt;h2&gt;12. Sharp Questions, Straight Answers&lt;/h2&gt;


No. The threat to confidentiality is already live through harvest-now-decrypt-later: an adversary records your encrypted traffic today and decrypts it once a CRQC exists [@mosca-2018]. If your data must stay secret into the 2030s, the absence of a machine in 2026 protects nothing -- the ciphertext is already captured, and you cannot un-send it.


No. Symmetric primitives expose no abelian period, so Shor does not apply; they face only Grover&apos;s quadratic speedup, which is provably the best any quantum attacker can do against unstructured search [@bbbv-1997]. And even that is a floor on operations, not a runtime: under NIST&apos;s MAXDEPTH depth limit, an AES-128 key search costs about $2^{170}/\text{MAXDEPTH}$ quantum gates [@nist-cfp-2016]. Prefer AES-256 and SHA-384/512 and the problem is closed.


No, and this is the counterintuitive part. Shor&apos;s cost is polynomial in the number of key bits, so going from RSA-2048 to RSA-4096 buys a small constant, not security [@shor-1994]. Worse for the intuition: elliptic curves use *smaller* keys, so they need *fewer* logical qubits and fall first -- about 2330 logical qubits for P-256 versus roughly 6200 for RSA-2048 [@roetteler-2017][@gidney-ekera-2021].


Same machine class and same breakthrough, not one identical circuit. RSA, a finite field, and an elliptic curve need different arithmetic compiled into the machine, but each reduces to the abelian hidden-subgroup problem, so one CRQC running Shor&apos;s family dispatches all of them [@kitaev-1995]. If anything, elliptic-curve schemes fall a step ahead because they need the fewest qubits [@roetteler-2017].


No -- and this conflation is a common trap. The broken isogeny scheme SIDH was not defeated by Shor at all; Castryck and Decru broke it with classical mathematics in about ten minutes on one core [@castryck-decru-2022]. &quot;Elliptic-curve&quot; is not the same as &quot;Shor target.&quot; Isogeny problems are a different structure, and their risks (as SIDH showed) can be entirely classical.


The migration is not a bet on hardware timing. Mosca&apos;s inequality shows that if migration time plus secrecy lifetime exceeds time-to-CRQC, you are already exposed [@mosca-2018]. Meanwhile the cost estimates keep falling on algorithmic progress alone -- 20 million qubits to under a million in six years, same hardware assumptions [@gidney-ekera-2021][@gidney-2025] -- and the underlying algorithm has been proven for three decades. The proof is not in doubt; only the schedule is.

&lt;p&gt;Step back to the single image the whole article was built to earn. Four cryptographers, four decades, four branches of mathematics -- and one hidden period beneath all of them. RSA, Diffie-Hellman, DSA, and elliptic curves were never four independent bets. They were one bet, that a hidden abelian period is hard to find, made four times in four disguises.&lt;/p&gt;
&lt;p&gt;Shor&apos;s algorithm reads that period with the quantum Fourier transform and collects on all four at once, while AES-256 in the next field survives for the mirror-image reason: it hides no period, so the same machine can do no better than a provably quadratic nibble. That asymmetry -- abelian falls, non-abelian stands -- is not a footnote. It is the exact line post-quantum cryptography was engineered to live behind.&lt;/p&gt;
&lt;p&gt;The shared quantum vulnerability of RSA, Diffie-Hellman, DSA, and elliptic curves is a single point of failure, and that single point is the whole reason post-quantum cryptography exists. The algorithm is proven; the machine is not here yet; and the distance between those two facts is not your safety margin -- it is your deadline.&lt;/p&gt;
&lt;p&gt;The gun is loaded and on the table. No one has fired it, and no one can say precisely when someone will. But the mathematics that makes it fire was settled in 1994, the price of ammunition is falling every year, and some of the secrets it will read are being recorded right now. That is why the work does not start on Q-Day. It starts today.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-q-day-breaks-everything&quot; keyTerms={[
  { term: &quot;Q-Day&quot;, definition: &quot;The day a cryptographically relevant quantum computer first runs Shor&apos;s algorithm against deployed keys, breaking RSA, Diffie-Hellman, DSA, and elliptic-curve cryptography.&quot; },
  { term: &quot;Discrete Logarithm Problem&quot;, definition: &quot;Recovering the exponent x from g and h = g^x in a finite group; the assumption under Diffie-Hellman, DSA, and ECC.&quot; },
  { term: &quot;Superposition&quot;, definition: &quot;A quantum register occupying a weighted combination of all basis states at once; measuring returns just one outcome at random.&quot; },
  { term: &quot;Quantum Fourier Transform&quot;, definition: &quot;The instrument that concentrates a quantum state&apos;s amplitude onto the frequency of a hidden period, so measurement reveals the period.&quot; },
  { term: &quot;Order of a mod N&quot;, definition: &quot;The smallest positive r with a to the r congruent to 1 mod N; the period of a to the x mod N and the key to factoring.&quot; },
  { term: &quot;Abelian Hidden Subgroup Problem&quot;, definition: &quot;Finding a hidden subgroup of a finite abelian group from a function constant on its cosets; solved by the QFT in polynomial time and shared by factoring and both discrete logs.&quot; },
  { term: &quot;Grover&apos;s algorithm&quot;, definition: &quot;A generic unstructured search in about the square root of the space; a quadratic, provably optimal, non-structural speedup.&quot; },
  { term: &quot;Logical vs physical qubit&quot;, definition: &quot;A logical qubit is an error-corrected qubit built from many noisy physical qubits; Shor&apos;s circuit counts logical qubits and gates.&quot; },
  { term: &quot;Surface code&quot;, definition: &quot;A two-dimensional error-correcting code whose logical error falls exponentially with code distance when physical errors stay below about one percent.&quot; },
  { term: &quot;CRQC&quot;, definition: &quot;A cryptographically relevant quantum computer: enough logical qubits held coherent through billions of gates to run Shor against real keys, roughly a million physical qubits today.&quot; },
  { term: &quot;Dihedral (non-abelian) HSP&quot;, definition: &quot;The non-abelian hidden-subgroup problem lattice problems relate to; the best known quantum algorithm is only sub-exponential, which is why lattice cryptography resists Shor.&quot; },
  { term: &quot;Mosca&apos;s inequality&quot;, definition: &quot;If migration time plus data secrecy lifetime exceeds time-to-CRQC, your data is already exposed to harvest-now-decrypt-later.&quot; }
]} questions={[
  { q: &quot;Why does enlarging an RSA or ECC key fail to defend against Shor?&quot;, a: &quot;Shor&apos;s cost is polynomial in the number of key bits, so more bits add only a small constant; ECC&apos;s smaller keys even make it fall first.&quot; },
  { q: &quot;Why does AES-256 survive Q-Day when RSA does not?&quot;, a: &quot;AES hides no abelian period for the QFT to read, so it faces only Grover&apos;s quadratic speedup, which the BBBV bound proves is optimal; doubling the key restores the margin.&quot; },
  { q: &quot;In what sense are RSA, DH, DSA, and ECC the same problem?&quot;, a: &quot;All three underlying problems are instances of the abelian hidden-subgroup problem, which the quantum Fourier transform solves in polynomial time.&quot; },
  { q: &quot;Why is the best quantum attack on ML-KEM exponential rather than Kuperberg&apos;s sub-exponential algorithm?&quot;, a: &quot;Lattice parameters are set by exponential sieving; the lattice-to-dihedral-HSP link is a one-directional reduction, and Kuperberg&apos;s algorithm actually applies to commutative-isogeny schemes like CSIDH.&quot; },
  { q: &quot;Why must migration start before a quantum computer exists?&quot;, a: &quot;Harvest-now-decrypt-later means data captured today can be decrypted after Q-Day, so Mosca&apos;s inequality can already be violated for long-lived secrets.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>quantum-computing</category><category>shors-algorithm</category><category>post-quantum-cryptography</category><category>cryptanalysis</category><category>rsa</category><category>elliptic-curve-cryptography</category><category>diffie-hellman</category><category>hidden-subgroup-problem</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>Two Standards, One Lattice: How ML-KEM and ML-DSA Would Break</title><link>https://paragmali.com/blog/two-standards-one-lattice-how-ml-kem-and-ml-dsa-would-break/</link><guid isPermaLink="true">https://paragmali.com/blog/two-standards-one-lattice-how-ml-kem-and-ml-dsa-would-break/</guid><description>ML-KEM and ML-DSA rest on one hard problem, Module-LWE, measured by one ruler. Here is how that ruler would slip -- and why one slip debits both standards.</description><pubDate>Sat, 18 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
**ML-KEM and ML-DSA are not two security stories -- they are one.** Both rest on a single hard problem, Module-LWE, whose strength is not proven but *measured*, by one number: the BKZ block size that lattice reduction must reach. The realistic &quot;break&quot; is not a sudden collapse but that ruler slipping a few bits at a time as reduction improves -- and because both standards read the same ruler, one advance debits both at once (correlated failure). The wildcards are a still-hypothetical &quot;Shor for lattices&quot; (the closest attempt was retracted within days) and a structural attack on the cyclotomic ring, the one risk the ruler cannot price.
&lt;h2&gt;1. We Escaped Shor by Making One Bet&lt;/h2&gt;
&lt;p&gt;We escaped Shor by making a single bet. RSA and elliptic curves fell to a quantum algorithm that hunts for hidden periodic structure, and lattice problems replaced them precisely because they seem to offer no such structure to hunt. In August 2024 the US National Institute of Standards and Technology (NIST) finished the job, publishing ML-KEM as FIPS 203 for key establishment [@fips-203] and ML-DSA as FIPS 204 for signatures [@fips-204]. The celebrations were real. But they skipped an uncomfortable question: if a quantum computer cannot break the replacements the way it broke the originals, how &lt;em&gt;would&lt;/em&gt; they break?&lt;/p&gt;
&lt;p&gt;The honest answer is: not with a bang. ML-KEM and ML-DSA are two products of one assumption, the Module Learning-With-Errors problem, and the strength of that assumption is not proven. It is &lt;em&gt;measured&lt;/em&gt; -- read off a single ruler that lattice cryptographers argue about openly. The likely failure is not a dramatic event but that ruler slipping, a few bits at a time, as attacks improve. And because both standards are pinned to the same ruler, one slip debits both at once.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Two standards, one lattice, one ruler. ML-KEM and ML-DSA do not have two security stories; they have one -- Module-LWE -- read off a single ruler, the core-SVP block size that lattice reduction must reach. The realistic break is that ruler slipping a few bits at a time, and because both standards read the same ruler, one slip debits both at once. A &lt;em&gt;sudden&lt;/em&gt; break would have to come from the one thing the ruler does not price: the algebra of the cyclotomic ring.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That lens sorts the whole threat surface into three routes, in descending order of likelihood. First and most probable is &lt;strong&gt;erosion&lt;/strong&gt;: lattice reduction gets a little better, the ruler reads a few bits lower, and the published margins thin. This has already happened once in miniature, and it is the route this article says you should expect.&lt;/p&gt;
&lt;p&gt;The second is &lt;strong&gt;the quantum route&lt;/strong&gt; everyone fears -- a &quot;Shor for lattices&quot; that would collapse the margin all at once. It has been claimed exactly once, and retracted within days. The third is the &lt;strong&gt;wildcard&lt;/strong&gt;: a structural attack on the extra algebra of the cyclotomic ring, the one surface the ruler does not even try to price. Low probability, high impact, genuinely contested.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is a structural-cryptanalysis piece. It asks by what &lt;em&gt;mathematical&lt;/em&gt; route ML-KEM and ML-DSA would fail: attacks on the algorithms&apos; own hardness assumptions. It deliberately excludes implementation attacks -- timing leaks such as KyberSlash, fault and power analysis, random-number-generator failures, and protocol misuse. Those are real and they matter, but they break a particular &lt;em&gt;program&lt;/em&gt;, not the &lt;em&gt;mathematics&lt;/em&gt;. They belong to the empirical sibling, &quot;How ML-KEM Breaks in Real Life.&quot; One boundary case is worth stating up front: quantum algorithms that attack the math (Shor) are in scope, and we will spend a section explaining precisely why Shor gets no purchase here.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;To see how the ruler slips, we first have to see where the hardness came from -- and why &quot;noisy linear algebra&quot; survived the very tools that killed RSA.&lt;/p&gt;
&lt;h2&gt;2. Where the Hardness Comes From&lt;/h2&gt;
&lt;p&gt;In 1996, at IBM&apos;s Almaden Research Center, Miklos Ajtai proved something that sounds too good to be true: certain &lt;em&gt;random&lt;/em&gt; lattice problems are as hard as the &lt;em&gt;worst&lt;/em&gt; case of a related problem [@ajtai-1996]. For a cryptographer, that is the dream.&lt;/p&gt;
&lt;p&gt;Normally, a randomly generated key gives no guarantee you did not pick an easy instance. Ajtai&apos;s worst-case-to-average-case reduction says these lattice problems are different: a random instance is not a roll of the dice -- it inherits the difficulty of the hardest instance that exists. Build your keys on that, and breaking your &lt;em&gt;average&lt;/em&gt; key would mean breaking the &lt;em&gt;worst-case&lt;/em&gt; problem everyone believes is hard.&lt;/p&gt;

The set of all integer combinations of a fixed set of basis vectors -- a regular, infinite grid of points in $n$-dimensional space. The same lattice has infinitely many bases. The hard problems live in the gap between a &quot;good&quot; basis (short, nearly perpendicular vectors) and a &quot;bad&quot; one (long, skewed vectors) that generate the identical grid.
&lt;p&gt;The grid has a catch that makes it useful. Given a &quot;bad&quot; basis, simple questions become brutal.&lt;/p&gt;

Given a basis for a lattice, find the shortest non-zero vector in it. In high dimension, with a bad basis, no efficient algorithm is known -- and the best ones we have get exponentially slower as the dimension grows. Cryptographic hardness is quoted relative to how hard SVP is in the relevant dimension.
&lt;p&gt;Ajtai&apos;s foundation was beautiful. The cryptosystems built directly on it were not. The first generation broke almost as fast as it was proposed. The Ajtai-Dwork scheme was provably hard but shipped megabyte-sized keys, and Nguyen and Stern broke it at its proposed parameters in 1998 [@nguyen-stern-1998]. The Goldreich-Goldwasser-Halevi scheme followed the tempting &quot;publish a bad basis, decrypt with a secret good basis&quot; template. Phong Nguyen broke it in 1999 by noticing that its special error distribution leaked a congruence, recovering plaintext outright at four of the five proposed dimensions and most of it at the fifth [@nguyen-ggh-1999].&lt;/p&gt;
&lt;p&gt;The lesson was expensive and permanent: hiding a good basis is not enough, because the structure you use to decrypt is structure an attacker can find. The hardness was real; the packaging was hopeless.&lt;/p&gt;
&lt;p&gt;The fix arrived in 2005, and it changed the shape of the field. Oded Regev introduced Learning With Errors.&lt;/p&gt;

Recover a secret vector $\mathbf{s}$ from many noisy linear samples $(\mathbf{a}_i,\; \langle \mathbf{a}_i, \mathbf{s}\rangle + e_i \bmod q)$, where each $\mathbf{a}_i$ is public and random and each $e_i$ is a small secret error. Without the errors this is a linear system you solve by Gaussian elimination. With them, it is believed hard. LWE is &quot;linear algebra where every equation is slightly, deliberately wrong.&quot;
&lt;p&gt;Regev&apos;s construction did two things at once. It made the noise &lt;em&gt;intrinsic&lt;/em&gt; -- the hardness no longer depended on hiding a clever basis, but came from the errors themselves -- and it came with a quantum worst-case-to-average-case reduction connecting a random LWE key to the worst case of standard lattice problems [@regev-lwe-2005]. That word &quot;quantum&quot; is deliberate: Regev&apos;s reduction was tuned for a post-quantum world from the start.&lt;/p&gt;
&lt;p&gt;It also points at the deeper reason lattices replaced RSA and elliptic curves. &lt;a href=&quot;https://paragmali.com/blog/how-q-day-breaks-everything-shors-algorithm-and-the-simultan/&quot; rel=&quot;noopener&quot;&gt;Shor&apos;s algorithm&lt;/a&gt; breaks RSA and Diffie-Hellman because those problems hide a &lt;em&gt;periodic&lt;/em&gt; structure that a quantum Fourier transform can extract. LWE exposes no such period.This is the one-line reason lattices were chosen for the post-quantum standards: a period-finding or hidden-subgroup quantum algorithm has nothing to grab onto in the geometry of short vectors. Section 7 makes this precise. The very feature that makes LWE resist Shor is that its hardness is geometric, not arithmetic.&lt;/p&gt;
&lt;p&gt;You can feel why the noise is load-bearing with a tiny numerical example.&lt;/p&gt;
&lt;p&gt;{`
// A toy LWE instance mod q. Recover the secret s from samples (a, b).
const q = 97;
const s = [42, 15, 8];                 // the secret we must recover
const dot = (a, b) =&amp;gt; a.reduce((t, x, i) =&amp;gt; t + x * b[i], 0);
const A = [[12, 5, 33],[7, 88, 1],[54, 2, 19]];  // 3 public random rows&lt;/p&gt;
&lt;p&gt;// Case 1: no noise. b = A s mod q. Gaussian elimination recovers s exactly.
const clean = A.map(a =&amp;gt; ((dot(a, s) % q) + q) % q);
console.log(&quot;clean samples b =&quot;, clean);
// With 3 equations and 3 unknowns and NO error, solving is instant and exact.&lt;/p&gt;
&lt;p&gt;// Case 2: add a small error e in {-1,0,1} to each equation.
const e = [1, -1, 1];
const noisy = A.map((a, i) =&amp;gt; ((((dot(a, s) + e[i]) % q) + q) % q));
console.log(&quot;noisy samples b =&quot;, noisy);
// Now the linear system is INCONSISTENT with the true s: every naive solve
// that assumes e = 0 returns a different, wrong vector. The attacker must
// search over which tiny error vector was added -- and in real dimensions
// (n = 256 and up) that search is the hard lattice problem itself.
console.log(&quot;difference caused by e =&quot;, noisy.map((b, i) =&amp;gt; b - clean[i]));
`}&lt;/p&gt;
&lt;p&gt;Three equations in three unknowns is trivial. The standards use dimensions in the hundreds, and the error turns &quot;solve the system&quot; into &quot;find a suspiciously short vector in a lattice built from the system&quot; -- which is SVP wearing a disguise. That disguise is the entire security story. The rest of this article is about how sharp the disguise really is.&lt;/p&gt;
&lt;p&gt;LWE did not appear from nowhere; it was the turning point of a forty-year accretion, and seeing that lineage explains why the eventual break is an endpoint, not a surprise.&lt;/p&gt;

flowchart LR
    A[&quot;LLL basis reduction, 1982&quot;] --&amp;gt; B[&quot;Ajtai worst-case hardness, 1996&quot;]
    B --&amp;gt; C[&quot;Regev LWE, 2005&quot;]
    C --&amp;gt; D[&quot;Ring-LWE, 2010&quot;]
    D --&amp;gt; E[&quot;Module-LWE, 2015&quot;]
    E --&amp;gt; F[&quot;Kyber and Dilithium, 2017-2018&quot;]
    F --&amp;gt; G[&quot;FIPS 203 and FIPS 204, 2024&quot;]
&lt;p&gt;The oldest box on that diagram, the LLL algorithm of 1982, is not a footnote [@lll-1982]. It is the ancestor of every attack in this article: the first efficient method to take a bad basis and grind it into a better one. LWE was hard and clean, but its keys were quadratic in the security parameter -- far too heavy to ship in a TLS handshake. The fix was to add structure. And structure, it turns out, is exactly where the danger lives.&lt;/p&gt;
&lt;h2&gt;3. Building the Spine: From LWE to Module-LWE&lt;/h2&gt;
&lt;p&gt;The efficiency move came in 2010, and it came with a bill the field is still arguing about. Vadim Lyubashevsky, Chris Peikert, and Oded Regev introduced Ring-LWE, which shrinks LWE&apos;s quadratic keys to quasi-linear by pouring all the algebra into a single polynomial ring [@ring-lwe-lpr-2010]. Instead of storing a full random matrix $\mathbf{A}$, you store one polynomial and let the ring&apos;s multiplication &lt;em&gt;generate&lt;/em&gt; the matrix. Multiplication becomes a number-theoretic transform, the same fast-Fourier trick that makes the schemes practical on a phone. Keys drop from megabytes to kilobytes. Without this step there is no shippable post-quantum handshake.&lt;/p&gt;
&lt;p&gt;But look at what changed. In plain LWE the matrix $\mathbf{A}$ is fully random -- every entry independent. In Ring-LWE that matrix is &lt;em&gt;generated by one polynomial&lt;/em&gt;, so its entries are locked together in a rigid, algebraic way. That relatedness is exactly what makes the scheme fast. It is also what has divided lattice cryptography ever since: does the ring structure only buy speed, or does it also buy the attacker a shortcut?&lt;/p&gt;
&lt;p&gt;Daniel Bernstein and the NTRU Prime team have argued for years that the extra structure is an under-appreciated risk, and they built their alternative to avoid the most structured ring choices [@bernstein-kyber512-2023]. The design teams and NIST bet the other way. Section 8 weighs that dispute; for now, note only that it is real and unresolved.&lt;/p&gt;
&lt;p&gt;The standards did not take either extreme. They took the middle, on purpose.&lt;/p&gt;

LWE instantiated over a rank-$k$ module of a polynomial ring: instead of one big structured polynomial (Ring-LWE) or a fully random matrix (plain LWE), you use a small matrix *of* ring elements at module rank $k$ (square $k \times k$ for ML-KEM; rectangular $k \times l$ -- such as $6 \times 5$ or $8 \times 7$ -- for ML-DSA). It is the deliberate middle ground -- most of Ring-LWE&apos;s speed, but the single-ring symmetry diluted across $k$ components. This is the shared spine of both FIPS standards.
&lt;p&gt;Damien Stehle and Adeline Langlois gave this middle ground its worst-case-to-average-case reduction in 2015, proving that module lattices inherit the same style of hardness guarantee Ajtai and Regev had established for their settings [@langlois-stehle-2015]. That reduction is what lets the designers treat Module-LWE as a trustworthy foundation rather than an ad-hoc compromise. The rank $k$ becomes a dial: turn it up and you dilute the ring structure toward plain LWE (safer, heavier); turn it down toward $k=1$ and you recover Ring-LWE (faster, more structured). The hedge is built into the assumption itself.&lt;/p&gt;

The Short Integer Solution problem over modules: find a short, non-zero combination of given ring vectors that sums to zero. It is a &quot;find a short collision&quot; problem, dual in flavor to Module-LWE&apos;s &quot;recover a short secret.&quot; ML-DSA depends on Module-SIS for unforgeability; ML-KEM does not carry this assumption at all.
&lt;p&gt;Module-SIS is the second load-bearing assumption, and it matters for the asymmetry at the heart of this article: it is carried by the signature and not by the key-encapsulation mechanism. Both schemes then live in the same specific algebraic home.&lt;/p&gt;

The ring $\mathbb{Z}_q[X]/(X^{256}+1)$ that both standards build on: polynomials of degree below 256, with coefficients modulo $q$, reduced whenever the degree reaches 256 by the rule $X^{256} = -1$. Because $256$ is a power of two, this is a &quot;power-of-two cyclotomic&quot; ring -- the most efficient choice, and the one whose extra algebra is the wildcard&apos;s attack surface.

flowchart LR
    A[&quot;Plain LWE: fully random matrix, no ring structure, safest, keys too heavy to ship&quot;] --&amp;gt; B[&quot;Module-LWE: small matrix of ring elements, structure diluted across rank k, the tuned middle&quot;]
    B --&amp;gt; C[&quot;Ring-LWE: one polynomial generates everything, fastest, most structured&quot;]
&lt;p&gt;The through-line from 1998 is worth naming, because the worry is as old as the efficiency trick.NTRU, published in 1998 by Hoffstein, Pipher, and Silverman, was the original &quot;put the lattice in a polynomial ring to make it fast&quot; cryptosystem [@ntru-1998]. It is simultaneously the ancestor of every ring-based scheme here and the origin of the recurring worry that ring structure buys the attacker something. Its descendants include the Falcon signature, whose different spine we meet in Section 4. The field has known since NTRU that ring structure is a bargain with two sides. Module-LWE is the current answer to &quot;how much structure dare we cash in?&quot;&lt;/p&gt;
&lt;p&gt;Module-LWE is the single object both FIPS standards are built on: same ring, same core problem, two products. Which raises the question that defines this whole article. If they share one foundation, do they share one failure?&lt;/p&gt;
&lt;h2&gt;4. Two Standards, One Assumption&lt;/h2&gt;
&lt;p&gt;Lay the two standards side by side and they resolve into one. ML-KEM, the key-encapsulation mechanism in FIPS 203, rests on Module-LWE alone, over the ring $\mathbb{Z}_q[X]/(X^{256}+1)$ with modulus $q = 3329$, and offers three parameter sets at module ranks 2, 3, and 4 [@fips-203]. ML-DSA, the signature in FIPS 204, rests on Module-LWE &lt;em&gt;and&lt;/em&gt; Module-SIS, over the &lt;em&gt;same&lt;/em&gt; ring but with a &lt;em&gt;different&lt;/em&gt;, much larger modulus $q = 8380417$, and signs using Fiat-Shamir with aborts [@fips-204]. Same spine, different parameters.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Property&lt;/th&gt;
&lt;th&gt;ML-KEM (FIPS 203)&lt;/th&gt;
&lt;th&gt;ML-DSA (FIPS 204)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Purpose&lt;/td&gt;
&lt;td&gt;Key encapsulation&lt;/td&gt;
&lt;td&gt;Digital signatures&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Core hardness&lt;/td&gt;
&lt;td&gt;Module-LWE&lt;/td&gt;
&lt;td&gt;Module-LWE + Module-SIS&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ring&lt;/td&gt;
&lt;td&gt;$\mathbb{Z}_q[X]/(X^{256}+1)$&lt;/td&gt;
&lt;td&gt;$\mathbb{Z}_q[X]/(X^{256}+1)$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Modulus $q$&lt;/td&gt;
&lt;td&gt;3329&lt;/td&gt;
&lt;td&gt;8380417&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Module ranks&lt;/td&gt;
&lt;td&gt;2 / 3 / 4 (square $k \times k$)&lt;/td&gt;
&lt;td&gt;grows with level (rectangular $k \times l$)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Signing structure&lt;/td&gt;
&lt;td&gt;not applicable&lt;/td&gt;
&lt;td&gt;Fiat-Shamir with aborts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Extra structural route&lt;/td&gt;
&lt;td&gt;decryption failure&lt;/td&gt;
&lt;td&gt;SelfTargetMSIS forgery&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;A Module-LWE break yields&lt;/td&gt;
&lt;td&gt;the decryption key&lt;/td&gt;
&lt;td&gt;the signing key (universal forgery)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The table&apos;s most important row is the third from the bottom, and it hides in plain sight. Both public keys &lt;em&gt;are&lt;/em&gt;, essentially, the same object: a Module-LWE sample $\mathbf{t} = \mathbf{A}\mathbf{s} + \mathbf{e}$, a structured matrix times a short secret plus a small error. For ML-KEM the public key is literally such a sample, and recovering $\mathbf{s}$ &lt;em&gt;is&lt;/em&gt; recovering the decryption key.&lt;/p&gt;
&lt;p&gt;For ML-DSA the public key is the same shape, and recovering the short secret &lt;em&gt;is&lt;/em&gt; recovering the signing key -- which lets an attacker forge any signature at will. In both cases the attack is one thing: solve search-Module-LWE, find the short secret hiding in the sample. This is the mechanism the whole article turns on.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Correlated failure. Because each public key is a Module-LWE sample read off the same ruler, a single advance in lattice reduction against Module-LWE debits &lt;em&gt;both&lt;/em&gt; standards at once -- the key-encapsulation mechanism and the signature together. It is not two independent bets. It is one bet, made twice.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The correlation is real, but it is &lt;em&gt;one-directional&lt;/em&gt;, and precision here matters. A Module-LWE or lattice-reduction advance hits both schemes. But each scheme also carries one extra structural route the other does not share. ML-DSA has a second forgery path through its extra assumption; ML-KEM has a second path through decryption failures. Neither of those extra routes touches the other scheme, and because the two standards use different moduli, ranks, and noise, the &lt;em&gt;same&lt;/em&gt; reduction advance erodes them by &lt;em&gt;different&lt;/em&gt; amounts. &quot;Correlated&quot; does not mean &quot;identical.&quot;&lt;/p&gt;

flowchart TD
    A[&quot;Module-LWE hardness, the shared spine&quot;] --&amp;gt; B[&quot;ML-KEM public key, a Module-LWE sample&quot;]
    A --&amp;gt; C[&quot;ML-DSA public key, a Module-LWE sample&quot;]
    R[&quot;A lattice-reduction advance&quot;] --&amp;gt; A
    B --&amp;gt; D[&quot;Recover the ML-KEM decryption key&quot;]
    C --&amp;gt; E[&quot;Recover the ML-DSA signing key, universal forgery&quot;]
    C --&amp;gt; F[&quot;Extra ML-DSA route: SelfTargetMSIS forgery&quot;]
    B --&amp;gt; G[&quot;Extra ML-KEM route: decryption-failure attack&quot;]
&lt;p&gt;To see why ML-DSA&apos;s forgery route is separate, you need its signing template.&lt;/p&gt;

ML-DSA&apos;s signature method. It builds a signature the Fiat-Shamir way -- commit, hash the message to derive a challenge, respond -- but then *rejection-samples*: any candidate signature whose distribution would leak information about the secret key is thrown away (&quot;abort&quot;) and the signer retries. The published signatures are therefore distributed independently of the signing key, so the only structural way to forge is to solve the underlying short-vector problem directly.
&lt;p&gt;Vadim Lyubashevsky introduced the &quot;with aborts&quot; idea in 2009 [@lyubashevsky-fswa-2009] and made it a trapdoor-free lattice signature in 2012 [@lyubashevsky-sigs-2012]; ML-DSA is its standardized descendant [@dilithium-2018] [@pq-crystals-dilithium]. The rejection step is why forging ML-DSA reduces to a specific hard problem, called SelfTargetMSIS, rather than to &quot;study enough signatures until the key leaks.&quot; That closed door matters, because it was wide open in an earlier generation.&lt;/p&gt;

The post-quantum standards include a second lattice signature, FN-DSA (Falcon), and it is built on a completely different spine: not Fiat-Shamir with aborts, but the GPV &quot;hash-and-sign&quot; framework over NTRU lattices, using fast-Fourier Gaussian sampling [@falcon-spec] [@gpv-2008]. The contrast is instructive. The naive version of hash-and-sign -- signing by rounding with a secret basis, as in NTRUSign -- leaks that basis a little with every signature, and Nguyen and Regev showed in 2006 that collecting enough transcripts recovers the key outright [@nguyen-regev-2006]. The perturbation countermeasures meant to plug the leak were themselves broken in 2012 [@ducas-nguyen-2012]. Falcon survives because GPV sampling is *provably* independent of the basis. ML-DSA reaches the same &quot;signatures reveal nothing about the key&quot; guarantee by a different road -- rejection sampling instead of Gaussian sampling. Two lattice signatures, two spines, two distinct break surfaces: a reminder that &quot;lattice-based&quot; is not one thing.
&lt;p&gt;Correlated failure only bites if the shared foundation can actually be eroded. So how does anyone measure how close an attack is to succeeding? The answer is a single number -- and it is emphatically not a proof.&lt;/p&gt;
&lt;h2&gt;5. The Ruler: How the Margin Is Measured&lt;/h2&gt;
&lt;p&gt;Here is the uncomfortable truth behind every &quot;128-bit security&quot; claim you have ever read about these schemes: there is no proof of it. There is a &lt;em&gt;measurement&lt;/em&gt;, taken with a model that the people who built it will happily tell you is simplified and conservative. To understand how ML-KEM and ML-DSA would break, you have to meet the ruler that says how strong they are today.&lt;/p&gt;
&lt;p&gt;The best known attacks all reduce to lattice reduction, and the workhorse is BKZ, the block-wise reduction introduced by Schnorr and Euchner in 1994 [@bkz-1994].&lt;/p&gt;

Block Korkine-Zolotarev reduction improves a lattice basis by repeatedly calling a subroutine -- an &quot;SVP oracle&quot; -- that solves the shortest-vector problem exactly inside projected blocks of $\beta$ consecutive basis vectors. A larger block size $\beta$ produces shorter vectors and can break harder instances, but the oracle&apos;s cost grows sharply with $\beta$. Concrete security is quoted as &quot;the block size $\beta$ that BKZ must reach to solve this instance.&quot;
&lt;p&gt;The whole security estimate then collapses onto the cost of one oracle call. The cheapest known way to run that oracle is lattice sieving, and in 2016 Becker, Ducas, Gama, and Laarhoven pinned its cost: a sieve solves SVP in a block of size $\beta$ in time $2^{0.292\beta + o(\beta)}$ using $2^{0.208\beta}$ memory [@bdgl16-sieving]. That exponent, $0.292$, is one of the most consequential constants in modern cryptography. The conservative way to price a whole attack is to charge for just that single most expensive call and ignore everything else.&lt;/p&gt;

The deliberately pessimistic (for the defender) cost model that prices an entire lattice attack at the cost of one SVP-oracle call at the required block size: $2^{0.292\beta}$ classical, $2^{0.265\beta}$ quantum. It ignores the many other operations a real attack needs, the cost of memory, and any structure the ring might offer. Because it charges the attacker so little, a scheme that looks secure under core-SVP has margin to spare -- but the number is a modeling choice, not a theorem.
&lt;p&gt;The model originated with the NewHope proposal in 2016 [@newhope-2016]. It was operationalized by the LWE estimator of Albrecht, Player, and Scott, which turns a parameter set into a predicted block size and bit-cost [@aps-estimator-2015]; its maintained successor is the tool NIST parameters are checked against [@lattice-estimator-tool].The estimator is open source. Anyone can install it and re-read the ruler for any parameter set -- which is exactly why the margin is a public, moving number rather than a vendor secret. You can feel the ruler directly: the bit-cost is just the exponent, so a block size and a constant are all you need.&lt;/p&gt;
&lt;p&gt;{`
// Core-SVP prices an attack at ONE sieve-oracle call at block size beta.
// The base-2 log of the cost is simply constant * beta, so the exponent
// IS the bit-security number. No astronomically large integers needed.
const bits = (constant, beta) =&amp;gt; (constant * beta).toFixed(1);&lt;/p&gt;
&lt;p&gt;const beta = 406;                       // ML-KEM-512&apos;s required block size
console.log(&quot;ML-KEM-512, beta =&quot;, beta);
console.log(&quot;classical core-SVP  0.292&lt;em&gt;beta =&quot;, bits(0.292, beta), &quot;bits&quot;);
console.log(&quot;quantum   core-SVP  0.265&lt;/em&gt;beta =&quot;, bits(0.265, beta), &quot;bits&quot;);
console.log(&quot;refined quantum sieve 0.2570   =&quot;, bits(0.2570, beta), &quot;bits&quot;);&lt;/p&gt;
&lt;p&gt;// Now watch the ruler SLIP. Shave the classical constant a hair, from 0.292
// to 0.280 -- the kind of change a better sieve could deliver -- and see how
// many bits of &quot;security&quot; evaporate from the same, unchanged lattice.
console.log(&quot;if the constant drops to 0.280:&quot;, bits(0.280, beta), &quot;bits&quot;);
console.log(&quot;bits lost from a 0.012 change  =&quot;, (bits(0.292,beta) - bits(0.280,beta)).toFixed(1));
`}&lt;/p&gt;
&lt;p&gt;Run it and the classical figure lands near $2^{118}$ -- the pure core-SVP number for ML-KEM-512. Now notice what the last two lines show: nudging the exponent constant by twelve thousandths erases almost five bits from an &lt;em&gt;unchanged&lt;/em&gt; lattice. The ruler is not carved in stone. Its markings move whenever someone finds a better sieve. That is the entire thesis in one code block.&lt;/p&gt;
&lt;p&gt;And the disagreement is not hypothetical. The &lt;em&gt;same&lt;/em&gt; ML-KEM-512 lattice reads wildly differently depending on which model you trust.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Cost model for ML-KEM-512&lt;/th&gt;
&lt;th&gt;Reads as&lt;/th&gt;
&lt;th&gt;What it actually counts&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Pure core-SVP&lt;/td&gt;
&lt;td&gt;about $2^{118}$&lt;/td&gt;
&lt;td&gt;one sieve-oracle call, $2^{0.292\beta}$ at $\beta \approx 406$ [@lattice-estimator-tool]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Estimator default (ring operations)&lt;/td&gt;
&lt;td&gt;about $2^{143.8}$&lt;/td&gt;
&lt;td&gt;ring operations across the whole attack, not just one call&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST gate model&lt;/td&gt;
&lt;td&gt;$2^{135}$ to $2^{165}$&lt;/td&gt;
&lt;td&gt;logical gates with the cost of memory access priced in&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;One lattice. Three models. Tens of bits apart. NIST&apos;s own Kyber-512 analysis concedes the spread openly, estimating that the real gate count &quot;would range from $2^{135}$ to $2^{165}$&quot; depending on how you model memory [@nist-kyber512-faq]. That range is not a rounding error; it is the margin the thesis says is slipping, written down as a live interval by the standardizer itself.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The break is not a bang; it is a ruler slipping. There is no proof behind &quot;128-bit security&quot; for these schemes -- only a measurement, on a conservative and openly debated model whose defining property is that it moves. The likely break is not an event you watch happen. It is an erosion that has already begun, on a spreadsheet.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That reframes the entire question the article opened with. We were looking for the dramatic moment a scheme &quot;cracks.&quot; There may never be one. There is a number, and it drifts.&lt;/p&gt;
&lt;p&gt;The debate over how to read the ruler is public and pointed. Daniel Bernstein has argued that NIST&apos;s Kyber-512 accounting mixes up its arithmetic.&lt;/p&gt;

&quot;NIST&apos;s primary error ... boils down to nonsensically multiplying two costs that should have been added.&quot; -- Daniel J. Bernstein, on the Kyber-512 gate-count dispute

The dispute is a case study in &quot;the margin is a model, not a fact.&quot; Bernstein contends that NIST&apos;s security accounting for Kyber-512 multiplies factors that should be summed, inflating the estimate and papering over how thin the Category 1 margin is [@bernstein-kyber512-2023]. NIST&apos;s Kyber-512 FAQ defends the choice and retains the parameter set at Category 1, publishing the $2^{135}$ to $2^{165}$ range as its honest uncertainty [@nist-kyber512-faq]. The design team&apos;s own conservative reading put Kyber-768 at roughly AES-192 strength and described the margins as holding &quot;under a very conservative analysis&quot; [@pq-crystals-kyber]. You do not have to adjudicate the fight to take the point: the people who build and standardize these schemes disagree, in print, about how many bits of security the smallest parameter set actually has. That disagreement *is* the ruler.
&lt;p&gt;One precaution before we watch the ruler move, because two different quantities share the same number.The sieving exponent $2^{0.292n}$ describes the cost of sieving in the full sieve dimension $n$; the core-SVP figure $2^{0.292\beta}$ describes one oracle call in a block of size $\beta$. They share the constant $0.292$ because both are sieving, but they measure different objects. Conflating them is a classic way to misread the ruler by hundreds of bits. Sieving is not the only oracle, either: the older approach, enumeration, runs in time $2^{\Theta(\beta \log \beta)}$ with only polynomial memory [@bkz2-chen-nguyen-2011]. Sieving wins on time at cryptographic block sizes, which is why the standards are set against it -- but the &quot;best&quot; oracle is itself a moving research target, another reason the ruler is provisional.&lt;/p&gt;
&lt;p&gt;Concretely, the trusted way to read the ruler is the primal attack.&lt;/p&gt;

flowchart TD
    A[&quot;Public key: a Module-LWE sample&quot;] --&amp;gt; B[&quot;Embed it into a lattice whose shortest vector encodes the secret&quot;]
    B --&amp;gt; C[&quot;Run BKZ with block size beta&quot;]
    C --&amp;gt; D[&quot;Each step calls the sieve SVP oracle, cost 2 to the 0.292 beta&quot;]
    D --&amp;gt; E[&quot;At large enough beta, the short secret vector appears&quot;]
    E --&amp;gt; F[&quot;Recover the secret: decryption key or signing key&quot;]
&lt;p&gt;The primal attack embeds the public key into a lattice engineered so its shortest vector &lt;em&gt;is&lt;/em&gt; the secret, then reduces until that vector surfaces [@aps-estimator-2015]. It is the binding constraint -- the number NIST fixes parameters against -- because it relies on no fragile statistical distinguisher, only on reaching the block size. A ruler that is a debated model rather than a proof has one defining property: it moves. And it has moved before.&lt;/p&gt;
&lt;h2&gt;6. The Likely Break: Erosion&lt;/h2&gt;
&lt;p&gt;The break already had a rehearsal. In 2022 a research unit of the Israeli Defense Forces known as MATZOV published an improved dual lattice attack and reported that it shaved measurable margin off the very schemes NIST was about to standardize [@matzov-2022]. No scheme collapsed. No key was recovered. A number moved on a spreadsheet -- and that is exactly what the likely break looks like.&lt;/p&gt;

&quot;Combining these improvements considerably reduces the security levels of Kyber, Saber and Dilithium ... bringing them below the thresholds defined by NIST.&quot; -- MATZOV, Report on the Security of LWE, 2022
&lt;p&gt;Read that quote against the thesis. One attack, aimed at the shared Module-LWE spine, moved &lt;em&gt;both&lt;/em&gt; Kyber (now ML-KEM) [@kyber-2018] and Dilithium (now ML-DSA) at once. That is correlated failure in miniature: not a metaphor, a measurement. And it moved them by &lt;em&gt;different&lt;/em&gt; amounts, because their parameters differ -- exactly the one-directional, unequal correlation Section 4 predicted.&lt;/p&gt;
&lt;p&gt;MATZOV was not a bolt from the blue. It was the latest step in a cryptanalysis lineage that has been quietly moving the ruler for forty years.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Advance&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Effect on the ruler&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;LLL basis reduction&lt;/td&gt;
&lt;td&gt;1982&lt;/td&gt;
&lt;td&gt;first efficient reduction; makes weak bases tractable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;BKZ with enumeration&lt;/td&gt;
&lt;td&gt;1990s-2011&lt;/td&gt;
&lt;td&gt;block reduction; oracle cost $2^{\Theta(\beta \log \beta)}$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lattice sieving (BDGL16)&lt;/td&gt;
&lt;td&gt;2016&lt;/td&gt;
&lt;td&gt;cheaper oracle, $2^{0.292\beta}$ -- the modern classical constant&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Improved dual attack (MATZOV)&lt;/td&gt;
&lt;td&gt;2022&lt;/td&gt;
&lt;td&gt;dual sieving plus an FFT distinguisher; thins Kyber-512 below a clean 128&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Each row lowered the block size an attacker needs, or the cost per block -- which is the same thing as lowering the bit-security the ruler reports. None of them &quot;broke&quot; anything. All of them moved the number.&lt;/p&gt;
&lt;p&gt;But honesty about erosion cuts both ways, and the MATZOV figure is itself contested. In 2023, Ducas and Pulles examined the dual-attack family and found its success-probability heuristics internally inconsistent in some regimes -- a &quot;waterfall-floor&quot; behavior in which the predicted advantage is, in their words, presumably significantly overestimated [@ducas-pulles-2023].&lt;/p&gt;
&lt;p&gt;So the &lt;em&gt;precedent&lt;/em&gt; is solid: dual attacks improved and the estimates dropped. The &lt;em&gt;exact magnitude&lt;/em&gt; of the drop is a live, disputed number. This is why any specific bit-count in this debate must name its model and source -- and why &quot;the margin is a moving estimate&quot; is more accurate than any single figure.&lt;/p&gt;

The dual attack does not look for the short secret directly. It works in the *dual* lattice: it guesses part of the secret, then uses short vectors of the dual lattice as a statistical distinguisher -- run through a fast Fourier transform over the guessed coordinates -- to test whether the guess was right. MATZOV&apos;s contribution was a faster way to produce those dual vectors (dual sieving) and a sharper distinguisher [@matzov-2022]. The catch Ducas and Pulles identified is that the standard heuristic for the distinguisher&apos;s success probability is internally inconsistent: in some regimes it predicts a probability that a more careful analysis contradicts, producing the tell-tale &quot;waterfall-floor&quot; curve, so the claimed advantage is likely overstated [@ducas-pulles-2023]. This is why the *direction* of the erosion is trusted but the *magnitude* is not, and why the primal attack -- which has no such fragile distinguisher -- remains the number parameters are actually fixed against.
&lt;p&gt;There is also a large, reassuring gap between the theory and what anyone can actually do.The primal attack on ML-KEM-512 needs a block size of about $\beta \approx 406$ [@lattice-estimator-tool]. The public record for a solved shortest-vector challenge, tracked on the SVP Challenge Hall of Fame, stands near dimension 210 [@svp-challenge]. The distance between &quot;the block size the ruler says you need&quot; and &quot;the block size anyone has ever reached&quot; is the practical safety margin -- and it is enormous. The reference sieving implementations that hold those records are highly optimized and public [@g6k-2019], which makes the record a meaningful ceiling rather than a guess. Erosion is real, but the frontier of the &lt;em&gt;achievable&lt;/em&gt; is far below the frontier of the &lt;em&gt;estimated&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;The key-encapsulation mechanism carries one more erosion axis of its own, and it is purely structural -- a property of the parameters, not of any particular program. ML-KEM&apos;s decryption is not guaranteed to succeed: there is a tiny probability that Module-LWE noise plus the rounding in ciphertext compression pushes a coordinate across a decoding boundary, and the recovered key is wrong.&lt;/p&gt;
&lt;p&gt;The design fixes this by parameter choice. The round-3 Kyber specification targets decryption-failure probabilities of $\delta = 2^{-139}$, $2^{-164}$, and $2^{-174}$ for the three levels -- all comfortably below $2^{-128}$ -- and the modulus $q = 3329$ was chosen partly to keep that probability negligible [@kyber-round3-spec].&lt;/p&gt;
&lt;p&gt;Why does this matter for a &lt;em&gt;break&lt;/em&gt;? Because decryption failures leak. D&apos;Anvers, Guo, and collaborators showed that observed failures can be turned into full secret-key recovery [@danvers-guo-2019]; &quot;failure boosting&quot; uses precomputation to hunt for failure-inducing ciphertexts [@danvers-vv-2019]; failures cluster, so one found failure makes the next more likely [@bindel-schanck-2020]; and &quot;directional&quot; boosting exploits that clustering, so the cost is dominated by finding the &lt;em&gt;first&lt;/em&gt; failure [@danvers-rossi-virdia-2020].&lt;/p&gt;
&lt;p&gt;It is a genuine structural attack surface -- and at the standardized parameters it is closed, because those same analyses find the required number of oracle queries sits above any practical limit thanks to the conservative $\delta$ [@danvers-vv-2019]. It is the mirror image of ML-DSA&apos;s extra forgery route: real, scheme-specific, and neutralized by the parameter margin, not by luck.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Concrete security for ML-KEM and ML-DSA is a measurement that erodes, not a lock that snaps. The realistic failure mode is the estimator reading a few bits lower after the next reduction paper, not a morning when the schemes stop working. This is why crypto-agility matters more than any single parameter choice, and why &quot;watch the estimator, not the headlines&quot; is the operative advice.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That insight organizes the rest of the threat surface. Erosion is the likely route; two tail risks would not be gradual at all.&lt;/p&gt;

flowchart TD
    A[&quot;How Module-LWE would break&quot;] --&amp;gt; B[&quot;Erosion: better lattice reduction (LIKELY)&quot;]
    A --&amp;gt; C[&quot;Quantum: a Shor for lattices (FEARED)&quot;]
    A --&amp;gt; D[&quot;Ring: cyclotomic structural attack (WILDCARD)&quot;]
    B --&amp;gt; B2[&quot;Gradual: the ruler slips a few bits at a time&quot;]
    C --&amp;gt; C2[&quot;Sudden and total, but so far unrealized&quot;]
    D --&amp;gt; D2[&quot;Sudden and total, low probability, high impact&quot;]
&lt;p&gt;One boundary marker before we go on. None of this section is about KyberSlash. That family of timing and division side channels is an &lt;em&gt;implementation&lt;/em&gt; leak -- a bug in how a particular program computes, not a weakness in the mathematics -- and it belongs to the empirical sibling, &quot;How ML-KEM Breaks in Real Life.&quot; Erosion is the likely structural break. Take the quantum tail risk next, because it is the one everyone fears.&lt;/p&gt;
&lt;h2&gt;7. The Quantum Axis: Feared, Not Realized&lt;/h2&gt;
&lt;p&gt;The nightmare has a name -- &quot;a Shor for lattices&quot; -- and for about a week in April 2024 it looked like it had arrived. Yilei Chen posted a claimed polynomial-time quantum algorithm for LWE [@chen-2024-retracted]. Had it held, it would have implied a quantum polynomial-time solver for standard lattice problems within an approximation factor of $\tilde{\Omega}(n^{4.5})$ -- close enough to matter, and built on genuinely new machinery: a complex-Gaussian construction its author called a &quot;Karst wave,&quot; driven through a windowed quantum Fourier transform. For a few days the post-quantum transition held its breath.&lt;/p&gt;
&lt;p&gt;Then it broke -- the claim, not the schemes. Within days, Hongxun Wu and Thomas Vidick identified a fatal error in Step 9, and Chen retracted the result himself.&lt;/p&gt;

&quot;Step 9 of the algorithm contains a bug, which I don&apos;t know how to fix ... the claim of showing a polynomial time quantum algorithm for solving LWE ... does not hold.&quot; -- Yilei Chen, retraction note, 2024
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The Chen algorithm is not a live threat and must not be cited as one. It is the single most important recent data point about the &lt;em&gt;absence&lt;/em&gt; of a quantum lattice break: the best attempt by a strong cryptographer, using new tools, failed at one step. That is evidence of difficulty, not of imminent collapse.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Set the fear against what quantum computers actually buy against lattices, which is modest. Quantum &lt;em&gt;sieving&lt;/em&gt; speeds up the SVP oracle from $2^{0.292\beta}$ to about $2^{0.265\beta}$, later refined to roughly $2^{0.2570\beta}$ [@chailloux-loyer-2021]. That is a discount on the exponent, not a change in kind -- and it assumes cheap, large-scale quantum RAM that does not exist. It shaves bits; it does not collapse the problem. The refined quantum constant is why the higher parameter sets keep a comfortable margin even against an idealized quantum sieve.&lt;/p&gt;
&lt;p&gt;Why does the big speedup keep not arriving? Because the structure Shor exploits is simply not present.&lt;/p&gt;

Shor&apos;s algorithm breaks RSA and elliptic curves by solving a hidden-subgroup problem over a *commutative* (abelian) group: it finds a hidden period using the quantum Fourier transform, and periodicity is the whole game. Lattice problems do not present that structure. The shortest-vector problem is about geometry -- distances in a grid -- not about a hidden arithmetic period a Fourier transform can extract. The one explicit bridge anyone has built from lattices to a hidden-subgroup problem, due to Regev in 2002, lands on the *dihedral* group, which is non-commutative and which Shor&apos;s period-finding machinery does not solve [@regev-quantum-2002]. So even the closest structural connection leads to a door Shor cannot open. This is the direct hand-off from the previous part in this series, &quot;How Q-Day Breaks Everything&quot;: lattices were chosen precisely because Shor&apos;s specific trick has nothing to grab. As Chris Peikert&apos;s field survey puts it, generic and relatively modest quantum speedups are the only known quantum advantage against these problems [@peikert-decade-2016].
&lt;p&gt;That leaves only Grover&apos;s algorithm, and it is not a structural break at all.Wu and Vidick found the Step-9 bug in Chen&apos;s algorithm independently and within days, which is itself a sign of how carefully the community watches this line of work. Separately, Grover&apos;s algorithm offers a generic square-root speedup on brute-force key search -- effectively halving the security level in the exponent -- which the standards simply absorb by choosing larger parameters. It is named once and set aside, because it applies to every cryptosystem equally and exploits nothing about lattices. Grover turns a $2^{n}$ search into a $2^{n/2}$ one; the parameter sets are sized so that even after that discount the key-search cost stays out of reach. It is a reason the numbers are what they are, not a route to a break.&lt;/p&gt;
&lt;p&gt;Quantum is the feared route that keeps not arriving. The other tail risk is quieter, older, and the one the ruler literally cannot price: the algebra of the ring itself.&lt;/p&gt;
&lt;h2&gt;8. The Wildcard: The Cyclotomic Ring&lt;/h2&gt;
&lt;p&gt;The core-SVP ruler measures one thing: how hard it is to find a short vector by generic lattice reduction. It does not measure whether the &lt;em&gt;algebra&lt;/em&gt; of the ring offers a shortcut that reduction never sees. That unpriced surface is the wildcard, and intellectual honesty demands steelmanning the people who worry about it, because they have been right before.&lt;/p&gt;
&lt;p&gt;Ring structure has been cashed in for real attacks. In 2016, Cramer, Ducas, Peikert, and Regev showed a quantum polynomial-time (classically sub-exponential) algorithm that recovers short generators of principal ideals in cyclotomic fields -- a structural shortcut that plain lattice reduction does not find [@cdpr-2016]. The same year, Albrecht, Bai, and Ducas broke &quot;overstretched&quot; NTRU by projecting the problem into a subfield, exploiting ring structure that appears when the modulus is very large [@albrecht-bai-ducas-2016].&lt;/p&gt;
&lt;p&gt;Neither attack touches ML-KEM or ML-DSA at their standardized parameters -- the first needs principal ideals with unusually short generators, the second a modulus far larger than the standards use -- but both prove the general point: structure is not free, and sometimes the attacker gets to spend it. This is why Daniel Bernstein and the NTRU Prime team argue the cyclotomic choice is an under-appreciated risk and deliberately avoid the most structured rings in their own designs [@bernstein-kyber512-2023].&lt;/p&gt;
&lt;p&gt;Now the counterweight, weighed just as fairly. First, Module-LWE was chosen partly to dilute exactly this risk: spreading the problem across a rank-$k$ module reduces the single-ring symmetry an algebraic attack would exploit. Second, at the standardized parameters, no known algebraic attack beats generic sieving -- the ideal and subfield attacks live in regimes the standards specifically avoid.&lt;/p&gt;
&lt;p&gt;Third, and most concretely, the newest analysis points the &lt;em&gt;other&lt;/em&gt; way. In 2025, Ducas, Engelberts, and de Perthuis studied module-lattice reduction directly and found that for the power-of-two cyclotomic ring -- exactly the ring ML-KEM and ML-DSA use -- the module structure gives the attacker no free reduction in block size [@ducas-mbkz-2025]. If anything it costs a little: their module-BKZ prediction needs a block size larger by roughly $(d-1)$. The ring the standards chose is, by this measure, a slight &lt;em&gt;disadvantage&lt;/em&gt; to the attacker, not a gift.&lt;/p&gt;
&lt;p&gt;The power-of-two choice is deliberate and load-bearing. Bernstein&apos;s NTRU Prime avoids power-of-two cyclotomics on principle, precisely because &lt;em&gt;other&lt;/em&gt; cyclotomic fields carry more exploitable algebra. And the 2025 module-reduction analysis finds that non-power-of-two cyclotomic fields can yield a sub-exponential module-BKZ gain, whereas the power-of-two ring yields none [@ducas-mbkz-2025]. The standards picked the ring that gives the attacker the least algebraic help, not the most.&lt;/p&gt;
&lt;p&gt;Put the three routes on one page and the wildcard sits where it belongs.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Route&lt;/th&gt;
&lt;th&gt;Likelihood&lt;/th&gt;
&lt;th&gt;Impact&lt;/th&gt;
&lt;th&gt;Best evidence it is real&lt;/th&gt;
&lt;th&gt;Counterweight&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Erosion (better reduction)&lt;/td&gt;
&lt;td&gt;Likely&lt;/td&gt;
&lt;td&gt;Gradual, partial&lt;/td&gt;
&lt;td&gt;MATZOV 2022 moved the published margin&lt;/td&gt;
&lt;td&gt;Huge gap: $\beta \approx 406$ needed vs SVP record near 210 [@lattice-estimator-tool] [@svp-challenge]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Quantum (a Shor for lattices)&lt;/td&gt;
&lt;td&gt;Feared&lt;/td&gt;
&lt;td&gt;Sudden, total&lt;/td&gt;
&lt;td&gt;Chen 2024 attempt using new machinery&lt;/td&gt;
&lt;td&gt;Retracted in days; quantum sieve is only a modest discount&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ring (cyclotomic structure)&lt;/td&gt;
&lt;td&gt;Wildcard&lt;/td&gt;
&lt;td&gt;Sudden, total&lt;/td&gt;
&lt;td&gt;Ideal and subfield attacks on adjacent variants&lt;/td&gt;
&lt;td&gt;Diluted by modules; no free block-size at power-of-two (2025)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The honest reading of that table is not &quot;relax.&quot; It is &quot;the two catastrophic routes are unrealized and actively fenced off, while the likely route is gradual and observable.&quot; That asymmetry is the entire risk posture of lattice cryptography.&lt;/p&gt;
&lt;p&gt;NIST reads it the same way, and hedged accordingly. In March 2025 it selected the code-based key-encapsulation mechanism HQC as a backup to ML-KEM [@nist-hqc-announcement], explicitly as insurance against a systemic weakness in lattices [@nist-ir-8545]. That is not a vote of no confidence in ML-KEM; it is a standardizer refusing to make the entire post-quantum transition depend on a single hard problem.&lt;/p&gt;

If a lattice break is the fear, the answer is not to abandon lattices -- it is to keep a non-lattice fallback ready. NIST&apos;s portfolio is built for exactly this [@nist-pqc-project]. The hash-based signature SLH-DSA (FIPS 205) rests only on the security of hash functions, an assumption entirely disjoint from lattices [@fips-205]. The code-based HQC rests on the hardness of decoding random linear codes [@nist-ir-8545]. For the ring worry specifically, one can move down Section 3&apos;s spectrum toward unstructured LWE, paying the full efficiency price to remove ring structure entirely, or choose a non-power-of-two ring as NTRU Prime does [@bernstein-kyber512-2023]. Each option trades performance or key size for independence from the lattice-and-ring assumptions. That is what a hedge costs.
&lt;p&gt;The ring wildcard is low-probability, high-impact -- and honestly labeled as such. But naming it forces a deeper and more uncomfortable question. How much of any of this is actually &lt;em&gt;proven&lt;/em&gt;?&lt;/p&gt;
&lt;h2&gt;9. What Is Actually Proven&lt;/h2&gt;
&lt;p&gt;Here is the honest accounting, and it is more humbling than the marketing suggests. Lattice hardness is &lt;em&gt;unproven&lt;/em&gt; -- and, in a precise sense, it cannot be proven to the standard people quietly assume it meets.&lt;/p&gt;
&lt;p&gt;Start with the ceiling. The approximate shortest-vector problem relevant to cryptography -- GapSVP with an approximation factor around $\sqrt{n}$ -- was shown by Aharonov and Regev in 2005 to lie in $\mathrm{NP} \cap \mathrm{coNP}$ [@aharonov-regev-2005]. That single fact has a large consequence: a problem in $\mathrm{NP} \cap \mathrm{coNP}$ is very unlikely to be NP-hard, because if it were, the polynomial hierarchy would collapse. So lattice cryptography can &lt;em&gt;never&lt;/em&gt; be founded on NP-completeness. The dream of &quot;as hard as the hardest problems in NP&quot; is off the table by a theorem.&lt;/p&gt;
&lt;p&gt;The flip side is just as sobering: a genuine &lt;em&gt;proof&lt;/em&gt; that these problems are hard would prove $\mathrm{P} \neq \mathrm{NP}$ and settle the biggest open question in computer science. Nobody expects that proof. Security rests on the &lt;em&gt;failure of decades of effort&lt;/em&gt; to find an efficient algorithm, not on a lower bound.&lt;/p&gt;
&lt;p&gt;Then there are the reductions everyone points to -- Ajtai&apos;s, Regev&apos;s, Langlois and Stehle&apos;s. They are real and they are beautiful, but read their quantifiers carefully.&lt;/p&gt;

An *asymptotic* hardness result says a problem is hard &quot;for all large enough $n$,&quot; with unspecified constants. A *concrete* security claim says a specific instance -- $n = 256$, $q = 3329$ -- costs a specific number of operations to break. The worst-case-to-average-case reductions for lattices are asymptotic. They guarantee that *some* sufficiently large parameter is hard; they do not pin the bit-security of the exact parameters a standard ships.
&lt;p&gt;This is the gap the ruler papers over, and it has two halves. First, the reductions are asymptotic: they never certify $n = 256$ specifically, so the concrete strength of the standardized parameters is an estimate, not a corollary.&lt;/p&gt;
&lt;p&gt;Second, even the &lt;em&gt;estimate&lt;/em&gt; trusts a heuristic. The provable cost of solving SVP is around $2^{n}$, but concrete security is quoted using the heuristic sieving cost $2^{0.292n}$ that the estimator actually runs [@bdgl16-sieving]. The number protecting your data is the smaller, unproven one. Both halves point the same way: concrete lattice security is a carefully argued &lt;em&gt;belief&lt;/em&gt;, propped up by a conservative model, not a theorem.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; This is the same epistemic position RSA has always occupied -- on a younger assumption. RSA&apos;s security was never proven either; it rests on the enduring failure to factor efficiently. Lattice security rests on the enduring failure to reduce lattices efficiently. The difference is only age and exposure: factoring has been hammered for decades longer than Module-LWE has existed. &quot;Believed hard, and watched closely&quot; is the honest label for both.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That reframing turns the open problems from anxieties into a research agenda, and they are worth stating as the questions they are. Is there a large quantum speedup for lattices -- a working version of what Chen 2024 reached for? Is the cyclotomic ring structure exploitable at cryptographic sizes, or does the power-of-two choice hold? And how tight is the core-SVP model really -- what is the true cost of one sieve call, once memory and data movement are honestly priced? Each of these is being worked on in the open, and the answer to each moves the ruler.&lt;/p&gt;
&lt;p&gt;None of this means ML-KEM and ML-DSA are weak. It means their strength is a measured, moving, human judgment rather than a settled fact -- which is exactly why what you do with them on Monday matters.&lt;/p&gt;
&lt;h2&gt;10. What to Do on Monday&lt;/h2&gt;
&lt;p&gt;If the ruler moves, engineering to a single fixed number is the wrong instinct. Engineer for headroom, and engineer for change. Five moves follow directly from everything above.&lt;/p&gt;
&lt;p&gt;Prefer the higher parameter set for anything long-lived. ML-KEM offers levels 512, 768, and 1024; ML-DSA offers a matching ladder up to ML-DSA-87 [@fips-203] [@fips-204]. The smallest set, Kyber-512, is where the margin debate is sharpest, so for data that must stay secret for a decade, choose ML-KEM-1024 and the high ML-DSA level and buy yourself bits the estimator cannot easily erase. Even the design team&apos;s conservative reading places the middle set, Kyber-768, near AES-192 and treats it as the sensible default [@pq-crystals-kyber].&lt;/p&gt;
&lt;p&gt;Deploy in &lt;a href=&quot;https://paragmali.com/blog/q-day-has-not-happened-the-incident-already-has-harvest-now-/&quot; rel=&quot;noopener&quot;&gt;hybrid&lt;/a&gt;. Run the post-quantum key exchange alongside a classical one (X25519 or a P-curve) and combine both secrets, so a break of the lattice problem is not a single point of failure -- the classical layer still stands, and vice versa. This is the mainstream transition posture for exactly the reason this article gives: correlated failure across the lattice standards means a lattice break is systemic, and a non-lattice layer is the cheapest insurance against it.&lt;/p&gt;
&lt;p&gt;Build crypto-agility. The lesson of the moving ruler is that today&apos;s parameters are a snapshot. Architect so that swapping a parameter set -- or an entire algorithm -- is a configuration change, not a rewrite. The sibling articles on &lt;a href=&quot;https://paragmali.com/blog/you-cannot-rotate-what-you-cannot-see-crypto-agility-and-the/&quot; rel=&quot;noopener&quot;&gt;crypto-agility&lt;/a&gt; and &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;the post-quantum toolkit&lt;/a&gt; go deeper here; the one-line version is that agility is the property that lets you re-read the ruler and act on it.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; 1. For long-lived secrets, default to ML-KEM-1024 and ML-DSA-87; reserve the smaller sets for ephemeral or low-value data. 2. Deploy post-quantum key exchange in hybrid with a classical algorithm, never alone. 3. Make algorithm and parameter choices swappable in configuration -- build for the swap you will eventually make. 4. Watch the lattice estimator and the cryptanalysis literature, not the headlines; the real signal is a few bits moving, not a dramatic announcement. 5. Keep a non-lattice backstop in your portfolio -- SLH-DSA for signatures, HQC for key encapsulation -- so a systemic lattice result is a migration, not a crisis [@fips-205] [@nist-ir-8545].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Watch the estimator, not the headlines. The break, if it comes the likely way, will show up first as a revised number in a tool most people never look at. The teams that will migrate calmly are the ones already tracking that number.&lt;/p&gt;
&lt;p&gt;These are not the moves of a field in crisis. They are the moves of a field that has learned to live with a believed-hard problem, and to read its ruler honestly.&lt;/p&gt;
&lt;h2&gt;11. Frequently Asked Questions, and a Closing Thought&lt;/h2&gt;


No. At the standardized parameters, no public attack recovers a key or forges a signature. What is happening is measurement, not breakage: cryptanalysts refine the estimated cost of the best attacks, and the numbers drift. The 2022 MATZOV result thinned the estimated margin of the smallest Kyber set, but even its magnitude is contested, and the block size a real attack needs remains far beyond anything ever demonstrated [@matzov-2022] [@ducas-pulles-2023].


No, and that is the entire reason they were chosen. Shor&apos;s algorithm breaks RSA and elliptic curves by finding hidden periodic structure over a commutative group; lattice problems do not expose that structure, and the one explicit bridge to a hidden-subgroup problem lands on the non-commutative dihedral group that Shor&apos;s method does not solve [@regev-quantum-2002]. The only known quantum advantage against lattices is a modest speedup of the sieving oracle [@peikert-decade-2016].


Only in the weak, generic sense that it speeds up brute-force search everywhere. Grover turns a cost of $2^{n}$ into $2^{n/2}$, so it effectively halves the exponent of a key search -- a discount the parameter sizes already absorb. It exploits nothing specific to lattices and is not a structural break.


Both standards rest on Module-LWE, so a single lattice-reduction advance debits both at once -- that is the correlation. It is one-directional and unequal: the two schemes use different moduli and ranks, so the same advance erodes them by different amounts, and ML-DSA carries an extra forgery route through Module-SIS that ML-KEM does not share [@fips-204]. The key-encapsulation mechanism, in turn, has its own extra route through decryption failures [@danvers-guo-2019]. Shared spine, not identical schemes.


No. Security bits come from the cost of lattice reduction, not from a larger modulus, and *more* ring structure can *add* attack surface rather than remove it -- an overly large modulus is exactly what makes overstretched-NTRU breakable [@albrecht-bai-ducas-2016]. The standards chose the power-of-two cyclotomic ring because it gives the attacker the least algebraic help [@ducas-mbkz-2025], not because bigger is better.


No. KyberSlash is an implementation timing leak -- a flaw in how specific software computed, not in the mathematics of Module-LWE. It is real and it mattered, but it lives outside this article&apos;s structural scope. The empirical sibling, &quot;How ML-KEM Breaks in Real Life,&quot; covers that whole family of implementation attacks.


For long-lived data, prefer the higher parameter sets (ML-KEM-1024, a high ML-DSA level) [@fips-203] [@fips-204]. Deploy post-quantum key exchange in hybrid with a classical algorithm so a lattice break is not a single point of failure, build crypto-agility so you can swap parameters or algorithms as a configuration change, and keep a non-lattice backstop such as SLH-DSA or HQC in your portfolio [@fips-205] [@nist-ir-8545].

&lt;p&gt;So return to the question the celebrations skipped. If a quantum computer cannot break ML-KEM and ML-DSA the way it broke RSA, how &lt;em&gt;would&lt;/em&gt; they break? The answer, assembled piece by piece, is a single sentence: two standards, one lattice, one ruler. They share the Module-LWE spine, and their strength is not proven but measured, on a core-SVP ruler that the field argues about in the open. The likely break is that ruler slipping a few bits at a time as reduction improves -- and because both standards read the same ruler, one slip debits both at once.&lt;/p&gt;
&lt;p&gt;The evidence lines up behind that reading. Erosion is not hypothetical: MATZOV already moved the margin once, and the only debate is by how much. The feared quantum collapse remains unrealized -- the best attempt was retracted within days over a bug at Step 9. The structural wildcard, the algebra of the cyclotomic ring, is genuinely unpriced by the ruler, but the newest analysis finds the power-of-two ring gives the attacker no free reduction, and NIST hedged anyway by standardizing code-based HQC.&lt;/p&gt;
&lt;p&gt;The verdict is not &quot;broken.&quot; It is &quot;believed hard, conservatively measured, and watched closely&quot; -- the same position RSA has long occupied, on a much younger assumption.&lt;/p&gt;
&lt;p&gt;Which is why the honest way to end is not with a warning but with a recalibration. If the break comes the likely way, it will not be a morning when the internet stops working. It will be a line in a changelog -- a revised constant in a tool most people never open, moving the ruler a few bits and asking, quietly, whether it is time to turn the parameter dial again.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-ml-kem-and-ml-dsa-would-break&quot; keyTerms={[
  { term: &quot;Module-LWE&quot;, definition: &quot;The shared hard problem under both ML-KEM and ML-DSA: LWE over a rank-k module of a polynomial ring, the tuned middle ground between unstructured LWE and Ring-LWE.&quot; },
  { term: &quot;Module-SIS&quot;, definition: &quot;A short-collision problem over modules; ML-DSA&apos;s extra assumption for unforgeability, which ML-KEM does not carry.&quot; },
  { term: &quot;Core-SVP model&quot;, definition: &quot;The conservative cost model that prices a whole lattice attack at one sieve-oracle call: 2^(0.292 beta) classical, 2^(0.265 beta) quantum. A debated measurement, not a proof.&quot; },
  { term: &quot;Block size beta&quot;, definition: &quot;The BKZ parameter that sets how large a projected block the SVP oracle must solve; security is quoted as the beta an attack must reach.&quot; },
  { term: &quot;Correlated failure&quot;, definition: &quot;Because both standards read the same Module-LWE ruler, one reduction advance debits both at once; one-directional and unequal across the two schemes.&quot; },
  { term: &quot;Cyclotomic ring&quot;, definition: &quot;The ring Z_q[X]/(X^256+1) both standards use; its extra algebra is the unpriced wildcard attack surface, chosen as a power-of-two form to minimize the attacker&apos;s algebraic help.&quot; },
  { term: &quot;Fiat-Shamir with aborts&quot;, definition: &quot;ML-DSA&apos;s signing method: rejection-sample any transcript that would leak the key, so signatures are distributed independently of the signing key.&quot; },
  { term: &quot;Erosion&quot;, definition: &quot;The likely break: better lattice reduction lowers the estimated bit-security a few bits at a time, as MATZOV 2022 demonstrated in miniature.&quot; }
]} questions={[
  { q: &quot;Why does a single advance against Module-LWE threaten both ML-KEM and ML-DSA at once?&quot;, a: &quot;Each public key is essentially a Module-LWE sample, so both are read off the same core-SVP ruler; a reduction advance lowers both estimates, though by different amounts because their parameters differ.&quot; },
  { q: &quot;Why is core-SVP called a measurement rather than a proof?&quot;, a: &quot;It is a deliberately conservative cost model with debated constants; the same ML-KEM-512 lattice reads 2^118, 2^143.8, or 2^135 to 2^165 depending on the model, so the number moves as models and attacks improve.&quot; },
  { q: &quot;Why does Shor&apos;s algorithm not break lattice schemes?&quot;, a: &quot;Shor exploits hidden periodic structure over commutative groups; lattice problems expose no such period, and the one bridge to a hidden-subgroup problem lands on the non-commutative dihedral group Shor cannot solve.&quot; },
  { q: &quot;What happened with the Chen 2024 quantum LWE claim?&quot;, a: &quot;It claimed a polynomial-time quantum algorithm for LWE but was retracted within days over a fatal Step-9 bug identified by Wu and Vidick; it is the strongest recent evidence that no quantum lattice break exists yet.&quot; },
  { q: &quot;Why did the standards choose the power-of-two cyclotomic ring?&quot;, a: &quot;The 2025 module-reduction analysis finds it gives the attacker no free block-size reduction, whereas other cyclotomic fields can yield a sub-exponential gain; the module structure also dilutes the exploitable ring symmetry.&quot; },
  { q: &quot;In what precise sense is lattice hardness unproven?&quot;, a: &quot;Approximate SVP sits in NP intersect coNP, so it cannot be NP-hard, and the worst-case-to-average-case reductions are asymptotic; concrete security is a believed-hard judgment resting on a heuristic cost model, not a theorem.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>post-quantum-cryptography</category><category>ml-kem</category><category>ml-dsa</category><category>module-lwe</category><category>lattice-reduction</category><category>cryptanalysis</category><category>core-svp</category><category>fips-203</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>How RSA Would Break: Why Factoring Is the Slow Path and Coppersmith Is the Fast One</title><link>https://paragmali.com/blog/how-rsa-would-break-why-factoring-is-the-slow-path-and-coppe/</link><guid isPermaLink="true">https://paragmali.com/blog/how-rsa-would-break-why-factoring-is-the-slow-path-and-coppe/</guid><description>Everyone says you break RSA by factoring the modulus. That is the slowest path. A structural tour of the fast lane, the slow lane, and the quantum one.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
Most people picture an RSA break as someone factoring the modulus. That is the slowest, least-likely path there is: the best classical sieve methods (the quadratic sieve, then the General Number Field Sieve) are sub-exponential, and the record has crawled from 426-bit RSA-129 in 1994 to 829-bit RSA-250 in 2020, still a universe short of a 2048-bit key [@boudot-rsa250-2020]. The fast cracks never factor `N` at all. Coppersmith&apos;s lattice method, Wiener&apos;s small-`d` attack, and their relatives run in polynomial time, but only when a parameter or key-generation choice deviates from the ideal [@boneh-survey-1999]. Against a correctly generated RSA-2048 key with `e = 65537`, a full-size random `d`, and OAEP padding, every one of those preconditions is absent, so the fast lane has no applicable attack. The only structural attack that breaks a well-formed key is Shor&apos;s quantum algorithm, which as of 2026 waits on hardware that does not yet exist [@shor-siam-1997; @gidney-2025].
&lt;h2&gt;1. The break never comes through the front door&lt;/h2&gt;
&lt;p&gt;Ask a room of engineers how RSA breaks, and almost everyone reaches for the same answer: someone factors the modulus. They are describing the slowest, least-likely path there is. The attacks that actually work never touch &lt;code&gt;N&lt;/code&gt; at all, and the one attack that could break a flawlessly generated key has not been built yet, because it needs a computer that does not exist.&lt;/p&gt;
&lt;p&gt;That is the whole argument of this article, and it runs against the common intuition hard enough to be worth stating plainly. RSA&apos;s security is usually explained as &quot;factoring is hard, and your key is a big number nobody can factor.&quot; Both halves are true, and together they still point you at the wrong threat. Factoring your modulus is the one attack a bigger key genuinely slows down, which is exactly why it is the attack that will almost certainly never be the way your key falls.&lt;/p&gt;
&lt;p&gt;Here is the organizing lens for everything that follows: a &lt;strong&gt;two-speed map&lt;/strong&gt; with a third road. The &lt;em&gt;slow lane&lt;/em&gt; attacks the hardness assumption directly by factoring &lt;code&gt;N&lt;/code&gt;. It works on any key, needs no mistake on your part, and is asymptotically glacial.&lt;/p&gt;
&lt;p&gt;The &lt;em&gt;fast lane&lt;/em&gt; ignores &lt;code&gt;N&lt;/code&gt; entirely and attacks the &lt;em&gt;instantiation&lt;/em&gt;, the specific way this key and this message were built. It runs in polynomial time and is genuinely fast, but only when the parameters or the key generation leaked structure they should not have. And the &lt;em&gt;third road&lt;/em&gt;, Shor&apos;s quantum algorithm, reopens the front door itself by changing the machine you compute on, breaking even a perfect key, if and only if someone builds the hardware.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The front door of RSA is bolted, and it opens only at a crawl: factoring is the slow path, not the likely one. The fast cracks come through side windows that a well-generated key never leaves open. And the single attack that opens the front door itself is quantum, on a machine that has not been built.&lt;/p&gt;
&lt;/blockquote&gt;

flowchart TD
    A[&quot;Break RSA-2048&quot;] --&amp;gt; B[&quot;Slow lane: factor N directly&quot;]
    A --&amp;gt; C[&quot;Fast lane: attack the instantiation&quot;]
    A --&amp;gt; D[&quot;Third road: change the machine&quot;]
    B --&amp;gt; B1[&quot;GNFS, sub-exponential, glacial&quot;]
    C --&amp;gt; C1[&quot;Coppersmith, Wiener, polynomial&quot;]
    D --&amp;gt; D1[&quot;Shor, polynomial, needs a quantum computer&quot;]
    B1 --&amp;gt; E{&quot;Beats a correct key?&quot;}
    C1 --&amp;gt; E
    D1 --&amp;gt; E
    E --&amp;gt;|&quot;slow lane, not in practice&quot;| F[&quot;Correct key survives classically&quot;]
    E --&amp;gt;|&quot;fast lane, only with a defect&quot;| F
    E --&amp;gt;|&quot;third road, yes, on hardware that does not exist&quot;| G[&quot;The one real structural threat&quot;]
&lt;p&gt;One boundary before we begin, because it decides what counts as an answer. This is a &lt;em&gt;structural&lt;/em&gt; story about the mathematics of the algorithm itself. The attacks that steal real data most often never touch RSA&apos;s math at all; they break the implementation or the protocol around it. Here we stay inside the equations, where the only question is whether the numbers themselves give way.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This article analyzes cryptanalysis of RSA&apos;s own mathematics. Side channels, fault and power attacks, implementation bugs, weak random-number generators, key-generation library defects such as ROCA, padding oracles such as Bleichenbacher&apos;s, and protocol downgrades such as FREAK are all out of scope. They are how RSA breaks &lt;em&gt;in practice&lt;/em&gt;, and they are covered by the companion article. One exception that belongs to the math: Shor&apos;s quantum algorithm counts as a structural break and is in scope. Grover&apos;s algorithm, a generic search speedup, is only mentioned to mark the edge of the map.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;So if factoring is the slow path, what makes the fast one fast, and why does it never touch &lt;code&gt;N&lt;/code&gt;? To see that, start where RSA started: with a bet nobody could prove they would win.&lt;/p&gt;
&lt;h2&gt;2. A wager on a problem no one has proven hard&lt;/h2&gt;
&lt;p&gt;In 1977, three researchers at MIT, Ron Rivest, Adi Shamir, and Leonard Adleman, answered an open call. A year earlier, Whitfield Diffie and Martin Hellman had described what public-key cryptography should do without giving a concrete way to do it: a lock anyone can snap shut but only the keyholder can open [@diffie-hellman-1976]. Rivest, Shamir, and Adleman supplied the lock [@rivest-shamir-adleman-1978].&lt;/p&gt;
&lt;p&gt;That August, Martin Gardner&apos;s Mathematical Games column in &lt;em&gt;Scientific American&lt;/em&gt; handed it to the public as a dare: a 129-digit number to factor, a modest cash prize, and the confident promise that reading the encrypted message would take far longer than any reader would live to see [@gardner-1977; @atkins-rsa129-1995].&lt;/p&gt;
&lt;p&gt;The question worth holding onto is whether that confidence was &lt;em&gt;earned&lt;/em&gt; or merely &lt;em&gt;borrowed&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;RSA itself is almost aggressively simple. Pick two large primes and multiply them into a public modulus $N = pq$. Publish &lt;code&gt;N&lt;/code&gt; and a public exponent &lt;code&gt;e&lt;/code&gt;. To encrypt a message &lt;code&gt;m&lt;/code&gt;, compute $c = m^e \bmod N$; to decrypt, compute $m = c^d \bmod N$, where the private exponent &lt;code&gt;d&lt;/code&gt; is chosen so that $ed \equiv 1 \pmod{\varphi(N)}$ and $\varphi(N) = (p-1)(q-1)$ is Euler&apos;s totient [@rivest-shamir-adleman-1978]. Encryption is a modular exponentiation anyone can perform. Decryption is the same operation with a secret exponent that only the keyholder knows.&lt;/p&gt;
&lt;p&gt;Everything rests on one hinge. To recover &lt;code&gt;d&lt;/code&gt;, the obvious route is to compute $\varphi(N)$, and to compute $\varphi(N)$ you need &lt;code&gt;p&lt;/code&gt; and &lt;code&gt;q&lt;/code&gt;, which means factoring &lt;code&gt;N&lt;/code&gt;. So RSA is &lt;em&gt;believed&lt;/em&gt; to be as hard to break as factoring is hard to do. Read that sentence twice, because the load-bearing word is &quot;believed.&quot; Rivest, Shamir, and Adleman did not prove that breaking RSA requires factoring, and no one has proven it since. RSA is a wager that a specific problem is hard, staked on decades of failed attempts to make it easy rather than on a theorem.&lt;/p&gt;

A function that is easy to compute in the forward direction but hard to invert, unless you hold a secret piece of information (the trapdoor) that makes inversion easy. RSA&apos;s forward direction is modular exponentiation, its trapdoor is the factorization of `N`, and its entire security is the conjecture that without the trapdoor, inversion stays hard.
&lt;p&gt;What makes the RSA story unusually honest is that the field turned this belief into a &lt;em&gt;dated, public experiment&lt;/em&gt;. In March 1991, RSA Security launched the RSA Factoring Challenge: a published list of moduli, cash bounties, and an open invitation to factor them [@wiki-rsa-factoring-challenge]. Every time a challenge number fell, the community learned precisely how far the sharpest available methods and machines could reach in a given year. The result is something most security assumptions never get: a fifty-year measured record of exactly how hard factoring has proven to be in practice.&lt;/p&gt;

timeline
    title Fifty years of RSA cryptanalysis
    1977 : RSA published : Gardner challenge
    1985 : Hastad low-exponent broadcast
    1990 : Wiener small-d attack : Number Field Sieve
    1994 : Shor quantum factoring : RSA-129 factored
    1996 : Coppersmith small-root method
    1999 : Boneh-Durfee small-d lattice : Boneh survey
    2009 : RSA-768 factored
    2020 : RSA-250 factored
    2025 : Shor estimate under one million qubits
&lt;p&gt;That timeline is also a map of everything this article covers, and it splits cleanly into the two speeds. Some entries, the Number Field Sieve, RSA-129, RSA-768, RSA-250, are the slow lane: brute assaults on the factoring problem itself, dated by when a bigger number finally fell. Others, Hastad, Wiener, Coppersmith, Boneh-Durfee, are the fast lane: polynomial-time attacks that never factor anything, dated by when someone noticed a new way for a careless instantiation to give itself away. Only one entry, Shor, belongs to neither lane, because it changes the machine.&lt;/p&gt;

It is worth naming the excluded failures precisely, because they, not the mathematics, are what actually break RSA deployments in the wild: timing and power side channels that leak the private key, fault attacks that corrupt a computation to expose a factor, weak random-number generators that hand out repeated or flawed primes (the ROCA vulnerability), padding oracles such as Bleichenbacher&apos;s that turn a chatty server into a decryption service, and protocol downgrades such as FREAK. Every one is a genuine break, and not one of them factors `N` or attacks RSA&apos;s mathematics. They are implementation and protocol failures, and they belong to the empirical sibling, *How RSA Breaks in Real Life*. This article is about the equations.
&lt;p&gt;If the whole system rests on one unproven assumption, the obvious move is to attack that assumption head-on and just factor &lt;code&gt;N&lt;/code&gt;. Fifty years of the sharpest minds in computational number theory tried exactly that. Here is how far they got.&lt;/p&gt;
&lt;h2&gt;3. The slow lane: attacking factoring head-on&lt;/h2&gt;
&lt;p&gt;The direct attack writes itself: break RSA by factoring the modulus. The punchline is not triumph but frustration. Even the reigning champion algorithm is, at cryptographic sizes, glacial.&lt;/p&gt;
&lt;p&gt;The ladder is a genealogy, and each rung earned its place by beating the one below it. At the bottom sits &lt;strong&gt;trial division&lt;/strong&gt; and Fermat&apos;s method, fully exponential in the size of &lt;code&gt;N&lt;/code&gt; and useless past a few dozen digits. Then come the special-purpose methods: John Pollard&apos;s &lt;strong&gt;&lt;code&gt;p-1&lt;/code&gt;&lt;/strong&gt; method (1974), fast whenever &lt;code&gt;p-1&lt;/code&gt; happens to have only small prime factors [@pollard-pm1-1974], and his &lt;strong&gt;rho&lt;/strong&gt; method (1975), which finds a small factor &lt;code&gt;p&lt;/code&gt; in about $O(p^{1/2})$ steps using almost no memory [@pollard-rho-1975]. These are lethal against unlucky primes but hopeless against a balanced modulus whose factors are both enormous.&lt;/p&gt;
&lt;p&gt;The real lineage of general-purpose factoring begins with a single idea: instead of searching for a factor directly, manufacture a congruence of squares $x^2 \equiv y^2 \pmod{N}$ with $x \not\equiv \pm y$, and read a factor off $\gcd(x-y, N)$. Morrison and Brillhart&apos;s continued-fraction method, &lt;strong&gt;CFRAC&lt;/strong&gt; (1975), was the first to collect many small relations and combine them into that square with linear algebra, and the first general method to run in sub-exponential time [@morrison-brillhart-1975]. Carl Pomerance&apos;s &lt;strong&gt;Quadratic Sieve&lt;/strong&gt; (1985) replaced slow per-number testing with a fast sieve and dominated the 1980s and early 1990s at heuristic cost $L_N[1/2, 1]$ [@pomerance-qs-1985]. Then, in 1990, the &lt;strong&gt;Number Field Sieve&lt;/strong&gt; dropped the exponent from one half to one third, the single largest asymptotic improvement in the history of factoring, and the last one to date [@lenstra-nfs-1990].&lt;/p&gt;

Factoring costs are written with $L_N[\alpha, c] = \exp\big((c + o(1))(\ln N)^{\alpha}(\ln\ln N)^{1-\alpha}\big)$. The exponent $\alpha$ interpolates between two worlds: $\alpha = 1$ is fully exponential in the bit-length, $\alpha = 0$ is polynomial, and $\alpha = 1/3$ sits in between, &quot;sub-exponential.&quot; Sub-exponential is genuinely faster than exponential, which is why big numbers can be factored at all, and genuinely slower than polynomial, which is why they cannot be factored at cryptographic sizes.

The fastest known classical algorithm for factoring a general large integer, with heuristic running time $L_N[1/3, (64/9)^{1/3}] \approx L_N[1/3, 1.923]$ [@lenstra-nfs-1990]. It builds a congruence of squares by collecting relations that are simultaneously smooth on a rational side and an algebraic side, then solves a very large linear system. Every RSA factoring record since the late 1990s has used a GNFS implementation [@zimmermann-records].

An integer is B-smooth if every one of its prime factors is at most `B`. Smoothness is the lever every modern factoring algorithm pulls: the sieve hunts for values that are B-smooth, because only those factor completely over a fixed, small &quot;factor base&quot; of primes and can be fed into the linear algebra. The art of the Number Field Sieve is arranging for enough smooth relations to appear.
&lt;p&gt;Definitions establish that GNFS is sub-exponential. The record trajectory shows what sub-exponential &lt;em&gt;feels&lt;/em&gt; like against real keys, and it is the heart of this section&apos;s argument. Do not take &quot;glacial&quot; on faith. Watch the dates.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Challenge&lt;/th&gt;
&lt;th&gt;Modulus size&lt;/th&gt;
&lt;th&gt;Year factored&lt;/th&gt;
&lt;th&gt;Method and reported effort&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;RSA-129&lt;/td&gt;
&lt;td&gt;426 bits (129 digits)&lt;/td&gt;
&lt;td&gt;1994&lt;/td&gt;
&lt;td&gt;Quadratic sieve, worldwide volunteer effort [@atkins-rsa129-1995]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;RSA-155&lt;/td&gt;
&lt;td&gt;512 bits&lt;/td&gt;
&lt;td&gt;1999&lt;/td&gt;
&lt;td&gt;Number Field Sieve [@cavallar-rsa155-2000]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;RSA-768&lt;/td&gt;
&lt;td&gt;768 bits&lt;/td&gt;
&lt;td&gt;2009&lt;/td&gt;
&lt;td&gt;GNFS, nearly 2000 core-years [@kleinjung-rsa768-2010]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;RSA-250&lt;/td&gt;
&lt;td&gt;829 bits&lt;/td&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;GNFS, roughly 2700 core-years [@boudot-rsa250-2020]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Read the first and last rows together. From RSA-129 in 1994 to RSA-250 in 2020 is roughly 400 bits of progress in 26 years [@zimmermann-records; @wiki-rsa-numbers]. A deployed RSA key is 2048 bits. The record is still more than 1,200 bits short of it, and RSA-250 alone burned about 2,700 core-years of computation on the open-source CADO-NFS software [@boudot-rsa250-2020; @cado-nfs].A core-year is one processor core running flat out for a year, so 2,700 core-years is a large cluster running for months. The same team&apos;s peer-reviewed 240-digit experiment documents the sieving-and-linear-algebra methodology behind these records [@boudot-dlp240-2020]. The gap is not a matter of waiting a few more years for a faster cluster, because the cost curve is sub-exponential, so each additional bit is more expensive than the last. You can compute just how much more expensive.&lt;/p&gt;
&lt;p&gt;{`
from math import log, exp&lt;/p&gt;
Heuristic GNFS cost L_N[1/3, (64/9)^(1/3)] as a function of bit-length.
&lt;p&gt;def L(bits, alpha=1/3, c=(64/9)&lt;strong&gt;(1/3)):
    lnN = bits * log(2)                       # ln N for a &apos;bits&apos;-bit modulus
    return exp(c * lnN&lt;/strong&gt;alpha * (log(lnN))**(1 - alpha))&lt;/p&gt;
&lt;p&gt;cost_829  = L(829)    # RSA-250, the current classical record
cost_2048 = L(2048)   # a deployed key&lt;/p&gt;
&lt;p&gt;print(&quot;GNFS constant (64/9)^(1/3) =&quot;, round((64/9)**(1/3), 4))
print(&quot;Relative L-cost at  829 bits: %.3e&quot; % cost_829)
print(&quot;Relative L-cost at 2048 bits: %.3e&quot; % cost_2048)
print(&quot;RSA-2048 is harder than RSA-250 by a factor of about: %.3e&quot; % (cost_2048 / cost_829))
print()
print(&quot;RSA-250 already cost ~2700 core-years; scaling by that factor gives&quot;)
print(&quot;about %.1e core-years for RSA-2048 -- far beyond any foreseeable cluster.&quot;
      % (2700 * cost_2048 / cost_829))
`}&lt;/p&gt;
&lt;p&gt;The numbers that fall out are not &quot;a thousand times harder&quot; or &quot;a million times harder.&quot; They are astronomical: the same sober &lt;code&gt;L[1/3]&lt;/code&gt; curve that predicted RSA-250 puts a 2048-bit modulus permanently outside the reach of any classical machine anyone can foresee. This is the slow lane in one image. It works on every key, it needs no mistake by the defender, and it will almost certainly never reach a modern modulus.&lt;/p&gt;

flowchart TD
    A[&quot;Trial division and Fermat: fully exponential&quot;] --&amp;gt; B[&quot;Pollard p-1 (1974) and rho (1975): special-purpose&quot;]
    B --&amp;gt; C[&quot;CFRAC (1975): first sub-exponential&quot;]
    C --&amp;gt; D[&quot;Quadratic Sieve (1985): exponent one half&quot;]
    D --&amp;gt; E[&quot;Number Field Sieve (1990): exponent one third&quot;]
    E --&amp;gt; F[&quot;No asymptotic gain since 1990&quot;]
    A --&amp;gt; G[&quot;ECM (1987): niche, cost set by the smallest factor&quot;]
&lt;p&gt;The ladder has texture worth pausing on. When RSA-129 fell in 1994, the recovered plaintext was a puzzle phrase the designers had hidden inside the challenge.The RSA-129 plaintext was &quot;THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE&quot; [@atkins-rsa129-1995]. A widely repeated web summary claims it read &quot;SEND MORE MONEY&quot;; that is simply wrong. Pollard&apos;s &lt;code&gt;p-1&lt;/code&gt; method left a lasting mark on how primes were chosen: for years, key-generation guidance called for &quot;strong primes,&quot; primes &lt;code&gt;p&lt;/code&gt; where &lt;code&gt;p-1&lt;/code&gt; has a large prime factor, precisely so the &lt;code&gt;p-1&lt;/code&gt; attack could not bite.The strong-prime design rule is a direct descendant of Pollard&apos;s 1974 &lt;code&gt;p-1&lt;/code&gt; method [@pollard-pm1-1974]. Modern guidance mostly dropped the requirement once GNFS made the specific structure of &lt;code&gt;p-1&lt;/code&gt; irrelevant to the dominant attack, but the historical lineage is exact. And one rung of the ladder never went away, it just found a different job.Hendrik Lenstra&apos;s Elliptic Curve Method (1987) has a running time that depends on the size of the &lt;em&gt;smallest&lt;/em&gt; factor, not the whole modulus [@lenstra-ecm-1987]. That makes it superb at peeling small primes off a number and useless against a balanced RSA modulus whose two factors are each half the bits. It is a living tool, in the wrong weight class for this fight.&lt;/p&gt;
&lt;p&gt;The slow lane also has a recurring failure mode that is not technical but sociological, and it is worth immunizing against before the fast lane tempts you.&lt;/p&gt;

Every few years, a preprint claims to have shattered RSA, and every few years it evaporates on contact with implementation. The cleanest recent specimen is Claus Schnorr&apos;s 2021 IACR ePrint, whose abstract ended with the sentence &quot;This destroys the RSA cryptosystem&quot; [@schnorr-eprint-2021; @schneier-2021]. It did not. The claimed speedup relied on finding enough short lattice vectors to generate factoring relations, and when Leo Ducas implemented the method as *SchnorrGate*, it produced zero usable relations at cryptographic size [@ducas-schnorrgate]. Bruce Schneier&apos;s response carried the whole verdict in its title, and later revisions of the preprint quietly deleted the offending sentence [@schneier-2021]. The lesson is durable: an extraordinary cryptanalytic claim is worth exactly as much as its implementation, and until someone factors a real challenge number, the record trajectory stands.

&quot;No, RSA Is Not Broken.&quot; -- Bruce Schneier, on the 2021 claim that short-vector lattice algorithms had destroyed the RSA cryptosystem [@schneier-2021].
&lt;p&gt;So the front door is bolted, and it opens only at a crawl. Fifty years of the best available mathematics moved the record about 400 bits, and the cost curve guarantees the next 1,200 bits are not coming on any classical machine. A defender who only worries about factoring has been watching the wrong door. Because a locksmith&apos;s insight changes the whole game: what if you never had to open the front door at all? What if you never factored &lt;code&gt;N&lt;/code&gt;?&lt;/p&gt;
&lt;h2&gt;4. The fast lane opens: Hastad and Wiener&lt;/h2&gt;
&lt;p&gt;The insight that reroutes the entire story is deceptively small: you do not have to factor &lt;code&gt;N&lt;/code&gt; at all. Factoring is the &lt;em&gt;hardest&lt;/em&gt; way to break RSA, not the easiest. If the way this particular key or this particular message was built leaks structure, the key can fall in polynomial time, and &lt;code&gt;N&lt;/code&gt; stays untouched the whole time. Two attacks from the late 1980s and early 1990s proved the fast lane exists, and each one falls out of a single leaked parameter.&lt;/p&gt;
&lt;p&gt;The first is &lt;strong&gt;Johan Hastad&apos;s low-exponent broadcast attack&lt;/strong&gt; (introduced at CRYPTO &apos;85 and generalized in his 1988 SIAM paper). Suppose a sender uses a tiny public exponent, say $e = 3$, and sends the &lt;em&gt;same&lt;/em&gt; message &lt;code&gt;m&lt;/code&gt; to several recipients, each with their own modulus $N_i$, without randomized padding. Each recipient sees $c_i = m^3 \bmod N_i$. An eavesdropper who collects three of these ciphertexts applies the Chinese Remainder Theorem to combine them into a single value congruent to $m^3$ modulo $N_1 N_2 N_3$ [@hastad-1988].&lt;/p&gt;
&lt;p&gt;Since &lt;code&gt;m&lt;/code&gt; is smaller than every $N_i$, the true $m^3$ is smaller than the product $N_1 N_2 N_3$, so the combined congruence is an &lt;em&gt;equation over the integers&lt;/em&gt;: the combined value simply equals $m^3$, with no modular wraparound. Take an ordinary integer cube root and you have the message. No factoring, no lattice, just arithmetic [@hastad-1988].&lt;/p&gt;
&lt;p&gt;The precondition is loud, and it is the reason a good key is immune. Hastad needs a tiny exponent &lt;em&gt;and&lt;/em&gt; the same message broadcast unpadded to several recipients. Use $e = 65537$ instead of 3, or pad each message with fresh randomness so no two ciphertexts encrypt the same integer, and the broadcast structure that made $m^3$ recoverable is gone. The attack does not get slower; it stops applying.&lt;/p&gt;
&lt;p&gt;The second attack targets the other exponent. &lt;strong&gt;Michael Wiener&apos;s small private-exponent attack&lt;/strong&gt; (1990) shows that shrinking &lt;code&gt;d&lt;/code&gt; to speed up decryption is fatal. When the private exponent is small, specifically $d &amp;lt; \tfrac{1}{3}N^{1/4}$, the public ratio $e/N$ becomes an extraordinarily good rational approximation to the secret ratio $k/d$ that lurks in the key equation [@wiener-1990]. And there is a classical theorem of number theory that says the &lt;em&gt;only&lt;/em&gt; fractions that approximate a real number that well are its continued-fraction convergents. So the attacker expands $e/N$ as a continued fraction, and the secret denominator &lt;code&gt;d&lt;/code&gt; appears as one of the convergents&apos; denominators, recovered from nothing but the public key &lt;code&gt;(e, N)&lt;/code&gt; [@wiener-1990].&lt;/p&gt;

Any real number can be written as a nested fraction $a_0 + 1/(a_1 + 1/(a_2 + \cdots))$. Truncating that expansion after a few terms gives a sequence of rational approximations $h_i/k_i$ called convergents, and they are provably the *best* rational approximations for their denominator size. Wiener&apos;s attack turns key recovery into a search through the convergents of $e/N$: one of their denominators is the secret exponent `d`.
&lt;p&gt;Because the whole attack is a short walk through a list of fractions, it is genuinely fast, and it is easy to watch happen. The code below builds an RSA key with a deliberately small &lt;code&gt;d&lt;/code&gt;, publishes only &lt;code&gt;(e, N)&lt;/code&gt;, and then recovers &lt;code&gt;d&lt;/code&gt; from the public key alone.&lt;/p&gt;
&lt;p&gt;{`
from math import isqrt, gcd&lt;/p&gt;
Build a deliberately weak RSA key with a very small private exponent d.
&lt;p&gt;p = 999999937
q = 999999893
N = p * q
phi = (p - 1) * (q - 1)&lt;/p&gt;
Wiener succeeds whenever d &amp;lt; (1/3) * N**(1/4). Take the largest such d.
&lt;p&gt;bound = isqrt(isqrt(N)) // 3
d = next(x for x in range(bound, 2, -1) if gcd(x, phi) == 1)
e = pow(d, -1, phi)                      # matching public exponent
print(&quot;Public key:  N =&quot;, N)
print(&quot;             e =&quot;, e)
print(&quot;Hidden small d =&quot;, d, &quot; (Wiener bound about&quot;, bound, &quot;)&quot;)&lt;/p&gt;
The attacker sees only (e, N). Expand e/N as a continued fraction;
each convergent&apos;s denominator is a candidate for d.
&lt;p&gt;def convergents(num, den):
    a = []
    x, y = num, den
    while y:
        a.append(x // y)
        x, y = y, x % y
    h0, h1 = 0, 1
    k0, k1 = 1, 0
    for ai in a:
        h0, h1 = h1, ai * h1 + h0
        k0, k1 = k1, ai * k1 + k0
        yield h1, k1                     # (candidate k, candidate d)&lt;/p&gt;
&lt;p&gt;for k_cand, d_cand in convergents(e, N):
    if k_cand == 0:
        continue
    if (e * d_cand - 1) % k_cand == 0:           # phi(N) must be an integer
        phi_guess = (e * d_cand - 1) // k_cand
        s = N - phi_guess + 1                    # candidate p + q
        disc = s * s - 4 * N                     # roots of x^2 - s*x + N
        if disc &amp;gt;= 0 and isqrt(disc) ** 2 == disc:
            print(&quot;Recovered d =&quot;, d_cand, &quot; correct:&quot;, d_cand == d)
            break
`}&lt;/p&gt;
&lt;p&gt;Once again the precondition is the whole story. Wiener needs a small &lt;code&gt;d&lt;/code&gt;. A correctly generated key uses a full-size random &lt;code&gt;d&lt;/code&gt; on the order of &lt;code&gt;N&lt;/code&gt; itself, and there is no low-denominator convergent of $e/N$ to find, so the attack has nothing to grab.&lt;/p&gt;
&lt;p&gt;Notice what these two attacks share, and where each falls short. Both exploit a &lt;em&gt;leaked parameter&lt;/em&gt;, not the modulus. Both run in polynomial time. And both were, at first, treated as clever isolated tricks: a broadcast maneuver here, a continued-fraction maneuver there. Hastad even needs an awkward number of near-identical ciphertexts, and Wiener&apos;s $N^{1/4}$ bound is visibly loose, as if it could be pushed further with a better tool. For eight years the fast lane stayed a grab-bag of one-offs. Then someone found the single principle hiding underneath all of them.&lt;/p&gt;
&lt;h2&gt;5. Coppersmith&apos;s master key&lt;/h2&gt;
&lt;p&gt;In 1996, Don Coppersmith found the idea that turned the grab-bag into a theory. Stated plainly, it is one of the most useful facts in applied cryptography, and once you see it you cannot unsee it in any of the fast-lane attacks.&lt;/p&gt;
&lt;p&gt;Here is the theorem. Take a polynomial $f(x)$ of degree &lt;code&gt;d&lt;/code&gt;, and suppose it has a root $x_0$ modulo &lt;code&gt;N&lt;/code&gt; that is &lt;em&gt;small&lt;/em&gt;, meaning $|x_0| &amp;lt; N^{1/d}$. Then you can find $x_0$ in time polynomial in $\log N$ and &lt;code&gt;d&lt;/code&gt;, using lattice reduction [@coppersmith-1997]. That is the whole master key. Not &quot;factor &lt;code&gt;N&lt;/code&gt;,&quot; not &quot;guess the message,&quot; but: whenever an unknown quantity is &lt;em&gt;small&lt;/em&gt; and sits inside a &lt;em&gt;known&lt;/em&gt; algebraic structure, you can solve for it directly.&lt;/p&gt;

A lattice is the set of all integer combinations of some basis vectors, an infinite grid of points in space. The same lattice has many bases, some &quot;long and skew,&quot; some &quot;short and nearly perpendicular.&quot; The Lenstra-Lenstra-Lovasz (LLL) algorithm, from 1982, efficiently turns a bad basis into a reduced one whose vectors are short and close to orthogonal. Throughout this article LLL is a black box with one job: hand it a lattice, and it returns a surprisingly short vector in polynomial time [@may-survey-2009].
&lt;p&gt;The bridge from &quot;small modular root&quot; to &quot;short lattice vector&quot; is the contribution of Nick Howgrave-Graham (1997), whose reformulation is the version taught and coded today [@howgrave-graham-1997]. The trick is elegant. You do not attack $f$ directly. Instead you build a lattice out of shifted and scaled multiples of $f$, all of which vanish at the same secret root $x_0$ modulo powers of &lt;code&gt;N&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;LLL finds a short combination of them, and shortness has a precise payoff: a polynomial with small enough coefficients that, at the small value $x_0$, it cannot merely be &lt;em&gt;congruent&lt;/em&gt; to zero modulo &lt;code&gt;N&lt;/code&gt;; it must be &lt;em&gt;exactly&lt;/em&gt; zero as an integer [@howgrave-graham-1997]. The modular problem has become an ordinary equation over the integers, and ordinary equations over the integers are easy to solve for their roots. That is the same &quot;collapse to the integers&quot; trick that let Hastad&apos;s cube root work, generalized into a machine.&lt;/p&gt;

flowchart LR
    A[&quot;Known structure plus a small unknown&quot;] --&amp;gt; B[&quot;Write it as f(x) with a small root mod N&quot;]
    B --&amp;gt; C[&quot;Build a lattice from shifted multiples of f&quot;]
    C --&amp;gt; D[&quot;LLL returns a short vector&quot;]
    D --&amp;gt; E[&quot;A new polynomial, same root, small enough to hold over the integers&quot;]
    E --&amp;gt; F[&quot;Ordinary root-finding recovers x0&quot;]

A polynomial-time algorithm that, given a monic polynomial $f(x)$ of degree `d` and a modulus `N`, finds every integer root $x_0$ with $|x_0| &amp;lt; N^{1/d}$ satisfying $f(x_0) \equiv 0 \pmod{N}$ [@coppersmith-1997]. The size bound $N^{1/d}$ is the load-bearing threshold: it is generous for tiny degree (a cube-root-sized unknown for $d = 3$) and shrinks fast as the degree grows, which is exactly why a large public exponent starves the method of anything to find.
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Every fast-lane attack in this article is the same sentence in a different costume: known structure plus a small unknown lets you solve for the unknown. Hastad&apos;s broadcast, stereotyped messages, related messages, partial key exposure, and the strongest small-&lt;code&gt;d&lt;/code&gt; attack are all instances of Coppersmith&apos;s small-root method, powered by LLL whenever the unknown is smaller than $N^{1/d}$. The zoo is one animal.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Watch Hastad collapse to a corollary. His broadcast attack is just the small-root method for the polynomial $f(x) = x^e - c$ with the tiny exponent making the root findable; the CRT step is a convenience, not the essence [@coppersmith-1997]. The purest instance of all is textbook RSA with $e = 3$ and no padding, where the message itself is the small root. If $m^3 &amp;lt; N$, the ciphertext never wrapped around the modulus, so the &quot;encryption&quot; is just a cube, and a cube root is the entire attack.&lt;/p&gt;
&lt;p&gt;{`
def icbrt(n):
    # Exact integer cube root via Newton&apos;s method (works for huge integers).
    if n &amp;lt; 2:
        return n
    x = 1 &amp;lt;&amp;lt; ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y &amp;gt;= x:
            return x
        x = y&lt;/p&gt;
&lt;p&gt;N = (1 &amp;lt;&amp;lt; 2047) + 12345      # a 2048-bit stand-in modulus
e = 3
m = 42424242424242           # a short message: m^3 stays far below N
c = pow(m, e, N)             # textbook RSA &quot;encryption&quot;: c = m^3 mod N&lt;/p&gt;
&lt;p&gt;print(&quot;Is m^3 &amp;lt; N ?&quot;, m**3 &amp;lt; N)
print(&quot;recovered m =&quot;, icbrt(c), &quot; correct:&quot;, icbrt(c) == m)&lt;/p&gt;
Real padding widens the message so that m2^3 exceeds N and wraps around.
&lt;p&gt;m2 = (1 &amp;lt;&amp;lt; 700) | m
c2 = pow(m2, e, N)
print(&quot;Is (padded m2)^3 &amp;lt; N ?&quot;, m2**3 &amp;lt; N)
print(&quot;plain cube root now fails:&quot;, icbrt(c2) != m2)
`}&lt;/p&gt;
&lt;p&gt;The second half of that snippet is the entire defense in miniature. Once the message is widened by real padding so that its cube exceeds &lt;code&gt;N&lt;/code&gt;, the ciphertext wraps around the modulus, the &quot;small root&quot; is no longer small, and the cube root returns garbage. The attack did not get harder to run; its precondition vanished. Hold onto that distinction, because it is the shape of every result in the next section: one theorem, many doors. So which locks does the master key actually open on a real RSA deployment, and, just as important, which ones stay firmly shut?&lt;/p&gt;
&lt;h2&gt;6. The Coppersmith family today&lt;/h2&gt;
&lt;p&gt;The mature fast lane is the master key reused, deliberately, by name. Each member of the family has the same shape, known structure hiding one small unknown, and each is neutralized by exactly one standard parameter choice. Walk them in order and the pattern becomes impossible to miss.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Stereotyped and known-bits messages.&lt;/strong&gt; Suppose an attacker knows most of a message, a fixed template &lt;code&gt;B&lt;/code&gt;, and only a short secret block &lt;code&gt;x&lt;/code&gt; is unknown, so the plaintext is $B + x$. With public exponent &lt;code&gt;e&lt;/code&gt;, the ciphertext gives the polynomial $f(x) = (B + x)^e - c$, whose small root is the secret block, recoverable whenever $|x| &amp;lt; N^{1/e}$ [@coppersmith-1997]. A low exponent and a mostly-known message is all it takes. Raise &lt;code&gt;e&lt;/code&gt; to 65537 and the recoverable window $N^{1/e}$ shrinks to almost nothing; randomize the message with padding and the &quot;small unknown&quot; becomes the entire plaintext, far too big to be a small root.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Factoring with high bits of &lt;code&gt;p&lt;/code&gt; known.&lt;/strong&gt; Coppersmith&apos;s method also attacks the modulus, but only with a head start. If an attacker already knows roughly the top half of the bits of &lt;code&gt;p&lt;/code&gt;, the remaining low bits form a small root of a polynomial modulo &lt;code&gt;N&lt;/code&gt;, and the method recovers them, factoring &lt;code&gt;N&lt;/code&gt; in polynomial time [@coppersmith-1997; @may-survey-2009]. The precondition is severe: you must already know half of a secret prime. Generate both primes from a good random source and no such head start exists.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Related messages and short pads.&lt;/strong&gt; If two messages satisfy a &lt;em&gt;known linear relation&lt;/em&gt; and are sent under the same small exponent, the attacker forms two polynomials sharing the plaintext as a root and takes their polynomial greatest common divisor, which reveals it. This is the Franklin-Reiter base case [@cfpr-1996]. Coppersmith extended it to the case where the relation is an &lt;em&gt;unknown but short&lt;/em&gt; pad, solved with the small-root method, the short-pad attack [@cfpr-1996]. Both need a small &lt;code&gt;e&lt;/code&gt; and a short or structured relationship between messages. &lt;a href=&quot;https://paragmali.com/blog/rsa-is-a-trapdoor-not-a-cryptosystem-oaep-pss-and-the-25-yea/&quot; rel=&quot;noopener&quot;&gt;OAEP&lt;/a&gt;&apos;s long, fully random pad destroys any such relation, which is precisely what it was designed to do.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Partial key exposure.&lt;/strong&gt; Perhaps the most unsettling member: a &lt;em&gt;fraction&lt;/em&gt; of the private key&apos;s bits can reconstruct the rest. Boneh, Durfee, and Frankel showed in 1998 that for a low public exponent, roughly a quarter of the least-significant bits of &lt;code&gt;d&lt;/code&gt; suffice to recover the whole exponent [@bdf98-1998]. Ernst, Jochemsz, May, and de Weger removed the low-exponent restriction in 2005, extending partial key exposure to full-size exponents with multivariate Coppersmith techniques [@ernst-pke-2005]. The precondition is a &lt;em&gt;leak&lt;/em&gt;: some bits of &lt;code&gt;d&lt;/code&gt; or &lt;code&gt;p&lt;/code&gt; must escape. With no leakage, there is nothing to extend, and &lt;em&gt;how&lt;/em&gt; bits leak, timing, power, a fault, is the implementation sibling&apos;s subject, not RSA&apos;s mathematics.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Boneh-Durfee.&lt;/strong&gt; Finally, the master key circles back to finish what Wiener started. Boneh and Durfee re-aimed Coppersmith&apos;s lattice at the key equation itself and pushed the vulnerable small-&lt;code&gt;d&lt;/code&gt; bound from Wiener&apos;s $N^{1/4}$ up to $d &amp;lt; N^{0.292}$, the strongest small-exponent attack known [@boneh-durfee-1999]. It is the same lattice engine, pointed at a different polynomial. And it dies against the same defense: a full-size random &lt;code&gt;d&lt;/code&gt; on the order of &lt;code&gt;N&lt;/code&gt; sits far above the $N^{0.292}$ threshold.&lt;/p&gt;
&lt;p&gt;These are cryptanalytic tools, not shipped software, but they are entirely practical to run. LLL and its stronger cousin BKZ live in the open-source &lt;strong&gt;fplll&lt;/strong&gt; library and its Python binding &lt;strong&gt;fpylll&lt;/strong&gt; [@fplll; @fpylll], and Coppersmith&apos;s small-root method is a single function call, &lt;code&gt;small_roots()&lt;/code&gt;, in SageMath [@sagemath-smallroots]. The barrier to using them is never the tooling. It is finding a key with a precondition to attack.&lt;/p&gt;

A stereotyped-message attack in SageMath looks close to this: work in `Zmod(N)`, define the polynomial `f = (B + x)^e - c` whose small root is the secret block, and call `f.small_roots(X=bound, beta=1)`. The library builds the lattice, runs LLL, and returns the root, with no hand-rolled lattice at all [@sagemath-smallroots]. Swap in a different `f` and the same call becomes factoring-with-known-bits or a related-message attack: one engine, pointed at a different polynomial.

flowchart TD
    E[&quot;Coppersmith small-root engine&quot;] --&amp;gt; A[&quot;Stereotyped or known-bits message: short secret block&quot;]
    E --&amp;gt; B[&quot;Factoring with high bits of p known: half of p leaks&quot;]
    E --&amp;gt; C[&quot;Franklin-Reiter and short-pad: same small e, short or known pad&quot;]
    E --&amp;gt; D[&quot;Partial key exposure: a fraction of d&apos;s bits leak&quot;]
    E --&amp;gt; F[&quot;Boneh-Durfee: deliberately small private exponent d&quot;]
&lt;p&gt;Lay the whole family in a table and the argument writes itself. Every row is a real, polynomial-time attack. Every row also has a right-hand column that a correctly generated RSA-2048 key fills in by default.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Fast-lane attack&lt;/th&gt;
&lt;th&gt;Exact precondition it needs&lt;/th&gt;
&lt;th&gt;Closed by&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Hastad broadcast&lt;/td&gt;
&lt;td&gt;tiny &lt;code&gt;e&lt;/code&gt;, same message sent unpadded to many recipients&lt;/td&gt;
&lt;td&gt;$e = 65537$ or randomized padding [@hastad-1988]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Stereotyped / known-bits&lt;/td&gt;
&lt;td&gt;most of the message is a known template, short secret block&lt;/td&gt;
&lt;td&gt;randomized OAEP padding [@rfc8017]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Factoring, high bits of &lt;code&gt;p&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;roughly half the top bits of &lt;code&gt;p&lt;/code&gt; already known&lt;/td&gt;
&lt;td&gt;independent, well-sourced random primes [@may-survey-2009]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Franklin-Reiter / short-pad&lt;/td&gt;
&lt;td&gt;same small &lt;code&gt;e&lt;/code&gt;, a known or short relation between messages&lt;/td&gt;
&lt;td&gt;$e = 65537$ plus OAEP&apos;s long random pad [@cfpr-1996]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Partial key exposure&lt;/td&gt;
&lt;td&gt;a constant fraction of &lt;code&gt;d&lt;/code&gt;&apos;s or &lt;code&gt;p&lt;/code&gt;&apos;s bits leaked&lt;/td&gt;
&lt;td&gt;no key-bit leakage; full-size random &lt;code&gt;d&lt;/code&gt; [@ernst-pke-2005]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Wiener small-&lt;code&gt;d&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;$d &amp;lt; \tfrac{1}{3}N^{1/4}$&lt;/td&gt;
&lt;td&gt;full-size random &lt;code&gt;d&lt;/code&gt; [@wiener-1990]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Boneh-Durfee small-&lt;code&gt;d&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;$d &amp;lt; N^{0.292}$&lt;/td&gt;
&lt;td&gt;full-size random &lt;code&gt;d&lt;/code&gt; near &lt;code&gt;N&lt;/code&gt; [@boneh-durfee-1999]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;

The randomized padding scheme standardized for RSA encryption in PKCS #1 v2.2 (RFC 8017) [@rfc8017]. Before exponentiation, OAEP mixes the message with fresh random bytes through a two-round structure, so that the integer actually raised to the power `e` is large, high-entropy, and different every time, even for identical plaintexts. That single step removes the &quot;known structure&quot; and the &quot;small unknown&quot; that every Coppersmith-family attack needs, which is why OAEP is the defense that closes most of the table at once.
&lt;p&gt;There is something almost paradoxical here, and it is the sharpest structural point in all of RSA cryptanalysis. None of these attacks is wrong. None is slow. None has been refuted or patched away. They remain perfectly correct, polynomial-time algorithms. They are simply &lt;em&gt;inapplicable&lt;/em&gt; to a key that never grants their precondition. The fast lane does not fail against a good key by being outrun, the way the slow lane is outrun by a big modulus. It fails by &lt;em&gt;precondition-absence&lt;/em&gt;: there is nothing for the lattice to grab.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is the mental model to keep. A larger key defeats the slow lane by making factoring more expensive. Nothing defeats the fast lane, because the fast lane was never a contest of speed. It is a contest of &lt;em&gt;whether a defect exists&lt;/em&gt;. Remove the defect, small exponent, small &lt;code&gt;d&lt;/code&gt;, missing padding, leaked bits, correlated primes, and each attack does not slow down; it simply has no input. A correct RSA-2048 key wins the fast lane by forfeit.&lt;/p&gt;
&lt;/blockquote&gt;

An attack that is perfectly correct yet perfectly inapplicable is the sharpest point in RSA cryptanalysis. Against a well-generated key, the fast lane has no applicable attack.
&lt;p&gt;So put the two lanes together against a specific, correct target: RSA-2048 with $e = 65537$, a full-size random &lt;code&gt;d&lt;/code&gt;, two independent well-sourced primes, and OAEP padding. The slow lane is available but glacial, more than 1,200 bits and an astronomical cost curve away from success. The fast lane is polynomial but inert, because every precondition in the table above is absent [@boneh-survey-1999; @rfc8017]. Against that key, the classical state of the art is a phrase worth memorizing: &lt;em&gt;no applicable attack.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The fast lane is fast but conditional; the slow lane is universal but glacial. Put all three roads on one table, and ask the only question that matters: which one actually threatens a well-generated key?&lt;/p&gt;
&lt;h2&gt;7. Three roads, compared&lt;/h2&gt;
&lt;p&gt;Everything so far has been building one picture. Lay the slow lane, the fast lane, and the third road side by side, and the article&apos;s thesis stops being a claim and becomes something you can read straight off a table.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;Slow lane: GNFS&lt;/th&gt;
&lt;th&gt;Fast lane: Coppersmith family&lt;/th&gt;
&lt;th&gt;Third road: Shor&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;What it attacks&lt;/td&gt;
&lt;td&gt;the hardness assumption (factor &lt;code&gt;N&lt;/code&gt;)&lt;/td&gt;
&lt;td&gt;the instantiation (a specific defect)&lt;/td&gt;
&lt;td&gt;the hardness assumption (factor &lt;code&gt;N&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Input required&lt;/td&gt;
&lt;td&gt;&lt;code&gt;N&lt;/code&gt; only&lt;/td&gt;
&lt;td&gt;&lt;code&gt;N&lt;/code&gt; plus a parameter or key-gen defect&lt;/td&gt;
&lt;td&gt;&lt;code&gt;N&lt;/code&gt; only&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Precondition&lt;/td&gt;
&lt;td&gt;none&lt;/td&gt;
&lt;td&gt;small &lt;code&gt;e&lt;/code&gt;, small &lt;code&gt;d&lt;/code&gt;, no padding, leaked bits, or correlated primes&lt;/td&gt;
&lt;td&gt;a working quantum computer of the right size&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Worst-case time&lt;/td&gt;
&lt;td&gt;$L_N[1/3, 1.923]$, sub-exponential&lt;/td&gt;
&lt;td&gt;polynomial&lt;/td&gt;
&lt;td&gt;polynomial in $\log N$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Breaks a correct RSA-2048 key?&lt;/td&gt;
&lt;td&gt;not in practice&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Computational model&lt;/td&gt;
&lt;td&gt;classical&lt;/td&gt;
&lt;td&gt;classical&lt;/td&gt;
&lt;td&gt;quantum&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Read the table as three sentences. The &lt;strong&gt;slow lane&lt;/strong&gt; breaks &lt;em&gt;any&lt;/em&gt; key, needs no mistake, and is asymptotically stalled: its $L_N[1/3, 1.923]$ cost has not improved since 1990, and against 2048 bits it is glacial [@lenstra-nfs-1990]. The &lt;strong&gt;fast lane&lt;/strong&gt; is genuinely polynomial and genuinely fast, but it goes completely dark against a correct key, because every one of its attacks needs a defect the key does not have [@coppersmith-1997]. Two roads, and &lt;em&gt;neither&lt;/em&gt; threatens a well-generated RSA-2048 key in practice: one is too slow, the other has no opening.&lt;/p&gt;
&lt;p&gt;That is the corner the argument has painted us into, and it forces the third road into view. If the slow lane is stalled and the fast lane is inert, then the only way to break a correct key is to stop playing the classical game entirely, to change the &lt;em&gt;machine&lt;/em&gt;. That is Shor&apos;s algorithm, first announced at FOCS in 1994 and published in full in 1997 [@shor-focs-1994; @shor-siam-1997].&lt;/p&gt;
&lt;p&gt;It attacks the same hardness assumption as the slow lane, factoring &lt;code&gt;N&lt;/code&gt; with no defect required, but it runs in time polynomial in the number of digits of &lt;code&gt;N&lt;/code&gt;, an exponential speedup over GNFS. It is the one entry in the table that breaks a flawless key, and it carries the one precondition no careful key generation can supply or deny: a large, fault-tolerant quantum computer, which does not exist as of 2026.&lt;/p&gt;
&lt;p&gt;The mechanism is the subject of the next section; for now, the table has delivered its verdict. The only structural attack left standing against a good key is a change of computational model.&lt;/p&gt;
&lt;p&gt;That verdict points at one uncomfortable question the table cannot answer. The slow lane is stalled, and we have been treating that as if it were a law of nature. But is factoring &lt;em&gt;actually&lt;/em&gt; hard, or have we simply not found the trick yet? The honest answer is more unsettling than either the optimists or the doomsayers usually admit.&lt;/p&gt;
&lt;h2&gt;8. Is factoring even hard, and how hard?&lt;/h2&gt;
&lt;p&gt;Beneath fifty years of engineering confidence lies an uncomfortable truth: nobody has ever &lt;em&gt;proven&lt;/em&gt; that factoring is hard. RSA&apos;s security is a conjecture that has survived a long time, which is a very different thing from a theorem.&lt;/p&gt;
&lt;p&gt;Start with the most common misconception, because correcting it reframes everything. People often say factoring is NP-hard, as if RSA inherited the full difficulty of the hardest problems in NP. It did not. The decision version of factoring sits in $\text{NP} \cap \text{co-NP}$: a factor is a short certificate that the answer is &quot;yes,&quot; and because primality can be checked efficiently, there is also a short certificate for &quot;no&quot; [@hac-1996]. A problem in that intersection cannot be NP-complete unless NP equals co-NP, which almost no one believes.&lt;/p&gt;
&lt;p&gt;So factoring is very likely &lt;em&gt;not&lt;/em&gt; among the hardest problems in NP, and the casual &quot;RSA is NP-hard&quot; intuition is simply false [@hac-1996].&lt;/p&gt;
&lt;p&gt;It may be worse than that, in a precise and interesting way: breaking RSA might be &lt;em&gt;strictly easier&lt;/em&gt; than factoring. Boneh and Venkatesan gave evidence that no &quot;algebraic reduction&quot; can turn an efficient low-exponent RSA-breaker into a general factoring algorithm, which would mean recovering a message does not require the full strength of factoring [@boneh-venkatesan-1998].&lt;/p&gt;
&lt;p&gt;Aggarwal and Maurer later proved that breaking RSA &lt;em&gt;is&lt;/em&gt; equivalent to factoring, but only in the restricted &quot;generic ring model,&quot; where the attacker is forbidden from exploiting the specific bit-representation of numbers [@aggarwal-maurer-2009]. Put together, the honest statement is that we do not know whether the RSA problem and factoring are equally hard. We only know the assumption rests on belief, layered on belief.&lt;/p&gt;
&lt;p&gt;What we &lt;em&gt;can&lt;/em&gt; state precisely are the upper bounds, and the gap between them is the whole story. Classically, the best we can do is GNFS, sub-exponential $L_N[1/3, 1.923]$ [@lenstra-nfs-1990]. On a quantum computer, Shor&apos;s algorithm factors in time polynomial in the number of digits of &lt;code&gt;N&lt;/code&gt;, an exponential improvement [@shor-siam-1997].&lt;/p&gt;
&lt;p&gt;There is no known classical &lt;em&gt;lower&lt;/em&gt; bound anywhere near the upper bound, so the space between &quot;maybe there is a fast classical algorithm we have not found&quot; and &quot;there is definitely a fast quantum algorithm&quot; is enormous and almost entirely unmapped.&lt;/p&gt;
&lt;p&gt;Shor&apos;s mechanism deserves to be seen, because it is not a faster search; it is a genuinely different idea. Factoring &lt;code&gt;N&lt;/code&gt; is reduced to finding the &lt;em&gt;period&lt;/em&gt; of the function $a^x \bmod N$ for a random base &lt;code&gt;a&lt;/code&gt;, that is, the smallest &lt;code&gt;r&lt;/code&gt; with $a^r \equiv 1 \pmod{N}$. Classically, finding that period is as hard as factoring.&lt;/p&gt;
&lt;p&gt;Quantumly, a superposition over all &lt;code&gt;x&lt;/code&gt;, a modular exponentiation, and a quantum Fourier transform extract &lt;code&gt;r&lt;/code&gt; efficiently. Once you have an even &lt;code&gt;r&lt;/code&gt; with $a^{r/2} \not\equiv -1 \pmod N$, an ordinary classical greatest-common-divisor, $\gcd(a^{r/2} \pm 1, N)$, hands you a factor [@shor-siam-1997]. It is a classical reduction wrapped around a single quantum subroutine.&lt;/p&gt;

flowchart TD
    A[&quot;Pick a random a coprime to N&quot;] --&amp;gt; B[&quot;Quantum: find the period r of a^x mod N with the QFT&quot;]
    B --&amp;gt; C{&quot;r even and a^(r/2) not congruent to -1?&quot;}
    C --&amp;gt;|&quot;no, retry&quot;| A
    C --&amp;gt;|&quot;yes&quot;| D[&quot;Classical: compute gcd(a^(r/2) plus or minus 1, N)&quot;]
    D --&amp;gt; E[&quot;A nontrivial factor of N&quot;]

A quantum computer large and reliable enough to run Shor&apos;s algorithm against real cryptographic parameters, for example to factor a 2048-bit RSA modulus. Because Shor needs many high-fidelity logical qubits maintained through a long computation, a CRQC requires fault-tolerant error correction over a vast number of physical qubits. No such machine exists as of 2026, and building one is an unsolved engineering problem, not merely a matter of scaling up today&apos;s devices.
&lt;p&gt;How far is that machine? The honest answer comes from the people doing the most careful accounting, and their numbers are moving in a way worth understanding. In 2019, Craig Gidney and Martin Ekera estimated that factoring a 2048-bit RSA key with Shor would take roughly 20 million noisy physical qubits running for about 8 hours [@gidney-ekera-2021]. In May 2025, Gidney revised the estimate to &lt;em&gt;fewer than one million&lt;/em&gt; noisy qubits in under a week, under the &lt;em&gt;same&lt;/em&gt; hardware assumptions as the 2019 analysis [@gidney-2025].&lt;/p&gt;
&lt;p&gt;Read those two figures together carefully. The twentyfold drop did not come from better hardware; it came from better &lt;em&gt;algorithms&lt;/em&gt; for organizing the computation. The &lt;em&gt;estimate&lt;/em&gt; is improving far faster than the &lt;em&gt;machines&lt;/em&gt;, and today&apos;s largest quantum devices remain orders of magnitude below even the reduced requirement [@gidney-2025]. No cryptographically relevant quantum computer exists as of 2026.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; It is easy to slide from &quot;the resource estimates are dropping fast&quot; to &quot;a quantum break is imminent.&quot; That slide is not supported here. As of 2026 there is no machine capable of running Shor against RSA-2048, and predicting when, or whether, one will be built is genuinely uncertain. What the falling estimates establish is that the &lt;em&gt;paper cost&lt;/em&gt; of the attack is shrinking, not that the &lt;em&gt;hardware&lt;/em&gt; has arrived. Treat any specific date you see quoted, from anyone, as a forecast, not a fact.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two facts about scale make the quantum threat qualitatively different from the classical one, and both cut against the defender&apos;s usual instinct. First, a bigger key does not help. Shor&apos;s cost grows only &lt;em&gt;polynomially&lt;/em&gt; in the number of digits of &lt;code&gt;N&lt;/code&gt;, so doubling the modulus from 2048 to 4096 bits multiplies the quantum work by a small constant, not by the astronomical factor that same doubling imposes on GNFS. The move that defeats the slow lane is nearly useless against the third road.&lt;/p&gt;
&lt;p&gt;Second, and for the same reason, there is no &quot;safe classical margin&quot; to buy. Against Shor, the defense is not a larger RSA key; it is a different kind of cryptography entirely.&lt;/p&gt;

Grover&apos;s algorithm is the other quantum result people invoke, and it is a boundary marker, not a structural break [@grover-1996]. It gives a generic square-root speedup for brute-force search, turning a $2^{n}$ key search into about $2^{n/2}$. That halves the effective strength of a symmetric key, which is why AES-256 is favored for post-quantum margin [@nist-sp800-57], but it does nothing structural to RSA: it does not factor `N`, and a square-root speedup on an already-astronomical factoring search changes nothing.
&lt;p&gt;Sit with what this section actually established, because it is the third and deepest shift in the whole article. We cannot prove factoring is hard; its decision problem is not even NP-complete, so RSA rests on a belief rather than a theorem. The fast lane is inert against a correct key, and the slow lane has been asymptotically frozen since 1990. Therefore the only structural break left standing against a well-generated key is a change of computational model, Shor&apos;s, and against that change a bigger key does essentially nothing.&lt;/p&gt;
&lt;p&gt;The confidence that &quot;a large enough RSA key is safe forever&quot; quietly dissolves. What replaces it is not panic but humility: the security you rely on is an assumption with a possible expiry date you cannot see.&lt;/p&gt;
&lt;p&gt;So we cannot prove it is hard, and we cannot yet build the machine that makes it easy. That leaves a precise list of things the field genuinely does not know, and one of them carries a deadline that is invisible precisely because no one can read it.&lt;/p&gt;
&lt;h2&gt;9. What is genuinely unresolved&lt;/h2&gt;
&lt;p&gt;Strip away the settled results and four honest unknowns remain. This is where the frontier actually sits, and naming the unknowns precisely is more useful than any confident prediction.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Is factoring in P?&lt;/strong&gt; No polynomial-time classical factoring algorithm is known, and none has been ruled out. The strongest evidence for &quot;hard&quot; is negative and empirical: the GNFS exponent has not moved off one third since 1990, and RSA-250 still stands as the largest general-purpose factorization [@lenstra-nfs-1990; @zimmermann-records]. But &quot;we have not found a faster algorithm in 35 years&quot; is not a proof that none exists, and no lower bound forbids one. This is the open problem the entire slow lane rests on.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Is the RSA problem strictly easier than factoring?&lt;/strong&gt; Also open. Boneh and Venkatesan&apos;s evidence points toward &quot;yes, at least for algebraic reductions,&quot; while Aggarwal and Maurer&apos;s equivalence holds only inside the generic ring model [@boneh-venkatesan-1998; @aggarwal-maurer-2009]. Whether recovering an RSA plaintext genuinely requires factoring, in the full model where an attacker can do anything, is unresolved.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How far can the small-&lt;code&gt;d&lt;/code&gt; lattice bound be pushed?&lt;/strong&gt; Boneh-Durfee reaches $d &amp;lt; N^{0.292}$, and Boneh and Durfee themselves conjecture the true insecurity threshold is $d &amp;lt; N^{0.5}$ [@boneh-durfee-1999]. The gap between $0.292$ and $0.5$ has resisted every attempt to close it, and subsequent lattice reformulations reach the same $0.292$ more cleanly without surpassing it [@may-survey-2009]. Nobody knows where the real boundary lies.&lt;/p&gt;

The exponent $0.292\ldots$ is not a round number; it is exactly $1 - 1/\sqrt{2} \approx 0.2929$, a quadratic irrational (the root of $2\delta^2 - 4\delta + 1 = 0$) that falls out of the lattice determinant condition [@boneh-durfee-1999]. Two honesty caveats travel with it: the conjectured true bound $N^{0.5}$ is only a conjecture, and even the proven $N^{0.292}$ result relies on the standard, unproven heuristic that the short lattice vectors LLL returns are algebraically independent. The fast lane&apos;s strongest result is itself built on an assumption.
&lt;p&gt;&lt;strong&gt;When does a cryptographically relevant quantum computer arrive?&lt;/strong&gt; Genuinely unknowable. And this is the unknown with teeth, because it does not need to be answered to be dangerous.&lt;/p&gt;

An attacker records encrypted traffic today and stores it, betting that a cryptographically relevant quantum computer will exist before the data stops being sensitive. When that machine arrives, the archived ciphertext is decrypted retroactively with Shor&apos;s algorithm. The threat is live *now*, even though the tool to exploit it does not exist yet, because the interception happens today and only the decryption waits.

Harvest-now-decrypt-later is what converts an unpredictable timeline into a present-day decision. If your data must stay confidential for ten or twenty years, medical records, state secrets, long-term financial or identity data, then the relevant question is not &quot;does a quantum computer exist today?&quot; but &quot;might one exist within the confidentiality lifetime of what I am encrypting now?&quot; For long-lived secrets, the honest answer is that you cannot rule it out, and the falling resource estimates make ruling it out harder each year [@gidney-2025]. That is the entire case for beginning migration to [post-quantum key-establishment](/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/) even though no CRQC exists and no credible timeline can be given. You are not reacting to a machine; you are protecting data whose lifetime outruns your ability to forecast.
&lt;p&gt;Unknowable timelines are not an excuse for paralysis. If you ship RSA today, all four open problems collapse into one concrete, answerable question: what do you actually &lt;em&gt;do&lt;/em&gt;?&lt;/p&gt;
&lt;h2&gt;10. How not to be the vulnerable key&lt;/h2&gt;
&lt;p&gt;Here is the practical reward for all this theory: every fast-lane attack in this article maps to exactly one parameter choice that closes it. The defense is not vigilance or luck. It is a short, checkable list, and mainstream libraries already implement most of it by default.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Do this&lt;/th&gt;
&lt;th&gt;It closes&lt;/th&gt;
&lt;th&gt;Anchor&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Use at least 2048-bit keys; 3072-bit for long-lived data&lt;/td&gt;
&lt;td&gt;the slow lane (GNFS)&lt;/td&gt;
&lt;td&gt;[@nist-sp800-57]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Set $e = 65537$, never 3&lt;/td&gt;
&lt;td&gt;Hastad, stereotyped, Franklin-Reiter and short-pad&lt;/td&gt;
&lt;td&gt;[@hastad-1988]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Use a full-size random &lt;code&gt;d&lt;/code&gt;, never a small one&lt;/td&gt;
&lt;td&gt;Wiener, Boneh-Durfee&lt;/td&gt;
&lt;td&gt;[@boneh-durfee-1999]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Encrypt with OAEP, never textbook RSA&lt;/td&gt;
&lt;td&gt;known-bits and related-message recovery&lt;/td&gt;
&lt;td&gt;[@rfc8017]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Generate two independent, well-sourced random primes&lt;/td&gt;
&lt;td&gt;known-bits-of-&lt;code&gt;p&lt;/code&gt; factoring&lt;/td&gt;
&lt;td&gt;[@may-survey-2009]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Begin migrating long-lived secrets to post-quantum schemes&lt;/td&gt;
&lt;td&gt;Shor plus harvest-now-decrypt-later&lt;/td&gt;
&lt;td&gt;[@gidney-2025]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;NIST maps key sizes to security levels calibrated directly against the GNFS cost curve: RSA-2048 gives roughly 112-bit security and RSA-3072 roughly 128-bit, which is why 3072 bits is the right choice for data that must survive well past 2030 [@nist-sp800-57]. That single row is the &lt;em&gt;only&lt;/em&gt; place where &quot;use a bigger key&quot; is the correct advice, because it is the only threat, the slow lane, that key size actually defends against.&lt;/p&gt;

Why $e = 65537$ specifically? It is $2^{16} + 1$, a Fermat prime. Being greater than the tiny exponents lets it defeat the low-exponent attacks, Hastad&apos;s broadcast, stereotyped-message recovery, Franklin-Reiter, while being only 17 bits long, with just two set bits, so encryption stays fast: a square-and-multiply exponentiation needs only 17 steps. It is the sweet spot: recommended by RFC 8017 [@rfc8017] and now the near-ubiquitous default in practice.
&lt;p&gt;The two scaling facts from the last two sections invert the usual intuition. A bigger key buys you &lt;em&gt;nothing&lt;/em&gt; against a fast-lane defect: an RSA-4096 key with a small &lt;code&gt;d&lt;/code&gt; falls to Wiener exactly as fast as an RSA-2048 key with a small &lt;code&gt;d&lt;/code&gt;, because the attack never touched the modulus size. And a bigger key buys you &lt;em&gt;nothing&lt;/em&gt; against Shor, whose cost grows only polynomially in the key length.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; A bigger RSA key does one thing: it makes the slow lane slower. It does nothing against a fast-lane defect, because those attacks ignore the modulus, and nothing against Shor, whose cost barely grows with key size. Security against the fast lane comes only from &lt;em&gt;removing the precondition&lt;/em&gt;; security against the third road comes only from &lt;em&gt;changing the primitive&lt;/em&gt;. Neither is bought with bits.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Use a 2048-bit key (3072-bit for long-lived data), the default $e = 65537$, a full-size random &lt;code&gt;d&lt;/code&gt;, two independent random primes from a vetted generator, and OAEP for encryption via your library&apos;s high-level API. That configuration closes the entire fast lane by construction and pushes the slow lane past any classical machine. The remaining work is not choosing better parameters, it is starting to plan a migration path for secrets whose confidentiality must outlast the arrival of a quantum computer.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One honest reminder, because a checklist can create false comfort. This list closes the &lt;em&gt;structural&lt;/em&gt; attacks, the subject of this article. It does not, by itself, protect you from the implementation and protocol failures that break RSA far more often in the real world: padding oracles, timing and fault leaks, weak random-number generators, the ROCA key-generation defect, and downgrade attacks such as FREAK. Those are a different discipline, covered by the empirical sibling &lt;em&gt;How RSA Breaks in Real Life&lt;/em&gt;. A perfectly parameterized key in a leaky implementation is still a broken key.&lt;/p&gt;
&lt;p&gt;Follow the checklist and the entire fast lane goes dark while the slow lane stays glacial, which leaves exactly one way a correctly generated key ever breaks.&lt;/p&gt;
&lt;h2&gt;11. The verdict&lt;/h2&gt;
&lt;p&gt;Return to the two-speed map, now carrying everything the article has shown. The front door, factoring the modulus, is bolted, and it opens only at a crawl. In 26 years the classical record moved from RSA-129 to RSA-250, roughly 400 bits, and it is still more than 1,200 bits short of a deployed 2048-bit key, on a cost curve that makes the remaining distance astronomical [@zimmermann-records; @boudot-rsa250-2020]. The engineers who picture a break as &quot;someone factors my key&quot; are watching the one door a bigger key actually guards.&lt;/p&gt;
&lt;p&gt;The fast cracks come through side windows, and a well-generated key never leaves them open. Against RSA-2048 with $e = 65537$, a full-size random &lt;code&gt;d&lt;/code&gt;, two independent primes, and OAEP, every Coppersmith-family precondition is absent, and the classical state of the art is simply &lt;em&gt;no applicable attack&lt;/em&gt; [@boneh-survey-1999; @rfc8017]. The fast lane is not slow against a good key; it is inapplicable, which is a stronger and stranger kind of safety.&lt;/p&gt;
&lt;p&gt;The one attack that opens the front door itself is Shor&apos;s, structural, polynomial, and almost indifferent to key size. It breaks even a flawless key, and it waits on hardware that does not exist as of 2026, with no credible timeline [@shor-siam-1997]. So the most-likely eventual &lt;em&gt;structural&lt;/em&gt; break of a good RSA key is not a classical factoring breakthrough at all. It is quantum, on a machine not yet built, and harvest-now-decrypt-later is what makes that future-tense sentence something to act on in the present [@gidney-2025].&lt;/p&gt;

The most-likely eventual break of a good RSA key is quantum, on a machine that has not been built. That is exactly why the forecast is actionable today.
&lt;p&gt;The misconceptions this reframing overturns, &quot;RSA is already broken,&quot; &quot;a quantum computer just cracked it,&quot; &quot;factoring is NP-hard,&quot; &quot;a bigger key stops everything,&quot; deserve direct answers, which the questions below provide. This article asked how RSA &lt;em&gt;would&lt;/em&gt; break. The answer is a two-speed map with a quantum horizon, and every road on it is now labeled.&lt;/p&gt;
&lt;h2&gt;12. Frequently asked questions&lt;/h2&gt;
&lt;p&gt;The claims below are the ones that come up most often, corrected against the evidence in this article.&lt;/p&gt;


No. A correctly generated RSA-2048 key with $e = 65537$, a full-size random `d`, independent primes, and OAEP padding has no applicable classical attack: the slow lane (GNFS) is astronomically far from a 2048-bit modulus, and every fast-lane attack needs a defect this key does not have [@boneh-survey-1999; @boudot-rsa250-2020]. RSA is not broken. It is a well-understood assumption with a known and distant classical threat, and a structural quantum threat that has no hardware yet.


No. Recurring headlines claim exactly this, and none has broken RSA-2048. No cryptographically relevant quantum computer exists as of 2026 [@gidney-2025]. The quantum result people most often conflate with a break, Grover&apos;s search algorithm, is only a quadratic speedup and is not a structural attack on RSA [@grover-1996]. The classical &quot;shortcut&quot; claims follow the same pattern as Schnorr&apos;s 2021 preprint, whose method produced zero usable relations at cryptographic size when implemented [@ducas-schnorrgate; @schneier-2021].


No, and this is the most common technical misconception. The decision version of factoring lies in the intersection of NP and co-NP, so it cannot be NP-complete unless NP equals co-NP, which is widely disbelieved [@hac-1996]. RSA does not inherit the difficulty of the hardest problems in NP. Its security rests on the specific, unproven belief that factoring is hard, not on a theorem [@hac-1996].


No. Shor&apos;s cost grows only polynomially in the number of digits of `N`, so doubling the modulus from 2048 to 4096 bits multiplies the quantum work by a small constant, not by the astronomical factor that same change imposes on classical factoring [@shor-siam-1997]. Key size defends only against the slow lane. Against the quantum threat, the answer is a different primitive, not a longer RSA key [@gidney-2025].


With correct OAEP padding, the low-exponent attacks lose their precondition, so $e = 3$ is not automatically fatal [@cfpr-1996; @rfc8017]. But $e = 65537$ is the safer default: it defeats the low-exponent family outright while staying cheap to compute, so a single padding mistake with $e = 3$ does not immediately reopen Hastad&apos;s broadcast or the stereotyped-message attack [@hastad-1988]. Choose the exponent that fails safe.


Those are out of scope for this article by design, because they are not breaks of RSA&apos;s mathematics. ROCA is a key-generation library defect, Bleichenbacher and Manger are padding oracles, FREAK is a protocol downgrade, and timing and fault attacks are physical side channels. Every one of them breaks the implementation or protocol around RSA, not the algorithm itself. They are the subject of the companion article, *How RSA Breaks in Real Life*.


Yes, but only for data with a long confidentiality lifetime. An attacker can record RSA-encrypted traffic now and decrypt it once a quantum computer exists [@gidney-2025]. If your secrets must stay protected for a decade or more, begin planning migration to post-quantum key-establishment even though no such machine exists today and no credible timeline can be given. For short-lived data, the classical picture in this article still governs.

&lt;p&gt;The question this article opened with was not whether RSA is broken, but how it &lt;em&gt;would&lt;/em&gt; break if it ever did. The evidence has drawn the map: a bolted front door that opens at a crawl, side windows a good key never leaves ajar, and a single quantum road to a machine still on the horizon.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-rsa-would-break&quot; keyTerms={[
  { term: &quot;Trapdoor one-way function&quot;, definition: &quot;Easy to compute forward, hard to invert without a secret. RSA&apos;s trapdoor is the factorization of N, and its security is the conjecture that inversion stays hard without it.&quot; },
  { term: &quot;General Number Field Sieve (GNFS)&quot;, definition: &quot;The fastest known classical factoring algorithm, heuristic cost L_N[1/3, (64/9)^(1/3)]; sub-exponential and glacial at cryptographic sizes.&quot; },
  { term: &quot;Sub-exponential / L-notation&quot;, definition: &quot;L_N[a,c] = exp((c+o(1))(ln N)^a (ln ln N)^(1-a)); the exponent a=1/3 sits between polynomial (0) and fully exponential (1).&quot; },
  { term: &quot;Coppersmith&apos;s small-root method&quot;, definition: &quot;Finds a root x0 of a degree-d modular polynomial in polynomial time whenever |x0| &amp;lt; N^(1/d), via LLL lattice reduction. The engine behind the whole fast lane.&quot; },
  { term: &quot;Continued-fraction convergent&quot;, definition: &quot;A best rational approximation h/k to a real number; Wiener&apos;s attack finds a small private exponent d as a convergent denominator of e/N.&quot; },
  { term: &quot;Boneh-Durfee bound&quot;, definition: &quot;The strongest small-d attack: recovers d whenever d &amp;lt; N^0.292, using Coppersmith&apos;s lattice aimed at the RSA key equation. Conjectured true bound is N^0.5.&quot; },
  { term: &quot;OAEP&quot;, definition: &quot;Randomized RSA padding from RFC 8017; injects fresh randomness so the encrypted integer is large and unique, removing the structure every Coppersmith-family attack needs.&quot; },
  { term: &quot;Shor&apos;s algorithm&quot;, definition: &quot;Quantum factoring in time polynomial in log N, via period-finding plus a classical gcd. Breaks even a correctly generated key, but needs a fault-tolerant quantum computer.&quot; },
  { term: &quot;CRQC&quot;, definition: &quot;A cryptographically relevant quantum computer: large and reliable enough to run Shor against RSA-2048. None exists as of 2026.&quot; },
  { term: &quot;Harvest now, decrypt later&quot;, definition: &quot;Record ciphertext today, decrypt once a CRQC exists; the reason an undated quantum threat is actionable now for long-lived secrets.&quot; }
]} questions={[
  { q: &quot;Why is factoring the slow path rather than the likely one?&quot;, a: &quot;GNFS is sub-exponential, so its cost climbs steeply with key size; the record moved only about 400 bits in 26 years and remains over 1200 bits short of RSA-2048. A bigger key defeats it outright.&quot; },
  { q: &quot;Why does the fast lane go dark against a correctly generated key?&quot;, a: &quot;Every Coppersmith-family attack needs a defect: a small exponent, a small d, missing padding, leaked bits, or correlated primes. A correct RSA-2048/OAEP key supplies none, so the attacks are correct but inapplicable.&quot; },
  { q: &quot;What single idea unifies Hastad, Wiener, Franklin-Reiter, partial key exposure, and Boneh-Durfee?&quot;, a: &quot;Coppersmith&apos;s small-root method: known structure plus a small unknown lets you solve for the unknown, using LLL whenever the unknown is smaller than N^(1/d).&quot; },
  { q: &quot;Why is the claim that RSA is NP-hard false?&quot;, a: &quot;The decision version of factoring lies in NP intersect co-NP, so it cannot be NP-complete unless NP equals co-NP. RSA rests on a belief that factoring is hard, not on a hardness theorem.&quot; },
  { q: &quot;Why does a bigger key fail to defend against Shor?&quot;, a: &quot;Shor&apos;s cost grows only polynomially in the digits of N, so doubling the modulus adds only a small constant of quantum work. Defending against the quantum road requires a different primitive, not more RSA bits.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>rsa</category><category>cryptanalysis</category><category>factoring</category><category>coppersmith</category><category>lattice-attacks</category><category>shor</category><category>public-key</category><category>post-quantum</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>How SHA-2 and SHA-3 Would Break: Merkle-Damgard Collisions, Length Extension, and the Sponge&apos;s Algebraic Frontier</title><link>https://paragmali.com/blog/how-sha-2-and-sha-3-would-break-merkle-damgard-collisions-le/</link><guid isPermaLink="true">https://paragmali.com/blog/how-sha-2-and-sha-3-would-break-merkle-damgard-collisions-le/</guid><description>SHA-2 and SHA-3 have never broken, yet each construction already dictates how it would fall -- collisions, length extension, and the sponge algebraic frontier.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
SHA-256 and SHA3-256 make the same promise -- about $2^{128}$ work to force a collision -- yet they share almost none of their internal machinery, and that difference decides how each one would die. SHA-2 (Merkle-Damgard) would fall to a Wang-style differential collision threaded through its compression function, and it already carries the length-extension property by design. SHA-3 (the Keccak sponge) has neither weakness; it relocates the fight onto the algebra of a single degree-2 step, chi, where the leading avenues are cube-style algebraic attacks and internal-differential collisions. The best published attacks reach only about 39 of SHA-256&apos;s 64 steps and 6 of Keccak&apos;s 24 rounds, so both margins are very large today. This is a structural &quot;how it would break,&quot; not a report that either has.
&lt;h2&gt;1. Two Hashes, Two Deaths&lt;/h2&gt;
&lt;p&gt;Here is something you can say about a machine before it has ever failed: which way it will fall. A structural engineer knows a bridge sways before it buckles and buckles before it snaps, because the failure mode is written into the truss, not painted onto the surface. &lt;a href=&quot;https://paragmali.com/blog/the-fingerprint-two-files-shared-a-field-guide-to-cryptograp/&quot; rel=&quot;noopener&quot;&gt;Cryptographic hash functions&lt;/a&gt; are the same. We can already describe, mechanically and in detail, how SHA-2 and SHA-3 would break -- even though nobody has ever broken either one, and the two descriptions have almost nothing in common.&lt;/p&gt;
&lt;p&gt;The two functions NIST standardized as the Secure Hash Standard and the SHA-3 Standard [@fips-180-4, @fips-202] sit underneath an enormous amount of modern security: certificate chains, signed software updates, commitment schemes, the proof-of-work in a blockchain. They advertise the same guarantee. For a 256-bit digest, finding any two inputs that hash to the same value should cost about $2^{128}$ attempts.That number is easy to say and hard to feel. $2^{128} \approx 3.4 \times 10^{38}$, a 39-digit count -- far more than every grain of sand on Earth, yet far fewer than the atoms that make up the Earth. It is an enormous human-scale number that is still dwarfed by atomic-scale ones.&lt;/p&gt;

A hash function is collision resistant if it is computationally infeasible to find two distinct inputs $m_1 \neq m_2$ with $H(m_1) = H(m_2)$. It is the strongest of the standard hash guarantees, and the one that differential cryptanalysis attacks head-on.
&lt;p&gt;That $2^{128}$ figure is not a design target so much as a ceiling imposed by arithmetic. Feed roughly $2^{n/2}$ random messages into any $n$-bit hash and, by the birthday paradox, two of them almost certainly collide. So $2^{128}$ is simply the generic cost of a birthday search against a 256-bit digest -- the number every genuine attack has to beat to count as a break [@fips-180-4].&lt;/p&gt;

For an ideal $n$-bit hash, a collision can always be found in about $2^{n/2}$ evaluations by the birthday paradox, and a preimage in about $2^{n}$. These generic costs -- $2^{128}$ and $2^{256}$ for a 256-bit digest -- are the definitional security targets any structural attack must beat.
&lt;p&gt;Now the strange part. SHA-256 and SHA3-256 keep that identical promise using almost none of the same parts. SHA-2 iterates a small compression function from a fixed starting value, folding the message in one block at a time -- the Merkle-Damgard design. SHA-3 does something else entirely: it stirs the message into a large public permutation and squeezes the digest back out -- the sponge. Two constructions, one guarantee.&lt;/p&gt;
&lt;p&gt;And because the constructions differ, their deaths differ. A Merkle-Damgard hash does not die at its digest size; it dies when a carefully chosen difference in the input threads through the compression function and cancels at the output -- the method that felled MD5 and SHA-1. It also leaks: given a digest, you can often extend the message without knowing it. The sponge has neither trait. It hands an attacker a different target: the algebra of its one nonlinear step, chi, which has algebraic degree just two.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Construction, not digest size, decides the failure mode. SHA-2 would die by a differential collision on its compression function and carries length extension by design; SHA-3 exposes an algebraic frontier against its degree-2 chi and has no length extension. Same promise, different battlefield.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That is the whole argument in one sentence, and the rest of this article is its proof. One boundary before we begin.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is structural cryptanalysis: it studies attacks on the mathematics of the algorithms themselves. Side-channel leaks, fault and power attacks, buggy implementations, weak random number generators, and protocol misuse are out of scope. They are real, and they are the subject of the companion article, &quot;How the Hash Functions Broke in Real Life: MD5, Flame, SHATTERED, and the Long Death of SHA-1.&quot; When the practical SHA-1 collisions appear below, they appear only as proof that a method works end to end, never as deployment history.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;To see why each death is pre-written, we have to go back to the 1989 bargain that made iterated hashing trustworthy in the first place -- and to the two debts it quietly signed on SHA-2&apos;s behalf.&lt;/p&gt;
&lt;h2&gt;2. The Merkle-Damgard Bargain of 1989&lt;/h2&gt;
&lt;p&gt;In 1989 two people, an ocean apart and unaware of each other, answered the same question the same way -- and in doing so pre-wrote how SHA-2 would one day die. Ralph Merkle and Ivan Damgard each presented the result at CRYPTO 1989 [@merkle-1989, @damgard-1989].&lt;/p&gt;
&lt;p&gt;The question was practical and deep at once: how do you hash a message of &lt;em&gt;arbitrary&lt;/em&gt; length using only a &lt;em&gt;fixed-size&lt;/em&gt; building block, and then &lt;em&gt;prove&lt;/em&gt; the result is as hard to collide as that block? Their answer is the scaffolding under nearly every hash you have ever used.&lt;/p&gt;

A method for turning a fixed-input-length compression function $f$ into a hash on arbitrary-length messages. Pad the message and split it into blocks $M_1, M_2, \ldots, M_t$; starting from a fixed initialization value $H_0 = IV$, compute $H_i = f(H_{i-1}, M_i)$; output the final $H_t$ as the digest. Merkle and Damgard each proved that if $f$ is collision resistant, so is the whole hash.
&lt;p&gt;The shape of the compression function they had in mind, and the one every hash in the SHA line uses, is Davies-Meyer.&lt;/p&gt;

A way to build a compression function from a block cipher $E$: treat the message block as the key and the chaining value as the plaintext, then feed the input back in, $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}$. The final XOR -- the &quot;feed-forward&quot; -- is what makes the function hard to invert; without it, an attacker could run the cipher backward from a chaining value.

flowchart LR
    IV[&quot;IV (fixed start)&quot;] --&amp;gt; F1[&quot;f&quot;]
    B1[&quot;Message block 1&quot;] --&amp;gt; F1
    F1 --&amp;gt;|&quot;chaining value H1&quot;| F2[&quot;f&quot;]
    B2[&quot;Message block 2&quot;] --&amp;gt; F2
    F2 --&amp;gt;|&quot;chaining value H2&quot;| F3[&quot;f&quot;]
    B3[&quot;Final block + length pad&quot;] --&amp;gt; F3
    F3 --&amp;gt; D[&quot;Digest = final chaining value&quot;]
&lt;p&gt;The proof is the reason the world trusted this design for two decades, and it is worth seeing rather than taking on faith -- because both of SHA-2&apos;s structural debts fall directly out of it.&lt;/p&gt;

Suppose an attacker finds two different messages $M \neq M&apos;$ with $H(M) = H(M&apos;)$; the two chains therefore end on the same value, $H_t = H&apos;_{t&apos;}$. If the messages have different lengths, Merkle-Damgard strengthening (appending the encoded length) forces the final blocks to differ, so two *different* last-step inputs map under $f$ to the *same* output -- a collision in $f$. If the messages have the same length, walk backward from the output, comparing the inputs fed into each $f$-call. The outputs match at the last step; if the inputs there differ, that is your $f$-collision, and if they match, the previous chaining values must match too, so you recurse one step earlier. Because $M \neq M&apos;$, some block differs, so the backward march cannot stay equal all the way down -- at the first step (scanning from the end) where the two $f$-inputs diverge, two distinct inputs produce one output. Every collision of $H$ yields a collision of $f$. Contrapositively, if $f$ is collision resistant, so is $H$: the whole hash is at least as strong as its compression function [@merkle-1989, @hac-chap9].
&lt;p&gt;That reduction is a genuine gift -- it lets designers focus all their effort on one small function -- but it comes with two debts written into the same clause.&lt;/p&gt;
&lt;p&gt;The first debt: &lt;em&gt;all&lt;/em&gt; of the hash&apos;s collision resistance now concentrates in $f$. An attacker cannot collide SHA-256 without colliding its 64-step compression function, so that function is the entire battlefield. Everything a would-be attacker does, and everything the last thirty-five years of cryptanalysis has done, targets exactly that object [@hac-chap9].&lt;/p&gt;
&lt;p&gt;The second debt is subtler and, for a practitioner, more immediately dangerous. Look again at the chain: the digest that comes out &lt;em&gt;is&lt;/em&gt; the final chaining value -- the complete internal state at the end of the computation. Nothing is hidden.&lt;/p&gt;

Given only $H(m)$ and the length of $m$ -- but not $m$ itself -- an attacker can compute $H(m \,\|\, \text{pad} \,\|\, y)$ for a suffix $y$ of their choosing. Because the digest is the full internal state, the attacker simply resumes the iteration from it, appends the &quot;glue&quot; padding, and continues hashing. This works against any plain Merkle-Damgard hash, including SHA-256.
&lt;p&gt;The strengthening step -- appending the message length before the final block -- is what makes the collision proof go through, closing the length-mismatch case above.The Davies-Meyer feed-forward and the length padding are two separate load-bearing details. The feed-forward stops an attacker running the block cipher backward from a chaining value; the length padding stops trivial collisions between messages of different lengths. Remove either and the reduction fails. But it does nothing to hide the state -- so it fixes the first debt&apos;s proof without touching the second debt at all.&lt;/p&gt;

Merkle-Damgard signs two debts at once: all collision resistance concentrates in one small function, and the digest is the whole internal state. The first is where the hash can be collided; the second is why it leaks.
&lt;p&gt;A construction that concentrates all its collision resistance in one small function is only ever as safe as that function is hard to collide. For fifteen years, nobody could touch it. Then the mathematics of differences arrived, and MD5 fell in minutes.&lt;/p&gt;
&lt;h2&gt;3. How a Merkle-Damgard Hash Actually Dies&lt;/h2&gt;
&lt;p&gt;The break, when it came, did not come from brute force. It came from the arithmetic of differences -- and once you see it, you cannot un-see why SHA-2 is built the way it is.&lt;/p&gt;
&lt;p&gt;The idea starts with a question no birthday search ever asks: what if we do not treat the hash as a black box, but push a &lt;em&gt;specific&lt;/em&gt;, carefully chosen difference between two messages through its internals and watch where the difference travels? If we can arrange for the difference to appear, ripple through a few steps, and then cancel itself out exactly at the output, the two messages collide -- and we never paid the $2^{n/2}$ birthday toll.&lt;/p&gt;
&lt;p&gt;Florian Chabaud and Antoine Joux built the first working version of this against SHA-0 at CRYPTO 1998 [@chabaud-joux-1998]. Their tools were two ideas that still organize the whole subject.&lt;/p&gt;

A low-weight input difference that creates a small perturbation over a handful of steps and then cancels itself, leaving the internal state unchanged afterward. Chaining local collisions along a message is how an attacker assembles a full collision out of small, controllable pieces.

A step-by-step trail specifying the exact difference between two computations at every point in the compression function, chosen so the trail begins with a message difference and ends in zero difference at the output. The probability that a random conforming message pair follows the trail governs the attack&apos;s cost.
&lt;p&gt;By chaining local collisions along a differential characteristic so the total difference vanished at the output, Chabaud and Joux drove the estimated cost of a SHA-0 collision down to roughly $2^{61}$ -- comfortably below the $2^{80}$ birthday wall for a 160-bit digest [@chabaud-joux-1998]. It was an estimate, not a produced collision, but it was the first real crack in the black box.&lt;/p&gt;
&lt;p&gt;Then Xiaoyun Wang turned the estimate into a scalpel. In 2004 and 2005, Wang, with Hongbo Yu and Yiqun Lisa Yin, announced results that stunned the field: full, practical collisions for MD5 -- Rivest&apos;s 1992 design [@rfc-1321] -- and a collision attack on the full SHA-1 [@rfc-3174], well below its birthday bound [@wang-yu-2005, @wang-yin-yu-2005]. The engine had two new parts. First, a &lt;em&gt;hand-built nonlinear path&lt;/em&gt; through the hard early steps of the compression function, spliced onto a cheap linear trail for the rest. Second, and decisive:&lt;/p&gt;

A technique that satisfies the early, high-probability conditions of a differential characteristic *deterministically*, by directly adjusting message words rather than hoping a random pair happens to comply. It moves the expensive part of the search from the beginning of the trail to its cheaper tail, collapsing the total cost.

flowchart TD
    A[&quot;Choose a message difference&quot;] --&amp;gt; B[&quot;Build a differential characteristic ending in zero output difference&quot;]
    B --&amp;gt; C[&quot;Derive per-step sufficient conditions on state bits&quot;]
    C --&amp;gt; D[&quot;Message-modify the early steps to force cheap conditions deterministically&quot;]
    D --&amp;gt; E[&quot;Search the residual probability for the hard late conditions&quot;]
    E --&amp;gt; F[&quot;Output a conforming colliding message pair&quot;]
&lt;p&gt;Why does modifying the message help so much? The answer is specific enough to work through, and it is exactly the mechanism the earlier hashes handed the attacker for free.&lt;/p&gt;

In a Davies-Meyer compression function the first sixteen steps consume the sixteen message words of the block essentially one per step: at step $i$ (for $i = 0..15$) the expanded word is just $W_i = m_i$, mixed straight into the state. So each early-step word is a *free variable the attacker fully controls*, entering the computation at exactly one known step.&lt;p&gt;Now, a differential characteristic holds only if certain state bits take certain values at each step -- Wang&apos;s &quot;sufficient conditions.&quot; Left to chance, each condition holds with probability about $1/2$, so a path with $k$ conditions costs about $2^k$ to satisfy by random trial. That is the naive price.&lt;/p&gt;
&lt;p&gt;Here is the trick. Because the attacker controls the very word $m_i$ feeding step $i$, they do not &lt;em&gt;gamble&lt;/em&gt; on the step-$i$ conditions -- they &lt;em&gt;solve&lt;/em&gt; for them. Given the desired output bits of step $i$, invert the round update (its additions, rotations, and Boolean function) for the single unknown $m_i$ and set it to the one value that forces those conditions with probability $1$. Every condition in the first sixteen steps is paid off deterministically, at unit cost, instead of probabilistically at $2^k$.&lt;/p&gt;
&lt;p&gt;Past step sixteen the message words re-enter through the schedule and no longer offer a fresh free variable per step, so the later conditions cannot all be solved directly. Wang&apos;s &lt;em&gt;multi-message&lt;/em&gt; modification clears some of them with coordinated corrective tweaks to several early words, but the residual conditions in the &quot;tail&quot; stay probabilistic. The total cost therefore collapses from the full characteristic probability (all conditions) to just the &lt;em&gt;tail&lt;/em&gt; probability. That collapse is why full MD5 fell in seconds to minutes and full SHA-1 fell to roughly $2^{69}$, far below its $2^{80}$ birthday wall [@wang-yu-2005, @wang-yin-yu-2005].
&lt;/p&gt;&lt;p&gt;&lt;/p&gt;
&lt;p&gt;The consequence reset every intuition about hash security. Full MD5, whose 128-bit digest nominally promised $2^{64}$ collision work, collapsed to seconds on a PC [@wang-yu-2005]. Full SHA-1, nominally $2^{80}$, fell to an estimated $2^{69}$ -- a real break of the design, years before anyone spent the compute to exhibit an actual colliding pair [@wang-yin-yu-2005].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; A Merkle-Damgard hash does not die at its digest size. It dies when a differential characteristic plus message modification threads its compression function -- deterministically through the early steps, cheaply through the tail. Collision resistance was never really about the number of output bits; it was always about whether a path exists through $f$.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Those hand-built attacks were later paid out in full, practical collisions -- SHAttered in 2017 and SHAmbles in 2020 -- but those belong to the deployment story, not this one.SHAttered (Stevens, Karpman, Bursztein, Albertini, and Markov) produced the first identical-prefix SHA-1 collision at about $2^{63.1}$ [@shattered]; SHAmbles (Gaetan Leurent and Thomas Peyrin, correcting a common misattribution to Marc Stevens) produced the first &lt;em&gt;chosen-prefix&lt;/em&gt; SHA-1 collision at about $2^{63.4}$ and forged a PGP key [@leurent-peyrin-2020, @sha-mbles-site]. Both are evidence that the differential method pays out end to end; the empirical sibling article tells their story.&lt;/p&gt;
&lt;p&gt;This is the pivotal fact of the whole subject. So the real question becomes: can that same scalpel reach SHA-2? The answer forced cryptography down two roads at once.&lt;/p&gt;
&lt;h2&gt;4. Two Lineages Diverge&lt;/h2&gt;
&lt;p&gt;Start with the cleanest evidence in the whole story that patching a weak compression function only buys time. SHA-0, standardized in 1993, had a linear message expansion; it was withdrawn in 1995 and replaced by SHA-1, whose entire difference from SHA-0 was a &lt;em&gt;single one-bit rotation&lt;/em&gt; added to that expansion. That one rotation held for about a decade. Then a Wang-style path walked straight through it [@wang-yin-yu-2005]. A one-operation fix delayed the break; it did not prevent it.&lt;/p&gt;
&lt;p&gt;This is the pattern to internalize: &quot;just add a round&quot; or &quot;just add a rotation&quot; hardens a Davies-Meyer compression function against yesterday&apos;s specific path, not against the &lt;em&gt;method&lt;/em&gt;. Incremental patches to a lightly-mixed function buy years, not safety -- which is exactly why SHA-2 needed a qualitatively heavier schedule and SHA-3 needed a different construction altogether.&lt;/p&gt;
&lt;p&gt;The full six-generation lineage reads as a slow-motion argument, each break motivating the next design.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash family&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Key design idea&lt;/th&gt;
&lt;th&gt;Best collision result&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;MD4&lt;/td&gt;
&lt;td&gt;1990&lt;/td&gt;
&lt;td&gt;Merkle-Damgard + Davies-Meyer, 128-bit, 48 steps&lt;/td&gt;
&lt;td&gt;full collisions (Dobbertin 1996 [@dobbertin-1996]; Wang 2005)&lt;/td&gt;
&lt;td&gt;historical [@wang-yu-2005]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MD5&lt;/td&gt;
&lt;td&gt;1992&lt;/td&gt;
&lt;td&gt;MD4 hardened: 64 steps, per-step constants&lt;/td&gt;
&lt;td&gt;practical full collisions (Wang-Yu 2005)&lt;/td&gt;
&lt;td&gt;historical [@rfc-1321, @wang-yu-2005]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-0&lt;/td&gt;
&lt;td&gt;1993&lt;/td&gt;
&lt;td&gt;160-bit, linear message expansion (no rotation)&lt;/td&gt;
&lt;td&gt;$\approx 2^{61}$ (Chabaud-Joux 1998)&lt;/td&gt;
&lt;td&gt;withdrawn 1995 [@chabaud-joux-1998]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-1&lt;/td&gt;
&lt;td&gt;1995&lt;/td&gt;
&lt;td&gt;SHA-0 plus one-bit rotation, 80 steps&lt;/td&gt;
&lt;td&gt;$\approx 2^{69}$ (Wang 2005); demonstrated 2017&lt;/td&gt;
&lt;td&gt;superseded [@wang-yin-yu-2005, @rfc-3174]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-2&lt;/td&gt;
&lt;td&gt;2001&lt;/td&gt;
&lt;td&gt;bigger state, nonlinear carry-laden schedule, 64/80 steps&lt;/td&gt;
&lt;td&gt;39/64 steps (reduced-round), full unbroken&lt;/td&gt;
&lt;td&gt;active [@fips-180-4, @li-liu-wang-2024]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-3 / Keccak&lt;/td&gt;
&lt;td&gt;2012/2015&lt;/td&gt;
&lt;td&gt;sponge over Keccak-f[1600], 24 rounds, hidden capacity&lt;/td&gt;
&lt;td&gt;6/24 rounds (reduced-round), full unbroken&lt;/td&gt;
&lt;td&gt;active [@fips-202, @keccak-team]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;

gantt
    title Two lineages, 1989 to 2024
    dateFormat YYYY
    axisFormat %Y
    section Construction
    Merkle-Damgard bargain :1989, 1990
    MD5 (RFC 1321) :1992, 1993
    SHA-1 (FIPS 180-1) :1995, 1996
    SHA-2 standardized :2001, 2002
    SHA-3 competition :2007, 2012
    SHA-3 standard (FIPS 202) :2015, 2016
    section Cryptanalysis
    Chabaud-Joux on SHA-0 :1998, 1999
    Wang breaks MD5 and SHA-1 :2004, 2006
    Zero-sum full Keccak-f :2011, 2012
    SHA-256 reduced-round records :2013, 2024
    SHA-3 internal-differential records :2013, 2024
&lt;p&gt;By 2005 the field had a decision to make, and it split into two philosophies. The first response was to harden the &lt;em&gt;same&lt;/em&gt; construction. SHA-2, standardized in 2001 and still the workhorse, kept Merkle-Damgard and Davies-Meyer but gave the compression function a much larger state, a heavier message schedule, and modular-addition mixing designed to starve differential paths [@fips-180-4]. That is the road we return to in the next section, because it worked.&lt;/p&gt;
&lt;p&gt;The second response was more radical. Stung by the 2004-2005 breaks, NIST announced the SHA-3 competition on November 2, 2007, and ran it until October 2, 2012, explicitly seeking a hash that would fail &lt;em&gt;differently&lt;/em&gt; from the Merkle-Damgard family -- so that a single new cryptanalytic idea could not bring down every standardized hash at once [@nist-sha3-project]. The winner was Keccak, a sponge built on a large public permutation, designed from the start so that its hidden capacity removes length extension by construction [@keccak-team].&lt;/p&gt;
&lt;p&gt;The subtle and load-bearing point is what NIST did &lt;em&gt;not&lt;/em&gt; do. It did not retire SHA-2.&lt;/p&gt;

The MD5-to-SHA-1-to-SHA-2 progression was a ladder of *replacements* -- each rung was climbed because the one below it broke. SHA-2 and SHA-3 are not that. FIPS 202 states in its own opening that the SHA-3 functions &quot;supplement&quot; SHA-1 and the SHA-2 family rather than replace them [@fips-202], and NIST&apos;s hash-function policy says plainly that &quot;currently there is no need to transition applications from SHA-2 to SHA-3&quot; [@nist-hash-policy]. The two standards coexist on purpose. The value is *diversification*: if a structural idea ever threatens one construction, the other rests on entirely different mathematics and is untouched. SHA-3 is an insurance policy, not an eviction notice.
&lt;p&gt;Two lineages, two answers to the same failure. But an answer is only as good as the attack it survives -- so why has SHA-2 held for more than two decades, and what exactly did the sponge change?&lt;/p&gt;
&lt;h2&gt;5. Why SHA-2 Held, and What the Sponge Changed&lt;/h2&gt;
&lt;p&gt;Two structural facts define the present. The first is that the same message-modification machinery that broke MD5 and SHA-1 &lt;em&gt;stalls&lt;/em&gt; on SHA-2 -- and the reason is one design choice. The second is that the sponge removed the debts a differential attack needs, and put something entirely different in their place.&lt;/p&gt;
&lt;h3&gt;Why the scalpel stalls on SHA-2&lt;/h3&gt;
&lt;p&gt;Recall the mechanism from the last section: message modification is cheap only because, in the early steps, each message word is a free variable entering the state at exactly one place. Break that &quot;one free word per early step&quot; structure and the trick loses its edge. SHA-2 breaks it on purpose.&lt;/p&gt;
&lt;p&gt;In MD5 and SHA-1 the message schedule is essentially a permutation (and, later, a linear expansion) of the input words -- clean and separable. SHA-2&apos;s schedule is neither. From step 16 onward, each expanded word is built by&lt;/p&gt;
&lt;p&gt;$$W_t = \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16} \pmod{2^{32}}$$&lt;/p&gt;
&lt;p&gt;where $\sigma_0$ and $\sigma_1$ are XORs of rotations and a shift, and the additions are &lt;em&gt;modular&lt;/em&gt; [@fips-180-4]. Those modular additions couple the words through &lt;em&gt;carries&lt;/em&gt;: changing one bit of one word can ripple through carry chains into many others. The clean, separable structure that let an attacker solve each early condition by inverting a single word update is gone. Now solving one sufficient condition perturbs others, and the conditions can no longer be discharged by independent single-word inversion.&lt;/p&gt;
&lt;p&gt;That carry-laden coupling is the structural reason the hand construction that felled MD5 and SHA-1 cannot be driven through SHA-2 by hand at all -- which is why the modern realization of the attack is an automated SAT/SMT solver managing the entangled condition system, and why even that tooling, in the record-holders&apos; own words, &quot;has reached the bottleneck&quot; around 39 of 64 steps [@li-liu-wang-2024]. We return to that number in the next section. For now the point is qualitative: SHA-2 held because it made the compression function&apos;s internals too coupled for the differential scalpel to carve cleanly.&lt;/p&gt;
&lt;h3&gt;What the sponge deleted&lt;/h3&gt;
&lt;p&gt;Keccak does not try to win the differential arms race. It changes the board.&lt;/p&gt;

A hash built from a single large public permutation $f$ over a state of $b = r + c$ bits. To *absorb*, split the padded message into $r$-bit blocks and, for each, XOR it into the first $r$ bits of the state and apply $f$. To *squeeze*, read out $r$ bits at a time, applying $f$ between reads, until enough digest bits are produced. Keccak uses $f = $ Keccak-f[1600], a 1600-bit permutation of 24 rounds.

The sponge state of $b$ bits is split into a *rate* of $r$ bits and a *capacity* of $c$ bits, with $b = r + c$. The message is XORed only into the rate, and the digest is read only from the rate. The capacity is never touched directly by input or output -- it is the hidden reservoir that carries security across the permutation calls.

flowchart LR
    MSG[&quot;Message blocks&quot;] --&amp;gt;|&quot;XOR into rate&quot;| RATE[&quot;Rate (r bits)&quot;]
    RATE --&amp;gt; F[&quot;Keccak-f[1600], 24 rounds&quot;]
    CAP[&quot;Capacity (c bits): never absorbed or squeezed&quot;] --&amp;gt; F
    F --&amp;gt;|&quot;squeeze&quot;| DIG[&quot;Digest, read from the rate only&quot;]
&lt;p&gt;Two debts vanish at once. Because the capacity is never emitted, the digest is &lt;em&gt;not&lt;/em&gt; the full internal state -- so no attacker can resume the computation from it. Length extension is gone by construction, not by patch [@keccak-sponge-duplex]. And because there is no keyed compression function -- just one fixed public permutation -- there is no keyed object to push a differential characteristic through to force a hash collision directly the way Wang did. The entire Merkle-Damgard attack surface is simply absent.&lt;/p&gt;
&lt;p&gt;So what is left to attack? The permutation&apos;s algebra. And that turns on the single nonlinear step inside Keccak-f.&lt;/p&gt;

flowchart LR
    S[&quot;State (1600 bits)&quot;] --&amp;gt; T[&quot;theta: linear column mixing (degree 1)&quot;]
    T --&amp;gt; R[&quot;rho: bit rotations (degree 1)&quot;]
    R --&amp;gt; P[&quot;pi: lane permutation (degree 1)&quot;]
    P --&amp;gt; C[&quot;chi: the only nonlinear step (degree 2)&quot;]
    C --&amp;gt; I[&quot;iota: add round constant (degree 1)&quot;]
    I --&amp;gt; O[&quot;Next-round state&quot;]

Every Boolean function can be written uniquely as a sum (XOR) of monomials over GF(2) -- its algebraic normal form. Its *algebraic degree* is the size of the largest monomial. An affine map (only single-variable terms) has degree 1; an AND of two input bits has degree 2. Low degree is a weakness: it makes a function vulnerable to higher-order-differential and cube techniques.

Chi is the single nonlinear step of Keccak-f. Along each 5-bit row it computes $y_i = x_i \oplus ((\lnot\, x_{i+1}) \land x_{i+2})$. Each output bit contains exactly one AND of two state bits, so chi has algebraic degree exactly 2. The other four steps of a round -- theta, rho, pi, iota -- are all linear or affine.
&lt;p&gt;Here is the load-bearing fact of the sponge&apos;s exposure, and it is worth deriving rather than asserting, because one word in it does real work.&lt;/p&gt;
&lt;p&gt;One round is the composition $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$. Four of those five steps are affine, degree 1; only chi is nonlinear, degree 2. Composing a degree-2 map with affine maps leaves the degree at 2, so a single round has $\deg(R) = 2$.&lt;/p&gt;
&lt;p&gt;Now use the composition bound for Boolean functions, $\deg(f \circ g) \le \deg(f) \cdot \deg(g)$, across $r$ rounds: $\deg(R^2) \le 2 \cdot 2 = 4$, $\deg(R^3) \le 2 \cdot 4 = 8$, and in general each extra round multiplies the bound by at most 2. The degree &lt;em&gt;doubles&lt;/em&gt; per round:&lt;/p&gt;
&lt;p&gt;$$1 ;\to; 2 ;\to; 4 ;\to; 8 ;\to; \cdots ;\to; 2^r, \qquad \text{so} \qquad \deg(\text{Keccak-}f^{,r}) \le 2^r.$$&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The degree &lt;em&gt;doubles&lt;/em&gt; each round, giving $\deg \le 2^r$. It does not &lt;em&gt;square&lt;/em&gt; each round -- squaring would compound as $2, 4, 16, 256, \ldots \approx 2^{(2^r)}$, a doubly-exponential growth that would make the bound useless within a few rounds and contradict the $2^r$ figure itself. The composition law multiplies the degree by at most $\deg(R) = 2$ each round, which is doubling. Getting this verb right is the difference between a bound that explains the whole algebraic frontier and one that is internally inconsistent.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;You can watch chi&apos;s degree-2 structure force a higher-order derivative to vanish directly. A degree-$d$ function summed (XORed) over any affine cube of dimension $d+1$ gives zero, so summing degree-2 chi over any 3-dimensional cube must vanish.&lt;/p&gt;
&lt;p&gt;{`
// chi on a 5-bit row: y[i] = x[i] XOR ((NOT x[i+1]) AND x[i+2]), indices mod 5.
function chi(x) {
  let y = 0;
  for (let i = 0; i &amp;lt; 5; i++) {
    const xi  = (x &amp;gt;&amp;gt; i) &amp;amp; 1;
    const xi1 = (x &amp;gt;&amp;gt; ((i + 1) % 5)) &amp;amp; 1;
    const xi2 = (x &amp;gt;&amp;gt; ((i + 2) % 5)) &amp;amp; 1;
    const bit = xi ^ ((xi1 ^ 1) &amp;amp; xi2);   // one AND term =&amp;gt; algebraic degree 2
    y |= (bit &amp;lt;&amp;lt; i);
  }
  return y;
}&lt;/p&gt;
&lt;p&gt;// A degree-d function has a vanishing (d+1)-th order derivative:
// summing it over ANY affine cube of dimension d+1 gives 0.
// chi has degree 2, so summing over ANY 3-dimensional cube must XOR to 0.
function sumOverCube(base, d1, d2, d3) {
  let acc = 0;
  for (let m = 0; m &amp;lt; 8; m++) {
    let x = base;
    if (m &amp;amp; 1) x ^= d1;
    if (m &amp;amp; 2) x ^= d2;
    if (m &amp;amp; 4) x ^= d3;
    acc ^= chi(x);
  }
  return acc;
}&lt;/p&gt;
&lt;p&gt;console.log(&quot;chi(0b10110)          =&quot;, chi(0b10110));
console.log(&quot;3-cube sum (should 0) =&quot;, sumOverCube(0b00000, 0b00001, 0b00010, 0b00100));
console.log(&quot;3-cube sum (should 0) =&quot;, sumOverCube(0b10101, 0b00011, 0b01100, 0b10000));
`}&lt;/p&gt;
&lt;p&gt;One honesty note keeps this from overclaiming.The bound $\deg \le 2^r$ is the &lt;em&gt;elementary&lt;/em&gt; degree-doubling law, and it is only informative at low round counts. Keccak-f acts on 1600 bits, where &lt;em&gt;any&lt;/em&gt; permutation has degree at most 1599; $2^r$ already exceeds 1599 at $r = 11$, so the elementary bound says nothing about the full 24 rounds. The full-round result in Section 8 -- a zero-sum partition of size $2^{1590}$ -- rests instead on the tighter degree bound of Boura, Canteaut, and De Canniere, which stays below the state size even at 24 rounds [@boura-canteaut-decanniere-2011]. The elementary law is what caps the cube attack at a handful of rounds; the refined bound is what lets the zero-sum reach all 24. Keep them separate and the whole SHA-3 frontier stays legible.&lt;/p&gt;
&lt;p&gt;Now the two constructions can be laid side by side.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;SHA-2 (SHA-256)&lt;/th&gt;
&lt;th&gt;SHA-3 (SHA3-256 / SHAKE256)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Construction&lt;/td&gt;
&lt;td&gt;Merkle-Damgard + Davies-Meyer&lt;/td&gt;
&lt;td&gt;Keccak sponge over Keccak-f[1600]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Full-function rounds/steps&lt;/td&gt;
&lt;td&gt;64 steps&lt;/td&gt;
&lt;td&gt;24 rounds&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Leading structural avenue&lt;/td&gt;
&lt;td&gt;differential collision search (single)&lt;/td&gt;
&lt;td&gt;algebraic frontier + internal-differential (two)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best structural collision reach&lt;/td&gt;
&lt;td&gt;39/64 SFS; $\approx$ 31/64 from-IV&lt;/td&gt;
&lt;td&gt;6/24 (SHAKE256); 5/24 (SHA3-384)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Length extension&lt;/td&gt;
&lt;td&gt;yes (structural; digest is the full state)&lt;/td&gt;
&lt;td&gt;no (capacity hidden)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Generic collision target&lt;/td&gt;
&lt;td&gt;$2^{128}$&lt;/td&gt;
&lt;td&gt;$2^{128}$&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; SHA-2 keeps the differential attack surface and the length-extension debt. The sponge trades both away for an algebraic surface whose degree grows only as $2^r$. The two functions do not sit on one strength axis, a bigger lock on the same door -- they expose &lt;em&gt;different&lt;/em&gt; attack surfaces, so they would die &lt;em&gt;different&lt;/em&gt; deaths. Construction, not digest size, selects the failure mode.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;So the two constructions hand an attacker two different problems: thread a carry-laden differential path through 64 steps, or break the low-degree algebra of 24 rounds. How far has anyone actually gotten on each?&lt;/p&gt;
&lt;h2&gt;6. The Best Published Attacks, With Margins&lt;/h2&gt;
&lt;p&gt;Here is the scoreboard. After thirty-five years of cryptanalysis, where exactly does the deepest published structural attack stop on each function, and how far is that from the full thing? This is the article&apos;s quantitative core, and it comes with a reading rule that matters more than any single number.&lt;/p&gt;
&lt;p&gt;The yardstick never changes. A structural break must beat the generic birthday cost of $2^{n/2}$ on the &lt;em&gt;full&lt;/em&gt; function. On full SHA-256 and full SHA3-256, no published attack does; the best-known collision attack on either full function is still the generic one at $2^{128}$ [@li-liu-wang-2024, @dinur-etal-2015]. Every record below is progress on the &lt;em&gt;method&lt;/em&gt;, measured against a full function that remains untouched.&lt;/p&gt;
&lt;h3&gt;The SHA-2 record board&lt;/h3&gt;
&lt;p&gt;Against SHA-2, one avenue has all the reach: automated differential characteristic search -- the mechanized descendant of Wang&apos;s hand construction, driven by SAT and SMT solvers and steered by mixed-integer linear programming. Reading its records needs one distinction.&lt;/p&gt;

Attack models differ in how much freedom the attacker has over the chaining value. A *from-IV* collision uses the real fixed initialization value and is a true hash collision. A *semi-free-start* (SFS) collision lets the attacker choose the single chaining value both messages share. A *free-start* (FS) collision lets the attacker also choose a difference in the chaining value. SFS and FS are weaker attacker goals -- progress markers on the compression function, not full-hash collisions.
&lt;p&gt;The current records, all &lt;em&gt;practical&lt;/em&gt; (a real colliding pair verified on a PC, not merely a sub-birthday estimate), come from Mendel, Nad, and Schlaffer in 2013 and from Li, Liu, and Wang in 2024 [@mendel-nad-schlaffer-2013, @li-liu-wang-2024]:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Function&lt;/th&gt;
&lt;th&gt;Model&lt;/th&gt;
&lt;th&gt;Best reach&lt;/th&gt;
&lt;th&gt;Practical?&lt;/th&gt;
&lt;th&gt;Untouched margin&lt;/th&gt;
&lt;th&gt;Source&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;SHA-256&lt;/td&gt;
&lt;td&gt;from-IV&lt;/td&gt;
&lt;td&gt;31 / 64 steps&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;33 steps&lt;/td&gt;
&lt;td&gt;Mendel-Nad-Schlaffer 2013 [@mendel-nad-schlaffer-2013]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-256&lt;/td&gt;
&lt;td&gt;semi-free-start&lt;/td&gt;
&lt;td&gt;39 / 64 steps&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;25 steps&lt;/td&gt;
&lt;td&gt;Li-Liu-Wang 2024 [@li-liu-wang-2024]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-224&lt;/td&gt;
&lt;td&gt;free-start&lt;/td&gt;
&lt;td&gt;40 / 64 steps&lt;/td&gt;
&lt;td&gt;yes (prior best $2^{110}$)&lt;/td&gt;
&lt;td&gt;24 steps&lt;/td&gt;
&lt;td&gt;Li-Liu-Wang 2024 [@li-liu-wang-2024]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA-512&lt;/td&gt;
&lt;td&gt;semi-free-start&lt;/td&gt;
&lt;td&gt;28 practical / 31 theoretic of 80&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;49+ steps&lt;/td&gt;
&lt;td&gt;Li-Liu-Wang 2024 [@li-liu-wang-2024]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHA3-384&lt;/td&gt;
&lt;td&gt;collision&lt;/td&gt;
&lt;td&gt;5 / 24 rounds&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;19 rounds&lt;/td&gt;
&lt;td&gt;Zhang-Hou-Liu 2024 [@zhang-hou-liu-2024]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SHAKE256&lt;/td&gt;
&lt;td&gt;collision&lt;/td&gt;
&lt;td&gt;6 / 24 rounds&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;18 rounds&lt;/td&gt;
&lt;td&gt;Zhang-Hou-Liu 2024 [@zhang-hou-liu-2024]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Keccak (keyed)&lt;/td&gt;
&lt;td&gt;key recovery&lt;/td&gt;
&lt;td&gt;9 / 24 rounds&lt;/td&gt;
&lt;td&gt;6-round practical&lt;/td&gt;
&lt;td&gt;large&lt;/td&gt;
&lt;td&gt;Dinur et al. 2015 [@dinur-etal-2015]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Keccak-f&lt;/td&gt;
&lt;td&gt;zero-sum distinguisher&lt;/td&gt;
&lt;td&gt;24 / 24 rounds&lt;/td&gt;
&lt;td&gt;structural set&lt;/td&gt;
&lt;td&gt;none, but no break&lt;/td&gt;
&lt;td&gt;Boura-Canteaut-De Canniere 2011 [@boura-canteaut-decanniere-2011]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The 2024 paper set three firsts at once: the first practical semi-free-start collision for 39-step SHA-256 (improving the decade-old 38-step SFS record), the first practical free-start collision for 40-step SHA-224 where the prior best was a theoretic attack at time complexity $2^{110}$, and practical and theoretic collisions for reduced SHA-512 [@li-liu-wang-2024]. Impressive -- and then the same authors say where the road ends.&lt;/p&gt;

&quot;The current advanced tool to search for SHA-2 characteristics has reached the bottleneck.&quot; -- Li, Liu, and Wang, on why the attack cannot climb past about 39 of 64 steps [@li-liu-wang-2024]
&lt;p&gt;The modular-addition diffusion from Section 5 is exactly what makes longer characteristics effectively unfindable with today&apos;s encodings.The three record numbers for the same function are not a contradiction -- they are three different attacker games. From-IV is a true collision on the real hash. Semi-free-start hands the attacker the shared chaining value. Free-start additionally hands them a chosen difference in it. Each added freedom buys a few more steps of reach, which is why SHA-256 shows 31 (from-IV), 39 (SFS), and its sibling SHA-224 shows 40 (FS). The from-IV number is the one that measures the real hash.&lt;/p&gt;
&lt;h3&gt;The SHA-3 record board&lt;/h3&gt;
&lt;p&gt;The sponge side has three attacks rather than one, and the next section is devoted to why they disagree about what &quot;progress&quot; means.&lt;/p&gt;
&lt;p&gt;For the scoreboard, the reduced-round facts are these. Cube and cube-like algebraic attacks reach up to 9 of the 24 rounds in &lt;em&gt;keyed&lt;/em&gt; Keccak modes, with the 6-round attacks fully practical on a desktop [@dinur-etal-2015]. Internal-differential collision cryptanalysis holds the actual &lt;em&gt;collision&lt;/em&gt; records: 5 of 24 rounds for SHA3-384 and 6 of 24 for SHAKE256 [@zhang-hou-liu-2024]. And a zero-sum distinguisher reaches all 24 rounds of the permutation while producing no collision at all [@boura-canteaut-decanniere-2011] -- the row we unpack next.&lt;/p&gt;
&lt;p&gt;The team that set the deepest keyed reach stated the bottom line directly.&lt;/p&gt;

&quot;The security margin of Keccak remains large.&quot; -- Dinur, Morawiecki, Pieprzyk, Srebrny, and Straus, whose cube-attack-like cryptanalysis reached the deepest keyed rounds [@dinur-etal-2015]
&lt;p&gt;Now state the margins plainly, because they are the number a practitioner actually needs. For SHA-256, the deepest collision result leaves roughly 25 of 64 steps untouched in the semi-free-start model and about 33 untouched from the real IV. For a Keccak &lt;em&gt;collision&lt;/em&gt;, roughly 18 of 24 rounds remain untouched. Those are not narrow escapes; they are the bulk of each function.&lt;/p&gt;
&lt;p&gt;{`
// A toy keyed function of public bits p0,p1 and secret key bits k0,k1.
// Algebraic degree 2 -- the product (p0 AND p1) is the only quadratic term.
function f(p0, p1, k0, k1) {
  return ((p0 &amp;amp; p1) ^ (p1 &amp;amp; k0) ^ (p0 &amp;amp; k1) ^ k0) &amp;amp; 1;
}&lt;/p&gt;
&lt;p&gt;// Cube over the single public variable p0: XOR f over p0 in {0,1}.
// The resulting &quot;superpoly&quot; is LINEAR in the key -- it equals p1 XOR k1.
function cubeSumOverP0(p1, k0, k1) {
  return f(0, p1, k0, k1) ^ f(1, p1, k0, k1);
}&lt;/p&gt;
&lt;p&gt;// The attacker cannot see the key. Say the hidden key is:
const K0 = 1, K1 = 0;&lt;/p&gt;
&lt;p&gt;// Query with p1 = 0 and sum the cube: the quadratic term dies and k1 falls out.
const recovered = cubeSumOverP0(0, K0, K1);
console.log(&quot;cube superpoly at p1=0 recovers k1 =&quot;, recovered, &quot;(true k1 =&quot;, K1, &quot;)&quot;);&lt;/p&gt;
&lt;p&gt;// The same reading discipline for any reduced-round headline:
function margin(reached, total, unit) {
  return &quot;reached &quot; + reached + &quot;/&quot; + total + &quot; &quot; + unit +
         &quot;  -&amp;gt;  &quot; + (total - reached) + &quot; &quot; + unit + &quot; still untouched&quot;;
}
console.log(margin(39, 64, &quot;SHA-256 steps&quot;));
console.log(margin(6, 24, &quot;SHAKE256 rounds&quot;));
`}&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; A headline of &quot;39 of 64 steps&quot; or &quot;6 of 24 rounds&quot; is not &quot;almost broken.&quot; A reduced-round record measures &lt;em&gt;distance to a break&lt;/em&gt;, not &lt;em&gt;nearness&lt;/em&gt; to one. The record climbs by one or two steps every few years, against a function whose full round count has never been threatened. Treat every such headline as a ruler laid against the margin, and the panic evaporates.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One number on the SHA-3 side hides an argument, though. The deepest result of all -- the zero-sum -- reaches every one of Keccak&apos;s 24 rounds, and still breaks nothing. To see why, look at the three rival attacks on the sponge side by side.&lt;/p&gt;
&lt;h2&gt;7. The SHA-3 Fork the Thesis Holds Open&lt;/h2&gt;
&lt;p&gt;SHA-2&apos;s story has one protagonist: differential collision search, with no rival of comparable reach. SHA-3&apos;s story has three, and they disagree about what the word &quot;reach&quot; even means. Pretending that one of them is &lt;em&gt;the&lt;/em&gt; SHA-3 break would misrepresent the field, so this section keeps the fork open.&lt;/p&gt;
&lt;h3&gt;Method A: cube and cube-like attacks&lt;/h3&gt;
&lt;p&gt;The cube attack, introduced by Itai Dinur and Adi Shamir in 2009, is the avenue the title of this article names the &lt;em&gt;algebraic frontier&lt;/em&gt;, because it exploits the low degree that chi keeps small at low round counts [@dinur-shamir-2009].&lt;/p&gt;

An algebraic attack that treats each output bit as an unknown low-degree polynomial over GF(2) in the public and secret input bits. Summing the output over a *cube* -- all $2^{k}$ assignments of $k$ chosen public variables -- cancels every term that does not contain all $k$ cube variables, leaving a lower-degree &quot;superpoly.&quot; Choose the cube so the superpoly is linear in the secret bits, collect enough such equations, and solve for the key.
&lt;p&gt;The method is provably successful on random low-degree polynomials whenever the number of public variables exceeds $d + \log_d n$, and it runs in about $2^{d-1} n + n^2$ bit operations for degree $d$ over $n$ secret variables [@dinur-shamir-2009].&lt;/p&gt;
&lt;p&gt;Against Keccak, Dinur, Morawiecki, Pieprzyk, Srebrny, and Straus reached up to 9 of the 24 rounds faster than exhaustive search, with the 6-round attacks fully practical [@dinur-etal-2015]. But note precisely what it threatens: key recovery or forgery in &lt;em&gt;keyed&lt;/em&gt; Keccak modes -- not a plain hash collision.The cube round counts come from keyed Keccak variants such as message authentication codes and the Keyak authenticated-encryption scheme, whose nominal round count is 12. In those modes a secret key exists to recover. Standard SHA3-256 hashing has no key, so the cube attack does not by itself produce a hash collision -- it is the deepest &lt;em&gt;algebraic&lt;/em&gt; reach, in a different attack model. And because the degree doubles each round, the cube needed grows astronomically past a handful of rounds, which is exactly why it stalls at 9.&lt;/p&gt;
&lt;h3&gt;Method B: zero-sum distinguishers&lt;/h3&gt;
&lt;p&gt;Take the same low-degree property but drop the key, and you get a statement about the raw permutation. Christina Boura, Anne Canteaut, and Christophe De Canniere used a refined bound on the degree of iterated permutations to build zero-sum partitions of size $2^{1590}$ for the &lt;em&gt;full&lt;/em&gt; 24-round Keccak-f [@boura-canteaut-decanniere-2011].&lt;/p&gt;
&lt;p&gt;This is the deepest structural reach anyone has into Keccak -- it touches every round -- and it is also the least usable result in the subject. It distinguishes the permutation from an ideal one; it yields no collision, no preimage, nothing against the hash. Hold that paradox; the next section is built on it.&lt;/p&gt;
&lt;h3&gt;Method C: internal-differential collisions&lt;/h3&gt;
&lt;p&gt;The record-holders work differently again -- and they are the avenue that produces the property that actually matters for a hash.&lt;/p&gt;

Instead of a difference between two separate messages, an internal-differential attack exploits a difference *within a single state* -- for example, between translated copies of the state under Keccak&apos;s internal symmetry. Inputs that respect the symmetry are squeezed into a small subset of possible outputs, so a birthday search confined to that small subset finds collisions far below the usual $2^{n/2}$ cost.
&lt;p&gt;The line runs from Thomas Peyrin&apos;s generalized internal differentials in 2010, through Dinur, Dunkelman, and Shamir -- who produced actual collisions for 3-round Keccak, a 4-round Keccak-384 attack $2^{45}$ times faster than birthday, and collisions on 5 rounds of Keccak-256 [@dinur-dunkelman-shamir-2013] -- to Zhongyi Zhang, Chengan Hou, and Meicheng Liu, whose &quot;probabilistic linearization&quot; extended the records to 5 rounds of SHA3-384 and 6 of SHAKE256 [@zhang-hou-liu-2024]. This is the only avenue that delivers real collisions on the standardized instances.&lt;/p&gt;
&lt;p&gt;Now put the three side by side. The decisive column is not &quot;how many rounds&quot; but &quot;what property.&quot;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;Cube / cube-like&lt;/th&gt;
&lt;th&gt;Zero-sum higher-order diff.&lt;/th&gt;
&lt;th&gt;Internal-differential collisions&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Property threatened&lt;/td&gt;
&lt;td&gt;keyed-mode key recovery / forgery&lt;/td&gt;
&lt;td&gt;permutation distinguisher (not a break)&lt;/td&gt;
&lt;td&gt;actual hash collisions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best round reach&lt;/td&gt;
&lt;td&gt;9 / 24 (keyed)&lt;/td&gt;
&lt;td&gt;24 / 24 (full permutation)&lt;/td&gt;
&lt;td&gt;6 / 24 (SHAKE256), 5 / 24 (SHA3-384)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Practical demo&lt;/td&gt;
&lt;td&gt;yes, 6-round&lt;/td&gt;
&lt;td&gt;structural ($2^{1590}$ sets)&lt;/td&gt;
&lt;td&gt;yes, actual collisions to 3-5 rounds&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Model&lt;/td&gt;
&lt;td&gt;keyed (MAC / AE)&lt;/td&gt;
&lt;td&gt;keyless permutation&lt;/td&gt;
&lt;td&gt;keyless hash / XOF&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;What limits it&lt;/td&gt;
&lt;td&gt;degree doubles per round ($\deg \le 2^r$)&lt;/td&gt;
&lt;td&gt;capacity hides the permutation output&lt;/td&gt;
&lt;td&gt;characteristic decays with rounds&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Structural motivation&lt;/td&gt;
&lt;td&gt;direct: low-degree chi&lt;/td&gt;
&lt;td&gt;direct: the degree bound&lt;/td&gt;
&lt;td&gt;indirect: Keccak internal symmetry&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Source&lt;/td&gt;
&lt;td&gt;[@dinur-shamir-2009, @dinur-etal-2015]&lt;/td&gt;
&lt;td&gt;[@boura-canteaut-decanniere-2011]&lt;/td&gt;
&lt;td&gt;[@dinur-dunkelman-shamir-2013, @zhang-hou-liu-2024]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is the honest balance the whole SHA-3 story turns on. The zero-sum method reaches all 24 rounds but yields no break; the cube method reaches 9 rounds but only in keyed modes; the internal-differential method reaches just 6 rounds but is the sole avenue that produces real collisions. The algebraic / cube line is the &lt;em&gt;distinctive, structurally-motivated&lt;/em&gt; frontier -- it follows directly from the degree-2 chi -- and the internal-differential line &lt;em&gt;holds the collision records&lt;/em&gt;. Both are leading; neither out-reaches the other on the property that matters to it. Contrast SHA-2, where differential collision search is the single leading avenue with no competitor of comparable reach.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Third-party cryptanalysis of all three families is tracked publicly by the designers [@keccak-third-party]. That middle row -- 24 rounds reached, nothing broken -- is not an accident of today&apos;s tooling. It is a &lt;em&gt;provable&lt;/em&gt; wall, and understanding why forces us to the theoretical limits.&lt;/p&gt;
&lt;h2&gt;8. The Ideal, the Bounds, and the Distinguisher Trap&lt;/h2&gt;
&lt;p&gt;Begin with the middle row from the last table, because it is the strangest fact in the subject. A zero-sum partition of size $2^{1590}$ reaches &lt;em&gt;all 24 rounds&lt;/em&gt; of Keccak-f -- the deepest structural property anyone has ever proved about it -- and it yields no collision, no preimage, nothing usable against the hash [@boura-canteaut-decanniere-2011]. How can the deepest result reach the whole function and still break nothing?&lt;/p&gt;
&lt;p&gt;First, the wall that neither function&apos;s attackers have crossed. On the &lt;em&gt;full&lt;/em&gt; SHA-256 and full SHA3-256, no published structural attack beats $2^{128}$ for a collision or $2^{256}$ for a preimage. Best-known equals generic on both, so the &quot;beat the birthday bound&quot; gap is not merely large -- it is &lt;em&gt;open and uncrossed&lt;/em&gt;. Nobody has closed &lt;em&gt;any&lt;/em&gt; of it on either full function [@fips-180-4, @fips-202]. Everything in Section 6 is reduced-round evidence about how far away the break is.&lt;/p&gt;
&lt;p&gt;Now the answer to the zero-sum paradox, which is a proof, not a hope.&lt;/p&gt;

A structured set of inputs whose images under the permutation XOR to zero and whose preimages also XOR to zero. Because Keccak-f has bounded algebraic degree forward and a low-degree inverse backward, one can build such a set straight through the permutation. It distinguishes Keccak-f from an ideal random permutation, and does nothing else.

A construction built on an ideal primitive is *indifferentiable* from a random oracle if no efficient distinguisher can tell them apart, even when the distinguisher is allowed to query the underlying primitive directly. It is the strong security notion for hash constructions: it certifies that the construction adds no exploitable structure of its own on top of the primitive.
&lt;p&gt;Bertoni, Daemen, Peeters, and Van Assche proved in 2008 that a sponge calling a random permutation is indifferentiable from a random oracle: the success probability of &lt;em&gt;any&lt;/em&gt; generic attack is at most its success probability against a true random oracle plus $N^2/2^{c-1}$, where $N$ is the number of queries to the permutation and $c$ is the capacity [@sponge-indiff, @keccak-sponge-duplex].&lt;/p&gt;
&lt;p&gt;The strength of the claim is the clause &quot;even when the distinguisher can query the permutation directly&quot; -- a simulator can answer those permutation queries consistently with random-oracle outputs up to about $2^{c/2}$ work. Below $2^{c/2}$ in the hidden capacity, nothing separates the sponge from an ideal object.&lt;/p&gt;
&lt;p&gt;That is what disarms the zero-sum. A zero-sum partition is a structural distinguisher of the &lt;em&gt;permutation&lt;/em&gt; f alone -- a global property of how f maps XOR structure. The indifferentiability theorem runs in exactly one direction: any attack on the sponge F implies a distinguisher on f, but &lt;em&gt;not the converse&lt;/em&gt;. Having a distinguisher on f does not hand you an attack on F. In the designers&apos; own words:&lt;/p&gt;

&quot;The existence of a structural distinguisher for f does not necessarily imply an attack or weakness in F.&quot; -- Bertoni, Daemen, Peeters, and Van Assche, on why a permutation property need not be a hash break [@keccak-sponge-duplex]
&lt;p&gt;Concretely, a collision requires &lt;em&gt;steering&lt;/em&gt; the rate bits of two different messages so that their squeezed outputs coincide across the hidden capacity. The zero-sum gives an attacker no such steering: it certifies a global XOR property of the permutation, not a way to aim two chosen inputs at one output through the capacity. So it lies &lt;em&gt;outside&lt;/em&gt; the class of exploitable structure that indifferentiability rules out, and a distinguisher whose success probability is zero below $2^{c/2}$, in the designers&apos; phrase, &quot;forms no threat&quot; [@keccak-sponge-duplex].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; A permutation distinguisher is not a hash break. &quot;Reaches all 24 rounds&quot; and &quot;produces a collision&quot; are provably &lt;em&gt;different&lt;/em&gt; statements, separated by the capacity&apos;s $2^{c/2}$ indifferentiability margin -- not merely by the current state of tooling. Depth of reach into the permutation is not nearness to a break of the hash. The capacity stands between them by design, and the standing between is a theorem.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; When you read a headline that an attack &quot;reaches the full permutation&quot; or &quot;distinguishes all rounds,&quot; resist the reflex to read it as near-catastrophe. For a sponge, a full-permutation distinguisher and a hash collision are separated by a proof. The distinguisher can be the deepest result in the field and still be the least dangerous one.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two more limits complete the picture, one on each construction. On the sponge side, the full-round zero-sum exists only because of the &lt;em&gt;refined&lt;/em&gt; degree bound, not the elementary one.Recall from Section 5 that the elementary law $\deg \le 2^r$ goes vacuous by round 11 against a 1600-bit state. The 24-round zero-sum instead rests on Boura, Canteaut, and De Canniere&apos;s tighter bound for permutations whose nonlinear layer is parallel small S-boxes, which stays below the state size all the way to round 24 [@boura-canteaut-decanniere-2011]. The elementary law caps the cube attack; the refined law powers the distinguisher. On the Merkle-Damgard side, length extension is not a bug that a better implementation could remove -- it is a &lt;em&gt;provable inevitability&lt;/em&gt; of the untruncated construction. Because the SHA-2 digest is the whole final chaining value, anyone with $H(m)$ and $|m|$ can resume the iteration, full stop [@hac-chap9]. The only cures are to stop emitting the whole state (the sponge), hide enough of it (sufficient truncation), or wrap the hash (&lt;a href=&quot;https://paragmali.com/blog/the-tag-verified-the-cipher-held-the-forgery-went-through-a-/&quot; rel=&quot;noopener&quot;&gt;HMAC&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;So the limits cut both ways. The sponge is closer to the &lt;em&gt;ideal object&lt;/em&gt; -- indifferentiable up to the capacity, no length extension -- while SHA-2 is closer to the &lt;em&gt;ideal margin in practice&lt;/em&gt;, with the bulk of its steps untouched by any differential path. Neither is anywhere near falling. One scope marker remains, because readers always ask about it.&lt;/p&gt;

Quantum computing changes the constants, not the constructions. Grover&apos;s algorithm lowers a *preimage* search from $2^n$ to $2^{n/2}$, but it does *not* beat the classical $2^{n/2}$ birthday bound for *collisions* in realistic bounded-memory models, and it exploits no internal structure of either hash -- it is a generic square-root speedup that would apply equally to an ideal random oracle. So it is generic, not structural, and the correct hedge is simply *more output bits* (SHA-384, SHA-512, SHAKE256 at a longer output), not a new design [@nist-hash-policy]. Shor&apos;s algorithm, which does break things structurally, is irrelevant here: it factors integers and computes discrete logarithms, threatening asymmetric primitives such as RSA and elliptic-curve signatures, not symmetric hashes. In this series, Shor counts as structural math for those primitives; for SHA-2 and SHA-3 it simply does not apply.
&lt;p&gt;The limits leave exactly one question standing: if neither function is close to falling, where &lt;em&gt;would&lt;/em&gt; the next round of progress even come from?&lt;/p&gt;
&lt;h2&gt;9. Where the Next Round Would Come From&lt;/h2&gt;
&lt;p&gt;If either function is ever broken, the break will arrive through one of a small, nameable set of open problems. Naming them turns you from spectator into forecaster.&lt;/p&gt;

flowchart TD
    Q[&quot;Where would a break come from?&quot;] --&amp;gt; A[&quot;SHA-2: differential search&quot;]
    Q --&amp;gt; B[&quot;SHA-3: three avenues&quot;]
    A --&amp;gt; A1[&quot;OP-1: past ~40 of 64 steps? Stalled at 39&quot;]
    B --&amp;gt; B1[&quot;Cube: 9 of 24, keyed only&quot;]
    B --&amp;gt; B2[&quot;Internal-differential: 6 of 24 collisions&quot;]
    B --&amp;gt; B3[&quot;Zero-sum: 24 of 24, distinguisher only&quot;]
    B2 --&amp;gt; OP2[&quot;OP-2: close the ~18-round gap?&quot;]
    B3 --&amp;gt; OP4[&quot;OP-4: cross the capacity barrier?&quot;]
    A1 --&amp;gt; OP3[&quot;OP-3: beat 2^128 on a full function, THE break, none known&quot;]
    OP2 --&amp;gt; OP3
    OP4 --&amp;gt; OP3
&lt;p&gt;&lt;strong&gt;OP-1: Can differential characteristic search push SHA-256 past about 40 steps?&lt;/strong&gt; The full-function margin depends entirely on how far this single leading avenue can climb, and the 2024 record paper reports the tooling &quot;has reached the bottleneck&quot; -- modular-addition diffusion makes longer characteristics effectively unfindable with current encodings. Whether that is a fundamental barrier or an artifact of today&apos;s solvers is itself open [@li-liu-wang-2024].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;OP-2: Can any SHA-3 avenue close the roughly 18-round gap to a full-Keccak collision?&lt;/strong&gt; The best collision reach is 6 of 24 rounds, and the two leading avenues advance a round or two per decade, neither clearly out-reaching the other on its target property [@zhang-hou-liu-2024, @dinur-etal-2015].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;OP-3: Is there any structural attack that beats the birthday bound on either full family?&lt;/strong&gt; This is &lt;em&gt;the&lt;/em&gt; break -- and today the answer is a clean no. Best-known equals generic on both full functions; everything else in this article is reduced-round evidence about how far away this remains [@fips-180-4, @fips-202].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;OP-4: Why is the permutation-distinguisher / hash-collision divide so hard to cross?&lt;/strong&gt; The deepest reach into Keccak-f, the 24-round zero-sum, currently yields nothing usable against the hash. Section 8 argued the reason is structural: indifferentiability makes the capacity a genuine barrier, not merely a reduction nobody has found yet [@boura-canteaut-decanniere-2011, @sponge-indiff].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Only OP-3 is a break. OP-1, OP-2, and OP-4 are all measurements of &lt;em&gt;distance&lt;/em&gt; to OP-3. That reframing is the whole discipline of reading this field calmly: a reduced-round record moves a ruler, it does not open a door.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;None of this is the same as a proof of security. What cryptographers have &lt;em&gt;proved&lt;/em&gt; are &lt;em&gt;reductions&lt;/em&gt; -- collision resistance reduces to the compression function, sponge security reduces to the capacity -- plus the absence of any known attack that beats generic. &quot;No known structural attack&quot; is a strong empirical statement after thirty-five years of trying, but it is not &quot;proven unbreakable.&quot; Honesty about that gap is part of taking the subject seriously.&lt;/p&gt;
&lt;p&gt;None of these problems is close to solved -- which is exactly why the practical answer to &quot;what should I ship?&quot; is calm and specific.&lt;/p&gt;
&lt;h2&gt;10. What the Margins Mean on Monday Morning&lt;/h2&gt;
&lt;p&gt;So: should you change anything you shipped last week? Almost certainly not -- but there is exactly one structural gotcha worth ten minutes of your attention.&lt;/p&gt;
&lt;p&gt;Start with the reassurance. Both full functions are sound for their advertised properties. Every record in Section 6 is reduced-round; 39 of 64 steps of SHA-256 and 6 of 24 rounds of SHAKE256 do not threaten the full functions, which remain safe for collision, preimage, and second-preimage resistance [@li-liu-wang-2024, @zhang-hou-liu-2024]. Nothing in this article is a reason to rip out SHA-256.&lt;/p&gt;
&lt;p&gt;The one gotcha is &lt;a href=&quot;https://paragmali.com/blog/the-signature-was-valid-the-message-was-forged-a-field-guide/&quot; rel=&quot;noopener&quot;&gt;length extension&lt;/a&gt;, and it is a property of the construction, not a defect to be patched. If you ever compute a keyed digest as $H(\text{secret} ,|, \text{message})$ with a plain Merkle-Damgard hash and treat it as a MAC, an attacker who sees that digest can forge a valid one for a longer message without knowing the secret.&lt;/p&gt;

A construction that turns any iterated hash into a keyed message authentication code by nesting two hash calls, roughly $H((k \oplus opad) \,\|\, H((k \oplus ipad) \,\|\, m))$. The outer keyed hash means an attacker never sees a raw $H(\text{secret} \,\|\, \cdots)$ digest to extend, which is why HMAC defeats length extension even over SHA-256.
&lt;p&gt;The decision guide fits in one table.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Your need&lt;/th&gt;
&lt;th&gt;Use&lt;/th&gt;
&lt;th&gt;Why it works&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Keyed integrity / a MAC&lt;/td&gt;
&lt;td&gt;HMAC over SHA-2&lt;/td&gt;
&lt;td&gt;the outer keyed hash hides the extensible state [@rfc-2104]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;A drop-in SHA-2 that resists extension&lt;/td&gt;
&lt;td&gt;SHA-512/256&lt;/td&gt;
&lt;td&gt;truncation hides 256 state bits, more than enough [@fips-180-4]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Length-extension immunity by construction&lt;/td&gt;
&lt;td&gt;SHA-3 or SHAKE&lt;/td&gt;
&lt;td&gt;the capacity is never emitted, so there is no state to resume [@fips-202]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;What to avoid&lt;/td&gt;
&lt;td&gt;plain SHA-256(secret then message) as a MAC&lt;/td&gt;
&lt;td&gt;the digest is the full state, so it is forgeable&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Need a keyed digest? Reach for HMAC or a SHA-3 / KMAC construction. Need a plain hash that will not leak its state? Use SHA-512/256 or any SHA-3 function. Do not hand-roll $H(\text{secret} ,|, m)$.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The mechanism is worth seeing once, because it explains why &quot;just hash the secret with the message&quot; fails.&lt;/p&gt;

sequenceDiagram
    participant D as Defender
    participant A as Attacker
    D-&amp;gt;&amp;gt;D: hash secret then message into digest t
    D-&amp;gt;&amp;gt;A: publish digest t and the message length
    Note over A: attacker never learns the secret
    A-&amp;gt;&amp;gt;A: resume internal state from t
    A-&amp;gt;&amp;gt;A: append glue padding then an evil suffix
    A-&amp;gt;&amp;gt;D: send forged message plus a new digest
    Note over D: the new digest verifies as a valid hash
&lt;p&gt;{`
// A toy Merkle-Damgard hash where the state IS the digest.
// This shows the STRUCTURE of length extension, not real SHA-256 output.
function compress(state, ch) {
  // stand-in mixing; a real f is Davies-Meyer over a block cipher
  return (((state &amp;lt;&amp;lt; 5) ^ (state &amp;gt;&amp;gt;&amp;gt; 2) ^ ch) &amp;gt;&amp;gt;&amp;gt; 0);
}
function hash(state, message) {
  for (let i = 0; i &amp;lt; message.length; i++) {
    state = compress(state, message.charCodeAt(i));
  }
  return state &amp;gt;&amp;gt;&amp;gt; 0;
}&lt;/p&gt;
&lt;p&gt;const IV = 0x9e3779b9;&lt;/p&gt;
&lt;p&gt;// Defender hashes a secret-prefixed message and publishes only the digest.
const secretPrefixed = &quot;SECRET-user=guest&quot;;
const digest = hash(IV, secretPrefixed);&lt;/p&gt;
&lt;p&gt;// Attacker never learns the secret, but the digest IS the state,
// so they resume from it and append a chosen suffix.
const suffix = &quot;&amp;amp;admin=true&quot;;
const forged = hash(digest, suffix);&lt;/p&gt;
&lt;p&gt;// In a real hash the attacker also splices in the glue padding,
// producing H(m || pad || suffix). Here (no padding) it lands exactly:
const legitimate = hash(IV, secretPrefixed + suffix);&lt;/p&gt;
&lt;p&gt;console.log(&quot;forged   =&quot;, forged);
console.log(&quot;expected =&quot;, legitimate);
console.log(&quot;match    =&quot;, forged === legitimate);
`}&lt;/p&gt;
&lt;p&gt;A worked forgery for SHA-256 and SHA-512 is exactly what the hash_extender tool automates [@hash-extender]. But truncation is where the naive intuition &quot;any truncation stops extension&quot; quietly fails, and SHA-224 is the trap.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; SHA-224 is SHA-256 truncated to 224 bits, so it emits seven of the eight 32-bit words of the internal state and hides only one -- about 32 bits. An attacker who wants to resume the iteration is missing just those $2^{32}$ possibilities, which is a brute-force search a laptop finishes quickly, after which extension proceeds normally. So SHA-224 is &lt;em&gt;not&lt;/em&gt; immune to length extension; it merely raises the bar by a weak 32-bit margin. That point is a &lt;em&gt;structural word-count&lt;/em&gt; argument, not something the standard tool shows: hash_extender declines to implement SHA-224 precisely because the naive extension does not directly apply, so it lists SHA-224 as &quot;not&quot; vulnerable [@hash-extender]. Do not read that &quot;not&quot; as safety -- read it as &quot;32 bits of margin.&quot; True immunity needs a truncation that hides &lt;em&gt;enough&lt;/em&gt; state, which is why SHA-512/256, hiding 256 bits, genuinely resists extension and SHA-224 does not [@fips-180-4].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two smaller notes round out the practical picture. First, a naming hazard that bites developers.Ethereum&apos;s &quot;Keccak-256&quot; is not SHA3-256. Ethereum froze the original Keccak submission before FIPS 202 added its domain-separation padding, so the two functions append different bits before permuting and therefore produce &lt;em&gt;different digests on the same input&lt;/em&gt; [@fips-202]. Code that assumes they are interchangeable will compute the wrong hash. This is a padding difference, not a security difference -- but it is a real bug source. Second, the quantum question again: if you are hedging against a future quantum adversary, the move is a &lt;em&gt;longer digest&lt;/em&gt; -- SHA-384, SHA-512, or SHAKE256 at a longer output -- not a migration to a different construction, because Grover is a generic speedup that a bigger output absorbs [@nist-hash-policy].&lt;/p&gt;
&lt;p&gt;Every one of these recommendations is a corollary of a single idea -- the construction decides the failure mode. A few common misconceptions fall out of the same idea, and they are worth clearing up directly.&lt;/p&gt;
&lt;h2&gt;11. Misconceptions the Structural View Corrects&lt;/h2&gt;
&lt;p&gt;Six questions whose honest answers are all the same idea in disguise: the construction, not the digest size, decides the failure mode.&lt;/p&gt;


No -- it *supplements* the SHA-2 family rather than replacing it, and NIST sees no need to migrate; the two coexist as deliberate design diversity, so a break in one construction leaves the other standing. See Section 4 [@fips-202, @nist-hash-policy].


Only for preimages, and only generically: Grover square-roots a preimage search but gives no real edge on collisions in bounded-memory models, so the hedge is a longer digest, not a new construction. See Section 8 [@nist-hash-policy].


No -- only a truncation that hides *enough* state. SHA-512/256 hides 256 bits and resists it; SHA-224 hides only about 32, a weak margin rather than true immunity. See the SHA-224 truncation trap in Section 10 [@fips-180-4].


No. A reduced-round record measures distance to a break, not nearness to one: the deepest results reach only about 39 of SHA-256&apos;s 64 steps and 6 of Keccak&apos;s 24 rounds. See Section 6 [@li-liu-wang-2024, @zhang-hou-liu-2024].


No. Ethereum froze the pre-FIPS-202 Keccak padding, so Keccak-256 and SHA3-256 return different digests on the same input -- same permutation, different padding. See Section 10 [@fips-202].


No -- it is a provable structural property of any untruncated Merkle-Damgard hash, removed (not patched) by HMAC, sufficient truncation, or the sponge. See Sections 2 and 10 [@rfc-2104, @fips-202].

&lt;p&gt;Every answer traces back to the same sentence. It is worth stating that sentence one last time, with all the evidence now behind it.&lt;/p&gt;
&lt;h2&gt;12. The Construction Writes the Obituary&lt;/h2&gt;
&lt;p&gt;We opened with a claim that should have sounded like a bluff: that we could describe, mechanically, how each of these functions would fall before either has ever fallen. Now the description is complete, and the two obituaries share nothing but a date that has not arrived.&lt;/p&gt;
&lt;p&gt;SHA-2 would die the way MD5 and SHA-1 died -- a Wang-style differential collision threaded through its compression function, deterministic in the early steps and cheap through the tail. It survives today only because its carry-laden schedule keeps that path unfindable past about 39 of 64 steps, and it carries length extension as a structural debt from the 1989 bargain [@li-liu-wang-2024].&lt;/p&gt;
&lt;p&gt;SHA-3 would die a different death entirely, on the algebra of a single degree-2 step: the cube frontier that stalls at 9 keyed rounds, and the internal-differential collisions that hold the records at 6 [@zhang-hou-liu-2024]. Its deepest known property reaches all 24 rounds and still breaks nothing, because the capacity provably stands between a permutation distinguisher and a hash collision.&lt;/p&gt;
&lt;p&gt;And the margins are the payoff. Roughly 25 to 33 of SHA-256&apos;s 64 steps, and roughly 18 of Keccak&apos;s 24 rounds, remain entirely untouched after thirty-five years of the best cryptanalysis in the world [@li-liu-wang-2024, @zhang-hou-liu-2024, @dinur-etal-2015]. The construction writes the obituary; the cryptanalysis only fills in the date, and the date is nowhere close.&lt;/p&gt;

The construction writes the obituary. A hash does not die at its digest size -- it dies where its construction is thinnest, and no two constructions are thin in the same place.
&lt;p&gt;That is the through-line, and it hands off cleanly. How these functions have actually failed people in the field -- Flame&apos;s rogue certificate, the long death of SHA-1 in the browser -- is a different kind of story, told by the empirical sibling to this piece, &quot;How the Hash Functions Broke in Real Life.&quot;&lt;/p&gt;
&lt;p&gt;And it points forward: if a hash&apos;s construction predicts its structural death, the natural next question for this series is whether the same is true for the ciphers and signature schemes still to come -- whether, for every primitive, the shape of the thing already names the way it would break.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-sha2-and-sha3-would-break&quot; keyTerms={[
  { term: &quot;Merkle-Damgard construction&quot;, definition: &quot;Iterating a compression function from a fixed IV over padded message blocks; the digest is the final chaining value.&quot; },
  { term: &quot;Length extension&quot;, definition: &quot;Computing H(m plus pad plus y) from H(m) and the length of m, without knowing m, because the digest is the full internal state.&quot; },
  { term: &quot;Differential characteristic&quot;, definition: &quot;A step-by-step trail of input-to-output differences that ends in zero difference, the backbone of a collision attack.&quot; },
  { term: &quot;Message modification&quot;, definition: &quot;Solving the early sufficient conditions of a characteristic deterministically by adjusting free message words, collapsing the search cost to the tail.&quot; },
  { term: &quot;Sponge construction&quot;, definition: &quot;Absorbing message blocks into the rate of a large permutation and squeezing the digest from the rate, keeping the capacity hidden.&quot; },
  { term: &quot;Algebraic degree&quot;, definition: &quot;The size of the largest monomial in a function&apos;s algebraic normal form; Keccak&apos;s chi has degree 2.&quot; },
  { term: &quot;Zero-sum distinguisher&quot;, definition: &quot;A structured input set whose images and preimages both XOR to zero, a property of the permutation that is not a hash break.&quot; },
  { term: &quot;Indifferentiability&quot;, definition: &quot;A proof that a construction adds no exploitable structure over its primitive, up to about 2^(c/2) in the capacity for the sponge.&quot; }
]} questions={[
  { q: &quot;Why does a Merkle-Damgard hash die at a differential path rather than at its digest size?&quot;, a: &quot;Because a collision of the hash reduces to a collision of the compression function, and a differential characteristic plus message modification finds one far below the birthday bound.&quot; },
  { q: &quot;Why is SHA-2 more resistant to message modification than MD5 or SHA-1?&quot;, a: &quot;Its message schedule couples words through modular-addition carries, so solving one sufficient condition perturbs others, destroying the one-free-word-per-step structure.&quot; },
  { q: &quot;Why does the degree bound double per round instead of squaring?&quot;, a: &quot;The composition law multiplies the degree by at most deg(R) equals 2 each round, giving 1,2,4,8 up to 2^r; squaring would grow doubly-exponentially and contradict the 2^r bound.&quot; },
  { q: &quot;Why is a full-round zero-sum distinguisher not a collision?&quot;, a: &quot;The sponge is indifferentiable from a random oracle up to the capacity, so an attack on the sponge implies a distinguisher on the permutation but not the converse.&quot; },
  { q: &quot;What is the one practical gotcha the structural view flags?&quot;, a: &quot;Length extension: use HMAC, SHA-512/256, or SHA-3 rather than a plain keyed Merkle-Damgard digest, and note that SHA-224 hides only about 32 bits.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>sha-2</category><category>sha-3</category><category>keccak</category><category>cryptanalysis</category><category>hash-functions</category><category>merkle-damgard</category><category>length-extension</category><category>sponge-construction</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>The Fortress and the Afterthought: How AES Would Break at Its Key Schedule</title><link>https://paragmali.com/blog/the-fortress-and-the-afterthought-how-aes-would-break-at-its/</link><guid isPermaLink="true">https://paragmali.com/blog/the-fortress-and-the-afterthought-how-aes-would-break-at-its/</guid><description>AES is not broken -- but if it ever were, the crack would start at its linear key schedule, not its celebrated round function. A structural cryptanalysis tour.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
**AES is not broken -- but if it ever were, the crack would start at its key schedule, not its celebrated round function.** Twenty-five years of single-key cryptanalysis have plateaued near 7 of AES-128&apos;s 10 rounds, which is the wide-trail round function working exactly as designed. The only attacks that reach all rounds faster than brute force either target the linear key schedule directly (related-key attacks: full AES-256 at $2^{99.5}$, full AES-192 at $2^{176}$) or lean on its slow diffusion (the biclique attack: $2^{126.1}$ / $2^{189.7}$ / $2^{254.4}$, a meet-in-the-middle acceleration of brute force, not a pure key-schedule break). The security margin is a living, quantitative measure -- narrow in *rounds reached* under related keys, astronomically wide in *complexity* everywhere -- and the key schedule is where it is thinnest.
&lt;h2&gt;1. The Cipher That Guards the Internet&lt;/h2&gt;
&lt;p&gt;Every time you open a bank app, unlock a laptop, or load a padlocked website, you are trusting AES -- and in twenty-five years of public assault, no one has come close to breaking it in the way that would matter. It underpins TLS sessions [@rfc8446-tls13], the &lt;a href=&quot;https://paragmali.com/blog/bitlocker-on-windows-architecture-attacks-and-the-limits-of-/&quot; rel=&quot;noopener&quot;&gt;full-disk encryption&lt;/a&gt; on laptops and phones, secure messaging, and the tunnels inside most VPNs. So this article does not ask whether AES is broken. It isn&apos;t. It asks a sharper, more honest question: &lt;em&gt;if&lt;/em&gt; it ever broke, where would the very first crack appear -- and the answer is not the part everyone admires.&lt;/p&gt;
&lt;p&gt;The Advanced Encryption Standard was chosen in an open, international contest run by the U.S. National Institute of Standards and Technology between 1997 and 2001, precisely so the world&apos;s cryptanalysts could attack the candidates before one became the standard [@nist-aes-dev]. The winner, Rijndael, has since absorbed a quarter-century of that attention. Textbooks celebrate two of its parts above all: the S-box, a slice of finite-field algebra, and MixColumns, a diffusion layer with a provable mixing guarantee. If you asked most engineers where a future break might begin, they would point at that famous mathematics.&lt;/p&gt;
&lt;p&gt;They would be pointing at the wrong place. The strongest results against full-round AES do not touch the S-box or MixColumns at all. They exploit the humblest component in the design -- the &lt;strong&gt;key schedule&lt;/strong&gt;, the little routine that stretches your 128-, 192-, or 256-bit key into the sequence of round keys the cipher actually uses. It is fast, simple, and almost entirely linear, and it is exactly where every sub-brute-force full-round result lives or leans.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The AES round function is the most-analyzed, most-trusted primitive in symmetric cryptography, and it has held. The key schedule is its least-designed, most-linear component. If AES ever falls, the accumulated evidence says the first crack starts there -- not at the celebrated mathematics, but at the afterthought bolted beside it.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That gap between &quot;the best attack we have&quot; and &quot;trying every key&quot; has a name, and it is the ruler this entire article uses.&lt;/p&gt;

The security margin of a cipher is the distance between the best known attack and brute force -- measured two ways at once: how many of the cipher&apos;s rounds an attack can reach out of the total, and how far below the $2^{n}$ cost of exhaustive key search the best full-cipher attack sits. A wide margin means attacks fall far short; a thin margin means they are creeping close. It is a living, quantitative number, not a binary &quot;broken or safe.&quot;
&lt;p&gt;One boundary before we start. This is a structural story -- about the mathematics of the algorithm itself. The attacks that actually steal data in the real world -- &lt;a href=&quot;https://paragmali.com/blog/correct-constant-time-and-still-owned-a-field-guide-to-side-/&quot; rel=&quot;noopener&quot;&gt;cache-timing side channels&lt;/a&gt;, fault injection, repeated GCM nonces, &lt;a href=&quot;https://paragmali.com/blog/they-read-your-plaintext-without-breaking-your-cipher-a-fiel/&quot; rel=&quot;noopener&quot;&gt;padding oracles&lt;/a&gt;, key-reinstallation attacks like KRACK -- never touch the cipher&apos;s math at all. Those belong to this article&apos;s empirical sibling; here, we stay inside the equations.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Everything below analyzes cryptanalysis of AES&apos;s own mathematics: the round function and the key schedule. Side channels, fault and power attacks, implementation bugs, weak random number generators, and protocol or mode misuse are deliberately out of scope, named only to mark the edge. They are the subject of the sibling article in the companion series &lt;em&gt;How It Breaks in Real Life&lt;/em&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;To see why the key schedule is the suspect, you first have to see what the designers built -- and what they admitted they left cheap.&lt;/p&gt;
&lt;h2&gt;2. A Cipher Designed Against Its Own Attack&lt;/h2&gt;
&lt;p&gt;By the late 1990s the old standard was dying in public. In 1998 the Electronic Frontier Foundation built a purpose-made machine called Deep Crack and brute-forced a DES key in a matter of days, proving a 56-bit key was no longer enough [@eff-des-cracker].DES had been the U.S. standard since 1977 [@eff-des-cracker]. Deep Crack&apos;s public key recovery in 1998 was the exclamation point on years of warnings, and it set the clock ticking on the AES competition.&lt;/p&gt;
&lt;p&gt;NIST&apos;s response was radical for a spy-adjacent agency: instead of designing a replacement behind closed doors, it announced an open, international contest and invited the world to break the candidates first [@nist-aes-dev]. Fifteen submissions were cut to five finalists -- MARS, RC6, Rijndael, Serpent, and Twofish -- and in October 2000 NIST named the Belgian design Rijndael the winner [@nist-round1] [@nist-press-2000].&lt;/p&gt;
&lt;p&gt;The cipher is &lt;em&gt;Rijndael&lt;/em&gt;, designed by Joan Daemen and Vincent Rijmen (the name blends theirs). &lt;em&gt;AES&lt;/em&gt; is the specific profile NIST standardized: Rijndael restricted to a 128-bit block with 128-, 192-, or 256-bit keys. Cryptanalysts often say &quot;Rijndael&quot; for the general cipher and &quot;AES&quot; for the standard.&lt;/p&gt;
&lt;p&gt;Here is the part of the story that plants this article&apos;s thesis. Daemen and Rijmen did not come to the contest cold. In 1997 they had co-designed an earlier cipher, Square, and -- unusually -- had published the strongest attack against it themselves: the &lt;strong&gt;Square attack&lt;/strong&gt;, a structural technique that tracks a carefully chosen set of inputs through the cipher&apos;s byte operations [@square-fse97]. They arrived at the AES competition already knowing the best way to attack their own architecture, and they engineered Rijndael&apos;s round function specifically to resist it.&lt;/p&gt;
&lt;p&gt;The tool they used was the wide-trail strategy, and it is the reason the round function has held for twenty-five years.&lt;/p&gt;

The wide-trail strategy is a design method that makes differential and linear attack paths (&quot;trails&quot;) provably improbable by guaranteeing many active S-boxes. In AES, MixColumns has a *branch number* of 5, which forces any two consecutive rounds to activate at least 5 of the byte substitutions. Over four rounds this compounds to a provable minimum of 25 active S-boxes -- and since each S-box caps an attacker&apos;s differential probability at $2^{-6}$, no useful high-probability trail can stretch across the cipher [@design-rijndael].
&lt;p&gt;The key schedule got the opposite treatment. Where the round function was engineered against a known attack with a provable bound, the key expansion was designed for speed and simplicity: enough structure to break symmetry between rounds and eliminate equivalent keys, and no more. It is built almost entirely from XOR and word rotation, with only an occasional column of S-box nonlinearity to break symmetry. The designers concentrated their genius on the round function and, by their own account, left the key schedule cheap. Twenty years later, peer-reviewed work put the consequence bluntly.&lt;/p&gt;

&quot;The key schedule is arguably the weakest part of the AES.&quot; -- Gaëtan Leurent and Clara Pernot, EUROCRYPT 2021 [@leurent-pernot-eurocrypt21]
&lt;p&gt;That asymmetry -- a fortress round function bolted to a lightly-built key schedule -- is the seed of everything that follows. The competition worked exactly as intended: Rijndael was chosen after the community failed to break it and the round function proved resilient [@nist-rijndael-report]. But &quot;resilient round function&quot; and &quot;no weak spot anywhere&quot; are different claims, and the next two decades of attacks would find the difference.&lt;/p&gt;
&lt;p&gt;The whole arc, from the contest to the full-round results, fits on one timeline.&lt;/p&gt;

timeline
    title The structural cryptanalysis of AES, 1997 to 2021
    1997 : Square cipher and the Square attack, Rijndael&apos;s ancestor
    2000 : Rijndael wins, round-function attacks reach 6 to 7 rounds
    2001 : FIPS 197 standardizes AES
    2008 : Single-key meet-in-the-middle line begins, still short of full rounds
    2009 : Related-key attacks reach full AES-192 and AES-256
    2011 : Biclique, the only single-key full-round result
    2021 : New key-schedule structure found after 20 years
&lt;p&gt;The designers told us where they concentrated their effort, and where they did not. To understand why that choice matters, open the machine up and look at the four operations inside.&lt;/p&gt;
&lt;h2&gt;3. Where the Strength Is, and Where It Isn&apos;t&lt;/h2&gt;
&lt;p&gt;AES is four operations repeated ten to fourteen times. Three of them are among the most-analyzed primitives in cryptography. The fourth -- the one that stretches your key into round keys -- is the one nobody fortified.&lt;/p&gt;
&lt;p&gt;Each round of AES transforms a 4-by-4 grid of 16 bytes through the same four steps [@fips197]:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SubBytes&lt;/strong&gt; replaces every byte using the S-box, the cipher&apos;s only source of nonlinearity in the data path.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ShiftRows&lt;/strong&gt; rotates the rows of the grid by different offsets, spreading bytes across columns.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MixColumns&lt;/strong&gt; mixes each column through a fixed matrix so that one changed input byte disturbs all four output bytes.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AddRoundKey&lt;/strong&gt; XORs in the round key for that round.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;AES-128 runs 10 rounds, AES-192 runs 12, and AES-256 runs 14. The count grows with the key because a longer key means a longer key schedule and more round keys to derive.The original Rijndael also permitted 192- and 256-bit blocks, but AES fixes the block at 128 bits and varies only the key length. Throughout this article, &quot;AES&quot; means that fixed-block profile.&lt;/p&gt;

flowchart TD
    A[&quot;State: 16 bytes in a 4x4 grid&quot;] --&amp;gt; B[&quot;SubBytes: S-box on every byte&quot;]
    B --&amp;gt; C[&quot;ShiftRows: rotate each row&quot;]
    C --&amp;gt; D[&quot;MixColumns: mix each column, branch number 5&quot;]
    D --&amp;gt; E[&quot;AddRoundKey: XOR the round key&quot;]
    E --&amp;gt; F[&quot;Next round&quot;]
&lt;p&gt;Two of these steps are why AES is trusted. The S-box is not an arbitrary lookup table; it is algebra.&lt;/p&gt;

The AES S-box maps each byte to its multiplicative inverse in the finite field $GF(2^8)$ (with zero mapped to zero), followed by a fixed affine transformation over the bits. The inversion supplies strong nonlinearity -- it caps the probability of any input-to-output difference at $2^{-6}$ -- while the affine step destroys the clean algebraic form that a pure inversion would leave behind, blunting algebraic attacks [@fips197] [@design-rijndael].
&lt;p&gt;MixColumns is the diffusion partner. Its matrix is chosen so that changing a single input byte changes all four output bytes of the column.This is the maximum-distance-separable (MDS) property, summarized by a &lt;em&gt;branch number&lt;/em&gt; of 5: the number of nonzero input bytes plus nonzero output bytes of MixColumns is always at least 5. It is what lets four rounds guarantee 25 active S-boxes, and it is unusually strong diffusion for such a cheap operation. Together, SubBytes and MixColumns make the round function mix so thoroughly that after just a couple of rounds every output bit depends on every input bit in a way no attacker has been able to shortcut. This is the fortress.&lt;/p&gt;
&lt;p&gt;Now meet the protagonist. The key schedule -- the routine FIPS 197 calls key expansion -- is what turns your master key into the round keys that AddRoundKey consumes.&lt;/p&gt;

The AES key schedule expands the master key into one round key per round (plus one for the initial whitening). It processes the key in 32-bit words: most new words are simply the XOR of two earlier words, and once per group of words it applies RotWord (a byte rotation), SubWord (the S-box on four bytes), and a round constant Rcon to break symmetry. AES-256 adds one extra SubWord column at the midpoint of each eight-word group -- two nonlinear columns per group rather than one -- but even then the expansion is overwhelmingly linear, XOR and rotation [@fips197].

flowchart LR
    W0[&quot;Word w0 to w3: the master key&quot;] --&amp;gt; N[&quot;Once per group: RotWord, then SubWord, then XOR Rcon&quot;]
    N --&amp;gt; X[&quot;XOR into the next word&quot;]
    W0 --&amp;gt; X
    X --&amp;gt; W1[&quot;Next four words: round key 1&quot;]
    W1 --&amp;gt; Y[&quot;Mostly plain XOR of earlier words&quot;]
    Y --&amp;gt; W2[&quot;Round key 2, and so on&quot;]
&lt;p&gt;Make the contrast visceral. The round function stirs the state with a nonlinear S-box on all 16 bytes and a strong diffusion layer, every single round. The key schedule stirs its state with XOR and rotation, and touches the S-box only four bytes at a time, once or twice per group of words.A 32-bit word is one column of four bytes, and SubWord runs the S-box on all four at once -- so one word and one S-box column mean the same thing here. One mixes with a sledgehammer; the other barely swirls.&lt;/p&gt;
&lt;p&gt;That gap has a consequence worth holding onto: because the expansion is mostly linear, a difference injected into the key propagates through it &lt;em&gt;predictably&lt;/em&gt;. If you know the difference going in, you can compute much of the difference coming out -- no probabilities required. Remember that when we reach the related-key attacks.&lt;/p&gt;
&lt;p&gt;You can watch the slow, predictable diffusion yourself. The demo below injects a one-byte difference into a master key and follows it through the linear backbone of the expansion. Notice that the earliest words stay untouched, and that once the difference appears it propagates in a fixed, fully determined pattern rather than exploding into randomness the way the round function would scramble it.&lt;/p&gt;
&lt;p&gt;{`
// A deliberately simplified model of the AES key-expansion BACKBONE:
// new word = previous word XOR the word four positions back.
// (The real schedule adds one S-box column per group; we skip that
//  nonlinear part to expose why differences travel predictably.)
const Nk = 4;          // 128-bit key = 4 words
const totalWords = 44; // 11 round keys of 4 words each&lt;/p&gt;
&lt;p&gt;function expandBackbone(seed) {
  const w = seed.slice();
  for (let i = Nk; i &amp;lt; totalWords; i++) {
    // linear step only: XOR of two earlier words
    w[i] = w[i - 1] ^ w[i - 4];
  }
  return w;
}&lt;/p&gt;
&lt;p&gt;// Two master keys that differ in exactly ONE word (a single injected difference).
const keyA = [0x00000000, 0x11111111, 0x22222222, 0x33333333];
const keyB = [0x00000000, 0x11111111, 0x22222222, 0x33333333 ^ 0x01000000];&lt;/p&gt;
&lt;p&gt;const a = expandBackbone(keyA);
const b = expandBackbone(keyB);&lt;/p&gt;
&lt;p&gt;let firstTouched = -1, touchedCount = 0;
for (let i = 0; i &amp;lt; a.length; i++) {
  const diff = a[i] ^ b[i];
  if (diff !== 0) {
    touchedCount++;
    if (firstTouched === -1) firstTouched = i;
  }
}
console.log(&quot;Injected a 1-word difference into word 3.&quot;);
console.log(&quot;First word carrying the difference: w&quot; + firstTouched);
console.log(&quot;Words disturbed out of &quot; + totalWords + &quot;: &quot; + touchedCount);
console.log(&quot;The difference is fully determined -- no guessing, no probability.&quot;);
console.log(&quot;A real attacker exploits exactly this predictability.&quot;);
`}&lt;/p&gt;
&lt;p&gt;A fortress bolted to an afterthought. For years, no attacker seemed to notice the afterthought -- they all threw themselves at the fortress. Here is what happened when they did.&lt;/p&gt;
&lt;h2&gt;4. The First Cracks, at Four to Seven Rounds&lt;/h2&gt;
&lt;p&gt;The moment Rijndael became a finalist, the world&apos;s cryptanalysts opened fire. The first attacks worked -- and then hit a wall almost immediately, at a height that has barely moved since.&lt;/p&gt;

A reduced-round attack targets a version of the cipher with fewer than the full number of rounds -- say 6-round AES-128 instead of 10-round. Cryptanalysts study reduced-round variants because they are the natural way to measure the security margin: the highest round count you can break, compared with the full count, is a direct reading of how much cushion remains [@lu-idc-indocrypt08].
&lt;p&gt;The opening salvo was the designers&apos; own weapon, turned up to full power. Integral cryptanalysis -- the generalized Square attack -- does not chase a probabilistic pattern the way classical differential attacks do. It exploits a property that holds with certainty.&lt;/p&gt;

An integral attack feeds the cipher a structured set of plaintexts -- a &quot;Lambda-set&quot; of 256 texts in which one byte takes all 256 possible values and the rest are held constant -- and tracks the whole set at once. Because SubBytes is a bijection, an all-values byte stays all-values; the load-bearing invariant is that after a few rounds the XOR (over $GF(2^8)$) of all 256 intermediate states is provably zero, or &quot;balanced.&quot; A wrong key guess in the final round breaks the balance, so the attacker keeps only guesses that preserve it [@square-fse97].
&lt;p&gt;That balanced sum gives a 3-round distinguisher, which the Square attack extends by wrapping key-guessing rounds around it to break up to 6 rounds of AES at about $2^{72}$ work [@square-fse97]. The invariant is simple enough that a student can implement it in a few lines.&lt;/p&gt;
&lt;p&gt;{`
// A Lambda-set&apos;s active byte takes all 256 values exactly once.
// Claim: after any bijective S-box, the XOR of all outputs is still 0.
// This is the &quot;balance&quot; property the Square attack sieves keys with.&lt;/p&gt;
&lt;p&gt;// Build a toy S-box: a random permutation of 0..255 (a bijection like AES&apos;s).
const sbox = Array.from({length: 256}, (_, i) =&amp;gt; i);
for (let i = 255; i &amp;gt; 0; i--) {
  const j = Math.floor(Math.random() * (i + 1));
  [sbox[i], sbox[j]] = [sbox[j], sbox[i]];
}&lt;/p&gt;
&lt;p&gt;// Active byte: all 256 values. XOR them before and after the S-box.
let xorInput = 0, xorOutput = 0;
for (let v = 0; v &amp;lt; 256; v++) {
  xorInput ^= v;          // XOR of 0..255 is 0 by construction
  xorOutput ^= sbox[v];   // a bijection just permutes those values
}
console.log(&quot;XOR of the active byte (input):  &quot; + xorInput);   // 0
console.log(&quot;XOR after the bijective S-box:   &quot; + xorOutput);  // still 0
console.log(xorOutput === 0 ? &quot;Balanced: the distinguisher holds.&quot; :
                              &quot;Broken balance (won&apos;t happen for a bijection).&quot;);
`}&lt;/p&gt;
&lt;p&gt;The Square attack&apos;s real bottleneck was not the distinguisher but the cost of the final key-guessing summation. In 2000, Niels Ferguson, John Kelsey, David Wagner and colleagues fixed exactly that with the &lt;strong&gt;partial-sums&lt;/strong&gt; technique, reorganizing the summation to reuse intermediate results. It cut the 6-round work to roughly $2^{44}$ and bought one more round, reaching 7-round AES-128 at about $2^{120}$ using almost the entire codebook [@partial-sums-fse00]. The same year, Henri Gilbert and Marine Minier found a different route to the same height: a collision attack on 7 rounds of Rijndael that exploited collisions between partial functions inside the cipher [@gilbert-minier-aes3].&lt;/p&gt;
&lt;p&gt;A third family arrived in parallel and turned differential logic inside out. Impossible-differential cryptanalysis of Rijndael originated with Eli Biham and Nathan Keller in an unpublished report at the Third AES Candidate Conference in 2000.That original Biham-Keller report was never formally published and is not indexed in the usual bibliographic databases, so this article attributes only the &lt;em&gt;origin&lt;/em&gt; of the technique to it and takes every concrete figure from the peer-reviewed successors below. Precision about what is and is not on the record is part of honest cryptanalysis. Instead of a high-probability pattern, it uses one that occurs with probability &lt;em&gt;exactly zero&lt;/em&gt;: AES has a 4-round differential that can never happen, so any key guess that would produce it is provably wrong and can be sieved out.&lt;/p&gt;
&lt;p&gt;Jiqiang Lu, Orr Dunkelman, Nathan Keller and Jongsung Kim formalized and optimized the technique in 2008, as did Behnam Bahrak and Mohammad Reza Aref independently. It gave the best impossible-differential attacks of its era: 7 rounds of AES-128 and AES-192, and 8 rounds of AES-256 [@lu-idc-indocrypt08] [@bahrak-aref-iet08].&lt;/p&gt;
&lt;p&gt;Step back and the pattern is unmistakable. Integral, partial sums, collision, impossible differential -- four different mechanisms, and every one of them targets the round function, and every one of them stalls far below the full 10 rounds. Around seven rounds, they all hit the same ceiling. Some of these are &lt;em&gt;distinguishers&lt;/em&gt; (they tell real AES apart from a random permutation) and some are &lt;em&gt;key recoveries&lt;/em&gt; (they actually extract key bytes), but the reach is the same either way.&lt;/p&gt;
&lt;p&gt;Different attacks, one shared ceiling: about seven rounds. Was that a coincidence -- or was something stopping them?&lt;/p&gt;
&lt;h2&gt;5. Climbing the Round Ladder&lt;/h2&gt;
&lt;p&gt;For fifteen years the single-key attacks improved -- new mechanisms, cleverer bookkeeping, automated search. And still they stalled around seven rounds. The reason they stalled is the whole point of this article.&lt;/p&gt;
&lt;p&gt;The next mechanism traded probability for memory. If the distinguishers of Section 4 were too short, why not &lt;em&gt;store&lt;/em&gt; a description of several middle rounds rather than propagate a pattern through them?&lt;/p&gt;

A meet-in-the-middle attack splits the cipher into two halves and works from both ends toward the middle. The attacker precomputes every possible value of some property in the middle, then, for each key guess, computes the same property from the data and checks for a match. It trades memory for a way around the probability barrier that limits differential and integral attacks -- you look the answer up instead of hoping it appears [@demirci-selcuk-fse08].
&lt;p&gt;In 2008, Hüseyin Demirci and Ali Aydın Selçuk built the first MITM attack on AES, reaching 8 rounds of AES-256 -- past the seven-round wall. But there was a catch that makes the plateau vivid: the precomputed table held on the order of $2^{206}$ entries [@demirci-selcuk-fse08]. That is not a time cost you wait out; it is more storage than exists on Earth. The attack was structurally valid and physically impossible at once -- a memory catastrophe.&lt;/p&gt;
&lt;p&gt;Two years later, Orr Dunkelman, Nathan Keller and Adi Shamir rescued it. Their differential-enumeration technique restricted the precomputed table to only the middle states actually reachable from a chosen truncated differential, and a compact &quot;multiset&quot; representation shrank it further -- collapsing the impossible $2^{206}$ down toward the attack&apos;s own time complexity and turning a physical impossibility into a coherent shortcut for 8-round AES-192 and AES-256 [@dks-asiacrypt10].&lt;/p&gt;
&lt;p&gt;Then, in 2013, Patrick Derbez, Pierre-Alain Fouque and Jérémy Jean treated the search for the best MITM parameters as a computer-search problem, automating the exploration to squeeze out the best single-key numbers anyone has found: 7-round AES-128 with data, time and memory all under $2^{100}$; 8-round AES-192 and AES-256; and 9-round AES-256 [@dfj-eurocrypt13].&lt;/p&gt;
&lt;p&gt;Line the generations up and the shape of the wall becomes concrete.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Generation&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Rounds reached&lt;/th&gt;
&lt;th&gt;The wall it hit&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Integral / Square&lt;/td&gt;
&lt;td&gt;1997-2000&lt;/td&gt;
&lt;td&gt;up to 6&lt;/td&gt;
&lt;td&gt;Cost of the final key-guessing summation [@square-fse97]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Partial sums&lt;/td&gt;
&lt;td&gt;2000&lt;/td&gt;
&lt;td&gt;7 (AES-128)&lt;/td&gt;
&lt;td&gt;Distinguisher still only about 4 rounds long [@partial-sums-fse00]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Impossible differential&lt;/td&gt;
&lt;td&gt;2000-2008&lt;/td&gt;
&lt;td&gt;7-8&lt;/td&gt;
&lt;td&gt;The impossible differential is fixed at 4 rounds [@lu-idc-indocrypt08]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Demirci-Selçuk MITM&lt;/td&gt;
&lt;td&gt;2008&lt;/td&gt;
&lt;td&gt;8 (AES-256)&lt;/td&gt;
&lt;td&gt;A physically impossible $2^{206}$-entry table [@demirci-selcuk-fse08]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Differential-enumeration MITM&lt;/td&gt;
&lt;td&gt;2010&lt;/td&gt;
&lt;td&gt;8&lt;/td&gt;
&lt;td&gt;Memory tamed, but still single-key, still 8 rounds [@dks-asiacrypt10]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Automated MITM&lt;/td&gt;
&lt;td&gt;2013&lt;/td&gt;
&lt;td&gt;7 / 8 / 9&lt;/td&gt;
&lt;td&gt;No long single-key characteristic exists to extend [@dfj-eurocrypt13]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Fifteen years, five mechanisms, and the frontier climbs from six rounds to nine and stops. It is tempting to read that trend line as a slow slide toward a break -- seven rounds today, ten rounds soon. That reading is exactly backwards.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The single-key plateau near seven rounds is not the attackers failing. It is the wide-trail round function succeeding. By provable design there is no long, high-probability characteristic to extend across the round function, so every single-key attack must bolt a few key-guessing rounds onto a short distinguisher -- and runs out of room. The plateau is evidence of strength, and it is precisely what forces every full-round result off the round function and onto the key schedule.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Not every idea in this era survived. The most famous casualty was an algebraic dream.&lt;/p&gt;

In 2002, Nicolas Courtois and Josef Pieprzyk proposed writing AES as a giant system of quadratic equations and solving it with a method they called XSL; a later GF(256) adaptation by Sean Murphy and Matthew Robshaw put the suggested attacks in the range of $2^{87}$ to $2^{100}$ [@xsl-eprint02]. It caused a stir -- an attack that ignored rounds entirely. But the method was heuristic, and its own authors admitted its complexity was &quot;very difficult to evaluate.&quot; In 2005, Carlos Cid and Gaëtan Leurent analyzed XSL carefully and showed it did not work as claimed [@cid-leurent-xsl05]. The S-box&apos;s affine layer and field structure are part of why algebraic attacks have never dented AES.
&lt;p&gt;If the round function cannot be beaten in the ordinary attack model, there are exactly two ways forward, and both leave the round function untouched. The first is to change the rules of engagement.&lt;/p&gt;

In the related-key model, the attacker cannot choose the secret key but *can* obtain encryptions under several keys whose differences it knows -- for example, the real key and the real key XORed with a chosen constant. It is a stronger, more demanding model than the standard single-key setting, and well-designed protocols never grant it. But it is a legitimate measure of a cipher&apos;s structural health, and it is the setting in which AES&apos;s key schedule first cracked [@bk-asiacrypt09].
&lt;p&gt;The escape route through that model runs directly through the key schedule&apos;s linearity: because the expansion is mostly XOR, a difference injected into the key travels through it predictably and can be arranged to &lt;em&gt;cancel&lt;/em&gt; a difference in the data over a few rounds -- a &quot;local collision&quot; that, chained, lets a usable characteristic span the entire cipher for the first time. The second escape gives up on beating brute force outright and instead &lt;em&gt;accelerates&lt;/em&gt; it, with a structure called a biclique that leans on how slowly the key schedule diffuses. We will need one more idea for both roads.&lt;/p&gt;

A distinguisher is an attack that tells the real cipher apart from an idealized random permutation, without necessarily recovering the key. It is weaker than a key recovery, but it still counts as a structural break: an ideal cipher should be indistinguishable from random, so any efficient distinguisher proves the cipher deviates from the ideal. Distinguishers often precede full key-recovery attacks by years [@bkn-crypto09].
&lt;p&gt;Both escapes were walked between 2009 and 2011. Neither one beat the round function. Both went for the key schedule.&lt;/p&gt;

flowchart TD
    S[&quot;AES cryptanalysis&quot;] --&amp;gt; A[&quot;Single-key round-function line&quot;]
    S --&amp;gt; B[&quot;Full-round results&quot;]
    A --&amp;gt; A1[&quot;Integral, partial sums, impossible differential&quot;]
    A1 --&amp;gt; A2[&quot;MITM and automated MITM&quot;]
    A2 --&amp;gt; A3[&quot;Plateau near 7 to 9 rounds: the round function holding&quot;]
    B --&amp;gt; B1[&quot;Related-key: local collisions in the linear key schedule&quot;]
    B --&amp;gt; B2[&quot;Biclique: leans on slow key-schedule diffusion&quot;]
    A3 --&amp;gt; K[&quot;The key schedule&quot;]
    B1 --&amp;gt; K
    B2 --&amp;gt; K
&lt;h2&gt;6. Two Ways Past the Full Cipher&lt;/h2&gt;
&lt;p&gt;In 2009 and 2011, three papers did what nobody had managed in a decade: they reached all the way through AES faster than brute force. Neither road beat the round function. Both went for the key schedule -- one breaking it head-on, one leaning on it.&lt;/p&gt;
&lt;h3&gt;Road one: related-key attacks break the key schedule directly&lt;/h3&gt;
&lt;p&gt;The first road exploits the linearity you watched in Section 3. Because AES-256&apos;s key schedule is so close to linear, a difference injected into the key propagates through it predictably, and it can be arranged to cancel a difference that the round keys introduce into the data.&lt;/p&gt;

A related-key attack queries the cipher under keys whose differences the attacker knows. Its key tool against AES is the *local collision*: a difference introduced into the state by one round key is cancelled by a difference the linear key schedule carries into the very next round key, so the two differences annihilate over a short span. Because the schedule is mostly XOR, these cancellations are cheap to arrange and can be chained into a differential covering the whole cipher [@bk-asiacrypt09].
&lt;p&gt;In 2009, Alex Biryukov, Dmitry Khovratovich and Ivica Nikolić delivered the first full-round result of any kind. They defined a &lt;em&gt;differential q-multicollision&lt;/em&gt; and showed AES-256 admits them in about $q \cdot 2^{67}$ operations, against a provable lower bound of roughly $q \cdot 2^{((q-1)/(q+1)) \cdot 128}$ for an ideal cipher -- a gap wide enough to prove, in their words, that AES-256 &quot;can not model an ideal cipher&quot; [@bkn-crypto09].&lt;/p&gt;
&lt;p&gt;From that they built the first attack on all 14 rounds: a related-key distinguisher working for 1 out of every $2^{35}$ keys using $2^{120}$ data, convertible to a key recovery at $2^{131}$ time and $2^{65}$ memory [@bkn-crypto09]. It was a weak-key-class result -- powerful, but not yet a universal key recovery.&lt;/p&gt;
&lt;p&gt;Months later, Biryukov and Khovratovich closed that gap and extended it. Combining local collisions with the boomerang attack and a trick called boomerang switching -- which buys free middle rounds by reconciling two short differentials where they meet -- they produced a key recovery on the full AES-256 that works for &lt;em&gt;all&lt;/em&gt; keys, at $2^{99.5}$ time and data, using four related keys [@bk-asiacrypt09]. The same machinery gave the first cryptanalysis of the full AES-192, at complexity $2^{176}$ [@bk-asiacrypt09].The paper notes the AES-256 figure improves to $2^{99}$. Two precision points that matter: the attack uses &lt;em&gt;four&lt;/em&gt; related keys, and the $2^{99.5}$ (or $2^{99}$) number belongs to AES-256 alone. The full AES-192 result is $2^{176}$ -- never attach the AES-256 figure to AES-192.&lt;/p&gt;
&lt;p&gt;Sit with what that means, because it inverts a near-universal assumption. AES-256 has more rounds and a longer key than AES-128, and everyone treats it as the stronger choice. Yet under related keys it is &lt;em&gt;weaker&lt;/em&gt;: its longer key schedule is more linear structure to exploit, and no comparable all-keys full-round attack exists against AES-128. This is the thesis in its most literal form -- more key material bought more exploitable structure, and the longer key schedule breaks worse.&lt;/p&gt;

flowchart TD
    A[&quot;Attacker injects a known key difference&quot;] --&amp;gt; B[&quot;Linear key schedule propagates it predictably&quot;]
    B --&amp;gt; C[&quot;Round-key difference cancels the state difference: local collision&quot;]
    C --&amp;gt; D[&quot;Chain local collisions across rounds&quot;]
    D --&amp;gt; E[&quot;Boomerang switching joins two short trails, buys free middle rounds&quot;]
    E --&amp;gt; F[&quot;Characteristic spans full AES-192 and AES-256&quot;]
&lt;h3&gt;Road two: biclique leans on the key schedule&apos;s slow diffusion&lt;/h3&gt;
&lt;p&gt;The second road answers a different question. Related-key attacks need a strong model no protocol grants. Could &lt;em&gt;anything&lt;/em&gt; reach the full cipher in the ordinary single-key model? In 2011, Andrey Bogdanov, Dmitry Khovratovich and Christian Rechberger answered yes -- with an important asterisk.&lt;/p&gt;

A biclique is a meet-in-the-middle structure that lets an attacker test a whole group of keys at nearly the cost of testing one. By precomputing partial encryptions over a few rounds and reusing them across every key in the group, it accelerates exhaustive key search: instead of a full encryption per candidate key, each key costs only the handful of operations that actually differ. It is not a shortcut around the cipher&apos;s mathematics -- it is a faster way to try every key [@biclique-asiacrypt11].
&lt;p&gt;Applied to full AES with no related keys assumed, the biclique attack recovers keys at $2^{126.1}$ for AES-128, $2^{189.7}$ for AES-192, and $2^{254.4}$ for AES-256 [@biclique-asiacrypt11]. Those are the only single-key, full-round results faster than brute force that exist.&lt;/p&gt;
&lt;p&gt;And here is where the savings come from: between neighboring keys in a group, so few round-key and state bytes change that most of the computation can be reused -- and &lt;em&gt;that&lt;/em&gt; is a consequence of the key schedule&apos;s slow diffusion, the same sluggish mixing we watched in Section 3. Where the related-key road exploits the schedule&apos;s linearity, the biclique road exploits its slowness.&lt;/p&gt;
&lt;p&gt;But the honest framing is load-bearing, and this article treats it as non-negotiable.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The biclique attack is a meet-in-the-middle &lt;em&gt;acceleration of exhaustive key search&lt;/em&gt;, not a pure structural break of the key schedule. Its recomputation savings &lt;em&gt;depend on&lt;/em&gt; the key schedule&apos;s slow diffusion, but it does not exploit a mathematical weakness that collapses the cipher. The gain over brute force is about two bits -- a factor of roughly four. Never describe biclique as &quot;breaking&quot; the key schedule the way the related-key attacks do; it &lt;em&gt;leans on&lt;/em&gt; the schedule, and that distinction is the difference between honest analysis and hype.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The authors said as much themselves, and it is the most important sentence in the whole biclique story.&lt;/p&gt;

The biclique attacks on full AES &quot;do not threaten the practical use of AES in any way.&quot; -- Bogdanov, Khovratovich, and Rechberger, ASIACRYPT 2011 [@biclique-asiacrypt11]

flowchart TD
    A[&quot;Partition the key space into groups&quot;] --&amp;gt; B[&quot;Build a biclique over a few rounds per group&quot;]
    B --&amp;gt; C[&quot;Precompute partial encryptions once per group&quot;]
    C --&amp;gt; D[&quot;Neighboring keys differ in few bytes: slow key-schedule diffusion&quot;]
    D --&amp;gt; E[&quot;Reuse precomputation, recompute only what changed&quot;]
    E --&amp;gt; F[&quot;Each key costs less than one full encryption&quot;]
    F --&amp;gt; G[&quot;Full-round key recovery, about a factor of 4 under brute force&quot;]
&lt;p&gt;Put the two roads side by side and the article&apos;s claim stops being rhetoric.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The only two ways anyone has reached full-round AES faster than brute force both run through the key schedule. The related-key attacks break it head-on, chaining local collisions through its linearity to recover keys on full AES-192 and AES-256. The biclique attack leans on it, exploiting its slow diffusion to shave a factor of four off exhaustive search in the single-key model. The celebrated S-box and MixColumns are untouched in both. The crack starts at the part nobody fortified.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two roads to the full cipher, both paved by the key schedule -- one breaking it, one leaning on it. So where exactly does AES stand today?&lt;/p&gt;
&lt;h2&gt;7. Where AES Stands Today&lt;/h2&gt;
&lt;p&gt;Strip away the drama and put the numbers on one table. That table is the clearest statement of where AES is strong and where it is thin.&lt;/p&gt;
&lt;p&gt;Three ceilings orient everything: brute force costs $2^{128}$, $2^{192}$, and $2^{256}$ for the three key sizes. Every result below is measured against those.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Variant&lt;/th&gt;
&lt;th&gt;Rounds&lt;/th&gt;
&lt;th&gt;Best single-key reduced-round&lt;/th&gt;
&lt;th&gt;Best single-key full-round&lt;/th&gt;
&lt;th&gt;Best related-key full-round&lt;/th&gt;
&lt;th&gt;Brute-force ceiling&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;AES-128&lt;/td&gt;
&lt;td&gt;10&lt;/td&gt;
&lt;td&gt;7 rounds, under $2^{100}$ [@dfj-eurocrypt13]&lt;/td&gt;
&lt;td&gt;$2^{126.1}$ [@biclique-asiacrypt11]&lt;/td&gt;
&lt;td&gt;none comparable known&lt;/td&gt;
&lt;td&gt;$2^{128}$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AES-192&lt;/td&gt;
&lt;td&gt;12&lt;/td&gt;
&lt;td&gt;8 rounds, $2^{172}$ [@dfj-eurocrypt13]&lt;/td&gt;
&lt;td&gt;$2^{189.7}$ [@biclique-asiacrypt11]&lt;/td&gt;
&lt;td&gt;$2^{176}$ [@bk-asiacrypt09]&lt;/td&gt;
&lt;td&gt;$2^{192}$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AES-256&lt;/td&gt;
&lt;td&gt;14&lt;/td&gt;
&lt;td&gt;9 rounds, $2^{203}$ [@dfj-eurocrypt13]&lt;/td&gt;
&lt;td&gt;$2^{254.4}$ [@biclique-asiacrypt11]&lt;/td&gt;
&lt;td&gt;$2^{99.5}$, improved to $2^{99}$ [@bk-asiacrypt09]&lt;/td&gt;
&lt;td&gt;$2^{256}$&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Read the columns and the whole argument snaps into focus. The single-key reduced-round column stalls at 7, 8, and 9 rounds out of 10, 12, and 14 -- and it has not moved since 2013 [@dfj-eurocrypt13]. The single-key full-round column sits about two bits under the ceiling, a factor of roughly four, courtesy of biclique [@biclique-asiacrypt11].Tao and Wu refined the biclique complexities in 2015, nudging the last digits and cutting the attack&apos;s storage requirement, but the headline numbers barely moved -- evidence that the single-key full-round margin has been essentially static for over a decade [@taowu-acisp15] [@wikipedia-aes]. The related-key column is the outlier: $2^{99}$ against a $2^{256}$ ceiling for AES-256 is an enormous complexity gap -- but only in a model real deployments deny.&lt;/p&gt;
&lt;p&gt;The frontier keeps yielding small refinements, and where they land is telling. In 2018, Achiya Bar-On, Orr Dunkelman, Nathan Keller, Eyal Ronen and Adi Shamir cut the best 5-round single-key attack from about $2^{32}$ to under $2^{22}$ -- practical enough to run -- and gave the best practical-data attacks on 7-round AES-192 [@barron-crypto18].&lt;/p&gt;
&lt;p&gt;And in 2021, Gaëtan Leurent and Clara Pernot found that the AES-128 key schedule can be split into four independent parallel computations on 32-bit chunks, up to linear transformation -- a structural fact, in their words, &quot;not described in the literature after more than 20 years&quot; of analysis [@leurent-pernot-eurocrypt21]. Twenty years on, the fresh cryptanalytic advantage still comes from the key schedule.&lt;/p&gt;
&lt;p&gt;So the margin is asymmetric. In &lt;em&gt;rounds reached&lt;/em&gt;, the related-key model gets uncomfortably close to full coverage while the single-key model plateaus a few rounds short. In &lt;em&gt;complexity&lt;/em&gt;, the numbers are astronomically wide everywhere except the related-key AES-256 corner. And even that &quot;best&quot; single-key number is not remotely a threat.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The biclique attack on AES-128 costs $2^{126.1}$ operations. That is faster than the $2^{128}$ brute-force ceiling -- and it is still roughly $10^{38}$ operations, a number with no physical meaning. If every atom-scale computer that could ever be built ran for the age of the universe, it would not make a dent. &quot;Faster than brute force&quot; is a statement about cryptographic bookkeeping, not about feasibility. AES is not close to breakable; it is close to &lt;em&gt;optimal&lt;/em&gt;, and the tiny gap that remains is a ruler, not a wound.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One table, two full-round winners, one common thread. Line them up as competing methods and the thesis stops being a claim and becomes a pattern.&lt;/p&gt;
&lt;h2&gt;8. Single-Key, Related-Key, and the Common Thread&lt;/h2&gt;
&lt;p&gt;These attack families are not really competitors -- they optimize for different things. Put them on shared axes and you can see exactly what each one buys, what it costs, and what it leans on.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attack family&lt;/th&gt;
&lt;th&gt;Model&lt;/th&gt;
&lt;th&gt;Full rounds?&lt;/th&gt;
&lt;th&gt;Best complexity&lt;/th&gt;
&lt;th&gt;Threatens deployed AES?&lt;/th&gt;
&lt;th&gt;Leans on key schedule?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Biclique&lt;/td&gt;
&lt;td&gt;Single-key&lt;/td&gt;
&lt;td&gt;Yes (10/12/14)&lt;/td&gt;
&lt;td&gt;$2^{126.1}$ / $2^{189.7}$ / $2^{254.4}$ [@biclique-asiacrypt11]&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Yes, via slow diffusion&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Related-key boomerang&lt;/td&gt;
&lt;td&gt;Related-key&lt;/td&gt;
&lt;td&gt;Yes (AES-192/256)&lt;/td&gt;
&lt;td&gt;AES-256 $2^{99}$, AES-192 $2^{176}$ [@bk-asiacrypt09]&lt;/td&gt;
&lt;td&gt;No, model denied&lt;/td&gt;
&lt;td&gt;Yes, directly, via linearity&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Single-key MITM (DS to DKS to DFJ)&lt;/td&gt;
&lt;td&gt;Single-key&lt;/td&gt;
&lt;td&gt;No (7/8/9)&lt;/td&gt;
&lt;td&gt;7-round AES-128 under $2^{100}$ [@dfj-eurocrypt13]&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Indirectly&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Impossible-diff / integral (incl. Bar-On)&lt;/td&gt;
&lt;td&gt;Single-key&lt;/td&gt;
&lt;td&gt;No (7 or fewer)&lt;/td&gt;
&lt;td&gt;5-round under $2^{22}$, practical [@barron-crypto18]&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Increasingly&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The two full-round rows and the two reduced-round rows tell opposite halves of the same story. The reduced-round families cannot cross the wide-trail wall no matter how cleverly they are automated or how practical their data becomes -- they top out short of the full cipher because the round function gives them nothing longer to work with.&lt;/p&gt;
&lt;p&gt;The full-round families cross it only by refusing to fight the round function at all. One changes the model to attack the key schedule&apos;s linearity; the other accepts brute-force complexity and mines the key schedule&apos;s slow diffusion for a discount. Every entry in the &quot;leans on key schedule?&quot; column is a yes or a trending-toward-yes.&lt;/p&gt;

AES-256 has more rounds and a longer key than AES-128 -- and under related keys, that longer, still-linear key schedule is exactly what makes it weaker. More key material, more structure to exploit.
&lt;p&gt;The honest caveat rides along in the table too. Biclique&apos;s &quot;yes&quot; in the last column is an &lt;em&gt;enabling&lt;/em&gt; dependence -- it needs the schedule to diffuse slowly so its precomputation can be reused -- not the structural collapse that the related-key row represents. Reading the two together is the point: the key schedule is the common thread of every full-round result, but it is threaded two different ways, and only one of them is a direct break.&lt;/p&gt;

Not every result fits the key-recovery mould. In 2007, Lars Knudsen and Vincent Rijmen introduced *known-key distinguishers*, where the key is public and the goal is merely to show the cipher behaves less randomly than an ideal permutation would [@known-key-ac07]. It sounds academic, but it broadened what counts as &quot;a break&quot; and seeded the rebound attacks that are genuinely productive against AES-based hash and compression functions -- a reminder that a cipher can be perfectly safe as an encryptor while its internals still leak structure when repurposed.
&lt;p&gt;The pattern is undeniable, but a pattern is not a proof. How close &lt;em&gt;can&lt;/em&gt; cryptanalysis get -- and could we ever prove it can get no closer?&lt;/p&gt;
&lt;h2&gt;9. How Close Can Cryptanalysis Get?&lt;/h2&gt;
&lt;p&gt;Here is the uncomfortable truth that separates cryptography from mathematics: nobody can prove AES is secure. Not &quot;has not proven it yet&quot; -- cannot, even in principle, in the way we mean it for public-key systems.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://paragmali.com/blog/rsa-is-a-trapdoor-not-a-cryptosystem-oaep-pss-and-the-25-yea/&quot; rel=&quot;noopener&quot;&gt;RSA&lt;/a&gt; and &lt;a href=&quot;https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/&quot; rel=&quot;noopener&quot;&gt;Diffie-Hellman&lt;/a&gt; rest on the &lt;em&gt;assumed hardness&lt;/em&gt; of a specific, well-studied problem -- integer factoring, or the discrete logarithm -- that the world&apos;s mathematicians have failed to solve efficiently for decades, and some public-key schemes (Rabin, or lattice systems) provably reduce to such problems. Their security is anchored to a famous open question. Block ciphers have no such anchor.&lt;/p&gt;
&lt;p&gt;AES&apos;s security is not reducible to any problem believed hard; it rests entirely on the fact that very smart people have attacked it for twenty-five years and failed. That is strong evidence, but it is not a proof, and it means a future structural break can never be &lt;em&gt;ruled out&lt;/em&gt; -- only measured, as a margin.&lt;/p&gt;
&lt;p&gt;The nearest thing to a proof AES has is a design-level bound, and it is precisely bounded in what it covers.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The wide-trail strategy proves that any differential or linear trail across four AES rounds activates at least 25 S-boxes, capping such a trail&apos;s probability at $2^{-150}$ [@design-rijndael]. That is a real theorem -- and it is exactly why single-key differential and linear attacks fail. But it bounds only &lt;em&gt;trails through the round function&lt;/em&gt;. It says nothing about the key schedule, nothing about related-key differentials, and nothing about meet-in-the-middle accelerations like biclique. The one thing AES can almost prove is the one thing the round function already does well. The key schedule sits outside the theorem.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That gap is the article&apos;s most counterintuitive lesson. Security is not a binary a cipher passes or fails; it is a measured quantity, and the measurement keeps coming back thinnest at the key schedule. Worse for intuition: the AES-256-versus-AES-128 result shows that adding key material can &lt;em&gt;lower&lt;/em&gt; the margin rather than raise it, because a longer linear key schedule is more structure to attack. The one genuine impossibility result we do have points the same way -- Biryukov, Khovratovich and Nikolić proved AES-256 cannot instantiate an ideal cipher, using the very key-schedule structure the related-key attacks ride [@bkn-crypto09].&lt;/p&gt;
&lt;p&gt;What about quantum computers -- surely they change the answer? For AES, structurally, they do not.&lt;/p&gt;
&lt;p&gt;Grover&apos;s halving is the main reason to prefer AES-256 for long-term or post-quantum margin -- not because AES-128 is structurally weaker, but because the larger key leaves a more comfortable margin against a generic quantum speedup.&lt;/p&gt;
&lt;p&gt;Grover&apos;s algorithm gives a generic square-root speedup for key search: $2^{n/2}$ instead of $2^{n}$, so AES-128 drops to roughly $2^{64}$ and AES-256 to roughly $2^{128}$ [@grover-aes-pqcrypto16]. Crucially, that speedup is &lt;em&gt;independent of AES&apos;s internal structure&lt;/em&gt; -- it applies to any cipher, treating AES as a black box. It does not touch the key schedule, the S-box, or MixColumns; it does not care how AES is built.&lt;/p&gt;
&lt;p&gt;That is exactly why Grover sits &lt;em&gt;outside&lt;/em&gt; this article&apos;s thesis: it is a generic key-search discount, not a structural break. And Shor&apos;s algorithm [@shor-siam97], which shatters RSA and &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;elliptic curves&lt;/a&gt;, attacks the hidden-subgroup structure of public-key math and simply does not apply to symmetric ciphers.&lt;/p&gt;

Grover marks one edge of this article&apos;s territory: a generic speedup, not a structural crack, so it is named and set aside. The other edge is the entire world of real-world AES failures -- cache-timing side channels, fault injection, repeated GCM nonces, padding oracles, key-reinstallation attacks like KRACK. None of those touch the cipher&apos;s mathematics; they break the wrapper around it. They are the subject of the companion piece, *How AES Breaks in Real Life: The Attacks That Never Touched the Cipher*. This article is the would-break-in-theory story; that one is the did-break-in-the-field story.
&lt;p&gt;No proof, a thin single-key margin, and a key schedule that keeps yielding fresh structure twenty years on. So what would it actually take to break AES?&lt;/p&gt;
&lt;h2&gt;10. What Would Actually Break AES&lt;/h2&gt;
&lt;p&gt;If you wanted to be the person who genuinely dented AES, here is the to-do list -- and why every item on it has resisted the field&apos;s best for more than a decade.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Close the single-key reduced-round gap.&lt;/strong&gt; The frontier has sat at 7, 8, and 9 rounds since 2013, despite automated search tools purpose-built to push it [@dfj-eurocrypt13]. Nobody has extended the single-key attacks by even one round in over ten years. Either a genuinely new distinguisher is needed, or the round function really does leave nothing longer to exploit.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Migrate the key-schedule attacks into the single-key model.&lt;/strong&gt; The related-key attacks reach the full cipher, but only under a model real protocols deny. Can their key-schedule insight be recast into an attack that needs no related keys? So far, no -- and this is the single most important open question for the thesis. If it ever happened, the crack really would start where this article predicts, in a model that matters.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Prove that a nonlinear key schedule would have mattered.&lt;/strong&gt; Would a heavier, nonlinear key expansion have removed both the related-key local collisions and biclique&apos;s recomputation discount? There is strong circumstantial evidence it would: Leurent and Pernot&apos;s 2021 discovery that the AES-128 schedule still splits into four independent 32-bit computations shows the linearity keeps handing attackers structure two decades on [@leurent-pernot-eurocrypt21].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Find a real single-key shortcut on full AES-128.&lt;/strong&gt; Not biclique&apos;s two bits -- an attack meaningfully below $2^{126}$ that reflects a structural weakness rather than an accounting trick. None is known.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Push the new structural distinguishers deeper.&lt;/strong&gt; In 2017, Lorenzo Grassi, Christian Rechberger and Sondre Rønjom found an unexpected structural-differential property of 5-round AES, which Bar-On and colleagues then turned into the best practical 5-round attack [@grassi-eurocrypt17] [@barron-crypto18]. Can such properties reach 6, 7, or more rounds? So far they have not.&lt;/p&gt;

A secret-key distinguisher, like the Grassi-Rechberger-Rønjom 5-round property, does not extract a single key byte -- it only shows the cipher behaves less randomly than it should over a few rounds [@grassi-eurocrypt17]. That sounds harmless. But historically, distinguishers are the early-warning system: they reveal structure years before anyone works out how to convert it into a key recovery, and every family in this article began as a distinguishing property before it became an attack. Watching where new distinguishers appear -- and they keep appearing near the key schedule -- is how you predict where the next real attack will come from.
&lt;p&gt;None of these five is close to solved. The standing challenge is stark: outside the related-key model, and beyond biclique&apos;s two-bit shave, nothing has meaningfully dented full-round single-key AES-128 in the entire history of its public analysis. Which is exactly why, for everyone who actually ships software, the right question is not &quot;when will AES break?&quot; but &quot;what should I do today?&quot;&lt;/p&gt;
&lt;h2&gt;11. What This Means for You&lt;/h2&gt;
&lt;p&gt;Strip all of it down to what changes your decisions. For almost everyone, the answer is: nothing -- and understanding &lt;em&gt;why&lt;/em&gt; nothing changes is the real payoff.&lt;/p&gt;
&lt;p&gt;AES is not broken. Every structural result in this article is astronomically infeasible, the strongest single-key full-round attack shaves a factor of four off a number no machine will ever reach, and the related-key attacks need access that correctly built systems never grant. Keep using AES.&lt;/p&gt;
&lt;p&gt;On key size, choose deliberately rather than superstitiously. AES-128 and AES-256 are both effectively unbreakable in the single-key model your systems actually run in; the related-key paradox that makes AES-256 &quot;weaker&quot; lives entirely in a model deployments deny [@bk-asiacrypt09].&lt;/p&gt;
&lt;p&gt;Prefer AES-256 when you want long-term or post-quantum margin, because Grover&apos;s generic square-root speedup halves the effective key length and a $2^{128}$ quantum margin is more comfortable than $2^{64}$ [@grover-aes-pqcrypto16]. Prefer AES-128 when you want raw speed and a post-Grover margin of $2^{64}$ is ample for your threat model. Both are sound; the choice is about margin, not about one being broken.&lt;/p&gt;
&lt;p&gt;The one pitfall worth internalizing is the related-key boundary.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Related-key attacks only bite if an attacker can influence the &lt;em&gt;relationships&lt;/em&gt; between the keys you use -- for example, by driving AES as a hash or compression function where attacker-known differences flow into the key input, or a home-grown key-derivation scheme that XORs chosen constants into a master key. Use AES as a keyed black box under independent, well-generated keys, and the entire related-key family -- including the full AES-192 and AES-256 results -- simply does not apply. Independent keys are the whole defense.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;You can make the margin tangible with a few lines of arithmetic. The calculator below reads the AES-128 single-key margin both ways the article measures it: as rounds reached versus total, and as the best full-round complexity versus the brute-force ceiling.&lt;/p&gt;
&lt;p&gt;{`
// Two ways to feel the margin, using the numbers from this article.
const totalRounds = 10;
const bestSingleKeyRounds = 7;         // best single-key reduced-round (DFJ 2013)
const bruteForceExponent = 128;        // brute-force ceiling for AES-128
const bestFullRoundExponent = 126.1;   // biclique (BKR 2011)&lt;/p&gt;
&lt;p&gt;// 1) Round margin: how many full rounds still resist single-key attack.
const roundMargin = totalRounds - bestSingleKeyRounds;
console.log(&quot;Rounds still beyond the best single-key attack: &quot; + roundMargin +
            &quot; of &quot; + totalRounds);&lt;/p&gt;
&lt;p&gt;// 2) Complexity margin: how much &quot;faster than brute force&quot; biclique really is.
const speedupFactor = Math.pow(2, bruteForceExponent - bestFullRoundExponent);
console.log(&quot;Biclique speedup over brute force: about &quot; +
            speedupFactor.toFixed(1) + &quot;x&quot;);
console.log(&quot;Brute force itself: 2^128, roughly 1 followed by 38 zeros.&quot;);
console.log(&quot;A 3.7x discount on a never-finishable computation is still never-finishable.&quot;);
`}&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This article covered how AES would break &lt;em&gt;in theory&lt;/em&gt; -- the mathematics of the cipher itself. The attacks that actually steal data break the &lt;em&gt;deployment&lt;/em&gt;: the nonce, the padding, the key generation, a downgrade, a validation bug. If you want the field&apos;s real incident history, read the companion piece, &lt;em&gt;How AES Breaks in Real Life: The Attacks That Never Touched the Cipher&lt;/em&gt;.&lt;/p&gt;
&lt;/blockquote&gt;


No. In twenty-five years of public analysis, no attack has come close to breaking full-round AES in any way that matters. The single strongest single-key result -- the biclique attack -- recovers an AES-128 key in about $2^{126.1}$ operations, a factor of roughly four below brute force and still on the order of $10^{38}$ operations, which is physically meaningless [@biclique-asiacrypt11]. Every other full-round result needs a related-key model that real systems deny. AES is not broken; it is close to optimal.


Only in the related-key model, and only there. AES-256&apos;s longer, still-linear key schedule gives an attacker more structure, which is why a full-round related-key key recovery exists for AES-256 (about $2^{99}$) but no comparable full-round single-key break exists for AES-128 [@bk-asiacrypt09]. In the single-key model your deployments actually use, both are effectively unbreakable, and AES-256 gives you more post-quantum margin. The &quot;paradox&quot; is real cryptanalysis, not a practical warning.


No. Its complexity for AES-128 is $2^{126.1}$ -- roughly $10^{38}$ operations -- and its own authors state the attacks &quot;do not threaten the practical use of AES in any way&quot; [@biclique-asiacrypt11]. Biclique is best understood as a precise *measurement* of the thin single-key margin, not a threat to it. It is a meet-in-the-middle acceleration of brute force, not a structural collapse.


Not structurally. Grover&apos;s algorithm gives a generic square-root speedup for key search -- $2^{n/2}$ instead of $2^{n}$ -- so AES-128 drops to about $2^{64}$ and AES-256 to about $2^{128}$ of quantum security [@grover-aes-pqcrypto16]. That is a black-box discount independent of AES&apos;s internal design, which is why it is not a structural break; use AES-256 if you want the larger margin. Shor&apos;s algorithm [@shor-siam97], which does break RSA and elliptic curves, does not apply to symmetric ciphers at all.


It is this article&apos;s well-motivated thesis, carefully bounded. The related-key attacks break the full cipher by targeting the key schedule&apos;s linearity directly [@bk-asiacrypt09]; the biclique attack leans on the key schedule&apos;s slow diffusion to accelerate brute force [@biclique-asiacrypt11]; and peer-reviewed work in 2021 still calls the key schedule &quot;arguably the weakest part of the AES&quot; [@leurent-pernot-eurocrypt21]. The honest caveat: biclique&apos;s dependence is enabling, not a pure structural break, so this is a synthesized argument, not a claim that every full-round result is a key-schedule attack.


It is an attack in which the adversary obtains encryptions under several keys whose differences it knows [@bk-asiacrypt09]. It cannot happen unless your construction lets an attacker influence the relationships between keys -- which well-designed protocols never do. Use independent, well-generated keys and treat AES as a keyed black box, and the entire related-key family evaporates. It is a statement about a cipher&apos;s structural health, not a common deployment risk.


Because &quot;faster&quot; here means a factor of about four below $2^{128}$ -- the difference between $2^{128}$ and $2^{126.1}$ [@biclique-asiacrypt11]. Both are numbers no computation will ever complete. In cryptography, &quot;faster than brute force&quot; is the technical bar for a result to count at all; it is a bookkeeping threshold, not a statement that the cipher is within reach of any attacker, now or ever.

&lt;p&gt;Return to the question this article opened with: not whether AES is broken, but where the first crack would appear if it ever were. The evidence has answered it.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The AES round function is the most-analyzed, most-trusted primitive in symmetric cryptography, and twenty-five years of single-key attacks have plateaued a few rounds short of it -- the wide-trail design working exactly as intended. Every full-round result faster than brute force lives somewhere else: the related-key attacks break the linear key schedule head-on, reaching full AES-192 and AES-256, and the biclique attack leans on its slow diffusion to shave a factor of four off exhaustive search. The S-box and MixColumns are untouched. If AES ever falls, the evidence says the first crack starts at the key schedule -- the least-designed, most-linear component -- bounded by the honest caveat that biclique leans on the schedule rather than breaking it.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-aes-would-break&quot; keyTerms={[
  { term: &quot;Security margin&quot;, definition: &quot;The distance between the best known attack and brute force, measured both in rounds reached out of total and in complexity below the 2^n ceiling.&quot; },
  { term: &quot;Wide-trail strategy&quot;, definition: &quot;AES&apos;s round-function design method: MixColumns&apos; branch number of 5 forces at least 25 active S-boxes over four rounds, capping any trail&apos;s probability at 2^-150.&quot; },
  { term: &quot;S-box (SubBytes)&quot;, definition: &quot;Multiplicative inversion in GF(2^8) followed by a fixed affine transformation; AES&apos;s only data-path nonlinearity, with maximum differential probability 2^-6.&quot; },
  { term: &quot;Key schedule&quot;, definition: &quot;The mostly-linear (XOR plus rotation) expansion of the master key into round keys, with one S-box column per group of words; AES&apos;s least-designed component.&quot; },
  { term: &quot;Integral (Square) attack&quot;, definition: &quot;Tracks a Lambda-set of 256 texts so a byte-wise XOR sum is provably zero after a few rounds, sieving wrong key guesses.&quot; },
  { term: &quot;Meet-in-the-middle attack&quot;, definition: &quot;Splits the cipher and matches a precomputed middle property against online computation, trading memory for the probability barrier.&quot; },
  { term: &quot;Related-key attack&quot;, definition: &quot;The attacker queries under keys whose differences it knows; against AES it chains local collisions through the linear key schedule.&quot; },
  { term: &quot;Local collision&quot;, definition: &quot;A state difference introduced by one round key that the linear key schedule cancels in the next, annihilating over a short span.&quot; },
  { term: &quot;Biclique&quot;, definition: &quot;A meet-in-the-middle structure that tests a group of keys at nearly the cost of one, accelerating exhaustive search by leaning on slow key-schedule diffusion.&quot; },
  { term: &quot;Distinguisher&quot;, definition: &quot;An attack that tells the real cipher apart from an ideal random permutation without necessarily recovering the key; a weaker but still structural break.&quot; }
]} questions={[
  { q: &quot;Why do single-key attacks on AES plateau near seven rounds?&quot;, a: &quot;Because the wide-trail round function leaves no long high-probability characteristic to extend; attackers must bolt key-guessing rounds onto a short distinguisher and run out of room. The plateau is the design working.&quot; },
  { q: &quot;Name the only two ways anyone has reached full-round AES faster than brute force, and what each exploits.&quot;, a: &quot;Related-key boomerang attacks (exploiting the key schedule&apos;s linearity via local collisions) and the biclique attack (leaning on the key schedule&apos;s slow diffusion to accelerate exhaustive search).&quot; },
  { q: &quot;Why is AES-256 weaker than AES-128 under related keys?&quot;, a: &quot;Its longer, still-linear key schedule offers more exploitable structure, yielding a full-round related-key recovery near 2^99 with no comparable single-key full-round break on AES-128.&quot; },
  { q: &quot;Why can AES never be proven secure the way RSA can?&quot;, a: &quot;Block ciphers have no security reduction to a problem believed hard, so a structural break can never be ruled out -- only measured as a margin. The wide-trail bound only covers round-function trails, not the key schedule.&quot; },
  { q: &quot;Why is Grover&apos;s algorithm outside this article&apos;s thesis?&quot;, a: &quot;Grover is a generic square-root key-search speedup independent of AES&apos;s internal structure, so it is a black-box discount, not a structural break.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>aes</category><category>cryptanalysis</category><category>key-schedule</category><category>related-key-attacks</category><category>biclique</category><category>block-ciphers</category><category>security-margin</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>The Log Was Never the Weak Part: How Discrete-Log Cryptography Actually Breaks</title><link>https://paragmali.com/blog/the-log-was-never-the-weak-part-how-discrete-log-cryptograph/</link><guid isPermaLink="true">https://paragmali.com/blog/the-log-was-never-the-weak-part-how-discrete-log-cryptograph/</guid><description>For a well-chosen group the discrete log is optimally hard. Every faster break exploits the group&apos;s structure, not the log -- only Shor survives a clean one.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
For a well-chosen group the discrete logarithm is essentially as hard as it can be: the best generic attack is Pollard&apos;s rho at about $0.886\sqrt{\ell}$ steps, and Shoup proved no *generic* algorithm does better. So every faster classical break -- anomalous curves, MOV and Frey-Ruck pairing transfers, weak twists, invalid-curve shadow groups, Weil descent, the Number Field Sieve, Logjam&apos;s shared-prime precomputation, and small-characteristic quasi-polynomial descent -- is never a cleverer logarithm; it is a receipt for a structural property of the *group that was chosen*. Strip every such property away and only one known break remains, and it changes the machine: Shor&apos;s quantum algorithm -- &quot;as far as is known,&quot; since the elliptic-curve discrete-log problem is still unproven to be hard.
&lt;h2&gt;1. The 256-Bit Paradox&lt;/h2&gt;
&lt;p&gt;Four cryptographic groups walk onto the internet. NIST P-256 and Curve25519 -- both 256 bits wide -- each advertise roughly $2^{128}$ security, and after two decades of public scrutiny neither has been broken [@safecurves]. A &lt;em&gt;third&lt;/em&gt; 256-bit curve, differing from the first two only in a hidden arithmetic property, can be broken on a laptop in polynomial time [@smart-1999]. And a 1024-bit finite-field group -- four times the bit length of the curves -- is a realistic target for a well-funded adversary [@logjam-adrian-2015]. The operation an attacker has to invert is the &lt;em&gt;same discrete logarithm&lt;/em&gt; in all four groups.&lt;/p&gt;
&lt;p&gt;The variable that decided their fates was never the logarithm. It was the group.&lt;/p&gt;
&lt;p&gt;That sentence runs against the way most of us first meet the subject. We are taught that a one-way function is hard, that a bigger key makes it harder, and that &quot;solving the discrete log&quot; is a single monolithic feat an attacker either can or cannot perform. This article argues the opposite, and it argues it as a claim you should not yet believe: &lt;strong&gt;the discrete logarithm is essentially never the weak part. The weak part is always the group&lt;/strong&gt; -- some extra structure it carries, or the wrong group quietly substituted for the right one.&lt;/p&gt;
&lt;p&gt;Two settings recur throughout. The first is the multiplicative group of a prime field, written $\mathbb{F}_p^*$, the home of classic finite-field Diffie-Hellman, DSA, and ElGamal. The second is the group of points on an elliptic curve over a finite field, the home of ECDH, ECDSA, and EdDSA. The plan is a guided tour of every known way the discrete log &quot;breaks.&quot; Each stop will turn out to exploit a structural property of a &lt;em&gt;chosen&lt;/em&gt; group rather than compute a faster logarithm, and the tour ends at the one break that survives even a flawless group: Shor&apos;s quantum algorithm.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is a structural cryptanalysis -- an argument about the mathematics of the group itself. Side-channel leaks, fault and power attacks, implementation bugs, weak random-number generators, and protocol misuse are out of scope, named only to mark the boundary. Those failures are real and often more common in practice, but they belong to the empirical sibling of this piece, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life: PS3, CurveBall, Logjam, and Biased Nonces.&quot; When a break here has an implementation trigger, this article hands that trigger to the sibling and keeps only the group mathematics.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;By the end you will be able to look at any of the ten attacks in the literature and name, in one phrase, the structural property of the group it needs -- and see that a well-chosen group simply does not have it. To understand why the group is the variable, we have to go back to the moment the discrete log became something worth attacking at all.&lt;/p&gt;
&lt;h2&gt;2. What the Discrete Log Actually Is, and Where It Lives&lt;/h2&gt;
&lt;p&gt;In November 1976, Whitfield Diffie and Martin Hellman published &quot;New Directions in Cryptography&quot; and handed two strangers a way to agree on a shared secret over a wiretapped line without ever having met [@diffie-hellman-1976]. Their construction is simple enough to state in a sentence, and in stating it they turned an obscure number-theoretic puzzle into the thing standing between an eavesdropper and your traffic.&lt;/p&gt;

Fix a cyclic group with a public generator $g$. Alice picks a secret $a$ and publishes $g^a$; Bob picks a secret $b$ and publishes $g^b$. Each raises the other&apos;s value to their own secret, so both compute $g^{ab}$ -- the shared key. An eavesdropper sees $g$, $g^a$, and $g^b$, and must find $g^{ab}$. The obvious route is to recover $a$ from $g^a$, which is exactly the discrete logarithm.

Given a cyclic group generated by $g$ and an element $h = g^x$, find the exponent $x$. In the integers this is easy -- it is just division on a logarithmic scale. Inside a finite group the exponent &quot;wraps around&quot; unpredictably, and no efficient general method to recover $x$ is known. The security of Diffie-Hellman, DSA, ElGamal, ECDH, ECDSA, and EdDSA all rest on this one problem being hard in the group they use.
&lt;p&gt;The instant the DLP became a security assumption, a very old question acquired stakes: how hard is it, actually? And the first answer was unsettling, because it showed that the difficulty had nothing to do with the size of the numbers involved.&lt;/p&gt;
&lt;p&gt;Priority is disputed. At GCHQ, James Ellis, Clifford Cocks, and Malcolm Williamson developed classified &quot;non-secret encryption&quot; and a key-exchange analogue between 1969 and 1974, work declassified only in 1997 [@ellis-1997]. The public invention, and the framing of the discrete log as a security assumption, are Diffie and Hellman&apos;s.&lt;/p&gt;

timeline
    title Fifty years of attacking the discrete logarithm
    section The problem and its floor
      1976 : Diffie-Hellman make the discrete log a security assumption
      1978 : Pohlig-Hellman shatters smooth-order groups : Pollard rho sets the sqrt-time floor
    section The escape to curves
      1985 : Miller and Koblitz move the log onto elliptic curves
      1993 : MOV pairing transfer : Gordon adapts the Number Field Sieve to prime fields
      1994 : Shor reduces the discrete log to quantum period-finding
    section Structure strikes back
      1998 : Anomalous trace-one curves fall in polynomial time
      2002 : Weil descent breaks special binary curves
    section Records and frontiers
      2015 : Logjam weaponizes shared-prime precomputation
      2019 : A 795-bit prime-field record : quasi-polynomial small-characteristic descent proven
&lt;h3&gt;The first structural lesson: Pohlig-Hellman&lt;/h3&gt;
&lt;p&gt;In January 1978, Stephen Pohlig and Martin Hellman proved something that should have set the tone for the entire field [@pohlig-hellman-1978]. Suppose the order of the group -- the number of elements -- factors into small primes, $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$. Then the discrete log does not have to be solved in the big group at all. It can be solved separately in each prime-power piece, where the numbers are tiny, and the answers glued back together with the Chinese Remainder Theorem.&lt;/p&gt;
&lt;p&gt;The total work is on the order of $\sum_i e_i(\log n + \sqrt{p_i})$ -- dominated by the &lt;em&gt;largest&lt;/em&gt; prime factor, not by the size of $n$.&lt;/p&gt;
&lt;p&gt;Read that again with the thesis in mind. A group can be astronomically large and still offer no security, if its order happens to be a product of small primes. A 4096-bit group whose order is smooth falls instantly.&lt;/p&gt;
&lt;p&gt;Security was never a property of &quot;the log&quot; or of the key length. It was a property of the &lt;em&gt;group&apos;s order&lt;/em&gt; -- specifically, whether that order contains a large prime factor. The first thing anyone proved about the discrete log moved the weakness off the logarithm and onto a structural feature of the chosen group. Everything that follows is a variation on that move.&lt;/p&gt;
&lt;h3&gt;The escape that defines the rest of the article&lt;/h3&gt;
&lt;p&gt;By the mid-1980s, the multiplicative group $\mathbb{F}_p^*$ had a second problem beyond smooth orders: it admitted &lt;em&gt;index calculus&lt;/em&gt;, a family of sub-exponential attacks we will meet in Section 6. The response, arriving independently from two directions, was not a better logarithm algorithm. It was a change of group.&lt;/p&gt;
&lt;p&gt;In 1985, Victor Miller [@miller-1986] and, independently, Neal Koblitz [@koblitz-1987] proposed replacing $\mathbb{F}_p^*$ with the group of points on an elliptic curve over a finite field. Their motivation was explicit and structural: the multiplicative group hands index calculus something to grip, and a general elliptic curve does not, so the same security should be reachable with far smaller keys.&lt;/p&gt;
&lt;p&gt;This is the thesis in its constructive form -- &lt;em&gt;when a group is weak, do not sharpen the attack, choose a group with less structure&lt;/em&gt; -- and it introduces the lens we will look through for the rest of the article: the distinction between a &lt;strong&gt;generic&lt;/strong&gt; group, whose elements are opaque handles you can only combine with the group operation, and a &lt;strong&gt;structured&lt;/strong&gt; group, whose elements leak extra arithmetic an attacker can exploit.&lt;/p&gt;
&lt;p&gt;Miller and Koblitz had escaped one kind of structure. The question their move raised -- and the one the next section answers -- is what an attacker can do against a group that has &lt;em&gt;nothing&lt;/em&gt; wrong with it. If Pohlig-Hellman is defeated by a large prime order, how hard is the log then?&lt;/p&gt;
&lt;h2&gt;3. The Generic Floor: Why Square-Root Time Is the Best You Can Do&lt;/h2&gt;
&lt;p&gt;Here is a number that has barely moved in fifty years. Against a well-chosen group, the best known generic attack on the discrete log runs in about $0.886\sqrt{\ell}$ steps, where $\ell$ is the largest prime factor of the group&apos;s order. Not only is that the best anyone has found -- there is a &lt;em&gt;proof&lt;/em&gt; you cannot do fundamentally better generically. To see why that floor exists, and why it is a floor and not a ceiling waiting to be lowered, start with the simplest attack that hits it.&lt;/p&gt;
&lt;h3&gt;Baby-step giant-step: sorting your way to the log&lt;/h3&gt;
&lt;p&gt;In 1971 Daniel Shanks described a deterministic method that trades memory for time [@shanks-1971]. To solve $h = g^x$ with $x$ below some bound $N$, precompute and store the &quot;baby steps&quot; $g^0, g^1, \ldots, g^{m-1}$ for $m \approx \sqrt{N}$, then take &quot;giant steps&quot; $h \cdot g^{-jm}$ for $j = 0, 1, 2, \ldots$ until one lands in the stored table. A match pins down $x = i + jm$. The running time is $O(\sqrt{N})$ and so is the memory -- and remarkably, this square-root cost is essentially the same one that still bounds the state of the art.&lt;/p&gt;
&lt;p&gt;The clean &quot;given $g$ and $h$, find $x$&quot; statement of the DLP that every textbook now opens with is partly a later reconstruction; Shanks&apos;s 1971 paper framed the computation in the language of class numbers and genera, and the crisp cryptographic phrasing was settled in references like the Handbook of Applied Cryptography [@hac-1996].&lt;/p&gt;
&lt;p&gt;The memory is the problem. Storing $\sqrt{\ell}$ group elements is fine for a 40-bit group and impossible for a 256-bit one. The breakthrough was getting the same square-root &lt;em&gt;time&lt;/em&gt; with almost no memory at all.&lt;/p&gt;

A *generic* algorithm treats group elements as opaque tokens: it can multiply them, invert them, and test equality, but it cannot read anything from their representation -- no bits, no size, no factorization. A group is effectively *generic* for an attacker when no such extra structure is exposed. The whole thesis of this article lives in this word: the square-root floor is proven only for *generic* algorithms, and every faster attack works precisely by treating the group as *non*-generic.
&lt;h3&gt;Pollard&apos;s rho: a random walk that traps itself&lt;/h3&gt;

Walk pseudo-randomly through the group with a function $f$ that also tracks how each point is built from the generator $g$ and the target $Q$, as $g^a Q^b$. Because the group is finite, the walk must eventually revisit a point, and the birthday bound makes that first self-collision appear after only about $\sqrt{\ell}$ steps. When it does, two different expressions $g^{a_1}Q^{b_1}$ and $g^{a_2}Q^{b_2}$ name the same element, which rearranges into $(a_1 - a_2) \equiv x\,(b_2 - b_1) \pmod{\ell}$ -- and the log $x$ drops out.
&lt;p&gt;John Pollard published this in 1978 [@pollard-rho-1978]. Its beauty is the memory: using Floyd&apos;s or Brent&apos;s cycle-finding, you need to remember only a couple of points, so the cost is about $0.886\sqrt{\ell} = \sqrt{\pi/4},\sqrt{\ell}$ group operations at $O(1)$ space. The name comes from the shape the walk traces -- a tail that runs into a loop, like the Greek letter rho.&lt;/p&gt;

Two effects stack. A pseudo-random walk through a set of $\ell$ elements is expected to run into its own past after on the order of $\sqrt{\ell}$ steps, and working that expected value through the birthday integral gives $\sqrt{\pi/2}\,\sqrt{\ell} \approx 1.2533\sqrt{\ell}$ -- the pure birthday constant. On an elliptic curve a second, curve-specific discount then applies: because $P$ and $-P$ share an $x$-coordinate, the walk can run on equivalence classes under point negation, a $\sqrt{2}$ speedup that pulls the constant down to $\sqrt{\pi/4}\,\sqrt{\ell} \approx 0.886\sqrt{\ell}$ -- the figure SafeCurves quotes for the elliptic-curve discrete log [@safecurves]. Half a century of refinement -- distinguished points, that negation map, better step functions -- has improved the constant but never the exponent. The square root is the wall.

flowchart TD
    A[Start at a known element, tracking exponents a and b] --&amp;gt; B[Apply the pseudo-random step f]
    B --&amp;gt; C[Land on the next element of the walk]
    C --&amp;gt; D{&quot;Element seen before?&quot;}
    D --&amp;gt;|No, keep walking| B
    D --&amp;gt;|Yes, collision| E[Two products in g and Q name the same element]
    E --&amp;gt; F[The collision becomes a linear equation in the unknown x]
    F --&amp;gt; G[Read off the discrete log x]
&lt;p&gt;You can watch the birthday collision happen on a toy group. The subgroup below has prime order $\ell = 509$, so $\sqrt{\ell} \approx 23$; the walk finds its self-collision in a few dozen steps and reads off the secret exponent.&lt;/p&gt;
&lt;p&gt;{`&lt;/p&gt;
Group: the order-509 subgroup of the integers mod 1019. Q = g^x; recover x.
&lt;p&gt;p, l, g = 1019, 509, 4      # p = 2*l + 1 (safe prime); g has prime order l
x_secret = 137              # the exponent the attacker does not know
Q = pow(g, x_secret, p)&lt;/p&gt;
&lt;p&gt;def step(X, a, b):
    # A three-way pseudo-random walk that also tracks X = g^a * Q^b (mod p).
    r = X % 3
    if r == 0:   return (X * Q) % p, a, (b + 1) % l
    elif r == 1: return (X * X) % p, (2 * a) % l, (2 * b) % l
    else:        return (X * g) % p, (a + 1) % l, b&lt;/p&gt;
&lt;p&gt;seen = {}                   # a table only to make the collision visible
X, a, b = g, 1, 0           # start at X = g^1 * Q^0
for i in range(1, l + 5):
    if X in seen:
        a2, b2 = seen[X]
        den = (b - b2) % l
        x = ((a2 - a) * pow(den, -1, l)) % l   # solve the collision for x
        print(&quot;collision at step&quot;, i, &quot; (sqrt(l) is about&quot;, round(l ** 0.5), &quot;)&quot;)
        print(&quot;recovered x =&quot;, x, &quot; true x =&quot;, x_secret, &quot; match:&quot;, x == x_secret)
        break
    seen[X] = (a, b)
    X, a, b = step(X, a, b)
`}&lt;/p&gt;
&lt;p&gt;A production attacker drops the table and uses constant memory, restarting on the rare degenerate collision where the bookkeeping cancels. What matters is the exponent: the cost scales as the &lt;em&gt;square root&lt;/em&gt; of the subgroup order, and nothing about the group&apos;s size changes that scaling.&lt;/p&gt;
&lt;p&gt;A close cousin, Pollard&apos;s kangaroo (or lambda) method, solves the DLP when $x$ is known to lie in a short interval, at cost proportional to the square root of the interval width rather than of $\ell$.&lt;/p&gt;
&lt;h3&gt;Parallelism does not change the exponent&lt;/h3&gt;
&lt;p&gt;In 1999, Paul van Oorschot and Michael Wiener turned rho into a production weapon [@vanoorschot-wiener-1999]. Many machines walk independently and report only &lt;em&gt;distinguished points&lt;/em&gt; -- points with a rare, easy-to-test property such as a run of leading zero bits. A collision between any two chains is caught by a central server, and the speedup is near-linear: $m$ machines finish in about $\sqrt{\ell}/m$ wall-clock time. Parallelism buys you a smaller constant and a division by your budget. It does not touch the square root.&lt;/p&gt;
&lt;h3&gt;The floor is a theorem, not a lack of imagination&lt;/h3&gt;
&lt;p&gt;Why be sure no cleverer generic walk exists? Because in 1997 Victor Shoup proved a matching lower bound: any algorithm that uses only the group operation must make $\Omega(\sqrt{\ell})$ queries to solve the discrete log, where $\ell$ is the largest prime factor of the order [@shoup-1997]. Pollard&apos;s upper bound and Shoup&apos;s lower bound close on the same exponent.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; On a group with no exploitable structure, the best attack anyone knows -- Pollard rho at about $0.886\sqrt{\ell}$ steps -- is provably the best attack anyone generically &lt;em&gt;can&lt;/em&gt; know, because Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound meets it. The two bounds coincide at $\Theta(\sqrt{\ell})$. The hardness is not a property of &quot;the logarithm.&quot; It is fixed entirely by one number: the largest prime factor of the group&apos;s order. The variable has moved from the operation to the group.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That is why &quot;security level&quot; is &lt;em&gt;defined&lt;/em&gt; as the rho cost. A 256-bit curve is a $2^{128}$ target, not a $2^{256}$ one, because rho gets a square-root discount that no key-size increase can revoke.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Curve (256-bit unless noted)&lt;/th&gt;
&lt;th&gt;Pollard rho cost&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Curve25519&lt;/td&gt;
&lt;td&gt;$2^{125.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-256, secp256k1&lt;/td&gt;
&lt;td&gt;$2^{127.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;brainpoolP256&lt;/td&gt;
&lt;td&gt;$2^{127.5}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-384 (384-bit)&lt;/td&gt;
&lt;td&gt;$2^{191.8}$&lt;/td&gt;
&lt;td&gt;about 192-bit security [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SafeCurves &quot;anomalous&quot; curve (about 204-bit)&lt;/td&gt;
&lt;td&gt;$2^{101.6}$ by size alone&lt;/td&gt;
&lt;td&gt;a red herring -- its real break is polynomial-time SSSA (Section 4), off the rho scale entirely [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;

State-of-the-art attacks on the elliptic-curve discrete log are still within a factor of two of Shanks&apos;s 1971 method. Half a century of cryptanalysis against a clean curve has bought a factor of two.
&lt;p&gt;The records bear this out. The largest discrete log ever solved on a generic, randomly chosen prime-field elliptic curve is a 112-bit curve, secp112r1, cracked in 2009 by a parallel rho computation [@bos-112bit-2009]. The only solves that have reached higher leaned on exploitable curve structure rather than a stronger generic attack, which is the thesis in miniature. Set that against the finite-field records we are about to meet, where the numbers run past 795 bits, and the gap tells the whole story: against a clean curve there is no better attack than the square-root walk, so records crawl.&lt;/p&gt;
&lt;p&gt;This is the wall every attacker hits -- unless the group hands them a crack. So where are the cracks? They start with the curve you choose.&lt;/p&gt;
&lt;h2&gt;4. The Curve as the Weak Part, I: Special Curves That Transfer the Log Away&lt;/h2&gt;
&lt;p&gt;The move to elliptic curves was supposed to strip out structure. But the first generation of curve choices smuggled it back in, and the way each weakness works is the quiet engine of this whole article. None of them computes a faster logarithm. Each one &lt;strong&gt;moves the logarithm out of the curve&lt;/strong&gt; and into a different group where the log was never hard to begin with.&lt;/p&gt;

flowchart TD
    A[ECDLP on the chosen curve E] --&amp;gt; B{&quot;What structure did the curve leak?&quot;}
    B --&amp;gt;|Trace equals 1, so the point count equals p| C[Additive transfer, the SSSA map]
    B --&amp;gt;|Small embedding degree k| D[Pairing transfer, MOV and Frey-Ruck]
    C --&amp;gt; E[Log now lives in the additive group of F_p, which has no hardness]
    D --&amp;gt; F[Log now lives in a finite field where index calculus finishes it]
    E --&amp;gt; G[Recovered in polynomial time]
    F --&amp;gt; H[Recovered in sub-exponential time]
&lt;h3&gt;Anomalous curves: a trapdoor hiding in the point count&lt;/h3&gt;
&lt;p&gt;Every elliptic curve over a prime field $\mathbb{F}_p$ has a point count governed by a single integer. Hasse&apos;s theorem says $#E(\mathbb{F}_p) = p + 1 - t$, where $t$ is the &lt;em&gt;trace of Frobenius&lt;/em&gt; and $|t| \le 2\sqrt{p}$. That one number, $t$, decides whether the curve is world-class or worthless.&lt;/p&gt;

The trace of Frobenius $t$ measures how the number of points on $E$ over $\mathbb{F}_p$ deviates from $p + 1$, via $\#E(\mathbb{F}_p) = p + 1 - t$. A curve is *anomalous* when $t = 1$, so that $\#E(\mathbb{F}_p) = p$ exactly -- the group of points has the same order as the additive group of the field it sits over. That coincidence is fatal.
&lt;p&gt;When the group order equals $p$, a map exists -- built from the $p$-adic (formal) logarithm and expressible through Fermat quotients -- that sends the elliptic-curve discrete log straight into $(\mathbb{F}_p, +)$, the additive group of the field. And addition has no discrete-log hardness at all: recovering $x$ from $x \cdot a$ in $(\mathbb{F}_p, +)$ is one modular division. The transfer runs in &lt;strong&gt;polynomial time&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;This was worked out in 1998 and 1999 by Nigel Smart [@smart-1999], and independently by Igor Semaev [@semaev-1998] and by Takakazu Satoh and Kiyomichi Araki [@satoh-araki-1998]; the attack is often abbreviated SSSA after the four names.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Size buys nothing here. A 256-bit anomalous curve -- indistinguishable at a glance from a strong one, same field size, same key length -- falls in polynomial time, essentially instantly, while its 256-bit clean neighbor stands at about $2^{125.8}$ operations [@safecurves]. The only thing that changed is the trace. The defense is one check: confirm that $#E(\mathbb{F}_p) \neq p$.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;There is a subtlety worth flagging so you can spot a common mis-citation: this 1998-99 break is the &lt;em&gt;additive&lt;/em&gt;, formal-logarithm transfer. It is not Semaev&apos;s later 2004 work on summation polynomials [@semaev-2004], which is a different line of attack we will meet in Section 10. Trace one is a coincidence in the point count; summation polynomials are an index-calculus program. Conflating them is the classic error in retellings of this attack.&lt;/p&gt;
&lt;h3&gt;Low embedding degree: a bridge into a weaker field&lt;/h3&gt;
&lt;p&gt;The second transfer needs a different structural flaw. Every prime-order subgroup of a curve has an &lt;em&gt;embedding degree&lt;/em&gt;, and if it is small, a bridge opens into a finite field where the log is soft.&lt;/p&gt;

For a subgroup of prime order $\ell$ on a curve over $\mathbb{F}_q$, the embedding degree $k$ is the least positive integer such that $\ell \mid q^k - 1$. Equivalently, $k$ is the smallest extension field $\mathbb{F}_{q^k}$ whose multiplicative group contains a copy of the subgroup. When $k$ is small, that copy is reachable, and the finite-field discrete log there is sub-exponential rather than square-root.
&lt;p&gt;The bridge itself is a bilinear pairing.&lt;/p&gt;

A pairing is a map $e$ that takes two curve points to an element of $\mathbb{F}_{q^k}^*$ and is *bilinear*: $e(aP, bQ) = e(P, Q)^{ab}$. Bilinearity is what turns a curve log into a field log, but there is a subtlety most retellings get wrong. The *Weil* pairing that MOV uses is *alternating*: $e(P, P) = 1$ for every $P$, so a naive $e(P, P)^x$ is just $1$ and carries no information. MOV instead pairs $Q = xP$ with a *second, linearly independent* order-$\ell$ point $R \notin \langle P \rangle$, giving $e(Q, R) = e(P, R)^x$ in $\mathbb{F}_{q^k}^*$ -- an ordinary finite-field discrete log in the nontrivial root of unity $e(P, R)$. On the classic supersingular victims that independent $R$ arrives for free from a *distortion map* $\psi$, an endomorphism that moves $P$ off its own subgroup so that $R = \psi(P)$ works [@verheul-2004] [@galbraith-2012]. Frey and Ruck use the *Tate* pairing, which is not alternating and does admit a nontrivial self-pairing, so there the bare $e(P, P)^x$ form is the legitimate one.
&lt;p&gt;Menezes, Okamoto, and Vanstone published the Weil-pairing reduction in 1993 [@mov-1993]; Frey and Ruck gave the companion Tate-pairing version in 1994 [@frey-ruck-1994]. The classic victims are supersingular curves, which have embedding degree $k \le 6$. Once transferred into $\mathbb{F}_{q^k}^*$ with small $k$, the log falls to the sub-exponential Number Field Sieve of Section 6.&lt;/p&gt;
&lt;p&gt;The escape to a curve is undone by a curve that quietly kept a low-degree door into a field. The defense, again, is a property of the curve you &lt;em&gt;choose&lt;/em&gt;: demand a large embedding degree, which the pairing textbook literature treats as a standard selection criterion [@hankerson-mv-2004].&lt;/p&gt;

There is a twist worth savoring. The very property MOV and Frey-Ruck exploit -- a workable pairing into a small field -- became the foundation of an entire branch of cryptography. Identity-based encryption, BLS signatures, and much of what makes modern threshold and aggregate signatures possible are *built on* pairing-friendly curves with deliberately small embedding degree. The supersingular curves that MOV destroyed for plain ECDLP found a second career as the substrate of constructive pairing-based cryptography. The same distortion maps that hand MOV its independent second point are what make Antoine Joux&apos;s one-round tripartite Diffie-Hellman work -- a three-party key agreement in a single round, and the first purpose-built pairing protocol [@joux-tripartite-2000]. A structural feature is only a weakness relative to what you are trying to do with it.
&lt;p&gt;Step back and notice what both attacks have in common with each other and with Pohlig-Hellman before them.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Neither the anomalous break nor the pairing break computes a faster logarithm. Each one &lt;em&gt;transfers&lt;/em&gt; the log: the anomalous curve&apos;s log is mapped into $(\mathbb{F}&lt;em&gt;p, +)$, where addition is trivial; the low-embedding-degree curve&apos;s log is mapped into $\mathbb{F}&lt;/em&gt;{q^k}^*$, where index calculus finishes it. The attacker never out-computes the logarithm on the curve. They relocate it to a group that was never hard. Structure, not speed, is the entire game.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Trace one and small embedding degree are properties an attacker can only &lt;em&gt;hope&lt;/em&gt; the designer chose badly. The next family of breaks is nastier, because they can be triggered by the attacker&apos;s own inputs, or by a field chosen one level up from the curve.&lt;/p&gt;
&lt;h2&gt;5. The Curve as the Weak Part, II: Twists, Shadow Groups, and Descent&lt;/h2&gt;
&lt;p&gt;The cleanest structural weakness of all does not live in the curve you publish. It lives in the curve&apos;s twin.&lt;/p&gt;
&lt;h3&gt;Twist attacks: falling off the curve onto its shadow&lt;/h3&gt;
&lt;p&gt;Fast elliptic-curve implementations often work with $x$-coordinates only -- the Montgomery ladder, used by X25519, never computes a $y$-coordinate at all. That is a real speed and safety win, but it introduces a subtlety: an $x$ value the attacker sends might not correspond to any point on $E$.&lt;/p&gt;

Over $\mathbb{F}_p$, a curve $E$ has a *quadratic twist* $E&apos;$ -- a sibling curve that becomes isomorphic to $E$ only over the larger field $\mathbb{F}_{p^2}$. The key fact for $x$-only arithmetic is that every $x$ in $\mathbb{F}_p$ is the $x$-coordinate of a point on *either* $E$ *or* $E&apos;$. So an attacker-supplied $x$ that is not on $E$ is silently processed as a point on the twist. A curve is *twist-secure* when both $E$ and $E&apos;$ have near-prime order.
&lt;p&gt;Here is the attack. If the twist $E&apos;$ has a &lt;em&gt;smooth&lt;/em&gt; order -- a product of small primes -- then a scalar multiplication the victim performs on that twist leaks the secret modulo each small prime, exactly the Pohlig-Hellman shattering from Section 2, now triggered by an attacker&apos;s chosen input rather than by the designer&apos;s bad luck. Collect enough small residues and the Chinese Remainder Theorem reassembles the key.&lt;/p&gt;
&lt;p&gt;The weakness is real, and again it is a property of the group the designer &lt;em&gt;chose&lt;/em&gt;: it is defeated by requiring the twist&apos;s order, not just the curve&apos;s, to be near-prime. Curve25519 was designed to be twist-secure from the start [@bernstein-curve25519-2006], and SafeCurves treats twist security as a first-class criterion [@safecurves].&lt;/p&gt;
&lt;h3&gt;Invalid-curve shadow groups: arithmetic that forgets its own curve&lt;/h3&gt;
&lt;p&gt;The next mechanism is sharper still, and it exposes something almost philosophical about how curve arithmetic works.&lt;/p&gt;

For a short-Weierstrass curve $y^2 = x^3 + ax + b$, the standard point-addition formulas use $a$ but never use $b$. So if you feed the arithmetic a point that satisfies $y^2 = x^3 + ax + c$ for the *wrong* constant $c$, every formula still returns a well-defined answer -- computed as if on a different, weaker &quot;shadow&quot; curve. If that shadow curve has smooth order, the secret is confined to small subgroups, just as in a twist attack.
&lt;p&gt;Biehl, Meyer, and Muller analyzed this in 2000 [@biehl-meyer-muller-2000], and SafeCurves states the load-bearing fact plainly: the standard formulas do not involve the constant coefficient $b$ [@safecurves]. What makes this a &quot;shadow group&quot; rather than a single weak curve is that the attacker gets to choose $c$, and so gets a whole &lt;em&gt;family&lt;/em&gt; of weaker curves to hunt through for one with a smooth order.&lt;/p&gt;
&lt;p&gt;Do not confuse invalid-curve attacks with small-subgroup confinement in the Lim-Lee sense. The former uses many &lt;em&gt;different&lt;/em&gt; off-curve shadow curves reached by varying $c$; the latter feeds a single low-order element inside &lt;em&gt;one&lt;/em&gt; group. Both end in Pohlig-Hellman, but the structural handle is different.&lt;/p&gt;
&lt;p&gt;Now, the honest boundary. The &lt;em&gt;mechanism&lt;/em&gt; above is pure group arithmetic -- a genuine structural property of the short-Weierstrass addition law -- and that is what belongs here. What makes it fire in a real system is a missing check: the software accepted a point without verifying it was on the intended curve. That trigger is an implementation gap, not curve mathematics, and this article deliberately stops at the mathematics.&lt;/p&gt;

This piece keeps a strict contract: it analyzes only the mathematics of the group. The moment a break depends on a missing input validation, a leaked nonce, a fault injected into a signature, a downgrade negotiated on the wire, or a manipulated parameter, it crosses into implementation and protocol territory. Those are the domain of the empirical sibling, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life: PS3, CurveBall, Logjam, and Biased Nonces,&quot; which covers the PlayStation 3 repeated-nonce disaster, the CurveBall certificate-validation flaw, the Logjam downgrade handshake, and the biased-nonce lattice attacks. When you finish here knowing *which group properties* are dangerous, that article shows *how deployments trip over them*. The invalid-curve trigger -- &quot;the code forgot to validate the point&quot; -- is handed there in full.
&lt;h3&gt;Weil descent: a weakness chosen one level up, in the field&lt;/h3&gt;
&lt;p&gt;The last structural break in this pair does not need a bad curve so much as a badly chosen &lt;em&gt;field&lt;/em&gt;. Some curves live over binary extension fields $\mathbb{F}_{2^n}$. When the extension degree $n$ is composite, a technique called Weil restriction can re-express the curve&apos;s group as points on a higher-genus curve over a smaller subfield -- and on that higher-genus object, &lt;em&gt;index calculus&lt;/em&gt; applies and beats the generic square-root floor.&lt;/p&gt;
&lt;p&gt;Gaudry, Hess, and Smart formalized this in 2002 [@ghs-2002], and the title of their paper is itself a summary of this whole section: &quot;Constructive and destructive facets of Weil descent on elliptic curves.&quot; The precondition is structural and specific: a composite-degree binary extension field. The defense is equally specific: use prime fields, or at worst prime-degree extensions, so there is no subfield to descend into.&lt;/p&gt;
&lt;p&gt;Every curve break in these two sections has needed a &lt;em&gt;particular&lt;/em&gt; structural precondition -- trace one, small embedding degree, a smooth twist, $b$-independent arithmetic, a composite extension field. Not one has been a faster logarithm. Now cross the aisle to the group the whole field was fleeing in 1985. There, the structure is not an accident of a bad curve. It is built into the group itself.&lt;/p&gt;
&lt;h2&gt;6. The Finite-Field Side: When the Group Itself Has Structure&lt;/h2&gt;
&lt;p&gt;An anomalous curve is a &lt;em&gt;bad choice&lt;/em&gt; -- pick a different curve and the weakness is gone. The multiplicative group $\mathbb{F}_p^*$ is different. It is not a bad choice; it is &lt;em&gt;inherently&lt;/em&gt; structured. Its elements are ordinary integers, and integers can be multiplied and factored. That single property -- the one thing an elliptic-curve group pointedly does not have -- is exactly what the fastest classical attack needs.&lt;/p&gt;
&lt;h3&gt;Index calculus: turning multiplication into linear algebra&lt;/h3&gt;

Fix a *factor base* of small primes. An element is *smooth* if it factors completely over that base. Index calculus hunts for powers $g^k$ that are smooth; each one factors as a product of factor-base primes, and taking logs turns that product into a *linear equation* relating the unknown logs of the base primes. Collect more smooth relations than there are base primes, solve the linear system once, and you know the log of every prime in the base. To finish a specific target $h$, nudge it by random powers of $g$ until $h \cdot g^k$ is smooth, and read the answer off the precomputed base logs.
&lt;p&gt;Notice what index calculus consumes: the ability to &lt;em&gt;factor&lt;/em&gt; group elements into small pieces. In $\mathbb{F}_p^*$ that ability is free, because the elements are integers. On an elliptic curve there is no such thing as a &quot;small&quot; point, no factor base, no notion of a smooth point at all. The attack has nothing to grip. That absence is not a minor detail -- it is the entire reason elliptic-curve cryptography exists.&lt;/p&gt;
&lt;h3&gt;The Number Field Sieve, pointed at the logarithm&lt;/h3&gt;
&lt;p&gt;The mature form of this idea is the Number Field Sieve. Built for factoring by Lenstra, Lenstra, Manasse, and Pollard in 1990 [@nfs-llmp-1990], it was adapted to the discrete log in a prime field by Daniel Gordon in 1993 [@gordon-1993].&lt;/p&gt;
&lt;p&gt;Its pipeline has four stages: choose number fields tuned to $p$ (polynomial selection), sieve for smooth relations (relation collection), solve the resulting sparse linear system modulo the group order (linear algebra), and then peel off each individual target log (descent). The first three stages depend only on the prime $p$ -- a fact that looks academic here and becomes a weapon in the next section.&lt;/p&gt;

Cryptographers measure these costs with $L_p[\alpha, c] = \exp\!\big((c + o(1))(\ln p)^{\alpha}(\ln\ln p)^{1-\alpha}\big)$. The exponent $\alpha$ interpolates between two worlds: $\alpha = 1$ is fully exponential (Pollard rho on a $b$-bit group costs about $2^{b/2}$, an $L_p[1, 1/2]$ cost), and $\alpha = 0$ is polynomial. The Number Field Sieve sits at $\alpha = 1/3$, deep in *sub-exponential* territory -- vastly faster than the generic square root, and the same complexity class as integer factoring.
&lt;p&gt;Gordon&apos;s 1993 algorithm put the finite-field discrete log in the sub-exponential $L_p[1/3]$ class, with heuristic constant $3^{2/3} \approx 2.08$ [@gordon-1993]; later refinements sharpened that constant to the modern $(64/9)^{1/3} \approx 1.923$. To feel what the difference between $\alpha = 1/2$ and $\alpha = 1/3$ does to real key sizes, run the estimator: the finite-field cost grows like a &lt;em&gt;cube root&lt;/em&gt; of the bit length in the exponent, while the elliptic-curve cost grows &lt;em&gt;linearly&lt;/em&gt;. That is why the two settings need such different key sizes for the same security.&lt;/p&gt;
&lt;p&gt;{`
import math&lt;/p&gt;
&lt;p&gt;def nfs_bits(bits):
    # Leading-term model of the NFS-DL cost L_p[1/3, (64/9)^(1/3)] for a &apos;bits&apos;-bit prime.
    lnp = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)                  # about 1.923
    return c * lnp ** (1/3) * math.log(lnp) ** (2/3) / math.log(2)&lt;/p&gt;
&lt;p&gt;def rho_bits(order_bits):
    return order_bits / 2                    # Pollard rho: half the bit length&lt;/p&gt;
&lt;p&gt;print(&quot;Finite-field DH (cost grows like a cube root in the exponent):&quot;)
for b in [512, 1024, 2048, 3072]:
    print(f&quot;  {b:&amp;gt;4}-bit prime  ~  2^{nfs_bits(b):5.1f}&quot;)
print(&quot;Elliptic curve (cost grows linearly):&quot;)
for m in [160, 224, 256]:
    print(f&quot;  {m:&amp;gt;4}-bit curve   ~  2^{rho_bits(m):5.1f}&quot;)&lt;/p&gt;
The leading term runs a little high; calibrated against real records, standard
practice reads 1024-bit as roughly 80-bit and 3072-bit as roughly 128-bit security.
&lt;p&gt;`}&lt;/p&gt;
&lt;p&gt;The scaling is the point. A clean 256-bit curve and a 3072-bit prime deliver comparable security -- the curve does it with an eighth of the key length -- precisely because the curve denies the sieve its factor base. This is the thesis at its sharpest: the &lt;em&gt;same&lt;/em&gt; discrete logarithm, but a group whose structure leaks drops the attack from square-root time all the way to $L_p[1/3]$.&lt;/p&gt;

Same discrete log. On a generic curve, the largest ever solved is 112 bits and the records crawl. In a prime field, the record is 795 bits and climbing. The logarithm did not change -- the group did.
&lt;p&gt;The records make the gap concrete. The current prime-field discrete-log record is 795 bits (240 decimal digits), set in 2019 by Boudot, Gaudry, Guillevic, Heninger, Thome, and Zimmermann, with the discrete-log computation costing roughly 3,100 core-years [@boudot-795bit-2020]; the previous record was 768 bits [@kleinjung-768bit-2017]. Against the 112-bit generic-curve ceiling of Section 3, the sieve&apos;s structural advantage is not subtle. The multiplicative group hands the attacker a factor base; the curve hands them nothing. The results corroborate the standard textbook accounting of index calculus and its consequences for finite-field sizing [@hac-1996].&lt;/p&gt;
&lt;p&gt;A sub-exponential attack still sounds expensive -- years of computation for a single prime. So why is a 1024-bit Diffie-Hellman group a &lt;em&gt;practical&lt;/em&gt; target rather than a merely theoretical one? Because the expensive part only has to be done once.&lt;/p&gt;
&lt;h2&gt;7. Logjam: Precomputation as a Structural Property&lt;/h2&gt;
&lt;p&gt;The most misunderstood word in &lt;a href=&quot;https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/&quot; rel=&quot;noopener&quot;&gt;forward secrecy&lt;/a&gt; is &quot;fresh.&quot; A new ephemeral key on every connection &lt;em&gt;feels&lt;/em&gt; like it should defeat any precomputed attack -- surely a one-time secret cannot be broken by work done in advance. Against a &lt;em&gt;shared&lt;/em&gt; prime, that intuition is simply wrong, and seeing why is the sharpest lesson the finite-field side has to teach.&lt;/p&gt;
&lt;p&gt;Recall the four stages of the Number Field Sieve. Three of them -- polynomial selection, relation collection, and the enormous linear-algebra solve -- depend only on the prime $p$. They produce the discrete logs of the entire factor base, and that output is reusable for &lt;em&gt;every&lt;/em&gt; discrete log computed in that same prime field. Only the final descent step depends on the particular target. The Logjam researchers put it in one line on the project page: the first step of the number field sieve is dependent only on this prime [@logjam-adrian-2015].&lt;/p&gt;

flowchart TD
    subgraph PC[&quot;Precomputation, depends only on the prime p&quot;]
      A[Polynomial selection] --&amp;gt; B[Relation collection by sieving]
      B --&amp;gt; C[Linear algebra, logs of the whole factor base]
    end
    C --&amp;gt; D[Per-target descent, one quick step per connection]
    D --&amp;gt; E[Discrete log of this specific ephemeral key]
    F[Every connection that shares p reuses the same precomputation] -.-&amp;gt; D
&lt;p&gt;So a fresh ephemeral does not help if the prime behind it is shared and undersized. The attacker pays the sieve cost once, for the prime, and then every &quot;fresh&quot; handshake using that prime falls in the cheap descent step. Freshness protects the &lt;em&gt;key&lt;/em&gt;; it does nothing for a &lt;em&gt;shared group&lt;/em&gt;.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Precomputation is not a shortcut around the math -- it &lt;em&gt;is&lt;/em&gt; the structure being exploited. The weakness Logjam turns into a live threat is the amortized cost of a shared, undersized prime, spread across millions of connections. It is not a faster logarithm and not a smaller key in isolation. It is the fact that everyone reused the same group.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The blast radius came from exactly that reuse. A handful of 1024-bit primes were hard-coded into standards and shipped in software everywhere. Adrian and colleagues measured the exposure [@logjam-adrian-2015]. The immediate Logjam downgrade, forcing connections to 512-bit export-grade Diffie-Hellman, initially left 8.4% of the Top 1 Million HTTPS domains vulnerable.&lt;/p&gt;
&lt;p&gt;Looking forward, a single precomputation against one common 1024-bit prime would let a passive eavesdropper read roughly 18% of the Top 1 Million HTTPS domains; precomputing a second common 1024-bit prime would reach about 66% of VPNs and 26% of SSH servers. A nation-state budget for one very large computation buys passive decryption of a striking fraction of the internet, all because the primes were shared.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The lesson people take away from Logjam is usually &quot;use bigger primes,&quot; and that is half right. The deeper point is that a 1024-bit prime is dangerous mainly because it is &lt;em&gt;shared and precomputed&lt;/em&gt;, not merely because it is 1024 bits. A &lt;em&gt;unique&lt;/em&gt;, per-organization 2048-bit or larger prime denies the attacker the amortization that makes the sieve economical at internet scale. Shared-and-precomputed versus unique is the real axis; size is secondary [@logjam-adrian-2015].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;There is a further twist this article names only to hand off: a prime can be &lt;em&gt;maliciously&lt;/em&gt; constructed so that a hidden special-number-field-sieve structure makes it far weaker than it looks, a trapdoor invisible to anyone who did not build it. That, along with the wire-level mechanics of how a downgrade is actually negotiated, is deployment and protocol territory -- the empirical sibling&apos;s ground, not this article&apos;s.&lt;/p&gt;
&lt;p&gt;Logjam attacks a field whose prime was too small and, above all, shared. But there is a family of fields where the sieve does not merely amortize -- it changes complexity class entirely, from sub-exponential to almost polynomial. The only question is which fields, and the answer is, once again, a structural property someone chose.&lt;/p&gt;
&lt;h2&gt;8. Small Characteristic: The Quasi-Polynomial Frontier&lt;/h2&gt;
&lt;p&gt;For one specific family of fields, the discrete log came close to &lt;em&gt;collapsing&lt;/em&gt; -- and the story teaches the same lesson one more time, in its most dramatic form: the characteristic you choose is a structural gift to the attacker.&lt;/p&gt;
&lt;p&gt;Finite fields come in two flavors that matter here. Prime fields $\mathbb{F}&lt;em&gt;p$ have large characteristic $p$. Extension fields like $\mathbb{F}&lt;/em&gt;{2^n}$ and $\mathbb{F}_{3^n}$ have &lt;em&gt;small&lt;/em&gt;, fixed characteristic (2 or 3) and a large extension degree $n$. For decades both were treated as roughly comparable homes for the discrete log. Then, in the span of a few years, the small-characteristic case fell apart.&lt;/p&gt;
&lt;p&gt;In 2013, Antoine Joux broke the long-standing $L[1/3]$ barrier for small-characteristic fields with a new index-calculus algorithm of complexity $L[1/4 + o(1)]$, published at Selected Areas in Cryptography [@joux-2013-l14]. That was the crack in the dam. In 2014, Barbulescu, Gaudry, Joux, and Thome went much further, giving a &lt;em&gt;heuristic quasi-polynomial&lt;/em&gt; algorithm -- cost $n^{O(\log n)}$ -- for the discrete log in finite fields of small characteristic [@bgjt-2014]. Quasi-polynomial is not merely faster than sub-exponential; it is a different universe of growth, far below $L[1/3]$.&lt;/p&gt;
&lt;p&gt;Then in 2019, Kleinjung and Wesolowski removed the heuristics, proving that the discrete log in a fixed-characteristic field can be solved in expected time $(pn)^{2\log_2(n) + O(1)}$ -- a genuine theorem, not a conjecture backed by experiments [@kleinjung-wesolowski-2019].&lt;/p&gt;
&lt;p&gt;Why does small characteristic collapse when a prime field does not? The whole descent turns on one structural gift. In a field like $\mathbb{F}_{2^n}$ every element is a low-degree polynomial over a tiny base field, and the Frobenius map $x \mapsto x^p$ acts &lt;em&gt;linearly&lt;/em&gt; on that representation, because $(a + b)^p = a^p + b^p$ in characteristic $p$. Those two facts hand the attacker a cheap, self-replenishing supply of low-degree relations: the algorithm presents the field through a low-degree identity linking an element to its Frobenius image, so a single relation spawns a whole orbit of them essentially for free.&lt;/p&gt;
&lt;p&gt;The attack then &lt;em&gt;descends on degree&lt;/em&gt;. It rewrites the logarithm of a degree-$d$ target as a combination of logarithms of strictly lower-degree elements, recurses ($d \to d/2 \to \cdots$), and bottoms out at degree-one elements whose logs are read off directly. Because each step roughly halves the degree while spawning only quasi-polynomially many sub-problems, the descent tree has depth about $\log d$ and terminates in $n^{O(\log n)}$ time -- that logarithmic recursion depth is exactly why the exponent is &quot;quasi-,&quot; not fully, polynomial.&lt;/p&gt;
&lt;p&gt;A prime field $\mathbb{F}_p^*$ offers none of this. Its elements are integers modulo $p$, with no subfield tower, no element degree to shrink, and no small-characteristic Frobenius to make relations cheap. The descent has nothing to grip, which is precisely why the Number Field Sieve at $L_p[1/3]$ stays the best attack there.&lt;/p&gt;
&lt;p&gt;The practical consequence was immediate: this line of work retired small-characteristic pairing choices, including the supersingular binary curves once proposed for pairing-based cryptography, whose security rested on a small-characteristic field discrete log. The field that was supposed to be the hard part evaporated.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The quasi-polynomial result applies to &lt;em&gt;small, fixed characteristic&lt;/em&gt; only: $\mathbb{F}&lt;em&gt;{2^n}$, $\mathbb{F}&lt;/em&gt;{3^n}$, and their relatives. It does &lt;strong&gt;not&lt;/strong&gt; extend to prime fields $\mathbb{F}_p$, where the Number Field Sieve at $L_p[1/3]$ remains the best known attack. Dropping the words &quot;small characteristic&quot; would produce a dangerous falsehood -- that prime-field Diffie-Hellman is quasi-polynomially broken. It is not. Finite-field DH over a properly sized, unique prime is still standing; only the small-characteristic cousins collapsed [@kleinjung-wesolowski-2019].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The calibration is almost comical in scale. The record discrete log in a fixed-characteristic field now stands at $\mathrm{GF}(2^{30750})$, computed in 2019 [@disclog-records-wiki]. That field is roughly thirty-nine times larger in bit length than the 795-bit &lt;em&gt;prime-field&lt;/em&gt; record from the same era. Same &quot;discrete logarithm&quot;; the characteristic of the chosen field decides whether the records sit near 800 bits or sail past 30,000.&lt;/p&gt;
&lt;p&gt;This reinforced a standards trend already under way. NIST SP 800-186 &lt;em&gt;deprecates&lt;/em&gt; the binary and Koblitz curves defined over small-characteristic fields, and FIPS 186-5 &lt;em&gt;removes&lt;/em&gt; them from the approved list entirely [@nist-sp800-186]. The precision matters: deprecation and removal are two distinct regulatory steps, and the small-characteristic results are part of why both happened.&lt;/p&gt;
&lt;p&gt;Eight sections, eight breaks, and one relentless pattern: every classical break so far -- Pohlig-Hellman, the anomalous transfer, MOV and Frey-Ruck, twists, invalid-curve shadows, Weil descent, the Number Field Sieve, and now small-characteristic descent -- needs a &lt;em&gt;specific&lt;/em&gt; structural property of the chosen group. But a pattern is only convincing if you can see all of it at once. Lay every attack on a single table, and the thesis stops being a claim you have to trust and becomes something you can read straight off a column.&lt;/p&gt;
&lt;h2&gt;9. A Map of Where the Weakness Lives&lt;/h2&gt;
&lt;p&gt;One table, read down one column, is the whole argument. Here is every attack in this article, each with the structural property it requires, the easy group it reduces the log to, its cost, and the one question that matters -- does a well-chosen group have that property?&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attack&lt;/th&gt;
&lt;th&gt;Group property it needs&lt;/th&gt;
&lt;th&gt;Reduces the log to&lt;/th&gt;
&lt;th&gt;Complexity&lt;/th&gt;
&lt;th&gt;Clean group has it?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Pollard rho [@pollard-rho-1978]&lt;/td&gt;
&lt;td&gt;none (generic)&lt;/td&gt;
&lt;td&gt;nothing; it &lt;em&gt;is&lt;/em&gt; the floor&lt;/td&gt;
&lt;td&gt;$\approx 0.886\sqrt{\ell}$&lt;/td&gt;
&lt;td&gt;the baseline&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Pohlig-Hellman [@pohlig-hellman-1978]&lt;/td&gt;
&lt;td&gt;smooth group order&lt;/td&gt;
&lt;td&gt;small subgroups plus CRT&lt;/td&gt;
&lt;td&gt;$\sum_i e_i(\log n + \sqrt{p_i})$&lt;/td&gt;
&lt;td&gt;No: large prime order&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Anomalous / SSSA [@smart-1999]&lt;/td&gt;
&lt;td&gt;trace $t = 1$, so $#E = p$&lt;/td&gt;
&lt;td&gt;addition in $(\mathbb{F}_p, +)$&lt;/td&gt;
&lt;td&gt;polynomial&lt;/td&gt;
&lt;td&gt;No: require $#E \neq p$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MOV / Frey-Ruck [@mov-1993]&lt;/td&gt;
&lt;td&gt;small embedding degree $k$&lt;/td&gt;
&lt;td&gt;DLP in $\mathbb{F}_{q^k}^*$&lt;/td&gt;
&lt;td&gt;sub-exponential&lt;/td&gt;
&lt;td&gt;No: large $k$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Twist confinement [@safecurves]&lt;/td&gt;
&lt;td&gt;smooth twist plus x-only ladder&lt;/td&gt;
&lt;td&gt;small subgroups on the twist&lt;/td&gt;
&lt;td&gt;small-subgroup cost&lt;/td&gt;
&lt;td&gt;No: twist-secure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Invalid-curve shadow [@biehl-meyer-muller-2000]&lt;/td&gt;
&lt;td&gt;$b$-independent arithmetic plus weak shadow&lt;/td&gt;
&lt;td&gt;small subgroups on a shadow curve&lt;/td&gt;
&lt;td&gt;small-subgroup cost&lt;/td&gt;
&lt;td&gt;No: twist-secure and validated&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Weil descent / GHS [@ghs-2002]&lt;/td&gt;
&lt;td&gt;composite-degree binary field&lt;/td&gt;
&lt;td&gt;index calculus on a higher-genus curve&lt;/td&gt;
&lt;td&gt;sub-exponential&lt;/td&gt;
&lt;td&gt;No: prime field&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NFS-DL [@gordon-1993]&lt;/td&gt;
&lt;td&gt;a factor base (multiplicative smoothness)&lt;/td&gt;
&lt;td&gt;linear algebra on smooth relations&lt;/td&gt;
&lt;td&gt;$L_p[1/3,, 1.923]$&lt;/td&gt;
&lt;td&gt;No: a curve has no factor base&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Small-char quasi-poly [@kleinjung-wesolowski-2019]&lt;/td&gt;
&lt;td&gt;small, fixed characteristic&lt;/td&gt;
&lt;td&gt;function-field descent&lt;/td&gt;
&lt;td&gt;quasi-polynomial&lt;/td&gt;
&lt;td&gt;No: prime field&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Shor [@shor-1997]&lt;/td&gt;
&lt;td&gt;none (changes the machine)&lt;/td&gt;
&lt;td&gt;quantum period-finding&lt;/td&gt;
&lt;td&gt;polynomial in $\log \ell$&lt;/td&gt;
&lt;td&gt;Yes, but needs a quantum computer&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Read the &quot;group property it needs&quot; column from top to bottom. Every classical attack that beats square-root time names a &lt;em&gt;specific&lt;/em&gt; structural precondition -- a smooth order, trace one, low embedding degree, a smooth twist, $b$-independent arithmetic, a composite extension field, a factor base, small characteristic. The only two rows needing &lt;em&gt;no&lt;/em&gt; structure are Pollard rho, which &lt;em&gt;is&lt;/em&gt; the square-root floor, and Shor, which leaves the classical world entirely. Not one classical row is a faster generic logarithm. That is the thesis, rendered as a table.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The same pattern shows up in what a working engineer actually chooses between. Line up the deployed groups and the story is not &quot;big keys versus small keys&quot; -- it is &quot;which structural weakness is present.&quot;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Group&lt;/th&gt;
&lt;th&gt;Advertised security&lt;/th&gt;
&lt;th&gt;Public-key size&lt;/th&gt;
&lt;th&gt;Best known classical attack&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;FFDH-1024 (shared prime)&lt;/td&gt;
&lt;td&gt;about 80-bit, broken in practice&lt;/td&gt;
&lt;td&gt;1024-bit&lt;/td&gt;
&lt;td&gt;NFS-DL plus shared-prime precomputation [@logjam-adrian-2015]&lt;/td&gt;
&lt;td&gt;Deprecated, nation-state target&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FFDH-2048 / 3072 (shared or unique)&lt;/td&gt;
&lt;td&gt;about 112 / 128-bit&lt;/td&gt;
&lt;td&gt;2048 / 3072-bit&lt;/td&gt;
&lt;td&gt;NFS-DL, but precomputation is infeasible at this size&lt;/td&gt;
&lt;td&gt;Acceptable if unavoidable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-256&lt;/td&gt;
&lt;td&gt;about 128-bit ($2^{127.8}$ rho)&lt;/td&gt;
&lt;td&gt;256-bit&lt;/td&gt;
&lt;td&gt;Pollard rho, generic [@safecurves]&lt;/td&gt;
&lt;td&gt;Active, FIPS&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Curve25519 / X25519&lt;/td&gt;
&lt;td&gt;about 128-bit ($2^{125.8}$ rho)&lt;/td&gt;
&lt;td&gt;256-bit&lt;/td&gt;
&lt;td&gt;Pollard rho, generic [@safecurves]&lt;/td&gt;
&lt;td&gt;Active, twist-secure and rigid&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The two 256-bit curves and the 3072-bit prime all deliver about 128-bit security -- the curves with an eighth of the key length -- because a clean curve denies the sieve its factor base. And the two finite-field rows differ not by size alone but by &lt;em&gt;sharing&lt;/em&gt;: the 1024-bit row is a target because its prime is common and precomputed, not merely because it is 1024 bits.&lt;/p&gt;
&lt;p&gt;The table has one uncomfortable empty space. Every row is a break that needs structure, and a clean group has none of those structures. But is there a &lt;em&gt;proof&lt;/em&gt; that a structure-free group is actually safe -- or have we simply never found the crack? To answer honestly, we have to admit what the entire edifice rests on.&lt;/p&gt;
&lt;h2&gt;10. Theoretical Limits: Is the Log Itself Ever the Weak Part?&lt;/h2&gt;
&lt;p&gt;Here is the admission the whole subject rests on, and it is more unsettling than most textbooks let on: &lt;strong&gt;nobody has proved the discrete log is hard.&lt;/strong&gt; Not for $\mathbb{F}_p^*$, not for a clean elliptic curve, not for any group that carries real traffic. The security of a large fraction of the internet rests on a problem no one can prove is difficult.&lt;/p&gt;
&lt;p&gt;The only proven wall is Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound from Section 3 [@shoup-1997] -- and its scope is precisely the catch. It holds &lt;em&gt;in the generic-group model&lt;/em&gt;, where the algorithm may not read anything from the encoding of group elements. It is a statement about structure-blind algorithms, not about the discrete log as such.&lt;/p&gt;
&lt;p&gt;This is exactly why index calculus is not a paradox. The Number Field Sieve beats Shoup&apos;s $\sqrt{\ell}$ floor for $\mathbb{F}_p^&lt;em&gt;$ not because the proof is wrong but because $\mathbb{F}_p^&lt;/em&gt;$ is &lt;em&gt;not a generic group&lt;/em&gt;: its elements are integers, the algorithm reads their factorizations, and the generic model&apos;s central assumption simply does not apply. Every faster attack in this article is another group that leaves the generic model through some door of its own. The matching bound of Section 3 is real, and it is real only inside a model that structured groups escape.&lt;/p&gt;

The gap has two values, and keeping them straight is the difference between understanding this subject and sloganeering about it. *In the generic-group model* the question is CLOSED: Pollard rho&apos;s $O(\sqrt{\ell})$ upper bound meets Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound at $\Theta(\sqrt{\ell})$, a rare matching pair. *Unconditionally* it is WIDE OPEN: there is no proof the discrete log is hard at all. The space between the generic wall and reality is exactly what index calculus and the curve transfers exploit. And there is a structural reason a hardness proof is out of reach: the DLP lies in $\mathrm{NP} \cap \mathrm{coNP}$ -- given the factorization of the group order, both a claimed logarithm and its absence are efficiently checkable -- so it is *not expected* to be NP-complete, since an NP-complete problem in $\mathrm{NP} \cap \mathrm{coNP}$ would collapse $\mathrm{NP} = \mathrm{coNP}$ [@galbraith-2012] [@hac-1996]. Proving the discrete log hard would be a complexity-theory landmark far beyond anything currently in reach. That is why &quot;only Shor breaks a clean group&quot; must always be read &quot;as far as is known.&quot;
&lt;p&gt;The sharpest open question sits one level down, and it is the one that keeps elliptic-curve cryptographers honest: does a sub-exponential, index-calculus-style algorithm exist for the ECDLP over a &lt;em&gt;prime&lt;/em&gt; field? If it did, it would do to elliptic curves what the Number Field Sieve did to finite-field Diffie-Hellman -- collapse the square-root advantage that justifies 256-bit keys.&lt;/p&gt;
&lt;p&gt;This is the correct home for Semaev&apos;s &lt;em&gt;summation polynomials&lt;/em&gt; and the related Gröbner-basis point-decomposition program, from 2004 onward [@semaev-2004] -- a genuine attempt to build an ECDLP index calculus. It must not be confused with the 1998-99 anomalous-curve transfer of Section 4, which is a different mechanism entirely. Over prime fields the summation-polynomial approach remains &lt;em&gt;exponential&lt;/em&gt;: it is the live frontier, not a solved attack.&lt;/p&gt;
&lt;p&gt;So, classically and as far as anyone knows, a clean group leaves the square-root floor standing. There is no known sub-exponential attack on a well-chosen prime-field curve, and the conjecture that none exists is exactly that -- a conjecture, the working hypothesis behind every ECC key-size recommendation.&lt;/p&gt;
&lt;p&gt;Even the improvements that do exist stay on their side of the line. The extended Tower Number Field Sieve of Kim and Barbulescu sharpens the &lt;em&gt;constants&lt;/em&gt; for medium- and non-prime-characteristic fields, but it does not move the $1/3$ exponent for prime fields [@kim-barbulescu-2016]. Prime-field discrete logs have been stuck at $L_p[1/3]$ since Gordon in 1993.&lt;/p&gt;
&lt;p&gt;If the log&apos;s classical hardness is unproven yet unbroken on a clean group, then the only &lt;em&gt;known&lt;/em&gt; way to break such a group is not a cleverer algorithm in the same world. It is to change worlds -- to a machine that computes on a fundamentally different substrate.&lt;/p&gt;
&lt;h2&gt;11. The Third Road: Shor, and Why a Clean Group Leaves Only Quantum&lt;/h2&gt;
&lt;p&gt;Strip a group of every exploitable structure and the classical attacker is back at Pollard&apos;s 1978 random walk, hitting the square-root wall with no crack to exploit. The one thing left that beats that wall does not compute a cleverer logarithm. It runs on a different machine.&lt;/p&gt;
&lt;p&gt;In 1994, Peter Shor showed that a quantum computer could solve both integer factoring and the discrete log in polynomial time [@shor-1997]. The discrete-log algorithm does not attack the group&apos;s structure the way index calculus does. It rewrites the problem into a shape a quantum computer is uniquely good at.Framed abstractly, Shor&apos;s discrete-log routine solves a &lt;em&gt;hidden subgroup problem&lt;/em&gt;: the secret $x$ hides a subgroup of $\mathbb{Z}&lt;em&gt;\ell \times \mathbb{Z}&lt;/em&gt;\ell$ generated by $(x, 1)$, and the quantum Fourier transform is the tool that exposes it [@childs-vandam-2010]. The abelian hidden-subgroup problem is the common engine behind Shor&apos;s factoring and discrete-log algorithms alike.&lt;/p&gt;

Shor&apos;s move is to recast the discrete log as *period-finding*. From the target one builds a function whose period encodes the secret exponent $x$. A classical machine cannot see that period without effectively searching for it, but a quantum machine can evaluate the function over a superposition of inputs and apply the quantum Fourier transform, which concentrates measurement probability on the period. Each measurement then returns a pair $(\alpha, \beta)$ obeying a linear relation $\alpha x + \beta \equiv 0 \pmod{\ell}$, and a few such relations pin down $x$ by classical linear algebra mod $\ell$ -- not the continued-fractions step that finishes Shor&apos;s *factoring* routine.

flowchart TD
    A[Target: Q equals x times P on a clean curve] --&amp;gt; B[Build a function periodic in the unknown x]
    B --&amp;gt; C[Evaluate it over a superposition on the quantum register]
    C --&amp;gt; D[Quantum Fourier transform makes the period observable]
    D --&amp;gt; E[Measure: each shot yields a linear relation in x, mod l]
    E --&amp;gt; F[Solve the linear congruences for the discrete log x, polynomial in log of the order]
&lt;p&gt;The consequence is the one classical cryptanalysis can never deliver: the cost is &lt;em&gt;polynomial in $\log \ell$&lt;/em&gt;, so &lt;strong&gt;key size is no defense.&lt;/strong&gt; Doubling the curve size barely moves Shor&apos;s cost. And it needs none of the structural preconditions from the table in Section 9 -- no trace one, no small embedding degree, no smooth twist, no factor base. It breaks a &lt;em&gt;correct key on a flawless group&lt;/em&gt;. Shor is the empty cell filled in: the only known attack that does not require the group to be badly chosen.&lt;/p&gt;
&lt;p&gt;Crucially, the progress since 1994 has been &lt;em&gt;algorithmic&lt;/em&gt;, not hardware. The first ECDLP-specific quantum circuit came from Proos and Zalka in 2003, who made a structural observation that still holds: elliptic curves are an &lt;em&gt;easier&lt;/em&gt; quantum target than equal-security &lt;a href=&quot;https://paragmali.com/blog/how-rsa-would-break-why-factoring-is-the-slow-path-and-coppe/&quot; rel=&quot;noopener&quot;&gt;RSA&lt;/a&gt; [@proos-zalka-2003].&lt;/p&gt;
&lt;p&gt;The modern resource estimate, from Roetteler, Naehrig, Svore, and Lauter in 2017, is concrete: a 256-bit ECDLP needs about 2,330 logical qubits -- following their count of $9n + 2\lceil\log_2 n\rceil + 10$, which for $n = 256$ gives $2304 + 16 + 10 = 2330$ -- and on the order of $1.3 \times 10^{11}$ Toffoli gates, versus roughly 6,146 logical qubits for RSA-3072 [@roetteler-2017]. The curve&apos;s small keys, its great classical advantage, make it the &lt;em&gt;cheaper&lt;/em&gt; thing to break once a quantum computer exists.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Shor is structural mathematics against an asymmetric primitive: it breaks the discrete-log problem itself, in polynomial time, on a flawless group -- squarely the subject of this article. Grover&apos;s algorithm is a different animal: a generic square-root speedup for unstructured search that halves the effective key length of &lt;em&gt;symmetric&lt;/em&gt; ciphers and hashes. It is not a structural break of the discrete log, and simply doubling a symmetric key neutralizes it. Grover is named here only to be set aside.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two honest boundaries close this section. First, no cryptographically-relevant quantum computer exists today, and this article asserts &lt;em&gt;no timeline&lt;/em&gt; for when, or whether, one will. The resource estimates set a migration clock, not a countdown. Second, the genuine successor to discrete-log cryptography is &lt;em&gt;post-quantum cryptography&lt;/em&gt; -- schemes built on entirely &lt;em&gt;different&lt;/em&gt; hard problems such as lattices, error-correcting codes, and hash functions. That is a separate research program, out of scope here, and its independence is the point: it is not a faster discrete log but a different foundation.&lt;/p&gt;
&lt;p&gt;That post-quantum cryptography is a genuinely different problem, not a continuation of the discrete-log genealogy, is underscored by how young and unsettled it still is: several proposed post-quantum schemes have themselves been broken during standardization -- the SIDH/SIKE isogeny key-exchange scheme fell to an efficient classical key-recovery attack [@castryck-decru-2022], and the Rainbow signature finalist was broken on a laptop in a single weekend [@beullens-2022] -- which would be impossible if they were merely the discrete log in disguise. Different problems fail in different ways.&lt;/p&gt;
&lt;p&gt;So the mathematics is settled enough to act on. Choose a group with no weak part, and the classical attacker is stranded at the square-root floor; the only remaining break is one you cannot out-size, and the response to it is migration, not a bigger key. That leaves one practical question: how do you actually choose a group with no weak part? Every criterion is a scar from an attack in this article.&lt;/p&gt;
&lt;h2&gt;12. Choosing a Group With No Weak Part&lt;/h2&gt;
&lt;p&gt;Every line on a curve-selection checklist is a scar from a specific attack in this article. Read the checklist not as arbitrary hygiene but as a map of defeated enemies -- each criterion exists because someone, somewhere, lost a key to the attack it blocks.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Criterion&lt;/th&gt;
&lt;th&gt;Attack it defeats&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Large prime subgroup order&lt;/td&gt;
&lt;td&gt;Pohlig-Hellman [@pohlig-hellman-1978]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Small cofactor&lt;/td&gt;
&lt;td&gt;small-subgroup leakage&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Trace not one, so $#E \neq p$&lt;/td&gt;
&lt;td&gt;anomalous / SSSA transfer [@smart-1999]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Large embedding degree&lt;/td&gt;
&lt;td&gt;MOV / Frey-Ruck [@mov-1993]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Twist-security (curve and twist near-prime order)&lt;/td&gt;
&lt;td&gt;twist confinement; in a single-coordinate ladder it also confines an off-curve input to the secure twist. The full-coordinate invalid-curve shadow needs input-point validation instead, an implementation check handed to the sibling [@safecurves] [@biehl-meyer-muller-2000]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Prime field, no small characteristic, no composite extension&lt;/td&gt;
&lt;td&gt;Weil descent / GHS [@ghs-2002], small-char quasi-poly [@kleinjung-wesolowski-2019]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Rigidity (fully explained, manipulation-resistant parameters)&lt;/td&gt;
&lt;td&gt;hidden-structure and backdoor suspicion [@bernstein-curve25519-2006]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Two of these checks are easy enough to run on a toy example, which makes the abstract concrete: a curve is anomalous exactly when its point count equals the field prime, and it has a dangerous embedding degree exactly when the subgroup order divides $p^k - 1$ for some small $k$.&lt;/p&gt;
&lt;p&gt;{`
def embedding_degree(l, p, bound=200):
    # least k with l dividing p^k - 1; small k means a MOV / Frey-Ruck door
    r = p % l
    for k in range(1, bound + 1):
        if r == 1:
            return k
        r = (r * p) % l
    return None  # beyond the search bound: safely large&lt;/p&gt;
&lt;p&gt;def score(p, n, l):
    flags = []
    if n == p:
        flags.append(&quot;ANOMALOUS: #E equals p, trace one -&amp;gt; polynomial-time SSSA transfer&quot;)
    if n % l == 0:
        k = embedding_degree(l, p)
        if k is not None and k &amp;lt;= 6:
            flags.append(&quot;LOW EMBEDDING DEGREE k=&quot; + str(k) + &quot; -&amp;gt; MOV / Frey-Ruck transfer&quot;)
        if n // l &amp;gt; 8:
            flags.append(&quot;LARGE COFACTOR &quot; + str(n // l) + &quot; -&amp;gt; small-subgroup leakage&quot;)
    else:
        flags.append(&quot;subgroup order does not divide the point count (bad parameters)&quot;)
    return flags or [&quot;no structural red flag on these two checks&quot;]&lt;/p&gt;
&lt;p&gt;print(&quot;anomalous toy (p = n = 23):&quot;, score(23, 23, 23))
print(&quot;low-k toy (p=23, points=24, order=3):&quot;, score(23, 24, 3))
print(&quot;clean toy (p=101, points=order=83):&quot;, score(101, 83, 83))
`}&lt;/p&gt;
&lt;h3&gt;The decision, in one flow&lt;/h3&gt;

flowchart TD
    A{&quot;What are you building?&quot;} --&amp;gt;|New system, free choice| B[X25519 for key exchange, Ed25519 for signatures]
    A --&amp;gt;|FIPS-constrained| C[NIST P-256]
    A --&amp;gt;|Finite-field DH is forced| D[A standard RFC 7919 group of at least 2048 bits, never a shared 1024-bit prime]
    B --&amp;gt; E[Verify large prime order, small cofactor, trace not one, large embedding degree, twist-secure, rigid]
    C --&amp;gt; E
    D --&amp;gt; F[Plan a post-quantum or hybrid migration for the Shor horizon]
    E --&amp;gt; F
&lt;p&gt;For a new system with a free hand, use X25519 for key exchange and Ed25519 for signatures [@rfc7748] [@rfc8032]: they are twist-secure and rigid by construction, and they close every classical door in the table above. Where a standard mandates the NIST curves, &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;P-256&lt;/a&gt; is a sound choice with the same generic-floor security [@nist-sp800-186]. If finite-field Diffie-Hellman is genuinely unavoidable, use a standard RFC 7919 group of at least 2048 bits -- its shared named groups are safe at this size because the sieve precomputation is infeasible -- or a dedicated unique prime; never a shared or legacy 1024-bit prime, whose danger was the entire lesson of Logjam [@rfc7919].&lt;/p&gt;
&lt;p&gt;And across the board, avoid the families this article condemned: anomalous curves, low-embedding-degree curves, small-characteristic fields, and the binary and Koblitz curves that NIST now deprecates and FIPS 186-5 removes [@nist-sp800-186].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For roughly 128-bit security you can carry a 256-bit elliptic-curve key or a 3072-bit finite-field prime -- an eighth of the size for the same strength, with the gap widening at higher security levels. That is not a small optimization; it is why elliptic curves dominate new deployments. Unless a specific standard forces finite-field Diffie-Hellman, prefer X25519 and Ed25519 for smaller keys and faster, twist-secure operations [@safecurves] [@rfc7748].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One caveat belongs to the sibling article, not this one: choosing a strong group is necessary but not sufficient. A flawless curve still fails if the software forgets to validate an input point, reuses a nonce, or leaks timing -- the implementation failures catalogued in &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life.&quot; This article guarantees only that the &lt;em&gt;mathematics&lt;/em&gt; of a well-chosen group offers no purchase. The code still has to hold up its end.&lt;/p&gt;
&lt;p&gt;That covers what to do. The questions careful engineers keep asking -- and the misconceptions that trip up even good ones -- deserve direct answers.&lt;/p&gt;
&lt;h2&gt;13. Frequently Asked Questions&lt;/h2&gt;

No -- it gives about 128-bit security. Because Pollard rho solves the discrete log in roughly the square root of the group order, a 256-bit curve is a $2^{128}$ target, not a $2^{256}$ one. SafeCurves lists NIST P-256 at about $2^{127.8}$ and Curve25519 at about $2^{125.8}$ operations [@safecurves]. The bit length of the key is double the security level, not equal to it.

Only for two of the problems. A bigger key raises the generic square-root floor, and a larger, unique prime defeats undersized or shared finite-field Diffie-Hellman. But a *structural* break ignores key size entirely: an anomalous curve falls in polynomial time regardless of its bit length [@smart-1999], a shared precomputed prime falls no matter how fresh the ephemeral [@logjam-adrian-2015], and Shor is polynomial in the log of the order, so doubling the curve barely moves its cost [@shor-1997]. Against structure, size is no defense.

No. On a well-chosen group it is, as far as anyone knows, as hard as it can be -- the best generic attack is Pollard rho, and Shoup proved no generic algorithm does better [@shoup-1997]. Every real break in the literature exploited a structural property of a *chosen* group, not the logarithm itself. The honest caveat is that elliptic-curve discrete-log hardness is *unproven*: no one can prove it is hard, only observe that no one has broken a clean curve.

Because $\mathbb{F}_p^*$ has a factor base and a clean curve does not. The multiplicative group&apos;s elements are integers you can factor, which is exactly what the sub-exponential Number Field Sieve needs [@gordon-1993]. A well-chosen elliptic curve has no notion of a &quot;smooth&quot; point, so the sieve has nothing to grip, and the best attack stays at the square-root floor. The Logjam exposure came from that structural difference meeting a shared, undersized prime [@logjam-adrian-2015].

No. The expensive first stage of the Number Field Sieve depends only on the *prime*, not on any individual key, so it amortizes across every connection that shares that prime [@logjam-adrian-2015]. Freshness protects the ephemeral key; it does nothing about a shared group. A unique prime, not a fresh ephemeral, is what denies the attacker the precomputation.

Shor. It reduces the discrete log to quantum period-finding and solves it in polynomial time on a flawless group, which is a structural break and squarely in scope [@shor-1997]. Grover&apos;s algorithm is only a generic square-root speedup for unstructured search; it shortens *symmetric* keys and is neutralized by doubling them. Grover is not a structural break of the discrete log at all, and it is named here only to be set aside.

No. The only proven wall is Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound, and it holds only in the *generic-group* model -- index calculus beats it for $\mathbb{F}_p^*$ precisely because that group is not generic [@shoup-1997]. There is no unconditional hardness proof, and one is not expected soon: the discrete log sits in $\mathrm{NP} \cap \mathrm{coNP}$, so it is believed not to be NP-complete, which puts a hardness proof far beyond current complexity theory [@galbraith-2012]. &quot;Only Shor breaks a clean group&quot; always carries the silent rider &quot;as far as is known.&quot;
&lt;h2&gt;The Log Was Never the Weak Part&lt;/h2&gt;
&lt;p&gt;Return to the four groups from the opening. NIST P-256 and Curve25519 stand at about $2^{128}$ because they have large prime order, trace not one, large embedding degree, twist-security, and rigid parameters -- every structural door bolted shut, leaving only the square-root floor.&lt;/p&gt;
&lt;p&gt;The third 256-bit curve dies in polynomial time for one reason: its trace is one, so its log transfers into simple addition. And the 1024-bit finite-field group is a nation-state target because its group is inherently factorable and its prime was shared and precomputed. Four groups, the same discrete logarithm, three different fates -- and in every case the deciding variable was the group.&lt;/p&gt;

Same discrete log, radically different fates. The variable was never the logarithm. It was the group.
&lt;p&gt;That is the pattern under all ten attacks. Pohlig-Hellman needs a smooth order. The anomalous transfer needs trace one. MOV and Frey-Ruck need a small embedding degree. Twist attacks need a smooth twist. Invalid-curve shadows need $b$-independent arithmetic. Weil descent needs a composite extension field. The Number Field Sieve needs a factor base. Logjam needs a shared prime. Small-characteristic descent needs a small characteristic. Every classical break is a receipt for a structural property of a &lt;em&gt;chosen&lt;/em&gt; group, and never once a faster generic logarithm.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Strip a group of every exploitable structure -- give it a large prime order, a small cofactor, trace not one, a large embedding degree, twist-security, rigidity, a prime field, no small characteristic, and a unique well-sized prime -- and the classical attacker is thrown all the way back to Pollard&apos;s 1978 random walk. The only thing left that beats it does not compute a cleverer logarithm; it changes the machine. The logarithm was never the weak part. The group always was.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Which is why the rational response has two halves. Choose a clean group -- the checklist in Section 12 is really a list of defeated attacks -- and begin preparing for the one break you cannot out-size, by planning the migration to &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;post-quantum primitives&lt;/a&gt; before a quantum computer forces the issue.&lt;/p&gt;
&lt;p&gt;For the failures that live in code rather than mathematics -- unvalidated points, repeated nonces, timing leaks, negotiated downgrades -- turn to the empirical sibling, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life.&quot; The mathematics here gives you a group with no weak part. The engineering there decides whether your system keeps it that way.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-discrete-log-would-break&quot; keyTerms={[
  { term: &quot;Discrete logarithm problem (DLP)&quot;, definition: &quot;Given g and h = g to the x in a cyclic group, recover the exponent x. The hardness assumption behind Diffie-Hellman, DSA, ECDH, ECDSA, and EdDSA.&quot; },
  { term: &quot;Generic group&quot;, definition: &quot;A group whose elements are opaque tokens with no readable structure; the setting in which the square-root floor is proven.&quot; },
  { term: &quot;Pollard rho&quot;, definition: &quot;A low-memory pseudo-random walk that solves the DLP in about 0.886 times the square root of the group order via a birthday collision.&quot; },
  { term: &quot;Pohlig-Hellman&quot;, definition: &quot;Reduction that shatters a smooth-order group into small prime-power subgroups, so security requires a large prime factor of the order.&quot; },
  { term: &quot;Trace of Frobenius&quot;, definition: &quot;The integer t with number of points equal to p plus 1 minus t; a curve is anomalous when t equals 1.&quot; },
  { term: &quot;Anomalous curve&quot;, definition: &quot;A curve with point count equal to p, whose discrete log transfers into the additive group of the field and falls in polynomial time (SSSA).&quot; },
  { term: &quot;Embedding degree&quot;, definition: &quot;The least k with the subgroup order dividing q to the k minus 1; a small k opens the MOV and Frey-Ruck pairing transfers.&quot; },
  { term: &quot;Quadratic twist and twist-security&quot;, definition: &quot;The sibling curve reached by off-curve x-coordinates; twist-security requires both curve and twist to have near-prime order.&quot; },
  { term: &quot;Index calculus&quot;, definition: &quot;A DLP attack using a factor base of small primes and smooth relations; it needs factorable elements, which a clean curve lacks.&quot; },
  { term: &quot;L-notation&quot;, definition: &quot;Sub-exponential cost measure L[alpha, c]; alpha equal to 1 is exponential, 0 is polynomial, and 1/3 is the Number Field Sieve regime.&quot; },
  { term: &quot;Number Field Sieve for discrete logs&quot;, definition: &quot;The sub-exponential attack on finite-field DLP at L[1/3]; its precomputation depends only on the prime, which Logjam exploits.&quot; },
  { term: &quot;Period-finding&quot;, definition: &quot;The quantum subroutine at the heart of Shor&apos;s algorithm; it recovers the discrete log in polynomial time on any clean group.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>cryptography</category><category>discrete-logarithm</category><category>elliptic-curves</category><category>diffie-hellman</category><category>cryptanalysis</category><category>quantum-computing</category><category>number-field-sieve</category><author>noreply@paragmali.com (Parag Mali)</author></item></channel></rss>