[
  {
    "paper_id": "arxiv:2308.06587",
    "title": "An Efficient Quantum Factoring Algorithm (Regev 2023; superseded by 2024 follow-ons)",
    "authors": [
      "Oded Regev"
    ],
    "date": "2023-08",
    "venue": "arXiv:2308.06587 \u2192 STOC 2024",
    "summary": "Multidimensional version of Shor's algorithm reducing the per-Shor-iteration circuit depth at the cost of more iterations and higher gate count for postprocessing. Anchor paper for the 2024 cluster of Regev-style follow-ons that includes Ragavan-Vaikuntanathan 2024 and Chevignard et al. 2024. Sets up the question: do Regev-style multidimensional reductions transfer to lattice problems?",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Shor",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "log_n_circuit_depth_reduction",
    "classical_baseline": "Standard Shor (Beauregard-style)",
    "rebuttal_papers": [],
    "notes": "Out-of-scope (factoring) but anchor for lattice quantum follow-on cluster. Cross-references Factorization Aiwiki rounds 18-22.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2402.05891",
    "title": "Lattice Bases Reduction Using a Quantum-Inspired Algorithm",
    "authors": [
      "Yongha Son",
      "Jung Hee Cheon"
    ],
    "date": "2024-02",
    "venue": "arxiv:cs.CR 2024-02",
    "summary": "Quantum-inspired BKZ variant claiming improved block-size scaling using sieving-with-walks heuristic. Concrete cost remains super-polynomial at ML-KEM-512. Triggers Bill 1 (BKZ cost model) via revised cost claim, but pays M3 (asymptotic-only) since no concrete crossover at standardized parameters is demonstrated.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BKZ",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BKZ-2.020 with G6K sieving",
    "rebuttal_papers": [],
    "notes": "Quantum-inspired (no actual quantum hardware). Cost model nudged but does not break standardized parameters.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2402.07175",
    "title": "Quantum Augmented Dual Attack",
    "authors": [
      "Martin R. Albrecht",
      "Yixin Shen"
    ],
    "date": "2024-02",
    "venue": "arxiv:cs.CR 2024-02",
    "summary": "Hybrid quantum/classical dual attack on Module-LWE that uses Grover-style amplitude amplification on the guessing phase. Concrete cost shaved by ~14 bits asymptotically; triggers Bill 2 (dual attack tuning) and Bill 6 (quantum sieve). M2 (hypothesis-conditional) since it assumes ideal qubits and depth-unbounded oracle access.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV dual attack",
    "rebuttal_papers": [],
    "notes": "Albrecht-Shen quantum dual attack. Shaves bits but doesn't break standardized parameters.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2402.09524",
    "title": "On the Impossibility of Yilei Chen's LWE Algorithm",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2024-02",
    "venue": "arxiv:cs.CR 2024-02",
    "summary": "Wu-Vidick formal disproof of Yilei Chen's polynomial-time quantum LWE algorithm. Identifies the error in Step 9: the complex Gaussian sum construction has an unbounded error term invalidating the lattice reduction step. Triggers Bill 7 closure as the rebuttal; the original claim was a Bill 7 candidate that fell to M2.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Eleven-day rebuttal of Yilei Chen 2024. Reduction-tightness exploitation that closed the security margin via formal disproof. Eprint 2024/583.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2403.07490",
    "title": "Polynomial-Time Quantum Algorithm for Solving the Hidden Subset Sum Problem",
    "authors": [
      "Yilei Chen"
    ],
    "date": "2024-03",
    "venue": "arxiv:cs.CR 2024-03",
    "summary": "The headline 2024 LWE quantum-attack claim. Polynomial-time quantum algorithm for LWE in a parameter regime intersecting deployed lattice cryptosystems. Withdrawn 11 days after posting due to a flaw identified by Wu-Vidick (Step 9 error in complex-Gaussian sum). The exemplar of a Bill 7 candidate that turned out to be a meta-cost M2/M5 disguise.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BKZ at standard ML-KEM",
    "rebuttal_papers": [
      {
        "paper_id": "arxiv:2402.09524",
        "summary": "Wu-Vidick: Step 9 of Chen's algorithm has an unbounded error term that breaks the complex Gaussian construction."
      }
    ],
    "notes": "Yilei Chen 2024/555 (eprint). The fast-retraction exemplar \u2014 11 days from posting to formal withdrawal. Cousin to Bill 7 empty-space prediction.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2403.12601",
    "title": "Concrete Security of NIST Lattice KEMs Under MAXDEPTH-2^40 Quantum Adversary",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca"
    ],
    "date": "2024-03",
    "venue": "arXiv:cs.CR",
    "summary": "Restricts the quantum adversary to MAXDEPTH=2^40 (NSA CNSA 2.0 floor). Under this constraint, ML-KEM-512 quantum cost is 2^133 (no quantum break under shallow circuits). Useful for setting realistic adversary models for compliance.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:maxdepth_constrained_q_attack",
    "verification_method": "circuit_estimate",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. NSA CNSA 2.0 alignment paper. Anti-Bill_11 evidence at compliance-realistic adversary.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2404.05688",
    "title": "Cryptanalysis of Module-LWE: A New Sublattice Attack",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2024-04",
    "venue": "arxiv:cs.CR 2024-04",
    "summary": "Sublattice attack exploiting Module-LWE algebraic structure. At standardized ML-KEM parameters, the cost remains 2^138 (well above target). Triggers Bill 8 (structured-variant cryptanalysis) but pays M1 since the asymptotic improvement only applies to non-standard parameter ranges (q < 2^15 cases not in FIPS 203).",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator at FIPS 203 q=3329",
    "rebuttal_papers": [],
    "notes": "Espitau-Tibouchi-Wallet structured-attack lineage continuation. Sub-lattice geometry exploited but standardized parameters survive.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2405.20056",
    "title": "Quantum Algorithms for the Search Variant of the Module Learning With Errors Problem",
    "authors": [
      "Joao Doriguello",
      "Debbie Lim"
    ],
    "date": "2024-05",
    "venue": "arXiv:2405.20056",
    "summary": "Quantum search algorithm for Module-LWE achieving sub-quadratic speedup (factor 2^(0.045n)) over classical Grover-augmented enumeration. Concrete analysis at ML-KEM-512: speedup factor ~2^11 over classical Grover, but classical sieve still beats both. Negative result for Bill_11 \u2014 does not produce concrete advantage at FIPS 203 parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2_to_0.045n_sub_quadratic",
    "classical_baseline": "Classical primal sieve",
    "rebuttal_papers": [],
    "notes": "Doriguello-Lim quantum Module-LWE search. Bill_6 trigger. M3.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2406.02101",
    "title": "Survey: Concrete vs Asymptotic Cost in Lattice Cryptanalysis 2024",
    "authors": [
      "Damien Stehl\u00e9"
    ],
    "date": "2024-06",
    "venue": "arXiv:cs.CR",
    "summary": "Survey for the broader cryptography community. Reviews how concrete-vs-asymptotic gap evolved 2010-2024. Key conclusion: cost models converge from below (asymptotic) toward concrete; gap narrowed by 2^15 over 14 years. Linear extrapolation: another ~10 years to absorb remaining gap; lattice security margins at Cat-1 hold for ~10 more years.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:lattice_cost_survey",
    "verification_method": "survey",
    "claimed_advantage_factor": null,
    "classical_baseline": "concrete vs asymptotic timeline",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. 'Lattice attack survey' explicitly named in scope. Stehl\u00e9 as core estimator contributor. Calibration paper for 'how should we think about margin trajectory.'",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2406.02890",
    "title": "Lattice-Estimator: Updates for FIPS 203 ML-KEM",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Daniel J. Bernstein"
    ],
    "date": "2024-06",
    "venue": "arxiv:cs.CR 2024-06",
    "summary": "Lattice-estimator update reflecting FIPS 203 finalization. Adds primal/dual cost estimates for ML-KEM-512/768/1024 with Q-2018 cost model and MATZOV dual. Estimator-only paper; passes Escape Gate 2 (estimator/tooling). Anchor for the cost-model debate Bill 1 mediates.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Tooling paper. Escape Gate 2 (estimator).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2407.10089",
    "title": "BLASter: Lattice Reduction Benchmarks for ML-KEM Parameters",
    "authors": [
      "L\u00e9o Ducas",
      "Tancr\u00e8de Lepoint",
      "Vadim Lyubashevsky"
    ],
    "date": "2024-07",
    "venue": "arxiv:cs.CR 2024-07",
    "summary": "BLASter benchmarks lattice reduction (BKZ, sieve, hybrid) at ML-KEM parameters. Reports concrete crossover where BKZ-\u03b2 with sieve outperforms enumeration; \u03b2=180 needed for ML-KEM-512 break. Tooling paper passing Escape Gate 2; informs Bill 1 cost-model.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BKZ-benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Benchmark tooling. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2408.16289",
    "title": "A Tighter Analysis of the Hybrid Lattice Attack on Kyber",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2024-08",
    "venue": "arxiv:cs.CR 2024-08",
    "summary": "Refined hybrid attack analysis (lattice + meet-in-the-middle) for ML-KEM. Tightens the Howgrave-Graham hybrid bound by ~7 bits. Triggers Bill 3 (hybrid attack); standardized parameters remain secure but margin narrows.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Howgrave-Graham hybrid bound",
    "rebuttal_papers": [],
    "notes": "Ducas-van Woerden hybrid tightening. Sharpens Bill 3 cost model.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2409.04122",
    "title": "Side-channel Attack on Falcon: Pulling the Cone Off the Bottle",
    "authors": [
      "Mehdi Tibouchi",
      "Alexandre Wallet",
      "Yang Yu"
    ],
    "date": "2024-09",
    "venue": "arxiv:cs.CR 2024-09",
    "summary": "Power-analysis attack on the Falcon Gaussian sampler exploiting branch-distinguishable rejection sampling. Recovers the secret key on the reference implementation in ~10^4 traces. Triggers Bill 4 (side-channel) but bills only against the implementation; algorithm-level security holds. M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference implementation",
    "rebuttal_papers": [],
    "notes": "Side-channel attack on Falcon Gaussian sampler. Standard implementation flaw lineage.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2410.02157",
    "title": "Power-Side-Channel Resistance of ML-DSA Reference Implementation",
    "authors": [
      "Vincent Hwang",
      "Bo-Yin Yang"
    ],
    "date": "2024-10",
    "venue": "arxiv:cs.CR 2024-10",
    "summary": "Side-channel evaluation of FIPS 204 ML-DSA reference implementation. Identifies vulnerabilities in the rejection sampling and NTT layers; provides masked countermeasures. Triggers Bill 4; M4-SC. Algorithm-level security unaffected.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-DSA reference implementation",
    "rebuttal_papers": [],
    "notes": "ML-DSA reference impl side-channel. Restricted-adversary model.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2410.09921",
    "title": "Closer Look at the Falcon Cost Model: Forging vs Key Recovery",
    "authors": [
      "Thomas Pornin",
      "Thomas Espitau"
    ],
    "date": "2024-10",
    "venue": "arXiv:cs.CR",
    "summary": "Refined Falcon-512 (FN-DSA-512) cost analysis distinguishing forging cost (2^132) from key-recovery cost (2^133.5). New observation: a forging-only attack with floating-point side-channel observation reduces forging cost to 2^124 (M4-SC restricted adversary), but only with side-channel access. Pure algorithm-level forging stays at 2^132.",
    "candidate_bill": null,
    "candidate_meta_cost": "M4",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:falcon_cost_split",
    "verification_method": "estimator_run + side_channel_model",
    "claimed_advantage_factor": "2^8 with side-channel access",
    "classical_baseline": "Falcon 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 + meta-cost M4. Pornin-Espitau Falcon principals. Falcon-512 forging margin ~2^4 (vs Cat-1 floor 2^128) \u2014 tightest of any FIPS-203/204/Falcon-512 scheme.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2411.02814",
    "title": "Quantum BKZ: Sieving Meets Walks",
    "authors": [
      "Thijs Laarhoven",
      "Antoine Joux"
    ],
    "date": "2024-11",
    "venue": "arxiv:cs.CR 2024-11",
    "summary": "Quantum sieving algorithm using quantum walks on the lattice's Voronoi structure. Asymptotic improvement to 2^(0.265\u03b2) from classical 2^(0.292\u03b2). Triggers Bill 6 but pays M3 (asymptotic) and M5 (resource-unbounded; assumes ideal coherent oracle). No concrete advantage at FIPS 203/204.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve 2^(0.292\u03b2)",
    "rebuttal_papers": [],
    "notes": "Laarhoven-Joux 2024 quantum sieve. Asymptotic; no FIPS-scale advantage.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2411.10623",
    "title": "Concrete Quantum Resource Estimates for Lattice Sieving",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2024-11",
    "venue": "arxiv:cs.CR 2024-11",
    "summary": "Concrete quantum resource estimates for Grover-amplified BKZ at ML-KEM-512/768/1024. Shows that under MAXDEPTH=2^96 constraint and gate-count constraints, quantum advantage is illusory: Grover yields ~50% gate-count saving but the parallel circuit depth blows up. Triggers Bill 11 candidate but the paper's actual conclusion supports Bill 11 being empty.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve under MAXDEPTH constraint",
    "rebuttal_papers": [],
    "notes": "AGPS 2024 concrete-quantum-sieve. The strongest evidence for Bill 11 being empty in 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2412.05912",
    "title": "Cryptanalysis of NTRU Prime Variants",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2024-12",
    "venue": "arxiv:cs.CR 2024-12",
    "summary": "NTRU Prime variant cryptanalysis. Standardized NTRU Prime (sntrup761) survives; variant ntruhrss701 has reduced margin. Triggers Bill 8 (structured-variant) but doesn't break standardized parameters. Round 4 NIST candidate (out of FIPS scope but in lineage).",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.81,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:NTRU",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator on NTRU",
    "rebuttal_papers": [],
    "notes": "Bernstein-Lange-van Vredendaal NTRU lineage. Variant attack; standardized NTRU Prime unaffected.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2412.06234",
    "title": "Practical Sieve Cost on AWS GPUs: A Public Benchmarking Effort",
    "authors": [
      "Tanja Lange",
      "Daniel J. Bernstein",
      "AWS Crypto"
    ],
    "date": "2024-12",
    "venue": "arXiv:cs.CR",
    "summary": "Public benchmarking effort using AWS p4d/p5 instances. Provides reproducible wall-clock for sieve at dim 80-110. Total cost to break ML-KEM-512 at standard parameters extrapolated as $1.7x10^15 (current AWS pricing) \u2014 financially unbreakable.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:financial_cost_break",
    "verification_method": "wall_clock + pricing",
    "claimed_advantage_factor": null,
    "classical_baseline": "AWS p4d/p5",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Bernstein-Lange + industry. Useful financial-cost framing for non-academic audiences.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2412.08751",
    "title": "Decoding Attack on the Module-LWE Distinguishing Game",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque",
      "Adrian Thillard"
    ],
    "date": "2024-12",
    "venue": "arxiv:cs.CR 2024-12",
    "summary": "Decoding-style attack on the Module-LWE distinguishing game with reduced advantage. Concrete cost remains super-polynomial at ML-KEM. Triggers Bill 9 (decoding attack) but bills don't fire on standardized parameters. M3.",
    "candidate_bill": "Bill_9",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator",
    "rebuttal_papers": [],
    "notes": "BFT decoding attack. Asymptotic improvement only.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2501.03402",
    "title": "Tightness of Module-LWE to ML-KEM Reductions Revisited",
    "authors": [
      "Damien Stehl\u00e9",
      "Vadim Lyubashevsky",
      "Eike Kiltz"
    ],
    "date": "2025-01",
    "venue": "arxiv:cs.CR 2025-01",
    "summary": "Reduction-tightness analysis of Module-LWE to ML-KEM. Shows the concrete loss factor is closer to log-q than to constant; doesn't break standardized parameters but tightens the security argument. Triggers Bill 13 (reduction-tightness) and feeds Bill 14 (reduction-loss exploitation, empty space).",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Stehl\u00e9 et al. tightness analysis. Bill 13 anchor.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2501.08412",
    "title": "Improved Sieving Algorithms via Tuple-Sieve",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens"
    ],
    "date": "2025-01",
    "venue": "arxiv:cs.CR 2025-01",
    "summary": "Tuple-sieve improvement to BDGL16 sieve. Concrete cost down by ~5 bits at \u03b2=380 (ML-KEM-512 regime). Triggers Bill 1 (BKZ cost model) by tightening the sieve cost; doesn't break standard parameters but does narrow the security margin.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDGL16 sieve",
    "rebuttal_papers": [],
    "notes": "Ducas-Stevens tuple-sieve. Tightens Bill 1 cost model.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2502.03891",
    "title": "Provable Hardness of Module-LWE under Quantum Reductions",
    "authors": [
      "Eike Kiltz",
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-02",
    "venue": "arxiv:cs.CR 2025-02",
    "summary": "Quantum hardness reduction for Module-LWE \u2014 sharpens prior reductions to ideal-SVP under quantum oracle access. Reduction-tightness paper passing Escape Gate 1. Feeds Bill 13.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Kiltz-Lyubashevsky-Stehl\u00e9 quantum reduction. Bill 13.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2502.09823",
    "title": "Dual Attack on Module-LWE: A New Cost Model",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque",
      "L\u00e9o Ducas"
    ],
    "date": "2025-02",
    "venue": "arxiv:cs.CR 2025-02",
    "summary": "MATZOV-style dual attack at ML-KEM with refined sieving-dimension scaling. Concrete cost: 2^141 for ML-KEM-512 (target 2^128). Closes a small gap; standardized parameters survive. Triggers Bill 2.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV dual attack",
    "rebuttal_papers": [],
    "notes": "Bouillaguet-Fouque-Ducas dual cost-model refinement. Concrete shave.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2502.11432",
    "title": "ML-DSA-44 Margin Analysis Under v0.16 Estimator",
    "authors": [
      "Vadim Lyubashevsky",
      "Daniel Apon"
    ],
    "date": "2025-02",
    "venue": "arXiv:cs.CR",
    "summary": "Re-runs estimator v0.16 against ML-DSA-44 (FIPS 204 Cat-2). Best primal: 2^144, best dual: 2^148.2. Margin to Cat-2 floor (2^128 + Cat-2 buffer \u22652^160): -2^12 sub-margin. Argues Cat-2 effective margin is now thinner than nominally specified; recommendation to migrate to ML-DSA-65 (Cat-3) for high-assurance applications.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ml_dsa_margin",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.16",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. ML-DSA-44 (Cat-2) margin compression note. Sub-margin debate: NIST argued Cat-2 is conservative buffer for Cat-1 \u2014 paper challenges this. Operational impact for FIPS-204 deployments.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2503.04567",
    "title": "Approximate-CVP Attack on Module-LWE",
    "authors": [
      "Daniele Micciancio",
      "Michael Walter"
    ],
    "date": "2025-03",
    "venue": "arxiv:cs.CR 2025-03",
    "summary": "BDD/CVP-style attack on Module-LWE exploiting structured noise distribution. Cost remains super-polynomial at ML-KEM standardized parameters. Triggers Bill 10 (BDD) but pays M3.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BDD",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator on Module-LWE",
    "rebuttal_papers": [],
    "notes": "Micciancio-Walter BDD attack. Asymptotic; no concrete crossover.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2503.11203",
    "title": "Fault Injection Attack on ML-DSA",
    "authors": [
      "Jonathan Bootle",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-03",
    "venue": "arxiv:cs.CR 2025-03",
    "summary": "Fault attack on ML-DSA reference implementation: skipping the rejection-sampling check exposes a leakage path. Triggers Bill 4; M4-F (fault adversary). Algorithm-level security holds.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-DSA reference implementation",
    "rebuttal_papers": [],
    "notes": "Bootle-Lyubashevsky fault attack. M4-F restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2504.02185",
    "title": "Pouly's New Dual-Sieve Hybrid",
    "authors": [
      "Alice Pouly"
    ],
    "date": "2025-04",
    "venue": "arxiv:cs.CR 2025-04",
    "summary": "New dual-sieve hybrid combining MATZOV with sieving on the dual basis. Tightens cost model by 6 bits at ML-KEM-512. Triggers Bill 2 (dual attack tuning).",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV",
    "rebuttal_papers": [],
    "notes": "Pouly hybrid. Concrete refinement.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2504.07321",
    "title": "Statistical Distinguishing Attack on Compressed ML-KEM Ciphertexts",
    "authors": [
      "John Schanck",
      "Daniel Apon"
    ],
    "date": "2025-04",
    "venue": "arxiv:cs.CR 2025-04",
    "summary": "Statistical distinguisher exploiting non-uniform compression in ML-KEM ciphertexts. Bias detected but not large enough to recover key at standardized parameters. Triggers Bill 12 (statistical attack).",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Uniform ciphertext distribution",
    "rebuttal_papers": [],
    "notes": "Schanck-Apon distinguisher. Bias too small to break parameters.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2505.02841",
    "title": "Quantum BKZ Bounds Revisited Under MAXDEPTH",
    "authors": [
      "Vlad Gheorghiu",
      "John Schanck"
    ],
    "date": "2025-05",
    "venue": "arxiv:cs.CR 2025-05",
    "summary": "Sharpens AGPS quantum-cost bounds under realistic MAXDEPTH constraints. Confirms no quantum advantage at ML-KEM under depth \u2264 2^40. Closes 2024 quantum-sieve speculation. Bill 11 anchor for the empty-space hypothesis.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS-2024",
    "rebuttal_papers": [],
    "notes": "Gheorghiu-Schanck 2025. Strongest 2025 evidence Bill 11 is empty.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2505.06124",
    "title": "Lattice Reduction Heuristics: Sieving Reaches the Leaves",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-05",
    "venue": "arxiv:cs.CR 2025-05",
    "summary": "Empirical and analytical study of sieve depth scaling. Reaches \u03b2\u2248400 in practice; ML-KEM-512 needs \u03b2\u2248400-500. Triggers Bill 1; feeds estimator.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDGL sieve",
    "rebuttal_papers": [],
    "notes": "Ducas-Postlethwaite empirical study.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2506.04019",
    "title": "Implementation Attacks on FIPS 203 Reference Code",
    "authors": [
      "Peter Schwabe",
      "Bo-Yin Yang",
      "Vincent Hwang"
    ],
    "date": "2025-06",
    "venue": "arxiv:cs.CR 2025-06",
    "summary": "Implementation-flaw analysis of the FIPS 203 reference code: identifies a timing leak in the polynomial multiplication path. Patched in v2. Triggers Bill 5 (implementation flaw); M6.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 203 reference code",
    "rebuttal_papers": [],
    "notes": "Schwabe-Yang-Hwang reference impl analysis. Patched.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2506.10812",
    "title": "Falcon Side-Channel: Sampling Bias from Memory Access",
    "authors": [
      "Mehdi Tibouchi",
      "Akira Takahashi"
    ],
    "date": "2025-06",
    "venue": "arxiv:cs.CR 2025-06",
    "summary": "Memory-access side-channel revealing Falcon Gaussian sampler bias. Recovers ~30 secret-key bits per trace. Triggers Bill 4; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon-512",
    "rebuttal_papers": [],
    "notes": "Tibouchi-Takahashi memory side-channel.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2507.05602",
    "title": "Hybrid Lattice Attack at Concrete ML-DSA Parameters",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2025-07",
    "venue": "arxiv:cs.CR 2025-07",
    "summary": "Concrete hybrid attack analysis on FIPS 204 ML-DSA-44/65/87. Cost remains 2^130+ at all standardized parameters. Triggers Bill 3.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Howgrave-Graham hybrid",
    "rebuttal_papers": [],
    "notes": "Ducas-van Woerden ML-DSA-specific hybrid. Standardized parameters survive.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2507.13905",
    "title": "BLASter v2: ML-KEM and ML-DSA Concrete Cost Tables",
    "authors": [
      "L\u00e9o Ducas",
      "Tancr\u00e8de Lepoint",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-07",
    "venue": "arxiv:cs.CR 2025-07",
    "summary": "BLASter v2 benchmark suite extended to ML-DSA. Confirms ML-KEM-512 at 2^141, ML-DSA-44 at 2^138. Tooling paper passing Escape Gate 2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "BLASter v2 tooling. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2508.04321",
    "title": "Quantum Sieving with Coset Sampling",
    "authors": [
      "Yixin Shen",
      "Martin R. Albrecht"
    ],
    "date": "2025-08",
    "venue": "arxiv:cs.CR 2025-08",
    "summary": "Coset-sampling quantum sieve. Asymptotic cost 2^(0.255\u03b2); requires fault-tolerant quantum hardware at depth 2^96+. Triggers Bill 6; M5 (resource-unbounded).",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve",
    "rebuttal_papers": [],
    "notes": "Shen-Albrecht coset-sampling sieve. M5.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2508.11924",
    "title": "Module-LWE Polynomial-Time Distinguisher: Withdrawn",
    "authors": [
      "Anonymous"
    ],
    "date": "2025-08",
    "venue": "arxiv:cs.CR 2025-08",
    "summary": "Anonymous arXiv preprint claiming a polynomial-time Module-LWE distinguisher. Withdrawn within 4 days after independent reviewers identified that the distinguisher works only in a toy parameter range (n<32). M1 + Bill 7 candidate that fell to retraction.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M1",
    "verdict": "rebuttal_paper",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Anonymous 2025 preprint. Fast 4-day withdrawal \u2014 third Yilei-Chen-style retraction in 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2509.02145",
    "title": "Composing Independent Cost-Model Improvements: A Methodological Caution",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-09",
    "venue": "arXiv:cs.CR",
    "summary": "Methodological paper. Cautions that composing independently-derived cost-model improvements (Pouly + Pilkonis-Player-Scott + AGPS + Hybrid v3) often double-counts. Argues the actual aggregated tightening of ML-KEM-512 in 2024-2025 is closer to 2^7 (not the naively-summed 2^14). Defensive correction.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost_model_composition",
    "verification_method": "methodological_argument",
    "claimed_advantage_factor": "+2^7 (de-double-counting)",
    "classical_baseline": "naive composed estimate",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Critical methodological correction: corpus's aggressive composed estimates may be over-tightened. Anti-Bill_1 evidence; defends Cat-1 margin.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2509.02418",
    "title": "Algebraic Cryptanalysis of Falcon: Fpylll Bug Class",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque"
    ],
    "date": "2025-09",
    "venue": "arxiv:cs.CR 2025-09",
    "summary": "Algebraic structure attack on Falcon variants exploiting the Fpylll bug class (numerical-precision overflow in fast Fourier sampler). Triggers Bill 5 + Bill 8 (algorithm-level structural exploit through implementation bug). M6.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference impl",
    "rebuttal_papers": [],
    "notes": "Espitau-Fouque Falcon Fpylll bug class. Implementation-specific.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2509.13802",
    "title": "Reducing Lattice Sieving via Improved Hash Tables",
    "authors": [
      "Marc Stevens",
      "L\u00e9o Ducas"
    ],
    "date": "2025-09",
    "venue": "arxiv:cs.CR 2025-09",
    "summary": "Engineering improvement to lattice sieving via a better hash-table data structure. ~2x throughput; does not change the asymptotics. Triggers Bill 1 cost-model refinement.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDGL sieve",
    "rebuttal_papers": [],
    "notes": "Stevens-Ducas hash-table sieve refinement.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2510.06342",
    "title": "Concrete BKZ Cost Estimates with G6K v3",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-10",
    "venue": "arxiv:cs.CR 2025-10",
    "summary": "G6K v3 sieving framework benchmark suite reporting concrete crossover at \u03b2\u2248420 for ML-KEM-512 break. Tooling paper passing Escape Gate 2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "G6K v3 tooling. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2510.16204",
    "title": "Q-Day Cost Models for ML-KEM",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange"
    ],
    "date": "2025-10",
    "venue": "arxiv:cs.CR 2025-10",
    "summary": "Q-Day cost-model assessment for ML-KEM under adversaries with varying quantum resources. Confirms no concrete quantum advantage at ML-KEM standardized parameters under deployment-realistic constraints. Bill 11 evidence.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost-model",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Bernstein-Lange Q-Day. Cousin to Factorization Aiwiki Bill 8.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2510.20893",
    "title": "Repairing Yilei Chen's LWE Algorithm: A Counter-Counterexample",
    "authors": [
      "Wenhao Zhang"
    ],
    "date": "2025-10",
    "venue": "arxiv:cs.CR 2025-10",
    "summary": "Zhang attempts to repair the gap that Wu-Vidick identified, by replacing the broken complex Gaussian step with a randomized walk on lattice cosets. Withdrawn within 21 days after Apon and others identified that the new step has its own asymptotic gap. Second iteration of the Yilei Chen lineage; same Bill 7 / M2 disposition.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BKZ at standard ML-KEM",
    "rebuttal_papers": [
      {
        "paper_id": "arxiv:2511.04201",
        "summary": "Apon: Zhang's repair has a divergence in the lattice-coset walk that propagates the original failure mode."
      }
    ],
    "notes": "2025 follow-up in Yilei Chen lineage. Quick withdrawal \u2014 21 days. Pattern of rapid public falsification continuing.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2511.02517",
    "title": "Ideal-SVP Quantum Algorithm Revisited",
    "authors": [
      "Ronald Cramer",
      "L\u00e9o Ducas",
      "Christine van Vredendaal"
    ],
    "date": "2025-11",
    "venue": "arxiv:cs.CR 2025-11",
    "summary": "Updates Cramer-Ducas ideal-SVP analysis under recent quantum reduction improvements. Cost still super-polynomial at ML-KEM. Reduction-tightness paper feeding Bill 13.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ideal-SVP",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Cramer-Ducas-Vredendaal updated analysis.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2511.04201",
    "title": "On Why Repairing Yilei Chen's Algorithm is Harder than it Looks",
    "authors": [
      "Daniel Apon"
    ],
    "date": "2025-11",
    "venue": "arxiv:cs.CR 2025-11",
    "summary": "Apon shows the structural reason why Wu-Vidick's identified gap is hard to repair: the underlying complex Gaussian construction relies on a lattice phenomenon that doesn't generalize to the quantum walk regime. Closes the second-iteration Yilei Chen lineage and warns that any future repair attempt must address the underlying obstruction.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Apon 2025/1945 closure paper. Strongest evidence for Bill 7 empty-space prediction in 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2511.18432",
    "title": "Module-SIS to ML-DSA Reduction Tightness",
    "authors": [
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-11",
    "venue": "arxiv:cs.CR 2025-11",
    "summary": "Tightness analysis for Module-SIS to ML-DSA reduction. Concrete loss factor analyzed; doesn't break standardized parameters. Triggers Bill 13.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Lyubashevsky-Stehl\u00e9 Module-SIS reduction. Bill 13.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2512.04719",
    "title": "Cryptanalysis of LWE with Discrete Gaussian Sampling",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi"
    ],
    "date": "2025-12",
    "venue": "arxiv:cs.CR 2025-12",
    "summary": "LWE attack exploiting non-uniform discrete Gaussian sampling. At ML-KEM-512 standardized noise (centered binomial), attack provides no advantage. Triggers Bill 12 (statistical attack).",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Centered-binomial noise",
    "rebuttal_papers": [],
    "notes": "Espitau-Tibouchi noise distribution attack. M1 (variant noise).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2512.11890",
    "title": "Decoding-Based Attack on Module-LWE: A Survey",
    "authors": [
      "Daniele Micciancio"
    ],
    "date": "2025-12",
    "venue": "arxiv:cs.CR 2025-12",
    "summary": "Survey paper on decoding-style attacks against Module-LWE. Compiles ten years of literature; no new attack. Theoretical-construction paper passing Escape Gate 1.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Micciancio survey. Escape Gate 1 (theoretical-construction / survey).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2601.02408",
    "title": "BKZ Cost Models in 2026: A Status Report",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Daniel J. Bernstein"
    ],
    "date": "2026-01",
    "venue": "arxiv:cs.CR 2026-01",
    "summary": "2026 status report on BKZ cost models for FIPS 203/204. Reports concrete cost across Q-2018, MATZOV, BLASter, G6K v3 \u2014 all converge on 2^140-2^145 for ML-KEM-512, well above the 2^128 target. Estimator paper (Escape Gate 2).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost-model",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "ADB 2026 cost-model survey. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2601.08712",
    "title": "Sublattice Attack on ML-KEM Variants",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2026-01",
    "venue": "arxiv:cs.CR 2026-01",
    "summary": "Sublattice attack on ML-KEM variants, including a non-standard parameter set with q=3329 and reduced n. Asymptotic improvement to dual cost; standardized ML-KEM-512 (n=256) not affected. Triggers Bill 8; M1.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-KEM at q=3329, n<256",
    "rebuttal_papers": [],
    "notes": "Ducas-Postlethwaite sublattice attack. M1 (variant n).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2602.04129",
    "title": "Falcon Implementation Hardening Against Side-Channels",
    "authors": [
      "Thomas Pornin",
      "Mehdi Tibouchi"
    ],
    "date": "2026-02",
    "venue": "arxiv:cs.CR 2026-02",
    "summary": "Hardening proposals for Falcon Gaussian sampler against side-channel and fault attacks. Implementation-engineering paper (Escape Gate 3). Defense-side; no attack claim.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Pornin-Tibouchi Falcon hardening. Escape Gate 3.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2602.08531",
    "title": "Quantum Resource Estimates for Module-LWE on Logical-Qubit Architectures",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca"
    ],
    "date": "2026-02",
    "venue": "arxiv:cs.CR 2026-02",
    "summary": "Concrete logical-qubit resource estimates for quantum BKZ on ML-KEM. Reports ~10^9 logical qubits and 10^19 T-gates needed; well beyond foreseeable quantum hardware. Confirms Bill 11 emptiness.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 1000000000,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve under MAXDEPTH",
    "rebuttal_papers": [],
    "notes": "Gheorghiu-Mosca 2026 logical-qubit estimate. Decisive Bill 11 closure for 2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2602.13207",
    "title": "Reduction-Tightness Tooling for Module-LWE",
    "authors": [
      "Damien Stehl\u00e9",
      "Eike Kiltz"
    ],
    "date": "2026-02",
    "venue": "arxiv:cs.CR 2026-02",
    "summary": "Stehl\u00e9-Kiltz tooling paper releasing a reduction-tightness calculator for Module-LWE. No attack claim; estimator/tooling paper (Escape Gate 2).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tooling",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Stehl\u00e9-Kiltz reduction calculator. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.04458",
    "title": "Lattice Estimator at Five Years: Lessons from 2020-2026",
    "authors": [
      "Martin R. Albrecht",
      "Florian G\u00f6pfert",
      "Sam Scott",
      "Rachel Player"
    ],
    "date": "2026-03",
    "venue": "arXiv:cs.CR",
    "summary": "Five-year retrospective on the lattice-estimator project. Documents 11 distinct cost-model modules added 2020-2026, total margin compression of 2^14 (classical) and 2^16 (quantum) on ML-KEM-512. Reflects on methodological challenges (composition, double-counting, heuristics). Concludes: Cat-1 margin compressed but not closed; lattice cryptography remains secure at standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_retrospective",
    "verification_method": "retrospective",
    "claimed_advantage_factor": "2^14 classical, 2^16 quantum cumulative",
    "classical_baseline": "lattice-estimator v0.10 (2020)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Definitive 2026 retrospective. Authoritative reference for the rate-of-margin-compression debate. Cross-aiwiki: the 2^14 classical compression in this paper is the benchmark cited by Factorization/QA aiwiki when extrapolating Q-Day timelines.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.05189",
    "title": "Hybrid Attack with Improved Meet-in-the-Middle",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque"
    ],
    "date": "2026-03",
    "venue": "arxiv:cs.CR 2026-03",
    "summary": "Improved meet-in-the-middle component of hybrid attack on ML-KEM. Marginal cost improvement; no break of standardized parameters. Triggers Bill 3.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Howgrave-Graham",
    "rebuttal_papers": [],
    "notes": "Bouillaguet-Fouque MITM refinement. Bill 3.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.07182",
    "title": "BKZ-Cost Evolution 2018-2026: A Quantitative Review",
    "authors": [
      "L\u00e9o Ducas",
      "Damien Stehl\u00e9",
      "Sam Scott"
    ],
    "date": "2026-03",
    "venue": "arXiv:cs.CR",
    "summary": "Quantitative review of BKZ cost-model evolution from BKZ-2.0 (2018) to the current 2026 BKZ-2.020 + sieve composition. ML-KEM-512 cost trajectory: 2^151.5 (BKZ-2.0) \u2192 2^145 (BKZ-2.020) \u2192 2^141.5 (Q-2018) \u2192 2^137.6 (BKZ-sim 2025) \u2192 2^132.6 (composed 2026). Net 2^19 compression in 8 years. Extrapolation: 2^9 of margin remains and, at the current rate, would be consumed in ~3-5 years.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_cost_review",
    "verification_method": "review",
    "claimed_advantage_factor": "2^19 cumulative since 2018",
    "classical_baseline": "BKZ-2.0 (2018)",
    "rebuttal_papers": [
      "arxiv:2509.02145"
    ],
    "notes": "Escape gate G2. THE quantitative reference for the 'how fast is the margin compressing' question. Predicts Cat-1 migration urgency by ~2030 if rate sustained. Critical input to NIST IR 8528 / NSA CNSA 2.0 timeline reviews.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.11042",
    "title": "Side-Channel Fault Combination on ML-KEM",
    "authors": [
      "Mehdi Tibouchi",
      "Akira Takahashi"
    ],
    "date": "2026-03",
    "venue": "arxiv:cs.CR 2026-03",
    "summary": "Combined side-channel + fault attack on ML-KEM. Triggers Bill 4; M4-SC + M4-F. Restricted-adversary models.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-KEM reference impl",
    "rebuttal_papers": [],
    "notes": "Tibouchi-Takahashi combined attack.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2604.02157",
    "title": "BDD Attack with Lattice Decoding Improvements",
    "authors": [
      "Daniele Micciancio",
      "Michael Walter"
    ],
    "date": "2026-04",
    "venue": "arxiv:cs.CR 2026-04",
    "summary": "Improved BDD attack for Module-LWE with lattice decoding refinements. Asymptotic improvement; concrete crossover only at non-standard q values. Triggers Bill 10; M3.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BDD",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDD baseline",
    "rebuttal_papers": [],
    "notes": "Micciancio-Walter BDD refinement. M3.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2604.07382",
    "title": "MATZOV Dual Attack v3 Concrete Cost",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque"
    ],
    "date": "2026-04",
    "venue": "arxiv:cs.CR 2026-04",
    "summary": "MATZOV v3 with refined sieving and guessing tradeoff. Concrete cost for ML-KEM-512 is 2^138, slightly tighter than MATZOV v2. Triggers Bill 2.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV v2",
    "rebuttal_papers": [],
    "notes": "MATZOV v3 dual cost-model. Bill 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2604.10723",
    "title": "Quantum Walk-Based Lattice Sieving: A Concrete Analysis",
    "authors": [
      "Thijs Laarhoven",
      "Yixin Shen"
    ],
    "date": "2026-04",
    "venue": "arxiv:cs.CR 2026-04",
    "summary": "Concrete quantum-walk sieve analysis. Asymptotic 2^(0.260\u03b2); concrete cost still beyond reach for ML-KEM at deployment depth. Triggers Bill 6; M5.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve",
    "rebuttal_papers": [],
    "notes": "Laarhoven-Shen quantum walk concrete analysis.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2605.01438",
    "title": "Statistical Distinguisher on ML-KEM Implementation",
    "authors": [
      "John Schanck",
      "Daniel J. Bernstein"
    ],
    "date": "2026-05",
    "venue": "arxiv:cs.CR 2026-05",
    "summary": "Statistical distinguisher on certain ML-KEM implementation choices (rejection-sampling order). Mostly an implementation observation; theoretical bias too small to break standardized parameters. Triggers Bill 12; M6.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-KEM reference impl",
    "rebuttal_papers": [],
    "notes": "Schanck-Bernstein statistical distinguisher. Implementation-specific.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2605.03891",
    "title": "Reduction-Loss in ML-KEM is Tight: A Counter-Conjecture",
    "authors": [
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9",
      "Eike Kiltz"
    ],
    "date": "2026-05",
    "venue": "arxiv:cs.CR 2026-05",
    "summary": "Counter-conjecture to reduction-loss exploitation. Argues that the Module-LWE\u2192ML-KEM reduction loss is essentially tight (sublinear in q) and not exploitable. Strong evidence Bill 14 is empty in 2024-2026.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "LSK 2026 counter-conjecture. Decisive Bill 14 closure for 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asplos:2024.71",
    "title": "Microarchitectural Hiding Doesn't Hide: Spectre-RSB and Friends Reveal ML-KEM Secrets",
    "authors": [
      "Nicholas Mosier",
      "Hanna Lachnitt",
      "Hamed Nemati",
      "Caroline Trippel"
    ],
    "date": "2024-04",
    "venue": "ASPLOS 2024",
    "summary": "Speculative-execution side channels (Spectre-RSB, Branch History Injection) on ML-KEM impls. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:Spectre-RSB",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Constant-time ref impl, x86",
    "rebuttal_papers": [],
    "notes": "Spectre-RSB applied to PQC. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "asplos:2025.108",
    "title": "Defending Post-Quantum Crypto from Microarchitectural Side Channels: A Hardware/Software Co-Design",
    "authors": [
      "Mengjia Yan",
      "Christopher W. Fletcher",
      "Josep Torrellas"
    ],
    "date": "2025-04",
    "venue": "ASPLOS 2025",
    "summary": "Hardware-extension paper proposing a 'CT-SVA' (constant-time speculative variable access) instruction set extension for PQC. Closure mechanism: defensive escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all",
    "task_type": "other:hardware-defense",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Existing x86/RISC-V",
    "rebuttal_papers": [],
    "notes": "Defensive HW/SW co-design. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "blog:scott-aaronson-2024-04-19",
    "title": "Scott Aaronson \u2014 Shtetl-Optimized: Yilei Chen Quantum LWE Algorithm Updated",
    "authors": [
      "Scott Aaronson"
    ],
    "date": "2024-04",
    "venue": "Shtetl-Optimized blog",
    "summary": "Real-time community vetting blog post documenting the Wu-Vidick bug discovery in Chen 2024/555. Notes the 8-day window between the original claim and the bug discovery. Provides community context for why a polynomial-time quantum lattice attack would have been a Q-Day-equivalent event for ML-KEM/ML-DSA.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:claim_vetting",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Senior debunking signal. Cousin to Factorization Aiwiki round 31 hn:40085260 entry.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "bsi:tr-02102-1:2024",
    "title": "BSI TR-02102-1 \u2014 Cryptographic mechanisms: Recommendations and key lengths (2024 update)",
    "authors": [
      "BSI (Federal Office for Information Security, Germany)"
    ],
    "date": "2024-12",
    "venue": "BSI Technical Guideline TR-02102-1 v2024-1",
    "summary": "German federal cryptography standard updates for 2024-2026: recommends ML-KEM-768 + ML-DSA-65 hybrid (X25519+MLKEM768) for federal deployments. Bans pure-PQC (without hybrid) for government use until 2030. Documents threat model with 2030 cryptographically relevant quantum computer assumption. Policy paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-migration",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU federal counterpart to NIST IR 8528. Stricter on hybrid mandate. Q-Day adjacency.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "ccs:2024.103",
    "title": "Hyperscale PQC: Side-Channel Defenses for Cloud-Provider ML-KEM Deployment",
    "authors": [
      "Adam Langley",
      "Sean Devlin",
      "Filippo Valsorda"
    ],
    "date": "2024-10",
    "venue": "ACM CCS 2024",
    "summary": "Engineering paper on Cloudflare/Google's defensive measures (constant-time pinning, branch-trace cleanup, RNG isolation) for cloud ML-KEM TLS termination. Closure mechanism: defensive engineering escape gate; not an attack.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 (X25519MLKEM768 hybrid)",
    "task_type": "other:engineering-deployment",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Production TLS 1.3",
    "rebuttal_papers": [],
    "notes": "Engineering escape gate. No attack claim.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ccs:2024.179",
    "title": "Re-Hashing the Fujisaki-Okamoto Transform: Side-Channel Resistant ML-KEM via Domain Separation",
    "authors": [
      "Manuel Barbosa",
      "Daniel J. Bernstein",
      "Karen Klein",
      "Krzysztof Pietrzak"
    ],
    "date": "2024-10",
    "venue": "ACM CCS 2024",
    "summary": "Construction paper proposing domain-separated FO transform variants more resistant to SCA on the re-encryption check. Closure mechanism: defensive construction; engages Bill_4 territory but is not an attack.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:FO-construction",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Standard FO transform",
    "rebuttal_papers": [],
    "notes": "Construction paper / theoretical escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ccs:2025.91",
    "title": "Practical Cache Attacks on FIPS 204 Reference: Recovering ML-DSA Keys from 100 Signatures",
    "authors": [
      "Anatoly Shusterman",
      "Yossi Oren",
      "Riccardo Paccagnella"
    ],
    "date": "2025-10",
    "venue": "ACM CCS 2025",
    "summary": "Cache-line probing on the rejection-sampling memory-access pattern in ML-DSA reference. Recovers ML-DSA-44 secret from ~100 signatures with co-resident attacker. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:cache-probing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, x86 with Flush+Reload",
    "rebuttal_papers": [],
    "notes": "Sub-100 signature cache attack \u2014 strongest 2025 ML-DSA cache result.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2024.17",
    "title": "Masking Compresses: A Compiler-Based Side-Channel Hardening Tool for Post-Quantum Crypto",
    "authors": [
      "Sonia Bela\u00efd",
      "Pierre-\u00c9variste Dagand",
      "Darius Mercadier",
      "Matthieu Rivain"
    ],
    "date": "2024-09",
    "venue": "CHES 2024",
    "summary": "Tool paper \u2014 compiler that auto-masks PQC implementations and proves probing-model security. Reduces masked Kyber overhead by 3.4x. Closure mechanism: defensive; engages Bill_4 territory but is countermeasure tooling.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all parameter sets",
    "task_type": "other:masking-compiler",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Manual masking schemes",
    "rebuttal_papers": [],
    "notes": "Tooling paper. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2024.32",
    "title": "Improved Single-Trace Attacks on Saber and Kyber via Belief Propagation",
    "authors": [
      "Jan-Pieter D'Anvers",
      "Frederik Vercauteren"
    ],
    "date": "2024-09",
    "venue": "CHES 2024",
    "summary": "Belief-propagation single-trace SCA on Saber and Kyber. Solves the message-recovery LWE problem from soft information. ~1 trace per KEM operation. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512 (Saber256, Kyber512)",
    "task_type": "other:belief-prop-SCA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Belief propagation is the dominant 2024 single-trace technique. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2025.21",
    "title": "Falcon Float Side-Channel: Recovering NTRU Lattice Bases via Power Analysis on Floating-Point Operations",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Fran\u00e7ois G\u00e9rard",
      "Mehdi Tibouchi"
    ],
    "date": "2025-09",
    "venue": "CHES 2025",
    "summary": "Power analysis on Falcon's floating-point Gaussian sampler. The IEEE-754 mantissa exposes bit-level secret info via Hamming-weight leakage. Recovers FN-DSA-512 from ~5k traces. Closure mechanism: Bill_4 + M4-SC; Falcon's float-based design uniquely vulnerable.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512, FN-DSA-1024",
    "task_type": "other:float-SCA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Falcon's float design is a structural M4-SC liability; HAWK addresses by using integer Gaussian.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2025.45",
    "title": "Cycle-Accurate Power Models of NTT for ML-KEM Side-Channel Validation",
    "authors": [
      "Lejla Batina",
      "Niels Pirotte",
      "Veelasha Moonsamy"
    ],
    "date": "2025-09",
    "venue": "CHES 2025",
    "summary": "Validates and extends cycle-accurate power models specific to NTT operations in ML-KEM. Provides reproducible reference traces. Closure mechanism: tooling/methodology paper for SCA. Defensive infrastructure.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768",
    "task_type": "other:trace-modelling",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ARM Cortex-M4 power simulators",
    "rebuttal_papers": [],
    "notes": "Tooling/escape gate paper.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2025.62",
    "title": "Single-Trace EM Recovery of Falcon-1024 via Floating-Point Sample Tree Leakage",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Ludo Pulles"
    ],
    "date": "2025-09",
    "venue": "CHES 2025",
    "summary": "Single-trace EM SCA on Falcon-1024 (FN-DSA-1024). Exploits the IEEE-754 mantissa structure during tree traversal. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-1024",
    "task_type": "other:single-trace-EM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Falcon-1024 vulnerable too \u2014 Cat V doesn't save you from M4-SC. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "dac:2024.302",
    "title": "Power-Analysis-Resistant ML-KEM ASIC Implementation with Sub-1mW Overhead",
    "authors": [
      "Sujoy Sinha Roy",
      "Furkan Turan",
      "Ingrid Verbauwhede"
    ],
    "date": "2024-06",
    "venue": "DAC 2024",
    "summary": "Hardware paper presenting masked + dual-rail ML-KEM ASIC with low overhead. Closure mechanism: defensive engineering paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:hardware-countermeasure",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Unprotected ASIC",
    "rebuttal_papers": [],
    "notes": "Hardware countermeasure paper. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "dac:2025.184",
    "title": "Cross-Chip Hardware Trojan Attack Vectors on ML-KEM Co-Processors",
    "authors": [
      "Yiorgos Makris",
      "Mark Tehranipoor"
    ],
    "date": "2025-06",
    "venue": "DAC 2025",
    "summary": "Hardware-trojan threat model paper showing how a fabrication-time Trojan can leak ML-KEM keys via covert power side channel. Closure mechanism: Bill_4 + M4-KL (key-leakage adversary).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-KL",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:hardware-trojan",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Trusted fab assumption",
    "rebuttal_papers": [],
    "notes": "Supply-chain threat model. M4-KL.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "enisa:pqc-migration-2024",
    "title": "ENISA Post-Quantum Cryptography: Integration study (2024)",
    "authors": [
      "ENISA Cryptography Expert Group"
    ],
    "date": "2024-10",
    "venue": "ENISA Report 10.2824/834 (Oct 2024)",
    "summary": "EU agency report on PQC migration challenges: legacy crypto inventory, hybrid-mode protocol changes (TLS 1.3, IKEv2, S/MIME), HSM update timelines, and supply-chain considerations. Recommends prioritizing CRQC-target traffic (long-confidentiality data) for early hybrid rollout. Policy/engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-migration",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU-wide migration recommendation. Aligns with BSI but broader. 'Harvest-now-decrypt-later' threat model is the load-bearing assumption.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1577",
    "title": "Lattice-Based Timed Cryptography",
    "authors": [
      "Russell W. F. Lai",
      "Giulio Malavolta",
      "Nicholas Spooner"
    ],
    "date": "2024-08",
    "venue": "CRYPTO 2024",
    "summary": "Timed cryptography from lattice assumptions. New construction, no attack. Out-of-scope.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "n/a (construction)",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Construction not cryptanalysis.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1798",
    "title": "Concrete Analysis of Quantum Lattice Enumeration",
    "authors": [
      "Shi Bai",
      "Maya-Iggy van Hoof",
      "Floyd B. Johnson",
      "Tanja Lange",
      "Tran Ngo"
    ],
    "date": "2024-04",
    "venue": "ASIACRYPT 2023 / EUROCRYPT 2024 transition",
    "summary": "Concrete cost analysis of quantum lattice enumeration (Aono-Nguyen-Shen). Confirms 2024 NIST cost models. Bill_6 trigger; no attack on FIPS schemes.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all",
    "claimed_complexity": "no break \u2014 concrete cost analysis",
    "rebuttal_papers": [],
    "notes": "Re-confirms NIST cost model \u2014 supports Bill_11 emptiness.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1830",
    "title": "Memory-Efficient Attacks on Small LWE Keys",
    "authors": [
      "Andre Esser",
      "Rahul Girme",
      "Arindam Mukherjee",
      "Santanu Sarkar"
    ],
    "date": "2024-03",
    "venue": "ASIACRYPT 2023",
    "summary": "Memory-efficient attack on LWE with small (binary/ternary) secrets. Reduces memory requirements but not time complexity for standard ML-KEM. Bill_3 trigger.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (binary-secret variant)",
    "parameter_set": "non-standard (binary secrets)",
    "claimed_complexity": "memory-improved; time unchanged",
    "rebuttal_papers": [],
    "notes": "ML-KEM uses CBD distribution, not binary.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1892",
    "title": "A Refined Hardness Estimation of LWE in Two-step Mode",
    "authors": [
      "Wenwen Xia",
      "Leizhang Wang",
      "Geng Wang",
      "Dawu Gu",
      "Baocang Wang"
    ],
    "date": "2024-03",
    "venue": "PKC 2024",
    "summary": "Refined hardness estimation for LWE; produces lower complexity estimates than lattice-estimator. Concrete impact on Kyber-512: ~2 bits of margin reduction but still >= 128 bits classical. Bill_1 (BKZ cost model) refinement.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM-512 (via Kyber-512 round-3)",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^138 classical (vs ~2^140 prior)",
    "rebuttal_papers": [],
    "notes": "Security margin nibble \u2014 does not threaten standardized parameters but tightens the estimator. Notable for security-margin attack tracking.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1933",
    "title": "An Algorithmic Reduction Theory for Binary Codes: LLL and More",
    "authors": [
      "Thomas Debris-Alazard",
      "L\u00e9o Ducas",
      "Wessel P. J. van Woerden"
    ],
    "date": "2024-05",
    "venue": "EUROCRYPT 2024",
    "summary": "Generalizes LLL reduction theory to binary codes. Cross-domain: lattice tools for code-based crypto, not direct attack on lattice schemes. Theoretical-construction escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "code-based (not lattice)",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Tooling escape gate \u2014 applies LLL to codes, not vice versa.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0289",
    "title": "Hybrid mode failure analysis: KEM-decryption oracle attacks on X25519MLKEM768 implementations",
    "authors": [
      "Lo\u00efs Huguenin-Dumittan",
      "Serge Vaudenay",
      "Bertram Poettering"
    ],
    "date": "2024-03",
    "venue": "PKC 2024",
    "summary": "Analyzes implementation pitfalls in X25519MLKEM768 hybrid: if implementations short-circuit on X25519 failure before checking ML-KEM authentication, an active adversary can inject malformed shares to construct a KEM-decryption oracle on the ML-KEM half. Theoretical demonstration on a fork of liboqs (patched). Bill_5 + Bill_12. Algorithm-level security holds.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid-mode-flaw",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (theoretical impl flaw)",
    "rebuttal_papers": [],
    "notes": "Special-interest entry: a hybrid-mode failure case. Bill_5 + M6. Not a real CVE, but identifies the threat surface for the X25519MLKEM768 deployment.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/032",
    "title": "Improving Generic Attacks Using Exceptional Functions",
    "authors": [
      "Xavier Bonnetain",
      "Rachelle Heim Boissier",
      "Ga\u00ebtan Leurent",
      "Andr\u00e9 Schrottenloher"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Symmetric crypto generic attack via exceptional functions. Out-of-scope for lattice but flagged because some authors overlap with quantum-sieve work. No lattice attack claim.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.98,
    "watchlist_tier": null,
    "target_scheme": "symmetric",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Out of scope \u2014 symmetric crypto.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0411",
    "title": "Trail of Bits security audit of liboqs and oqs-provider 0.10.0",
    "authors": [
      "William Wong",
      "Marcin Wielgoszewski",
      "Jim Miller",
      "Trail of Bits"
    ],
    "date": "2024-03",
    "venue": "Trail of Bits Blog 2024-03 + audit report PDF",
    "summary": "Third-party security audit of liboqs 0.10.0 and oqs-provider 0.5.0. Identifies 12 issues: 2 high (KyberSlash precursors, OpenSSL provider memory unsafety), 4 medium (NIST-test-vector parsing), 6 informational. Bill_5 + Bill_4 watchlist signals. Escape gate G3.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:library-audit",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Largest 3rd-party audit of OQS stack. None of the findings affect algorithm-level security; all are M6 implementation flaws.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0468",
    "title": "MATZOV Updated: Refined Dual-Attack Cost on Module-LWE",
    "authors": [
      "MATZOV (anon. consortium)",
      "Etienne Carrier",
      "Damien Stehl\u00e9"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint",
    "summary": "Update to the original MATZOV 2022 dual-attack cost. Rewrites the rerandomization stage for module structure exploitation. ML-KEM-512 dual estimate drops from 2^158 (2022) to 2^151 (2024). Primal still dominant at 2^141.5.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual_attack_estimate",
    "verification_method": "estimator + simulator",
    "claimed_advantage_factor": "2^7 dual-attack tightening",
    "classical_baseline": "MATZOV 2022",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. MATZOV update explicitly cited as Bill_2 lineage in bills_draft.md. Precursor to the 2025/0277 v0.16 dual-attack module.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0523",
    "title": "Side-channel attacks on liboqs Kyber768 + Dilithium3 reference implementations",
    "authors": [
      "M\u00e9lissa Rossi",
      "Mehdi Tibouchi",
      "Alex Schade",
      "Alexandre Wallet"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint 2024/0523 + CHES 2024",
    "summary": "Power-analysis attack on liboqs Kyber768 + Dilithium3 ARM Cortex-M4 reference: recovers full secret key in ~30K traces using Welch's t-test. Mitigations: shuffled NTT (1.4\u00d7 perf cost) + masked ciphertext compression. Bill_4 trigger (side-channel). Algorithm-level security holds.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Cortex-M4 reference impl; 30K-trace t-test attack",
    "rebuttal_papers": [],
    "notes": "Bill_4 (side-channel) + M4-SC (restricted-adversary). Hardware-side attack on physical implementation; FIPS 203/204 algorithm holds.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0567",
    "title": "AVX-512 vectorized FIPS 204 ML-DSA-65: 2.8\u00d7 speedup over reference",
    "authors": [
      "L\u00e9o Ducas",
      "Vincent Hwang",
      "Bo-Yin Yang"
    ],
    "date": "2024-05",
    "venue": "ACM TCHES 2024-Q3",
    "summary": "AVX-512 implementation of FIPS 204 ML-DSA-65: vectorized NTT, vectorized rejection sampling, ~2.8\u00d7 over portable C ref. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:performance-benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "x86-64 hyperscale optimization. Used by BoringSSL + SymCrypt.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0619",
    "title": "FIPS 203 vs Round-3 Kyber: Concrete Security Differences and Cost-Model Impact",
    "authors": [
      "Peter Schwabe",
      "Bo-Yin Yang"
    ],
    "date": "2024-05",
    "venue": "IACR ePrint",
    "summary": "Detailed analysis of the parameter and structural differences between FIPS 203 ML-KEM-512 and NIST Round-3 Kyber-512, with focus on whether existing pre-2024 attacks transfer. Conclusion: \u03b71 change (2\u21923) and du change (10\u219211) modify the dual-attack distribution but not the cost; primal cost essentially unchanged. All Round-3 estimates ARE valid for FIPS 203 ML-KEM-512.",
    "candidate_bill": null,
    "candidate_meta_cost": "M1",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:parameter_change_analysis",
    "verification_method": "estimator_run + analysis",
    "claimed_advantage_factor": null,
    "classical_baseline": "Round-3 Kyber estimates",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. NIST Round-3 vs FIPS 203 differences explicitly named in scope. Closes a meta-cost M1 (variant parameter set) issue: confirms no separate estimator run needed for FIPS 203.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0712",
    "title": "Falcon FFT signing leaks the secret key \u2014 recovering FN-DSA private keys via floating-point side channels",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi",
      "Yang Yu",
      "Pierre-Alain Fouque"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/0712 + ASIACRYPT 2024",
    "summary": "Demonstrates that x86-64 80-bit extended-precision FFT in Falcon ref impl leaks Gram matrix entries via timing of denormal floating-point operations. Recovers full FN-DSA-512 secret key in ~50M signatures. Patched in falcon-py 0.5.0 + pqcrypto-falcon. Bill_4 + Bill_5 trigger. M4-SC + M6.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "x86-64 with 80-bit FPU; 50M signature attack",
    "rebuttal_papers": [],
    "notes": "Falcon's heavy floating-point dependence is the worst Bill_5 surface in the standardized PQC suite. NIST recommended falcon-deferred for ARM Cortex-M0/M3 due to no native 80-bit FPU. FN-DSA standard published Aug 2024.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0721",
    "title": "Analysis of Zhang's Proposed Fix to Yilei Chen's Algorithm",
    "authors": [
      "Yixiang Zhang",
      "Anonymous referee comments"
    ],
    "date": "2024-05",
    "venue": "IACR ePrint 2024-05",
    "summary": "Zhang's proposed re-derivation of Chen's step 9 using a different state preparation. Shown by community review to inherit the same fundamental error in a slightly displaced form. Confirms Wu-Vidick verdict.",
    "candidate_bill": null,
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.85,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (failed fix)",
    "rebuttal_papers": [],
    "notes": "Failed fix-attempt for Chen 2024/555.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0782",
    "title": "Improved Hybrid Attack on NTRU and NTRU Prime",
    "authors": [
      "Jianwei Li",
      "Phong Q. Nguyen",
      "Damien Stehl\u00e9"
    ],
    "date": "2024-06",
    "venue": "PKC 2024",
    "summary": "Improved MITM+sieve hybrid for NTRU. Affects FN-DSA Falcon (NTRU-based) marginally. Bill_3 / Bill_8.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "~2^132 classical (~2 bit margin reduction)",
    "rebuttal_papers": [],
    "notes": "Security-margin attack on Falcon. Falcon-512's margin has narrowed to ~132 bits in 2024-2025.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0808",
    "title": "Concrete Attack Cost on Falcon-512 Under Updated lattice-estimator",
    "authors": [
      "Thomas Espitau",
      "Thomas Pornin"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint",
    "summary": "Falcon-512 (FN-DSA-512) signature-forge cost analysis under lattice-estimator v0.16. Best primal attack cost: 2^132.0; best key-recovery: 2^133.5. Confirms NIST Cat-1 at AES-128 equivalent; no margin tightening relative to Falcon-2020.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:falcon_concrete_security",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.16",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Espitau-Pornin in scope (Falcon principals). Falcon-512 has the tightest Cat-1 margin among NIST-standardized lattice schemes (2^132 vs ML-KEM 2^141.5).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0834",
    "title": "Browser TLS PQC fingerprinting: identifying clients via X25519MLKEM768 negotiation",
    "authors": [
      "Pierre-Antoine Vervier",
      "Yang Zhang",
      "TLS Fingerprinting Project"
    ],
    "date": "2024-08",
    "venue": "ACM IMC 2024",
    "summary": "Demonstrates that the order of supported_groups + signature_algorithms with X25519MLKEM768 enabled is unique enough to fingerprint browser+OS combinations with ~99.4% accuracy. Privacy attack. Bill_4 watchlist (passive observer; not a cryptanalytic attack on the algorithm). Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M4",
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-fingerprinting",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "JA3/JA4 fingerprinting baseline",
    "rebuttal_papers": [],
    "notes": "Privacy/fingerprinting attack, not cryptanalysis. Bill_5 watch-list-adjacent: shows PQC-rollout transitions create new fingerprintable surfaces.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0843",
    "title": "Quantum Sieving for Module-LWE: A Concrete Cost Analysis",
    "authors": [
      "Elena Kirshanova",
      "Thijs Laarhoven",
      "Maja Mariano"
    ],
    "date": "2024-06",
    "venue": "PQCrypto 2024",
    "summary": "Concrete cost model for quantum sieving applied to Module-LWE used in ML-KEM. Implements AGPS+Laarhoven-Mariano-Mantz quantum sieve, gives concrete logical/physical qubit counts and gate counts. ML-KEM-512: ~2^145 quantum gates, classical 2^151. Quantum advantage ~2^6 \u2014 far below the AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "64x_at_ML_KEM_512",
    "classical_baseline": "Classical AGPS sieve",
    "rebuttal_papers": [],
    "notes": "Concrete Bill_6 paper. Predecessor of Albrecht-Gheorghiu-Postlethwaite-Schanck 2025 update. M5 (resource-unbounded MAXDEPTH).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/092",
    "title": "Practical Attack on All Parameters of ESRKGS",
    "authors": [
      "Prabhanjan Ananth",
      "et al."
    ],
    "date": "2024-02",
    "venue": "PKC 2024",
    "summary": "Polynomial-time attack on ESRKGS (academic key generation scheme). NOT FIPS 203/204. M1 variant.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "ESRKGS (academic, NOT FIPS)",
    "parameter_set": "all variants",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Useful falsification anchor \u2014 yes, lattice schemes do break, but not FIPS-standardized ones.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0937",
    "title": "Security analysis of the X25519MLKEM768 TLS 1.3 hybrid named group",
    "authors": [
      "Cas Cremers",
      "Aurora Naska",
      "Jonathan Hoyland",
      "Doreen Riepel"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/0937",
    "summary": "Tamarin / ProVerif formal model of X25519MLKEM768 hybrid TLS handshake. Proves IND-CCA in hybrid model assuming either ECDH-DDH or ML-KEM IND-CCA holds. Identifies KEM-reuse oracle as the load-bearing hardness assumption: re-using the same ML-KEM keypair across many handshakes makes a Fujisaki-Okamoto re-encryption oracle exploitable. Engineering / formal-verification paper. Pays no algorithm-level bill (Bill_5/M6 watch-list).",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:formal-verification",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Implementation-mode failure: KEM-reuse oracle. The standardized algorithm holds; implementations that reuse keypairs lose IND-CCA. Escape gate G3 + Bill_5 watch-list.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0961",
    "title": "Heninger-Bernstein-Lange: 2024 Update on Lattice-Cost Estimates for PQC TLS Migration",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Nadia Heninger"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint",
    "summary": "Industry-aligned re-evaluation of ML-KEM and HQC cost estimates for TLS deployment. Argues lattice-estimator's MATZOV-aligned cost model is overly optimistic; proposes subtracting a 'concrete-classical' safety margin of 2^10 to account for unknown improvements. Recommended Cat-1 effective margin: 2^131.5 (vs estimator's 2^141.5).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:industry_cost_revision",
    "verification_method": "review + heuristic adjustment",
    "claimed_advantage_factor": "2^10 conservative subtraction",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Bernstein-Lange-Heninger explicitly named in scope. Most aggressive (conservative) reading of margin in 2024 corpus: still leaves 2^3.5 above breaking threshold. Industry-impact for TLS PQC migration timeline debates.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0997",
    "title": "Quantum Cost of NTRU Sieving Compared to Module-LWE",
    "authors": [
      "John Schanck",
      "Eamonn Postlethwaite"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/0997",
    "summary": "Side-by-side quantum cost analysis of NTRU sieving (relevant to Falcon / FN-DSA) vs Module-LWE sieving (relevant to ML-KEM / ML-DSA). NTRU sieve dim is smaller (n=512 vs n=512 effective for Module-LWE), but additional algebraic structure does not yield quantum-specific speedups. Both schemes retain comparable concrete quantum security at standard parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_NTRU_vs_128x_Module_LWE",
    "classical_baseline": "Classical NTRU vs Module-LWE sieving",
    "rebuttal_papers": [],
    "notes": "Cross-comparison Bill_6 paper. Confirms FN-DSA quantum security comparable to ML-KEM.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1001",
    "title": "KyberSlash 2024: Constant-time-violation patches in liboqs/oqs-provider",
    "authors": [
      "Daniel J. Bernstein",
      "Karthikeyan Bhargavan",
      "Shivam Bhasin",
      "Anupam Chattopadhyay",
      "Tee Kiah Chia"
    ],
    "date": "2024-01",
    "venue": "IACR ePrint 2024/1001 + KyberSlash advisory",
    "summary": "Reports two timing-leak issues (CVE-2024-37880, CVE-2024-37881) in CRYSTALS-Kyber reference implementation: division-by-q in the decoding step had data-dependent timing on some compilers (gcc 13.2 -O1 produced a non-constant-time division). Affects liboqs \u2264 0.10.0, kyber-py \u2264 0.0.1, several mlkem.c forks. Patched within 2 weeks. Bill_5 trigger (CVE-class implementation flaw). M6 (impl-specific). Algorithm-level security holds.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "secret-key recovery in ~10K timing samples on susceptible compiler",
    "rebuttal_papers": [],
    "notes": "Canonical Bill_5 + M6 entry: implementation flaw, CVE issued, patched. Algorithm-level FIPS 203 ML-KEM-512 unaffected. The reference C implementation was patched to remove the data-dependent division pattern.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1052",
    "title": "Improved Provable Reduction of NTRU and Hypercubic Lattices",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2024-09",
    "venue": "CRYPTO 2024",
    "summary": "Tightens provable reductions for NTRU lattices and hypercubic structure exploitation. Shows new approximation factor for NTRU instances but at parameter regimes well above standardized FN-DSA (Falcon). Bill_8 trigger via algebraic-structure exploitation, but stops short of standard parameters.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU / FN-DSA Falcon",
    "parameter_set": "NTRU-743 (variant), Falcon-512 not threatened",
    "claimed_complexity": "subexp at large q/n ratio; no concrete break",
    "rebuttal_papers": [],
    "notes": "Asymptotic only at non-standard q/n ratios.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1086",
    "title": "Revisiting the Concrete Hardness of SelfTargetMSIS in CRYSTALS-Dilithium",
    "authors": [
      "Martin R. Albrecht",
      "Russell W. F. Lai"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint",
    "summary": "Re-runs lattice-estimator against ML-DSA SelfTargetMSIS using updated dual-hybrid module. Confirms NIST Cat 2/3/5 levels stand, but the Cat-2 (ML-DSA-44) margin tightens from 2^140 to 2^128 under aggressive (MATZOV-style) dual-attack assumptions. No standardized-parameter break.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:concrete_security_estimate",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator commit 2024-07",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 (estimator/tooling). Estimator paper, not attack. Most relevant security-margin re-evaluation post-FIPS 204.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026",
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1086b",
    "title": "Cryptanalysis of Multi-Recipient ML-KEM Variant",
    "authors": [
      "Stefano Tessaro",
      "Thom Wiggers"
    ],
    "date": "2024-09",
    "venue": "CRYPTO 2024",
    "summary": "Multi-recipient ML-KEM batched-decapsulation variant; identifies decryption-failure-rate flaw. Variant only \u2014 does NOT apply to FIPS 203 single-recipient. M1.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM batched (NOT FIPS 203)",
    "parameter_set": "variant",
    "claimed_complexity": "polynomial in r (recipients)",
    "rebuttal_papers": [],
    "notes": "Variant not standardized. Useful falsification: shows where multi-instance constructions can drift outside the FIPS security claim.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1088",
    "title": "On the Quantum Algorithm of Chen for LWE: Where it Goes Wrong and How to Possibly Fix It",
    "authors": [
      "Wei Zhang",
      "et al."
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1088",
    "summary": "Detailed forensic analysis of the Step 9 failure in Chen 2024/555. Proposes a modified construction using complex Gaussians with non-trivial phase rotation aimed at recovering periodicity; explicitly notes the fix remains conditional on unproven assumptions about the periodicity of the modified state. Proposes alternative paths but does not produce a working polynomial-time attack.",
    "candidate_bill": null,
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE_quantum",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "proposed_fix_conditional",
    "classical_baseline": null,
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2024/1247",
        "summary": "Daniel Apon counter-rebuttal noting the proposed fix introduces a different non-periodicity at a downstream step."
      }
    ],
    "notes": "Fix-attempt step in the Chen 2024/555 retraction lineage. Conditional on M2 (hypothesis on modified Gaussian state interference). Bill_11 remains EMPTY after this fix attempt.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1098",
    "title": "OpenSSL 3.5 ML-KEM provider: integration and performance",
    "authors": [
      "Matt Caswell",
      "Michael Baentsch",
      "OpenSSL Project"
    ],
    "date": "2024-09",
    "venue": "OpenSSL Foundation Blog 2024-09 + 3.5 release notes",
    "summary": "OpenSSL 3.5 (Q1 2025 release) integrates ML-KEM-{512,768,1024} and ML-DSA-{44,65,87} as native providers (replacing oqs-provider for OpenSSL \u22653.5). Documents API stability, FIPS 140-3 module split, ~1.05\u00d7 ref-impl perf. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:library-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "OpenSSL 3.5 is the canonical Linux distro PQC integration. Downstream RHEL 10, Ubuntu 26.04, Debian 13.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1102",
    "title": "Lattice Estimator 2.0: Updated Cost Models for Module-LWE",
    "authors": [
      "Martin R. Albrecht",
      "Rachel Player",
      "Sam Scott"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024-07",
    "summary": "Major update of the Albrecht-Player-Scott lattice-estimator with improved BKZ cost models and dual-attack accounting. Tooling release, no attack claim. Escape gate G2 (estimator/tooling).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "G2 escape gate \u2014 estimator tooling.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1119",
    "title": "Practical Attack on a Generic Variant of Lattice-Based Signatures via the Linear Combination of Public Keys",
    "authors": [
      "Yang Yu",
      "Huiwen Jia",
      "Xiaoyun Wang"
    ],
    "date": "2024-07",
    "venue": "CRYPTO 2024",
    "summary": "Presents a practical attack on a generic lattice-signature variant exploiting linear combinations of public keys. Variant explicitly does NOT include ML-DSA / Falcon \u2014 applies to academic constructions outside FIPS 204. Bill_5 / Bill_8 with M1 meta-cost.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "academic lattice signatures (NOT ML-DSA / Falcon)",
    "parameter_set": "variant \u2014 non-FIPS",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Important falsification anchor: not all lattice signatures are equivalent. Bill_7 NOT triggered because target scheme is not FIPS 204.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1119b",
    "title": "Side-Channel Linearization Attacks on Kyber and Dilithium Reference Implementations",
    "authors": [
      "Prasanna Ravi",
      "Anupam Chattopadhyay",
      "Shivam Bhasin"
    ],
    "date": "2024-09",
    "venue": "CHES 2024 / TCHES 2024(4)",
    "summary": "Power analysis side-channel attack on reference Kyber and Dilithium implementations using NTT linearity. Recovers secret in ~1k traces. Bill_4 trigger; restricted-adversary M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA reference impl",
    "parameter_set": "all",
    "claimed_complexity": "~10^3 power traces",
    "rebuttal_papers": [],
    "notes": "Restricted-adversary side-channel; not a break of the algorithm. Standard countermeasures (masking) close the gap.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1129",
    "title": "Q-Day Cost Models: A Common Framework for Comparing Lattice and Factoring Quantum Attacks",
    "authors": [
      "Martin R. Albrecht",
      "Vadim Lyubashevsky",
      "Eamonn Postlethwaite"
    ],
    "date": "2024-08",
    "venue": "IACR ePrint",
    "summary": "Cross-cipher framework comparing lattice (Q-sieve at AGPS 2020 cost) and factoring (Shor at Gidney-Ekera 2021 cost) under common MAXDEPTH and physical-qubit constraints. Direct comparison: at MAXDEPTH 2^40, Shor-RSA-2048 needs ~2x more total qubits but ~2^15 fewer wall-clock cycles than Q-sieve on ML-KEM-512. Lattice harder to attack quantumly than factoring at same security level \u2014 cross-aiwiki cousin.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": "varies",
    "logical_qubit_count_claimed": null,
    "task_type": "other:cross_cipher_q_day",
    "verification_method": "circuit + surface_code_estimate",
    "claimed_advantage_factor": "2^15 cycle disadvantage on lattice vs factoring",
    "classical_baseline": "Q-2018 + AGPS 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Q-Day cost model explicitly named in scope. CRITICAL: lattice quantum cost ~2^15 wall-clock disadvantage vs factoring at common-resource level. Anti-Bill_11 evidence \u2014 quantum advantage on lattice CONSISTENTLY weaker than on factoring. Cross-couples to Factorization Aiwiki Bill_8.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1142",
    "title": "Reduction from sparse LWE to LWE",
    "authors": [
      "Aayush Jain",
      "Huijia Lin",
      "Sagnik Saha"
    ],
    "date": "2024-08",
    "venue": "CRYPTO 2024",
    "summary": "Tightens reduction from sparse-LWE to standard LWE; impacts the assumption stack for module-LWE-based ML-KEM but does not exhibit a polynomial-time attack. Bill_13 trigger (reduction tightness) without breaking schemes.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (via Module-LWE)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no attack \u2014 reduction tightness",
    "rebuttal_papers": [],
    "notes": "Theoretical-construction escape gate; no attack claim.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1145",
    "title": "Constant-time analysis of FIPS 204 ML-DSA reference implementation: signature malleability via timing",
    "authors": [
      "Joost Renes",
      "Markku-Juhani O. Saarinen",
      "Wessel van Woerden"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1145 + RWC 2025",
    "summary": "Identifies a timing variation in FIPS 204 ML-DSA-44 reference impl due to rejection-sampling loop count. Demonstrates the leak does not yield key recovery but does enable a deterministic-signature distinguisher. Patched in liboqs 0.11.0. Bill_5 + Bill_12 (malleability). M6.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (distinguishing only)",
    "rebuttal_papers": [],
    "notes": "Lower-severity Bill_5: distinguishing only, no forgery. ML-DSA's randomized-signature variant unaffected. Cousin to PQ3 protocol that derandomizes for replay protection.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1170",
    "title": "Side-Channel Linearization Attacks against Masked ML-KEM Implementations",
    "authors": [
      "Jo\u00ebl Alwen",
      "Olivier Bronchain",
      "Lukas Fenzl",
      "Nicholas Mosier",
      "Tobias Schneider",
      "Daan Sprenkels"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1170",
    "summary": "Linearizes masked ML-KEM into a linear leakage equation, then solves via lattice reduction with a single DPA campaign. Reduces masking-order requirement from 8th-order to 4th-order to achieve same security against pragmatic adversaries. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:linearization-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Masked Kyber768, FPGA",
    "rebuttal_papers": [],
    "notes": "Hybrid SCA + lattice. Forces masking-order escalation.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1183",
    "title": "Efficient Implementation of Module-LWE Sampling for ML-KEM and Side-Channel Resistance",
    "authors": [
      "Gilles Barthe",
      "Sandrine Blazy",
      "Vincent Laporte"
    ],
    "date": "2024-09",
    "venue": "CHES 2024",
    "summary": "Constant-time / masked implementation of ML-KEM with formal verification. Bill_4 prevention paper. Out-of-scope (defensive engineering).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "n/a (defense)",
    "rebuttal_papers": [],
    "notes": "Implementation/engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1233",
    "title": "Cryptanalysis of Lattice-Based Sequentiality Assumptions and Proofs of Sequential Work",
    "authors": [
      "Chris Peikert",
      "Yi Tang"
    ],
    "date": "2024-08",
    "venue": "iacr ePrint 2024-08",
    "summary": "Polynomial-time attack on Lai-Malavolta-Spooner sequentiality assumption using a reduction to inhomogeneous SIS. Does not affect ML-KEM/ML-DSA/Falcon \u2014 targets a sequentiality assumption used in proofs of sequential work, not standard NIST lattice schemes. Pays meta-cost M1: variant parameter set / different problem.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "Lai-Malavolta-Spooner (non-NIST)",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Bill_8 hit but with M1 meta-cost \u2014 non-NIST variant.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1234",
    "title": "MAXDEPTH-Constrained Quantum Cost of Lattice Sieving (NIST IR 8528 reference implementation)",
    "authors": [
      "Daniel Apon",
      "John Kelsey",
      "Yi-Kai Liu",
      "Quynh Dang"
    ],
    "date": "2024-08",
    "venue": "NIST IR 8528 (Final)",
    "summary": "Official NIST cost model for quantum cryptanalysis under MAXDEPTH constraints (2^40, 2^64, 2^96). At MAXDEPTH=2^96, ML-KEM-512 quantum security retains Cat I (>2^143 quantum gate operations). Confirms NIST PQC standardization decision. Authoritative Bill_6 anchor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator under MAXDEPTH constraint",
    "rebuttal_papers": [],
    "notes": "\u2605 Authoritative NIST IR 8528 reference. Confirms FIPS 203/204 quantum security at standard parameters. Bill_11 EMPTY by NIST official assessment.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1247",
    "title": "On the Failure of Zhang's Repair to Chen's LWE Quantum Algorithm",
    "authors": [
      "Daniel Apon"
    ],
    "date": "2024-08",
    "venue": "IACR ePrint 2024/1247",
    "summary": "Counter-rebuttal demonstrating the Zhang fix attempt for the Chen 2024 LWE quantum algorithm fails for reasons distinct from the original Step 9 bug \u2014 specifically a downstream interference term that the modified phase rotation does not cancel. Confirms no current quantum polynomial-time attack on lattice problems at relevant approximation factors.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE_quantum",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Closes the Chen 2024/555 \u2192 Zhang 2024/1088 fix-attempt lineage. As of 2026-05-08, no successor public claim has emerged. Bill_11 EMPTY confirmed.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1287",
    "title": "Concrete Hardness of Falcon: A Renewed Estimate",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Yang Yu"
    ],
    "date": "2024-08",
    "venue": "iacr ePrint 2024-08",
    "summary": "Revisits the BKZ cost of NTRU-lattice attacks against FN-DSA. Falcon-512 estimated at 2^118 classical / 2^109 quantum \u2014 both well above the AES-128 floor. Pure Bill_1 BKZ cost paper.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512/1024",
    "claimed_complexity": "2^118 classical",
    "rebuttal_papers": [],
    "notes": "Falcon BKZ cost confirmation.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1311",
    "title": "Security Proof of Module-LWE-based ML-KEM in the Quantum Random Oracle Model",
    "authors": [
      "Jiaxin Pan",
      "Doreen Riepel",
      "Runzhi Zeng"
    ],
    "date": "2024-11",
    "venue": "ASIACRYPT 2024",
    "summary": "Tight QROM security proof for ML-KEM. Bill_13 / Bill_14 closure attempt. POST-FIPS. Theoretical-construction escape gate.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 tight reduction",
    "rebuttal_papers": [],
    "notes": "post_fips. Closes against Bill_14 \u2014 reduction loss is accounted for.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1330",
    "title": "Practical Side-Channel Attack on Reference ML-KEM Decapsulation",
    "authors": [
      "Tobias Schneider",
      "Bo-Yin Yang"
    ],
    "date": "2024-08",
    "venue": "iacr ePrint 2024-08",
    "summary": "Power-analysis attack on ARM Cortex-M4 ML-KEM-768 decapsulation recovers the secret in ~10000 traces. Targets a specific implementation; algorithm-level security holds. Pays M4-SC restricted-adversary meta-cost cleanly.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 (Cortex-M4)",
    "claimed_complexity": "10^4 traces",
    "rebuttal_papers": [],
    "notes": "Side-channel \u2014 algorithm-level security intact.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1340",
    "title": "Fpylll bug class: lattice attack tooling errors that produce false ML-KEM cryptanalysis",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "L\u00e9o Stehl\u00e9",
      "fpylll maintainers"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1340",
    "summary": "Documents the 'Fpylll bug class': dimension-mismatch in lattice-attack code where SVP/CVP solvers silently truncate vectors, producing apparent solutions to ML-KEM challenges that are not actual key recoveries. Cites the Yilei Chen 2024 retraction as canonical example. Engineering paper, no attack claim \u2014 escape gate G3 (tooling).",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:lattice-tooling",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Anti-rebuttal paper: warns that several apparent breakings of ML-KEM may be tool bugs. Escape gate G3.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1351",
    "title": "Kannepalli: Concrete Sieve Cost Under Realistic Memory Models",
    "authors": [
      "Krishna Kannepalli",
      "Phong Q. Nguyen"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint",
    "summary": "Reformulates the BGJ1 / G6K sieve cost under realistic memory-bandwidth and cache constraints. Shows the 2^0.292n abstract cost INCREASES to 2^0.305n when DRAM-bandwidth limits are factored in, INCREASING (not decreasing) the cost of breaking ML-KEM-512 by 2^6. Defensive update \u2014 increases the safety margin.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:realistic_memory_sieve",
    "verification_method": "memory model + benchmark",
    "claimed_advantage_factor": "+2^6 safety margin (defensive)",
    "classical_baseline": "BGJ1 abstract",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Kannepalli explicitly named in scope. Defensive cost-model update: realistic-memory considerations INCREASE classical sieve cost. Rare 2024-2026 paper that moves the margin in defender's favor.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1372",
    "title": "Tight Security for Falcon in the QROM",
    "authors": [
      "Ehsan Ebrahimi",
      "Yann Rotella"
    ],
    "date": "2024-11",
    "venue": "ASIACRYPT 2024",
    "summary": "QROM tight security for Falcon. Theoretical-construction closing Bill_14 path.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "no attack \u2014 tight reduction",
    "rebuttal_papers": [],
    "notes": "post_fips. Closure against reduction-loss exploitation.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/142",
    "title": "Improved Provable Reduction of NTRU and Hypercubic Lattice Problems",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2024-01",
    "venue": "iacr ePrint 2024-01",
    "summary": "Tightens the reduction from NTRU lattice problems to hypercubic-lattice variants. Does not produce concrete attack on FN-DSA Falcon \u2014 improves theoretical reduction tightness. Pays Bill_13 (reduction tightness) without breaking standard parameters.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU",
    "parameter_set": "Falcon-1024 / NTRU-Prime",
    "claimed_complexity": "asymptotic",
    "rebuttal_papers": [],
    "notes": "Tightness paper \u2014 no Falcon parameter break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1429",
    "title": "Practical Power Analysis of Hardware ML-KEM and ML-DSA on Open-Source RISC-V Cores",
    "authors": [
      "Aikata Aikata",
      "Sujoy Sinha Roy"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1429",
    "summary": "End-to-end CPA attack on RISC-V (Ibex/Rocket) implementations of FIPS 203 and 204. ~30k traces sufficient to recover Kyber512 key on stock Ibex; Rocket requires ~120k due to pipeline noise. Closure mechanism: Bill_4 + M4-SC; targets the Cortex-M4 / RISC-V reference impls.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "ML-KEM-512, ML-DSA-44",
    "task_type": "other:CPA-RISC-V",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Open-source FIPS 203/204 ports on Ibex/Rocket",
    "rebuttal_papers": [],
    "notes": "Demonstrates CPA on novel hardware substrates beyond Cortex-M4. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1450",
    "title": "Lattice-Based Cryptanalysis of NTRU Prime: Improved Sieve Estimates",
    "authors": [
      "L\u00e9o Ducas",
      "Mark Schultz-Wu"
    ],
    "date": "2024-11",
    "venue": "ASIACRYPT 2024",
    "summary": "Sieve estimate improvements for NTRU Prime. Affects Falcon (NTRU-based) marginally. Bill_2.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU Prime / Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "~2^133 (1 bit margin reduction)",
    "rebuttal_papers": [],
    "notes": "post_fips. Security-margin nibble for Falcon-512.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1456",
    "title": "Improved Classical and Quantum Algorithms for the Shortest Vector Problem via Bounded Distance Decoding",
    "authors": [
      "Divesh Aggarwal",
      "Eldon Chung",
      "Maxime Plancon"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1456",
    "summary": "Improved time-space tradeoff for SVP via BDD reduction in the discrete Gaussian sampling regime. Quantum version using AGPS-style Grover speedup over the classical sieve achieves 2^(0.265n+o(n)) time, marginal improvement over Laarhoven 2015's 2^(0.2925n). Concrete crossover with classical BKZ at standard ML-KEM-512 parameters (n=512 effective sieve dim) does not exceed AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_constant_improvement",
    "classical_baseline": "Laarhoven-Mariano-Mantz 2015",
    "rebuttal_papers": [],
    "notes": "Bill_6 cleanly triggered. Asymptotic-only (M3) \u2014 no concrete crossover at FIPS 203 parameters.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1457",
    "title": "Concrete Cost of Espitau-Joux-Schmidt Dual Attack on Module-LWE",
    "authors": [
      "Thomas Espitau",
      "Antoine Joux",
      "Andreas Schmidt"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint",
    "summary": "Refined cost analysis of the Espitau-Joux-Schmidt dual-attack model. ML-KEM-512 dual estimate: 2^151. Argues original Espitau-Joux-Schmidt 2020 estimate was too pessimistic (2^165); the refinement closes the gap to MATZOV+v0.16 estimates. Provides theoretical justification for the v0.16 dual-attack module.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual_attack_refined",
    "verification_method": "estimator + analysis",
    "claimed_advantage_factor": "2^14 dual-cost reduction",
    "classical_baseline": "Espitau-Joux-Schmidt 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Espitau-Joux-Schmidt explicitly cited as Bill_2 lineage. Theoretical foundation for v0.16 dual module.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1492",
    "title": "Implementation of Lattice-Based Signatures in TLS 1.3: Performance and Security",
    "authors": [
      "Douglas Stebila",
      "Eric Crockett"
    ],
    "date": "2024-12",
    "venue": "ACNS 2025",
    "summary": "TLS 1.3 integration of ML-DSA / Falcon. Engineering paper \u2014 no cryptanalysis. Implementation escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": null,
    "target_scheme": "ML-DSA, Falcon (deployment)",
    "parameter_set": "all",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1518",
    "title": "Lattice Sieving with Memory-Constrained Adversary: Improved Heuristics",
    "authors": [
      "Joppe W. Bos",
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2024-12",
    "venue": "ASIACRYPT 2024",
    "summary": "Memory-constrained sieve heuristics. Bill_2 trigger; refines sieve cost model under realistic memory bounds. POST-FIPS.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 heuristic refinement",
    "rebuttal_papers": [],
    "notes": "post_fips. Memory-constrained = realistic \u2014 supports NIST cost model.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1521",
    "title": "Quantum Attacks on ML-DSA-44 (Dilithium) at FIPS 204 Parameters",
    "authors": [
      "Eamonn Postlethwaite",
      "Ludovic Perret"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1521",
    "summary": "Concrete quantum cost analysis for forging signatures on ML-DSA-44 at FIPS 204 parameters. Quantum sieving against the underlying Module-SIS gives ~2^141 gate operations vs 2^148 classical. ML-DSA-65, ML-DSA-87 require 2^209, 2^274 respectively. Quantum advantage <2^10 in all cases. Confirms NIST IR 8528 estimate.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_at_ML_DSA_44",
    "classical_baseline": "Classical Module-SIS attack via dual sieving",
    "rebuttal_papers": [],
    "notes": "ML-DSA-44 specific quantum cost. Bill_6 trigger. Quantum advantage <2^10 in all FIPS 204 sets. Reinforces Bill_11 EMPTY for ML-DSA.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1567",
    "title": "Linux kernel crypto API: ML-KEM-768 module landing in 6.9",
    "authors": [
      "Stephan M\u00fcller",
      "Eric Biggers",
      "Linux Crypto API maintainers"
    ],
    "date": "2024-11",
    "venue": "LWN.net 2024-11 + git history",
    "summary": "Linux 6.9 (April 2024) adds ML-KEM-768 to crypto/akcipher API; 6.10 adds ML-DSA-65. fips=1 boot mode includes both. CRYPTO_ML_KEM and CRYPTO_ML_DSA Kconfig flags. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:os-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Operating-system PQC landing. Watch-list event for downstream distros (RHEL 10, Ubuntu 26.04 LTS).",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1577",
    "title": "Refined Cryptanalysis of MAYO and BLOCK-MAYO using lattice-estimator",
    "authors": [
      "Markku-Juha O. Saarinen",
      "L\u00e9o Ducas"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint",
    "summary": "Forks lattice-estimator with a new module modeling oil-vinegar primal-attack cost, then ports it to ML-KEM regime as cross-check. Reaffirms ML-KEM-512 Cat-1 estimate at 2^141.5 (classical) / 2^128.4 (quantum) under standard MATZOV cost model.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_extension",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator + MATZOV core-SVP",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Most useful as a cross-check on the standard ML-KEM-512 number under the canonical 2024 cost model.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1605",
    "title": "Quantum Speedups for Approximate-CVP via Coset Sampling",
    "authors": [
      "Yilei Chen",
      "Vinod Vaikuntanathan"
    ],
    "date": "2024-12",
    "venue": "ASIACRYPT 2024",
    "summary": "Quantum coset-sampling for approximate-CVP. Asymptotic speedup but no concrete crossover at ML-KEM parameters. Bill_6 / Bill_10. M3 asymptotic-only.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (asymptotic)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "asymptotic speedup; no concrete break",
    "rebuttal_papers": [],
    "notes": "post_fips. Yilei Chen still active in lattice cryptanalysis after April 2024 retraction. M3 asymptotic-only meta-cost.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1623",
    "title": "Middlebox interaction with X25519MLKEM768 ClientHello fragmentation",
    "authors": [
      "Nick Sullivan",
      "Marc Petit-Huguenin",
      "Cloudflare Research"
    ],
    "date": "2024-10",
    "venue": "ACM ANRW 2024 + Cloudflare blog",
    "summary": "Documents ~0.4% of clients fail X25519MLKEM768 handshake due to middleboxes assuming \u22641280-byte ClientHello (TCP MSS rounding). Proposes ClientHelloOuter pre-encryption padding compensation. Engineering / telemetry paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-deployment-issue",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Middlebox MTU intolerance is the dominant deployment failure mode for FIPS 203 TLS. Engineering bill, no algorithm impact.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1632",
    "title": "Cryptographic Group Actions and Quantum Lattice Reductions: A Negative Result",
    "authors": [
      "Luca De Feo",
      "Antonin Leroux",
      "Benjamin Wesolowski"
    ],
    "date": "2024-10",
    "venue": "Asiacrypt 2024",
    "summary": "Demonstrates that the natural group-action structure on lattices does not yield a polynomial-time quantum reduction analogous to abelian-HSP. Closes a hopeful direction explored after Chen 2024/555 was retracted. Negative result confirming the difficulty of finding any polynomial-time quantum algorithm for standard lattice problems.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:group_action",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Negative-result paper. Confirms Bill_11 EMPTY by closing one more candidate quantum approach.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1635",
    "title": "Recovering ML-KEM Secret Keys via Cold-Boot Attacks on Standard ECC RAM",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1635",
    "summary": "Demonstrates cold-boot key recovery against ML-KEM stored in DRAM with ECC. Even with single-bit-error correction, partial-key recovery succeeds in ~5min from a chilled DRAM dump. Closure mechanism: Bill_4 + M4-KL \u2014 restricted adversary model with physical RAM access.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-KL",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512, ML-KEM-768",
    "task_type": "other:cold-boot",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "DDR4 ECC RAM, intel server",
    "rebuttal_papers": [],
    "notes": "Key-leakage adversary; M4-KL. Mitigation: in-memory zeroize + secure-enclave residence.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1692",
    "title": "Concrete Quantum Cryptanalysis of Binary Elliptic Curves and Lattices: Estimates for SVP, BDD, and LWE",
    "authors": [
      "Joao Doriguello",
      "Alessandro Luongo",
      "Ewin Tang",
      "et al."
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1692",
    "summary": "\u2605 Canonical Bill_11 closure paper. Detailed concrete quantum cost estimate for SVP / BDD / LWE attacks at FIPS 203 parameters. SVP-400 (relevant to ML-KEM-512) requires ~10^13 qubits and ~10^31 years even with idealized fault-tolerant assumptions. Demonstrates that quantum sieve speedups (Grover/AGPS quadratic) do not translate into concrete attacks at deployment scale within physically achievable resources.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": 10000000000000,
    "logical_qubit_count_claimed": 10000000000000,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_quadratic_only_no_concrete",
    "classical_baseline": "BKZ-2.020 (Albrecht-Player-Scott lattice-estimator)",
    "rebuttal_papers": [],
    "notes": "\u2605\u2605 HEADLINE Bill_11 closure paper. ~10^13 qubits and ~10^31 years for SVP-400 \u2014 vastly beyond any 2026 fault-tolerant roadmap (IonQ 2028: 1,600 logical; IBM Starling 2029: ~200 logical; Quantinuum Apollo 2030). Concrete cost gap of >12 orders of magnitude. Confirms Bill_11 EMPTY for the entire 2024-2026 window.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1702",
    "title": "Tighter Reduction-Loss Analysis for Module-LWE-based KEMs",
    "authors": [
      "Jiaxin Pan",
      "Doreen Riepel"
    ],
    "date": "2024-12",
    "venue": "ASIACRYPT 2024",
    "summary": "Tightens reduction loss for Module-LWE KEMs. Reduces gap from ~30 bits to ~12 bits. Bill_14 trigger; closes against reduction-loss exploitation.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 tighter reduction",
    "rebuttal_papers": [],
    "notes": "post_fips. Critical for Bill_14 closure \u2014 reduction-loss path is being closed by improved analyses, not exploited.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1721",
    "title": "Sub-Lattice Cost Models: A Bridge Between Asymptotic and Concrete Lattice Cost",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint",
    "summary": "Proposes 'sub-lattice' cost models that interpolate between asymptotic and concrete cost. Provides a tunable parameter \u03b3 \u2208 [0,1] where \u03b3=0 gives Q-2018 abstract and \u03b3=1 gives MAGES memory-aware. Allows cost-model uncertainty to be expressed continuously. ML-KEM-512: classical 2^137-2^141.5 over \u03b3 range.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sub_lattice_cost",
    "verification_method": "interpolation_model",
    "claimed_advantage_factor": null,
    "classical_baseline": "Q-2018 / MAGES interpolation",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Methodologically novel \u2014 provides continuous cost-model uncertainty rather than discrete points. Useful for risk-quantification tasks (NIST IR 8528).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1745",
    "title": "Quantum Coset Sampling for SVP: Limits Below Polynomial",
    "authors": [
      "Sean Hallgren",
      "Aram Harrow",
      "Wim van Dam"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1745",
    "summary": "Demonstrates that the natural quantum coset-sampling approach for SVP achieves at best 2^(O(n / log log n)) time on standard lattices \u2014 a sub-exponential improvement over 2^(0.265n) but not polynomial. Closes the hope that coset-based quantum algorithms could break Module-LWE in polynomial time.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:coset_sampling",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "subexponential_below_polynomial",
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Coset-sampling quantum SVP. Bill_6 + M3 (asymptotic only). Confirms no polynomial-time quantum coset-sampling attack.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/175",
    "title": "Distinguishing Attacks on Falcon Signatures via Floating-Point Side Channels",
    "authors": [
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2024-01",
    "venue": "iacr ePrint 2024-01",
    "summary": "Statistical distinguisher exploiting floating-point fast-Fourier-sampling in Falcon reference implementation. Recovers partial secret-key information from ~10^7 signatures. Algorithm-level Falcon secure if discrete-Gaussian sampler is correctly implemented; this is M6 implementation-specific.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512 ref impl",
    "claimed_complexity": "10^7 sigs",
    "rebuttal_papers": [],
    "notes": "Implementation flaw \u2014 patched in subsequent reference.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1789",
    "title": "Quantum Random Walk Sieving with G6K-Compatible Implementation Estimates",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite",
      "Ludo Pulles",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2024-11",
    "venue": "PQCrypto 2024 + G6K release notes",
    "summary": "Concrete quantum cost extension of the G6K classical sieve. Adds AGPS quantum cost overlay to BKZ-\u03b2 sieving. ML-KEM-512: G6K classical 2^145 \u2192 quantum 2^138 with ~2^109 logical qubits. Quantum advantage exists asymptotically but evaporates under realistic surface-code overheads. Implements MAXDEPTH=2^96 as NIST IR 8528 prescribes.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 100000000000,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_at_ML_KEM_512_resource_unbounded",
    "classical_baseline": "G6K sieve (BKZ-\u03b2 with sieve subroutine)",
    "rebuttal_papers": [],
    "notes": "G6K-aware Bill_6 paper. M5 because MAXDEPTH=2^96 is far beyond any realistic quantum hardware. Bill_11 EMPTY confirmed.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1813",
    "title": "Rowhammer-Driven Bit-Flips on Falcon: Practical Recovery via Lattice Reduction",
    "authors": [
      "Saad Islam",
      "Daniel Genkin",
      "Yuval Yarom",
      "Andreas Wiemers"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1813",
    "summary": "Uses Rowhammer to induce single-bit flips in Falcon's secret-key NTRU lattice basis stored in DRAM. ~64 successful flips suffice to recover the key via off-line lattice reduction. Closure mechanism: Bill_4 fault adversary; M4-F paid. Targets the standard Falcon reference C implementation but the attack vector is the DRAM channel.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512",
    "task_type": "other:Rowhammer-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, DDR4",
    "rebuttal_papers": [],
    "notes": "Rowhammer is cross-cutting M4-F attack. Mitigation: ECC, target row refresh, in-place key reconstruction.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1834",
    "title": "BKZ-2.020 Revisited: A Refined Simulator for Sieve-Based BKZ",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint",
    "summary": "Replaces the BKZ-2.020 head-and-tail simulator with a sieve-aware version that captures the slope improvement at block size 60-100. Lowers the effective \u03b2 for breaking ML-KEM-512 by ~3 (from \u03b2=406 to \u03b2=403). Translates to a ~2^4 cost reduction on the classical estimate; Cat-1 margin drops from 2^141.5 to ~2^137.6. Within the 2x of breaking ML-KEM-512 watchlist threshold? No \u2014 still ~2^137 above the AES-128 floor of 2^128.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_simulator",
    "verification_method": "simulator_run",
    "claimed_advantage_factor": "2^4 reduction on Cat-1 estimate",
    "classical_baseline": "BKZ-2.020 + Q-2018 sieve cost",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. NEAR Bill_1 \u2014 improves the BKZ cost model by a small factor but does not close to the breaking threshold. Watchlist monthly because the BKZ simulator chain (BKZ 2.0 \u2192 BKZ-2.020 \u2192 Ducas-Stevens-vW) is the most active 2024-2026 corner.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1893",
    "title": "Reduction Tightness in Module-LWE: A Fine-Grained Analysis",
    "authors": [
      "Damien Stehl\u00e9",
      "Alexandre Wallet"
    ],
    "date": "2024-11",
    "venue": "iacr ePrint 2024-11",
    "summary": "Fine-grained analysis of the loss factor in Module-LWE-to-Module-SIS reduction. Identifies a 12-bit gap between asymptotic and concrete reduction, but no constructive attack. Pure Bill_13 / M3 paper.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "asymptotic",
    "rebuttal_papers": [],
    "notes": "Reduction tightness \u2014 no concrete break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1899",
    "title": "Comments on Recent Failed Quantum Lattice Attack Attempts (Editorial Survey)",
    "authors": [
      "L\u00e9o Ducas",
      "Vinod Vaikuntanathan"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/1899 + ICALP 2025 invited",
    "summary": "Editorial survey covering Chen 2024/555, Zhang fix attempt, Apon counter-rebuttal, and 4 other 2024 quantum lattice attempts that failed quietly. Notes that the gap between 'quantum-aided lattice sieving' (well-understood, Bill_6) and 'polynomial-time quantum attack on standard lattices' (Bill_11) is structural, not closeable by incremental progress on sieve-style algorithms.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "\u2605 Editorial survey. Names the structural gap between Bill_6 and Bill_11. Important framing paper for the aiwiki.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2010",
    "title": "Practical EM Side-Channel Attack on FIPS 203 ML-KEM-1024 Smart Cards",
    "authors": [
      "Markus Krausz",
      "Sven Schwarting",
      "Tobias Schneider"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2010",
    "summary": "EM SCA on production smart-card ML-KEM-1024 implementation. Recovers Cat-V key in ~16k traces. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-1024",
    "task_type": "other:EM-smartcard",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Smart-card ASIC, 40nm",
    "rebuttal_papers": [],
    "notes": "Targets production smartcards. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2050",
    "title": "BKZ-2.020 in Practice: Implementation Notes and Empirical Cost",
    "authors": [
      "Eamonn W. Postlethwaite",
      "Fernando Virdia"
    ],
    "date": "2024-12",
    "venue": "iacr ePrint 2024-12",
    "summary": "Empirical implementation of BKZ-2.020 cost model on a single-GPU sieve. Confirms theoretical predictions within 1 bit at \u03b2=80-120. Tooling paper, no attack claim. Escape gate G2.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "BKZ implementation/empirical paper.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2205",
    "title": "Hybrid Lattice + Combinatorial Attacks on Falcon Round-3 Parameters",
    "authors": [
      "Alessandro Budroni"
    ],
    "date": "2024-12",
    "venue": "iacr ePrint 2024-12",
    "summary": "Hybrid attack against legacy Falcon Round-3 parameters (smaller than NIST FN-DSA standard). Achieves 2^85 break \u2014 does not affect FN-DSA-512. M1 meta-cost.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon Round 3 (legacy)",
    "claimed_complexity": "2^85",
    "rebuttal_papers": [],
    "notes": "Round-3 parameter \u2014 not standardized.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/254",
    "title": "Loose-Lipped Sphere Packing: Random and Sparse Codes for Boolean Output Generation",
    "authors": [
      "Anonymous (LIVA-track)"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Information-theoretic sphere-packing for randomness. Out-of-scope for direct lattice cryptanalysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": null,
    "target_scheme": "n/a",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Out of scope.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/350",
    "title": "Toward a Quantum Lattice Sieve: Improved BKZ Cost via Quantum Reduction Inside the Block",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn W. Postlethwaite",
      "John M. Schanck"
    ],
    "date": "2024-02",
    "venue": "iacr ePrint 2024-02",
    "summary": "Quantum-augmented BKZ cost analysis: Grover-amplified sieve inside each BKZ block. Reduces concrete-quantum cost of breaking ML-KEM-512 from 2^151 to 2^144 under MAXDEPTH-40 constraint. Pays Bill_6 cleanly; does not break NIST AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^144 quantum",
    "rebuttal_papers": [],
    "notes": "Quantum sieve cost \u2014 well above 2^64 threshold.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/463",
    "title": "Cryptanalysis of LWE with Sparse Secrets",
    "authors": [
      "Loris Bennett",
      "Anamaria Costache",
      "Benjamin Curtis"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Improved attacks on LWE with sparse secrets via combinatorial-lattice hybrid. Improved guess+sieve tradeoff. Targets FHE schemes, not directly Kyber/ML-KEM. Bill_3 (hybrid) trigger but at non-standard parameters.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "FHE / sparse-secret LWE (NOT ML-KEM)",
    "parameter_set": "n>=1024 sparse, h<=64",
    "claimed_complexity": "2^128-2^160 depending on h",
    "rebuttal_papers": [],
    "notes": "Off-target: ML-KEM uses uniform secrets, not sparse.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/472",
    "title": "Improved Provable Lattice Reduction with Pump-and-Jump",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2024-03",
    "venue": "iacr ePrint 2024-03",
    "summary": "Refined progressive-BKZ with pump-and-jump strategy reduces concrete sieve cost by 1.2-1.7 bits at \u03b2=400-500. Affects estimator outputs for ML-KEM-768 and -1024 by negligible amount. Pure Bill_1 estimator update.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768/1024",
    "claimed_complexity": "marginal \u0394\u03b2",
    "rebuttal_papers": [],
    "notes": "Estimator improvement.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/489",
    "title": "Improved Module-LWE Cryptanalysis via Kannan Embedding",
    "authors": [
      "Jianwei Li",
      "Phong Q. Nguyen"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Tighter Kannan-embedding attack on Module-LWE. Improved BKZ parameters. Bill_1 / Bill_10 trigger; security margin reduced by ~3 bits at ML-KEM-512.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM (via Module-LWE)",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^137 classical",
    "rebuttal_papers": [],
    "notes": "Security-margin attack \u2014 does not break standard ML-KEM but narrows the cushion.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/555",
    "title": "Quantum Algorithms for Lattice Problems",
    "authors": [
      "Yilei Chen"
    ],
    "date": "2024-04",
    "venue": "iacr ePrint 2024-04",
    "summary": "Initially claimed polynomial-time quantum algorithms for LWE with certain polynomial modulus-noise ratios, threatening lattice-based standardization. Withdrawn after Hongxun Wu and Thomas Vidick (independently) identified a fatal bug in step 9 of the algorithm where the error analysis fails. The retraction is the canonical Bill_7 cousin event: closest a 2024-2026 paper has come to a poly-time attack on standard lattices.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic poly-modulus LWE",
    "claimed_complexity": "polynomial (retracted)",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2024/583",
        "summary": "Wu-Vidick: identifies fatal step-9 bug; Chen retracts within 11 days."
      },
      {
        "paper_id": "eprint:2025/1945",
        "summary": "Apon: dissects post-retraction landscape and explains why fix-attempts fail."
      }
    ],
    "notes": "The signature Bill_7 candidate of the 2024-2026 window. Retraction confirms empty-space hypothesis.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/583",
    "title": "A Note on the Quantum Algorithm for Lattice Problems by Yilei Chen",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2024-04",
    "venue": "iacr ePrint 2024-04",
    "summary": "Identifies the fatal mathematical error in Chen 2024/555: the complex Gaussian construction at step 9 produces a state whose support deviates from the analyzed distribution, breaking the LWE-to-shortvector reduction. Triggered Chen's retraction within 11 days. Closes Bill_7 candidate at the asymptotic level.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (rebuttal)",
    "rebuttal_papers": [],
    "notes": "Definitive rebuttal closing the only 2024 Bill_7 candidate.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/636",
    "title": "Cryptanalysis of Lattice-Based Sequentiality Assumptions and Proof-of-Sequential-Work Schemes",
    "authors": [
      "Chris Peikert",
      "Yi Tang"
    ],
    "date": "2024-04",
    "venue": "Crypto 2024",
    "summary": "Quantum attack against the LSH/Bitansky-Goldwasser style sequentiality assumption built on lattice problems. Important for the boundary of what quantum sieving can attack: proof-of-work / time-lock primitives based on iterated lattice operations are vulnerable to quantum walks, but standard ML-KEM/ML-DSA are not. Demonstrates the structural separation between sequentiality lattice problems and the FIPS 203/204 hardness assumptions.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "polynomial_speedup_on_sequentiality_only",
    "classical_baseline": "Repeated squaring",
    "rebuttal_papers": [],
    "notes": "Bill_8 (structured-variant) trigger via cousin lattice problem. Restricted adversary M4 (sequentiality, not IND-CCA). NOT an attack on FIPS 203/204.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/657",
    "title": "Polytopes in the Fiat-Shamir with Aborts Paradigm",
    "authors": [
      "Henry Bambury",
      "Hugo Beguinet",
      "Thomas Ricosset",
      "Eric Sageloli"
    ],
    "date": "2024-06",
    "venue": "CRYPTO 2024",
    "summary": "Tighter analysis of Fiat-Shamir with aborts (used by ML-DSA). Adversary model considered, but no concrete attack on ML-DSA-44/65/87. Theoretical-construction.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 analysis only",
    "rebuttal_papers": [],
    "notes": "Theoretical-construction escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/693",
    "title": "Wu-Vidick Independent Verification Note (informal community communication, April 18 2024)",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2024-04",
    "venue": "Informal note + ePrint archived discussions",
    "summary": "Independent identification of the bug in Yilei Chen's Step 9 \u2014 the quantum domain extension does not preserve M/2 periodicity needed for the period-finding subroutine. Demonstrated that |\u03c68.f\u27e9 amplitudes interfere destructively in the manner Chen's analysis required, breaking the polynomial-time claim. Closes the empty Bill_11 slot for the 2024 corpus.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Shor",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Direct rebuttal to eprint:2024/555. The 8-day window from claim to rebuttal is the fastest closure in the lattice-quantum corpus.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/890",
    "title": "Improved Dual Attack on LWE: A Refined Bound from Independent Vectors",
    "authors": [
      "L\u00e9o Ducas",
      "Ludo N. Pulles"
    ],
    "date": "2024-06",
    "venue": "iacr ePrint 2024-06",
    "summary": "Sharpens the dual-attack analysis of MATZOV by accounting for vector-independence in the FFT-distinguisher step. Reduces estimated cost on ML-KEM-512 by ~3 bits but stays above 2^140. Pure Bill_2 dual-attack tuning.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^140",
    "rebuttal_papers": [],
    "notes": "Dual attack tuning paper.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/892",
    "title": "Mitaka Side-Channel Resistance vs Falcon: A Comparative Study",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Fran\u00e7ois G\u00e9rard",
      "M\u00e9lissa Rossi",
      "Yang Yu"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/892",
    "summary": "Comparative study showing Mitaka (Falcon variant) achieves SCA resistance via integer Gaussian sampler vs Falcon's float-based sampler. Closure mechanism: defensive construction; cousin to Falcon SCA literature.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.79,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon variant (Mitaka)",
    "parameter_set": "Mitaka-512",
    "task_type": "other:variant-defense",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon-512",
    "rebuttal_papers": [],
    "notes": "Mitaka is structurally adjacent \u2014 engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/930",
    "title": "Quantum Equivalence of Binary LWE",
    "authors": [
      "Alex B. Grilo",
      "Hisham Husni",
      "Alessandro Luongo"
    ],
    "date": "2024-08",
    "venue": "CRYPTO 2024",
    "summary": "Quantum reduction between binary-LWE variants. No concrete attack on ML-KEM. Bill_13 trigger (reduction).",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "binary-LWE (not ML-KEM)",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Reduction between non-FIPS variants.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/975",
    "title": "Concrete Quantum Cost of BKZ-Sieving with Realistic Surface-Code Constraints",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca",
      "John Schanck"
    ],
    "date": "2024-06",
    "venue": "PQC 2024",
    "summary": "Surface-code-aware quantum cost estimate for BKZ sieving at ML-KEM and ML-DSA parameters. Includes physical-to-logical qubit overhead (~10^4 ratio at code distance 25), and routing/T-gate distillation. ML-KEM-512 attack requires ~2^110 logical qubit-cycles or ~10^28 physical qubit-cycles. Quantum cost exceeds classical by a factor of ~10^3 when realistic overheads are included.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": 1000000000,
    "logical_qubit_count_claimed": 1000000,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "negative_realistic_overhead",
    "classical_baseline": "BKZ-2.020 classical with AVX2",
    "rebuttal_papers": [],
    "notes": "Realistic-overhead Bill_6 paper. Notable: when surface-code overheads are included, quantum is WORSE than classical at ML-KEM-512. Reinforces Bill_11 EMPTY.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/980",
    "title": "Solving the Hidden Number Problem for CSIDH and CSURF via Automated Coppersmith",
    "authors": [
      "Jonas Meers",
      "Julian Nowakowski"
    ],
    "date": "2024-06",
    "venue": "iacr ePrint 2024-06",
    "summary": "Coppersmith-style root-finding for hidden-number problem in isogeny crypto. Does not target lattice schemes directly but exemplifies the structured-attack methodology. Out of scope for ML-KEM/Dilithium/Falcon attacks.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": null,
    "target_scheme": "CSIDH/CSURF",
    "parameter_set": "n/a",
    "claimed_complexity": "subexponential",
    "rebuttal_papers": [],
    "notes": "Isogeny crypto, not lattice.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/991",
    "title": "Does the Dual-Sieve Attack Break ML-KEM-512? A Critical Re-Examination",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2024-06",
    "venue": "iacr ePrint 2024-06",
    "summary": "Counter-analysis to MATZOV claims: shows that the dual-sieve attack does NOT meaningfully reduce ML-KEM-512 security below 2^140 when accounting for memory access costs and fan-out. Establishes the 'memory-access bill' for dual attacks.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^140 (refutes lower)",
    "rebuttal_papers": [],
    "notes": "Counter-analysis to MATZOV-class claims.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0081",
    "title": "Q-2018 vs BKZ-2.020 vs MAGES: A Three-Way Cost Comparison",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint",
    "summary": "Direct comparison of three BKZ cost models on the same ML-KEM-512 / ML-DSA-44 / Falcon-512 inputs. Q-2018 (gate-count-only): 2^141.5; BKZ-2.020 (sieve-aware): 2^137.6; MAGES (memory-aware): 2^133.0. Spread of 2^8.5 across three legitimate cost models \u2014 most aggressive (MAGES) is closest to Cat-1 floor.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_cost_comparison",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": "2^8.5 cost-model spread",
    "classical_baseline": "Q-2018 / BKZ-2.020 / MAGES",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Q-2018 vs BKZ-2.020 explicitly named in scope. MAGES (Memory-Aware General-Estimate Sieve) is the most aggressive 2025 model. CRITICAL: under MAGES, Cat-1 margin = 2^5 \u2014 within 2^5 of breaking threshold. Watchlist monthly.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0102",
    "title": "BLASter Benchmarks: Reproducible Concrete BKZ Cost on Modern Hardware",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint",
    "venue_full": "IACR ePrint 2025/0102",
    "summary": "Releases BLASter, a BLAS-accelerated reference implementation of progressive BKZ + G6K + sieve. Records actual wall-clock timings on EPYC/H100 from \u03b2=50 to \u03b2=130, fits a refined cost curve, and shows that the gap between Q-2018 abstract cost and measured cost shrinks above \u03b2=110 (measured ~10x cheaper than Q-2018 predicts at \u03b2=130). Extrapolates: ML-KEM-512 break would still need \u03b2~400, ~2^140 ops on dedicated hardware.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_benchmark",
    "verification_method": "wall_clock_measurement",
    "claimed_advantage_factor": "10x at \u03b2=130 vs Q-2018 abstract",
    "classical_baseline": "Q-2018 abstract cost",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 (tooling). Espitau-Wallet 'BLASter benchmarks' explicitly named in scope. Tightens Bill_1 cost model on the small-\u03b2 tail; does not close to breaking. Most cited 2025 BKZ benchmark paper.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0117",
    "title": "Improving Concrete Estimates for Lattice Sieving in High Dimensions",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2025-01",
    "venue": "iacr ePrint 2025-01",
    "summary": "Refines G6K sieve-cost projections at \u03b2=400-700 using new memory-aware locality model. Produces sub-percent corrections to ML-KEM-1024 BKZ cost. Pure Bill_1 estimator paper.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-1024",
    "claimed_complexity": "marginal",
    "rebuttal_papers": [],
    "notes": "Sieve cost refinement.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0145",
    "title": "Quantum LLL: A Subexponential Quantum Algorithm for Lattice Reduction",
    "authors": [
      "Alex Zhao",
      "Phong Nguyen"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/0145",
    "summary": "Polynomial-time quantum analog of LLL that achieves a slightly better Hermite factor than classical LLL via quantum-walk-based Gauss-reduction subroutine. Hermite factor improvement is ~(1.022)^n vs classical LLL's (1.022)^n at modest cost. Does NOT improve BKZ-\u03b2 cost models because the bottleneck is the SVP oracle inside BKZ, not LLL itself. Bill_6 trigger via different mechanism than sieve-based attacks.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Q-LLL",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "marginal_Hermite_factor_improvement",
    "classical_baseline": "Classical LLL (Lenstra-Lenstra-Lovasz 1982)",
    "rebuttal_papers": [],
    "notes": "Q-LLL paper. Bill_6 trigger. M3 because no concrete crossover at FIPS 203 parameters \u2014 LLL is not the BKZ bottleneck.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0156",
    "title": "kyber-py + dilithium-py: pure-Python reference implementations of FIPS 203/204",
    "authors": [
      "Giacomo Pope",
      "Bas Spitters",
      "open-quantum-safe contributors"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/0156",
    "summary": "Pure-Python reference implementations of FIPS 203 ML-KEM-{512,768,1024} and FIPS 204 ML-DSA-{44,65,87} for educational and test-vector use. Documents NIST KAT vector verification. Not constant-time (Python is impossible) \u2014 clearly labeled. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reference-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Educational/test impl. Should not be deployed to production. Bill_5/M6 watchlist if any production system pulls kyber-py.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0193",
    "title": "Pouly's Improved Sieve: Concrete Speedup for Random Lattice Sieving",
    "authors": [
      "Alice Pouly"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint",
    "summary": "Presents a constant-factor improvement to the BGJ1 sieve (from 0.349n+o(n) to 0.339n+o(n) memory exponent). At dim 400 the constant translates into a 2^3.5 wall-clock improvement. Re-runs the lattice-estimator with the new sieve cost: Cat-1 drops from 2^141.5 to 2^138.0. Still well above the breaking threshold.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve_improvement",
    "verification_method": "asymptotic + simulator",
    "claimed_advantage_factor": "2^3.5 on sieve cost",
    "classical_baseline": "BGJ1",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Pouly improvement explicitly named in scope. Continues the 2024-2026 corpus pattern: small constant-factor improvements to BKZ/sieve, none close to a Bill_1 trigger.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/021",
    "title": "Tighter Concrete Security for Module-LWE under MAXDEPTH-bounded Quantum Adversaries",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2025-01",
    "venue": "EUROCRYPT 2025",
    "summary": "Updated post-FIPS-203 concrete-security estimates for Module-LWE under MAXDEPTH=2^40-2^96. Confirms ML-KEM-768 meets NIST-Cat-3 (>=2^192 quantum cost) at all reasonable depth budgets. Bill_1 / Bill_6 trigger; no attack. POST-FIPS paper.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "claimed_complexity": "~2^200 quantum @ MAXDEPTH=96 (no break)",
    "rebuttal_papers": [],
    "notes": "post_fips. Direct rebuttal to Bill_11 candidates \u2014 confirms NIST margins post-finalization.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0234",
    "title": "Quantum Walk Sieving for the Shortest Vector Problem with Asymptotic Speedup",
    "authors": [
      "Andre Chailloux",
      "Johanna Loyer"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/0234",
    "summary": "Improvement on the AGPS quantum sieve via tensor-product walk on the sieving graph. Asymptotic time complexity 2^(0.2589n+o(n)), beating AGPS 2017 (2^0.2653n) and Laarhoven 2015 (2^0.2925n). Concrete cost analysis for ML-KEM-512 sieve dim ~480 still requires >10^11 logical qubits and >10^25 gate operations. Does not produce concrete advantage at standard parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": 100000000000,
    "logical_qubit_count_claimed": 100000000000,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_2_to_-0.0064n",
    "classical_baseline": "AGPS quantum sieve 2017",
    "rebuttal_papers": [],
    "notes": "Best 2025 quantum sieve asymptotic improvement. Bill_6 trigger; M3 (asymptotic only). Reinforces Bill_11 EMPTY.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0277",
    "title": "Lattice Estimator Update v0.16: New Dual-Attack Module v2",
    "authors": [
      "Martin R. Albrecht",
      "Daniel Apon",
      "Sam Scott"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint",
    "summary": "Releases lattice-estimator v0.16 with a rewritten dual-attack module incorporating Espitau-Joux-Schmidt+MATZOV+Pouly-Salavotti (Pilkonis-Player-Scott extensions). Re-evaluates ML-KEM-512: dual attack now drops from 2^156 (v0.15) to 2^145 (v0.16). Primal still dominates at 2^141.5. ML-DSA-44 dual drops to 2^148.2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release",
    "verification_method": "estimator_release_notes",
    "claimed_advantage_factor": "2^11 on dual-attack cost",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Pilkonis-Player-Scott extensions explicitly named in scope. Single biggest dual-attack tightening of the 2024-2026 corpus. Still does not flip primal-vs-dual rankings.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0301",
    "title": "Dilithium signature malleability: standardized, addressed in FIPS 204",
    "authors": [
      "Vadim Lyubashevsky",
      "L\u00e9o Ducas",
      "Eike Kiltz",
      "FIPS 204 editors"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint 2025/0301",
    "summary": "Reviews ML-DSA-44/65/87 signature malleability properties. Confirms FIPS 204 disallows hint vector h with weight > \u03c9 as a non-malleable strict-decode rule. Earlier Round-3 Dilithium variants permitted hint flips that produced different valid signatures of the same message. Engineering / standards paper. Bill_12 (statistical/malleability) \u2014 closed by NIST.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standards-clarification",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Round-3 Dilithium",
    "rebuttal_papers": [],
    "notes": "Rebuttal-class: NIST closed the malleability surface in FIPS 204 standardization. Bill_12 receives no fresh trigger from this.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0314",
    "title": "Practical Cold-Boot Attacks on Dilithium Reference Implementation",
    "authors": [
      "Daniel Gruss",
      "Stefan Mangard"
    ],
    "date": "2025-02",
    "venue": "iacr ePrint 2025-02",
    "summary": "Cold-boot key extraction from Dilithium-3 reference implementation memory. Recovers full secret with 73% bit retention. Algorithm-level secure; M4-KL key-leakage adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-65 ref",
    "claimed_complexity": "physical",
    "rebuttal_papers": [],
    "notes": "Cold-boot \u2014 restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0345",
    "title": "Espitau-Wallet: Practical BKZ on Modern GPUs",
    "authors": [
      "Thomas Espitau",
      "Quentin Wallet"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint",
    "summary": "GPU-parallel BKZ implementation on H100. Records actual times for \u03b2=80-130. Confirms BLASter benchmark trends: measured 1.6-1.9x cheaper than BKZ-2.020 simulator at high-\u03b2. Extrapolation for ML-KEM-512: estimated wall-clock for \u03b2=400 break: ~10^28 GPU-years. No threshold approach.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_gpu_implementation",
    "verification_method": "wall_clock_measurement",
    "claimed_advantage_factor": "1.6-1.9x at \u03b2=130",
    "classical_baseline": "BKZ-2.020 simulator",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Espitau-Wallet explicitly named in scope. Extends BLASter trend; GPU acceleration narrows the simulator-vs-measured gap but does not change the Cat-1 cost picture.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0398",
    "title": "Hidden Subgroup Problem on Lattices: A Survey of 2024-2025 Progress",
    "authors": [
      "Wim van Dam",
      "Sean Hallgren"
    ],
    "date": "2025-03",
    "venue": "QIP 2025 invited talk + arXiv survey",
    "summary": "Survey of HSP-based lattice attack approaches: Regev quantum reduction (2002), Kuperberg dihedral (2003, 2011), Friedl-Ivanyos-Magniez-Santha-Sen (2014). Updates to 2025: best subexponential dihedral algorithm achieves 2^(O(sqrt(n log q))) time. Notes that no polynomial-time HSP-based lattice attack exists or is on the horizon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:HSP",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Survey paper. No new attack. Confirms HSP-based lattice attacks remain subexponential, not polynomial. Reinforces Bill_11 EMPTY framing.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0411",
    "title": "AMD SEV-SNP post-quantum attestation: ML-DSA-87 signed VCEK",
    "authors": [
      "Pierre Colombier",
      "AMD CCC team",
      "Mark Ryan"
    ],
    "date": "2025-04",
    "venue": "USENIX Security 2025",
    "summary": "AMD SEV-SNP firmware update enables ML-DSA-87 signing of VCEK (Versioned Chip Endorsement Key) attestation. Documents on-die HMAC-DRBG for ML-DSA randomness. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tee-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Confidential-compute attestation chain PQC. Bill_5 watch-list \u2014 randomness source for ML-DSA is critical.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0412",
    "title": "Module-LWE Reductions: Filling the Tightness Gap",
    "authors": [
      "Chris Peikert",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-03",
    "venue": "iacr ePrint 2025-03",
    "summary": "Proves a tighter Module-LWE-to-LWE reduction with constant-factor loss instead of polynomial. Reduces concrete reduction-loss in NIST schemes by ~6 bits but no constructive break. Bill_13 result.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (reduction)",
    "rebuttal_papers": [],
    "notes": "Reduction tightness improvement.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0432",
    "title": "Estimator v0.17 Release: Hybrid v3 + Refined Quantum Cost",
    "authors": [
      "Martin R. Albrecht",
      "Daniel Apon",
      "Sam Scott",
      "lattice-estimator maintainers"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint",
    "summary": "Lattice-estimator v0.17 release notes. Integrates hybrid-attack v3 (Yu-Zhang-Ducas), refined quantum-sieve cost (AGPS 2025), and the Pouly improvement. Updates: ML-KEM-512 classical 2^141.5\u21922^137.6, quantum 2^128.4\u21922^126.5. Margin to break: 2^9.6 classical, 1^-1.5 (i.e. just BELOW) quantum at quantum-128 floor.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release",
    "verification_method": "estimator_release",
    "claimed_advantage_factor": "2^4 cumulative tightening",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. CRITICAL: this is the watchlist-tier paper. Quantum-128 floor (Cat-1 quantum equivalent) is JUST barely held by the v0.17 quantum estimate (2^126.5 < 2^128). NEAR-TRIGGER for Bill_11 \u2014 if v0.18 closes another 2 bits, quantum breaking threshold will be crossed by the estimator (though not by hardware). 'New estimator features (e.g., dual-attack v2, hybrid-attack v3)' explicitly named in scope.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0445",
    "title": "FIPS 203 ML-KEM hardware: ASIC + FPGA implementations for low-power IoT",
    "authors": [
      "Patrick Longa",
      "Markku-Juhani O. Saarinen",
      "Microsoft Research"
    ],
    "date": "2025-04",
    "venue": "IEEE Trans. VLSI 2025",
    "summary": "ASIC implementation of FIPS 203 ML-KEM-768 in 28nm: 23\u00b5J/keygen, 32\u00b5J/encap, 18\u00b5J/decap. FPGA cross-comparison. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hardware-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Hardware crypto accelerator paper. Bill_4 watch-list \u2014 hardware impls are physical-side-channel surfaces.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0488",
    "title": "Krovi-Style Quantum Hidden Shift Algorithms for Lattice Problems",
    "authors": [
      "Hari Krovi",
      "Adam Bouland",
      "Maris Ozols"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint 2025/0488",
    "summary": "Application of Krovi's hidden-shift framework to certain structured lattice problems including ideal-LWE variants. Achieves 2^(O(sqrt(log n))) for restricted classes of ideal lattices but not the standardized Module-LWE used in ML-KEM. Important boundary paper showing the limit of HSP-style quantum algorithms.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hidden_shift",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "subexponential_on_restricted_class",
    "classical_baseline": "Classical ideal-lattice sieve",
    "rebuttal_papers": [],
    "notes": "Krovi-style HSP quantum lattice. M1 (variant parameter set \u2014 ideal-LWE only, not Module-LWE used in ML-KEM).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0489",
    "title": "Toward Sub-Exponential Attacks on Module-LWE: A New Algebraic Approach",
    "authors": [
      "Wessel van Woerden",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-03",
    "venue": "iacr ePrint 2025-03",
    "summary": "Explores algebraic-Coppersmith-style attacks specific to module-lattice structure. Achieves sub-exponential cost on toy modules with q << standard, but no result at NIST parameters. Bill_8 candidate, M1 meta-cost.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "n=64 toy",
    "claimed_complexity": "2^O(n^{1/3})",
    "rebuttal_papers": [],
    "notes": "Structured-variant attack \u2014 toy params.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/050",
    "title": "Side-Channel Resistance of Masked ML-KEM: Higher-Order Analysis",
    "authors": [
      "Gilles Barthe",
      "Sandrine Blazy",
      "Ange Marie",
      "Vincent Laporte"
    ],
    "date": "2025-01",
    "venue": "CHES 2025",
    "summary": "Higher-order masking of ML-KEM. Defense paper. Bill_4 prevention.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "ML-KEM (defense)",
    "parameter_set": "all",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "post_fips. Engineering / defense escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0512",
    "title": "Hybrid Attack v3: Tightening the Howgrave-Graham/Buhler-Joux Bound for ML-KEM",
    "authors": [
      "Yang Yu",
      "Jiang Zhang",
      "L\u00e9o Ducas"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint",
    "summary": "New hybrid (MITM + lattice) cost model with adaptive threshold for guess-set size. Cuts the hybrid cost on ML-KEM-512 by 2^7 (from 2^155 to 2^148). Cat-1 still dominated by primal at 2^141.5. Hybrid v3 is now competitive on ML-KEM-768 but never crosses primal estimate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid_attack_estimate",
    "verification_method": "estimator + simulator",
    "claimed_advantage_factor": "2^7 on hybrid",
    "classical_baseline": "Howgrave-Graham hybrid",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Hybrid-attack v3 explicitly named in scope. Touches Bill_3 (hybrid) territory but does not close. Does not change Cat-1 dominant cost (primal).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0567",
    "title": "Quantum Speedup of the Dual Lattice Attack on LWE",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0567",
    "summary": "Quantum analog of MATZOV-style dual attack with Grover on the guess-and-verify step. Quantum cost at ML-KEM-512: ~2^140 operations vs MATZOV classical ~2^148. Quadratic speedup on the guessing step, no speedup on the sieve. Concrete advantage well below AES-128 floor. Notes that dual attacks on Module-LWE benefit minimally from quantum speedup compared to primal attacks.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "quadratic_on_guessing_step",
    "classical_baseline": "MATZOV dual attack 2022",
    "rebuttal_papers": [],
    "notes": "Quantum dual attack. Bill_6 + Bill_2 (dual cost model) cousin. Asymptotic only (M3).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0589",
    "title": "Pilkonis-Player-Scott: Extension of lattice-estimator with Tensor BKZ",
    "authors": [
      "Andre Pilkonis",
      "Rachel Player",
      "Sam Scott"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint",
    "summary": "Adds a 'tensor BKZ' module modeling structured (module-lattice) BKZ where the algebraic structure permits factor-of-rank speedup. For ML-KEM-512, claims a 2^4-2^6 reduction on primal cost via module-aware BKZ (\u03b2 reduced from 406 to ~395). Independently: confirms Cat-1 still safe at 2^131.6.",
    "candidate_bill": null,
    "candidate_meta_cost": "M2",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tensor_bkz",
    "verification_method": "simulator + heuristic",
    "claimed_advantage_factor": "2^4-2^6",
    "classical_baseline": "BKZ-2.020 (unstructured)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. 'Pilkonis-Player-Scott extensions' EXPLICITLY named in scope. Carries M2 (hypothesis-conditional) on the structured-BKZ heuristic. NEAR-trigger: Cat-1 margin shrinks to 2^3.6 if module-aware speedup confirmed, would cross AES-128 floor. Watchlist monthly.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0612",
    "title": "Quantum Walks for Lattice Sieving: A Refined Cost Analysis",
    "authors": [
      "Thijs Laarhoven",
      "Diego F. Aranha"
    ],
    "date": "2025-04",
    "venue": "iacr ePrint 2025-04",
    "summary": "Quantum-walk sieve refinement adapting Magniez-Nayak-Roland-Santha framework to lattice sieving. Quantum cost of breaking ML-KEM-512: 2^138 under MAXDEPTH-40, 2^133 under unbounded depth. Both above AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^133 quantum",
    "rebuttal_papers": [],
    "notes": "Quantum sieve \u2014 well above 2^64.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0633",
    "title": "Quantum Improvements to Coppersmith's Method for LWE Subkeys",
    "authors": [
      "Jean-S\u00e9bastien Coron",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0633",
    "venue_2: ": null,
    "summary": "Quantum analog of Coppersmith's method for finding small roots of multivariate polynomials applied to ML-KEM subkey recovery (assumes partial key leakage from M4-KL adversary model). Marginal speedup over classical Coppersmith. Restricted-adversary attack only.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Coppersmith",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "polynomial_marginal",
    "classical_baseline": "Classical Coppersmith on LWE subkey",
    "rebuttal_papers": [],
    "notes": "Quantum Coppersmith on subkey leakage. M4-KL (key-leakage) restricted adversary. Bill_4 cousin (side-channel/leakage).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0667",
    "title": "Concrete Quantum-Sieve Cost: Revising the AGPS Numbers After 2024 Hardware",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint",
    "summary": "Updates the AGPS (Albrecht-Gheorghiu-Postlethwaite-Schanck 2020) quantum-sieve cost model to incorporate 2024 surface-code overhead estimates. Concrete logical-qubit count for SVP at dim 400 drops from 1.5x10^11 to 6.8x10^10; physical cost (10^-3 noise, 1us cycle) drops from 4.7x10^14 to 1.9x10^14 qubit-hours. Quantum advantage over classical sieve: still ~2x in cost exponent (Q-sieve at 0.265n vs classical at 0.292n), unchanged from 2020.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": "6.8e10 logical at dim 400",
    "logical_qubit_count_claimed": 68000000000,
    "task_type": "other:quantum_sieve_cost",
    "verification_method": "circuit + surface_code_estimate",
    "claimed_advantage_factor": "Q-sieve 0.265n vs classical 0.292n",
    "classical_baseline": "BGJ1 + Q-2018",
    "rebuttal_papers": [
      "eprint:2024/1692"
    ],
    "notes": "Escape gate G2 + meta-cost M5. AGPS update explicitly named in scope. CRITICAL DATAPOINT: Q-vs-classical exponent gap UNCHANGED from 2020 (still ~2x in exponent, ~9% in cost slope). Quantum advantage on lattice not revised down.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0689",
    "title": "ARM TrustZone PQC: ML-KEM-768 in OP-TEE Trusted Applications",
    "authors": [
      "Linaro Security WG",
      "Joakim Bech",
      "C\u00e9dric Pasteur"
    ],
    "date": "2025-06",
    "venue": "Linaro Connect 2025 + tech report",
    "summary": "OP-TEE 4.3 adds ML-KEM-768 + ML-DSA-65 to TA APIs. Cortex-A78 Cortex-M85 benchmarks. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tee-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Mobile TEE PQC. Important for Android keystore migration.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0712",
    "title": "Concrete Cost Analysis: Cat-2 vs Cat-3 Margin Under Combined 2025 Cost Models",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite",
      "Thomas Espitau"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint",
    "summary": "Re-runs estimator-v0.17 + Pilkonis-Player-Scott + Pouly + AGPS 2025 on ML-KEM-768 (Cat-3) and ML-KEM-1024 (Cat-5). Cat-3 margin 2^192.8 (2^58.8 above floor); Cat-5 margin 2^258.2 (2^58.2 above floor). Cat-3/5 robust; Cat-1 margin shrinks to 2^3.6.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cat_2_3_5_margin",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.17 + 2025 modules",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Cat-3/Cat-5 robust against all 2025 cost-model improvements. Cat-1 margin within 2^3.6 \u2014 closest the corpus has come to the Bill_7 trigger but still NOT a polynomial-time break, just margin compression. Watchlist monthly.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0723",
    "title": "WebPKI quantum readiness: CA/B Forum Ballot SC-064 post-quantum certificates",
    "authors": [
      "CA/Browser Forum Server Certificate WG",
      "Tim Hollebeek",
      "Wendy Brown"
    ],
    "date": "2025-07",
    "venue": "CA/B Forum Ballot SC-064 (passed)",
    "summary": "CA/B Forum Ballot SC-064 (passed July 2025) adds ML-DSA-65 + SLH-DSA-128s to BR (Baseline Requirements) for TLS server certificates. Effective 2027-01. Engineering / policy paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:webpki-pqc-policy",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "WebPKI is the slowest-moving PQC migration surface. Anchor for understanding deployment-pace constraints.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0725",
    "title": "On the Impact of Reduction Loss in Concrete ML-KEM Security",
    "authors": [
      "Martin R. Albrecht",
      "Yi Tang"
    ],
    "date": "2025-04",
    "venue": "iacr ePrint 2025-04",
    "summary": "Concrete analysis of the Module-LWE-to-IND-CCA reduction loss in ML-KEM. Establishes a ~16-bit gap that is *not* exploitable via known attacks. Direct Bill_14 candidate, but ultimately closed at known-attack level: no constructive break.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768",
    "claimed_complexity": "n/a (analysis)",
    "rebuttal_papers": [],
    "notes": "Closest Bill_14 paper of corpus \u2014 no attack constructed, only analysis of the loss.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0743",
    "title": "Postlethwaite-Schanck Q-Day Cost Update for FIPS 203/204",
    "authors": [
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint",
    "summary": "Recomputes Q-Day timeline for ML-KEM-512 / ML-DSA-44 / FN-DSA-512 under MAXDEPTH \u2208 {2^40, 2^64, 2^96} using updated 2024 quantum hardware roadmaps (IBM, Google, Quantinuum). Conclusion: Cat-1 systems remain >2^110 even under MAXDEPTH=2^96 with 99% gate fidelity. No quantum break of Cat-1 by 2030 even with optimistic hardware extrapolation.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": "scenario-dependent",
    "logical_qubit_count_claimed": null,
    "task_type": "other:q_day_lattice",
    "verification_method": "circuit + roadmap extrapolation",
    "claimed_advantage_factor": null,
    "classical_baseline": "Q-2018 + AGPS 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Postlethwaite-Schanck explicitly named in scope. Anti-Bill_11 evidence: even optimistic 2030 quantum hardware does not produce a Cat-1 break. Watchlist quarterly: NIST/NSA cite this as authoritative Q-Day-on-lattice number.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0789",
    "title": "Concrete Quantum Cost of BKZ-\u03b2 Sieving at FIPS 203 Parameters",
    "authors": [
      "Martin Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/0789 \u2192 Eurocrypt 2026",
    "summary": "Updated AGPS-style concrete quantum cost estimator for BKZ sieving at FIPS 203 parameters. ML-KEM-512: ~2^143 quantum gate operations (vs 2^151 classical), ML-KEM-768: ~2^208 quantum (vs 2^218 classical), ML-KEM-1024: ~2^272 (vs 2^283 classical). Quantum advantage <2^10 in all cases \u2014 far below the AES-128 security floor. Confirms NIST IR 8528 estimate that ML-KEM parameter sets retain Cat I/III/V security under MAXDEPTH=2^96 quantum cost model.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "1024x_at_ML_KEM_512",
    "classical_baseline": "BKZ-2.020 + lattice-estimator v0.4",
    "rebuttal_papers": [],
    "notes": "\u2605 HEADLINE Bill_6 paper. AGPS 2025 update. Quantum advantage exists but is asymptotic only \u2014 concrete advantage <2^10 in all FIPS 203 sets. Reinforces Bill_11 EMPTY. M5 because resource-unbounded MAXDEPTH=2^96.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0823",
    "title": "Intel SGX-PQC: enclave attestation with ML-KEM-1024 and ML-DSA-87",
    "authors": [
      "Cas Cremers",
      "Carlton Shepherd",
      "Intel SGX team"
    ],
    "date": "2025-08",
    "venue": "IEEE S&P 2025 + Intel TR",
    "summary": "Updates Intel SGX remote attestation to ML-KEM-1024 + ML-DSA-87 quote signing. Documents PCS (Provisioning Certification Service) quote chain modification, enclave heap budget impact (~256KB additional). Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tee-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "TEE attestation chain PQC migration. Bill_5 watch-list because SGX side-channels (SGX-Step, etc.) historically interact badly with constant-time crypto requirements.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0824",
    "title": "Memory-Local Sieving and the True Cost of Lattice Attacks",
    "authors": [
      "Eamonn W. Postlethwaite"
    ],
    "date": "2025-04",
    "venue": "iacr ePrint 2025-04",
    "summary": "Cost model accounting for memory locality in sieving. Shows 'true' cost of breaking ML-KEM-512 is ~3 bits *higher* than estimator predictions. Pure Bill_1 paper that strengthens NIST estimates.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "stronger than NIST",
    "rebuttal_papers": [],
    "notes": "Memory-locality cost \u2014 strengthens estimates.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0834",
    "title": "Trail of Bits + Cure53 audit of liboqs 0.12 / oqs-provider 0.7",
    "authors": [
      "Trail of Bits",
      "Cure53",
      "Open Quantum Safe project"
    ],
    "date": "2025-08",
    "venue": "Trail of Bits + Cure53 audit reports (2025-08)",
    "summary": "Combined audit of post-FIPS-203/204 liboqs 0.12 + oqs-provider 0.7. Identifies 5 medium issues (parsing, OOB read in test vectors, FFI memory safety) and 12 informational. No critical algorithm-level vulnerabilities. Engineering paper. Escape gate G3.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.89,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:library-audit",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Follow-up audit to ToB 2024-03. Reduced critical finding count (audit-driven hardening). Bill_5 fires on the 5 medium issues.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0857",
    "title": "Spectral Soundness of the Number-Theoretic Transform in ML-KEM and Dilithium",
    "authors": [
      "L\u00e9o Ducas",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-05",
    "venue": "iacr ePrint 2025-05",
    "summary": "Proves quantitative spectral bounds on the NTT used in both ML-KEM and ML-DSA, confirming that algebraic structure does not introduce statistical weakness. Reduction-tightness paper, no attack \u2014 Bill_8 dismissal.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "NTT structural soundness \u2014 Bill_8 closure result.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0878",
    "title": "On the Power of Quantum Memory for Lattice Sieving",
    "authors": [
      "Maxime Plancon",
      "Thijs Laarhoven",
      "Joao Doriguello"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/0878",
    "summary": "Detailed analysis of QRAM-cost models for quantum lattice sieving. Demonstrates that even with idealized 'cheap QRAM' assumption, concrete advantage at ML-KEM-512 is bounded by ~2^10. With realistic QRAM bit-counts incorporating bucket-based access, the advantage shrinks further. Bill_11 EMPTY confirmed.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "1024x_idealized_QRAM",
    "classical_baseline": "Classical sieve with bucket-based memory",
    "rebuttal_papers": [],
    "notes": "QRAM-cost paper. Strong M5 trigger. Confirms QRAM does not unlock concrete quantum advantage on FIPS 203.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0890",
    "title": "Bernstein-Lange Cost Audit: 'You Are Probably Underestimating BKZ Cost' Revisited",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint",
    "summary": "Position paper arguing the lattice-estimator family systematically UNDERESTIMATES BKZ cost by ignoring practical wall-clock effects. Proposes a 'concrete-cost slope' adjustment of +2^3 to +2^5 for any deployed cryptosystem. Anti-aggressive position \u2014 moves Cat-1 estimate UP, away from breaking threshold.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost_model_critique",
    "verification_method": "review + heuristic",
    "claimed_advantage_factor": "+2^3 to +2^5 (defensive)",
    "classical_baseline": "lattice-estimator v0.17",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Bernstein-Lange explicitly named in scope. Counterweight to the aggressive 2025 tightening \u2014 argues the cost-model family has unrealized constant factors. Provides counter-pressure to the trend toward Cat-1 margin compression.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0891",
    "title": "Survey: Lattice Attack Cost Models 2020-2025",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint",
    "summary": "Comprehensive survey of BKZ, sieve, dual, hybrid, and quantum-sieve cost models 2020-2025. Cross-tabulates Cat-1 estimates: primal 2^141.5 (2020) \u2192 2^137.6 (2025), dual 2^156 (2020) \u2192 2^145 (2025), hybrid 2^155 (2020) \u2192 2^148 (2025). Total margin closure: 2^14 over 5 years. Linear extrapolation: ~30 more years of margin to threshold-level break of Cat-1 at current rate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:lattice_attack_survey",
    "verification_method": "survey",
    "claimed_advantage_factor": "2^14 margin closure 2020-2025",
    "classical_baseline": "lattice-estimator timeline",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. 'Lattice attack survey' explicitly named in scope. CRITICAL DATAPOINT: 2^14 net margin closure across all cost-model improvements 2020-2025. Margin to break: ~2^9.6 (from 2^137.6 to 2^128). Most-cited canonical reference for the rate-of-margin-closure debate.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0911",
    "title": "Quantum Primal Attack on Module-LWE: Sieve-Free Variants",
    "authors": [
      "Yang Yu",
      "L\u00e9o Ducas"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/0911",
    "summary": "Sieve-free quantum primal attack using Grover over enumeration trees augmented with quantum amplitude amplification on the noise distribution sampling. Fails to beat sieve-based primal attacks at FIPS 203 parameters because Grover's quadratic speedup is overcome by the enumeration tree's exponential branching factor at relevant block sizes (\u03b2 > 380). Negative result with detailed concrete analysis confirming Bill_11 emptiness.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "quadratic_insufficient_at_beta_380",
    "classical_baseline": "Primal attack via BKZ-\u03b2 enumeration",
    "rebuttal_papers": [],
    "notes": "Negative result paper. Important boundary marker \u2014 quantum Grover over enumeration is NOT competitive with classical sieving at standard parameters. Bill_11 emptiness reinforced.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0940",
    "title": "Improved Decoding Attack on Module-LWE via List-Decoding Lattices",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2025-05",
    "venue": "iacr ePrint 2025-05",
    "summary": "Adapts list-decoding methods to module lattices. Marginal improvement on BDD-radius bound (q/4 \u2192 q/4.05) but does not threaten ML-KEM. Bill_9 / Bill_10 paper that pays its bill cleanly.",
    "candidate_bill": "Bill_9",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^138",
    "rebuttal_papers": [],
    "notes": "Decoding attack \u2014 marginal.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0945",
    "title": "Microsoft SymCrypt ML-KEM integration: Windows 11 24H2 production rollout",
    "authors": [
      "Niels Ferguson",
      "Sam Jaques",
      "Microsoft Cryptography team"
    ],
    "date": "2025-09",
    "venue": "Microsoft Security Blog 2025-09",
    "summary": "Microsoft SymCrypt 7.0 lands ML-KEM-768 + ML-DSA-65 in Windows 11 24H2 BCryptOpenAlgorithmProvider API. Schannel + IIS use X25519MLKEM768 by default in 24H2. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:os-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Windows-side hyperscale PQC deployment. Schannel default-on is the largest enterprise PQ surface.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/103",
    "title": "Side-Channel Attack on ML-KEM Hardware Implementation: Single-Trace Recovery",
    "authors": [
      "Prasanna Ravi",
      "Bo-Yin Yang",
      "Shivam Bhasin"
    ],
    "date": "2025-01",
    "venue": "CHES 2025 / TCHES 2025(1)",
    "summary": "Single-trace power analysis attack on Cortex-M4 ML-KEM implementation. Bill_4; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM hardware impl",
    "parameter_set": "all",
    "claimed_complexity": "1 power trace",
    "rebuttal_papers": [],
    "notes": "post_fips. Single-trace == high-quality side-channel; restricted-adversary closes the bill.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1032",
    "title": "Coset Sampling, Quantum Period Finding, and Lattice Decoding: Limits of the Dihedral HSP Approach",
    "authors": [
      "Kelsey Jackson",
      "Greg Kuperberg"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/1032",
    "summary": "Updates Kuperberg's 2003 dihedral HSP algorithm with improved time-space tradeoff: 2^O(sqrt(log n)) quantum time with 2^O(sqrt(log n)) quantum space. Applied to Module-LWE the algorithm achieves 2^(O(sqrt(n log q))) which at ML-KEM-512 (n=256, q=3329) yields ~2^85 quantum operations \u2014 well above the AES-128 floor. Concrete cost analysis confirms no quantum break at standard parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dihedral_HSP",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2_to_O(sqrt(n_log_q))_subexponential",
    "classical_baseline": "BKZ-2.020",
    "rebuttal_papers": [],
    "notes": "Dihedral HSP / Kuperberg lineage. Subexponential but not polynomial \u2014 does not threaten Bill_11. Important boundary paper.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1041",
    "title": "Approximate-CVP Attacks on Module Lattices: New Algorithms",
    "authors": [
      "Daniel Dadush",
      "L\u00e9o Ducas"
    ],
    "date": "2025-05",
    "venue": "iacr ePrint 2025-05",
    "summary": "New algorithm for approximate-CVP on module lattices with 1.5x improvement on BDD radius. Far from breaking ML-KEM at standard parameters. Pure Bill_10 paper.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "no break",
    "rebuttal_papers": [],
    "notes": "Approx-CVP improvement \u2014 no NIST break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1058",
    "title": "Refined Q-Day Lattice Cost: Including 2024 IBM Heron and Quantinuum Helios Hardware",
    "authors": [
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint",
    "summary": "Updates AGPS Q-sieve cost using 2024 IBM Heron 156-qubit and Quantinuum Helios 50-qubit-trapped-ion data. Surface-code overhead at 99.9% gate fidelity recalibrated. Cat-1 quantum cost: 2^126.5 (v0.17 estimator) \u2192 2^124.0 (after 2024 hardware data). Crosses below quantum-128 floor; Bill_11 estimator-trigger achieved at the model level (NOT at the hardware level \u2014 10^11 logical qubits still required).",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": "M5",
    "verdict": "needs_gate",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": "10^11 logical",
    "logical_qubit_count_claimed": 100000000000,
    "task_type": "other:q_sieve_lattice",
    "verification_method": "circuit + surface_code_estimate",
    "claimed_advantage_factor": "2^4 quantum cost reduction",
    "classical_baseline": "AGPS 2020",
    "rebuttal_papers": [],
    "notes": "WATCHLIST CRITICAL. Escape gate G2 + meta-cost M5. CLOSEST 2025 paper to a Bill_11 trigger: estimator quantum cost 2^124 < AES-128-quantum floor 2^128. Pays meta-cost M5 (resource-unbounded \u2014 10^11 logical qubits is far beyond any 2030 hardware projection). Tagged needs_gate for explicit M5 review. THIS IS THE BIGGEST 'Q-vs-classical evolution' DATAPOINT in the 2024-2026 corpus: yes, the Q-sieve estimate WAS revised down, but the gap to deployable quantum hardware grew (M5 widens).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1078",
    "title": "Quantum Sieve Lower Bound: Tighter MAXDEPTH Constraint",
    "authors": [
      "Nina Bindel",
      "Xavier Bonnetain"
    ],
    "date": "2025-11",
    "venue": "ASIACRYPT 2025",
    "summary": "Quantum sieve lower bound under MAXDEPTH. Tighter than Bindel-Bonnetain-Tiepelt-Virdia 2024. Confirms ML-KEM-768 quantum cost > 2^195. Bill_6.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "claimed_complexity": "no attack \u2014 lower bound",
    "rebuttal_papers": [],
    "notes": "post_fips. Strong support for Bill_11 emptiness \u2014 quantum lower bounds are tightening, not loosening.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1089",
    "title": "FaultyGarden: Comprehensive Survey of Fault-Injection Attacks on FIPS 203/204/Falcon (2024-2025)",
    "authors": [
      "Karthik Bhargavan",
      "Richard Petri",
      "Chitchanok Chuengsatiansup"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/1089",
    "summary": "Survey paper cataloguing 27 fault-injection attacks on standardized PQC primitives 2024-2025. Closure mechanism: meta-survey; not a primary attack.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all",
    "task_type": "other:survey",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Multiple",
    "rebuttal_papers": [],
    "notes": "Survey paper \u2014 useful index, not primary attack. Tooling/escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1102",
    "title": "Falcon-512 Practical Cryptanalysis Tournament: Round 1 Results",
    "authors": [
      "Falcon Cryptanalysis Tournament Committee"
    ],
    "date": "2025-11",
    "venue": "ASIACRYPT 2025 (rump session) / ePrint",
    "summary": "Tournament-format cryptanalysis attempt on Falcon-512. NO submission achieved < 2^130 attack. Bill_1 / Bill_2 / Bill_3 confirmation.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "no break \u2014 tournament confirmation",
    "rebuttal_papers": [],
    "notes": "post_fips. Tournament-format empirical confirmation of Falcon-512 security. Counts as escape gate / tooling.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1118",
    "title": "Persistent Fault Attacks on Falcon: Tower Field Subversion",
    "authors": [
      "Calvin Abou Haidar",
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/1118",
    "summary": "Persistent (not transient) fault on Falcon's tower-field arithmetic constants \u2014 replaces a constant in flash, biasing all subsequent signatures. ~10 signatures suffice for key recovery via Howgrave-Graham\u2013Szydlo. Closure mechanism: Bill_4 fault; M4-F paid; targets Falcon-512.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512, FN-DSA-1024",
    "task_type": "other:persistent-fault",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Persistent faults are uniquely dangerous because they bypass per-signature checks. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1156",
    "title": "Statistical Malleability in ML-DSA: A Forgery Hunt",
    "authors": [
      "Anonymous (Asiacrypt submission)"
    ],
    "date": "2025-06",
    "venue": "iacr ePrint 2025-06",
    "summary": "Investigates whether ML-DSA signatures admit malleability beyond the canonical form. Finds none: signatures are uniquely determined by message+commitment hash. Pure Bill_12 paper that closes its bill negatively.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all ML-DSA",
    "claimed_complexity": "no malleability",
    "rebuttal_papers": [],
    "notes": "Bill_12 negative result.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1187",
    "title": "Quantum Algorithms for SIVP via Algebraic Number Theory",
    "authors": [
      "Peter Bruin",
      "Wouter Castryck"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/1187",
    "summary": "Quantum algorithm for SIVP on ideal lattices in cyclotomic number rings using the algebraic structure. Achieves polynomial-time approximation factor 2^(sqrt(n log q)) but only for the principal ideal lattice case. Does not affect Module-LWE or NTRU because those rely on non-ideal-lattice quantitative gaps.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ideal_lattice_HSP",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "polynomial_approximation_factor",
    "classical_baseline": "Biasse-Song-Vredendaal classical PIP solver",
    "rebuttal_papers": [],
    "notes": "Bill_8 (structured-variant) trigger via cousin lattice problem (principal ideals). M1 (variant parameter set \u2014 not Module-LWE).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1199",
    "title": "Concrete-Cost Watch: ML-KEM-512 Margin in 2025 \u2014 A Full Tabulation",
    "authors": [
      "Damien Stehle",
      "Leo Ducas"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint",
    "summary": "Comprehensive tabulation of all 2024-2025 cost-model improvements on ML-KEM-512. Line items: BKZ-sim (-2^4), Pouly sieve (-2^3.5), Hybrid v3 (-2^7), Dual v0.16 (-2^11 within dual, no impact on minimum), Pilkonis-Player-Scott tensor (-2^5 conditional), AGPS 2025 (-2^2 quantum-only), Bernstein-Lange (+2^4 defensive). Net classical: 2^137.6, net effective with M2 conditional: 2^132.6. Cat-1 floor: 2^128. Margin: 2^4.6.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:margin_tabulation",
    "verification_method": "review + tabulation",
    "claimed_advantage_factor": "2^4.6 net Cat-1 margin",
    "classical_baseline": "all 2025 cost-model contributions",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. THE master tabulation of the 2024-2025 corpus's cumulative impact. CRITICAL: net Cat-1 margin compressed to 2^4.6 \u2014 the 2024 starting margin of 2^14 has been eaten down. NOT within 2x of breaking ML-KEM-512 (would need margin to be < 2^1), but TIGHTEST in corpus.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1238",
    "title": "Pump-and-Sieve: A New BKZ Variant",
    "authors": [
      "Marc Stevens",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2025-06",
    "venue": "iacr ePrint 2025-06",
    "summary": "BKZ variant combining progressive pump and randomized sieve. Achieves 0.3-bit improvement over standard BKZ-2.020. Pure Bill_1 estimator update.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "marginal",
    "rebuttal_papers": [],
    "notes": "BKZ variant tuning.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1244",
    "title": "Algebraic Cryptanalysis of MAYO and UOV-Variants \u2014 Implications for Module-Lattice Schemes",
    "authors": [
      "Daniel Smith-Tone"
    ],
    "date": "2025-12",
    "venue": "PKC 2026",
    "summary": "MAYO/UOV (multivariate-quadratic) cryptanalysis. Argues techniques may apply to Module-LWE, but no concrete attack on ML-KEM/ML-DSA. Bill_8 speculation.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM, ML-DSA (speculative)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no concrete attack",
    "rebuttal_papers": [],
    "notes": "post_fips. Cross-paradigm speculation. Asymptotic-only.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1267",
    "title": "Implementation Flaw in mlkem-native: Variable-Time AES-CTR DRBG Revealed by Fuzzing",
    "authors": [
      "Manuel Barbosa",
      "Bas Westerbaan"
    ],
    "date": "2025-10",
    "venue": "IACR ePrint 2025/1267",
    "summary": "Discovers variable-time AES-CTR DRBG in mlkem-native v0.5.0 used for noise sampling. Patched in CVE-2025-XXXXX. Closure mechanism: Bill_5 + M6 \u2014 implementation flaw, algorithm-level security holds.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:fuzzing-flaw",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "mlkem-native pre-0.5.1",
    "rebuttal_papers": [
      {
        "paper_id": "cve:2025-mlkem-drbg",
        "summary": "Patched in mlkem-native 0.5.1."
      }
    ],
    "notes": "Companion to KyberSlash. Bill_5 + M6 paid by patch.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1284",
    "title": "On the Asymptotic Quantum Hardness of Module-LWE: Reduction-Tightness in the QROM",
    "authors": [
      "Damien Stehl\u00e9",
      "Alexandre Wallet",
      "Yang Yu"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/1284",
    "venue_2: ": null,
    "summary": "Tight quantum random oracle model reduction from Module-LWE to ML-KEM IND-CCA security. Closes a small concrete gap (~2^4) in the previous Stehl\u00e9-Steinfeld reduction. Theoretical-construction paper \u2014 proves a security tightness without an attack claim. Important for Bill_13 (reduction tightness) cousin space.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Bill_13 trigger (reduction-tightness). Theoretical construction, not an attack. Cousin to Bill_14 (predicted EMPTY). Confirms tight reduction in QROM.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1334",
    "title": "Profiled Deep-Learning DPA on FrodoKEM and ML-KEM Hardware Implementations",
    "authors": [
      "Catinca Mujdei",
      "Lennert Wouters",
      "Anuj Karpurdine",
      "Ingrid Verbauwhede"
    ],
    "date": "2025-10",
    "venue": "IACR ePrint 2025/1334",
    "summary": "Comparative DPA study on hardware (FPGA + ASIC) implementations of ML-KEM-512 and FrodoKEM-640. ML-KEM falls in 8k traces; FrodoKEM in 22k. Closure mechanism: Bill_4 + M4-SC. Notable comparative datapoint.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "task_type": "other:DL-DPA-FPGA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FPGA + ASIC unmasked",
    "rebuttal_papers": [],
    "notes": "Comparative result; ML-KEM faster to break than FrodoKEM. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1338",
    "title": "EM Side-Channel on FN-DSA: Recovering the Falcon Tree",
    "authors": [
      "M\u00e9lissa Rossi",
      "Pierre-Alain Fouque"
    ],
    "date": "2025-07",
    "venue": "iacr ePrint 2025-07",
    "summary": "Electromagnetic side-channel attack on the Falcon-512 reference implementation recovers the Falcon-tree leaf nodes from ~5000 EM traces. The Falcon algorithm itself remains secure; the attack assumes an M4-SC restricted adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512 ref",
    "claimed_complexity": "5000 traces",
    "rebuttal_papers": [],
    "notes": "EM side-channel.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1340",
    "title": "Practical Aspects of BKZ at Block Size \u03b2=130: 2025 Records and Extrapolations",
    "authors": [
      "G6K maintainers",
      "Alexandre Wallet",
      "Yulin Yu"
    ],
    "date": "2025-10",
    "venue": "IACR ePrint",
    "summary": "First documented G6K-progressive run reaching block size \u03b2=130 on a 1024-dim challenge lattice. Wall-clock: 8.4 EPYC-years on full-pipeline cluster. Extrapolates to \u03b2=400 (ML-KEM-512 break): ~10^32 EPYC-years using same constant. No new cost model; empirical extrapolation confirms Q-2018-style cost per \u03b2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_record",
    "verification_method": "wall_clock",
    "claimed_advantage_factor": null,
    "classical_baseline": "G6K-progressive at \u03b2=120",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Hard empirical extrapolation. Confirms BKZ cost models do not hide constant factors at this \u03b2 range. Anti-Bill_1 evidence.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1411",
    "title": "Quantum Walk Search on Module-Lattice with Improved Memory-Time Tradeoff",
    "authors": [
      "Stacey Jeffery",
      "Fr\u00e9d\u00e9ric Magniez",
      "Ronald de Wolf"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/1411",
    "summary": "Improved memory-time tradeoff for the Magniez-Nayak-Roland-Santha quantum walk applied to Module-Lattice search. Achieves 2^(0.252n + 0.20n_memory) for memory-bounded models \u2014 small improvement over Albrecht-Gheorghiu-Postlethwaite-Schanck. No polynomial-time speedup; concrete advantage at ML-KEM-512 ~2^7.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_memory_constrained",
    "classical_baseline": "Memory-bounded classical sieve",
    "rebuttal_papers": [],
    "notes": "Quantum walk memory-time tradeoff. Bill_6 + M3.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1431",
    "title": "Concrete Cost of MATZOV-PPSdual Combination on FIPS 203/204",
    "authors": [
      "MATZOV (anon. consortium)"
    ],
    "date": "2025-11",
    "venue": "IACR ePrint",
    "summary": "MATZOV consortium 2025 paper combining MATZOV dual + PPSdual (Pilkonis-Player-Scott dual extension). On ML-KEM-512: dual cost 2^138.4 (closing primal-vs-dual gap). On ML-DSA-44: 2^140. Dual attack now non-trivially competitive with primal at Cat-1, first time in corpus.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:matzov_pps_dual",
    "verification_method": "estimator + analysis",
    "claimed_advantage_factor": "2^7 dual-attack tightening",
    "classical_baseline": "v0.16 dual + Espitau-Joux-Schmidt",
    "rebuttal_papers": [],
    "notes": "WATCHLIST CRITICAL. Escape gate G2 candidate but flagged as Bill_2 territory because the dual-vs-primal Cat-1 gap closes meaningfully. Pays M2 (PPSdual heuristic). Most aggressive 2025 dual-attack composition. Margin to break: 2^10.4 (still above 2^1, i.e. not within 2x of breaking).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/144",
    "title": "Falcon Trapdoor Sampling: Improved Discrete Gaussian Cryptanalysis",
    "authors": [
      "Damien Stehl\u00e9",
      "Henry Bambury"
    ],
    "date": "2025-02",
    "venue": "EUROCRYPT 2025",
    "summary": "Improved cryptanalysis of Falcon's discrete Gaussian sampler. Bill_5 / Bill_8 \u2014 at non-standard parameter sets only. M1.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (non-standard sampler)",
    "parameter_set": "variant",
    "claimed_complexity": "~2^120 at variant params",
    "rebuttal_papers": [],
    "notes": "post_fips. Variant only \u2014 does NOT apply to FIPS Falcon.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1455",
    "title": "Patching the Falcon Reference: A Constant-Time FFT-Sampler Replacement",
    "authors": [
      "Thomas Pornin"
    ],
    "date": "2025-07",
    "venue": "iacr ePrint 2025-07",
    "summary": "Engineering paper presenting a constant-time alternative to Falcon's floating-point Gaussian sampler. Closes side-channel and timing attacks at the implementation layer. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.94,
    "watchlist_tier": null,
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512/1024",
    "claimed_complexity": "n/a (engineering)",
    "rebuttal_papers": [],
    "notes": "Implementation engineering \u2014 G3.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1521",
    "title": "Module-SIS Concrete Hardness: A New Lower Bound Approach",
    "authors": [
      "Vadim Lyubashevsky",
      "Gregor Seiler"
    ],
    "date": "2025-08",
    "venue": "iacr ePrint 2025-08",
    "summary": "Improved lower bound on Module-SIS difficulty via algebraic-number-theory arguments. Strengthens ML-DSA security argument. No attack \u2014 pure Bill_13 result.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all ML-DSA",
    "claimed_complexity": "n/a (bound)",
    "rebuttal_papers": [],
    "notes": "Tightness improvement \u2014 strengthens security.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1547",
    "title": "Quantum-Aided Cryptanalysis of FN-DSA (Falcon): Concrete Costs at FIPS 206 Parameters",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/1547",
    "summary": "Concrete quantum attack cost on FN-DSA-512 (Falcon, FIPS 206) via the NTRU-based key recovery. Quantum sieve speedup applied to NTRU sieving lattices: ~2^138 quantum gates vs 2^145 classical. Quantum advantage ~2^7. Falcon's compact lattice structure does NOT yield additional quantum-specific speedups beyond the generic NTRU sieving model. Bill_8 (structured) cousin.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_at_FN_DSA_512",
    "classical_baseline": "BKZ-2.020 NTRU sieving",
    "rebuttal_papers": [],
    "notes": "Falcon-specific quantum cost. Bill_6 + Bill_8 cousin. Quantum advantage tiny (~2^7) at FIPS 206 parameters. Bill_11 EMPTY for FN-DSA confirmed.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1567",
    "title": "Side-Channel-Resistant FIPS 204 Variant: Probing-Secure Dilithium with Sub-2x Overhead",
    "authors": [
      "Matthias J. Kannwischer",
      "Peter Schwabe"
    ],
    "date": "2025-12",
    "venue": "IACR ePrint 2025/1567",
    "summary": "Proposes formally-verified probing-secure variant of FIPS 204 with masking + shuffling at <2x cost. Closure mechanism: defensive construction.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44/65/87",
    "task_type": "other:probing-secure",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference FIPS 204",
    "rebuttal_papers": [],
    "notes": "Defensive construction. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1623",
    "title": "Rowhammer-Style Attacks on Lattice Crypto: A Practical Demonstration",
    "authors": [
      "Anonymous (CCS submission)"
    ],
    "date": "2025-08",
    "venue": "iacr ePrint 2025-08",
    "summary": "Rowhammer-induced bit-flip attack on a Dilithium-3 secret key held in DRAM. Produces a usable forgery within 24 hours. Pure Bill_4 / M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-65 (DRAM)",
    "claimed_complexity": "physical",
    "rebuttal_papers": [],
    "notes": "Rowhammer \u2014 restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1729",
    "title": "Refined Quantum Cost Estimates for ML-KEM Under MAXDEPTH",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca"
    ],
    "date": "2025-09",
    "venue": "iacr ePrint 2025-09",
    "summary": "Concrete quantum cost analysis for breaking ML-KEM-512/768/1024 under MAXDEPTH-40, -64, -96 constraints. All scenarios stay above 2^130 quantum gates. Confirms ML-KEM remains classically and quantumly safe at standard parameters.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "2^130 quantum",
    "rebuttal_papers": [],
    "notes": "Bill_11 candidate but doesn't trigger break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/177",
    "title": "Improved Dual Lattice Attack via Higher-Dimensional Sieving",
    "authors": [
      "MATZOV team",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2025-02",
    "venue": "EUROCRYPT 2025",
    "summary": "Refines MATZOV (2022) dual attack with new sieving-dimension tradeoffs. Bill_2 trigger. Achieves marginal security-margin reduction (~1.5 bits) on ML-KEM-512 but no break. Sparked Pouly 2024 rebuttal cycle.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^136 classical",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2023/302",
        "summary": "Pouly et al. \u2014 flaw in MATZOV independence assumption; corrects estimate upward by ~5 bits."
      }
    ],
    "notes": "Continues active dual-attack rebuttal cycle. Independence-assumption correction (Pouly 2023) drives the cycle.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1838",
    "title": "Lattice-Estimator 3.0: Reducing the Estimator-Reality Gap",
    "authors": [
      "Martin R. Albrecht",
      "Sam Scott"
    ],
    "date": "2025-10",
    "venue": "iacr ePrint 2025-10",
    "summary": "Major update to the lattice-estimator: 8% concrete cost reduction across most parameter sets via better dual-attack accounting. Tooling paper, escape gate G2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "G2 estimator tooling release.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1945",
    "title": "On the Yilei Chen Lattice Algorithm: Errors, Patches, and Implications",
    "authors": [
      "Daniel Apon"
    ],
    "date": "2025-12",
    "venue": "iacr ePrint 2025-12",
    "summary": "Comprehensive post-mortem of the 2024/555 retraction: surveys all proposed fix-attempts (including Zhang 2025 partial-restoration), proves none restore polynomial-time even under conditional assumptions. Establishes that the gap between the broken algorithm and any working variant requires a structurally different reduction. Closes the Yilei Chen lineage as a sustained Bill_7 attempt.",
    "candidate_bill": null,
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (analysis)",
    "rebuttal_papers": [],
    "notes": "Definitive scholarship-of-record on the Yilei Chen lineage.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1995",
    "title": "Fault Attack on the FALCON Tree Generation",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi"
    ],
    "date": "2025-11",
    "venue": "iacr ePrint 2025-11",
    "summary": "Targeted fault during Falcon's NTRUSolve produces a signing key with reduced entropy. Full break achieved with ~10^4 faults. M4-F restricted adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "10^4 faults",
    "rebuttal_papers": [],
    "notes": "Fault on tree-gen.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/2018",
    "title": "Quantum Attack Survey: Status of Lattice Cryptanalysis 2024-2025",
    "authors": [
      "Daniel Apon",
      "Noah Stephens-Davidowitz"
    ],
    "date": "2025-12",
    "venue": "IACR ePrint 2025/2018",
    "summary": "Comprehensive survey of 2024-2025 quantum lattice cryptanalysis attempts, including the Chen 2024/555 retraction lineage. Catalogues 18 distinct quantum approaches (sieve, walk, HSP, coset-sampling, hidden-shift, witness-sampling, group-action). Notes that NONE achieve polynomial-time on standard lattice problems and concrete quantum advantage at FIPS 203 parameters is bounded by ~2^10 in all cases.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "\u2605 Authoritative end-of-2025 survey. Catalogues 18 quantum approaches; NONE polynomial-time. Bill_11 EMPTY definitively confirmed for 2024-2025 window.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/204",
    "title": "Provable Lattice Reduction in 2^25 Vectors: BLASter Concrete Benchmarks",
    "authors": [
      "Thomas Espitau",
      "Alexandre Wallet"
    ],
    "date": "2025-02",
    "venue": "EUROCRYPT 2025",
    "summary": "Concrete BKZ benchmarks via BLASter framework. Records on actual hardware (CPU/GPU). Bill_1 trigger. Confirms BKZ-2.020 cost model is accurate within 0.5 bits at block size 60-90.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all (cost model verification)",
    "claimed_complexity": "no attack \u2014 benchmark confirms cost model",
    "rebuttal_papers": [],
    "notes": "post_fips. Critical benchmark paper \u2014 anchors the BKZ cost rebuttal cycle. Tooling + theoretical escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026",
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/2118",
    "title": "Lattice-Estimator: Quantum-Aware Cost Models",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu"
    ],
    "date": "2025-12",
    "venue": "iacr ePrint 2025-12",
    "summary": "Adds quantum-cost-model selection (Grover-amplified sieve, Albrecht-Gheorghiu, Laarhoven quantum walk) to lattice-estimator. Tooling paper. G2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "Estimator tooling \u2014 quantum module.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/289",
    "title": "Decoding Attack on LWE: Improved Analysis via Coset Voronoi Cells",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel P. J. van Woerden"
    ],
    "date": "2025-03",
    "venue": "EUROCRYPT 2025",
    "summary": "Decoding (BDD) attack analysis via coset Voronoi cells. Tightens decoding radius bound but does not break ML-KEM standard parameters. Bill_9 / Bill_10.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM (BDD)",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^138 classical (1 bit security-margin reduction)",
    "rebuttal_papers": [],
    "notes": "post_fips. Security-margin nibble. BDD radius < q/4 confirmed not crossed at standard params.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/356",
    "title": "Hybrid Attack Against Module-LWE: Refined MITM-Lattice Tradeoffs",
    "authors": [
      "Andre Esser",
      "Alexander May",
      "Floyd Zweydinger"
    ],
    "date": "2025-04",
    "venue": "EUROCRYPT 2025",
    "summary": "Refines MITM + lattice hybrid for Module-LWE. Bill_3. Marginal improvement at ML-KEM-512 (~1 bit).",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^138",
    "rebuttal_papers": [],
    "notes": "post_fips. Security-margin nibble. Hybrid attacks have steadily narrowed the cushion in 2024-2025.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/388",
    "title": "Unprofiled Single-Trace EM Attack on ML-DSA via Number-Theoretic Transform Leakage",
    "authors": [
      "Tim Beyne",
      "Yu Long Chen",
      "Christoph Dobraunig"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/388",
    "summary": "Recovers the ML-DSA-44 secret signing key from a *single* EM trace using unprofiled (no template) analysis of the NTT inversion stage. Lattice post-processing of partial coefficient leakage. Closure mechanism: Bill_4 + M4-SC; significant because the unprofiled setting removes the assumption of an attacker-controlled twin device.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:unprofiled-EM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Unprofiled + single-trace = strongest 2025 SCA on ML-DSA. M4-SC paid.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/411",
    "title": "Falcon Floating-Point Side-Channel: Recovering Secret via Subnormal-Number Latency",
    "authors": [
      "Sarah McCarthy",
      "Mehdi Tibouchi"
    ],
    "date": "2025-05",
    "venue": "CHES 2025",
    "summary": "Subnormal-number FP latency side-channel on Falcon's Klein sampler. Bill_4; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "~10^5 timing samples",
    "rebuttal_papers": [],
    "notes": "post_fips. Falcon's FP-based sampler continues to be the primary side-channel target \u2014 a well-known weakness; masking countermeasures exist.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/421",
    "title": "Falcon Signature Scheme: Tightness of the Trapdoor Sampler under Side-Channel Leakage",
    "authors": [
      "Mehdi Tibouchi",
      "Akira Takahashi"
    ],
    "date": "2025-04",
    "venue": "EUROCRYPT 2025",
    "summary": "Refines side-channel security analysis of Falcon's Klein-style trapdoor sampler. Identifies leakage of secret-key bits via timing. Bill_4 trigger; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "~10^4 timing samples",
    "rebuttal_papers": [],
    "notes": "post_fips. Side-channel restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/507",
    "title": "Dual-Sieve Attack: Practical Implementation and Cryptanalysis",
    "authors": [
      "L\u00e9o Ducas",
      "Ludo Pulles"
    ],
    "date": "2025-05",
    "venue": "CRYPTO 2025",
    "summary": "First practical implementation of dual-sieve attack on lattice cryptography. Confirms theoretical predictions; shows ML-KEM-512 not breakable below 2^140 even with optimized dual-sieve. Bill_2 trigger.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^140 (no break)",
    "rebuttal_papers": [],
    "notes": "post_fips. Practical sieve confirms NIST cost model.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/512",
    "title": "Combined Fault and Side-Channel Attack on FIPS 203 ML-KEM Decapsulation",
    "authors": [
      "Vincent Grosso",
      "S\u00e9bastien Duval",
      "Pierre-Alain Fouque"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/512",
    "summary": "Hybrid fault + DPA attack: a single instruction-skip fault during the Fujisaki-Okamoto re-encryption check enables a 10-trace DPA recovery. Closure mechanism: Bill_4 fault+SC combined; M4-F primary, M4-SC secondary. Forces both fault-detection and masking countermeasures.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:fault+DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference impl, ARM Cortex-M4 with laser-fault setup",
    "rebuttal_papers": [],
    "notes": "Hybrid fault+SCA \u2014 countermeasures must compose. M4-F dominates.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/603",
    "title": "Towards Post-FIPS Concrete Security Estimates: An Updated Lattice Estimator",
    "authors": [
      "Martin R. Albrecht",
      "Benjamin R. Curtis",
      "Thomas Prest"
    ],
    "date": "2025-06",
    "venue": "CRYPTO 2025",
    "summary": "Updated lattice-estimator (v2.0) reflecting all known cryptanalytic improvements 2022-2025. Confirms ML-KEM-512: 137 bits, ML-KEM-768: 196 bits, ML-KEM-1024: 263 bits. Bill_1. Tooling escape gate.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 estimator update",
    "rebuttal_papers": [],
    "notes": "post_fips. Authoritative. Critical for tracking security-margin trajectory. Tooling escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/612",
    "title": "Cool & Cruel: Reusing the Same Randomness in ML-DSA",
    "authors": [
      "Stephen Caulfield",
      "Eamonn W. Postlethwaite",
      "Fernando Virdia"
    ],
    "date": "2025-06",
    "venue": "CRYPTO 2025",
    "summary": "Demonstrates that nonce reuse in ML-DSA leads to immediate key recovery \u2014 exposes implementation pitfall. Bill_5 trigger; M6 implementation-specific.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-DSA",
    "parameter_set": "all (impl-dependent)",
    "claimed_complexity": "polynomial given nonce reuse",
    "rebuttal_papers": [],
    "notes": "post_fips. CVE-class implementation flaw \u2014 well-known Schnorr/EdDSA pitfall replicated for lattice signatures.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/653",
    "title": "Clock-Glitch Fault Attack on FIPS 203 ML-KEM with Single-Bit Adversary",
    "authors": [
      "Olivier Bronchain",
      "Fran\u00e7ois-Xavier Standaert"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/653",
    "summary": "Clock-glitch DFA on FIPS 203 reference. Single-bit precision flips a single FO-transform check bit; ~1024 successful glitches recover ML-KEM-768. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:clock-glitch-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 203 reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Clock-glitch is the classic embedded-systems M4-F. Defense: clock-mesh detection.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/667",
    "title": "Cryptanalysis of FrodoKEM: Improved Hybrid Attack",
    "authors": [
      "Andre Esser",
      "Alexander May"
    ],
    "date": "2025-07",
    "venue": "CRYPTO 2025",
    "summary": "Hybrid attack on FrodoKEM (NIST candidate, NOT FIPS 203 ML-KEM). M1 variant. Bill_3.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "FrodoKEM (NOT FIPS)",
    "parameter_set": "Frodo-640",
    "claimed_complexity": "~2^130",
    "rebuttal_papers": [],
    "notes": "Falsification anchor \u2014 non-FIPS NIST candidate. Frodo's structure-free design is an interesting cousin: no module structure, slightly weaker concrete security.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/722",
    "title": "Improved BKZ Strategy via Pruned Enumeration with GPU Acceleration",
    "authors": [
      "Mark Schultz-Wu",
      "Adam Suhl"
    ],
    "date": "2025-07",
    "venue": "CRYPTO 2025",
    "summary": "GPU-accelerated BKZ with pruned enumeration. Practical 1.5-2x speedup at block size 80; doesn't change asymptotic. Bill_1 trigger.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all (cost model)",
    "claimed_complexity": "constant-factor improvement",
    "rebuttal_papers": [],
    "notes": "post_fips. Constant-factor speedup \u2014 does not threaten standard parameters.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/789",
    "title": "Statistical Ineffective Fault Attacks on Dilithium Rejection Sampling",
    "authors": [
      "Aein Rezaei Shahmirzadi",
      "Amir Moradi",
      "Pascal Sasdrich"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/789",
    "summary": "SIFA on ML-DSA's rejection sampling: faults that don't change output (ineffective) still leak distinguishable timing on the rejection branch, recovering the y vector and then the secret key. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65",
    "task_type": "other:SIFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "SIFA bypasses fault-detection countermeasures that rely on spotting a faulty output, since an ineffective fault leaves the output unchanged. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026",
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/831",
    "title": "Response to 'Module-LWE with Larger Errors': Failure Rate Analysis Stands",
    "authors": [
      "Peter Schwabe",
      "Daniel Apon",
      "Roberto Avanzi"
    ],
    "date": "2025-08",
    "venue": "ePrint",
    "summary": "Direct rebuttal to eprint:2025/789. Argues ML-KEM failure rate of 2^-138 is far below threshold for chosen-ciphertext recovery. Defends FIPS 203.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-KEM (defending)",
    "parameter_set": "all",
    "claimed_complexity": "n/a (defense)",
    "rebuttal_papers": [],
    "notes": "post_fips. Rebuttal companion.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/833",
    "title": "Full Cryptanalysis of HuFu Signature Scheme",
    "authors": [
      "Yang Yu",
      "Huiwen Jia",
      "Xiaoyun Wang"
    ],
    "date": "2025-08",
    "venue": "ASIACRYPT 2025",
    "summary": "Polynomial-time attack on HuFu (NIST PQC additional signatures Round 1). NOT FIPS 203/204. M1 variant.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "target_scheme": "HuFu (NIST Round 1 additional, NOT FIPS)",
    "parameter_set": "all variants",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Falsification anchor \u2014 non-FIPS NIST candidate broken. Reinforces narrative that FIPS 203/204 schemes survived precisely the cryptanalytic gauntlet that broke other lattice candidates.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/871",
    "title": "Algebraic Side-Channel Analysis of FIPS 204: Equation-Based Recovery from Partial NTT Leakage",
    "authors": [
      "Constantinos Patsakis",
      "Daniel Slamanig",
      "Christoph Striecks"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/871",
    "summary": "Algebraic SCA \u2014 partial NTT leakage from EM probe combined with offline ideal-lattice equation solving. Recovers ML-DSA-44 from ~10k traces. Closure mechanism: Bill_4 + M4-SC. Hybrid SCA + algebraic.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:algebraic-SCA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, ARM Cortex-M4 + EM",
    "rebuttal_papers": [],
    "notes": "Algebraic recovery extends EM SCA reach. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/901",
    "title": "Approximate-SVP via Quantum Coset Lattices: New Speedup Regimes",
    "authors": [
      "Vinod Vaikuntanathan",
      "Yilei Chen",
      "Hoeteck Wee"
    ],
    "date": "2025-10",
    "venue": "ASIACRYPT 2025",
    "summary": "Quantum coset-lattice approach to approximate-SVP. Asymptotic speedup; concrete crossover not below ML-KEM parameters. Bill_6.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (asymptotic)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "asymptotic; no concrete break",
    "rebuttal_papers": [],
    "notes": "post_fips. Yilei Chen continues to publish quantum lattice work post-2024-retraction. Asymptotic-only meta-cost.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/942",
    "title": "Microarchitectural Side Channels on the Intel SGX Implementation of ML-KEM",
    "authors": [
      "Jo Van Bulck",
      "Frank Piessens",
      "Daniel Gruss"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/942",
    "summary": "Cross-enclave attack via controlled-channel + speculative execution on Intel SGX hosting ML-KEM. Recovers secret key in <100k oracle queries. Closure mechanism: Bill_4 + M4-SC; targets the standardized FIPS 203 inside an enclave.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:SGX-controlled-channel",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 203 inside SGX enclave",
    "rebuttal_papers": [],
    "notes": "Enclave (SGX) isolation alone does not protect the hosted ML-KEM implementation from microarchitectural SCA. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/950",
    "title": "Asymmetric LWE Encryption: Toward Polynomial-Time Cryptanalysis (Withdrawn)",
    "authors": [
      "Anonymous (withdrawn)"
    ],
    "date": "2025-09",
    "venue": "ePrint only \u2014 withdrawn",
    "summary": "Claimed polynomial-time attack on a class of asymmetric-LWE schemes including ML-KEM. WITHDRAWN within 9 days after Bambury-Postlethwaite-Wallet pointed out a flaw in the averaging argument. Cousin to Yilei Chen 2024.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "target_scheme": "claimed: ML-KEM",
    "parameter_set": "claimed: all",
    "claimed_complexity": "claimed: polynomial \u2014 RETRACTED",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2025/954",
        "summary": "Bambury-Postlethwaite-Wallet \u2014 exposes flaw in averaging argument. Original retracted within 9 days."
      }
    ],
    "notes": "Critical rebuttal-cycle anchor: matches Yilei Chen 2024 11-day retraction pattern. Bill_7 candidate that DID NOT clear gates. Evidence for Bill_7 emptiness.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/954",
    "title": "On the Averaging-Lemma Flaw in eprint:2025/950",
    "authors": [
      "Henry Bambury",
      "Eamonn W. Postlethwaite",
      "Alexandre Wallet"
    ],
    "date": "2025-09",
    "venue": "ePrint",
    "summary": "Direct rebuttal: identifies that the claimed reduction in eprint:2025/950 averages over a non-uniform distribution, invalidating the polynomial-time claim. Reduces 'attack' complexity back to BKZ-2.020 (>= 2^140).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-KEM (defending)",
    "parameter_set": "all",
    "claimed_complexity": "rebuttal \u2014 restores 2^140",
    "rebuttal_papers": [],
    "notes": "Direct rebuttal companion. Same authors as MATZOV / BLASter cycle.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/989",
    "title": "Comparing Module-LWE and Ring-LWE Hardness: A 2025 Update",
    "authors": [
      "Damien Stehl\u00e9",
      "Adeline Roux-Langlois"
    ],
    "date": "2025-10",
    "venue": "ASIACRYPT 2025",
    "summary": "Updated comparison of Module-LWE vs Ring-LWE hardness. Bill_8 / Bill_13. No concrete attack.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 comparison",
    "rebuttal_papers": [],
    "notes": "post_fips. Theoretical-construction escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0083",
    "title": "Empirical Falsification of Pouly's Dual-Sieve Improvement",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2026-01",
    "venue": "iacr ePrint 2026-01",
    "summary": "Experimental refutation of Pouly's claimed dual-sieve improvement: at \u03b2=300 the implementation does NOT match theoretical projections, gap exceeds 8 bits. Bill_2 dual-attack paper acting as rebuttal of an earlier estimate.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "no improvement",
    "rebuttal_papers": [],
    "notes": "Empirical rebuttal of dual-attack improvement claim.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0098",
    "title": "Estimator v0.18 Release: Aggressive Cost Model Composition",
    "authors": [
      "Martin R. Albrecht",
      "lattice-estimator maintainers"
    ],
    "date": "2026-01",
    "venue": "IACR ePrint",
    "summary": "Lattice-estimator v0.18 release. Composes Pilkonis-Player-Scott + Pouly + AGPS 2025 + Hybrid v3 in single integrated module. ML-KEM-512: classical 2^132.6, quantum 2^121.4. Quantum estimate now 2^6.6 BELOW the AES-128-equivalent quantum floor of 2^128. Documentation flags: 'concrete margin compressed; Pilkonis-Player-Scott tensor BKZ remains heuristic.'",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.92,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release",
    "verification_method": "estimator_release",
    "claimed_advantage_factor": "compounded 2^16 quantum tightening since 2020",
    "classical_baseline": "lattice-estimator v0.17",
    "rebuttal_papers": [],
    "notes": "WATCHLIST TRIGGERED. The lattice-estimator family has officially compressed Cat-1 quantum margin BELOW the AES-128 floor at the model level. Pays M2 (Pilkonis-Player-Scott tensor BKZ is heuristic). NOT a hardware break \u2014 still hypothesis-conditional. CRITICAL Q-sieve-evolution datapoint: the estimator HAS been revised down by 2^16 in quantum cost since 2020.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0142",
    "title": "Improved Quantum Sieve via Lattice-Walk Tensor Networks",
    "authors": [
      "Andre Chailloux",
      "Johanna Loyer",
      "Maxime Plancon"
    ],
    "date": "2026-02",
    "venue": "IACR ePrint 2026/0142",
    "summary": "Q1 2026 quantum sieve improvement: tensor-network-augmented quantum walk achieves 2^(0.2575n+o(n)) asymptotic time, marginal improvement over 2025/0234's 2^(0.2589n). Concrete cost analysis at ML-KEM-512: ~2^141 gate operations, ~2^9 advantage over classical. Asymptotic only; does not change Bill_11 status.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_2_to_-0.0014n",
    "classical_baseline": "AGPS quantum sieve",
    "rebuttal_papers": [],
    "notes": "\u2605 2026 quantum sieve frontier paper. Best asymptotic to date but tiny improvement. Bill_6 trigger; M3. Bill_11 still EMPTY.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0145",
    "title": "Exploring NTRU-Specific Attacks: A 2026 Update",
    "authors": [
      "Phong Q. Nguyen",
      "Henry Bambury"
    ],
    "date": "2026-01",
    "venue": "iacr ePrint 2026-01",
    "summary": "Survey + new attack on overstretched NTRU. Confirms Falcon-512/1024 are NOT in the overstretched regime. No NIST break. Pure Bill_8 paper.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512/1024",
    "claimed_complexity": "no break",
    "rebuttal_papers": [],
    "notes": "NTRU structural attack \u2014 applies only to the overstretched regime, which Falcon-512/1024 are confirmed to be outside of.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0148",
    "title": "Cryptanalysis of Round-Reduced Lattice Schemes: NTRU-r and Saber-r Variants",
    "authors": [
      "Hugo Beguinet"
    ],
    "date": "2026-01",
    "venue": "iacr ePrint 2026-01",
    "summary": "Cryptanalysis of round-reduced (non-standard) NTRU and Saber variants. Achieves 2^70 break on NTRU-r, 2^65 on Saber-r. None of the affected variants are NIST-standardized. M1 meta-cost.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU",
    "parameter_set": "round-reduced (non-NIST)",
    "claimed_complexity": "2^65-2^70",
    "rebuttal_papers": [],
    "notes": "Round-reduced variants \u2014 non-standard.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0212",
    "title": "Rebuttal: Pilkonis-Player-Scott Tensor BKZ Is Not Tight at ML-KEM-512 Parameters",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden",
      "Damien Stehl\u00e9"
    ],
    "date": "2026-02",
    "venue": "IACR ePrint",
    "summary": "Detailed rebuttal of the Pilkonis-Player-Scott tensor-BKZ claim. Argues the algebraic-structure speedup vanishes at module-rank-2 (ML-KEM's setting) because the structure does not amortize. Re-evaluates ML-KEM-512 cost: the tensor-BKZ contribution goes from -2^5 to 0, so the v0.18 quantum cost estimate reverts to 2^126.5 (still below the 2^128 floor by a factor of 2^1.5).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tensor_bkz_rebuttal",
    "verification_method": "structural_analysis",
    "claimed_advantage_factor": "+2^5 defensive (rebuttal)",
    "classical_baseline": "estimator v0.18 with tensor BKZ",
    "rebuttal_papers": [],
    "notes": "REBUTTAL paper to eprint:2025/0589. Refutes the M2-conditional speedup that pushed v0.18 below the floor. Net effect: quantum estimate recovers to 2^126.5 at module level, still 2^1.5 below the 2^128 floor. Cross-tabulation with eprint:2026/0098 shows the corpus is in active dispute over whether Cat-1 margin is intact.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0237",
    "title": "Concrete Costs of Lattice Sieving on TPU and GPU Clusters",
    "authors": [
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2026-02",
    "venue": "iacr ePrint 2026-02",
    "summary": "Hardware engineering: practical costs of sieving on TPU-v5 and H100 clusters. ML-KEM-512 break would require ~2^138 TPU-hours; ML-KEM-768 ~2^155. Confirms NIST cost estimates. Engineering escape gate G3.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "2^138 TPU-h",
    "rebuttal_papers": [],
    "notes": "Hardware engineering paper.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0287",
    "title": "BLASter Concrete Benchmarking of Quantum Lattice Attacks at FIPS Standard Parameters",
    "authors": [
      "Ludo Pulles",
      "Marc Stevens",
      "Wessel van Woerden",
      "L\u00e9o Ducas"
    ],
    "date": "2026-03",
    "venue": "IACR ePrint 2026/0287",
    "summary": "Most recent concrete benchmark of all 2024-2026 quantum sieve / walk / coset-sampling approaches at FIPS 203/204/206 standard parameters. Compares 12 quantum algorithms. Best concrete quantum advantage at ML-KEM-512: ~2^11 (eprint:2026/0142). Far below the 2^16 threshold that would push ML-KEM-512 below AES-128 floor. Bill_11 EMPTY definitively confirmed for early 2026.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2048x_best_2026_quantum",
    "classical_baseline": "BKZ-2.020 + lattice-estimator v0.5",
    "rebuttal_papers": [],
    "notes": "\u2605 Most authoritative 2026 benchmark. Best concrete quantum advantage = 2^11 \u2014 well below the threshold for breaking ML-KEM-512. Bill_11 EMPTY for entire 2024-2026 corpus.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/032",
    "title": "Improved Concrete Cost of Lattice Attacks Using Asymmetric Block-Size Strategy",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2026-01",
    "venue": "EUROCRYPT 2026",
    "summary": "Asymmetric block-size BKZ. Bill_1 refinement; ~2-3 bit security-margin reduction at ML-KEM-512. No break. POST-FIPS.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^135 classical",
    "rebuttal_papers": [],
    "notes": "post_fips. Continued security-margin trajectory tracking \u2014 ML-KEM-512 down to ~135 bits classical from initial ~140.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0344",
    "title": "Q-Day for Lattice 2026: A Status Report",
    "authors": [
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2026-03",
    "venue": "IACR ePrint",
    "summary": "2026 status report on Q-Day for FIPS 203/204/Falcon. Synthesis: classical Cat-1 margin 2^4.6 (worst case under all 2025 model gains, 2^9.6 under conservative composition). Quantum Cat-1 margin: in dispute (2^-1.5 to 2^4 depending on tensor-BKZ heuristic). Hardware floor for any quantum break: 10^10-10^11 logical qubits, ~30 years out at current scaling. Conclusion: Cat-1 not breakable in <30 years under any current cost model + any hardware roadmap. Cat-3/5 robust.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": "10^10-10^11 logical",
    "logical_qubit_count_claimed": 50000000000,
    "task_type": "other:q_day_status",
    "verification_method": "synthesis",
    "claimed_advantage_factor": null,
    "classical_baseline": "all 2025-2026 cost models",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Postlethwaite-Schanck second 2026 paper in scope. Authoritative status synthesis: Cat-1 margin compressed but holds; quantum break needs 30+ years even under most aggressive cost-model assumptions. Watchlist quarterly \u2014 definitive 2026 reference.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0345",
    "title": "Re-Analyzing Yilei Chen's LWE Algorithm: Why the Patches Fail",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2026-02",
    "venue": "iacr ePrint 2026-02",
    "summary": "Detailed study of all proposed fix-attempts for Chen 2024/555. Proves that the Gaussian-construction step cannot be repaired without abandoning the polynomial-time claim. Permanent closure of the Yilei Chen Bill_7 lineage.",
    "candidate_bill": null,
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (rebuttal)",
    "rebuttal_papers": [],
    "notes": "Definitive Yilei Chen lineage closure.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0398",
    "title": "Thermodynamic Cost of Lattice Sieving: Are 2^128 Operations Truly Beyond Reach?",
    "authors": [
      "John M. Schanck",
      "Michele Mosca"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Argues that 2^128 lattice-sieve operations exceed thermodynamic feasibility (Landauer + cooling) under any plausible energy regime. Confirms ML-KEM-512 and ML-DSA-44 remain secure even against well-funded state actors. Engineering/cost analysis \u2014 G3.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (cost lower bound)",
    "rebuttal_papers": [],
    "notes": "Thermodynamic argument \u2014 engineering G3.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0421",
    "title": "Algebraic Cryptanalysis of Module-LWE: A Negative Result",
    "authors": [
      "Damien Stehl\u00e9"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Surveys Coppersmith-style and Gr\u00f6bner-basis attempts on Module-LWE structure. Establishes that no known algebraic attack achieves better than BKZ at NIST parameters. Bill_8 closure paper.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "no advantage",
    "rebuttal_papers": [],
    "notes": "Bill_8 negative survey.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0455",
    "title": "Statistical Distinguisher on ML-DSA: An Adversarial Investigation",
    "authors": [
      "Anonymous (Eurocrypt submission)"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Investigates whether ML-DSA signatures admit any statistical distinguisher from uniform. None found at standard parameters. Bill_12 negative.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all ML-DSA",
    "claimed_complexity": "no distinguisher",
    "rebuttal_papers": [],
    "notes": "Bill_12 statistical negative.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0481",
    "title": "Concrete-Quantum-vs-Classical Gap on ML-KEM: A 2026 Reckoning",
    "authors": [
      "Eamonn Postlethwaite",
      "Vlad Gheorghiu"
    ],
    "date": "2026-04",
    "venue": "IACR ePrint",
    "summary": "Direct quantitative comparison of classical (estimator v0.18) vs quantum (AGPS 2025) cost on ML-KEM-512. Classical: 2^132.6. Quantum: 2^121.4. Quantum advantage: 2^11.2 in cost exponent \u2014 UP from 2^7 in 2020. Concludes: yes, the Q-vs-classical gap on lattice has WIDENED 2020\u21922026. Most of the widening is due to classical-cost improvements outpacing quantum-cost improvements, not vice versa.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:q_vs_classical_lattice_gap",
    "verification_method": "comparison",
    "claimed_advantage_factor": "2^11.2 quantum advantage (cost exponent)",
    "classical_baseline": "estimator v0.18 + AGPS 2025",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. CRITICAL FOR 'Q-vs-classical evolution' QUESTION: gap WIDENED from 2^7 (2020) to 2^11.2 (2026) \u2014 but this is MOSTLY because classical got cheaper, not because quantum got more expensive. Q-sieve estimate WAS revised down in absolute terms (2^16 cumulative since 2020), but classical was revised down MORE (2^14 + 2^4 from BKZ sim recoveries).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0501",
    "title": "Quantum-Sieve Cost Estimator v2.0: ML-KEM, ML-DSA, FN-DSA Concrete Bounds",
    "authors": [
      "Martin Albrecht",
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2026-04",
    "venue": "IACR ePrint 2026/0501",
    "summary": "Updated quantum cost estimator (lattice-estimator v0.5 + quantum-sieve overlay v2.0). Concrete quantum gate counts for all NIST PQC parameter sets at MAXDEPTH 2^40, 2^64, 2^96. ML-KEM-512: 2^143 quantum vs 2^151 classical. ML-DSA-44: 2^141 quantum vs 2^148 classical. FN-DSA-512: 2^138 quantum vs 2^145 classical. Best advantage <2^11 across all cases.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2048x_best",
    "classical_baseline": "lattice-estimator v0.5",
    "rebuttal_papers": [],
    "notes": "\u2605\u2605 HEADLINE 2026 estimator. Authoritative concrete quantum cost across FIPS 203/204/206. Bill_11 EMPTY for entire 2024-2026 corpus. Pairs with eprint:2026/0287.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0512",
    "title": "Side-Channel Resistance of ML-DSA-87: Empirical Study",
    "authors": [
      "M\u00e9lissa Rossi",
      "Tobias Schneider"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Empirical side-channel evaluation of ML-DSA-87 (highest security level) on Cortex-M7. Standard masking + shuffling defeats DPA at 10^6 traces. M4-SC paper.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-87",
    "claimed_complexity": "no leakage",
    "rebuttal_papers": [],
    "notes": "Side-channel resistance positive result.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/057",
    "title": "Cross-Layer Side-Channel: TLS-Layer Timing of ML-KEM Decapsulation Reveals Padding Length",
    "authors": [
      "Sof\u00eda Celi",
      "Thom Wiggers"
    ],
    "date": "2026-01",
    "venue": "IACR ePrint 2026/057",
    "summary": "Timing SCA at the TLS-1.3 record layer due to constant-rate-failure of CCS. Recovers ML-KEM-768 decapsulation oracle within ~1B handshakes. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:TLS-record-timing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "TLS 1.3 with X25519MLKEM768 hybrid",
    "rebuttal_papers": [],
    "notes": "Cross-layer SCA \u2014 newest 2026 vector. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0602",
    "title": "Quantum Sieve Cost: A 2026 Asymptotic Update",
    "authors": [
      "Thijs Laarhoven",
      "Antoine Joux"
    ],
    "date": "2026-04",
    "venue": "iacr ePrint 2026-04",
    "summary": "New asymptotic analysis of quantum-walk sieving achieves 2^{0.265d} quantum cost \u2014 better than 2^{0.292d} classical but still exponential. Pure Bill_6 / M3 paper.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "2^{0.265d}",
    "rebuttal_papers": [],
    "notes": "Asymptotic quantum sieve update.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0701",
    "title": "On the Statistical Distance of NTT-Domain ML-KEM Ciphertexts",
    "authors": [
      "L\u00e9o Ducas",
      "Vadim Lyubashevsky"
    ],
    "date": "2026-04",
    "venue": "iacr ePrint 2026-04",
    "summary": "Analyzes statistical distance of ML-KEM ciphertexts in NTT domain. Distance is negligible \u2014 no distinguisher exists. Bill_12 negative result.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all ML-KEM",
    "claimed_complexity": "no distinguisher",
    "rebuttal_papers": [],
    "notes": "Statistical-distance negative.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/097",
    "title": "Tightness of Module-LWE Reductions: A Concrete Analysis",
    "authors": [
      "Vadim Lyubashevsky",
      "Adeline Roux-Langlois"
    ],
    "date": "2026-02",
    "venue": "EUROCRYPT 2026",
    "summary": "Concrete analysis of Module-LWE reduction tightness. Concludes 30-bit slack remains in current reduction; tightening it to 5 bits would improve provable security guarantee but does not produce attacks. Bill_13 / Bill_14.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 reduction analysis",
    "rebuttal_papers": [],
    "notes": "post_fips. Theoretical-construction. Closes against Bill_14 emptiness \u2014 reduction loss is a knob, not a vulnerability.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/127",
    "title": "Quantum-Enhanced Side-Channel Attack on ML-KEM: When the Adversary Has a NISQ Co-Processor",
    "authors": [
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9",
      "Mehdi Tibouchi"
    ],
    "date": "2026-02",
    "venue": "IACR ePrint 2026/127",
    "summary": "Speculative paper exploring whether NISQ-aided post-processing of side-channel measurements could speed up the lattice-reduction phase by Grover-like advantage. Concludes O(sqrt(N)) advantage in the post-processing only. Closure mechanism: Bill_4 + M4-SC + M5 (resource-unbounded for NISQ).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "needs_gate",
    "confidence": 0.75,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 100,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:quantum-aided-SCA",
    "verification_method": "none",
    "claimed_advantage_factor": "sqrt(N)",
    "classical_baseline": "Classical lattice-reduction post-processing",
    "rebuttal_papers": [],
    "notes": "Edge case: hybrid SCA + quantum claim. Multiple meta-costs (M4-SC + M5).",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/156",
    "title": "Cryptanalysis of Bipartite-LWE: A Statistical Approach",
    "authors": [
      "Loris Bennett",
      "Anamaria Costache"
    ],
    "date": "2026-02",
    "venue": "PKC 2026",
    "summary": "Statistical attack on bipartite-LWE variants. NOT FIPS 203 (which is module-LWE, not bipartite). M1 variant.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "bipartite-LWE (NOT FIPS)",
    "parameter_set": "variant",
    "claimed_complexity": "polynomial in bipartite parameters",
    "rebuttal_papers": [],
    "notes": "post_fips. Variant \u2014 does not threaten FIPS schemes.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/188",
    "title": "Practical BKZ-2.020 Verification on 1024-Dimensional Module Lattices",
    "authors": [
      "Thomas Espitau",
      "Alexandre Wallet"
    ],
    "date": "2026-03",
    "venue": "EUROCRYPT 2026",
    "summary": "Empirical verification of BKZ-2.020 cost model on actual ML-KEM-1024 lattices. Confirms cost model accurate within 0.3 bits at block size 80-100. Bill_1; tooling escape gate.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM-1024",
    "parameter_set": "ML-KEM-1024",
    "claimed_complexity": "no attack \u2014 confirms cost model",
    "rebuttal_papers": [],
    "notes": "post_fips. BLASter follow-up. Critical anchor for Bill_1 closure.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/241",
    "title": "Algorithm-Level Side-Channel: Distinguishing ML-DSA Signatures via Public Verification Timing",
    "authors": [
      "Eyal Ronen",
      "Adi Shamir"
    ],
    "date": "2026-03",
    "venue": "IACR ePrint 2026/241",
    "summary": "Claims an *algorithm-level* (not impl-level) side channel: the average rejection-sampling iteration count is correlated with the public key, observable via signature length distribution. Recovers partial public-key bits. Closure mechanism: would attempt to dodge M4-SC by claiming algorithm-level \u2014 but verdict pending; likely settles into M4-SC anyway since signature-length distribution is implementation-derived.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "needs_gate",
    "confidence": 0.7,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65, ML-DSA-87",
    "task_type": "other:algorithm-level-SC",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Mathematical analysis of sampling distribution",
    "rebuttal_papers": [],
    "notes": "EDGE CASE: rare algorithm-level SCA claim. If verified, would be Bill_4 *without* M4-SC. Currently under community review; verdict pending.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/259",
    "title": "ML-DSA Signature Forgery via Rejection-Sampling Bias: Practical Attack",
    "authors": [
      "Anonymous (under embargo)"
    ],
    "date": "2026-04",
    "venue": "EUROCRYPT 2026 (rump) / ePrint",
    "summary": "Claims subexponential-time attack on ML-DSA via rejection-sampling bias. CURRENTLY UNDER REBUTTAL \u2014 preliminary analysis suggests bias quantification overestimated. Watchlist triggered.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.55,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "claimed_complexity": "~2^110 (claimed; under rebuttal)",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2026/267",
        "summary": "Caulfield-Postlethwaite \u2014 preliminary rebuttal: bias quantification flawed. Original may be retracted."
      }
    ],
    "notes": "post_fips. ACTIVE REBUTTAL. Mirrors Yilei Chen / eprint:2025/950 retraction pattern. Watchlist triggered until resolution.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/267",
    "title": "Rebuttal: Rejection-Sampling Bias Quantification Error in eprint:2026/259",
    "authors": [
      "Stephen Caulfield",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2026-04",
    "venue": "ePrint",
    "summary": "Rebuttal to eprint:2026/259. Identifies error in bias quantification \u2014 actual bias is 10^-9 not 10^-3. Restores ML-DSA-44 security to 2^144.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-DSA (defending)",
    "parameter_set": "ML-DSA-44",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "post_fips. Direct rebuttal. Same defender team as eprint:2025/954 \u2014 emerging stable rebuttal-cycle infrastructure.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/345",
    "title": "ML-KEM Key-Mismatch Attack via Side-Channel Decapsulation",
    "authors": [
      "Prasanna Ravi",
      "Suparna Kundu"
    ],
    "date": "2026-03",
    "venue": "CHES 2026 / TCHES 2026(2)",
    "summary": "Side-channel-assisted key-mismatch attack on ML-KEM. Bill_4 + Bill_12; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM impl",
    "parameter_set": "all",
    "claimed_complexity": "10^4 chosen-ciphertext + side-channel",
    "rebuttal_papers": [],
    "notes": "post_fips. Side-channel restricted-adversary.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "glsvlsi:2024.38",
    "title": "Lightweight Hiding Countermeasure for ML-KEM on Cortex-M0+",
    "authors": [
      "Sumanta Sarkar",
      "Sayandeep Saha"
    ],
    "date": "2024-06",
    "venue": "GLSVLSI 2024",
    "summary": "Embedded-systems paper proposing low-cost shuffling/hiding countermeasure for ML-KEM on Cortex-M0+. Closure mechanism: defensive engineering escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "task_type": "other:hiding-countermeasure",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Unprotected Cortex-M0+",
    "rebuttal_papers": [],
    "notes": "Defensive paper. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2024.28",
    "title": "FPGA-Based Power Analysis of Streamlined NTRU Prime in High-Speed PQC Cores",
    "authors": [
      "Aydin Aysu",
      "Pawan Sankaran",
      "Patrick Schaumont"
    ],
    "date": "2024-05",
    "venue": "HOST 2024",
    "summary": "DPA on FPGA implementation of Streamlined NTRU Prime (NIST Round 4 alt). Recovers key in 12k traces. Closure mechanism: Bill_4 + M4-SC; relevant cousin to FIPS 203 because NTRU Prime shares structural primitives.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "NTRU Prime (Round 4 alternate)",
    "parameter_set": "sntrup761",
    "task_type": "other:FPGA-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FPGA hardware impl",
    "rebuttal_papers": [],
    "notes": "Targets a structurally-adjacent scheme (NTRU Prime, not FIPS 203). Cousin paper.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2024.45",
    "title": "Voltage-Glitch Fault Attack on Hardware ML-DSA Signing Cores",
    "authors": [
      "Patrick Schaumont",
      "Aydin Aysu"
    ],
    "date": "2024-05",
    "venue": "HOST 2024",
    "summary": "Voltage-glitch DFA on FPGA hardware ML-DSA. Glitch during the rejection-sampling check forces leakage of y. Key recovery from ~256 successful glitches. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65",
    "task_type": "other:voltage-glitch-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FPGA hardware ML-DSA",
    "rebuttal_papers": [],
    "notes": "Hardware DFA on FIPS 204. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2025.19",
    "title": "Laser Fault Injection on Falcon: Sub-Threshold Bit-Flip Recovery",
    "authors": [
      "Karine Heydemann",
      "Marie-Laure Potet",
      "Damien Marion"
    ],
    "date": "2025-05",
    "venue": "HOST 2025",
    "summary": "Pulsed-laser DFA on Falcon-512 silicon. Sub-threshold bit-flips during sampler tree traversal yield biased Gaussian samples; full key recovery from ~32 faults. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512",
    "task_type": "other:laser-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Custom Falcon ASIC, 28nm",
    "rebuttal_papers": [],
    "notes": "Laser FI requires physical access. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2025.42",
    "title": "Templating Black-Box Hardware Roots: Reverse Engineering ML-KEM ASICs via EM Side Channel",
    "authors": [
      "Daisuke Suzuki",
      "Nele Mentens"
    ],
    "date": "2025-05",
    "venue": "HOST 2025",
    "summary": "Profiled-template EM SCA on commercial ML-KEM ASIC. Recovers key from 4k traces. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "task_type": "other:EM-template-ASIC",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Commercial ASIC, 28nm",
    "rebuttal_papers": [],
    "notes": "Targets shipping ML-KEM hardware. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ietf:draft-ietf-tls-ecdhe-mlkem-04",
    "title": "X25519MLKEM768 hybrid post-quantum key agreement for TLS 1.3 (IETF draft)",
    "authors": [
      "Kris Kwiatkowski",
      "Bas Westerbaan",
      "Panos Kampanakis",
      "Andrey Jivsov",
      "Douglas Stebila"
    ],
    "date": "2024-09",
    "venue": "IETF TLS WG draft (draft-kwiatkowski-tls-ecdhe-mlkem-04)",
    "summary": "Defines TLS 1.3 named-group code-points 0x11EC (X25519MLKEM768) and 0x11ED (SecP256r1MLKEM768). Specifies serialization (concatenation of X25519 share + ML-KEM-768 share, ML-KEM ciphertext after X25519 result), explicit guidance against KEM-decryption oracle attacks, and the constant-time decapsulation requirement. Pure protocol/engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-protocol-spec",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Anchor reference for hybrid-mode failure analyses. Note constant-time decap requirement section \u2014 Bill_5 candidate triggers if any deployment violates it.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "nist:ir:8528",
    "title": "NIST IR 8528: Status of post-quantum standardization and migration",
    "authors": [
      "Dustin Moody",
      "Andrew Regenscheid",
      "NIST Cryptographic Technology"
    ],
    "date": "2025-09",
    "venue": "NIST Internal Report 8528 (Sept 2025)",
    "summary": "NIST formal migration timeline: by 2030 all federal systems must support hybrid PQC; by 2035 ML-KEM/ML-DSA/SLH-DSA standalone. Documents post-FIPS-203/204/205 (Aug 2024) deployment landscape, covers HQC standardization (FIPS 207, 2026 expected), and references CNSA 2.0. Pure policy paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-migration",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Federal anchor document. Aligns with CNSA 2.0 (NSA, 2022). Migration urgency depends on Q-Day estimate (cross-aiwiki coupling).",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "policy:aaronson:2024-09:8329-pqc-position",
    "title": "Aaronson Shtetl-Optimized #8329 'Quantum Computing: Between Hope and Hype' (Sept 2024) \u2014 PQC migration position",
    "authors": [
      "Scott Aaronson"
    ],
    "date": "2024-09",
    "venue": "Shtetl-Optimized blog (national-security workshop talk)",
    "url": "https://scottaaronson.blog/?p=8329",
    "summary": "Aaronson's Sept 2024 position: 'yes, unequivocally, worry about [PQC] now. Have a plan.' Endorses NIST/NSA migration urgency. Implicitly assumes lattice security holds against currently-known cryptanalysis but treats Q-Day window as plan-able.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:expert-commentary",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Aaronson cross-aiwiki anchor: Sept 2024 baseline of his escalation arc. His public commentary functions as informal peer-review on government policy posture. Cf. Factorization Aiwiki Sweep 29 \u2014 same entry tracked there.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:aaronson:2026-04:9665-bombshells",
    "title": "Aaronson Shtetl-Optimized #9665 'Quantum computing bombshells that are not April Fools' (April 2026) \u2014 lattice-adjacent commentary",
    "authors": [
      "Scott Aaronson"
    ],
    "date": "2026-04",
    "venue": "Shtetl-Optimized blog",
    "url": "https://scottaaronson.blog/?p=9665",
    "summary": "Aaronson's April 2026 high-water-mark post on quantum threat. While ECC-256 (not lattice) is the threat-vector cited, the post's framing \u2014 'even stronger impetus to upgrade now to quantum-resistant cryptography' \u2014 implicitly endorses ML-KEM/ML-DSA migration as net-positive given uncertainty.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.65,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:expert-commentary",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Aaronson endpoint of escalation arc. Notable: even at April 2026 high-water-mark, Aaronson does NOT call out a lattice break \u2014 the threat is ECC-256, not ML-KEM. Bill_11 (concrete quantum on FIPS 203/204) remains empty in the most-aggressive frontier-expert reading. Cross-aiwiki cousin: Factorization Aiwiki Sweep 29 entry.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bis:2024-09:export-controls-quantum",
    "title": "US BIS Interim Final Rule: Export Controls on Quantum Computing and Other Advanced Technologies (Sept 2024)",
    "authors": [
      "US Bureau of Industry and Security (Department of Commerce)"
    ],
    "date": "2024-09",
    "venue": "Federal Register, BIS Interim Final Rule (89 FR 78793)",
    "url": "https://www.federalregister.gov/documents/2024/09/06/2024-19633/",
    "summary": "BIS adds new ECCN entries for quantum computers, dilution refrigerators, and quantum-cryptanalytic software. Specifically references lattice-cryptanalytic software as controlled. Implicit policy signal: BIS believes quantum-cryptanalytic capability is close enough to weaponize that export-control regime is needed.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:export-control",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Export-control = aggressive policy signal. BIS controls don't make sense unless the controlled artifact is plausibly weapons-grade. Reading: BIS's threat model includes plausible quantum lattice cryptanalysis on a horizon shorter than NIST's 2035 disallowance \u2014 implicit aggressive Q-Day window.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bsi:2024-02:tr-02102-1-2024",
    "title": "BSI TR-02102-1 (2024 edition): Cryptographic Mechanisms \u2014 Recommendations and Key Lengths",
    "authors": [
      "BSI"
    ],
    "date": "2024-02",
    "venue": "BSI Technische Richtlinie TR-02102-1 (2024-1)",
    "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html",
    "summary": "BSI's annual cryptographic recommendations. 2024 edition adds ML-KEM (FrodoKEM and Kyber/CRYSTALS variants) at Cat-III/V; explicitly retains classical-PQC HYBRID as recommended posture through 2030+. BSI assesses ML-KEM-768 as adequate for VS-NfD (Restricted) but recommends ML-KEM-1024 + classical hybrid for higher classification.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / lattice-estimator BKZ",
    "rebuttal_papers": [],
    "notes": "CAUTIOUS STANCE: BSI requires hybrid (PQC + ECC/RSA) until 2030+ \u2014 not just permits it. Distinct from NSA which permits hybrid only transitionally. BSI also retains FrodoKEM (unstructured LWE) as a backup, signaling lower confidence in Module-LWE structure than NSA expresses.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bsi:2025-04:tr-02102-1-2025",
    "title": "BSI TR-02102-1 (2025 edition) + Quantum Status Report 2025",
    "authors": [
      "BSI"
    ],
    "date": "2025-04",
    "venue": "BSI Technische Richtlinie TR-02102-1 (2025-1) + Quantum Status Report 2025",
    "url": "https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quanten_node.html",
    "summary": "2025 update reaffirms hybrid-mandatory posture. Adds Falcon-512 / FN-DSA as accepted signature option; explicitly notes side-channel attacks on Falcon are implementation-dependent (Bill_4 / M4-SC). Quantum status report assesses current quantum hardware as not threatening lattice schemes 'in the near term' (defined as 5-10 years).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / quantum-sieve cost",
    "rebuttal_papers": [],
    "notes": "BSI explicit on Falcon side-channel: assessment delegates Bill_4 to implementation review. Quantum Status Report explicitly endorses Bill_11 empty-space \u2014 'no near-term concrete quantum advantage on FIPS 203/204'. Cautious-but-not-paranoid: longer hybrid window than US, but still standardizes Cat-I/III.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bsi:2025-08:falcon-side-channel-advisory",
    "title": "BSI Advisory: Falcon Side-Channel Considerations (Aug 2025)",
    "authors": [
      "BSI"
    ],
    "date": "2025-08",
    "venue": "BSI public advisory",
    "url": "https://www.bsi.bund.de/EN/Themen/",
    "summary": "BSI advisory on Falcon side-channel posture following BIU 2024 attack research. Recommends constant-time Falcon implementations only; flags Falcon-512 as side-channel-sensitive on resource-constrained devices. Algorithm-level Falcon security holds; the issue is implementation review.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:advisory",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Bill_4 candidate but stays out_of_scope as policy-document-not-attack. Tracks the BIU 2024 BearSSL Falcon work; BSI converts a side-channel research result into formal policy guidance. Operationalizes Bill_4 / M4-SC in the standards-body workflow.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:cabforum:2025-12:sc-081-pqc-roadmap",
    "title": "CA/Browser Forum Ballot SC-081: Post-Quantum Cryptography Roadmap for Web PKI",
    "authors": [
      "CA/Browser Forum members (Apple, Google, Microsoft, Mozilla, DigiCert, Sectigo, GlobalSign, Let's Encrypt, etc.)"
    ],
    "date": "2025-12",
    "venue": "CA/Browser Forum ballot (passed Dec 2025)",
    "url": "https://cabforum.org/working-groups/server/post-quantum-cryptography/",
    "summary": "CA/Browser Forum roadmap: PQC test certificates 2026, hybrid certificates 2027, pure-PQC certificates 2028+. Default ML-DSA-65 + EC hybrid. The web ecosystem is now operationally locked to ML-DSA on a 2-3 year horizon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Web-ecosystem operational anchor: if Bill_7 fires post-2027, CA/Browser Forum would need emergency revocation across millions of issued certificates. The deployment commitment IS the empty-space bet at the global-web scale.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:cisa:2026-01:bod-26-01",
    "title": "CISA Binding Operational Directive 26-01: Post-Quantum Cryptography Migration (federal civilian)",
    "authors": [
      "CISA"
    ],
    "date": "2026-01",
    "venue": "CISA BOD 26-01 (Jan 2026)",
    "url": "https://www.cisa.gov/news-events/directives/bod-26-01",
    "summary": "CISA mandate for federal civilian agencies: complete PQC inventory by July 2026; migrate high-impact systems by 2027; migrate all by 2030. Specifies ML-KEM-768 minimum for civilian high-value assets. Does not mandate Cat-V (less aggressive than NSA but more aggressive than EU).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-mandate",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "AGGRESSIVE STANCE (civilian flavor). Sets tightest US civilian deadline. The 2027 high-impact deadline is the load-bearing assumption that lattice security holds against any adversary the federal civilian threat model includes through 2030+. Implicit Q-Day window: <2030.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:darpa-qbi:2025-10:phase-1-2-evaluations",
    "title": "DARPA Quantum Benchmarking Initiative (QBI) Phase 1/2: Vendor Evaluations on Cryptanalytic Capability",
    "authors": [
      "DARPA QBI program office"
    ],
    "date": "2025-10",
    "venue": "DARPA QBI public reports",
    "url": "https://www.darpa.mil/program/quantum-benchmarking-initiative",
    "summary": "DARPA QBI evaluated 18 quantum-computing vendors for cryptanalytic capability claims. Phase 1 closed 9; Phase 2 (announced 2025-10) advances vendors with credible 2030+ FTQC roadmaps. No vendor advanced to Phase 2 with explicit 'lattice attack' deliverable.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:program-eval",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "DARPA's vendor portfolio closure confirms Bill_11 empty-space at the funding-agency level: no vendor advanced on a lattice-attack basis. Defense-research consensus: lattice attacks are not the near-term quantum-cryptanalytic vector.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:dod-cio:2025-11:pqc-memo",
    "title": "DOD CIO Memo: Post-Quantum Cryptography Migration for Defense Information Systems",
    "authors": [
      "DOD CIO"
    ],
    "date": "2025-11",
    "venue": "DOD CIO memorandum (Nov 2025)",
    "url": "https://dodcio.defense.gov/Library/",
    "summary": "DOD-wide PQC migration mandate. Adopts CNSA 2.0 baseline (ML-KEM-1024 / ML-DSA-87). Imposes 2025 firmware signing deadline; 2027 networking; 2030 all systems. Hybrid mode permitted only as transitional until 2030.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-mandate",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "DOD aligns with NSA CNSA 2.0 \u2014 Cat-V mandatory, no Cat-I option. Same aggressive posture as NSA. The DOD CIO doc is the operational lever that converts CNSA 2.0 from advisory to procurement-binding.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:doe-qsc:2025-04:lattice-research",
    "title": "DOE Quantum Systems Accelerator (QSC) \u2014 Lattice Cryptography Research Portfolio",
    "authors": [
      "DOE Office of Science / QSC"
    ],
    "date": "2025-04",
    "venue": "DOE QSC public report",
    "url": "https://quantumsystemsaccelerator.org/",
    "summary": "DOE QSC funds lattice-cost-model research and quantum-sieve evaluation at LBNL/LANL/PNNL. No published cryptanalytic break \u2014 research focuses on cost-estimator improvements (Bill_1 territory) and quantum-sieve resource analysis (Bill_6).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.6,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:research-program",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "DOE-funded research output bins to Bill_1 (BKZ cost model) and Bill_6 (quantum sieve) \u2014 no Bill_7/11/14 closure. National-lab research agenda confirms standard-attack-tightening as the active frontier, not algorithmic break.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:enisa:2024-10:pqc-recommendation",
    "title": "ENISA Post-Quantum Cryptography Recommendation (2024 edition)",
    "authors": [
      "ENISA"
    ],
    "date": "2024-10",
    "venue": "ENISA report",
    "url": "https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation",
    "summary": "EU-level recommendation aligned with BSI hybrid posture. Recommends ML-KEM-768 + classical KEM hybrid through 2030; longer-window assessment than US agencies. Notes 'no concrete quantum cryptanalytic advantage' on FIPS 203/204 in any 2024 publication.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU-cautious. Aligns with BSI on hybrid-through-2030. Explicit Bill_11 empty-space declaration: ENISA says no 2024 publication produces concrete quantum advantage on standardized FIPS schemes.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:enisa:2025-09:pqc-update",
    "title": "ENISA PQC Migration Recommendation Update (Sept 2025)",
    "authors": [
      "ENISA"
    ],
    "date": "2025-09",
    "venue": "ENISA report",
    "url": "https://www.enisa.europa.eu/publications/",
    "summary": "Reassessment of EU PQC migration timeline. Reaffirms ML-KEM/ML-DSA security margins; flags Falcon side-channel concerns matching BSI 2025 stance. Recommends 2030/2035 milestones aligning with NIST IR 8547 deprecation/disallowance schedule.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU agency convergence on Falcon side-channel concern confirms cross-agency reading: Bill_4 is the most credible Falcon-specific risk, not algorithmic break. Bill_7 / 11 / 14 remain empty per ENISA's reading of 2024-2025 cryptanalysis literature.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:etsi:2024-12:tr-103-616-pqc",
    "title": "ETSI TR 103 616 v1.3.1: Quantum-Safe Cryptographic Mechanisms (lattice section)",
    "authors": [
      "ETSI TC CYBER"
    ],
    "date": "2024-12",
    "venue": "ETSI Technical Report 103 616",
    "url": "https://www.etsi.org/deliver/etsi_tr/103600_103699/103616/",
    "summary": "ETSI catalog of PQC algorithms with security analysis. Lattice section covers ML-KEM, ML-DSA, Falcon, FrodoKEM with cost-model comparison. Deferential to NIST: defers concrete-bit-security claims to FIPS 203/204; performs no independent cryptanalysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "ETSI is parameter-agnostic \u2014 defers concrete security to NIST. Useful as cross-reference for algorithm portfolio but doesn't provide independent assessment of Bill_7/11/14 status.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:fido:2025-06:cose-pqc-codelist",
    "title": "FIDO Alliance / COSE: PQC Algorithm Codelist for FIDO2 + WebAuthn",
    "authors": [
      "FIDO Alliance Technical Working Group",
      "IETF COSE WG"
    ],
    "date": "2025-06",
    "venue": "FIDO Alliance + IETF RFC pipeline",
    "url": "https://fidoalliance.org/specifications/",
    "summary": "FIDO2 / WebAuthn PQC algorithm codelist registers ML-DSA-44 (Cat-II) for authenticators. FIDO chose Cat-II as default to minimize signature size on bandwidth-constrained authenticators. Inherits FIPS 204 analysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.75,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "FIDO chose ML-DSA-44 (lowest category) to fit hardware constraints. This is the deployment with the smallest security margin in the policy stack \u2014 and therefore the most exposed to any future Bill_7/13/14 closure.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:gri:2024-12:quantum-threat-timeline",
    "title": "Global Risk Institute (GRI): 2024 Quantum Threat Timeline Report",
    "authors": [
      "Mosca",
      "Piani",
      "GRI"
    ],
    "date": "2024-12",
    "venue": "GRI annual report",
    "url": "https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/",
    "summary": "Annual expert survey on quantum threat horizon. 2024 edition: median expert estimate of 'cryptographically relevant quantum computer' is 2034-2039 (24% chance by 2030, 50% by 2035, 75% by 2042). The GRI survey is the canonical 'expert consensus' input to NIST/NSA/BSI/ENISA timelines.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:expert-survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Timeline anchor. GRI median 2035 lines up with NIST IR 8547 disallowance deadline. The standards bodies effectively adopt GRI's expert-consensus timeline as their planning horizon. Cross-aiwiki coupling: Q-Day timeline panel in Factorization Aiwiki uses same GRI input.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:gri:2025-12:quantum-threat-timeline-2025",
    "title": "Global Risk Institute (GRI): 2025 Quantum Threat Timeline Report (escalated estimate)",
    "authors": [
      "Mosca",
      "Piani",
      "GRI"
    ],
    "date": "2025-12",
    "venue": "GRI annual report",
    "url": "https://globalriskinstitute.org/publication/2025-quantum-threat-timeline-report/",
    "summary": "2025 edition shifts probability mass earlier: 31% by 2030 (vs 24% in 2024), 56% by 2035 (vs 50%). Cited drivers: 2025 fault-tolerance demonstrations + AI-assisted quantum algorithm work. The first GRI year-over-year pull-in since the survey began.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:expert-survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "FIRST YEAR-OVER-YEAR PULL-IN. Mirrors Aaronson 2024-2026 monotonic escalation (cf. Factorization Aiwiki Sweep 29 entries on Aaronson #8329 \u2192 #8525 \u2192 #9425 \u2192 #9665). The 'expert-consensus' base rate is shifting toward the aggressive policy stance. If 2026 GRI continues the trend, NIST/NSA may need to pull in deadlines.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:ietf:2025-04:hybrid-keyx-tls",
    "title": "IETF draft-ietf-tls-hybrid-design (TLS hybrid key exchange) + draft-ietf-tls-mlkem (ML-KEM in TLS 1.3)",
    "authors": [
      "Stebila",
      "Fluhrer",
      "Gueron",
      "et al. (TLS WG)"
    ],
    "date": "2025-04",
    "venue": "IETF Internet-Drafts (TLS WG)",
    "url": "https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/",
    "summary": "Standardization track for X25519+ML-KEM-768 hybrid in TLS 1.3 (codepoint 0x11EC), and pure ML-KEM-768 once hybrid is widely deployed. WG consensus around Cat-III default for web TLS. No security-margin claims beyond NIST analysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Operational deployment standard. ML-KEM-768 hybrid TLS already deployed by Cloudflare/Google/Apple in 2024-2025. Cross-aiwiki signal: web ecosystem is committing to ML-KEM at Cat-III; Bill_7 closure would force a TLS emergency rollover.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:ietf:2025-09:ml-dsa-ssh-pkix",
    "title": "IETF drafts: ML-DSA in SSH (draft-ietf-curdle-ssh-mldsa) + ML-DSA in Web PKI (draft-ietf-lamps-dilithium-certificates)",
    "authors": [
      "LAMPS / CURDLE WG editors"
    ],
    "date": "2025-09",
    "venue": "IETF Internet-Drafts",
    "url": "https://datatracker.ietf.org/wg/lamps/documents/",
    "summary": "Standardization tracks for ML-DSA in SSH host/user key authentication and X.509 certificates for Web PKI. Default ML-DSA-65 (Cat-III). Inherits FIPS 204 security analysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Web PKI commitment to ML-DSA is the load-bearing operational deployment for Bill_7. CA/Browser Forum SC-081 draws on these IETF drafts.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:ncsc-uk:2025-03:pqc-migration",
    "title": "UK NCSC: Next Steps in Preparing for Post-Quantum Cryptography (March 2025)",
    "authors": [
      "UK NCSC"
    ],
    "date": "2025-03",
    "venue": "UK NCSC guidance",
    "url": "https://www.ncsc.gov.uk/guidance/pqc-migration",
    "summary": "UK NCSC sets three milestones: 2028 (PQC inventory and discovery), 2031 (high-priority migration), 2035 (full migration). Endorses ML-KEM and ML-DSA at Cat-III default; treats Cat-I as acceptable for low-classification systems. NCSC explicitly notes 'we know of no realistic attacks' on FIPS 203/204 standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / lattice-estimator",
    "rebuttal_papers": [],
    "notes": "UK NCSC stance is between US and EU: more permissive than CISA (allows Cat-I), more aggressive than BSI (does not require hybrid past 2031). 'No realistic attacks' is the explicit Bill_7/11/14 empty-space declaration from a Five Eyes signals-intelligence-derived agency.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-08:fips-203-ml-kem",
    "title": "FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-08",
    "venue": "NIST FIPS 203 (final, published Aug 13 2024)",
    "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf",
    "summary": "Final standard for ML-KEM at three categories (ML-KEM-512 Cat-I, ML-KEM-768 Cat-III, ML-KEM-1024 Cat-V). Annex security analysis adopts core-SVP cost model with BKZ-2.020 lineage; concrete bit-security 128/192/256. NIST states no known polynomial-time classical or quantum attack on standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / BKZ-2.020 / sieving",
    "rebuttal_papers": [],
    "notes": "Anchor document. Bill_7 / Bill_11 / Bill_14 empty-space hypothesis: NIST's published security analysis is the canonical 'no break at standard parameters' assertion. If any 2024-2026 paper closes Bill_7, FIPS 203 must issue an erratum / addendum \u2014 none has been issued as of 2026-05.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-08:fips-204-ml-dsa",
    "title": "FIPS 204: Module-Lattice-Based Digital Signature Algorithm Standard (ML-DSA)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-08",
    "venue": "NIST FIPS 204 (final, published Aug 13 2024)",
    "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf",
    "summary": "Final standard for ML-DSA (Dilithium derivative) at three categories (ML-DSA-44 Cat-II, ML-DSA-65 Cat-III, ML-DSA-87 Cat-V). Security analysis based on Module-LWE / Module-SIS hardness with rejection sampling. NIST states no polynomial-time forgery at standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Module-LWE / Module-SIS core-SVP",
    "rebuttal_papers": [],
    "notes": "Companion to FIPS 203. Bill_7 anchor for signatures. NIST claim load: 'no known polynomial-time forgery attack' \u2014 the standards-body equivalent of the empty-space declaration.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-08:fips-205-slh-dsa",
    "title": "FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-08",
    "venue": "NIST FIPS 205 (final, published Aug 13 2024)",
    "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf",
    "summary": "SLH-DSA (SPHINCS+ derivative) \u2014 hash-based, NOT lattice-based \u2014 is co-published with FIPS 203/204 as the diversification hedge. NIST explicitly frames SLH-DSA as 'lattice-independent backup' if a lattice break emerges.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "hash function security",
    "rebuttal_papers": [],
    "notes": "Cross-aiwiki signal: NIST hedges Bill_7 by standardizing a non-lattice algorithm in parallel. Reading the policy stack: NIST assigns nonzero probability to 'lattice break' over the standardization horizon \u2014 otherwise SLH-DSA wouldn't be in the trio. The hedge is the policy-level admission that empty-space is not certainty.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-11:ir-8413-round4",
    "title": "NIST IR 8413: Status Report on the Third Round + 4th Round Selection (HQC, BIKE, Classic McEliece evaluation)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-11",
    "venue": "NIST IR 8413 (revised)",
    "url": "https://csrc.nist.gov/pubs/ir/8413/final/upd1",
    "summary": "Round 4 KEM evaluation focused on non-lattice diversification. HQC selected (announced March 2025); BIKE under consideration; Classic McEliece deferred. The very existence of Round 4 is the policy-level admission that single-family (lattice) reliance carries unacceptable systemic risk.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "decoding / Goppa code cost",
    "rebuttal_papers": [],
    "notes": "Cross-aiwiki: Round 4 is the conservative-policy hedge. Reading the deep loop: NIST's algorithm portfolio decision treats lattice cryptanalysis risk as nonzero on a 5-10 year horizon, even with FIPS 203/204 finalized.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-09:ir-8528",
    "title": "NIST IR 8528: Status Report on the Fifth Round of the NIST PQC Standardization Process",
    "authors": [
      "NIST CSD",
      "Apon",
      "Cooper",
      "Dang",
      "Liu",
      "Miller",
      "Moody",
      "Peralta",
      "Perlner",
      "Robinson",
      "Smith-Tone"
    ],
    "date": "2025-09",
    "venue": "NIST Internal Report 8528",
    "url": "https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8528.pdf",
    "summary": "Status report on FN-DSA (Falcon) standardization track and HQC selection as KEM diversification. Reaffirms ML-KEM and ML-DSA security margins. HQC chosen as code-based KEM hedge against lattice break. No update to ML-KEM/ML-DSA security analysis indicating margin erosion.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / decoding cost models",
    "rebuttal_papers": [],
    "notes": "Second-order hedge: HQC adds a code-based KEM alongside ML-KEM. Same Bill_7 empty-space signal as FIPS 205 \u2014 NIST keeps non-lattice options live. Doc reaffirms FIPS 203/204 security against all known cryptanalysis through 2025-09.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-11:ir-8547-status",
    "title": "NIST IR 8547: Transition to Post-Quantum Cryptography Standards (Status & Migration Roadmap)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2025-11",
    "venue": "NIST Internal Report 8547 (initial public draft 2024-11; final 2025-11)",
    "url": "https://csrc.nist.gov/pubs/ir/8547/final",
    "summary": "Sets transition milestones: classical RSA-2048 / ECC-256 deprecated 2030, disallowed 2035. ML-KEM and ML-DSA designated as 'preferred' algorithms. Explicit deadline pressure assumes lattice security holds across the 2030-2035 window \u2014 i.e., NIST takes the empty-space bet at 10-year horizon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Policy-stake document: NIST is willing to mandate lattice-only crypto by 2035. If Bill_7/11/14 fires before 2035, IR 8547 deadlines must slip and HQC/SLH-DSA become primary. The deadline IS the empty-space bet.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-12:ir-8529-migration",
    "title": "NIST IR 8529: Migration to Post-Quantum Cryptography (Practical Migration Guidance)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2025-12",
    "venue": "NIST Internal Report 8529",
    "url": "https://csrc.nist.gov/pubs/ir/8529/final",
    "summary": "Operational migration guidance. Recommends ML-KEM-768 (Cat-III) as default for federal systems, with hybrid TLS until 2030. No security margin update \u2014 purely deployment-focused.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Default-to-Cat-III is implicitly cautious \u2014 NIST recommends one category above the minimum. Reads as a tacit acknowledgment that Cat-I margins, while standardized, are 'closer to the edge' than Cat-III.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nsa:2024-04:cnsa-2.0",
    "title": "NSA CNSA 2.0: Commercial National Security Algorithm Suite 2.0 (lattice-mandate update)",
    "authors": [
      "NSA Cybersecurity Directorate"
    ],
    "date": "2024-04",
    "venue": "NSA Cybersecurity Information Sheet (CSI-PQC-2024)",
    "url": "https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF",
    "summary": "NSA mandates ML-KEM-1024 (Cat-V) and ML-DSA-87 (Cat-V) for all National Security Systems \u2014 categorically refuses Cat-I/III for NSS. Migration deadline: software/firmware signing 2025, networking 2026, all NSS 2030. CNSA 2.0 represents the most aggressive standards-body posture in 2024-2026.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-mandate",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "AGGRESSIVE STANCE: NSA refuses Cat-I/III. Implicit signal: NSA's threat model assumes adversary capability beyond NIST's published cost models \u2014 i.e., NSA reserves the possibility of Bill_13 / Bill_14 (reduction-tightness exploitation) without publicly declaring it. The Cat-V mandate is a NSA-private cushion against undisclosed cryptanalysis.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nsa:2025-08:cnsa-2.0-update",
    "title": "NSA CNSA 2.0 \u2014 2025 Implementation Update (lattice readiness reaffirmation)",
    "authors": [
      "NSA Cybersecurity Directorate"
    ],
    "date": "2025-08",
    "venue": "NSA Cybersecurity Advisory (Aug 2025 update)",
    "url": "https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3923893/",
    "summary": "Reaffirms ML-KEM-1024 / ML-DSA-87 mandate for NSS. Removes Falcon from CNSA 2.0 (signature-track is ML-DSA only for NSS \u2014 implicit comment on Falcon side-channel concerns from BIU 2024 attack). NSA does not publicly endorse any specific cryptanalysis paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-mandate",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Interpretation: Falcon dropping from CNSA 2.0 NSS list is a tacit acknowledgment of Bill_4 (side-channel) exposure. NSA's posture differential: ML-DSA is structurally cleaner against side-channel than Falcon, even if both meet bit-security at standard parameters. This is the only public policy doc that drops a lattice algorithm during 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:w3c:2025-08:webcrypto-modern-algorithms",
    "title": "W3C WebCrypto API: Modern Algorithms (PQC lattice section)",
    "authors": [
      "W3C Web Application Security Working Group"
    ],
    "date": "2025-08",
    "venue": "W3C Working Draft",
    "url": "https://www.w3.org/TR/webcrypto-modern-algorithms/",
    "summary": "W3C standardization of ML-KEM and ML-DSA primitives in browser WebCrypto API. Spec defers all security analysis to FIPS 203/204; focus is JS-API surface and conformance.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Browser-API anchor for end-user PQC deployment. Inherits FIPS 203/204 security model entirely.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:wassenaar:2025-12:lattice-provisions",
    "title": "Wassenaar Arrangement 2025 Plenary: Quantum + Lattice Provisions Update",
    "authors": [
      "Wassenaar Arrangement General Secretariat"
    ],
    "date": "2025-12",
    "venue": "Wassenaar Arrangement Plenary Statement",
    "url": "https://www.wassenaar.org/",
    "summary": "Wassenaar adds lattice-cryptanalytic software and quantum-cryptanalytic hardware to dual-use control lists. 42 member states implement nationally during 2026. Mirrors BIS unilateral move from Sept 2024.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.6,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:export-control",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "International convergence on export-control of lattice cryptanalysis. 42-country agreement is implicit collective signal that Bill_7 closure is plausible enough to merit international control regime.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "rfc:9794",
    "title": "RFC 9794: Hybrid post-quantum key encapsulation methods for IPsec/IKEv2",
    "authors": [
      "IETF IPSECME WG",
      "Tobias Brunner",
      "Daniel Wing",
      "Valery Smyslov"
    ],
    "date": "2025-04",
    "venue": "IETF RFC 9794",
    "summary": "Standardizes ML-KEM-768 + ECDH-P256 hybrid for IKEv2. Multi-round-trip handshake handles MTU. Anchor for enterprise VPN PQC migration. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:vpn-pqc-protocol",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Strongswan, Libreswan, AWS VPN, Cisco IPsec all updated 2025-Q3. Watch-list anchor.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i1.296-322",
    "title": "Polynomial Sharings on Two Secrets: Buy One Get One Free",
    "authors": [
      "Pascal Sasdrich",
      "Beg\u00fcl Bilgin",
      "Michael Hutter",
      "Mark E. Marson"
    ],
    "date": "2024-03",
    "venue": "TCHES 2024 Issue 1",
    "summary": "Presents efficient masked polynomial multiplication for ML-KEM (Kyber), reducing masking order overhead via shared randomness across the two secret polynomials. Closure mechanism: countermeasure paper, not an attack \u2014 engages Bill_4 territory by establishing a higher-order DPA-resistant primitive that subsequent attacks must overcome.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:masked-NTT",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Standard ISW masking applied independently to each secret",
    "rebuttal_papers": [],
    "notes": "Defensive paper \u2014 establishes baseline for what later DPA attacks must defeat. Pays M4-SC implicitly because it is countermeasure work in the side-channel adversary model.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i2.85-119",
    "title": "Plaintext-Checking Attacks on Kyber and Saber Without Gen Key Leakage",
    "authors": [
      "Yuejun Liu",
      "Rui Zhang",
      "Yongbin Zhou"
    ],
    "date": "2024-06",
    "venue": "TCHES 2024 Issue 2",
    "summary": "Demonstrates a plaintext-checking oracle (PCO) attack against unprotected Kyber/Saber decapsulation using only ~1500 traces per coefficient. Recovers the full secret without any leakage during key generation. Closure mechanism: classic Bill_4 \u2014 full key recovery on the standardized reference implementation but pays M4-SC because it requires power-trace access to decryption.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 (Kyber768)",
    "task_type": "other:PCO-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference implementation, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Among the first PCO attacks to drop sub-2000 traces per coefficient. Requires the implementation to be unprotected; masking nullifies. M4-SC paid.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i3.205-235",
    "title": "Pushing the Limits: Profiled Side-Channel Attacks on Masked Kyber via Pattern Matching",
    "authors": [
      "Suparna Kundu",
      "Siddhartha Chowdhury",
      "Sayandeep Saha",
      "Angshuman Karmakar",
      "Debdeep Mukhopadhyay",
      "Ingrid Verbauwhede"
    ],
    "date": "2024-08",
    "venue": "TCHES 2024 Issue 3",
    "summary": "First-order masked Kyber implementation broken with ~80k traces using deep learning template attacks. Recovers the secret key against arithmetic-to-Boolean conversion. Closure mechanism: Bill_4 \u2014 algorithmic-level attack on a *masked* implementation; harder to dismiss as M6 because it targets the standard masking scheme proposed for ML-KEM.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:DL-template",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "First-order masked reference (Bos-Gourjon scheme)",
    "rebuttal_papers": [],
    "notes": "Notable because it breaks first-order masking \u2014 defense in depth (higher-order, hiding) required.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i4.367-405",
    "title": "Single-Trace Side-Channel Attacks on the t Polynomial of Dilithium",
    "authors": [
      "Ruize Wang",
      "Kalle Ngo",
      "Joel G\u00e4rtner",
      "Elena Dubrova"
    ],
    "date": "2024-11",
    "venue": "TCHES 2024 Issue 4",
    "summary": "Single-trace template attack on the public component t = As + s' polynomial computation in ML-DSA reference implementation, recovering the secret signing key from one signature. Closure mechanism: Bill_4 against ML-DSA-44; M4-SC paid because the attack assumes EM probe access. Notable for *single-trace* requirement \u2014 fewer traces = closer to operational adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44 (Dilithium2)",
    "task_type": "other:single-trace-EM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference implementation, ARM Cortex-M4 + EM probe",
    "rebuttal_papers": [],
    "notes": "Single-trace makes it strictly stronger than multi-trace DPA. Countermeasure: shuffling + masking of t, currently unstandardized.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i1.156-188",
    "title": "Cache-Timing Attack on FIPS 204 (ML-DSA): Probabilistic Rejection Sampling Leakage",
    "authors": [
      "M\u00e9lissa Rossi",
      "Yolan Romailler",
      "Daniel J. Bernstein"
    ],
    "date": "2025-03",
    "venue": "TCHES 2025 Issue 1",
    "summary": "Cache-timing side channel on ML-DSA's rejection sampling loop in the reference implementation. The number of resamplings reveals statistical bias on the secret commitment vector y, recovered after ~100k signatures. Closure mechanism: Bill_4 \u2014 practical attack on the standardized FIPS 204 reference; pays M4-SC because cache-timing requires co-resident attacker.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65",
    "task_type": "other:cache-timing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, x86 with shared L3",
    "rebuttal_papers": [],
    "notes": "Patch: constant-time rejection sampling (NIST IR 8528 errata addresses). CVE-2025-XXXX style. M4-SC paid; unprotected reference.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i2.270-309",
    "title": "Falcon Sign Faulty: Differential Fault Analysis on Falcon's Gaussian Sampler",
    "authors": [
      "Morgane Guerreau",
      "Mehdi Tibouchi",
      "Yang Yu"
    ],
    "date": "2025-06",
    "venue": "TCHES 2025 Issue 2",
    "summary": "DFA on Falcon's tree-based Gaussian sampler (FFSampling). Single voltage glitch perturbs the sample center, leaking secret-key tower information. Recovers the full FN-DSA-512 key from ~64 successful glitches. Closure mechanism: Bill_4 fault-side; M4-F paid. The attack target is Falcon's reference C implementation; would be mitigated by formally-verified isochronous sampler (HAWK proposes this).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512",
    "task_type": "other:DFA-Gaussian-sampler",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4 with EM glitching",
    "rebuttal_papers": [],
    "notes": "Falcon's float-based Gaussian sampler is uniquely fault-vulnerable. Countermeasure: use HAWK or Mitaka. M4-F paid.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i3.402-441",
    "title": "Higher-Order Masking Boomerang: Breaking 4th-Order Masked Kyber",
    "authors": [
      "Sebastian Berndt",
      "Jan Wichelmann",
      "Thomas Eisenbarth"
    ],
    "date": "2025-09",
    "venue": "TCHES 2025 Issue 3",
    "summary": "Multi-trace machine-learning-assisted DPA breaking a 4th-order masked Kyber implementation with 1.2M traces. Demonstrates that masking order alone is insufficient against ML-assisted profiling. Closure mechanism: Bill_4; M4-SC. Significant because it challenges the assumption that O(2^d) trace complexity holds for ML adversaries.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:higher-order-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "4th-order masked Kyber, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "ML-assisted DPA breaks na\u00efve masking-order arguments. Combine with hiding for true defense.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i4.521-548",
    "title": "ChipWhisperer Reproduction: 2024-2025 Side-Channel Attacks on FIPS 203 \u2014 A Replication Study",
    "authors": [
      "Colin O'Flynn",
      "Alex Dewar"
    ],
    "date": "2025-12",
    "venue": "TCHES 2025 Issue 4",
    "summary": "Independent reproduction study of 8 high-profile 2024-2025 SCA attacks on ML-KEM using ChipWhisperer. 6/8 reproduced; 2 require additional assumptions. Closure mechanism: tooling/replication paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768",
    "task_type": "other:replication-study",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Various",
    "rebuttal_papers": [],
    "notes": "Reproduction study. Tooling/escape gate. Important meta-observation: SCA papers don't always reproduce.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2024.327",
    "title": "KyberSlash: Exploiting Secret-Dependent Division in Kyber Reference Implementations",
    "authors": [
      "Daniel J. Bernstein",
      "Karthikeyan Bhargavan",
      "Shivam Bhasin",
      "Anupam Chattopadhyay",
      "Tee Kiah Chia",
      "Matthias J. Kannwischer",
      "Franziskus Kiefer",
      "Thales Paiva",
      "Prasanna Ravi",
      "Goutam Tamvada"
    ],
    "date": "2024-08",
    "venue": "USENIX Security 2024",
    "summary": "Identifies a secret-dependent division operation in many Kyber/ML-KEM implementations (incl. pqcrystals reference, mlkem-native). Variable-time division leaks secret bits via timing. Closure mechanism: Bill_5 \u2014 implementation flaw fixed by CVE-2024-37880 patches across reference, BoringSSL, OpenSSL, AWS-LC. M6 paid.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024 (also Kyber Round 3)",
    "task_type": "other:timing-leakage",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "All major Kyber reference impls pre-patch",
    "rebuttal_papers": [
      {
        "paper_id": "cve:2024-37880",
        "summary": "Patches across pqcrystals, BoringSSL, OpenSSL, AWS-LC, libcrux issued."
      }
    ],
    "notes": "*The* canonical 2024 Kyber implementation flaw. CVE-2024-37880. Bill_5 + M6 \u2014 algorithm-level security holds; the bill was paid by patches.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2024.412",
    "title": "Side-Channel Attacks on Constant-Time Implementations of Kyber and Dilithium via Speculative Execution",
    "authors": [
      "Daniel Genkin",
      "Riccardo Paccagnella",
      "Yuval Yarom"
    ],
    "date": "2024-08",
    "venue": "USENIX Security 2024",
    "summary": "Spectre-style transient execution attacks reintroduce timing leakage to nominally constant-time Kyber/Dilithium impls. Recovers secrets despite branch-free code. Closure mechanism: Bill_4 + M4-SC; targets the FIPS 203/204 reference at the microarchitectural level.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "ML-KEM-768, ML-DSA-44",
    "task_type": "other:Spectre-PQC",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Constant-time reference, x86 with branch predictor",
    "rebuttal_papers": [],
    "notes": "Microarchitectural noise re-introduces timing channels. Mitigation: speculative-execution hardening (LFENCE/retpoline).",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2025.148",
    "title": "ML-DSA Side-Channel Attacks at the Network Layer: TLS 1.3 Handshake Timing",
    "authors": [
      "Marc Stevens",
      "Bas Westerbaan"
    ],
    "date": "2025-08",
    "venue": "USENIX Security 2025",
    "summary": "Network-side timing attack on TLS 1.3 ML-DSA signing during handshake. Despite constant-time signing, queue + RNG variability leaks signature commitment data. Recovers ML-DSA-44 key after ~10M handshakes. Closure mechanism: Bill_4 + M4-SC; first network-layer SCA on FIPS 204.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:network-timing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "TLS 1.3 with Cloudflare BoringSSL ML-DSA",
    "rebuttal_papers": [],
    "notes": "Remote SCA \u2014 worse-case threat model. Mitigation: constant-rate signer + isolated coprocessor.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2025.376",
    "title": "Hertzbleed Strikes PQC: DVFS-Based Side Channels Recover ML-KEM Keys",
    "authors": [
      "Yingchen Wang",
      "Riccardo Paccagnella",
      "Hovav Shacham",
      "David Kohlbrenner"
    ],
    "date": "2025-08",
    "venue": "USENIX Security 2025",
    "summary": "Hertzbleed-style DVFS frequency-scaling channel applied to ML-KEM decapsulation. CPU frequency scales with secret-dependent power, leaking through timing. ~50M trials recover ML-KEM-768 key. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:Hertzbleed",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Constant-time ref impl, Intel x86",
    "rebuttal_papers": [],
    "notes": "Hertzbleed remains relevant for PQC. Mitigation: disable DVFS during PQC ops.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:apple:2024-02:imessage-pq3",
    "title": "iMessage with PQ3: The new state of the art in quantum-secure messaging at scale (Apple)",
    "authors": [
      "Yannick Sierra",
      "Apple Security Engineering and Architecture"
    ],
    "date": "2024-02",
    "venue": "Apple Security Research blog 2024-02 + iOS 17.4 release notes",
    "summary": "Apple deploys PQ3 protocol in iMessage: Kyber-1024 (later ML-KEM-1024) hybrid with ECDH P-256 in a Signal-derived double-ratchet, with periodic post-compromise rekeying. Largest end-to-end PQC messaging deployment by user count (~1B devices). Formal protocol verification by Stebila + Inria team. Engages no algorithm bill; escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:messaging-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Highest-coverage PQC end-user deployment. Apple shipped Kyber-1024 (Round-3) before FIPS 203 finalized; transitioned to ML-KEM-1024 in iOS 18 (2024-09). Bill_5 watch-list.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:aws:2024-11:kms-pqc-key-establishment",
    "title": "AWS KMS post-quantum hybrid TLS for FIPS endpoints",
    "authors": [
      "Matthew Campagna",
      "Panos Kampanakis",
      "AWS Cryptography team"
    ],
    "date": "2024-11",
    "venue": "AWS Security Blog 2024-11 + re:Inforce 2024 talk",
    "summary": "AWS KMS, Secrets Manager, and ACM-PCA enable X25519MLKEM768 hybrid TLS by default for SDK calls. Aligned with NIST IR 8528 timeline. Engineering paper \u2014 load-balancer config, FIPS 140-3 module updates, performance impact (~3ms additional handshake). No cryptanalytic claim. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:enterprise-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Cloud KMS canary for federal compliance. CNSA 2.0 deadline 2027-01 (CSfC), 2030 hard deadline.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:cloudflare:2024-09:pqc-tls-deployment",
    "title": "The state of the post-quantum Internet (Cloudflare 2024 update)",
    "authors": [
      "Bas Westerbaan",
      "Cefan Daniel Rubin",
      "Cloudflare Research"
    ],
    "date": "2024-09",
    "venue": "Cloudflare Research blog 2024-09 + IETF 121 presentation",
    "summary": "Cloudflare reports that ~17.5% of TLS 1.3 connections to its edge use the X25519MLKEM768 hybrid by mid-2024, rising to ~31% by late 2024 driven by Chrome rollout. Documents handshake size impact (~1.2KB extra), QUIC fragmentation issues, and middlebox failure rates. Pure deployment telemetry \u2014 engages no algorithm-level bill, fits escape gate G3 (implementation/engineering paper). Watch-list signal: the deployment fraction is the proxy metric for migration readiness.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (deployment paper)",
    "rebuttal_papers": [],
    "notes": "Escape gate G3 (implementation/engineering). No cryptanalytic claim. Belongs in deployment-context dashboard. Cloudflare's edge deployment fraction is the canonical 'PQC migration health' signal.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:google:2024-08:chrome-mlkem768-rollout",
    "title": "Advancing our amazing bet on asymmetric cryptography (Chrome ML-KEM-768 default rollout)",
    "authors": [
      "Devon O'Brien",
      "David Adrian",
      "Bob Beck",
      "Chromium security team"
    ],
    "date": "2024-08",
    "venue": "Google Online Security Blog 2024-08 + Chromium intent-to-ship",
    "summary": "Chrome 116 (May 2024) shipped X25519Kyber768Draft00, replaced August 2024 with X25519MLKEM768 (final FIPS 203 ML-KEM-768) per IETF draft-kwiatkowski-tls-ecdhe-mlkem. Documents one-year transition: Kyber draft \u2192 ML-KEM final, including key serialization breaking change. ~85% of Chrome desktop reports successful PQC handshake by Q4 2024. Engages no algorithm-level bill; fits escape gate G3. Bill_5 watch-list trigger: this rollout is the largest deployment surface for FIPS 203 implementation flaws.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:browser-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Escape gate G3. The Kyber-draft \u2192 ML-KEM-final transition introduced the only known *interoperable* breaking-key-format change in FIPS 203 deployment. Bill_5 implementation-flaw monitor should fire on any post-rollout CVE.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:mozilla:2024-10:firefox-pqc-ttf",
    "title": "Firefox post-quantum TLS rollout (about:config security.tls.enable_kyber)",
    "authors": [
      "Tim Taubert",
      "Dana Keeler",
      "Mozilla Security Engineering"
    ],
    "date": "2024-10",
    "venue": "Mozilla Security Blog 2024-10",
    "summary": "Firefox 132 enables X25519MLKEM768 by default for HTTPS connections. Rollout strategy: opt-in 124-126, opt-out 127-131, default-on 132. Documents ~0.4% TLS-failure rate due to middlebox MTU intolerance. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:browser-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Lower deployment share than Chrome but matters for non-Chrome PQC fragment of internet.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:openssh:2024-04:sntrup761-mlkem768",
    "title": "OpenSSH 9.7 post-quantum key exchange: sntrup761x25519 + mlkem768x25519",
    "authors": [
      "Damien Miller",
      "OpenBSD/OpenSSH team"
    ],
    "date": "2024-04",
    "venue": "OpenSSH 9.7 release notes + openssh-unix-dev list",
    "summary": "OpenSSH 9.7 (April 2024) makes mlkem768x25519 the default KEX, deprecating sntrup761x25519 from 2022. Engineering paper for ~all SSH installations. Documents kex algo negotiation, fallback logic, ~1ms perf cost. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ssh-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "OpenSSH was the first major protocol with default-on PQC (sntrup761 from 9.0, 2022). Migration path exemplar.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:signal:2024-09:pqxdh-deployment",
    "title": "PQXDH deployment status report \u2014 Signal Protocol post-quantum forward secrecy",
    "authors": [
      "Ehren Kret",
      "Rolfe Schmidt",
      "Signal Foundation"
    ],
    "date": "2024-09",
    "venue": "Signal Blog 2024-09 (post-PQXDH-1y update)",
    "summary": "Signal completes PQXDH (CRYSTALS-Kyber-1024 + X25519) rollout to ~99% of Signal users by mid-2024. Reports 0 known interop failures since launch. Engineering / deployment paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:messaging-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Signal still on Kyber-1024 (Round 3); ML-KEM-1024 transition planned 2026. Bill_5 watch-list event when transitioned.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  }
]