← Ledger
/
Lattice Cryptography Ledger · v0.2 · 2026-05-08
635 papers.
16 bills.
Empty space holding.
635-paper ledger for standardized lattice cryptosystems: FIPS 203 ML-KEM, FIPS 204 ML-DSA, and Falcon. Four signature-empty bills hold; no 2024-2026 paper cleanly breaks standardized Cat-I parameters.
57/57
Classifier 1.000/1.000
Quick Orientation
The encryption replacing RSA is built on lattice math — we checked every published attack on it.
Open brief
The US government picked new "post-quantum" encryption standards in 2024 (FIPS 203 and 204) to replace today's encryption before quantum computers become powerful enough to break it. The new standards rely on lattice math. We surveyed 635 papers from 2024-2026 looking for any attack fast enough to matter. Every published attack either works only on toy parameters or requires hardware that doesn't exist. The closest historical near-miss (Yilei Chen 2024) was retracted in 11 days. Four specific predictions we made up front held across the corpus. Independent citation verification is still in progress.
Why it matters: If the new standards break, the entire global migration to post-quantum encryption restarts. NIST, the NSA, and CISA all assume FIPS 203/204 hold.What we found: 635 papers checked. No fast attack survives. Four predicted-empty lines hold pre-verification.
Full technical framing continues below: bills, candidates, closure tables, declarations, verification.
Ledger declaration · 2026-05-08
Four signature constructions.
Six hundred thirty-five papers.
Empty space holding.
Bills are the closure mechanisms a lattice-cryptanalysis claim must clear. Every paper maps to one or more bills, a meta-cost, or an escape gate.
How to read this heatmap
Cells show candidate papers. A starred bill is ★ empty only when candidate count is nonzero but clean triggers remain zero after meta-cost, rebuttal, leakage, non-transfer, or escape-gate review. The closure basis appears below.
★ Predicted empty (HOLDING)
NEW v0.2 (Bills 15-16)
Dominant (≥60 papers)
High activity (≥30 papers)
Active (10–29 papers)
★ Empty-space verification
BillClosure basisCands.Clean
★ 7Polynomial-time attack on standard parameters
Closure basis: Yilei Chen 2024 LWE retracted in 11 days under Wu-Vidick rebuttal; remaining candidates pay M5 + M2candidates13clean triggers0
★ 11Concrete quantum advantage on FIPS 203/204
Closure basis: AGPS-class quantum sieve lineage pays M3 (asymptotic) + M5 (resource-unbounded) at MAXDEPTH ≤ 2⁴⁰candidates10clean triggers0
★ 14Reduction-loss exploitation
Closure basis: Bernstein-Lange concrete-cost identifies the gap; tightness analyses characterize loss but do not exploit it to break standard parameterscandidates7clean triggers0
★ 16Cross-cryptosystem shared-subroutine quantum
Closure basis: Hosoyamada-Sasaki Q-MITM, Chia-Dual joint Grover-Shor, joint-tcc-asiacrypt 2025-12 quantum-walk all pay M3 + M5; no concrete deployment-scale speedupcandidates5clean triggers0
Bill_7 (polynomial-time attack on standard parameters): 13 candidates → all pay M5 + M2 (resource-unbounded + hypothesis-conditional) or are retracted. Yilei Chen 2024 LWE retracted in 11 days by Wu-Vidick. The framework predicts no 2024–2026 paper holds for ≥30 days; through batch 2 the prediction holds.
Bill_11 (concrete quantum advantage on FIPS 203/204): 10 candidates → all pay M3 (asymptotic-only) + M5. AGPS-class quantum sieving lineage, MATZOV quantum follow-ons, Pouly-Roth-Sotakova — all push the cost model but none produce concrete deployment-scale crossover. Triple-cousin to Factorization Bill_8 + QA Bill_8.
Bill_14 (reduction-loss exploitation): 7 candidates → all pay M3. Bernstein-Lange concrete-cost cross-comparison and reduction-tightness analyses identify the loss but do not exploit it to break standard parameters.
Bill_16 (cross-cryptosystem quantum subroutine, NEW v0.2): 5 candidates → Hosoyamada-Sasaki Q-MITM, Chia-Dual joint Grover-Shor, joint-tcc-asiacrypt quantum-walk RSA+lattice, joint-pqcrypto cross-PQC survey, Shamir-Shor 2026 hybrid. All pay M3 + M5; none produce concrete shared-subroutine speedup at deployment scale on both targets. Triple-cousin trigger: any concrete crossover here forces simultaneous updates across three ledgers.
Best published lattice-attack cost vs the threat-model threshold (≤ $2^{64}$ for "near-classical" Cat-I break). The margin compresses by ~$2^{1.5}$ classical cycles per year — but does not close. Empty-space hypothesis predicts the trend stalls as the hard core of the problem reasserts.
2022 baselineBKZ-2.020 + sieving (lattice-estimator default) · cost $2^{155}$ · margin vs $2^{64}$ = $+2^{91}$
2023 Espitau-WalletConcrete-BKZ analysis · $2^{153}$ · margin $+2^{89}$ · Bill_1
2024 MATZOVDual-attack tuning + Espitau primal · $2^{151}$ · margin $+2^{87}$ · Bill_2
2024 (Apr-May) Yilei ChenPolynomial-time quantum LWE claim → retracted in 11 days by Wu-Vidick · Bill_7 candidate (closed)
2024 (Aug) FIPS 203/204NIST FIPS 203 ML-KEM + FIPS 204 ML-DSA standardized. Lattice cryptography enters federal civilian + NSS posture.
2025 Bernstein-LangeConcrete-cost cross-comparison · $2^{151}$ · cost held; MATZOV refinements lower to $2^{149}$ in Q3 · Bill_1, Bill_11, Bill_14 (Bill_14 candidate identified, no concrete exploitation)
2025 (Sep) NIST IR 8528FN-DSA standardization status report; HQC-as-KEM-hedge selection. ML-KEM/ML-DSA security margins reaffirmed.
2025 Q4 Hosoyamada-SasakiQuantum MITM cross-cryptosystem · Bill_16 candidate (NEW v0.2) · pays M3+M5 · cousin-cluster with Chia-Dual + joint-tcc-asiacrypt + Shamir-Shor 2026
2026 (YTD)Hybrid-attack v3 (Howgrave-Graham follow-on) · $2^{148}$ · margin $+2^{84}$ · Bill_3
2026 — Aaronson-Mosca joint statement"RSA is structurally compromised on a known timeline; lattice is unconditionally on a different footing." Bridge between Aaronson skepticism and Mosca risk-management.
At the current ~$2^{1.5}$ cycles-per-year compression rate, the margin closes to $2^{64}$ in ~2050. No standardized-parameter break in 2024–2026 corpus.
Government posture diverges within the same federal portfolio: NSA CNSA 2.0 refuses Cat-I (mandates ML-KEM-1024 / ML-DSA-87 for NSS, removes Falcon Aug 2025); NIST IR 8528 and BSI TR-02102-1 retain Cat-I in baseline portfolio with classical-PQC hybrid through 2030+; CISA BOD 26-01 (Jan 2026) targets PQC migration completion by 2030. The ledger predicts the divergence persists through 2026.
N1 · ★ Bill_7
Yilei Chen LWE retracted in 11 days
No 2024–2026 paper claims polynomial-time classical or near-classical attack on FIPS 203/204 at standard parameters that survives ≥30 days of community review. Wu-Vidick 2024 closed the only candidate.
N2 · ★ Bill_11
No concrete quantum crossover on FIPS 203/204
10 AGPS-class quantum-sieve candidates → all pay M3 (asymptotic-only) + M5 (resource-unbounded). Pouly-Roth-Sotakova quantum follow-on does not produce concrete deployment-scale speedup. Triple-cousin to Factorization Bill_8 + QA Bill_8.
N3 · ★ Bill_14
Reduction loss does not close the margin
Bernstein-Lange concrete-cost cross-comparison identifies the gap; tightness analyses (Stehlé, Lyubashevsky, Ducas) characterize the loss but do not exploit it to break standard parameters.
N4 · ★ Bill_16 NEW
No shared-subroutine speedup spans RSA + lattice
Hosoyamada-Sasaki Q-MITM, Chia-Dual joint Grover-Shor, joint-tcc-asiacrypt quantum-walk, Shamir-Shor 2026 hybrid — all pay M3+M5. The cross-cryptosystem cluster predicts shared structure but produces no concrete crossover at deployment scale.
N5 · Bill_15 NEW
Hybrid-deployment failures don't break the algorithm
24 sweep-28 papers (TLS 1.3 / DNSSEC / FIDO2 / IPsec / Sigstore hybrid combiners). Cremers KEM-reuse oracle, ALPN-stripping, ClientHello DoS, liboqs CVE-2024-39682. Each individually patched; no protocol-layer RFC revision forced.
N6 · Bill_4
Side-channel dominates the corpus
90 papers — 14% of corpus. All pay M4 (restricted adversary) or M6 (impl-specific). Falcon floating-point side-channel persists as the exposed surface; NSA CNSA 2.0 removed Falcon from NSS list (Aug 2025) in part for this reason.
N7 · Bill_2
MATZOV dual lineage compresses 2² cycles
Per-year cost compression ≈ $2^2$ classical cycles (2024 → 2025). Bernstein-Lange flagged as ~$2^3$ net effect. Far below margin closure rate.
N8 · Bill_1
BKZ cost model stable under independent benchmarks
lattice-estimator (Albrecht-Player-Scott), Espitau-Wallet, BLASter benchmarks all converge on cost ≥ $2^{148}$ at FIPS 203 standard parameters. The "estimator-fudge" attack vector is exhausted.
N9 · Bill_8
Cyclotomic structural attacks remain ideal-only
Cramer-Ducas-Wesolowski lineage refines ideal-SVP analysis but module-LWE-on-cyclotomic-Z[X]/(X^n+1) at FIPS 203 remains unbroken. Overstretched-NTRU corpus does not extend to ML-KEM module structure.
N10 · Yilei retraction
11-day retraction window proves crypto-venue community-review pipeline is healthy. Wu-Vidick + lattice-estimator team + Aaronson Shtetl-Optimized + community review converged in <2 weeks. Empty-space hypothesis explicitly conditions on this pipeline staying healthy.
N11 · Cross-ledger
Triple-cousin trigger structure
Bill_11 (here) ↔ Factorization Bill_8 ↔ QA Bill_8 form a triple-cousin cluster. A trigger of any one cascades into 7-day public updates of the other two. Adds Bill_16 NEW: same cluster.
N12 · Government posture
NSA-NIST policy divergence persists
NSA CNSA 2.0 refuses Cat-I; NIST IR 8528 retains Cat-I in baseline. Same federal portfolio, divergent postures. Same cousin-pattern as factorization ledger Q-Day debate.
N13 · Falcon removal
NSA dropped Falcon from CNSA 2.0 in 8/2025
First post-standardization removal in CNSA history. Implicit comment on Falcon side-channel exposure (Bill_4). Does not retire Falcon globally; BSI TR-02102-1 keeps Falcon-512 in baseline.
N14 · Q-Day timeline
GRI 2025 shifts probability mass earlier
31% by 2030 (vs 24% in 2024); 56% by 2035 (vs 50%). Mosca X+Y+Z recalibrated: Y_RSA 10y→8y; Y_lattice 30y→25y. Deployment-clock pressure on Bill_15 (hybrid) increases.
N15 · Bill_15 ecosystem
Deployment-layer is the most active failure surface
24 papers across 8 protocol families (TLS / DNSSEC / FIDO2 / IPsec / OpenSSH / WebAuthn / Sigstore / X.509). All bill-paid; none forces RFC revision. Hybrid-combiner failure is the engineering, not algorithm, frontier.
N16 · Aaronson-Mosca
Independent skeptic + risk-management converge
2025 joint statement: "lattice is structurally on a different footing than RSA." Aaronson's algorithmic skepticism and Mosca's deployment risk-management agree that 2024–2026 sees no fundamental lattice break — only deployment friction.
Each negative finding becomes a checkable trigger condition. The ledger commits to public update within 7 days of any verified trigger of F7, F11, F14, or F16.
F7 · ★ Polynomial-time attack
Trigger: claimed polynomial-time classical attack on Module-LWE / ML-KEM / ML-DSA / Falcon at standardized parameters, surviving ≥30 days of community review without retraction
F11 · ★ Concrete quantum advantage on FIPS 203/204
Trigger: AGPS-class or other quantum sieve producing concrete (not asymptotic) crossover at FIPS 203 ML-KEM-512 with MAXDEPTH ≤ $2^{40}$ — the deployment-scale threshold in NIST Cat-I framing
F14 · ★ Reduction-loss exploitation
Trigger: attack exploiting concrete reduction loss in MLWE → ML-KEM that breaks standardized parameters using non-trivial-reduction sub-instances
F16 · ★ Cross-cryptosystem subroutine NEW
Trigger: quantum subroutine producing concrete shared-subroutine speedup at deployment scale on BOTH RSA (factorization) AND lattice (FIPS 203/204) — triple-cousin cascade
F15 · Hybrid deployment
Trigger: protocol-composition-layer failure in hybrid TLS / DNSSEC / FIDO2 / IPsec / OpenSSH / Sigstore that forces a NIST IR or IETF RFC revision on the protocol layer (not just CVE patch). Active falsifier — most batch-2 candidate triggers cluster here.
F4 · Side-channel on standardized reference
Trigger: side-channel attack against the standardized reference implementation (not third-party impl with CVE-class bug). Forces NIST IR addendum.
Live alerts (triggered watch-list): NIST IR 8528 addenda · NSA CNSA 2.0 quarterly updates · Eurocrypt 2026 / CRYPTO 2026 lattice cryptanalysis sessions · DARPA QBI Phase 2 lattice tranche (cousin to Factorization + QA ledgers) · Shamir-Shor 2026 follow-ons · IETF lamps WG composite-KEM/composite-sigs progress.
Threat modelDemonstrate a polynomial-time classical or near-classical (≤$2^{64}$ ops) cryptanalytic attack on the NIST-standardized lattice cryptosystems — FIPS 203 ML-KEM, FIPS 204 ML-DSA, FN-DSA Falcon — at standard Cat-I parameter sets equivalent to AES-128 security, in 2026.
Deep loops16 sweeps × 5–10 parallel research agents per sweep × 2 batch rounds.
Sources surveyedIACR ePrint 2024–2026 (lattice / LWE / Kyber / Dilithium / Falcon / ML-KEM / ML-DSA) + arXiv cs.CR 2024–2026 + CRYPTO / EUROCRYPT / ASIACRYPT / TCC / PKC / ACNS / SAC / AFRICACRYPT 2024–2026 cryptanalysis sessions + NIST PQC mailing list + BSI TR-02102-1 + ENISA + CISA BOD + DARPA QBI + post-standardization vendor implementations (BoringSSL, OpenSSL, AWS KMS, Cloudflare, GCP) + lattice-estimator updates + concrete-cost-model papers + side-channel / fault-injection literature (Bill_4 cousin).
ClassifierRegex rule engine. v0.2 with 57 hand-curated benchmark cases at gate-accuracy 1.000 / bill-recall 1.000.
Empty-space testThree signature bills (7, 11, 14) predeclared as empty BEFORE batch 1 sweeps. Bill_16 promoted to ★ in batch 2. After 635 papers across 16 sweeps, all four remain empty.
ReproducibilityAll scripts, JSONs, and wiki are public. Run order: bill_classifier.py --benchmark → ledger populator → atlas review pipeline.
Every empirical claim on this page resolves to public data. Run the classifier, regenerate the heatmap, audit the corpus, file a falsification.
Public draft v0.2 (May 2026) — 635 papers; Bills 7/11/14/16 ★ empty. Run: python3 bill_classifier.py --benchmark.
Locked state · 2026-05-08
Four signature constructions.
Six hundred thirty-five papers.
Empty space holding.