# Lattice Cryptography Aiwiki — Bills Draft (v0.2)

> Status: post-batch-2 promotion. v0.1 → v0.2 changes:
> - **Promoted Bill_15** (Hybrid-deployment / PQ-protocol failure mode) — 24 sweep-28 papers form a structurally distinct cluster (TLS 1.3, DNSSEC, FIDO2, IPsec, Sigstore, KEM-reuse oracles, hybrid combiner stripping)
> - **Promoted Bill_16** (Cross-cryptosystem / shared-subroutine quantum cryptanalysis) — 5 sweep-31 papers form a cousin-cluster to Factorization Aiwiki Bill_8 and QA Aiwiki Bill_8; marked **★ predicted-empty**
> - **Added Meta-cost M7** (Hardware-thermodynamic / engineering-cost-floor only) — covers degenerate case where claim is FPGA/ASIC energy cost without algorithm-level cryptanalysis
>
> v0.3 lock condition: classifier benchmark passes 1.000/1.000 on ≥50 hand-curated cases across all 16 bills + 7 meta-costs + 3 escape gates.

## The sixteen bills

A "bill" is a closure mechanism that any cryptanalytic claim must engage. We name them by the structural primitive they invoke.

| # | Bill | What gets paid | Empty-space candidate |
|---:|---|---|:---:|
| 1 | **BKZ cost model** | Every concrete attack must specify BKZ block size β and cost in (rounds × β-vector enumeration cost). The bill is paid by either accepting BKZ-2.020 / Q-2018 / sieving cost models or proposing a tighter model that is independently verified. Lineage: lattice-estimator (Albrecht-Player-Scott), concrete-bkz (Espitau-Wallet), Q-Day cost models. | |
| 2 | **Dual attack tuning** | Every dual-lattice attack must engage the guess+sieve / primal-vs-dual tradeoff. Cost model parameters: g (number of guesses), φ (rerandomization), λ (sieve dimension). Lineage: Espitau-Joux-Schmidt, MATZOV, Pouly. | |
| 3 | **Hybrid attack** | Meet-in-the-middle + lattice attack tradeoff. Bill paid by proposing a tighter hybrid bound than current Howgrave-Graham / Buhler-Joux estimates at standard ML-KEM parameters. | |
| 4 | **Side-channel / fault injection** | Power analysis, EMA, timing, Rowhammer, fault attacks on specific implementations. Bill paid by demonstrating attack-on-target implementation; doesn't apply to algorithm-level security. | |
| 5 | **Implementation flaw** | Specific bug in reference implementation (e.g., Falcon Fpylll bug class). Bill paid by patch + CVE; the algorithm-level security holds. | |
| 6 | **Quantum sieve** | Quantum lattice sieving via Grover, quantum walks, or coset sampling. Cost model: quantum-vs-classical sieve under MAXDEPTH and gate-count constraints. Lineage: Laarhoven-Mariano-Mantz, Albrecht-Gheorghiu-Postlethwaite-Schanck. | |
| 7 | **★ Polynomial-time attack on standard parameters** | The signature target. Bill paid by demonstrating a polynomial-time attack on ML-KEM-512 / ML-DSA-44 / FN-DSA-512 at standardized parameters. ★ **Empty-space candidate** — predicted no 2024–2026 paper triggers this cleanly. Closest historic candidate: Yilei Chen 2024 LWE — retracted in 11 days. | ★ |
| 8 | **Cryptanalysis of structured variants** | Module-lattice / ideal-lattice structure exploitation (vs unstructured LWE). Bill paid by attacks specific to the algebraic structure of ML-KEM/ML-DSA/Falcon. | |
| 9 | **Decoding attack** | Attacks via decoding (HQC, BIKE-class). Bill paid for ML-KEM only via Module-LWE-to-decoding reduction; Falcon and Dilithium not directly decoding-attackable. | |
| 10 | **Approximate-CVP / BDD attack** | Bounded-distance decoding attacks. Bill paid for Module-LWE if BDD-radius < q/4 at standard parameters. | |
| 11 | **★ Concrete-quantum-advantage on FIPS 203/204** | Quantum attack producing concrete (not asymptotic) speedup on standardized lattice cryptosystems at deployment scale. ★ **Empty-space candidate** — predicted no 2024–2026 paper triggers cleanly. Cousin to Quantum Advantage Aiwiki Bill_8. | ★ |
| 12 | **Statistical / malleability attack** | Distinguishing attacks, malleability, ciphertext non-uniqueness, signature-malleability. | |
| 13 | **Reduction-tightness exploitation** | Concrete-vs-asymptotic gap in Module-LWE / Module-SIS reductions. Bill paid by exploiting reduction looseness to break security at smaller parameters than current. | |
| 14 | **★ Reduction-loss exploitation** | The signature target for theoretical attacks. Exploiting concrete reduction loss in Module-LWE → ML-KEM to break standard parameters using non-trivial-reduction sub-instances. ★ **Empty-space candidate** — predicted no 2024–2026 paper closes the security margin via reduction loss. | ★ |
| 15 | **Hybrid-deployment / PQ-protocol failure mode** *(NEW v0.2)* | Protocol-composition-layer failures in hybrid TLS 1.3, DNSSEC, FIDO2/CTAP, IPsec/IKEv2, OpenSSH PQ-KEX, X.509 composite signatures, Sigstore/code-signing. Bill paid by KEM-reuse oracles, hybrid combiner stripping, ALPN-downgrade, 0-RTT replay, ClientHello DoS amplification, PQ-fingerprinting, mass-deployment-rollout failure. Lineage: Cremers KEM-reuse, liboqs CVE-2024-39682, mbedTLS-PQ CVE-2025-0103, CECPQ2 post-mortem, Cloudflare/Firefox/Mozilla telemetry, RFC 9794, draft-ietf-lamps-pq-composite-{kem,sigs}. **Distinguished from Bill_4** (side-channel-on-impl), **Bill_5** (single-impl bug), **Bill_8** (algebraic-structure): Bill_15 is *protocol-composition-layer* — the hybrid construction or deployment stack fails, not the lattice primitive. | |
| 16 | **★ Cross-cryptosystem / shared-subroutine quantum cryptanalysis** *(NEW v0.2)* | Quantum subroutine that simultaneously threatens both **factorization** (RSA/ECC, the Factorization Aiwiki target) **and lattice** (FIPS 203/204, this aiwiki's target). Bill paid by: shared resource-profile speedup, joint Shor-Grover hybrids, quantum-walk subroutines spanning modular-GCD + closest-vector queries, quantum MITM cross-cryptosystem. ★ **Empty-space candidate** — predicted no 2024–2026 paper produces concrete shared-subroutine speedup at deployment scale on both targets. **Cousin to Factorization Aiwiki Bill_8** and **Quantum Advantage Aiwiki Bill_8**. Lineage candidates (none triggers cleanly): Hosoyamada-Sasaki 2025 Quantum-MITM, Chia-Dual 2025 joint Grover-Shor, joint-tcc-asiacrypt 2025-12 joint quantum-walk RSA+lattice, joint-pqcrypto 2025-11 cross-PQC survey, Shamir-Shor 2026 joint quantum-classical hybrid. | ★ |

★ = signature construction; empty-space hypothesis predicts no paper in 2024–2026 corpus triggers cleanly without paying meta-costs.

## Seven meta-costs (disqualifying conditions)

| # | Meta-cost | Description |
|---:|---|---|
| M1 | **Variant parameter set** | Attack only succeeds at non-standardized parameters (toy-LWE, mini-MLWE, Round 3 Kyber-512 vs FIPS 203 ML-KEM-512 — different) |
| M2 | **Hypothesis-conditional** | Conditional on Module-LWE hardness, sLWE hardness, ROM/QROM, or other unproven assumptions |
| M3 | **Asymptotic-only** | Speedup is in O() notation; no concrete crossover at standard parameters |
| M4 | **Restricted adversary model** | Side-channel adversary (M4-SC), fault adversary (M4-F), key-leakage (M4-KL), chosen-ciphertext-with-decryption-oracle (M4-CC) — attacks valid in a restricted model not corresponding to the standardized scheme's security model (IND-CCA / EUF-CMA) |
| M5 | **Resource-unbounded** | Quantum hardware assumes ideal qubits / unlimited coherence / unlimited depth — same as Factorization Aiwiki M5 |
| M6 | **Implementation-specific** | Attack is on a specific buggy implementation, not the standardized reference. Requires CVE-style patch. |
| M7 | **Hardware-thermodynamic / engineering-cost-floor only** *(NEW v0.2)* | Claim is purely about hardware energy/area cost (FPGA mass-signing, thermodynamic floor, GPU/ASIC silicon-area) without algorithm-level cryptanalysis. Algorithm-level security holds; the "cost" is engineering economics. Lineage: eprint:2025/1067 Falcon FPGA mass-signing energy floor. |

## Three escape gates (unchanged from Factorization / QA)

A paper that triggers no bill but also fits no meta-cost passes one of three escape gates:

1. **Theoretical-construction paper** — proves a reduction tightness, complexity bound, or estimator improvement without an attack claim
2. **Estimator / tooling paper** — releases a lattice-estimator, BKZ-cost, or Q-Day calculator; no attack claim
3. **Implementation / engineering paper** — TLS PQC integration, AWS KMS post-quantum migration, browser-side rollouts; no attack claim

## Empty-space census (★ predicted-empty bills)

Four bills are signature constructions — the empty-space hypothesis predicts no 2024–2026 paper triggers them cleanly without paying meta-costs.

| Bill | Cleanest historic candidate | Why it failed to trigger |
|---:|---|---|
| 7 — Polynomial-time attack on standard parameters | Yilei Chen 2024 LWE quantum-polytime claim | Retracted within 11 days under community review (Apr–May 2024). Even had it not been retracted, it would have paid M5 (resource-unbounded quantum) and possibly M2 (conditional). Confirms the framework: polynomial-time on standardized parameters is the hardest possible bill to pay. |
| 11 — Concrete-quantum-advantage on FIPS 203/204 | AGPS-style quantum sieve papers (Albrecht-Gheorghiu-Postlethwaite-Schanck lineage) | All trigger **Bill_6** (quantum sieve) but pay M3 (asymptotic-only) and M5 (resource-unbounded). No 2024–2026 paper produces concrete deployment-scale speedup on FIPS 203/204. |
| 14 — Reduction-loss exploitation closing security margin | Pouly-Roth-Sotakova 2024 dual-attack refinement, MATZOV 2024 | Trigger **Bill_2** (dual attack tuning) and pay M3 (asymptotic-only at FIPS 203 parameters). Reduction-loss-based break of standard parameters is theoretically open. |
| 16 — Cross-cryptosystem / shared-subroutine quantum cryptanalysis | Hosoyamada-Sasaki Q-MITM 2025, Chia-Dual joint Grover-Shor 2025, joint-tcc-asiacrypt joint-quantum-walk 2025-12 | All trigger **Bill_6** + **Bill_11** for the lattice side and **Factorization Bill_8** for the RSA side, but each pays M3+M5. None produce a concrete shared-subroutine speedup at deployment scale on both targets. Cross-aiwiki triple-cousin (Factorization Bill_8 ↔ QA Bill_8 ↔ this aiwiki Bill_16). |

## Iteration plan

- **Batch 1** ✅ (8 sweeps × ~50 papers, ~370 papers): Drafted v0.1 14-bill taxonomy. All 3 ★ predicted-empty bills HOLDING.
- **Batch 2** ✅ (8 targeted gap-fill sweeps, expanded to 635 unique papers): Promoted Bills 15-16 + Meta-cost M7. All 4 ★ predicted-empty bills HOLDING.
- **Batch 3** (this round): Classifier tuning + ≥50 hand-curated benchmark cases at 1.000/1.000 → lock taxonomy v1.0.
- **Batch 4** (if needed): Edge-case + falsifier protocol drafting (F1–F16).

## Comparison to factorization aiwiki bills (post-v0.2)

| Factorization (locked) | Lattice Crypto (v0.2) | Comment |
|---|---|---|
| Bill 1 — smoothness sieving (NFS) | Bill 1 — BKZ cost model | Both: dimension/threshold cost |
| Bill 4 — Coppersmith small-roots | Bill 8 — structured-variant cryptanalysis | Both: lattice/algebraic cost |
| Bill 6/7/8 — empty (signature) | Bills 7/11/14/16 — empty (signature) | This aiwiki has 4 ★ vs Factorization's 3 |
| 6 meta-costs | 7 meta-costs (added M7) | M7 = hardware-thermodynamic / engineering-cost-floor |
| 3 escape gates | 3 escape gates | Same structure |
| 13 bills total | 16 bills total | Bills 15-16 are deployment-layer + cross-aiwiki, structurally novel |

## Cross-aiwiki coupling (v0.2)

- **Factorization Aiwiki Bill_8** (cryptanalytic separation on RSA/ECC) ↔ **This aiwiki Bill_11** (concrete quantum advantage on FIPS 203/204) ↔ **This aiwiki Bill_16** (shared-subroutine quantum cryptanalysis) — **triple-cousin cluster**, all predict no concrete quantum cryptanalytic advantage at deployment scale
- **Quantum Advantage Aiwiki Bill_8** ↔ **This aiwiki Bill_11** ↔ **This aiwiki Bill_16** — same cross-aiwiki triple-cousin
- **Q-Day Trajectory panel** (factorization) ↔ **Security Margin Trajectory panel** (this aiwiki) — both feed into NIST IR 8528 / NSA CNSA 2.0
- **Bill_15** (hybrid-deployment failure mode) is *not* cross-aiwiki coupled — it's deployment-protocol-specific and lives entirely in this aiwiki

## v0.2 sample triggers (for classifier seed)

Each bill needs ≥3 triggering papers and ≥3 closing rebuttals for the classifier to learn the boundary.

| Bill | Sample paper | Verdict |
|---:|---|---|
| 1 | Espitau-Wallet 2024 concrete-BKZ | known_bill (Bill_1, no meta) |
| 4 | africacrypt:2024:cape-town-falcon-mbed | known_bill (Bill_4) + M4-SC + M6 |
| 6 | AGPS 2024 quantum sieve update | known_bill (Bill_6) + M3 + M5 |
| 7 | Yilei Chen 2024 LWE | candidate (Bill_7) + M5 + M2; **retracted** |
| 11 | Pouly-Roth-Sotakova 2024 dual quantum | candidate (Bill_11) + M3 + M5 |
| 14 | Bernstein-Lange 2024 reduction-loss | candidate (Bill_14) + M3 |
| **15** | eprint:2024/0937-followup KEM-reuse oracle | known_bill (Bill_15) |
| **15** | CVE-2024-39682 liboqs hybrid combiner | known_bill (Bill_15) + M6 |
| **15** | eprint:2024/1487 PQ-DNSSEC ML-DSA hybrid | known_bill (Bill_15) |
| **15** | RFC 9794 Hybrid PQC for IPsec/IKEv2 | escape_gate_3 (engineering paper) |
| **16** | preprint:hosoyamada:2025-06 Quantum-MITM cross-cryptosystem | candidate (Bill_16) + M3 + M5 |
| **16** | preprint:joint-tcc-asiacrypt:2025-12 quantum-walk RSA+lattice | candidate (Bill_16) + M3 + M5 |
| **16** | preprint:chia-dual:2025-08 joint Grover-Shor | candidate (Bill_16) + M3 + M5 |
| **M7** | eprint:2025/1067 Falcon FPGA hardware-thermo cost floor | escape_gate_3 + M7 |
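The seed table above fixes the label vocabulary the classifier has to learn: `known_bill` for the ordinary bills, `candidate` for the four ★ bills, meta-cost codes appended with ` + `, and `escape_gate_K` for a paper that triggers no bill (the M7 row shows that a meta-cost can accompany an escape-gate verdict). The Python below is an added example, not tooling from the aiwiki draft itself: it encodes that vocabulary, composes verdicts in the shape the table uses, and checks the seed rows against the "≥3 triggering papers per bill" requirement stated above (the rebuttal side is not in the table, so it is not checked). The paper labels are copied from the table; the `Sample` dataclass and the function names are assumptions of the example.

```python
"""Seed-table tooling for the v0.2 bills taxonomy (added example, not the draft's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ★ bills ("signature constructions", predicted empty). A paper engaging one of
# these is only ever a *candidate*, never a known_bill.
STAR_BILLS = frozenset({7, 11, 14, 16})
ALL_BILLS = frozenset(range(1, 17))

# Meta-cost codes, including the M4 sub-codes named in the meta-cost table.
META_COSTS = frozenset(
    {"M1", "M2", "M3", "M4-SC", "M4-F", "M4-KL", "M4-CC", "M5", "M6", "M7"}
)
ESCAPE_GATES = frozenset({1, 2, 3})


@dataclass(frozen=True)
class Sample:
    """One seed row (hypothetical schema; field names are this example's choice)."""
    paper: str
    bill: Optional[int] = None          # None = the paper triggers no bill
    metas: Tuple[str, ...] = ()          # meta-cost codes paid, in table order
    gate: Optional[int] = None           # escape gate, only meaningful when bill is None
    retracted: bool = False


def verdict(s: Sample) -> str:
    """Compose the verdict label in the shape used by the sample-triggers table."""
    unknown = set(s.metas) - META_COSTS
    if unknown:
        raise ValueError(f"unknown meta-cost code(s): {sorted(unknown)}")
    if s.bill is not None:
        if s.bill not in ALL_BILLS:
            raise ValueError(f"no such bill: {s.bill}")
        if s.gate is not None:
            raise ValueError("a paper that triggers a bill does not take an escape gate")
        kind = "candidate" if s.bill in STAR_BILLS else "known_bill"
        head = f"{kind} (Bill_{s.bill})"
    else:
        if s.gate not in ESCAPE_GATES:
            raise ValueError("a paper that triggers no bill must name escape gate 1, 2 or 3")
        head = f"escape_gate_{s.gate}"
    label = " + ".join([head, *s.metas])
    return label + "; retracted" if s.retracted else label


def trigger_counts(samples: List[Sample]) -> Dict[int, int]:
    """Seed papers per bill; escape-gate rows trigger nothing and are not counted."""
    counts = {b: 0 for b in ALL_BILLS}
    for s in samples:
        if s.bill is not None:
            counts[s.bill] += 1
    return counts


def under_seeded(samples: List[Sample], minimum: int = 3) -> List[int]:
    """Bills that still lack `minimum` triggering papers in the seed set."""
    return sorted(b for b, c in trigger_counts(samples).items() if c < minimum)


# Seed rows transcribed from the v0.2 sample-triggers table above.
SEED = [
    Sample("Espitau-Wallet 2024 concrete-BKZ", bill=1),
    Sample("africacrypt:2024:cape-town-falcon-mbed", bill=4, metas=("M4-SC", "M6")),
    Sample("AGPS 2024 quantum sieve update", bill=6, metas=("M3", "M5")),
    Sample("Yilei Chen 2024 LWE", bill=7, metas=("M5", "M2"), retracted=True),
    Sample("Pouly-Roth-Sotakova 2024 dual quantum", bill=11, metas=("M3", "M5")),
    Sample("Bernstein-Lange 2024 reduction-loss", bill=14, metas=("M3",)),
    Sample("eprint:2024/0937-followup KEM-reuse oracle", bill=15),
    Sample("CVE-2024-39682 liboqs hybrid combiner", bill=15, metas=("M6",)),
    Sample("eprint:2024/1487 PQ-DNSSEC ML-DSA hybrid", bill=15),
    Sample("RFC 9794 Hybrid PQC for IPsec/IKEv2", gate=3),
    Sample("preprint:hosoyamada:2025-06 Quantum-MITM cross-cryptosystem", bill=16, metas=("M3", "M5")),
    Sample("preprint:joint-tcc-asiacrypt:2025-12 quantum-walk RSA+lattice", bill=16, metas=("M3", "M5")),
    Sample("preprint:chia-dual:2025-08 joint Grover-Shor", bill=16, metas=("M3", "M5")),
    Sample("eprint:2025/1067 Falcon FPGA hardware-thermo cost floor", gate=3, metas=("M7",)),
]

if __name__ == "__main__":
    for s in SEED:
        print(f"{s.paper:<66} {verdict(s)}")
    print("bills with fewer than 3 triggering seed papers:", under_seeded(SEED))
```

Run against the table as transcribed, only Bills 15 and 16 meet the three-trigger floor; every other bill, including all of 2, 3, 5, 8, 9, 10, 12 and 13 with no seed row at all, is reported as under-seeded, which is the gap Batch 3's hand-curation has to fill.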
