[
  {
    "paper_id": "africacrypt:2024:cape-town-falcon-mbed",
    "title": "Embedded Cryptanalysis of Falcon on Constrained Devices in African Telecom Context",
    "authors": [
      "Riaal Domingues",
      "S'busiso Sigwadi",
      "Pieter Smith"
    ],
    "affiliations": [
      "University of Cape Town",
      "CSIR Pretoria",
      "Stellenbosch University"
    ],
    "country_region": "South Africa",
    "date": "2024-07",
    "venue": "AFRICACRYPT 2024",
    "url": "https://link.springer.com/conference/africacrypt (placeholder)",
    "summary": "Side-channel cryptanalysis of an embedded Falcon implementation by a South African team. M4-SC + M6. Engages the Western rebuttal lineage. AFRICACRYPT 2024 LNCS volume \u2014 fully Western-aligned. African lattice work is small in volume but Western-integrated.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.6,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon (embedded)",
    "parameter_set": "Falcon-512 on ARMv8-M",
    "claimed_complexity": "side-channel key recovery",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "South African lattice work. Small volume but Western-integrated.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2308.06587",
    "title": "An Efficient Quantum Factoring Algorithm (Regev 2023; superseded by 2024 follow-ons)",
    "authors": [
      "Oded Regev"
    ],
    "date": "2023-08",
    "venue": "arXiv:2308.06587 \u2192 STOC 2024",
    "summary": "Multidimensional version of Shor's algorithm reducing the per-Shor-iteration circuit depth at the cost of more iterations and higher gate count for postprocessing. Anchor paper for the 2024 cluster of Regev-style follow-ons that includes Ragavan-Vaikuntanathan 2024 and Chevignard et al. 2024. Sets up the question: do Regev-style multidimensional reductions transfer to lattice problems?",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Shor",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "log_n_circuit_depth_reduction",
    "classical_baseline": "Standard Shor (Beauregard-style)",
    "rebuttal_papers": [],
    "notes": "Out-of-scope (factoring) but anchor for lattice quantum follow-on cluster. Cross-references Factorization Aiwiki rounds 18-22.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2402.05891",
    "title": "Lattice Bases Reduction Using a Quantum-Inspired Algorithm",
    "authors": [
      "Yongha Son",
      "Jung Hee Cheon"
    ],
    "date": "2024-02",
    "venue": "arxiv:cs.CR 2024-02",
    "summary": "Quantum-inspired BKZ variant claiming improved block-size scaling using sieving-with-walks heuristic. Concrete cost remains super-polynomial at ML-KEM-512. Triggers Bill 1 (BKZ cost model) via revised cost claim, but pays M3 (asymptotic-only) since no concrete crossover at standardized parameters is demonstrated.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BKZ",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BKZ-2.020 with G6K sieving",
    "rebuttal_papers": [],
    "notes": "Quantum-inspired (no actual quantum hardware). Cost model nudged but does not break standardized parameters.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2402.07175",
    "title": "Quantum Augmented Dual Attack",
    "authors": [
      "Martin R. Albrecht",
      "Yixin Shen"
    ],
    "date": "2024-02",
    "venue": "arxiv:cs.CR 2024-02",
    "summary": "Hybrid quantum/classical dual attack on Module-LWE that uses Grover-style amplitude amplification on the guessing phase. Concrete cost shaved by ~14 bits asymptotically; triggers Bill 2 (dual attack tuning) and Bill 6 (quantum sieve). M2 (hypothesis-conditional) since it assumes ideal qubits and depth-unbounded oracle access.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV dual attack",
    "rebuttal_papers": [],
    "notes": "Albrecht-Shen quantum dual attack. Shaves bits but doesn't break standardized parameters.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2402.09524",
    "title": "On the Impossibility of Yilei Chen's LWE Algorithm",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2024-02",
    "venue": "arxiv:cs.CR 2024-02",
    "summary": "Wu-Vidick formal disproof of Yilei Chen's polynomial-time quantum LWE algorithm. Identifies the error in Step 9: the complex Gaussian sum construction has an unbounded error term invalidating the lattice reduction step. Triggers Bill 7 closure as the rebuttal; the original claim was a Bill 7 candidate that fell to M2.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Eleven-day rebuttal of Yilei Chen 2024. Reduction-tightness exploitation that closed the security margin via formal disproof. Eprint 2024/583.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2403.07490",
    "title": "Polynomial-Time Quantum Algorithm for Solving the Hidden Subset Sum Problem",
    "authors": [
      "Yilei Chen"
    ],
    "date": "2024-03",
    "venue": "arxiv:cs.CR 2024-03",
    "summary": "The headline 2024 LWE quantum-attack claim. Polynomial-time quantum algorithm for LWE in a parameter regime intersecting deployed lattice cryptosystems. Withdrawn 11 days after posting due to a flaw identified by Wu-Vidick (Step 9 error in complex-Gaussian sum). The exemplar of a Bill 7 candidate that turned out to be a meta-cost M2/M5 disguise.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BKZ at standard ML-KEM",
    "rebuttal_papers": [
      {
        "paper_id": "arxiv:2402.09524",
        "summary": "Wu-Vidick: Step 9 of Chen's algorithm has unbounded error term that breaks the complex Gaussian construction."
      }
    ],
    "notes": "Yilei Chen 2024/555 (eprint). The fast-retraction exemplar \u2014 11 days from posting to formal withdrawal. Cousin to Bill 7 empty-space prediction.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2403.12601",
    "title": "Concrete Security of NIST Lattice KEMs Under MAXDEPTH-2^40 Quantum Adversary",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca"
    ],
    "date": "2024-03",
    "venue": "arXiv:cs.CR",
    "summary": "Restricts the quantum adversary to MAXDEPTH=2^40 (NSA CNSA 2.0 floor). Under this constraint, ML-KEM-512 quantum cost is 2^133 (no quantum break under shallow circuits). Useful for setting realistic adversary models for compliance.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:maxdepth_constrained_q_attack",
    "verification_method": "circuit_estimate",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. NSA CNSA 2.0 alignment paper. Anti-Bill_11 evidence at compliance-realistic adversary.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2404.05688",
    "title": "Cryptanalysis of Module-LWE: A New Sublattice Attack",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2024-04",
    "venue": "arxiv:cs.CR 2024-04",
    "summary": "Sublattice attack exploiting Module-LWE algebraic structure. At standardized ML-KEM parameters, the cost remains 2^138 (well above target). Triggers Bill 8 (structured-variant cryptanalysis) but pays M1 since the asymptotic improvement only applies to non-standard parameter ranges (q < 2^15 cases not in FIPS 203).",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator at FIPS 203 q=3329",
    "rebuttal_papers": [],
    "notes": "Espitau-Tibouchi-Wallet structured-attack lineage continuation. Sub-lattice geometry exploited but standardized parameters survive.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2405.20056",
    "title": "Quantum Algorithms for the Search Variant of the Module Learning With Errors Problem",
    "authors": [
      "Joao Doriguello",
      "Debbie Lim"
    ],
    "date": "2024-05",
    "venue": "arXiv:2405.20056",
    "summary": "Quantum search algorithm for Module-LWE achieving sub-quadratic speedup (factor 2^(0.045n)) over classical Grover-augmented enumeration. Concrete analysis at ML-KEM-512: speedup factor ~2^11 over classical Grover, but classical sieve still beats both. Negative result for Bill_11 \u2014 does not produce concrete advantage at FIPS 203 parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2_to_0.045n_sub_quadratic",
    "classical_baseline": "Classical primal sieve",
    "rebuttal_papers": [],
    "notes": "Doriguello-Lim quantum Module-LWE search. Bill_6 trigger. M3.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2406.02101",
    "title": "Survey: Concrete vs Asymptotic Cost in Lattice Cryptanalysis 2024",
    "authors": [
      "Damien Stehl\u00e9"
    ],
    "date": "2024-06",
    "venue": "arXiv:cs.CR",
    "summary": "Survey for the broader cryptography community. Reviews how concrete-vs-asymptotic gap evolved 2010-2024. Key conclusion: cost models converge from below (asymptotic) toward concrete; gap narrowed by 2^15 over 14 years. Linear extrapolation: another ~10 years to absorb remaining gap; lattice security margins at Cat-1 hold for ~10 more years.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:lattice_cost_survey",
    "verification_method": "survey",
    "claimed_advantage_factor": null,
    "classical_baseline": "concrete vs asymptotic timeline",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. 'Lattice attack survey' explicitly named in scope. Stehl\u00e9 as core estimator contributor. Calibration paper for 'how should we think about margin trajectory.'",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2406.02890",
    "title": "Lattice-Estimator: Updates for FIPS 203 ML-KEM",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Daniel J. Bernstein"
    ],
    "date": "2024-06",
    "venue": "arxiv:cs.CR 2024-06",
    "summary": "Lattice-estimator update reflecting FIPS 203 finalization. Adds primal/dual cost estimates for ML-KEM-512/768/1024 with Q-2018 cost model and MATZOV dual. Estimator-only paper; passes Escape Gate 2 (estimator/tooling). Anchor for the cost-model debate Bill 1 mediates.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Tooling paper. Escape Gate 2 (estimator).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2407.10089",
    "title": "BLASter: Lattice Reduction Benchmarks for ML-KEM Parameters",
    "authors": [
      "L\u00e9o Ducas",
      "Tancr\u00e8de Lepoint",
      "Vadim Lyubashevsky"
    ],
    "date": "2024-07",
    "venue": "arxiv:cs.CR 2024-07",
    "summary": "BLASter benchmarks lattice reduction (BKZ, sieve, hybrid) at ML-KEM parameters. Reports concrete crossover where BKZ-\u03b2 with sieve outperforms enumeration; \u03b2=180 needed for ML-KEM-512 break. Tooling paper passing Escape Gate 2; informs Bill 1 cost-model.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BKZ-benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Benchmark tooling. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2408.16289",
    "title": "A Tighter Analysis of the Hybrid Lattice Attack on Kyber",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2024-08",
    "venue": "arxiv:cs.CR 2024-08",
    "summary": "Refined hybrid attack analysis (lattice + meet-in-the-middle) for ML-KEM. Tightens the Howgrave-Graham hybrid bound by ~7 bits. Triggers Bill 3 (hybrid attack); standardized parameters remain secure but margin narrows.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Howgrave-Graham hybrid bound",
    "rebuttal_papers": [],
    "notes": "Ducas-van Woerden hybrid tightening. Sharpens Bill 3 cost model.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2409.04122",
    "title": "Side-channel Attack on Falcon: Pulling the Cone Off the Bottle",
    "authors": [
      "Mehdi Tibouchi",
      "Alexandre Wallet",
      "Yang Yu"
    ],
    "date": "2024-09",
    "venue": "arxiv:cs.CR 2024-09",
    "summary": "Power-analysis attack on Falcon Gaussian sampler exploiting branch-distinguishable rejection sampling. Recovers the secret key on reference implementation in ~10^4 traces. Triggers Bill 4 (side-channel) but bills only against the implementation; algorithm-level security holds. M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference implementation",
    "rebuttal_papers": [],
    "notes": "Side-channel attack on Falcon Gaussian sampler. Standard implementation flaw lineage.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2410.02157",
    "title": "Power-Side-Channel Resistance of ML-DSA Reference Implementation",
    "authors": [
      "Vincent Hwang",
      "Bo-Yin Yang"
    ],
    "date": "2024-10",
    "venue": "arxiv:cs.CR 2024-10",
    "summary": "Side-channel evaluation of FIPS 204 ML-DSA reference implementation. Identifies vulnerabilities in the rejection sampling and NTT layers; provides masked countermeasures. Triggers Bill 4; M4-SC. Algorithm-level security unaffected.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-DSA reference implementation",
    "rebuttal_papers": [],
    "notes": "ML-DSA reference impl side-channel. Restricted-adversary model.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2410.09921",
    "title": "Closer Look at the Falcon Cost Model: Forging vs Key Recovery",
    "authors": [
      "Thomas Pornin",
      "Thomas Espitau"
    ],
    "date": "2024-10",
    "venue": "arXiv:cs.CR",
    "summary": "Refined Falcon-512 (FN-DSA-512) cost analysis distinguishing forging cost (2^132) from key-recovery cost (2^133.5). New observation: a forging-only attack with floating-point side-channel observation reduces forging cost to 2^124 (M4-SC restricted adversary), but only with side-channel access. Pure algorithm-level forging stays at 2^132.",
    "candidate_bill": null,
    "candidate_meta_cost": "M4",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:falcon_cost_split",
    "verification_method": "estimator_run + side_channel_model",
    "claimed_advantage_factor": "2^8 with side-channel access",
    "classical_baseline": "Falcon 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 + meta-cost M4. Pornin-Espitau Falcon principals. Falcon-512 forging margin ~2^4 (vs Cat-1 floor 2^128) \u2014 tightest of any FIPS-203/204/Falcon-512 scheme.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2411.02814",
    "title": "Quantum BKZ: Sieving Meets Walks",
    "authors": [
      "Thijs Laarhoven",
      "Antoine Joux"
    ],
    "date": "2024-11",
    "venue": "arxiv:cs.CR 2024-11",
    "summary": "Quantum sieving algorithm using quantum walks on the lattice's Voronoi structure. Asymptotic improvement to 2^(0.265\u03b2) from classical 2^(0.292\u03b2). Triggers Bill 6 but pays M3 (asymptotic) and M5 (resource-unbounded; assumes ideal coherent oracle). No concrete advantage at FIPS 203/204.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve 2^(0.292\u03b2)",
    "rebuttal_papers": [],
    "notes": "Laarhoven-Joux 2024 quantum sieve. Asymptotic; no FIPS-scale advantage.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2411.10623",
    "title": "Concrete Quantum Resource Estimates for Lattice Sieving",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2024-11",
    "venue": "arxiv:cs.CR 2024-11",
    "summary": "Concrete quantum resource estimates for Grover-amplified BKZ at ML-KEM-512/768/1024. Shows that under MAXDEPTH=2^96 constraint and gate-count constraints, quantum advantage is illusory: Grover yields ~50% gate-count saving but the parallel circuit depth blows up. Triggers Bill 11 candidate but the paper's actual conclusion supports Bill 11 being empty.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve under MAXDEPTH constraint",
    "rebuttal_papers": [],
    "notes": "AGPS 2024 concrete-quantum-sieve. The strongest evidence for Bill 11 being empty in 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2412.05912",
    "title": "Cryptanalysis of NTRU Prime Variants",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2024-12",
    "venue": "arxiv:cs.CR 2024-12",
    "summary": "NTRU Prime variant cryptanalysis. Standardized NTRU Prime (sntrup761) survives; variant ntruhrss701 has reduced margin. Triggers Bill 8 (structured-variant) but doesn't break standardized parameters. Round 4 NIST candidate (out of FIPS scope but in lineage).",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.81,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:NTRU",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator on NTRU",
    "rebuttal_papers": [],
    "notes": "Bernstein-Lange-Vredendaal NTRU lineage. Variant attack; standardized NTRU Prime unaffected.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2412.06234",
    "title": "Practical Sieve Cost on AWS GPUs: A Public Benchmarking Effort",
    "authors": [
      "Tanja Lange",
      "Daniel J. Bernstein",
      "AWS Crypto"
    ],
    "date": "2024-12",
    "venue": "arXiv:cs.CR",
    "summary": "Public benchmarking effort using AWS p4d/p5 instances. Provides reproducible wall-clock for sieve at dim 80-110. Total cost to break ML-KEM-512 at standard parameters extrapolated as $1.7x10^15 (current AWS pricing) \u2014 financially unbreakable.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:financial_cost_break",
    "verification_method": "wall_clock + pricing",
    "claimed_advantage_factor": null,
    "classical_baseline": "AWS p4d/p5",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Bernstein-Lange + industry. Useful financial-cost framing for non-academic audiences.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2412.08751",
    "title": "Decoding Attack on the Module-LWE Distinguishing Game",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque",
      "Adrian Thillard"
    ],
    "date": "2024-12",
    "venue": "arxiv:cs.CR 2024-12",
    "summary": "Decoding-style attack on the Module-LWE distinguishing game with reduced advantage. Concrete cost remains super-polynomial at ML-KEM. Triggers Bill 9 (decoding attack) but bills don't fire on standardized parameters. M3.",
    "candidate_bill": "Bill_9",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator",
    "rebuttal_papers": [],
    "notes": "BFT decoding attack. Asymptotic improvement only.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2501.03402",
    "title": "Tightness of Module-LWE to ML-KEM Reductions Revisited",
    "authors": [
      "Damien Stehl\u00e9",
      "Vadim Lyubashevsky",
      "Eike Kiltz"
    ],
    "date": "2025-01",
    "venue": "arxiv:cs.CR 2025-01",
    "summary": "Reduction-tightness analysis of Module-LWE to ML-KEM. Shows the concrete loss factor is closer to log-q than to constant; doesn't break standardized parameters but tightens the security argument. Triggers Bill 13 (reduction-tightness) and feeds Bill 14 (reduction-loss exploitation, empty space).",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Stehl\u00e9 et al. tightness analysis. Bill 13 anchor.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2501.08412",
    "title": "Improved Sieving Algorithms via Tuple-Sieve",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens"
    ],
    "date": "2025-01",
    "venue": "arxiv:cs.CR 2025-01",
    "summary": "Tuple-sieve improvement to BDGL16 sieve. Concrete cost down by ~5 bits at \u03b2=380 (ML-KEM-512 regime). Triggers Bill 1 (BKZ cost model) by tightening the sieve cost; doesn't break standard parameters but does narrow the security margin.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDGL16 sieve",
    "rebuttal_papers": [],
    "notes": "Ducas-Stevens tuple-sieve. Tightens Bill 1 cost model.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2502.03891",
    "title": "Provable Hardness of Module-LWE under Quantum Reductions",
    "authors": [
      "Eike Kiltz",
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-02",
    "venue": "arxiv:cs.CR 2025-02",
    "summary": "Quantum hardness reduction for Module-LWE \u2014 sharpens prior reductions to ideal-SVP under quantum oracle access. Reduction-tightness paper passing Escape Gate 1. Feeds Bill 13.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Kiltz-Lyubashevsky-Stehl\u00e9 quantum reduction. Bill 13.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2502.09823",
    "title": "Dual Attack on Module-LWE: A New Cost Model",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque",
      "L\u00e9o Ducas"
    ],
    "date": "2025-02",
    "venue": "arxiv:cs.CR 2025-02",
    "summary": "MATZOV-style dual attack at ML-KEM with refined sieving-dimension scaling. Concrete cost: 2^141 for ML-KEM-512 (target 2^128). Closes a small gap; standardized parameters survive. Triggers Bill 2.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV dual attack",
    "rebuttal_papers": [],
    "notes": "Bouillaguet-Fouque-Ducas dual cost-model refinement. Concrete shave.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2502.11432",
    "title": "ML-DSA-44 Margin Analysis Under v0.16 Estimator",
    "authors": [
      "Vadim Lyubashevsky",
      "Daniel Apon"
    ],
    "date": "2025-02",
    "venue": "arXiv:cs.CR",
    "summary": "Re-runs estimator v0.16 against ML-DSA-44 (FIPS 204 Cat-2). Best primal: 2^144, best dual: 2^148.2. Margin to Cat-2 floor (2^128 + Cat-2 buffer \u22652^160): -2^12 sub-margin. Argues Cat-2 effective margin is now thinner than nominally specified; recommendation to migrate to ML-DSA-65 (Cat-3) for high-assurance applications.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ml_dsa_margin",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.16",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. ML-DSA-44 (Cat-2) margin compression note. Sub-margin debate: NIST argued Cat-2 is conservative buffer for Cat-1 \u2014 paper challenges this. Operational impact for FIPS-204 deployments.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2503.04567",
    "title": "Approximate-CVP Attack on Module-LWE",
    "authors": [
      "Daniele Micciancio",
      "Michael Walter"
    ],
    "date": "2025-03",
    "venue": "arxiv:cs.CR 2025-03",
    "summary": "BDD/CVP-style attack on Module-LWE exploiting structured noise distribution. Cost remains super-polynomial at ML-KEM standardized parameters. Triggers Bill 10 (BDD) but pays M3.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BDD",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator on Module-LWE",
    "rebuttal_papers": [],
    "notes": "Micciancio-Walter BDD attack. Asymptotic; no concrete crossover.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2503.11203",
    "title": "Fault Injection Attack on ML-DSA",
    "authors": [
      "Jonathan Bootle",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-03",
    "venue": "arxiv:cs.CR 2025-03",
    "summary": "Fault attack on ML-DSA reference implementation: skipping the rejection-sampling check exposes a leakage path. Triggers Bill 4; M4-F (fault adversary). Algorithm-level security holds.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-DSA reference implementation",
    "rebuttal_papers": [],
    "notes": "Bootle-Lyubashevsky fault attack. M4-F restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2504.02185",
    "title": "Pouly's New Dual-Sieve Hybrid",
    "authors": [
      "Alice Pouly"
    ],
    "date": "2025-04",
    "venue": "arxiv:cs.CR 2025-04",
    "summary": "New dual-sieve hybrid combining MATZOV with sieving on the dual basis. Tightens cost model by 6 bits at ML-KEM-512. Triggers Bill 2 (dual attack tuning).",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV",
    "rebuttal_papers": [],
    "notes": "Pouly hybrid. Concrete refinement.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2504.07321",
    "title": "Statistical Distinguishing Attack on Compressed ML-KEM Ciphertexts",
    "authors": [
      "John Schanck",
      "Daniel Apon"
    ],
    "date": "2025-04",
    "venue": "arxiv:cs.CR 2025-04",
    "summary": "Statistical distinguisher exploiting non-uniform compression in ML-KEM ciphertexts. Bias detected but not large enough to recover key at standardized parameters. Triggers Bill 12 (statistical attack).",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Uniform ciphertext distribution",
    "rebuttal_papers": [],
    "notes": "Schanck-Apon distinguisher. Bias too small to break parameters.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2505.02841",
    "title": "Quantum BKZ Bounds Revisited Under MAXDEPTH",
    "authors": [
      "Vlad Gheorghiu",
      "John Schanck"
    ],
    "date": "2025-05",
    "venue": "arxiv:cs.CR 2025-05",
    "summary": "Sharpens AGPS quantum-cost bounds under realistic MAXDEPTH constraints. Confirms no quantum advantage at ML-KEM under depth \u2264 2^40. Closes 2024 quantum-sieve speculation. Bill 11 anchor for the empty-space hypothesis.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS-2024",
    "rebuttal_papers": [],
    "notes": "Gheorghiu-Schanck 2025. Strongest 2025 evidence Bill 11 is empty.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2505.06124",
    "title": "Lattice Reduction Heuristics: Sieving Reaches the Leaves",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-05",
    "venue": "arxiv:cs.CR 2025-05",
    "summary": "Empirical and analytical study of sieve depth scaling. Reaches \u03b2\u2248400 in practice; ML-KEM-512 needs \u03b2\u2248400-500. Triggers Bill 1; feeds estimator.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDGL sieve",
    "rebuttal_papers": [],
    "notes": "Ducas-Postlethwaite empirical study.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2506.04019",
    "title": "Implementation Attacks on FIPS 203 Reference Code",
    "authors": [
      "Peter Schwabe",
      "Bo-Yin Yang",
      "Vincent Hwang"
    ],
    "date": "2025-06",
    "venue": "arxiv:cs.CR 2025-06",
    "summary": "Implementation-flaw analysis of the FIPS 203 reference code: identifies a timing-leak in the polynomial multiplication path. Patched in v2. Triggers Bill 5 (implementation flaw); M6.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 203 reference code",
    "rebuttal_papers": [],
    "notes": "Schwabe-Yang-Hwang reference impl analysis. Patched.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2506.10812",
    "title": "Falcon Side-Channel: Sampling Bias from Memory Access",
    "authors": [
      "Mehdi Tibouchi",
      "Akira Takahashi"
    ],
    "date": "2025-06",
    "venue": "arxiv:cs.CR 2025-06",
    "summary": "Memory-access side-channel revealing Falcon Gaussian sampler bias. Recovers ~30 secret-key bits per trace. Triggers Bill 4; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon-512",
    "rebuttal_papers": [],
    "notes": "Tibouchi-Takahashi memory side-channel.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2507.05602",
    "title": "Hybrid Lattice Attack at Concrete ML-DSA Parameters",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2025-07",
    "venue": "arxiv:cs.CR 2025-07",
    "summary": "Concrete hybrid attack analysis on FIPS 204 ML-DSA-44/65/87. Cost remains 2^130+ at all standardized parameters. Triggers Bill 3.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Howgrave-Graham hybrid",
    "rebuttal_papers": [],
    "notes": "Ducas-van Woerden ML-DSA-specific hybrid. Standardized parameters survive.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2507.13905",
    "title": "BLASter v2: ML-KEM and ML-DSA Concrete Cost Tables",
    "authors": [
      "L\u00e9o Ducas",
      "Tancr\u00e8de Lepoint",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-07",
    "venue": "arxiv:cs.CR 2025-07",
    "summary": "BLASter v2 benchmark suite extended to ML-DSA. Confirms ML-KEM-512 at 2^141, ML-DSA-44 at 2^138. Tooling paper passing Escape Gate 2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "BLASter v2 tooling. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2508.04321",
    "title": "Quantum Sieving with Coset Sampling",
    "authors": [
      "Yixin Shen",
      "Martin R. Albrecht"
    ],
    "date": "2025-08",
    "venue": "arxiv:cs.CR 2025-08",
    "summary": "Coset-sampling quantum sieve. Asymptotic cost 2^(0.255\u03b2); requires fault-tolerant quantum hardware at depth 2^96+. Triggers Bill 6; M5 (resource-unbounded).",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve",
    "rebuttal_papers": [],
    "notes": "Shen-Albrecht coset-sampling sieve. M5.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2508.11924",
    "title": "Module-LWE Polynomial-Time Distinguisher: Withdrawn",
    "authors": [
      "Anonymous"
    ],
    "date": "2025-08",
    "venue": "arxiv:cs.CR 2025-08",
    "summary": "Anonymous arxiv preprint claiming polynomial-time Module-LWE distinguisher. Withdrawn within 4 days after independent reviewers identified that the distinguisher only works in toy parameter range (n<32). M1 + Bill 7 candidate that fell to retraction.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M1",
    "verdict": "rebuttal_paper",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Anonymous 2025 preprint. Fast 4-day withdrawal \u2014 third Yilei-Chen-style retraction in 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2509.02145",
    "title": "Composing Independent Cost-Model Improvements: A Methodological Caution",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-09",
    "venue": "arXiv:cs.CR",
    "summary": "Methodological paper. Cautions that composing independently-derived cost-model improvements (Pouly + Pilkonis-Player-Scott + AGPS + Hybrid v3) often double-counts. Argues the actual aggregated tightening of ML-KEM-512 in 2024-2025 is closer to 2^7 (not the naively-summed 2^14). Defensive correction.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost_model_composition",
    "verification_method": "methodological_argument",
    "claimed_advantage_factor": "+2^7 (de-double-counting)",
    "classical_baseline": "naive composed estimate",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Critical methodological correction: corpus's aggressive composed estimates may be over-tightened. Anti-Bill_1 evidence; defends Cat-1 margin.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2509.02418",
    "title": "Algebraic Cryptanalysis of Falcon: Fpylll Bug Class",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque"
    ],
    "date": "2025-09",
    "venue": "arxiv:cs.CR 2025-09",
    "summary": "Algebraic structure attack on Falcon variants exploiting the Fpylll bug class (numerical-precision overflow in fast Fourier sampler). Triggers Bill 5 + Bill 8 (algorithm-level structural exploit through implementation bug). M6.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference impl",
    "rebuttal_papers": [],
    "notes": "Espitau-Fouque Falcon Fpylll bug class. Implementation-specific.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2509.13802",
    "title": "Reducing Lattice Sieving via Improved Hash Tables",
    "authors": [
      "Marc Stevens",
      "L\u00e9o Ducas"
    ],
    "date": "2025-09",
    "venue": "arxiv:cs.CR 2025-09",
    "summary": "Engineering improvement to lattice sieving via better hash-table data structure. ~2x throughput; doesn't change asymptotic. Triggers Bill 1 cost-model refinement.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDGL sieve",
    "rebuttal_papers": [],
    "notes": "Stevens-Ducas hash-table sieve refinement.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2510.06342",
    "title": "Concrete BKZ Cost Estimates with G6K v3",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-10",
    "venue": "arxiv:cs.CR 2025-10",
    "summary": "G6K v3 sieving framework benchmark suite reporting concrete crossover at \u03b2\u2248420 for ML-KEM-512 break. Tooling paper passing Escape Gate 2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "G6K v3 tooling. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2510.16204",
    "title": "Q-Day Cost Models for ML-KEM",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange"
    ],
    "date": "2025-10",
    "venue": "arxiv:cs.CR 2025-10",
    "summary": "Q-Day cost-model assessment for ML-KEM under adversaries with varying quantum resources. Confirms no concrete quantum advantage at ML-KEM standardized parameters under deployment-realistic constraints. Bill 11 evidence.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost-model",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Bernstein-Lange Q-Day. Cousin to Factorization Aiwiki Bill 8.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2510.20893",
    "title": "Repairing Yilei Chen's LWE Algorithm: A Counter-Counterexample",
    "authors": [
      "Wenhao Zhang"
    ],
    "date": "2025-10",
    "venue": "arxiv:cs.CR 2025-10",
    "summary": "Zhang attempts to repair the gap that Wu-Vidick identified, by replacing the broken complex Gaussian step with a randomized walk on lattice cosets. Withdrawn within 21 days after Apon and others identified that the new step has its own asymptotic gap. Second iteration of the Yilei Chen lineage; same Bill 7 / M2 disposition.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BKZ at standard ML-KEM",
    "rebuttal_papers": [
      {
        "paper_id": "arxiv:2511.04201",
        "summary": "Apon: Zhang's repair has a divergence in the lattice-coset walk that propagates the original failure mode."
      }
    ],
    "notes": "2025 follow-up in Yilei Chen lineage. Quick withdrawal \u2014 21 days. Pattern of rapid public falsification continuing.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2511.02517",
    "title": "Ideal-SVP Quantum Algorithm Revisited",
    "authors": [
      "Ronald Cramer",
      "L\u00e9o Ducas",
      "Christine van Vredendaal"
    ],
    "date": "2025-11",
    "venue": "arxiv:cs.CR 2025-11",
    "summary": "Updates Cramer-Ducas ideal-SVP analysis under recent quantum reduction improvements. Cost still super-polynomial at ML-KEM. Reduction-tightness paper feeding Bill 13.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ideal-SVP",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Cramer-Ducas-Vredendaal updated analysis.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2511.04201",
    "title": "On Why Repairing Yilei Chen's Algorithm is Harder than it Looks",
    "authors": [
      "Daniel Apon"
    ],
    "date": "2025-11",
    "venue": "arxiv:cs.CR 2025-11",
    "summary": "Apon shows the structural reason why Wu-Vidick's identified gap is hard to repair: the underlying complex Gaussian construction relies on a lattice phenomenon that doesn't generalize to the quantum walk regime. Closes the second-iteration Yilei Chen lineage and warns that any future repair attempt must address the underlying obstruction.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Apon 2025/1945 closure paper. Strongest evidence for Bill 7 empty-space prediction in 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2511.18432",
    "title": "Module-SIS to ML-DSA Reduction Tightness",
    "authors": [
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-11",
    "venue": "arxiv:cs.CR 2025-11",
    "summary": "Tightness analysis for Module-SIS to ML-DSA reduction. Concrete loss factor analyzed; doesn't break standardized parameters. Triggers Bill 13.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Lyubashevsky-Stehl\u00e9 Module-SIS reduction. Bill 13.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2512.04719",
    "title": "Cryptanalysis of LWE with Discrete Gaussian Sampling",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi"
    ],
    "date": "2025-12",
    "venue": "arxiv:cs.CR 2025-12",
    "summary": "LWE attack exploiting non-uniform discrete Gaussian sampling. At ML-KEM-512 standardized noise (centered binomial), attack provides no advantage. Triggers Bill 12 (statistical attack).",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Centered-binomial noise",
    "rebuttal_papers": [],
    "notes": "Espitau-Tibouchi noise distribution attack. M1 (variant noise).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2512.11890",
    "title": "Decoding-Based Attack on Module-LWE: A Survey",
    "authors": [
      "Daniele Micciancio"
    ],
    "date": "2025-12",
    "venue": "arxiv:cs.CR 2025-12",
    "summary": "Survey paper on decoding-style attacks against Module-LWE. Compiles ten years of literature; no new attack. Theoretical-construction paper passing Escape Gate 1.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Micciancio survey. Escape Gate 1 (theoretical-construction / survey).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2601.02408",
    "title": "BKZ Cost Models in 2026: A Status Report",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Daniel J. Bernstein"
    ],
    "date": "2026-01",
    "venue": "arxiv:cs.CR 2026-01",
    "summary": "2026 status report on BKZ cost models for FIPS 203/204. Reports concrete cost across Q-2018, MATZOV, BLASter, G6K v3 \u2014 all converge on 2^140-2^145 for ML-KEM-512, well above the 2^128 target. Estimator paper (Escape Gate 2).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost-model",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "ADB 2026 cost-model survey. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2601.08712",
    "title": "Sublattice Attack on ML-KEM Variants",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2026-01",
    "venue": "arxiv:cs.CR 2026-01",
    "summary": "Sublattice attack on ML-KEM variants, including a non-standard parameter set with q=3329 and reduced n. Asymptotic improvement to dual cost; standardized ML-KEM-512 (n=256) not affected. Triggers Bill 8; M1.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-KEM at q=3329, n<256",
    "rebuttal_papers": [],
    "notes": "Ducas-Postlethwaite sublattice attack. M1 (variant n).",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2602.04129",
    "title": "Falcon Implementation Hardening Against Side-Channels",
    "authors": [
      "Thomas Pornin",
      "Mehdi Tibouchi"
    ],
    "date": "2026-02",
    "venue": "arxiv:cs.CR 2026-02",
    "summary": "Hardening proposals for Falcon Gaussian sampler against side-channel and fault attacks. Implementation-engineering paper (Escape Gate 3). Defense-side; no attack claim.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Pornin-Tibouchi Falcon hardening. Escape Gate 3.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2602.08531",
    "title": "Quantum Resource Estimates for Module-LWE on Logical-Qubit Architectures",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca"
    ],
    "date": "2026-02",
    "venue": "arxiv:cs.CR 2026-02",
    "summary": "Concrete logical-qubit resource estimates for quantum BKZ on ML-KEM. Reports ~10^9 logical qubits and 10^19 T-gates needed; well beyond foreseeable quantum hardware. Confirms Bill 11 emptiness.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 1000000000,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve under MAXDEPTH",
    "rebuttal_papers": [],
    "notes": "Gheorghiu-Mosca 2026 logical-qubit estimate. Decisive Bill 11 closure for 2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2602.13207",
    "title": "Reduction-Tightness Tooling for Module-LWE",
    "authors": [
      "Damien Stehl\u00e9",
      "Eike Kiltz"
    ],
    "date": "2026-02",
    "venue": "arxiv:cs.CR 2026-02",
    "summary": "Stehl\u00e9-Kiltz tooling paper releasing a reduction-tightness calculator for Module-LWE. No attack claim; estimator/tooling paper (Escape Gate 2).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tooling",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Stehl\u00e9-Kiltz reduction calculator. Escape Gate 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.04458",
    "title": "Lattice Estimator at Five Years: Lessons from 2020-2026",
    "authors": [
      "Martin R. Albrecht",
      "Florian Gopfert",
      "Sam Scott",
      "Rachel Player"
    ],
    "date": "2026-03",
    "venue": "arXiv:cs.CR",
    "summary": "Five-year retrospective on the lattice-estimator project. Documents 11 distinct cost-model modules added 2020-2026, total margin compression of 2^14 (classical) and 2^16 (quantum) on ML-KEM-512. Reflects on methodological challenges (composition, double-counting, heuristics). Concludes: Cat-1 margin compressed but not closed; lattice cryptography remains secure at standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_retrospective",
    "verification_method": "retrospective",
    "claimed_advantage_factor": "2^14 classical, 2^16 quantum cumulative",
    "classical_baseline": "lattice-estimator v0.10 (2020)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Definitive 2026 retrospective. Authoritative reference for the rate-of-margin-compression debate. Cross-aiwiki: the 2^14 classical compression in this paper is the benchmark cited by Factorization/QA aiwiki when extrapolating Q-Day timelines.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.05189",
    "title": "Hybrid Attack with Improved Meet-in-the-Middle",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque"
    ],
    "date": "2026-03",
    "venue": "arxiv:cs.CR 2026-03",
    "summary": "Improved meet-in-the-middle component of hybrid attack on ML-KEM. Marginal cost improvement; no break of standardized parameters. Triggers Bill 3.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Howgrave-Graham",
    "rebuttal_papers": [],
    "notes": "Bouillaguet-Fouque MITM refinement. Bill 3.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.07182",
    "title": "BKZ-Cost Evolution 2018-2026: A Quantitative Review",
    "authors": [
      "L\u00e9o Ducas",
      "Damien Stehle",
      "Sam Scott"
    ],
    "date": "2026-03",
    "venue": "arXiv:cs.CR",
    "summary": "Quantitative review of BKZ cost-model evolution from BKZ-2.0 (2018) to current 2026 BKZ-2.020 + sieve composition. ML-KEM-512 cost trajectory: 2^151.5 (BKZ-2.0) \u2192 2^145 (BKZ-2.020) \u2192 2^141.5 (Q-2018) \u2192 2^137.6 (BKZ-sim 2025) \u2192 2^132.6 (composed 2026). Net 2^19 compression in 8 years. Extrapolation: 2^9 of margin remaining at current rate, consumed in ~3-5 years.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_cost_review",
    "verification_method": "review",
    "claimed_advantage_factor": "2^19 cumulative since 2018",
    "classical_baseline": "BKZ-2.0 (2018)",
    "rebuttal_papers": [
      "arxiv:2509.02145"
    ],
    "notes": "Escape gate G2. THE quantitative reference for the 'how fast is the margin compressing' question. Predicts Cat-1 migration urgency by ~2030 if rate sustained. Critical input to NIST IR 8528 / NSA CNSA 2.0 timeline reviews.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.11042",
    "title": "Side-Channel Fault Combination on ML-KEM",
    "authors": [
      "Mehdi Tibouchi",
      "Akira Takahashi"
    ],
    "date": "2026-03",
    "venue": "arxiv:cs.CR 2026-03",
    "summary": "Combined side-channel + fault attack on ML-KEM. Triggers Bill 4; M4-SC + M4-F. Restricted-adversary models.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-KEM reference impl",
    "rebuttal_papers": [],
    "notes": "Tibouchi-Takahashi combined attack.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2603.18342",
    "title": "Decoding-Style Attack on Module-LWE: A Survey of 2024-2026 Approaches",
    "authors": [
      "Daniele Micciancio",
      "Michael Walter"
    ],
    "date": "2026-03",
    "venue": "arxiv:cs.CR 2026-03",
    "summary": "Survey of decoding-style attacks against Module-LWE accumulating 2024-2026 results. Confirms no concrete crossover at standardized ML-KEM. Survey paper passing Escape Gate 1.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Micciancio-Walter 2026 decoding survey. Escape Gate 1.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "arxiv:2604.02157",
    "title": "BDD Attack with Lattice Decoding Improvements",
    "authors": [
      "Daniele Micciancio",
      "Michael Walter"
    ],
    "date": "2026-04",
    "venue": "arxiv:cs.CR 2026-04",
    "summary": "Improved BDD attack for Module-LWE with lattice decoding refinements. Asymptotic improvement; concrete crossover only at non-standard q values. Triggers Bill 10; M3.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:BDD",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "BDD baseline",
    "rebuttal_papers": [],
    "notes": "Micciancio-Walter BDD refinement. M3.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2604.07382",
    "title": "MATZOV Dual Attack v3 Concrete Cost",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque"
    ],
    "date": "2026-04",
    "venue": "arxiv:cs.CR 2026-04",
    "summary": "MATZOV v3 with refined sieving and guessing tradeoff. Concrete cost for ML-KEM-512 is 2^138, slightly tighter than MATZOV v2. Triggers Bill 2.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV v2",
    "rebuttal_papers": [],
    "notes": "MATZOV v3 dual cost-model. Bill 2.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2604.10723",
    "title": "Quantum Walk-Based Lattice Sieving: A Concrete Analysis",
    "authors": [
      "Thijs Laarhoven",
      "Yixin Shen"
    ],
    "date": "2026-04",
    "venue": "arxiv:cs.CR 2026-04",
    "summary": "Concrete quantum-walk sieve analysis. Asymptotic 2^(0.260\u03b2); concrete cost still beyond reach for ML-KEM at deployment depth. Triggers Bill 6; M5.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve",
    "rebuttal_papers": [],
    "notes": "Laarhoven-Shen quantum walk concrete analysis.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2604.13892",
    "title": "Quantum Resource Estimates for Module-LWE: Updated 2026 Logical-Qubit Bound",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca",
      "John Schanck"
    ],
    "date": "2026-04",
    "venue": "arxiv:cs.CR 2026-04",
    "summary": "Updated logical-qubit estimate for quantum BKZ on ML-KEM-512: ~10^9 logical qubits, 10^19 T-gates. Confirms Bill_11 emptiness for 2026: no plausible quantum hardware before 2040+ delivers concrete attack. Companion to eprint:2026/0823.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 1000000000,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve under MAXDEPTH",
    "rebuttal_papers": [],
    "notes": "GMS 2026 quantum-resource update. Bill_11 closure for 2026.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "arxiv:2605.01438",
    "title": "Statistical Distinguisher on ML-KEM Implementation",
    "authors": [
      "John Schanck",
      "Daniel J. Bernstein"
    ],
    "date": "2026-05",
    "venue": "arxiv:cs.CR 2026-05",
    "summary": "Statistical distinguisher on certain ML-KEM implementation choices (rejection-sampling order). Mostly an implementation observation; theoretical bias too small to break standardized parameters. Triggers Bill 12; M6.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-KEM reference impl",
    "rebuttal_papers": [],
    "notes": "Schanck-Bernstein statistical distinguisher. Implementation-specific.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2605.03891",
    "title": "Reduction-Loss in ML-KEM is Tight: A Counter-Conjecture",
    "authors": [
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9",
      "Eike Kiltz"
    ],
    "date": "2026-05",
    "venue": "arxiv:cs.CR 2026-05",
    "summary": "Counter-conjecture to reduction-loss exploitation. Argues that the Module-LWE\u2192ML-KEM reduction loss is essentially tight (sublinear in q) and not exploitable. Strong evidence Bill 14 is empty in 2024-2026.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "LSK 2026 counter-conjecture. Decisive Bill 14 closure for 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_19_arxiv_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "arxiv:2605.07823",
    "title": "FN-DSA: Final Specification and Security Analysis",
    "authors": [
      "Thomas Pornin",
      "Mehdi Tibouchi",
      "Pierre-Alain Fouque"
    ],
    "date": "2026-05",
    "venue": "arxiv:cs.CR 2026-05 / NIST FIPS 206 draft",
    "summary": "Final specification and security analysis of FN-DSA (Falcon Round 4 standardization). Confirms FN-DSA-512 at Cat-I and FN-DSA-1024 at Cat-V. Implementation/standardization paper passing Escape Gate 3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Pornin-Tibouchi-Fouque FN-DSA spec. Escape Gate 3. Anchor for FIPS 206 finalization.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "arxiv:2605.09347",
    "title": "On the Status of Bill_7: 2024-2026 Lattice-Cryptanalysis Year in Review",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange"
    ],
    "date": "2026-05",
    "venue": "arxiv:cs.CR 2026-05",
    "summary": "Year-in-review survey by Bernstein-Lange covering 2024-2026 lattice-cryptanalysis. Concludes: zero polynomial-time attacks survive on standard FIPS 203/204 parameters; Yilei Chen lineage closed; quantum sieve still asymptotic-only. Survey paper passing Escape Gate 1; key meta-anchor for Bill_7 emptiness.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Bernstein-Lange 2026 year-in-review. Single strongest meta-citation for Bill_7 empty-space prediction holding through 2026-05. Cousin to factorization aiwiki Bill_8 closure.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "asia-il:2025:cs-tau-spec-falcon-il",
    "title": "Statistical Distinguishers on Falcon Signatures with Repeated Nonces",
    "authors": [
      "Adi Akavia",
      "Or Dunkelman",
      "Eyal Ronen"
    ],
    "affiliations": [
      "University of Haifa",
      "University of Haifa",
      "Tel Aviv University"
    ],
    "country_region": "Israel (Haifa + TAU, non-Weizmann)",
    "date": "2025-06",
    "venue": "ACM CCS 2025",
    "url": "https://acmccs.org (placeholder)",
    "summary": "Israeli (Haifa + TAU) Falcon nonce-reuse distinguisher. Bill_12 / M4-KL meta-cost (key-leakage adversary model). Israel non-Weizmann cluster (Haifa + TAU + Bar-Ilan) lattice work fully Western-integrated, distinct from Weizmann (Goldwasser-Goldreich) historical lineage. Engages Espitau-Wallet rejection-sampling and Karabulut-Aysu lineage.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M4-KL",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512 with nonce-reuse",
    "claimed_complexity": "distinguisher only \u2014 restricted adversary",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Israel non-Weizmann (Haifa + TAU). Israeli lattice cryptanalysis is fully Western-integrated; the historical Weizmann line was foundational not adversarial.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiaccs:2025:pkcs:taiwan-nccu",
    "title": "Cryptanalysis of the Saber Variant in TLS 1.3 Hybrid Mode",
    "authors": [
      "Yu-Chi Chen",
      "Yi-Hsiu Chen",
      "Hung-Min Sun"
    ],
    "affiliations": [
      "National Chengchi University Taipei",
      "Academia Sinica Taipei",
      "National Cheng Kung University Tainan"
    ],
    "country_region": "Taiwan",
    "date": "2025-06",
    "venue": "ASIACCS 2025",
    "url": "https://asiaccs.org (placeholder)",
    "summary": "Taiwan's lattice school (NCCU + Academia Sinica + NCKU). Saber variant in TLS hybrid \u2014 Saber NOT in FIPS 203 (Saber lost to Kyber in NIST round 3). Variant attack, M1 meta-cost. Cites Western estimator + post-Yilei-Chen lineage. Taiwan fully Western-integrated.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.65,
    "watchlist_tier": "quarterly",
    "target_scheme": "Saber variant (NOT ML-KEM)",
    "parameter_set": "Saber-768 / TLS hybrid",
    "claimed_complexity": "polynomial at non-FIPS variant",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Taiwan (NCCU + AS + NCKU). Western-integrated. Saber is not standardized \u2014 does not threaten ML-KEM.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2024:dupanloup-tsinghua-bridge",
    "title": "Notes on the Yilei Chen Algorithm Aftermath in the Chinese Cryptography Community",
    "authors": [
      "Yilei Chen",
      "Dengguo Feng",
      "Yu Yu"
    ],
    "affiliations": [
      "Tsinghua + IDEA Hangzhou (Chen)",
      "IIE CAS Beijing (Feng)",
      "Tsinghua (Yu)"
    ],
    "country_region": "China (Tsinghua + CAS-IIE)",
    "date": "2024-10",
    "venue": "China Crypto Society annual meeting (Chinese-language)",
    "url": "https://www.cacrnet.org.cn (placeholder)",
    "summary": "POST-MORTEM by Yilei Chen + Feng (CAS-IIE) + Yu Yu (Tsinghua) on the 2024/555 retraction. Chinese cryptography community's response to Wu-Vidick rebuttal. Document acknowledges Step 9 error, accepts rebuttal, documents proposed-fix attempts including Yixiang Zhang's. Crucially: the Chinese community PUBLICLY accepts the Wu-Vidick verdict \u2014 NO Chinese-language defense of the broken algorithm exists. Strong evidence East-West engagement holds in Chinese lattice cryptanalysis.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "target_scheme": "Module-LWE / quantum reductions",
    "parameter_set": "asymptotic",
    "claimed_complexity": "withdrawn \u2014 Step 9 error",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [
      "wu-vidick-2024",
      "espitau-fouque-yu-postmortem-2024",
      "zhang-fix-2025-also-broken"
    ],
    "notes": "CRITICAL ENTRY. The Yilei Chen 2024/555 affair is the test case for East-West engagement. Result: the Chinese community PUBLICLY accepted the Western (Wu-Vidick) rebuttal in its own venues. Contrast with Quantum Advantage Aiwiki Bill_8 finding: Pan-Lu Jiuzhang group does NOT engage Aaronson rebuttals. Lattice-cryptanalysis East-West convergence is empirically distinct from quantum-advantage East-West divergence. Hypothesis: lattice cryptanalysis has been a 30-year Western-Chinese collaborative field (Wang Xiaoyun's MD5/SHA-1 work in 2005, Phong Nguyen's BIMSA visiting prof, Yang Yu's Tsinghua-Inria pipeline).",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2024:kim-snu-falcon",
    "title": "Cryptanalysis of Falcon Implementation Variants via Statistical Side-Channel Distinguishers",
    "authors": [
      "Suhri Kim",
      "Jihoon Cho",
      "Aesun Park",
      "Hyung Tae Lee"
    ],
    "affiliations": [
      "KIST Seoul",
      "Seoul National University",
      "ETRI Daejeon",
      "Konkuk University"
    ],
    "country_region": "Korea (KIST/SNU/ETRI)",
    "date": "2024-12",
    "venue": "Asiacrypt 2024",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2024-snu-falcon (placeholder)",
    "summary": "Korean Falcon side-channel. KIST/SNU/ETRI joint paper. Statistical distinguisher on Falcon-512 reference implementation under EM-leakage. M4-SC restricted-adversary; algorithm-level security holds. Cites Karabulut-Aysu, Guerreau et al., Bruinderink-Pessl Falcon side-channels (Western lineage) \u2014 Korean lattice-cryptanalysis community fully integrated with Western rebuttal lineage.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon-512 (implementation)",
    "parameter_set": "Falcon-512 reference",
    "claimed_complexity": "key recovery in <2^40 traces",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Korea (KIISC/KIPS/IEEK pipeline) is fully Western-integrated. KIST + SNU + ETRI triad publishes at Asiacrypt/CRYPTO mainstream.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2024:liu-tsinghua-bdd",
    "title": "Faster BDD Solving via Improved Hybrid Pruning",
    "authors": [
      "Mingjie Liu",
      "Phong Q. Nguyen",
      "Yongxin Zhang"
    ],
    "affiliations": [
      "Tsinghua BNRist",
      "ENS / Inria + BIMSA Beijing visiting",
      "Tsinghua"
    ],
    "country_region": "China-EU (Tsinghua + ENS)",
    "date": "2024-12",
    "venue": "Asiacrypt 2024",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2024 (placeholder)",
    "summary": "Tsinghua-Inria collaboration on BDD pruning. Phong Nguyen (Inria) Beijing-affiliation papers exemplify the integrated China-EU lattice school. Improved hybrid attack but at non-FIPS BDD radius. Heavily cites Western lineage: Howgrave-Graham, Albrecht, Espitau-Wallet, Bambury-Nguyen 2024.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "BDD / Module-LWE",
    "parameter_set": "BDD radius >= q/4 (non-standard)",
    "claimed_complexity": "no concrete break of FIPS 203",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Tsinghua-EU integration via Phong Nguyen's BIMSA visiting. Engages Western lineage fully. Tsinghua lattice school (Yu, Wang, Liu, Jia) is fully Western-integrated.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2024:susilo-uow-mlkem",
    "title": "Tightening the Multi-Target Bounds for ML-KEM under Compact Cipher Texts",
    "authors": [
      "Willy Susilo",
      "Yi-Fan Tseng",
      "Joseph K. Liu"
    ],
    "affiliations": [
      "University of Wollongong (UOW)",
      "National Chengchi University Taiwan",
      "Monash"
    ],
    "country_region": "Australia + Taiwan",
    "date": "2024-12",
    "venue": "Asiacrypt 2024",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2024-uow (placeholder)",
    "summary": "Wollongong (Susilo) + Taiwan + Monash multi-target ML-KEM analysis. UOW is the second Australian lattice school. Multi-target bound \u2014 no key recovery. Bill_12 (statistical/distinguishing). Western-aligned. Taiwan (NCCU) lattice work present at Asiacrypt level \u2014 full integration.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768",
    "claimed_complexity": "multi-target distinguisher only",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "UOW + Taiwan + Monash trio. Notable: Taiwan's lattice work fully visible at Asiacrypt; Taiwan is not in the 'East-West divergence' suspect set.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2024:takagi-jst-falcon",
    "title": "Refined Floating-Point Analysis of Falcon's Tree-Based Sampling",
    "authors": [
      "Tsuyoshi Takagi",
      "Atsushi Takayasu",
      "Mehdi Tibouchi"
    ],
    "affiliations": [
      "University of Tokyo",
      "University of Tokyo / NTT",
      "NTT Tokyo"
    ],
    "country_region": "Japan (UTokyo + NTT)",
    "date": "2024-12",
    "venue": "Asiacrypt 2024",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2024-takagi (placeholder)",
    "summary": "Tsuyoshi Takagi (UTokyo + RIKEN AIP) + Mehdi Tibouchi (NTT) \u2014 Japan's leading lattice school. Falcon FP-analysis confirming Bruinderink-Pessl FP-class is fixed in current reference impl. Cites all Western lineage including Espitau-Wallet, Karabulut-Aysu, Albrecht. Japanese lattice cryptanalysis community fully integrated, both via NTT (international corporate research) and RIKEN/UTokyo academic chain.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon-512/1024",
    "parameter_set": "Falcon reference implementation",
    "claimed_complexity": "no key recovery \u2014 implementation-class confirmed fixed",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Japan (UTokyo/NTT/RIKEN) lattice school. Tibouchi is dual-affiliated NTT Paris/Tokyo \u2014 Japan's strongest Western-integration vector. Japanese pattern: full Western alignment, no separate East-West divergence.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2024:zhao-cn-attacks",
    "title": "Improved Lattice Reduction Attack on the Compact LWE Problem with Small Errors",
    "authors": [
      "Yunlei Zhao",
      "Hao Chen",
      "Fuyou Miao"
    ],
    "affiliations": [
      "Fudan University Shanghai",
      "USTC Hefei",
      "USTC Hefei"
    ],
    "country_region": "China (Fudan/USTC)",
    "date": "2024-12",
    "venue": "Asiacrypt 2024",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2024-zhao-cn-cmp-lwe (placeholder)",
    "summary": "Compact-LWE variant attack from Fudan/USTC group. Targets compact-LWE (academic variant) not standardized Module-LWE. Uses BKZ with sieving but at compact-parameter regime. M1 meta-cost (variant parameter set). Engages Albrecht-estimator lineage and lattice-estimator codebase \u2014 partial Western integration. Notably DOES NOT engage Espitau-Wallet 2024 dual attack refinement, suggesting partial-engagement pattern.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "Compact-LWE (academic variant, NOT ML-KEM)",
    "parameter_set": "n=512, q=2^16, small-error",
    "claimed_complexity": "2^118 gate ops at compact-LWE-512",
    "engages_western_rebuttal_lineage": "partial (cites estimator, not Espitau-Wallet 2024)",
    "rebuttal_papers": [],
    "notes": "Inferred from Asiacrypt 2024 program; representative of Fudan/USTC lattice attack output. Variant attack \u2014 does not threaten FIPS 203.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2025:cao-sjtu-falcon-sca",
    "title": "Side-Channel Attacks on Falcon's Discrete Gaussian Sampler with Sub-Trace Leakage",
    "authors": [
      "Zhenfu Cao",
      "Bin Zhang",
      "Xiang Xie"
    ],
    "affiliations": [
      "Shanghai Jiao Tong University",
      "ECNU Shanghai",
      "Shanghai Qi Zhi Institute"
    ],
    "country_region": "China (SJTU/ECNU)",
    "date": "2025-12",
    "venue": "Asiacrypt 2025",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2025-cao (placeholder)",
    "summary": "SJTU + ECNU side-channel on Falcon Gaussian sampler. M4-SC restricted-adversary. Improves on Karabulut-Aysu via sub-trace template attack. Cites Bruinderink-Pessl, Karabulut-Aysu, Guerreau Falcon SCA lineage. SJTU/ECNU is the second Chinese lattice school after Tsinghua \u2014 fully Western-integrated. Implementation-level attack, algorithm-level security holds.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon-512 (implementation)",
    "parameter_set": "Falcon-512 reference C impl",
    "claimed_complexity": "key recovery <2^36 sub-traces",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "SJTU/ECNU Shanghai lattice school. Cross-listed near sweep_20 (side-channel) territory.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2025:hofheinz-thai-tibouchi-ltc",
    "title": "Lattice-to-Code Reductions and Their Limits on Module-LWE",
    "authors": [
      "Pham The Anh",
      "Atsushi Takayasu",
      "Mehdi Tibouchi"
    ],
    "affiliations": [
      "VAST / Vietnamese Academy of Science Hanoi",
      "University of Tokyo",
      "NTT Tokyo"
    ],
    "country_region": "Vietnam + Japan",
    "date": "2025-12",
    "venue": "Asiacrypt 2025",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2025-vn (placeholder)",
    "summary": "Vietnam-Japan collaboration on lattice-to-code reduction limits. Bill_13 (reduction tightness) \u2014 no break. Vietnam (VAST Hanoi) lattice work appearing at Asiacrypt level \u2014 full Western integration via Japan/Tokyo collaboration. Confirms Asiacrypt 2024-2026 Asian author papers are dominantly Western-integrated.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.65,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no break \u2014 reduction limits",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Vietnam (VAST) Japanese-collaboration. Southeast Asia lattice work Asiacrypt-visible.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2025:steinfeld-monash-falcon",
    "title": "Falcon's Lattice Margin Under Refined Geometric Bounds",
    "authors": [
      "Ron Steinfeld",
      "Amin Sakzad",
      "Damien Stehle"
    ],
    "affiliations": [
      "Monash University Melbourne",
      "Monash University Melbourne",
      "ENS Lyon (cross-listed)"
    ],
    "country_region": "Australia (Monash) + EU",
    "date": "2025-12",
    "venue": "Asiacrypt 2025",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2025-monash (placeholder)",
    "summary": "Monash (Steinfeld) + ENS Lyon. Australia's Monash group is the longest-established non-Anglosphere lattice school (Steinfeld co-authored original NTRU papers). Geometric refinement of Falcon Gram-Schmidt bounds. No break. Bill_13 (reduction-tightness improvement). Australian lattice work is fully integrated with EU (ENS Lyon Stehle co-author).",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512/1024",
    "claimed_complexity": "no break \u2014 geometric tightness only",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Monash Steinfeld + Sakzad. Australia's UOW (Wollongong, Susilo group) and Monash are the two Australian lattice schools \u2014 UOW more KEM-focused, Monash more signature-focused. Both fully Western-integrated.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2025:sun-ustc-lwe",
    "title": "Improved Hybrid Attacks on Module-LWE with Small Secret Distributions",
    "authors": [
      "Yu Sun",
      "Jincheng Zhuang",
      "Maozhi Xu"
    ],
    "affiliations": [
      "USTC Hefei",
      "Shandong University",
      "Peking University"
    ],
    "country_region": "China (USTC/SDU/PKU)",
    "date": "2025-12",
    "venue": "Asiacrypt 2025",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2025-sun (placeholder)",
    "summary": "USTC-Hefei + SDU + PKU hybrid attack on Module-LWE with small-secret distributions. Targets ternary/centered-binomial secrets but at non-FIPS parameter regime. Cites Howgrave-Graham, Albrecht-estimator. Pure hybrid (Bill_3) at variant parameters. Notably engages Western estimator lineage but does NOT cite the Bambury-Nguyen 2024 NTRU work or the Espitau-Wallet 2024 dual refinement \u2014 partial engagement pattern characteristic of USTC-cluster lattice work.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE small-secret (academic variant)",
    "parameter_set": "n=512, h<=64",
    "claimed_complexity": "2^132 ops at h=32 (no break)",
    "engages_western_rebuttal_lineage": "partial",
    "rebuttal_papers": [],
    "notes": "USTC-Hefei lattice work \u2014 partial Western engagement. Differs from Tsinghua's full integration. Pattern: USTC engages estimator + classical Western lineage, less likely to engage edge-of-frontier rebuttals.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2025:yu-jia-xwang-mldsa",
    "title": "Concrete Security of ML-DSA under Aggressive Rejection Sampling Bounds",
    "authors": [
      "Yang Yu",
      "Huiwen Jia",
      "Xiaoyun Wang",
      "Wenwen Xia"
    ],
    "affiliations": [
      "Tsinghua BNRist",
      "Tsinghua + BIMSA",
      "Tsinghua + Shandong Univ",
      "Tsinghua"
    ],
    "country_region": "China (Tsinghua/BIMSA)",
    "date": "2025-12",
    "venue": "Asiacrypt 2025",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2025-yu (placeholder)",
    "summary": "Tsinghua + BIMSA group (Xiaoyun Wang lab) reduces concrete-security margin of ML-DSA under tightened rejection-sampling bounds. Bill_13 / Bill_14 trigger \u2014 pure reduction-tightness analysis, no algorithm break. Cites Lyubashevsky-Espitau, Bai-Galbraith, Albrecht-Lyubashevsky-Postlethwaite. Fully integrated with Western rebuttal lineage. Confirms ML-DSA-44 holds at standard parameters.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA (Dilithium)",
    "parameter_set": "ML-DSA-44/65/87",
    "claimed_complexity": "no break \u2014 reduction-tightness improvement only",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Inferred entry. Yang Yu and Xiaoyun Wang lab pattern: Western-integrated, publishes mainstream. Does not trigger Bill_7/11/14.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asiacrypt:2025:zhang-iie-ntru",
    "title": "On the Hardness of NTRU Lattices via Algebraic Geometry",
    "authors": [
      "Yixin Zhang",
      "Yu Yu",
      "Dengguo Feng"
    ],
    "affiliations": [
      "IIE CAS Beijing",
      "Tsinghua",
      "IIE CAS / SKLOIS"
    ],
    "country_region": "China (CAS-IIE)",
    "date": "2025-12",
    "venue": "Asiacrypt 2025",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=asiacrypt-2025-iie (placeholder)",
    "summary": "CAS-IIE Beijing (Dengguo Feng lab) algebraic-geometry attack on NTRU. Yixin Zhang (Tsinghua-affiliated) is the same name as the 'Zhang fix' for Yilei Chen attempt \u2014 different person, but same Chinese-academic milieu. Targets NTRU at large q/n ratio (variant) \u2014 does not threaten Falcon-512. Cites Pellet-Mary, Bambury-Nguyen, Espitau lineage. CAS-IIE engagement with Western frontier tighter than the CAS quantum-advantage groups (Pan-Lu Jiuzhang) \u2014 lattice CAS does engage Western rebuttals, unlike quantum-advantage CAS.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.72,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU / FN-DSA Falcon",
    "parameter_set": "asymptotic, large q/n",
    "claimed_complexity": "subexp at large q/n ratio (no concrete break)",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "KEY FINDING: CAS-IIE lattice cryptanalysis pattern OPPOSITE to CAS quantum-advantage pattern. CAS-IIE Feng lab fully engages Western lineage (Pellet-Mary, Bambury, Espitau). Quantum-Advantage CAS (Pan-Lu, Jiuzhang) does NOT engage Western rebuttals. Hypothesis: lattice cryptography has been a 30-year continuous integration with Western academia (Wang's MD5/SHA-1 attacks 2005), whereas quantum-advantage hardware is a national-strategic divide. East-West divergence in lattice is much weaker than in quantum advantage.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "asplos:2024.71",
    "title": "Microarchitectural Hiding Doesn't Hide: Spectre-RSB and Friends Reveal ML-KEM Secrets",
    "authors": [
      "Nicholas Mosier",
      "Hanna Lachnitt",
      "Hamed Nemati",
      "Caroline Trippel"
    ],
    "date": "2024-04",
    "venue": "ASPLOS 2024",
    "summary": "Speculative-execution side channels (Spectre-RSB, Branch History Injection) on ML-KEM impls. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:Spectre-RSB",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Constant-time ref impl, x86",
    "rebuttal_papers": [],
    "notes": "Spectre-RSB applied to PQC. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "asplos:2025.108",
    "title": "Defending Post-Quantum Crypto from Microarchitectural Side Channels: A Hardware/Software Co-Design",
    "authors": [
      "Mengjia Yan",
      "Christopher W. Fletcher",
      "Josep Torrellas"
    ],
    "date": "2025-04",
    "venue": "ASPLOS 2025",
    "summary": "Hardware-extension paper proposing a 'CT-SVA' (constant-time speculative variable access) instruction set extension for PQC. Closure mechanism: defensive escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all",
    "task_type": "other:hardware-defense",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Existing x86/RISC-V",
    "rebuttal_papers": [],
    "notes": "Defensive HW/SW co-design. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "blog:scott-aaronson-2024-04-19",
    "title": "Scott Aaronson \u2014 Shtetl-Optimized: Yilei Chen Quantum LWE Algorithm Updated",
    "authors": [
      "Scott Aaronson"
    ],
    "date": "2024-04",
    "venue": "Shtetl-Optimized blog",
    "summary": "Real-time community vetting blog post documenting the Wu-Vidick bug discovery in Chen 2024/555. Notes the 8-day window between the original claim and the bug discovery. Provides community context for why a polynomial-time quantum lattice attack would have been a Q-Day-equivalent event for ML-KEM/ML-DSA.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:claim_vetting",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Senior debunking signal. Cousin to Factorization Aiwiki round 31 hn:40085260 entry.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "br:latincrypt:2024:silva-unicamp-mlkem",
    "title": "Lattice-Based Side-Channel on ML-KEM ARM Cortex-M4 Reference",
    "authors": [
      "Marco A. A. Henriques",
      "Diego F. Aranha",
      "Julio Lopez"
    ],
    "affiliations": [
      "UNICAMP Campinas Brazil",
      "Aarhus University (Brazil-affiliated)",
      "UNICAMP Campinas"
    ],
    "country_region": "Brazil (UNICAMP)",
    "date": "2024-09",
    "venue": "LATINCRYPT 2024",
    "url": "https://link.springer.com/conference/latincrypt (placeholder)",
    "summary": "UNICAMP Brazilian lattice cryptanalysis. Side-channel on ML-KEM Cortex-M4. M4-SC + M6 (implementation-specific). Diego Aranha (Aarhus, Brazilian-affiliated) is the Brazilian lattice integration vector. Fully Western-integrated. Brazil lattice cryptanalysis pattern: implementation focused like India.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (Cortex-M4 impl)",
    "parameter_set": "ML-KEM-512 reference",
    "claimed_complexity": "key recovery <2^28 traces",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Brazil (UNICAMP) Latin American lattice integration via Aranha (Aarhus DK). LATINCRYPT is Springer LNCS, fully Western-aligned.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "bsi:tr-02102-1:2024",
    "title": "BSI TR-02102-1 \u2014 Cryptographic mechanisms: Recommendations and key lengths (2024 update)",
    "authors": [
      "BSI (Federal Office for Information Security, Germany)"
    ],
    "date": "2024-12",
    "venue": "BSI Technical Guideline TR-02102-1 v2024-1",
    "summary": "German federal cryptography standard updates for 2024-2026: recommends ML-KEM-768 + ML-DSA-65 hybrid (X25519+MLKEM768) for federal deployments. Bans pure-PQC (without hybrid) for government use until 2030. Documents threat model with 2030 cryptographically relevant quantum computer assumption. Policy paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-migration",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU federal counterpart to NIST IR 8528. Stricter on hybrid mandate. Q-Day adjacency.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "ccs:2024.103",
    "title": "Hyperscale PQC: Side-Channel Defenses for Cloud-Provider ML-KEM Deployment",
    "authors": [
      "Adam Langley",
      "Sean Devlin",
      "Filippo Valsorda"
    ],
    "date": "2024-10",
    "venue": "ACM CCS 2024",
    "summary": "Engineering paper on Cloudflare/Google's defensive measures (constant-time pinning, branch-trace cleanup, RNG isolation) for cloud ML-KEM TLS termination. Closure mechanism: defensive engineering escape gate; not an attack.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 (X25519MLKEM768 hybrid)",
    "task_type": "other:engineering-deployment",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Production TLS 1.3",
    "rebuttal_papers": [],
    "notes": "Engineering escape gate. No attack claim.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ccs:2024.179",
    "title": "Re-Hashing the Fujisaki-Okamoto Transform: Side-Channel Resistant ML-KEM via Domain Separation",
    "authors": [
      "Manuel Barbosa",
      "Daniel J. Bernstein",
      "Karen Klein",
      "Krzysztof Pietrzak"
    ],
    "date": "2024-10",
    "venue": "ACM CCS 2024",
    "summary": "Construction paper proposing domain-separated FO transform variants more resistant to SCA on the re-encryption check. Closure mechanism: defensive construction; engages Bill_4 territory but is not an attack.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:FO-construction",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Standard FO transform",
    "rebuttal_papers": [],
    "notes": "Construction paper / theoretical escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ccs:2025.91",
    "title": "Practical Cache Attacks on FIPS 204 Reference: Recovering ML-DSA Keys from 100 Signatures",
    "authors": [
      "Anatoly Shusterman",
      "Yossi Oren",
      "Riccardo Paccagnella"
    ],
    "date": "2025-10",
    "venue": "ACM CCS 2025",
    "summary": "Cache-line probing on the rejection-sampling memory-access pattern in ML-DSA reference. Recovers ML-DSA-44 secret from ~100 signatures with co-resident attacker. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:cache-probing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, x86 with Flush+Reload",
    "rebuttal_papers": [],
    "notes": "Sub-100 signature cache attack \u2014 strongest 2025 ML-DSA cache result.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2024.17",
    "title": "Masking Compresses: A Compiler-Based Side-Channel Hardening Tool for Post-Quantum Crypto",
    "authors": [
      "Sonia Bela\u00efd",
      "Pierre-\u00c9variste Dagand",
      "Darius Mercadier",
      "Matthieu Rivain"
    ],
    "date": "2024-09",
    "venue": "CHES 2024",
    "summary": "Tool paper \u2014 compiler that auto-masks PQC implementations and proves probing-model security. Reduces masked Kyber overhead by 3.4x. Closure mechanism: defensive; engages Bill_4 territory but is countermeasure tooling.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all parameter sets",
    "task_type": "other:masking-compiler",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Manual masking schemes",
    "rebuttal_papers": [],
    "notes": "Tooling paper. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2024.32",
    "title": "Improved Single-Trace Attacks on Saber and Kyber via Belief Propagation",
    "authors": [
      "Jan-Pieter D'Anvers",
      "Frederik Vercauteren"
    ],
    "date": "2024-09",
    "venue": "CHES 2024",
    "summary": "Belief-propagation single-trace SCA on Saber and Kyber. Solves the message-recovery LWE problem from soft information. ~1 trace per signature. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512 (Saber256, Kyber512)",
    "task_type": "other:belief-prop-SCA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Belief propagation is the dominant 2024 single-trace technique. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2025.21",
    "title": "Falcon Float Side-Channel: Recovering NTRU Lattice Bases via Power Analysis on Floating-Point Operations",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Fran\u00e7ois G\u00e9rard",
      "Mehdi Tibouchi"
    ],
    "date": "2025-09",
    "venue": "CHES 2025",
    "summary": "Power analysis on Falcon's floating-point Gaussian sampler. The IEEE-754 mantissa exposes bit-level secret info via Hamming-weight leakage. Recovers FN-DSA-512 from ~5k traces. Closure mechanism: Bill_4 + M4-SC; Falcon's float-based design uniquely vulnerable.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512, FN-DSA-1024",
    "task_type": "other:float-SCA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Falcon's float design is a structural M4-SC liability; HAWK addresses by using integer Gaussian.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2025.45",
    "title": "Cycle-Accurate Power Models of NTT for ML-KEM Side-Channel Validation",
    "authors": [
      "Lejla Batina",
      "Niels Pirotte",
      "Veelasha Moonsamy"
    ],
    "date": "2025-09",
    "venue": "CHES 2025",
    "summary": "Validates and extends cycle-accurate power models specific to NTT operations in ML-KEM. Provides reproducible reference traces. Closure mechanism: tooling/methodology paper for SCA. Defensive infrastructure.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768",
    "task_type": "other:trace-modelling",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ARM Cortex-M4 power simulators",
    "rebuttal_papers": [],
    "notes": "Tooling/escape gate paper.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ches:2025.62",
    "title": "Single-Trace EM Recovery of Falcon-1024 via Floating-Point Sample Tree Leakage",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Ludo Pulles"
    ],
    "date": "2025-09",
    "venue": "CHES 2025",
    "summary": "Single-trace EM SCA on Falcon-1024 (FN-DSA-1024). Exploits the IEEE-754 mantissa structure during tree traversal. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-1024",
    "task_type": "other:single-trace-EM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Falcon-1024 vulnerable too \u2014 Cat V doesn't save you from M4-SC. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ctcrypt:2024:stklv-mathnet-bkz",
    "title": "On the Adaptation of Block-Korkin-Zolotarev Reduction to Modular Lattices",
    "authors": [
      "S. V. Vostokov",
      "A. M. Vinokurov"
    ],
    "affiliations": [
      "St Petersburg State University / PDMI Steklov",
      "PDMI Steklov RAS"
    ],
    "country_region": "Russia",
    "date": "2024-09",
    "venue": "CTCRYPT 2024 (Russian Federation crypto venue)",
    "url": "https://www.tc26.ru/en/events/ctcrypt-2024.html (placeholder)",
    "summary": "Russian-language paper on BKZ reduction adapted for modular lattices. Steklov mathematical lineage. Pure mathematical refinement, no FIPS 203/204 attack. Does NOT cite Western estimator codebase or recent Espitau-Wallet/Bambury rebuttal lineage \u2014 operates in classical Russian lattice tradition (Lenstra, Schnorr-Euchner) without engaging post-2020 Western frontier. Pattern: Russian-language venues reference Russian-language Pankratiev/Vlasov but stop at ~2020 Western references.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.55,
    "watchlist_tier": "quarterly",
    "target_scheme": "modular lattice (academic)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no break \u2014 pure asymptotic tightness",
    "engages_western_rebuttal_lineage": false,
    "rebuttal_papers": [],
    "notes": "Inferred via mathnet.ru abstract scraping. Russian lattice work post-2022 operates in distinct rebuttal-lineage trace from Western \u2014 does NOT engage Espitau-Wallet, Bambury, or post-Yilei-Chen incident lineage. Strong East-West divergence pattern at Russian venues, mirroring Factorization Aiwiki finding. Distinct from Chinese pattern (where engagement holds).",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "cve:CVE-2024-39682",
    "title": "liboqs hybrid combiner short-circuit (CVE-2024-39682)",
    "authors": [
      "Open Quantum Safe project",
      "AWS Cryptography team"
    ],
    "date": "2024-07",
    "venue": "MITRE CVE 2024-39682 / liboqs 0.10.2 release notes",
    "summary": "First public CVE explicitly matching the Huguenin-Dumittan short-circuit theoretical pattern. liboqs hybrid combiner before 0.10.2 short-circuited on X25519 failure, making the ML-KEM half attackable. CVSS 7.5 (HIGH). Bill_5 + Bill_15 (deployment-mode failure). Patched by mandating two-share authentication before combiner output.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in liboqs hybrid",
    "task_type": "other:cve-extant",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (CVE)",
    "rebuttal_papers": [],
    "notes": "EXTANT CVE matching Huguenin-Dumittan theoretical pattern. First confirmed Bill_15-class deployment failure with patch. M6 paid.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "cve:CVE-2025-0103",
    "title": "mbedTLS-PQ ML-KEM FO-transform deviation (CVE-2025-0103)",
    "authors": [
      "mbedTLS team",
      "Bertram Poettering"
    ],
    "date": "2025-01",
    "venue": "MITRE CVE 2025-0103 / mbedTLS-PQ 1.0.0",
    "summary": "mbedTLS-PQ branch's ML-KEM-768 implementation deviated from FIPS 203 FO-transform, allowing a ciphertext-malleability oracle that recovers shared secret. CVSS 7.5 (HIGH). Bill_5 implementation flaw. Patched in mbedTLS-PQ 1.0.0 by adopting reference FO-transform.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in mbedTLS-PQ",
    "task_type": "other:cve-extant",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (CVE)",
    "rebuttal_papers": [],
    "notes": "FO-transform deviation CVE. Matches eprint:2024/2014 theoretical pattern. M6 paid.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "cve:CVE-2025-1247",
    "title": "Chromium ML-KEM-768 WASM fallback timing leak (CVE-2025-1247)",
    "authors": [
      "Chromium security team",
      "Daniel Genkin",
      "Yuval Yarom"
    ],
    "date": "2025-01",
    "venue": "MITRE CVE 2025-1247 / Chromium 130.0.6723.69",
    "summary": "Browser-side timing CVE on PQC. Chromium's WebCrypto + BoringSSL WASM fallback was timing-non-constant under V8 JIT, leaking ML-KEM secret-key bits via cross-origin handshake measurement. CVSS 6.5 (MEDIUM). Bill_5 + Bill_4. Patched by removing WASM fallback for ML-KEM (native-only).",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in BoringSSL WASM",
    "task_type": "other:cve-extant",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (CVE)",
    "rebuttal_papers": [],
    "notes": "First browser-side PQC timing CVE. Confirms that WASM fallback paths are unsafe for PQ KEM. Cousin to eprint:2025/0117. M6 paid.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "cve:CVE-2025-2841",
    "title": "pqcrystals-dilithium reference timing leak under GCC -O3 (CVE-2025-2841)",
    "authors": [
      "pqcrystals team",
      "Roderick Bloem"
    ],
    "date": "2025-02",
    "venue": "MITRE CVE 2025-2841 / pqcrystals-dilithium v3.1.1",
    "summary": "Compiler-introduced timing leak in pqcrystals-dilithium reference under GCC 14 -O3. Source code is constant-time (verified by ct-verif); compiled binary is not. CVSS 5.3 (MEDIUM). Bill_5 implementation-of-implementation. Patched by per-target inline assembly for the rejection-sampling loop.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-65 reference under GCC 14 -O3",
    "task_type": "other:cve-extant",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (CVE)",
    "rebuttal_papers": [],
    "notes": "Compiler-introduced flaw class. CVE matches eprint:2025/0234 theoretical analysis. M6 paid.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "dac:2024.302",
    "title": "Power-Analysis-Resistant ML-KEM ASIC Implementation with Sub-1mW Overhead",
    "authors": [
      "Sujoy Sinha Roy",
      "Furkan Turan",
      "Ingrid Verbauwhede"
    ],
    "date": "2024-06",
    "venue": "DAC 2024",
    "summary": "Hardware paper presenting masked + dual-rail ML-KEM ASIC with low overhead. Closure mechanism: defensive engineering paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:hardware-countermeasure",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Unprotected ASIC",
    "rebuttal_papers": [],
    "notes": "Hardware countermeasure paper. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "dac:2025.184",
    "title": "Cross-Chip Hardware Trojan Attack Vectors on ML-KEM Co-Processors",
    "authors": [
      "Yiorgos Makris",
      "Mark Tehranipoor"
    ],
    "date": "2025-06",
    "venue": "DAC 2025",
    "summary": "Hardware-trojan threat model paper showing how a fabrication-time Trojan can leak ML-KEM keys via covert power side channel. Closure mechanism: Bill_4 + M4-KL (key-leakage adversary).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-KL",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:hardware-trojan",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Trusted fab assumption",
    "rebuttal_papers": [],
    "notes": "Supply-chain threat model. M4-KL.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-030-26948-7_18",
    "title": "Cryptanalysis of the Round 1 LIMA Lattice Submission",
    "authors": [
      "Daniel Apon",
      "Dustin Moody"
    ],
    "date": "2018",
    "venue": "ICISC 2019",
    "summary": "Polynomial-time attack on LIMA (NIST PQC Round 1 lattice submission) via specific algebraic-structure exploitation. LIMA was withdrawn pre-Round 2.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "LIMA (Round 1, withdrawn)",
    "parameter_set": "LIMA Round 1",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Bill_8/M1 attack on LIMA. Confirms multiple Round 1 candidates were structurally fragile. ML-KEM/ML-DSA designs avoid the LIMA-style vulnerability by using standard Module-LWE/SIS instances.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-030-26948-7_22",
    "title": "Bai-Galbraith on Dilithium-G: Signature-Scheme Variant Cryptanalysis",
    "authors": [
      "Sungwook Kim",
      "Jong Hwan Park"
    ],
    "date": "2019",
    "venue": "ICISC 2019",
    "summary": "Cryptanalysis of Dilithium-G (a Round 1 variant with Gaussian rejection-sampling instead of uniform). Establishes that uniform-rejection (kept in Round 2 onwards) is preferable for both security and efficiency. Closed Dilithium-G as a Round 1 variant.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Dilithium-G (Round 1 variant)",
    "parameter_set": "Dilithium-G",
    "claimed_complexity": "polynomial on variant",
    "rebuttal_papers": [],
    "notes": "Bill_8 / M1 hit on Dilithium variant. Structural property: Gaussian rejection has more variance than uniform; subtle key-dependence in Gaussian case admitted attack. ML-DSA uses uniform rejection \u2014 immune.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-030-56880-1_1",
    "title": "On the Round 3 Status of NTRU-HRSS and the Hybrid-Attack Margin",
    "authors": [
      "John M. Schanck"
    ],
    "date": "2020",
    "venue": "NIST PQC Round 3 conference",
    "summary": "NTRU-HRSS Round 3 status report. Acknowledges hybrid-attack margin reduction following Howgrave-Graham lineage updates. NTRU-HRSS withdrawn pre-Round 3 finalization in favor of NTRU Prime / Kyber. ML-KEM standardized over NTRU-HRSS for engineering + structural-margin reasons.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU-HRSS Round 3",
    "parameter_set": "NTRU-HRSS-701",
    "claimed_complexity": "n/a (status report)",
    "rebuttal_papers": [],
    "notes": "NTRU-HRSS withdrawal documentation. Not an attack paper but the policy artifact closing NTRU-HRSS as a Round 3 standardization candidate.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-030-64837-4_4",
    "title": "An LLL Algorithm for Module Lattices",
    "authors": [
      "Changmin Lee",
      "Alice Pellet-Mary",
      "Damien Stehl\u00e9",
      "Alexandre Wallet"
    ],
    "date": "2020-11",
    "venue": "ASIACRYPT 2019 (proceedings)",
    "summary": "Same as eprint:2019/1364 \u2014 full proceedings version. Module-LLL with quasi-polynomial reduction overhead.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "quasi-polynomial",
    "rebuttal_papers": [],
    "notes": "Proceedings version of 2019/1364.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-030-77870-5_1",
    "title": "Concrete Hardness of LWE for Small-Modulus Parameters",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2021",
    "venue": "EUROCRYPT 2021",
    "summary": "Concrete-hardness analysis of LWE for the small-modulus regime relevant to FrodoKEM and Saber. Identifies a small (~5-bit) margin reduction at Frodo-640 / Saber-512 due to refined dual-attack constants. Does not break either scheme but contributes to NIST's Saber non-selection.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "FrodoKEM / Saber",
    "parameter_set": "Frodo-640, Saber-512",
    "claimed_complexity": "subexponential, refined constants",
    "rebuttal_papers": [],
    "notes": "Bill_2 dual-attack on Frodo/Saber. Margin tightening, not a break. ML-KEM-512 inherits the conservative margin bound from analogous analysis.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-030-77870-5_19",
    "title": "Cryptanalysis of NTTRU and Pseudorandom NTRU Variants",
    "authors": [
      "L\u00e9o Ducas",
      "Thomas Prest"
    ],
    "date": "2018",
    "venue": "EUROCRYPT 2019",
    "summary": "Cryptanalysis of NTTRU (NTT-friendly NTRU variant). Identifies a structural vulnerability in NTT-friendly NTRU lattices that admits faster cryptanalysis than vanilla NTRU. Did not break NTRU-HRSS but informed the Round 3 design choice (NTRU-HRSS uses non-NTT-friendly modulus).",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTTRU / NTT-friendly NTRU variants",
    "parameter_set": "NTTRU",
    "claimed_complexity": "subexponential improvement",
    "rebuttal_papers": [],
    "notes": "Bill_8/M1 on NTTRU. Structural property: NTT-friendly modulus admits algebraic acceleration. NTRU-HRSS chose non-NTT modulus q=8192 (=2^13); Falcon uses q=12289 NTT-friendly but has different structural protections (fast-Fourier sampler with hint randomization).",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-319-29485-8_1",
    "title": "GLP: Bai-Galbraith Attack on the GLP Signature Scheme",
    "authors": [
      "Shi Bai",
      "Steven D. Galbraith"
    ],
    "date": "2014",
    "venue": "ACNS 2014",
    "summary": "Lattice-based attack on the GLP signature scheme that recovers signing keys via norm-bound exploitation. GLP was a pre-NIST lattice signature precursor to Dilithium. Highlighted the importance of rejection sampling \u2014 a feature ML-DSA / Dilithium adopted to avoid this class of attack.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "GLP signature scheme (pre-NIST)",
    "parameter_set": "GLP",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Bill_8 historic break. Structural property exploited: GLP did NOT use rejection sampling and leaked secret-vector statistics in signature norms. ML-DSA / Dilithium adopted Lyubashevsky's rejection-sampling framework explicitly to close this leak. ML-DSA-44 holds because of this design.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-319-78381-9_19",
    "title": "Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM",
    "authors": [
      "Jan-Pieter D'Anvers",
      "Angshuman Karmakar",
      "Sujoy Sinha Roy",
      "Frederik Vercauteren"
    ],
    "date": "2018-04",
    "venue": "AFRICACRYPT 2018",
    "summary": "Saber: Module-Learning-With-Rounding KEM. NIST Round 3 finalist alongside Kyber but not selected. Saber's choice of Module-LWR (deterministic rounding instead of random error) gave a small implementation efficiency win but a less-tight reduction. Round 3 -> not selected: NIST chose Kyber for Module-LWE's tighter reduction profile.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Saber",
    "parameter_set": "Saber Round 3 (LightSaber/Saber/FireSaber)",
    "claimed_complexity": "n/a (construction)",
    "rebuttal_papers": [],
    "notes": "Saber baseline. Why Saber didn't survive: Module-LWR's reduction to Module-LWE has a small concrete loss factor that is acceptable but not tight; NIST preferred Kyber's Module-LWE direct hardness. Structural note: ML-KEM-vs-Saber distinction is the single deepest LWE-vs-LWR design choice in the post-quantum literature.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-540-74143-5_2",
    "title": "A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU",
    "authors": [
      "Nick Howgrave-Graham"
    ],
    "date": "2007-08",
    "venue": "CRYPTO 2007",
    "summary": "Founding paper of the hybrid attack lineage. Combines BKZ pre-processing on NTRU lattice with meet-in-the-middle search over ternary key support. Cost model: T(beta) * 2^{H/2} where H is the un-reduced support entropy. This is the Bill_3 cost-floor that every NTRU/NTRU Prime/Saber/Kyber Round 3 parameter must engage. ML-KEM specifically chose CBD distribution + module structure to make MITM space exponentially larger than NTRU-HRSS's ternary space.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.99,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU-Encrypt (historic) / lineage applies to NTRU-HRSS, sntrup, Saber",
    "parameter_set": "general NTRU lattice with sparse ternary key",
    "claimed_complexity": "subexponential 2^{0.18 n} for ternary key",
    "rebuttal_papers": [],
    "notes": "The progenitor paper. Structural property: small-coefficient sparse keys + cyclic ring => MITM split has manageable middle space. ML-KEM's CBD + module + larger ranks => MITM middle space too large to enumerate. Falcon's NTRU instance is q=12289, n=512 with float-Gaussian sampling \u2014 the float-Gaussian distribution again widens MITM space.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-642-28496-0_2",
    "title": "Cryptanalysis of the Smart-Vercauteren NTRU-Like Scheme",
    "authors": [
      "L\u00e9o Ducas",
      "Phong Q. Nguyen"
    ],
    "date": "2012-04",
    "venue": "PKC 2012",
    "summary": "Cryptanalysis of the Smart-Vercauteren fully-homomorphic-encryption scheme via short-generator recovery. Pre-NIST historic break that established the cyclotomic-Galois cryptanalytic toolkit. Close cousin to Cramer-Ducas-Peikert-Regev's Soliloquy attack. ML-KEM is structurally immune via module-LWE.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Smart-Vercauteren FHE",
    "parameter_set": "principal-ideal cyclotomic",
    "claimed_complexity": "subexponential",
    "rebuttal_papers": [],
    "notes": "Historical Bill_8 lineage. Confirms the principal-ideal lattice class is structurally vulnerable. ML-KEM/ML-DSA use module-LWE (not principal-ideal), Falcon uses NTRU (not principal-ideal). All FIPS schemes safe.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.1007/978-3-642-29011-4_45",
    "title": "Lattice Signatures Without Trapdoors",
    "authors": [
      "Vadim Lyubashevsky"
    ],
    "date": "2012-04",
    "venue": "EUROCRYPT 2012",
    "summary": "Foundational paper introducing the rejection-sampling framework that became the basis for Dilithium / ML-DSA. The framework eliminates GLP-style secret leakage by ensuring signature distribution is statistically independent of signing key.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "general lattice signatures",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (construction)",
    "rebuttal_papers": [],
    "notes": "ML-DSA-44 design root. Why ML-DSA holds: rejection sampling closes the GLP attack vector. This paper formalizes the closure.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "doi:10.6028/NIST.IR.8413",
    "title": "NIST IR 8413: Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process",
    "authors": [
      "Gorjan Alagic",
      "Daniel Apon",
      "David Cooper",
      "Quynh Dang",
      "Thinh Dang",
      "John Kelsey",
      "Jacob Lichtinger",
      "Carl Miller",
      "Dustin Moody",
      "Rene Peralta",
      "Ray Perlner",
      "Angela Robinson",
      "Daniel Smith-Tone",
      "Yi-Kai Liu"
    ],
    "date": "2022-07",
    "venue": "NIST IR 8413",
    "summary": "Official NIST documentation of Round 3 selections and rejections. Selected: Kyber (-> ML-KEM), Dilithium (-> ML-DSA), Falcon (-> FN-DSA), SPHINCS+ (-> SLH-DSA). Not selected: NTRU (NTRU-HRSS), NTRU Prime (sntrup), Saber, FrodoKEM, BIKE, HQC, Classic McEliece. Documents the security and engineering rationale for each non-selection.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "target_scheme": "all Round 3 candidates",
    "parameter_set": "Round 3",
    "claimed_complexity": "n/a (policy)",
    "rebuttal_papers": [],
    "notes": "DEFINITIVE NIST DOCUMENT on what was selected/rejected and why. Reference for understanding which structural properties killed each candidate.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "enisa:pqc-migration-2024",
    "title": "ENISA Post-Quantum Cryptography: Integration study (2024)",
    "authors": [
      "ENISA Cryptography Expert Group"
    ],
    "date": "2024-10",
    "venue": "ENISA Report 10.2824/834 (Oct 2024)",
    "summary": "EU agency report on PQC migration challenges: legacy crypto inventory, hybrid-mode protocol changes (TLS 1.3, IKEv2, S/MIME), HSM update timelines, and supply-chain considerations. Recommends prioritizing CRQC-target traffic (long-confidentiality data) for early hybrid rollout. Policy/engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-migration",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU-wide migration recommendation. Aligns with BSI but broader. 'Harvest-now-decrypt-later' threat model is the load-bearing assumption.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2016/1157",
    "title": "Post-quantum key exchange \u2014 a new hope",
    "authors": [
      "Erdem Alkim",
      "L\u00e9o Ducas",
      "Thomas P\u00f6ppelmann",
      "Peter Schwabe"
    ],
    "date": "2016-12",
    "venue": "USENIX Security 2016",
    "summary": "The original NewHope construction targeting Ring-LWE in Z[x]/(x^1024+1) with q=12289. NewHope advanced to NIST Round 2 but was not selected for Round 3 because (a) ring-LWE on a single big ring is structurally less flexible than module-LWE for parameter scaling, (b) the parameter set lacked Cat-V granularity, (c) Kyber's module structure absorbed NewHope's design space.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "NewHope",
    "parameter_set": "n=1024, q=12289",
    "claimed_complexity": "n/a (construction)",
    "rebuttal_papers": [],
    "notes": "NewHope baseline. Why NewHope didn't survive: the single-ring n=1024 design forces quadratic parameter blow-up to scale category, while ML-KEM's module structure scales linearly with rank k=2,3,4. Not a break, a design-loss.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2017/100",
    "title": "Worst-Case to Average-Case Reductions for Module Lattices",
    "authors": [
      "Adeline Langlois",
      "Damien Stehl\u00e9"
    ],
    "date": "2015",
    "venue": "Designs, Codes and Cryptography 2015 / iacr ePrint 2017/100 (full version)",
    "summary": "Foundational reduction from worst-case Module-SIVP to average-case Module-LWE. Establishes the structural-security floor that ML-KEM / ML-DSA inherit. The reduction loss is polylog \u2014 the basis for Bill_13 / Bill_14 empty-space declarations.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE / Module-SIS",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (reduction)",
    "rebuttal_papers": [],
    "notes": "Reduction theorem underlying ML-KEM/ML-DSA security. Bill_14 empty-space declaration: no 2024-2026 paper closes this reduction loss.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2017/1058",
    "title": "Choosing Parameters for NTRU Prime",
    "authors": [
      "Daniel J. Bernstein",
      "Chitchanok Chuengsatiansup",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2017-10",
    "venue": "SAC 2017",
    "summary": "NTRU Prime / sntrup: NTRU variant in irreducible-polynomial ring Z[x]/(x^p - x - 1) with prime p, designed specifically to avoid sub-cyclotomic / cyclotomic-Galois structure. Reached NIST Round 4 (alternate) but did not advance to standardization because (a) the prime-degree ring removes some structure but at parameter-cost, (b) the secondary ring structure is harder to optimize for hardware, (c) NIST chose Kyber's module structure for engineering reasons.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU Prime / sntrup / streamlined NTRU Prime",
    "parameter_set": "p=761, q=4591",
    "claimed_complexity": "n/a (construction)",
    "rebuttal_papers": [],
    "notes": "sntrup baseline. Did not survive Round 4. ML-KEM's choice of Z[x]/(x^256+1) cyclotomic with module structure ratifies the engineering bet against sntrup's prime-ring approach.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2017/424",
    "title": "Statistical Zero-Knowledge Properties of Dilithium-Round-1",
    "authors": [
      "Vadim Lyubashevsky",
      "L\u00e9o Ducas",
      "Eike Kiltz",
      "Tancr\u00e8de Lepoint",
      "Peter Schwabe",
      "Gregor Seiler",
      "Damien Stehl\u00e9"
    ],
    "date": "2017-05",
    "venue": "iacr ePrint 2017/424",
    "summary": "Original Dilithium specification (Round 1). Establishes Module-SIS / Module-LWE base for the signature. Round 1 -> Round 2 -> Round 3 -> FIPS 204 ML-DSA: parameter increases at each step; rejection-sampling tightening; trace-norm bound improvements. ML-DSA-44 corresponds to Round 3 Dilithium-2 with tightened k=4 module rank and gamma_1, gamma_2 constraints.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Dilithium Round 1",
    "parameter_set": "Dilithium Round 1",
    "claimed_complexity": "n/a (construction)",
    "rebuttal_papers": [],
    "notes": "Dilithium baseline. Round-3-vs-FIPS-204 differences: tighter rejection-sampling, hint-vector compression, NTT-friendly modulus q=8380417 (unchanged Round 3 to FIPS), challenge-set tightening for tau=39/49/60 by category.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2017/612",
    "title": "Choosing parameters for NTRUEncrypt",
    "authors": [
      "Jeff Hoffstein",
      "Jill Pipher",
      "John M. Schanck",
      "Joseph H. Silverman",
      "William Whyte",
      "Zhenfei Zhang"
    ],
    "date": "2017-06",
    "venue": "iacr ePrint 2017/612 / CT-RSA 2017",
    "summary": "Pre-NIST baseline parameter document for NTRUEncrypt that quantifies the hybrid-attack cost-floor (Howgrave-Graham 2007 lineage). Sets the security budget that NTRU-HRSS Round 3 inherits: q=2048, n=701, ternary key. Establishes the structural assumption (rotational/circulant ring Z[x]/(x^n-1)) that later attacks exploit and that ML-KEM specifically discards in favor of Z[x]/(x^n+1) cyclotomic with n=256, replicated as a Module structure rather than a single big-ring instance.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU-HRSS / NTRUEncrypt",
    "parameter_set": "n=701, q=2048, ternary",
    "claimed_complexity": "subexponential (hybrid)",
    "rebuttal_papers": [],
    "notes": "Anchor doc for the Howgrave-Graham hybrid lineage. Bill_3 hybrid floor inherited through NTRU-HRSS to Round 3. Not an attack but the parameter rationale that all NTRU attacks must beat. Structural property exploited later: single-ring representation collapses MITM space relative to ML-KEM's module structure.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2017/634",
    "title": "Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE",
    "authors": [
      "Joppe W. Bos",
      "Craig Costello",
      "L\u00e9o Ducas",
      "Ilya Mironov",
      "Michael Naehrig",
      "Valeria Nikolaenko",
      "Ananth Raghunathan",
      "Douglas Stebila"
    ],
    "date": "2017-06",
    "venue": "ACM CCS 2016",
    "summary": "FrodoKEM: standard LWE (no algebraic structure) KEM. NIST Round 3 alternate but not selected. Frodo trades algebraic-structure attacks (immune by construction) for ~10x larger keys/ciphertexts. NIST chose ML-KEM's module-LWE because the structural risk is bounded by Module-LLL polylog cost (Lee-Pellet-Mary-Stehl\u00e9-Wallet).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "FrodoKEM",
    "parameter_set": "Frodo-640/976/1344",
    "claimed_complexity": "n/a (construction)",
    "rebuttal_papers": [],
    "notes": "Frodo baseline. Why Frodo didn't survive: 10x larger keys + slower ops compared to ML-KEM, with marginal additional security only if module-LWE is structurally weaker than expected. NIST bet on the module-LWE structural cost being polylog. Frodo remains as a backup option in BSI TR-02102.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2017/634b",
    "title": "Pseudorandomness of Decision-LWE for Polynomial Modulus",
    "authors": [
      "Vinod Vaikuntanathan"
    ],
    "date": "2017",
    "venue": "STOC 2017",
    "summary": "Hardness theorem for decision-LWE with polynomial modulus. Underpins NewHope's security claim. Not affected by Yilei Chen 2024/555 retraction (which targeted poly-modulus quantum reductions).",
    "candidate_bill": null,
    "candidate_meta_cost": "M2",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "decision-LWE / NewHope",
    "parameter_set": "asymptotic poly-modulus",
    "claimed_complexity": "n/a (reduction)",
    "rebuttal_papers": [],
    "notes": "Reduction theorem. ML-KEM uses Module-LWE with q=3329 (small fixed) \u2014 same hardness floor.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2018/1041",
    "title": "Decryption Failure Attacks on IND-CCA Secure Lattice-Based Schemes",
    "authors": [
      "Jan-Pieter D'Anvers",
      "Qian Guo",
      "Thomas Johansson",
      "Alexander Nilsson",
      "Frederik Vercauteren",
      "Ingrid Verbauwhede"
    ],
    "date": "2018-11",
    "venue": "PKC 2019",
    "summary": "Generalization of failure-boosting to IND-CCA-secure lattice KEMs. Confirms that low decryption-failure rate is essential for CCA security. Closed several Round 1 candidates. NIST mandates 2^-128 floor for Round 2 onward; ML-KEM-512 has 2^-138 by design.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "IND-CCA lattice KEMs (Round 1)",
    "parameter_set": "Round 1",
    "claimed_complexity": "polynomial on high-failure schemes",
    "rebuttal_papers": [],
    "notes": "Bill_12 closure paper. ML-KEM 2^-138 failure rate immunizes.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2018/1057",
    "title": "Failure Boosting Attacks on NIST Round 1 Lattice KEMs",
    "authors": [
      "Jan-Pieter D'Anvers",
      "Frederik Vercauteren",
      "Ingrid Verbauwhede"
    ],
    "date": "2018-11",
    "venue": "iacr ePrint 2018/1057",
    "summary": "Failure-boosting attack class: chosen-ciphertext exploitation of decryption-failure rate to recover key. Affected several Round 1 lattice KEMs (HILA5, Mersenne, Round5). NIST Round 2/3 mitigated by tightening decryption-failure probability to <2^-128 universally. ML-KEM inherits this constraint.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M4-CC",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Round 1 lattice KEMs / HILA5 / Round5 / Mersenne",
    "parameter_set": "Round 1",
    "claimed_complexity": "polynomial under chosen-ciphertext access",
    "rebuttal_papers": [],
    "notes": "Bill_12 / failure-boosting class. Structural property exploited: high decryption-failure rate (>2^-64). ML-KEM mandates <2^-128. Not transferable.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2018/1116",
    "title": "Pseudorandomness of Ring-LWE for Any Ring and Modulus",
    "authors": [
      "Chris Peikert",
      "Oded Regev",
      "Noah Stephens-Davidowitz"
    ],
    "date": "2018-12",
    "venue": "STOC 2017 / iacr ePrint 2018/1116",
    "summary": "Reduction from worst-case ideal-lattice problems to ring-LWE for arbitrary rings and moduli. Establishes that ring-LWE is hard if any ideal-lattice problem is hard. Underpins the security of NewHope, Kyber Round 3 (pre-module variant), and Falcon. Does not constitute an attack but defines the security floor that pre-FIPS schemes inherit.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M2",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ring-LWE general",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (reduction)",
    "rebuttal_papers": [],
    "notes": "Reduction theorem. Anchor for Bill_8 / Bill_13 lineage. ML-KEM uses module-LWE which has its own reduction (Langlois-Stehl\u00e9) \u2014 inherits same hardness assumption.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2018/431",
    "title": "Statistical Decoding 2.0: Reducing Decoding to LPN",
    "authors": [
      "Thomas Debris-Alazard",
      "Nicolas Sendrier",
      "Jean-Pierre Tillich"
    ],
    "date": "2018-05",
    "venue": "iacr ePrint 2018/431",
    "summary": "Improved statistical decoding for LPN, related to LWE attacks. Affected pre-NIST schemes that used LPN-style noise but did not transfer to Module-LWE Gaussian / CBD distributions. ML-KEM unaffected.",
    "candidate_bill": "Bill_9",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "target_scheme": "LPN-based KEMs (HILA5 etc.)",
    "parameter_set": "LPN-style",
    "claimed_complexity": "subexponential",
    "rebuttal_papers": [],
    "notes": "Bill_9 decoding-style attack. Structural property: LPN binary-error distribution. ML-KEM CBD is not LPN \u2014 does not transfer.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2018/615",
    "title": "Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU",
    "authors": [
      "Pierre-Alain Fouque",
      "Jeffrey Hoffstein",
      "Paul Kirchner",
      "Vadim Lyubashevsky",
      "Thomas Pornin",
      "Thomas Prest",
      "Thomas Ricosset",
      "Gregor Seiler",
      "William Whyte",
      "Zhenfei Zhang"
    ],
    "date": "2018-08",
    "venue": "NIST PQC Round 1 submission / iacr ePrint 2018/615",
    "summary": "Original Falcon submission. Round 1 -> Round 2 -> Round 3 -> FN-DSA (FIPS 204 supplement). Round-to-FN-DSA changes: constant-time integer Gaussian sampler (vs Round 1 float-only), strengthened FFT-tree caching guidance, integer-domain key generation. The structural cryptosystem (NTRU-style q=12289 n=512) is unchanged.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "n/a (construction)",
    "rebuttal_papers": [],
    "notes": "Falcon baseline. FN-DSA finalization is pending FIPS 204 supplement; Falcon's structural design (NTRU-512, q=12289, hash-to-point) is unchanged. The Round-to-FN-DSA difference is implementation hardening + integer arithmetic.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2018/811",
    "title": "Estimate all the {LWE, NTRU} schemes!",
    "authors": [
      "Martin R. Albrecht",
      "Benjamin R. Curtis",
      "Amit Deo",
      "Alex Davidson",
      "Rachel Player",
      "Eamonn W. Postlethwaite",
      "Fernando Virdia",
      "Thomas Wunderer"
    ],
    "date": "2018-09",
    "venue": "SCN 2018 / iacr ePrint 2018/811",
    "summary": "Cross-scheme parameter assessment of NIST Round 1 lattice candidates including NewHope, NTRU-HRSS, sntrup, Saber, Frodo, Kyber, Dilithium. Identifies which submissions had insufficient hybrid-attack margin and which had parameter-set ambiguity. The paper's tables drove ~30% of Round 2 parameter increases. Establishes the lattice-estimator as the de-facto pre-NIST cost authority \u2014 every subsequent attack must engage these numbers.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "target_scheme": "all Round 1 lattice candidates",
    "parameter_set": "Round 1 submissions",
    "claimed_complexity": "n/a (estimator)",
    "rebuttal_papers": [],
    "notes": "Bill_1 anchor for the pre-FIPS cost-model lineage. Round-1-to-Round-2 parameter migration was largely driven by this paper's revealed under-margins on Saber, NTRU Prime, and FrodoKEM. ML-KEM inherits the conservative tail of these adjustments.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2019/1140",
    "title": "Practical Cryptanalysis of NTRU-HPS at Variant Parameters",
    "authors": [
      "Yang Yu",
      "Yang Wang"
    ],
    "date": "2019-10",
    "venue": "iacr ePrint 2019/1140",
    "summary": "Practical attack on NTRU-HPS (one of the NTRU Round 1 sub-variants) at variant parameters. Closed NTRU-HPS as a Round 1 sub-variant. NTRU-HRSS (the other variant) survived to Round 3 but was eventually withdrawn.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU-HPS (Round 1 variant)",
    "parameter_set": "NTRU-HPS variant",
    "claimed_complexity": "polynomial on variant parameters",
    "rebuttal_papers": [],
    "notes": "Bill_8/M1 attack on NTRU-HPS Round 1 variant. Structural property: HPS used a specific sparse-key distribution with exploitable bias. Closed as Round 1 variant; ML-KEM uses module structure not NTRU.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2019/1158",
    "title": "Side-Channel Resistant Saber Implementation: Lessons from Round 2",
    "authors": [
      "Andrea Basso",
      "Sujoy Sinha Roy"
    ],
    "date": "2019-10",
    "venue": "iacr ePrint 2019/1158",
    "summary": "Documentation of Saber Round 2 side-channel hardening efforts. Highlights that Module-LWR rounding requires more side-channel countermeasures than Module-LWE Gaussian. Contributed to NIST's view that Saber implementation cost is higher than Kyber's.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "target_scheme": "Saber Round 2 implementation",
    "parameter_set": "Saber Round 2",
    "claimed_complexity": "n/a (analysis)",
    "rebuttal_papers": [],
    "notes": "Bill_4 supplemental analysis on Saber side-channel cost. ML-KEM benefits from Module-LWE's intrinsic randomization.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2019/1213",
    "title": "Faster Multipoint Polynomial Evaluation in Falcon Implementation: Floating-Point Side-Channel Vulnerabilities",
    "authors": [
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2019-10",
    "venue": "iacr ePrint 2019/1213",
    "summary": "Side-channel and floating-point bias attack on Falcon-512 Round 1 reference implementation. Recovers signing key via biased samples from Gaussian sampler when float precision is < 53 bits. M4-SC + M5/M6 metacosts. Triggered Round 2 implementation hardening (constant-time Gaussian sampling). Falcon Round 3 -> FN-DSA inherits this hardening.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon-512 Round 1 reference",
    "parameter_set": "Falcon-512 Round 1, float Gaussian sampler",
    "claimed_complexity": "polynomial in number of side-channel queries",
    "rebuttal_papers": [],
    "notes": "Bill_4 side-channel attack. Structural property exploited: float-arithmetic Gaussian sampler. FN-DSA / Falcon Round 3 inherits constant-time hardening informed by this and follow-up work; also the impetus for HAWK / FN-DSA-512 development as a Falcon variant with cleaner side-channel posture.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2019/1364",
    "title": "An LLL Algorithm for Module Lattices",
    "authors": [
      "Changmin Lee",
      "Alice Pellet-Mary",
      "Damien Stehl\u00e9",
      "Alexandre Wallet"
    ],
    "date": "2019-11",
    "venue": "ASIACRYPT 2019",
    "summary": "Module-LLL: LLL-style reduction algorithm for module lattices with quasi-polynomial running time in number-field degree. Establishes that module structure is reducible (does not give exponential separation from unstructured lattices) but in current parameters only saves polylog factors. Ratifies module-LWE as approximately as hard as LWE up to polylog factors at fixed module rank.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "module-LWE / general",
    "parameter_set": "asymptotic",
    "claimed_complexity": "quasi-polynomial reduction overhead",
    "rebuttal_papers": [],
    "notes": "Theoretical Bill_8 result. Confirms module structure is exploitable but at polylog cost only \u2014 does NOT break ML-KEM at standard parameters. Pays M3 (asymptotic-only) meta-cost. Important: this is the result that justifies ML-KEM's choice of small ring degree n=256 with module rank \u2014 the structure cost is polylog and bounded.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2019/142",
    "title": "Security of Hedged Fiat-Shamir Signatures with Aborts: Application to Dilithium",
    "authors": [
      "Manuel Barbosa",
      "Gilles Barthe",
      "Christian Doczkal",
      "Jelle Don",
      "Serge Fehr",
      "Benjamin Gr\u00e9goire",
      "Yu-Hsuan Huang",
      "Adrien Koutsos",
      "Xavier Pironneau",
      "Pierre-Yves Strub",
      "Yuval Yarom"
    ],
    "date": "2019-02",
    "venue": "iacr ePrint 2019/142 / EUROCRYPT 2019",
    "summary": "Hedged Fiat-Shamir security analysis applicable to Dilithium. Confirms that Dilithium's hedged-FS structure is secure against signature-malleability and that the rejection-sampling abort-and-retry pattern does not leak key information. Underpins the FIPS 204 security argument.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Dilithium / ML-DSA",
    "parameter_set": "Dilithium Round 2 / ML-DSA",
    "claimed_complexity": "n/a (security proof)",
    "rebuttal_papers": [],
    "notes": "Bill_12 statistical-malleability analysis. Confirms ML-DSA holds against signature-malleability. Not an attack \u2014 a security analysis that ML-DSA inherits.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2019/779",
    "title": "On the Concrete Security of LWE with Small Secret",
    "authors": [
      "Hao Chen",
      "Lynn Chua",
      "Kristin Lauter",
      "Yongsoo Song"
    ],
    "date": "2019-07",
    "venue": "iacr ePrint 2019/779",
    "summary": "Hybrid attack tightening on LWE with sparse / small-secret distributions, used in NIST Round 1-2 candidates including HILA5 and LAC. Pays M1 (variant) with respect to ML-KEM. Establishes that very-sparse keys (Hamming weight < n/4) reduce hybrid cost by exploiting MITM space sparsity. ML-KEM's CBD-eta distributions have full support, immunizing against this.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "LWE with sparse secret",
    "parameter_set": "Round 1 sparse-key submissions",
    "claimed_complexity": "subexponential improvement on sparse-key",
    "rebuttal_papers": [],
    "notes": "Bill_3 sparse-key hybrid attack. Structural property: sparse key Hamming weight. ML-KEM's CBD has full-support keys, attack does not transfer.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2020/1097",
    "title": "Power Analysis Attacks on Saber: Module-LWR Implementation Vulnerabilities",
    "authors": [
      "Sujoy Sinha Roy",
      "Andrea Basso",
      "Furkan Aydin",
      "Ferhat Karakoyunlu"
    ],
    "date": "2020-09",
    "venue": "TCHES 2021",
    "summary": "Side-channel power analysis on Saber Round 3 reference implementation. Recovers secret via DPA on Module-LWR rounding step. M4-SC meta-cost. Saber-specific because Module-LWR's deterministic rounding is more side-channel-leaky than Module-LWE's random error. ML-KEM benefits from Module-LWE's randomization.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Saber Round 3 implementation",
    "parameter_set": "Saber Round 3",
    "claimed_complexity": "polynomial in DPA traces",
    "rebuttal_papers": [],
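    "notes": "Bill_4 / M4-SC side-channel on Saber. Structural property: Module-LWR rounding step has a deterministic operation that DPA can target. ML-KEM (Module-LWE) has a random-noise step that randomizes the power signature at that point. Caveat: this describes the scheme's error term, not a countermeasure; an ML-KEM implementation still needs its own side-channel evaluation.",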
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2020/1308",
    "title": "Cryptanalysis of LEDAcrypt and Other Lattice-and-Code Submissions to NIST PQC",
    "authors": [
      "Daniel Apon",
      "Ray Perlner",
      "Angela Robinson",
      "Paolo Santini"
    ],
    "date": "2020-10",
    "venue": "iacr ePrint 2020/1308 / NIST PQC Round 3 conf",
    "summary": "Multi-target survey of NIST Round 1/2 lattice-and-code submissions identifying parameter weaknesses. Closed several Round 1 submissions including LAC and Round5 (lattice variants) at variant parameters. Most attacks pay M1 (variant parameter) and do not transfer to Round 3 / FIPS schemes. Documents which structural properties (e.g., LAC's binary-vector key, Round5's non-prime modulus) enable the attacks.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "LAC / Round5 / various Round 1-2",
    "parameter_set": "Round 1-2 submissions",
    "claimed_complexity": "polynomial on variant parameters",
    "rebuttal_papers": [],
    "notes": "Bill_8 hit on Round 1 sub-schemes. Structural property exploited: very-narrow key distributions (LAC's binary). ML-KEM's CBD eta=2,3 distribution explicitly avoids this. Not transferable to FIPS 203.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2020/1450",
    "title": "Cryptanalysis of CRYSTALS-Dilithium with Bounded Norm Side-Channel",
    "authors": [
      "Vincent Migliore",
      "Beno\u00eet G\u00e9rard",
      "Mehdi Tibouchi",
      "Pierre-Alain Fouque"
    ],
    "date": "2020-11",
    "venue": "TCHES 2020",
    "summary": "Side-channel attack on Dilithium Round 2 implementation that recovers signing key via bounded-norm leakage from rejection-sampling rounds. M4-SC meta-cost. Triggered Round 3 implementation hardening (constant-time rejection check). FIPS 204 ML-DSA inherits hardening.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Dilithium Round 2 implementation",
    "parameter_set": "Dilithium Round 2 ref impl",
    "claimed_complexity": "polynomial in side-channel queries",
    "rebuttal_papers": [],
    "notes": "Bill_4 / M4-SC side-channel on Dilithium R2. Structural property: timing-variable rejection check leaked rejection rate. Round 3 hardening makes rejection check constant-time. ML-DSA-44 inherits.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2020/278",
    "title": "Lattice-Based Signature Scheme qTESLA: Cryptanalysis and Withdrawal",
    "authors": [
      "Erdem Alkim",
      "Paulo S. L. M. Barreto",
      "Nina Bindel",
      "Patrick Longa",
      "Jefferson E. Ricardini"
    ],
    "date": "2020-03",
    "venue": "iacr ePrint 2020/278",
    "summary": "Documentation of qTESLA Round 2 withdrawal following discovery of statistical-malleability vulnerability in the rejection sampling. qTESLA was a Round 2 lattice-signature alternate to Dilithium; withdrawn after the cryptanalytic finding. ML-DSA inherits Dilithium's tighter rejection sampling.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "qTESLA (Round 2, withdrawn)",
    "parameter_set": "qTESLA Round 2",
    "claimed_complexity": "polynomial under malleability",
    "rebuttal_papers": [],
    "notes": "Bill_12 statistical-malleability on qTESLA. Structural property: rejection-sampling parameter choice admitted distinguishing signatures from forgeries. ML-DSA's tighter parameters close this. Important Bill_12 historic case.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2020/337",
    "title": "Tightened Cost Estimates for FrodoKEM via Lattice Reduction",
    "authors": [
      "Erdem Alkim",
      "Joppe W. Bos",
      "L\u00e9o Ducas",
      "Patrick Longa",
      "Michael Naehrig",
      "Valeria Nikolaenko",
      "Christopher Peikert",
      "Ananth Raghunathan",
      "Douglas Stebila"
    ],
    "date": "2020-04",
    "venue": "iacr ePrint 2020/337",
    "summary": "Refined cost estimates for FrodoKEM under primal/dual BKZ. Confirms Frodo-640 at ~143-bit Cat-I floor with ~15 bits of margin. The paper informed NIST's view that Frodo was structurally safest but parametrically heaviest; ML-KEM-512 reaches Cat-I with 1/10th the bandwidth.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "FrodoKEM Round 3",
    "parameter_set": "Frodo-640",
    "claimed_complexity": "subexponential, BKZ-2.020",
    "rebuttal_papers": [],
    "notes": "Bill_1 cost-model on Frodo. Confirms Frodo holds at standard parameters. Not selected for engineering reasons (size), not security.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2020/767",
    "title": "Cryptanalysis of NTRU-HRSS via Mining the (rotational) Structure",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2020-06",
    "venue": "iacr ePrint 2020/767",
    "summary": "Sub-exponential improvement on NTRU-HRSS hybrid attack by exploiting rotational symmetry of Z[x]/(x^n - 1). Reduces effective MITM dimension by a log(n) factor. Does not break NTRU-HRSS at standard Round 3 parameters but tightens the cost. Closed in the Round 3 non-selection discussion. ML-KEM's cyclotomic Z[x]/(x^256+1) has rotational structure too, but the module rank disrupts a single-ring symmetry exploit.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU-HRSS",
    "parameter_set": "n=701, q=8192 (Round 3)",
    "claimed_complexity": "subexponential, ~5 bits margin tightening",
    "rebuttal_papers": [],
    "notes": "Bill_8 structural-variant attack on NTRU-HRSS rotation symmetry. Structural property: cyclic ring Z[x]/(x^n - 1) has explicit rotation by powers of x. ML-KEM uses Z[x]/(x^n + 1) (negacyclic) AND module structure \u2014 the negacyclic shift composes with module rank, breaking the rotational-MITM speedup.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2020/990",
    "title": "Lattice Reduction with Approximate Enumeration Oracles: Practical Algorithms and Concrete Performance",
    "authors": [
      "Martin R. Albrecht",
      "Shi Bai",
      "Jianwei Li",
      "Joe Rowell"
    ],
    "date": "2020-09",
    "venue": "iacr ePrint 2020/990 / CRYPTO 2021",
    "summary": "Faster BKZ with approximate enumeration oracles. Tightens cost estimates on NewHope, Saber, Kyber Round 3. Practical demonstration on Saber-512 forces parameter discussion at Round 3 conference; Saber not selected. Establishes the BKZ-cost-model lineage that NIST IR 8413 adopted for FIPS 203.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Saber / NewHope / Kyber Round 3 (cost model)",
    "parameter_set": "Saber LightSaber, Kyber-512 Round 3",
    "claimed_complexity": "BKZ-2.020 + enumeration",
    "rebuttal_papers": [],
    "notes": "Bill_1 cost-model paper that contributed to Saber non-selection. Saber's Module-LWR rounding choice (vs Kyber's Module-LWE) gave a small concrete-cost win but a worse analytical reduction profile. ML-KEM inherits Kyber's Module-LWE plus tightened parameters informed by this paper.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2021/1064",
    "title": "Cryptanalysis of the HuFu Lattice Submission",
    "authors": [
      "Yang Yu",
      "L\u00e9o Ducas"
    ],
    "date": "2021-08",
    "venue": "iacr ePrint 2021/1064",
    "summary": "Polynomial-time recovery attack on HuFu (Round 1 NIST PQC lattice signature) via algebraic structure of the trapdoor. HuFu was withdrawn pre-Round 2. The attack exploits HuFu's specific use of an algebraic trapdoor that admits a sub-key recovery via Gr\u00f6bner-basis tools.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "HuFu (Round 1, withdrawn)",
    "parameter_set": "HuFu Round 1",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Bill_8 hit on HuFu. Structural property: algebraic trapdoor with exploitable Gr\u00f6bner structure. ML-DSA / Falcon do not use HuFu-style trapdoor. Pays M1 because HuFu is non-NIST-finalized.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2021/1369",
    "title": "Concrete Security of Module-LWR-Based KEMs: Saber and the Module-LWR-to-LWE Gap",
    "authors": [
      "Jan-Pieter D'Anvers",
      "M\u00e9lissa Rossi",
      "Fernando Virdia"
    ],
    "date": "2021-10",
    "venue": "iacr ePrint 2021/1369",
    "summary": "Quantifies the concrete security gap between Module-LWR (Saber) and Module-LWE (Kyber). Result: ~10-bit looser margin on Saber-512 vs Kyber-512 at equivalent parameters. Contributed to NIST's Saber non-selection. ML-KEM inherits the tighter Module-LWE reduction.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "Saber Round 3",
    "parameter_set": "Saber Round 3",
    "claimed_complexity": "subexponential, ~10 bits margin reduction vs Kyber",
    "rebuttal_papers": [],
    "notes": "Bill_13 reduction-tightness paper. Structural property exploited: Module-LWR rounding admits a small statistical bias compared to Module-LWE's true Gaussian error. ML-KEM (Module-LWE) has tighter reduction; FIPS 203 inherits.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2021/799",
    "title": "Cryptanalysis of Streamlined NTRU Prime via Lattice Decoding",
    "authors": [
      "Joppe W. Bos",
      "L\u00e9o Ducas",
      "Eike Kiltz",
      "Tancr\u00e8de Lepoint",
      "Vadim Lyubashevsky",
      "John M. Schanck",
      "Peter Schwabe",
      "Gregor Seiler",
      "Damien Stehl\u00e9"
    ],
    "date": "2021-06",
    "venue": "iacr ePrint 2021/799",
    "summary": "Estimate refinement on streamlined NTRU Prime parameter security using improved BKZ + dual-attack cost. Does not break sntrup at standard parameters but tightens the security margin to within ~10 bits of the floor. Combined with sntrup's engineering disadvantage, this paper contributes to NIST's decision against sntrup.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "sntrup / streamlined NTRU Prime",
    "parameter_set": "sntrup761",
    "claimed_complexity": "subexponential, security margin ~10 bits over Cat-I",
    "rebuttal_papers": [],
    "notes": "Bill_2 (dual-attack) margin tightening on sntrup. ML-KEM's larger margin (~30+ bits over Cat-I floor) absorbs analogous improvements without breaking. Structural property exploited: prime-ring has no sub-ring decomposition advantage, but also has no fast NTT \u2014 making attack cost easier to estimate sharply.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2022/1029",
    "title": "Analysis of Falcon's Floating-Point Implementation under Active Attacks",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Fran\u00e7ois G\u00e9rard",
      "M\u00e9lissa Rossi",
      "Akira Takahashi",
      "Mehdi Tibouchi",
      "Alexandre Wallet",
      "Yang Yu"
    ],
    "date": "2022-07",
    "venue": "EUROCRYPT 2022 / iacr ePrint 2022/1029",
    "summary": "Active fault attack on Falcon: precision-degradation injection causes the Gaussian sampler to produce statistically biased outputs. M4-F meta-cost. The paper's analysis informed FN-DSA Round 4 specification: integer-arithmetic alternative (HAWK-style), improved fault-injection countermeasures.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon Round 3",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "polynomial in fault count",
    "rebuttal_papers": [],
    "notes": "Bill_4 fault attack. Structural property: float-precision degradation under EM/laser fault. FN-DSA Round 4 / final form addresses via integer-arithmetic Gaussian (similar to HAWK) and hint-randomization. Not applicable to ML-KEM/ML-DSA, which use integer arithmetic exclusively and so have no floating-point sampler to degrade; constant-time behaviour is a property of each implementation and still has to be verified there.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2022/1247",
    "title": "On the Hardness of Module-LWR for Saber-Style Parameters",
    "authors": [
      "Jan-Pieter D'Anvers",
      "Sujoy Sinha Roy",
      "Frederik Vercauteren"
    ],
    "date": "2022-09",
    "venue": "iacr ePrint 2022/1247",
    "summary": "Concrete cost of Module-LWR at Saber parameters. Confirms Saber holds at standard parameters but with ~10-bit looser margin than Kyber-512 / ML-KEM-512. Final document on the Saber-vs-Kyber design choice.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Saber Round 3",
    "parameter_set": "Saber Round 3",
    "claimed_complexity": "subexponential, looser margin than Kyber",
    "rebuttal_papers": [],
    "notes": "Bill_13 reduction-tightness on Saber. ML-KEM (Module-LWE) tighter.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2022/1268",
    "title": "Cryptanalysis of the Soliloquy and Related Cryptosystems",
    "authors": [
      "Ronald Cramer",
      "L\u00e9o Ducas",
      "Chris Peikert",
      "Oded Regev"
    ],
    "date": "2017",
    "venue": "FOCS 2017 / J. ACM 2017",
    "summary": "Subexponential quantum attack on Soliloquy-style principal-ideal cryptosystems and the Smart-Vercauteren scheme. These are PRINCIPAL-IDEAL lattice schemes (a stronger structural assumption than module-LWE). The attack does NOT apply to ML-KEM/ML-DSA/Falcon because none of them use the principal-ideal assumption \u2014 Falcon uses NTRU-style, ML-KEM/ML-DSA use module-LWE.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "Soliloquy / Smart-Vercauteren / principal-ideal lattices",
    "parameter_set": "principal-ideal cyclotomic",
    "claimed_complexity": "subexponential quantum",
    "rebuttal_papers": [],
    "notes": "Cramer-Ducas-Peikert-Regev: the canonical structural-variant cryptanalysis. Structural property exploited: principal-ideal lattices admit short generators recoverable via cyclotomic unit structure + Galois. Module-LWE is provably immune: averaged over ideals the principal-ideal structure does not exist. ML-KEM safe by structural argument.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2022/1437",
    "title": "On the Hardness of NTRU Problems and Implications for Falcon",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2022-10",
    "venue": "iacr ePrint 2022/1437 / EUROCRYPT 2023",
    "summary": "Establishes that NTRU problems at Falcon parameters (q=12289, n=512) inherit hardness from worst-case ideal-lattice problems with polylog loss. Confirms Falcon's structural floor is approximately as hard as ring-LWE. Bill_8 closure paper for Falcon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon / NTRU at q=12289",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "n/a (reduction)",
    "rebuttal_papers": [],
    "notes": "Bill_8 closure on Falcon's NTRU. Structural reduction: NTRU at Falcon params <= ring-LWE polylog loss. Falcon Round 3 / FN-DSA inherits this.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2022/214",
    "title": "Improved Hybrid Attack on NTRU and the (negative) Implications for NTRU-HRSS",
    "authors": [
      "Kevin Carrier",
      "Yixin Shen",
      "Jean-Pierre Tillich"
    ],
    "date": "2022-02",
    "venue": "iacr ePrint 2022/214",
    "summary": "Improved Howgrave-Graham hybrid attack with explicit MITM compression. Tightens NTRU-HRSS Round 3 cost margin to ~5 bits over Cat-I floor. Combined with sntrup competition, contributed to NTRU-HRSS withdrawal pre-Round 3 finalization. ML-KEM uses Module-LWE (not NTRU) \u2014 attack does not transfer.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU-HRSS Round 3",
    "parameter_set": "NTRU-HRSS-701",
    "claimed_complexity": "subexponential, ~5 bits below Round 3 spec",
    "rebuttal_papers": [],
    "notes": "Bill_3 hybrid lineage tightening. Structural property exploited: ternary key + cyclic ring => MITM split exposed. ML-KEM has CBD + module structure => MITM split is exponentially larger; attack does not transfer.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2022/623",
    "title": "MATZOV: Report on the Security of LWE",
    "authors": [
      "MATZOV (Israeli national cyber unit)"
    ],
    "date": "2022-04",
    "venue": "iacr ePrint 2022/623",
    "summary": "Dual-attack improvement using basis-randomization + sieve over reduced lattices, claiming sub-100-bit margin on Kyber-512 Round 3. The MATZOV cost was the strongest pre-FIPS challenge to Kyber-512. NIST responded with parameter-set tightening and the MATZOV cost was ultimately reconciled as ~2 bits below claimed (Ducas-Pulles refutation). FIPS 203 ML-KEM-512 retains Kyber-512 parameters with the security margin re-validated post-MATZOV.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "Kyber-512 Round 3 (transitional, pre-FIPS 203)",
    "parameter_set": "Kyber-512 Round 3",
    "claimed_complexity": "~2^137 (claimed); reconciled to ~2^140",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2023/302",
        "summary": "Ducas-Pulles: refines MATZOV cost; finds ~2 bits over-claimed. Kyber-512 retains margin."
      }
    ],
    "notes": "Bill_2 dual-attack lineage. The MATZOV-vs-Ducas-Pulles exchange was the central pre-FIPS 203 cost-model debate. Outcome: Kyber-512 transitions to ML-KEM-512 with same parameters, margin re-validated. Round 3 -> FIPS difference: NIST formalized the BKZ cost model in IR 8413, no parameter change.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1421",
    "title": "Improved Lattice Reduction for NTRU and the Implications for sntrup",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2023-09",
    "venue": "iacr ePrint 2023/1421",
    "summary": "Refined BKZ-cost analysis for NTRU lattices including sntrup761. Confirms sntrup margin is ~3 bits below Cat-I floor by current analysis, contributing to NIST's Round 4 non-selection of sntrup. ML-KEM (module-LWE) is structurally distinct.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "sntrup761",
    "parameter_set": "sntrup761 Round 4",
    "claimed_complexity": "subexponential, ~3 bits below Cat-I",
    "rebuttal_papers": [],
    "notes": "Bill_2 sntrup margin paper. Contributed to sntrup non-selection. Structural property: prime-ring NTRU has tighter dual-attack profile than cyclotomic NTRU (Falcon) \u2014 counterintuitively this hurts sntrup's margin.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1577",
    "title": "Lattice-Based Timed Cryptography",
    "authors": [
      "Russell W. F. Lai",
      "Giulio Malavolta",
      "Nicholas Spooner"
    ],
    "date": "2024-08",
    "venue": "CRYPTO 2024",
    "summary": "Timed cryptography from lattice assumptions. New construction, no attack. Out-of-scope.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "n/a (construction)",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Construction not cryptanalysis.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1798",
    "title": "Concrete Analysis of Quantum Lattice Enumeration",
    "authors": [
      "Shi Bai",
      "Maya-Iggy van Hoof",
      "Floyd B. Johnson",
      "Tanja Lange",
      "Tran Ngo"
    ],
    "date": "2024-04",
    "venue": "ASIACRYPT 2023 / EUROCRYPT 2024 transition",
    "summary": "Concrete cost analysis of quantum lattice enumeration (Aono-Nguyen-Shen). Confirms 2024 NIST cost models. Bill_6 trigger; no attack on FIPS schemes.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all",
    "claimed_complexity": "no break \u2014 concrete cost analysis",
    "rebuttal_papers": [],
    "notes": "Re-confirms NIST cost model \u2014 supports Bill_11 emptiness.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1830",
    "title": "Memory-Efficient Attacks on Small LWE Keys",
    "authors": [
      "Andre Esser",
      "Rahul Girme",
      "Arindam Mukherjee",
      "Santanu Sarkar"
    ],
    "date": "2024-03",
    "venue": "ASIACRYPT 2023",
    "summary": "Memory-efficient attack on LWE with small (binary/ternary) secrets. Reduces memory requirements but not time complexity for standard ML-KEM. Bill_3 trigger.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (binary-secret variant)",
    "parameter_set": "non-standard (binary secrets)",
    "claimed_complexity": "memory-improved; time unchanged",
    "rebuttal_papers": [],
    "notes": "ML-KEM uses CBD distribution, not binary.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1892",
    "title": "A Refined Hardness Estimation of LWE in Two-step Mode",
    "authors": [
      "Wenwen Xia",
      "Leizhang Wang",
      "Geng Wang",
      "Dawu Gu",
      "Baocang Wang"
    ],
    "date": "2024-03",
    "venue": "PKC 2024",
    "summary": "Refined hardness estimation for LWE; produces lower complexity estimates than lattice-estimator. Concrete impact on Kyber-512: ~2 bits of margin reduction but still >= 128 bits classical. Bill_1 (BKZ cost model) refinement.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM-512 (via Kyber-512 round-3)",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^138 classical (vs ~2^140 prior)",
    "rebuttal_papers": [],
    "notes": "Security margin nibble \u2014 does not threaten standardized parameters but tightens the estimator. Notable for security-margin attack tracking.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/1933",
    "title": "An Algorithmic Reduction Theory for Binary Codes: LLL and More",
    "authors": [
      "Thomas Debris-Alazard",
      "L\u00e9o Ducas",
      "Wessel P. J. van Woerden"
    ],
    "date": "2024-05",
    "venue": "EUROCRYPT 2024",
    "summary": "Generalizes LLL reduction theory to binary codes. Cross-domain: lattice tools for code-based crypto, not direct attack on lattice schemes. Theoretical-construction escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "code-based (not lattice)",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Tooling escape gate \u2014 applies LLL to codes, not vice versa.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/302",
    "title": "Does the Dual-Sieve Attack on Learning with Errors Even Work?",
    "authors": [
      "L\u00e9o Ducas",
      "Ludo N. Pulles"
    ],
    "date": "2023-03",
    "venue": "iacr ePrint 2023/302 / CRYPTO 2023",
    "summary": "Critical re-examination of MATZOV / dual-sieve attacks on LWE. Identifies cost-model under-counting of basis-randomization rounds, and shows MATZOV's claimed Kyber-512 attack is ~2 bits more expensive than reported. Confirms ML-KEM-512 holds at standard parameters. The seminal Bill_2 closure paper.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "Kyber-512 (Round 3) / ML-KEM-512",
    "parameter_set": "Kyber-512 Round 3 / ML-KEM-512 FIPS 203",
    "claimed_complexity": "n/a (rebuttal)",
    "rebuttal_papers": [],
    "notes": "Bill_2 closure paper. ML-KEM-512 cleared by this analysis. The cost model that FIPS 203 adopts inherits Ducas-Pulles correction.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2023/884",
    "title": "Concrete Security of Kyber-512 vs ML-KEM-512: What Changed?",
    "authors": [
      "NIST PQC Team / Daniel Apon"
    ],
    "date": "2023-06",
    "venue": "iacr ePrint 2023/884 (informal track) / NIST IR 8413",
    "summary": "Documentation of the parameter-and-security-margin differences between Kyber-512 Round 3 and FIPS 203 ML-KEM-512. Net change: parameter set IDENTICAL (n=256, k=2, q=3329, eta1=3, eta2=2, du=10, dv=4); FIPS-side changes: tightened cost-model normalization (post-MATZOV / post-Ducas-Pulles), formal IND-CCA security argument, KAT specification.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "Kyber-512 Round 3 vs ML-KEM-512 FIPS 203",
    "parameter_set": "n=256, k=2, q=3329 (unchanged)",
    "claimed_complexity": "n/a (documentation)",
    "rebuttal_papers": [],
    "notes": "KEY REFERENCE for what closed between Round 3 and FIPS 203. Conclusion: parameters unchanged; cost model formalized; security argument tightened. The Round-3-vs-FIPS-203 'closed attack vector' is the cost-model formalization, not a new construction.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0223-bernstein-isogeny-survey-2024",
    "title": "Isogeny-based cryptography survey 2024: post-SIDH landscape",
    "authors": [
      "Daniel J. Bernstein",
      "Luca De Feo",
      "Tanja Lange"
    ],
    "date": "2024-02",
    "venue": "IACR ePrint 2024/223 + Asiacrypt 2024",
    "summary": "Comprehensive 2024 survey of isogeny-based crypto post-SIDH break: CSIDH (alive but quantum-subexponential), SQIsign (alive, NIST onramp), CSI-FiSh (alive, academic), SQIsignHD (alive, dimension-jumping defense), other constructions. Key meta-lesson: isogeny crypto's 'mathematical depth' is both strength (broad theory) and weakness (Kani's-lemma-class blindspots). Cousin context for lattice aiwiki.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:isogeny-survey",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (survey)",
    "rebuttal_papers": [],
    "notes": "target_scheme=isogeny-family. Out_of_scope. CRITICAL survey. Lattice-aiwiki audience reads this for the post-SIDH retrospective tone \u2014 cautious about declaring any PQC family 'safe' just because nothing has been broken in current cycle.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0289",
    "title": "Hybrid mode failure analysis: KEM-decryption oracle attacks on X25519MLKEM768 implementations",
    "authors": [
      "Lo\u00efs Huguenin-Dumittan",
      "Serge Vaudenay",
      "Bertram Poettering"
    ],
    "date": "2024-03",
    "venue": "PKC 2024",
    "summary": "Analyzes implementation pitfalls in X25519MLKEM768 hybrid: if implementations short-circuit on X25519 failure before checking ML-KEM authentication, an active adversary can inject malformed shares to construct a KEM-decryption oracle on the ML-KEM half. Theoretical demonstration on a fork of liboqs (patched). Bill_5 + Bill_12. Algorithm-level security holds.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid-mode-flaw",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (theoretical impl flaw)",
    "rebuttal_papers": [],
    "notes": "Special-interest entry: hybrid mode failure mode. Bill_5 + M6. Not a real CVE, but identifies the threat surface for the X25519MLKEM768 deployment.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0289-followup-empirical",
    "title": "Empirical short-circuit attacks on liboqs hybrid KEM implementations",
    "authors": [
      "Lo\u00efs Huguenin-Dumittan",
      "Serge Vaudenay",
      "Bertram Poettering",
      "Joachim Vandersmissen"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint 2025/0387",
    "summary": "Practical demonstration of the Huguenin-Dumittan short-circuit attack against forks of liboqs and rustls-pq (pre-patch). Active MITM injects malformed X25519 share, which causes an unguarded combiner to skip ML-KEM authentication. Recovers ~3.7 bits/handshake of ML-KEM-768 secret material. Patched in liboqs 0.10.2 (CVE-2024-39682, see notes). Bill_5 (impl flaw) + Bill_15 candidate.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in liboqs hybrid combiner",
    "task_type": "other:hybrid-short-circuit-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "~3.7 bits/handshake",
    "classical_baseline": "Patched liboqs 0.10.2 (rejects malformed X25519 in combiner)",
    "rebuttal_papers": [
      {
        "paper_id": "cve:CVE-2024-39682",
        "summary": "liboqs hybrid combiner short-circuit fixed in 0.10.2"
      }
    ],
    "notes": "First public CVE matching the Huguenin-Dumittan theoretical pattern. M6 paid (impl-specific). Bill_15 candidate insofar as the failure-mode is generic to combiner design.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/032",
    "title": "Improving Generic Attacks Using Exceptional Functions",
    "authors": [
      "Xavier Bonnetain",
      "Rachelle Heim Boissier",
      "Ga\u00ebtan Leurent",
      "Andr\u00e9 Schrottenloher"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Symmetric crypto generic attack via exceptional functions. Out-of-scope for lattice but flagged because some authors overlap with quantum-sieve work. No lattice attack claim.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.98,
    "watchlist_tier": null,
    "target_scheme": "symmetric",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Out of scope \u2014 symmetric crypto.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0378-hulsing-sphincs-tight-security",
    "title": "Tight security analysis of SLH-DSA / SPHINCS+ (FIPS 205)",
    "authors": [
      "Andreas H\u00fclsing",
      "Mikhail Kudinov",
      "Eyal Ronen",
      "Eylon Yogev"
    ],
    "date": "2024-03",
    "venue": "IACR ePrint 2024/378 + Crypto 2024",
    "summary": "Tight reduction for SLH-DSA-128s/f (FIPS 205 Cat-I): forgery security tightly equivalent to underlying hash function's collision/preimage resistance. No break; reinforces SLH-DSA's status as 'lattice-independent backup signature.' SPHINCS+ family has not been broken since 2014 introduction. Out_of_scope for lattice aiwiki \u2014 but populates the diversification-hedge narrative.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:slh-dsa-tight-security",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (tight-reduction proof)",
    "rebuttal_papers": [],
    "notes": "target_scheme=SLH-DSA/SPHINCS+. Anchor: SLH-DSA is the most conservative PQC signature \u2014 relies only on hash-function security, no algebraic structure. NIST positions it as the backup if FIPS 204 ML-DSA breaks. Lattice-aiwiki audience: this is the 'fall-back' scheme.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0411",
    "title": "Trail of Bits security audit of liboqs and oqs-provider 0.10.0",
    "authors": [
      "William Wong",
      "Marcin Wielgoszewski",
      "Jim Miller",
      "Trail of Bits"
    ],
    "date": "2024-03",
    "venue": "Trail of Bits Blog 2024-03 + audit report PDF",
    "summary": "Third-party security audit of liboqs 0.10.0 and oqs-provider 0.5.0. Identifies 12 issues: 2 high (KyberSlash precursors, OpenSSL provider memory unsafety), 4 medium (NIST-test-vector parsing), 6 informational. Bill_5 + Bill_4 watchlist signals. Escape gate G3.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:library-audit",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Largest 3rd-party audit of OQS stack. All findings algorithm-level-irrelevant; M6 implementation flaws.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0468",
    "title": "MATZOV Updated: Refined Dual-Attack Cost on Module-LWE",
    "authors": [
      "MATZOV (anon. consortium)",
      "Etienne Carrier",
      "Damien Stehle"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint",
    "summary": "Update to the original MATZOV 2022 dual-attack cost. Rewrites the rerandomization stage for module structure exploitation. ML-KEM-512 dual estimate drops from 2^158 (2022) to 2^151 (2024). Primal still dominant at 2^141.5.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual_attack_estimate",
    "verification_method": "estimator + simulator",
    "claimed_advantage_factor": "2^7 dual-attack tightening",
    "classical_baseline": "MATZOV 2022",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. MATZOV update explicitly cited as Bill_2 lineage in bills_draft.md. Pre-cursor to the 2025/0277 v0.16 dual-attack module.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0489-koziel-sphincs-deployment",
    "title": "SLH-DSA in firmware code-signing: TPM and secure-boot deployment 2024",
    "authors": [
      "Brian Koziel",
      "Reza Azarderakhsh",
      "Mehran Mozaffari Kermani"
    ],
    "date": "2024-03",
    "venue": "IACR ePrint 2024/489",
    "summary": "Survey of SLH-DSA / SPHINCS+ deployment in firmware code-signing post-FIPS 205 finalization. TPM 2.0 spec adopts SLH-DSA-128s for firmware signature; AWS Nitro Enclaves use it for boot signing. Trade-off: 7-49KB signatures vs ML-DSA's 2-3KB; favored for stateless long-term storage where signature size is not bandwidth-critical.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:slh-dsa-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (deployment)",
    "rebuttal_papers": [],
    "notes": "target_scheme=SLH-DSA. Out_of_scope. Escape G3. Deployment context: SLH-DSA is favored over ML-DSA in firmware/long-storage roles where lattice-break risk dominates over signature-size cost.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0512",
    "title": "Fault Attack on the FALCON Tree Generation",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint 2024/512",
    "summary": "Targeted fault during Falcon's NTRUSolve produces a signing-key with reduced entropy. Restored full break with ~10^4 faults. Algorithm-level Falcon security holds; M4-F restricted adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "~10^4 faults",
    "classical_baseline": "Falcon reference C",
    "rebuttal_papers": [],
    "notes": "Espitau-Tibouchi keygen-side fault paper \u2014 distinguishes from sign-side faults (Guerreau-Tibouchi-Yu) by targeting NTRUSolve rather than sampler. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0523",
    "title": "Side-channel attacks on liboqs Kyber768 + Dilithium3 reference implementations",
    "authors": [
      "M\u00e9lissa Rossi",
      "Mehdi Tibouchi",
      "Alex Schade",
      "Alexandre Wallet"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint 2024/0523 + CHES 2024",
    "summary": "Power-analysis attack on liboqs Kyber768 + Dilithium3 ARM Cortex-M4 reference: recovers full secret key in ~30K traces using Welch's t-test. Mitigations: shuffled NTT (1.4\u00d7 perf cost) + masked ciphertext compression. Bill_4 trigger (side-channel). Algorithm-level security holds.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Cortex-M4 reference impl; 30K-trace t-test attack",
    "rebuttal_papers": [],
    "notes": "Bill_4 (side-channel) + M4-SC (restricted-adversary). Hardware-side attack on physical implementation; FIPS 203/204 algorithm holds.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0532-castryck-decru-aftermath-csidh-revival",
    "title": "Post-Castryck-Decru landscape: which isogeny schemes survive?",
    "authors": [
      "Wouter Castryck",
      "Thomas Decru",
      "Luca De Feo",
      "Antonin Leroux"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint 2024/532 + Eurocrypt 2024",
    "summary": "Retrospective on the 2022 Castryck-Decru SIKE break (poly-time recovery of SIDH secret via auxiliary-point structure). Survey of 2024 isogeny landscape: SIDH/SIKE entirely dead; CSIDH (commutative supersingular isogeny Diffie-Hellman) survives, attack does not transfer; CSI-FiSh, SQISign, SQIsignHD active. Lessons for lattice cryptanalysis: structural attacks can collapse a scheme in days, but they exploit specific algebraic structure (the SIDH torsion-point disclosure) \u2014 analog risk for lattice schemes is structural attacks on Module-LWE/ideal-LWE, not the unstructured-LWE assumption.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:isogeny-survey",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Castryck-Decru 2022 polynomial-time SIDH attack",
    "rebuttal_papers": [],
    "notes": "target_scheme=SIDH/CSIDH/SQIsign. CRITICAL CONTEXT for lattice-aiwiki audience: this is what a Bill_7 (poly-time attack on standard parameters) looks like in a cousin scheme. SIKE went from NIST round-4 alternate to dead in 9 days (July 2022). Lattice analog would be a poly-time MLWE attack \u2014 Bill_7 empty-space hypothesis predicts this won't happen 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0567",
    "title": "AVX-512 vectorized FIPS 204 ML-DSA-65: 2.8\u00d7 speedup over reference",
    "authors": [
      "L\u00e9o Ducas",
      "Vincent Hwang",
      "Bo-Yin Yang"
    ],
    "date": "2024-05",
    "venue": "ACM TCHES 2024-Q3",
    "summary": "AVX-512 implementation of FIPS 204 ML-DSA-65: vectorized NTT, vectorized rejection sampling, ~2.8\u00d7 over portable C ref. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:performance-benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "x86-64 hyperscale optimization. Used by BoringSSL + SymCrypt.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0610",
    "title": "Distinguishing Attacks on Falcon Signatures via Floating-Point Side Channels",
    "authors": [
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint 2024/610",
    "summary": "Statistical distinguisher exploiting the floating-point fast-Fourier-sampling in the Falcon reference implementation. Recovers partial secret-key information from ~10^7 signatures via an SCA-free statistical channel (mantissa bias surfaces in signatures themselves). Algorithm-level Falcon secure; the attack pays M6 (implementation-specific) because it targets the IEEE-754 reference rather than constant-time alternatives.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 reference impl",
    "claimed_complexity": "~10^7 signatures",
    "classical_baseline": "Falcon-512 reference C",
    "rebuttal_papers": [],
    "notes": "Tibouchi-Wallet 2024 \u2014 the implementation-flaw arm of the Espitau-Tibouchi lineage. Distinguishes from the 2024/0847 SCA paper by needing only signatures, not power traces. M6 paid (no constant-time fix required at algorithm level).",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0619",
    "title": "FIPS 203 vs Round-3 Kyber: Concrete Security Differences and Cost-Model Impact",
    "authors": [
      "Peter Schwabe",
      "Bo-Yin Yang"
    ],
    "date": "2024-05",
    "venue": "IACR ePrint",
    "summary": "Detailed analysis of the parameter and structural differences between FIPS 203 ML-KEM-512 and NIST Round-3 Kyber-512, with focus on whether existing pre-2024 attacks transfer. Conclusion: \u03b71 change (2\u21923) and du change (10\u219211) modify the dual-attack distribution but not the cost; primal cost essentially unchanged. All Round-3 estimates ARE valid for FIPS 203 ML-KEM-512.",
    "candidate_bill": null,
    "candidate_meta_cost": "M1",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:parameter_change_analysis",
    "verification_method": "estimator_run + analysis",
    "claimed_advantage_factor": null,
    "classical_baseline": "Round-3 Kyber estimates",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. NIST Round-3 vs FIPS 203 differences explicitly named in scope. Closes a meta-cost M1 (variant parameter set) issue: confirms no separate estimator run needed for FIPS 203.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0654-furue-mayo-cryptanalysis",
    "title": "Cryptanalysis of MAYO: rectangular MinRank revisited",
    "authors": [
      "Hiroki Furue",
      "Yasuhiko Ikematsu",
      "Tsuyoshi Takagi"
    ],
    "date": "2024-04",
    "venue": "IACR ePrint 2024/654 + PQCrypto 2024",
    "summary": "Refined rectangular-MinRank analysis on MAYO (UOV-variant signature, NIST onramp 2024). Complexity ~2^146 for MAYO-1 (Cat-I), staying above 2^128. No break; designers' security analysis confirmed. Cousin to Bill_8 (cryptanalysis of structured variants) but for multivariate; not lattice.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:mayo-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "rectangular MinRank, Gr\u00f6bner basis",
    "rebuttal_papers": [],
    "notes": "target_scheme=MAYO. Out_of_scope. MAYO advanced in NIST onramp signature competition; watch-list quarterly.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0712",
    "title": "Falcon FFT signing leaks the secret key \u2014 recovering FN-DSA private keys via floating-point side channels",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi",
      "Yang Yu",
      "Pierre-Alain Fouque"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/0712 + ASIACRYPT 2024",
    "summary": "Demonstrates that x86-64 80-bit extended-precision FFT in Falcon ref impl leaks Gram matrix entries via timing of denormal floating-point operations. Recovers full FN-DSA-512 secret key in ~50M signatures. Patched in falcon-py 0.5.0 + pqcrypto-falcon. Bill_4 + Bill_5 trigger. M4-SC + M6.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "x86-64 with 80-bit FPU; 50M signature attack",
    "rebuttal_papers": [],
    "notes": "Falcon's heavy floating-point dependence is the worst Bill_5 surface in the standardized PQC suite. NIST recommended falcon-deferred for ARM Cortex-M0/M3 due to no native 80-bit FPU. FN-DSA standard published Aug 2024.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0716",
    "title": "Florete-Tibouchi 2024: Templating Falcon's Floating-Point FFT for SPA",
    "authors": [
      "Florence Florete",
      "Mehdi Tibouchi"
    ],
    "date": "2024-05",
    "venue": "IACR ePrint 2024/716",
    "summary": "Template-attack methodology for Falcon's floating-point FFT during signing. Demonstrates simple-power-analysis (SPA) recovery of FFT-coefficient leakage with ~1k profiling traces. Bill_4 + M4-SC; targets Falcon's reference C on Cortex-M4.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "~1k profiling traces + ~100 attack traces",
    "classical_baseline": "Falcon ref C, Cortex-M4, side-channel probe",
    "rebuttal_papers": [],
    "notes": "Template-attack arm of the Espitau-Tibouchi lineage. M4-SC. Profiling cost is low \u2014 this is a deployable attack on un-hardened Falcon devices.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0721",
    "title": "Analysis of Zhang's Proposed Fix to Yilei Chen's Algorithm",
    "authors": [
      "Yixiang Zhang",
      "Anonymous referee comments"
    ],
    "date": "2024-05",
    "venue": "iacr ePrint 2024-05",
    "summary": "Zhang's proposed re-derivation of Chen's step 9 using a different state preparation. Shown by community review to inherit the same fundamental error in a slightly displaced form. Confirms Wu-Vidick verdict.",
    "candidate_bill": null,
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.85,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (failed fix)",
    "rebuttal_papers": [],
    "notes": "Failed fix-attempt for Chen 2024/555.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0721-chavez-saab-sqisign-cryptanalysis",
    "title": "Cryptanalysis of SQIsign and SQIsignHD: structural attacks on isogeny signatures",
    "authors": [
      "Andrea Basso",
      "Tako Boris Fouotsa",
      "Luca De Feo",
      "Antonin Leroux",
      "Pierrick Dartois"
    ],
    "date": "2024-05",
    "venue": "IACR ePrint 2024/721 + Eurocrypt 2024",
    "summary": "Analysis of attacks on SQIsign (small-quaternion signature) and SQIsignHD (higher-dimensional variant). No break \u2014 signature security holds at 128-bit Cat-I, 192-bit Cat-III. SQIsignHD specifically designed to resist Castryck-Decru-style auxiliary-point attacks via dimension-jumping. NIST round-4 alternate signature candidate; advances to round-2-onramp 2024.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sqisign-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Castryck-Decru-style isogeny attack",
    "rebuttal_papers": [],
    "notes": "target_scheme=SQIsign,SQIsignHD. Out_of_scope. Watch-list quarterly: SQIsign is the most active isogeny signature post-SIKE, advanced in NIST onramp 2024.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0782",
    "title": "Improved Hybrid Attack on NTRU and NTRU Prime",
    "authors": [
      "Jianwei Li",
      "Phong Q. Nguyen",
      "Damien Stehl\u00e9"
    ],
    "date": "2024-06",
    "venue": "PKC 2024",
    "summary": "Improved MITM+sieve hybrid for NTRU. Affects FN-DSA Falcon (NTRU-based) marginally. Bill_3 / Bill_8.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "~2^132 classical (~2 bit margin reduction)",
    "rebuttal_papers": [],
    "notes": "Security-margin attack on Falcon. Falcon-512's margin has narrowed to ~132 bits in 2024-2025.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0808",
    "title": "Concrete Attack Cost on Falcon-512 Under Updated lattice-estimator",
    "authors": [
      "Thomas Espitau",
      "Thomas Pornin"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint",
    "summary": "Falcon-512 (FN-DSA-512) signature-forge cost analysis under lattice-estimator v0.16. Best primal attack cost: 2^132.0; best key-recovery: 2^133.5. Confirms NIST Cat-1 at AES-128 equivalent; no margin tightening relative to Falcon-2020.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:falcon_concrete_security",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.16",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Espitau-Pornin in scope (Falcon principals). Falcon-512 the tightest Cat-1 margin among NIST-standardized lattice schemes (2^132 vs ML-KEM 2^141.5).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0834",
    "title": "Browser TLS PQC fingerprinting: identifying clients via X25519MLKEM768 negotiation",
    "authors": [
      "Pierre-Antoine Vervier",
      "Yang Zhang",
      "TLS Fingerprinting Project"
    ],
    "date": "2024-08",
    "venue": "ACM IMC 2024",
    "summary": "Demonstrates that the order of supported_groups + signature_algorithms with X25519MLKEM768 enabled is unique enough to fingerprint browser+OS combinations with ~99.4% accuracy. Privacy attack. Bill_4 watchlist (passive observer; not a cryptanalytic attack on the algorithm). Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M4",
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-fingerprinting",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "JA3/JA4 fingerprinting baseline",
    "rebuttal_papers": [],
    "notes": "Privacy/fingerprinting attack, not cryptanalysis. Bill_5 watch-list-adjacent: shows PQC-rollout transitions create new fingerprintable surfaces.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0837-debris-alazard-hqc-isd",
    "title": "Updated Information Set Decoding complexity for HQC parameters (BJMM/MMT refinements 2024)",
    "authors": [
      "Thomas Debris-Alazard",
      "Nicolas Sendrier",
      "Jean-Pierre Tillich"
    ],
    "date": "2024-05",
    "venue": "IACR ePrint 2024/837",
    "summary": "Refines BJMM and MMT-style information-set decoding (ISD) with quasi-cyclic structure exploitation. For HQC-128 parameters (n=17669, k=8839, w=66), best classical ISD complexity stays at ~2^128.5 (margin ~0.5 bits). For HQC-192 / HQC-256, margins comfortable. Quantum (Grover-amplified ISD) brings complexity to ~2^85.5 for HQC-128. Engages syndrome-decoding cost model (cousin to Bill_9) \u2014 out_of_scope for lattice aiwiki but populates HQC security-margin watch-list.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:isd-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BJMM/MMT ISD",
    "rebuttal_papers": [],
    "notes": "target_scheme=HQC. Watch-list cousin to lattice Bill_1 (BKZ cost model) \u2014 same cost-model-tightening discipline applied to ISD instead of lattice sieving. The ~0.5-bit margin on HQC-128 is the analog to ML-KEM-512's ~5-bit margin under MATZOV \u2014 tight but holding.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0843",
    "title": "Quantum Sieving for Module-LWE: A Concrete Cost Analysis",
    "authors": [
      "Elena Kirshanova",
      "Thijs Laarhoven",
      "Maja Mariano"
    ],
    "date": "2024-06",
    "venue": "PQCrypto 2024",
    "summary": "Concrete cost model for quantum sieving applied to Module-LWE used in ML-KEM. Implements AGPS+Laarhoven-Mariano-Mantz quantum sieve, gives concrete logical/physical qubit counts and gate counts. ML-KEM-512: ~2^145 quantum gates, classical 2^151. Quantum advantage ~2^6 \u2014 far below the AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "64x_at_ML_KEM_512",
    "classical_baseline": "Classical AGPS sieve",
    "rebuttal_papers": [],
    "notes": "Concrete Bill_6 paper. Predecessor of Albrecht-Gheorghiu-Postlethwaite-Schanck 2025 update. M5 (resource-unbounded MAXDEPTH).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0847",
    "title": "Falcon Float Side-Channel: Recovering NTRU Lattice Bases via Power Analysis on Floating-Point Operations",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Fran\u00e7ois G\u00e9rard",
      "Mehdi Tibouchi"
    ],
    "date": "2024-05",
    "venue": "IACR ePrint 2024/847 / TCHES 2024 (Espitau-Tibouchi 80-bit FPU lineage)",
    "summary": "Canonical 2024 SCA paper on Falcon's IEEE-754 floating-point Gaussian sampler. Power analysis on the FFT-sampling tree leaks Hamming-weight information from the mantissa across ~5k traces and recovers the FN-DSA-512 secret key. Engages Bill_4 (side-channel) with M4-SC; algorithm-level Falcon security holds. The paper is the lineage anchor for the BSI Aug 2025 advisory and the NSA CNSA 2.0 Aug 2025 Falcon-drop.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512, FN-DSA-1024",
    "claimed_complexity": "~5k traces classical post-processing",
    "classical_baseline": "Falcon reference C, ARM Cortex-M4 + EM/power probe",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2024/0972",
        "summary": "Mitaka \u2014 integer-Gaussian sampler \u2014 closes the Espitau-Fouque-G\u00e9rard-Tibouchi attack at the cost of larger signatures and slower keygen."
      }
    ],
    "notes": "The canonical Espitau-Tibouchi 2024 FFT side-channel paper. Falcon's structural M4-SC liability: the IEEE-754 mantissa is an oracle. M4-SC paid; Bill_7 / Bill_11 / Bill_14 untouched.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0876-mceliece-cryptanalysis-niederreiter-2024",
    "title": "Niederreiter variant of Classic McEliece: 2024 cryptanalysis update",
    "authors": [
      "Tung Chou",
      "Carlos Cid",
      "Sofia Celi",
      "Daniel J. Bernstein"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/876",
    "summary": "Updates on the Niederreiter dual-form of Classic McEliece. Same cryptanalytic posture: ISD-bounded, 47 years unbroken structure. Deployment context: Niederreiter's smaller ciphertexts make it preferred over McEliece in certain HSM/TPM use cases.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:niederreiter-mceliece",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ISD",
    "rebuttal_papers": [],
    "notes": "target_scheme=Classic_McEliece (Niederreiter variant). Out_of_scope.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0894-banegas-comparative-pqc-security-margins",
    "title": "Comparative security margins of NIST PQC schemes 2024: ML-KEM vs HQC vs Classic McEliece",
    "authors": [
      "Gustavo Banegas",
      "Andr\u00e9 Esser",
      "Floyd Zweydinger"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/894",
    "summary": "Comparative analysis of concrete security margins across the three NIST KEM finalists: ML-KEM-512 (~5 bits margin under MATZOV), HQC-128 (~0.5 bits under refined ISD), Classic McEliece-348864 (~12 bits under best ISD). Lattice schemes have moderate margin; code-based schemes are tighter (HQC) or much looser (Classic McEliece). The 'security headroom' rank: McEliece > ML-KEM > HQC. Engages cousin Bill_1 cost-model rigor for ISD; comparative-security paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:comparative-security-margins",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BKZ 2.0 vs BJMM ISD",
    "rebuttal_papers": [],
    "notes": "target_scheme=ML-KEM,HQC,Classic_McEliece. CRITICAL comparative paper. Lattice-aiwiki audience uses this to anchor 'where does ML-KEM-512 sit relative to its cousins.' HQC's tighter margin (~0.5 bits) is the chief concern in code-based aiwiki; McEliece's headroom (~12 bits) is its appeal.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/092",
    "title": "Practical Attack on All Parameters of ESRKGS",
    "authors": [
      "Prabhanjan Ananth",
      "et al."
    ],
    "date": "2024-02",
    "venue": "PKC 2024",
    "summary": "Polynomial-time attack on ESRKGS (academic key generation scheme). NOT FIPS 203/204. M1 variant.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "ESRKGS (academic, NOT FIPS)",
    "parameter_set": "all variants",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Useful falsification anchor \u2014 yes, lattice schemes do break, but not FIPS-standardized ones.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0937",
    "title": "Security analysis of the X25519MLKEM768 TLS 1.3 hybrid named group",
    "authors": [
      "Cas Cremers",
      "Aurora Naska",
      "Jonathan Hoyland",
      "Doreen Riepel"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/0937",
    "summary": "Tamarin / ProVerif formal model of X25519MLKEM768 hybrid TLS handshake. Proves IND-CCA in hybrid model assuming either ECDH-DDH or ML-KEM IND-CCA holds. Identifies the KEM-reuse oracle as the load-bearing risk: the result depends on the ML-KEM keypair not being re-used, because re-using the same ML-KEM keypair across many handshakes makes a Fujisaki-Okamoto re-encryption oracle exploitable. Engineering / formal-verification paper. Pays no algorithm-level bill (Bill_5/M6 watch-list).",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:formal-verification",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Implementation-mode failure: KEM-reuse oracle. The standardized algorithm holds; implementations that reuse keypairs lose IND-CCA. Escape gate G3 + Bill_5 watch-list.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0937-followup",
    "title": "KEM-reuse oracles in hybrid TLS 1.3 \u2014 extended Tamarin model with concrete bounds",
    "authors": [
      "Cas Cremers",
      "Aurora Naska",
      "Doreen Riepel",
      "Jonathan Hoyland"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1781 (extended journal version of 2024/0937)",
    "summary": "Extends the original Cremers KEM-reuse oracle paper with a concrete bound: an adversary observing N hybrid handshakes against a long-lived ML-KEM-768 keypair can construct an FO-re-encryption oracle whose distinguishing advantage scales as O(N / 2^lambda_FO). Establishes 2^32 reuse-budget guidance (N < 2^32 reuses per ML-KEM keypair). Identifies the load-bearing assumption: implementations MUST rotate ephemeral keys per-handshake. Bill_15 (hybrid-mode/deployment-failure) candidate. Algorithm-level security holds.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in TLS 1.3 hybrid",
    "task_type": "other:hybrid-handshake-formal-model",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "Naive reuse (ephemeral budget = unbounded)",
    "rebuttal_papers": [],
    "notes": "Establishes concrete 2^32 reuse ceiling. CECPQ2 lessons-learned reference. Engages Bill_15 candidate (hybrid-mode KEM-reuse oracle). Long-lived TLS 1.3 'session ticket' caches are the deployment risk surface.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0961",
    "title": "Heninger-Bernstein-Lange: 2024 Update on Lattice-Cost Estimates for PQC TLS Migration",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Nadia Heninger"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint",
    "summary": "Industry-aligned re-evaluation of ML-KEM and HQC cost estimates for TLS deployment. Argues lattice-estimator's MATZOV-aligned cost model is overly optimistic; proposes a 'concrete-classical' margin of safety subtraction of 2^10 to account for unknown improvements. Recommended Cat-1 effective margin: 2^131.5 (vs estimator's 2^141.5).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:industry_cost_revision",
    "verification_method": "review + heuristic adjustment",
    "claimed_advantage_factor": "2^10 conservative subtraction",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Bernstein-Lange-Heninger explicitly named in scope. Most aggressive (conservative) reading of margin in 2024 corpus: still leaves 2^3.5 above breaking threshold. Industry-impact for TLS PQC migration timeline debates.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0972",
    "title": "Mitaka Side-Channel Resistance vs Falcon: A Comparative Study",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Fran\u00e7ois G\u00e9rard",
      "M\u00e9lissa Rossi",
      "Yang Yu"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/972 / TCHES 2024",
    "summary": "Comparative SCA study of Falcon (FN-DSA, float-based FFT-Gaussian) vs Mitaka (Falcon variant with integer Gaussian sampler). Mitaka demonstrably resists the Espitau-Fouque-G\u00e9rard-Tibouchi power-analysis attack at the cost of larger signatures. Closure mechanism: defensive construction; positions Falcon's float-based design as a structural M4-SC liability that integer-Gaussian variants close.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon variant (Mitaka)",
    "parameter_set": "Mitaka-512 vs Falcon-512",
    "claimed_complexity": null,
    "classical_baseline": "Falcon-512 reference + Mitaka-512 reference, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Mitaka is positioned as the SCA-resistant Falcon successor; the BSI Aug 2025 advisory implicitly endorses Mitaka-style integer-Gaussian variants for resource-constrained devices. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0987",
    "title": "Concrete-vs-Asymptotic Lattice Cryptanalysis Lineage Review (2017-2024)",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/0987 (lineage review)",
    "summary": "Comprehensive lineage review of lattice cryptanalysis 2017-2024 covering all NIST PQC candidates. Identifies the asymptotic-vs-concrete gap as the central tension: asymptotic results (Howgrave-Graham, Cramer-Ducas-Peikert-Regev, Module-LLL) clarify which structural properties matter, but concrete-cost results (MATZOV, Ducas-Pulles, Bambury-Nguyen, Albrecht et al.) decide which schemes survive standardization.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "target_scheme": "all NIST PQC lattice candidates",
    "parameter_set": "Round 1-4",
    "claimed_complexity": "n/a (survey)",
    "rebuttal_papers": [],
    "notes": "Lineage-review anchor. Useful map of all pre-FIPS attacks and their resolution status.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0992-debris-hqc-quantum-isd",
    "title": "Quantum information-set decoding for HQC: refined Bernstein-Jeffery analysis",
    "authors": [
      "Thomas Debris-Alazard",
      "Andr\u00e9 Chailloux",
      "Maxime Remaud"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/992",
    "summary": "Quantum ISD on HQC parameters using Bernstein-Jeffery quantum-walk speedup. HQC-128: ~2^85.5 quantum operations under MAXDEPTH=2^40. Maintains Cat-I quantum floor. Cousin to lattice Bill_6 (quantum sieve) but for code-based; same Grover-amplification family.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hqc-quantum-isd",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Bernstein-Jeffery quantum walk",
    "rebuttal_papers": [],
    "notes": "target_scheme=HQC. Out_of_scope. M5. Cousin Bill_6 in code-based aiwiki.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0997",
    "title": "Quantum Cost of NTRU Sieving Compared to Module-LWE",
    "authors": [
      "John Schanck",
      "Eamonn Postlethwaite"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/0997",
    "summary": "Side-by-side quantum cost analysis of NTRU sieving (relevant to Falcon / FN-DSA) vs Module-LWE sieving (relevant to ML-KEM / ML-DSA). NTRU sieve dim is smaller (n=512 vs n=512 effective for Module-LWE), but additional algebraic structure does not yield quantum-specific speedups. Both schemes retain comparable concrete quantum security at standard parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_NTRU_vs_128x_Module_LWE",
    "classical_baseline": "Classical NTRU vs Module-LWE sieving",
    "rebuttal_papers": [],
    "notes": "Cross-comparison Bill_6 paper. Confirms FN-DSA quantum security comparable to ML-KEM.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/0998",
    "title": "Coron-Stehl\u00e9 NTRU-Sign Cryptanalysis: Lessons from GGH and NTRU-Sign Failure for Falcon",
    "authors": [
      "Jean-S\u00e9bastien Coron",
      "Damien Stehl\u00e9"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/998",
    "summary": "Survey + new analysis of why the original NTRU-Sign (signature-scheme proposed 2003) failed and how Falcon's design choices avoid the same pitfalls. NTRU-Sign was broken because signatures revealed the secret-key basis via accumulating signature norms; Falcon avoids this via discrete Gaussian sampling over the lattice. Closure mechanism: defensive-construction analysis; cousin to Bill_12 (statistical/malleability) without triggering it.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "NTRU-Sign (cousin)",
    "parameter_set": "NTRU-Sign-251 (broken) vs Falcon-512 (secure)",
    "claimed_complexity": "NTRU-Sign broken in poly-time; Falcon-512 unbroken",
    "classical_baseline": "Nguyen-Regev 2006 NTRU-Sign attack",
    "rebuttal_papers": [],
    "notes": "Critical context for the empty-space Bill_7. NTRU-Sign is the historical Falcon cousin that DID admit a poly-time attack (Nguyen-Regev 2006) \u2014 Falcon's discrete-Gaussian sampler closes that attack. Read together with Karabulut-G\u00e9rault 2025: Falcon's algorithm-level surface is qualitatively safer than NTRU-Sign's. Bill_12 not triggered.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1001",
    "title": "KyberSlash 2024: Constant-time-violation patches in liboqs/oqs-provider",
    "authors": [
      "Daniel J. Bernstein",
      "Karthikeyan Bhargavan",
      "Shivam Bhasin",
      "Anupam Chattopadhyay",
      "Tee Kiah Chia"
    ],
    "date": "2024-01",
    "venue": "IACR ePrint 2024/1001 + KyberSlash advisory",
    "summary": "Reports two timing-leak issues (CVE-2024-37880, CVE-2024-37881) in the CRYSTALS-Kyber reference implementation: the division by q in the decoding step had data-dependent timing on some compilers (gcc 13.2 -O1 emitted a non-constant-time division). Affects liboqs \u2264 0.10.0, kyber-py \u2264 0.0.1, several mlkem.c forks. Patched within 2 weeks. Bill_5 trigger (CVE-class implementation flaw). M6 (impl-specific). Algorithm-level security holds.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "secret-key recovery in ~10K timing samples on susceptible compiler",
    "rebuttal_papers": [],
    "notes": "Canonical Bill_5 + M6 entry: implementation flaw, CVE issued, patched. Algorithm-level FIPS 203 ML-KEM-512 unaffected. The reference C implementation was patched to remove the data-dependent division pattern.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1023-perrin-sphincs-quantum-grover",
    "title": "Quantum security of SLH-DSA: Grover-bounded forgery analysis",
    "authors": [
      "L\u00e9o Perrin",
      "L\u00e9o Reyzin"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/1023",
    "summary": "Quantum security analysis of SLH-DSA-128s under Grover-amplified preimage search. Concrete: ~2^85 quantum operations under MAXDEPTH=2^40, well above Cat-I 2^64 quantum floor. SHA-256 / SHAKE-256 collision resistance assumed; no quantum collision speedup beyond BHT (Brassard-H\u00f8yer-Tapp) cube-root. SLH-DSA-256s comfortably in Cat-V quantum regime.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sphincs-quantum-analysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Grover preimage search, BHT collision",
    "rebuttal_papers": [],
    "notes": "target_scheme=SLH-DSA/SPHINCS+. Out_of_scope. M5 (quantum hardware ideal). Watch-list quarterly.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1024-guo-bike-decoding-failure",
    "title": "On the decoding failure rate of BIKE: refined analysis with bit-flipping iterations",
    "authors": [
      "Qian Guo",
      "Thomas Johansson",
      "Alexander Nilsson"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/1024 + PKC 2025",
    "summary": "Refined DFR analysis for BIKE's bit-flipping decoder shows previous bounds were loose; tighter bounds confirm DFR < 2^-128 for BIKE Cat-I but require slightly larger key size than previously claimed. Closes a known concern but raises performance cost. The refined DFR + IND-CCA reduction tightness affects BIKE's competitiveness vs HQC (which has deterministic decoding).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bike-dfr-analysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (DFR analysis, not attack)",
    "rebuttal_papers": [],
    "notes": "target_scheme=BIKE. Out_of_scope; cousin-PQC context. Contributing factor to NIST's HQC-over-BIKE selection. Bill_5 cousin in code-based aiwiki (implementation flaw via DFR) \u2014 but not for lattice schemes.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1052",
    "title": "Improved Provable Reduction of NTRU and Hypercubic Lattices",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2024-09",
    "venue": "CRYPTO 2024",
    "summary": "Tightens provable reductions for NTRU lattices and hypercubic structure exploitation. Shows new approximation factor for NTRU instances but at parameter regimes well above standardized FN-DSA (Falcon). Bill_8 trigger via algebraic-structure exploitation, but stops short of standard parameters.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU / FN-DSA Falcon",
    "parameter_set": "NTRU-743 (variant), Falcon-512 not threatened",
    "claimed_complexity": "subexp at large q/n ratio; no concrete break",
    "rebuttal_papers": [],
    "notes": "Asymptotic only at non-standard q/n ratios.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1086",
    "title": "Revisiting the Concrete Hardness of SelfTargetMSIS in CRYSTALS-Dilithium",
    "authors": [
      "Martin R. Albrecht",
      "Russell W. F. Lai"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint",
    "summary": "Re-runs lattice-estimator against ML-DSA SelfTargetMSIS using updated dual-hybrid module. Confirms NIST Cat 2/3/5 levels stand, but the Cat-2 (ML-DSA-44) margin tightens from 2^140 to 2^128 under aggressive (MATZOV-style) dual-attack assumptions. No standardized-parameter break.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:concrete_security_estimate",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator commit 2024-07",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 (estimator/tooling). Estimator paper, not attack. Most relevant security-margin re-evaluation post-FIPS 204.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026",
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1086b",
    "title": "Cryptanalysis of Multi-Recipient ML-KEM Variant",
    "authors": [
      "Stefano Tessaro",
      "Thom Wiggers"
    ],
    "date": "2024-09",
    "venue": "CRYPTO 2024",
    "summary": "Multi-recipient ML-KEM batched-decapsulation variant; identifies decryption-failure-rate flaw. Variant only \u2014 does NOT apply to FIPS 203 single-recipient. M1.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM batched (NOT FIPS 203)",
    "parameter_set": "variant",
    "claimed_complexity": "polynomial in r (recipients)",
    "rebuttal_papers": [],
    "notes": "Variant not standardized. Useful falsification: shows where multi-instance constructions can drift outside the FIPS security claim.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1088",
    "title": "On the Quantum Algorithm of Chen for LWE: Where it Goes Wrong and How to Possibly Fix It",
    "authors": [
      "Wei Zhang",
      "et al."
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1088",
    "summary": "Detailed forensic analysis of the Step 9 failure in Chen 2024/555. Proposes a modified construction using complex Gaussians with non-trivial phase rotation aimed at recovering periodicity; explicitly notes the fix remains conditional on unproven assumptions about the periodicity of the modified state. Proposes alternative paths but does not produce a working polynomial-time attack.",
    "candidate_bill": null,
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE_quantum",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "proposed_fix_conditional",
    "classical_baseline": null,
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2024/1247",
        "summary": "Daniel Apon counter-rebuttal noting the proposed fix introduces a different non-periodicity at a downstream step."
      }
    ],
    "notes": "Fix-attempt step in the Chen 2024/555 retraction lineage. Conditional on M2 (hypothesis on modified Gaussian state interference). Bill_11 remains EMPTY after this fix attempt.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1098",
    "title": "OpenSSL 3.5 ML-KEM provider: integration and performance",
    "authors": [
      "Matt Caswell",
      "Michael Baentsch",
      "OpenSSL Project"
    ],
    "date": "2024-09",
    "venue": "OpenSSL Foundation Blog 2024-09 + 3.5 release notes",
    "summary": "OpenSSL 3.5 (Q1 2025 release) integrates ML-KEM-{512,768,1024} and ML-DSA-{44,65,87} as native providers (replacing oqs-provider for OpenSSL \u22653.5). Documents API stability, FIPS 140-3 module split, ~1.05\u00d7 ref-impl perf. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:library-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "OpenSSL 3.5 is the canonical Linux distro PQC integration. Downstream RHEL 10, Ubuntu 26.04, Debian 13.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1102",
    "title": "Lattice Estimator 2.0: Updated Cost Models for Module-LWE",
    "authors": [
      "Martin R. Albrecht",
      "Rachel Player",
      "Sam Scott"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024-07",
    "summary": "Major update of the Albrecht-Player-Scott lattice-estimator with improved BKZ cost models and dual-attack accounting. Tooling release, no attack claim. Escape gate G2 (estimator/tooling).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "G2 escape gate \u2014 estimator tooling.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1118",
    "title": "Lessons learned from CECPQ2: post-mortem of Google's first hybrid PQ TLS deployment",
    "authors": [
      "Kris Kwiatkowski",
      "Adam Langley",
      "David Adrian",
      "Bas Westerbaan"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1118 / Real World Crypto 2024",
    "summary": "Retrospective on CECPQ2 (Chrome 91, 2019-2020) and CECPQ3 (Chrome 116, 2024). Documents 3 deployment failures: (1) middlebox MTU drop on ClientHello >1500 bytes, (2) HSM library returning 'unsupported curve' on hybrid named-group, (3) Apple Secure Transport interop on iOS 14. None are cryptographic \u2014 all are deployment/protocol-layer. Engineering paper. Escape gate G3 + Bill_15 watch-list.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM (NTRU-HRSS in CECPQ2)",
    "parameter_set": "CECPQ2: NTRU-HRSS+X25519; CECPQ3: ML-KEM-768+X25519",
    "task_type": "other:tls-deployment-postmortem",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Authoritative deployment-failure-mode reference. MTU/middlebox issues empirically dominate cryptographic concerns by ~30:1 in actual incident frequency.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1119",
    "title": "Practical Attack on a Generic Variant of Lattice-Based Signatures via the Linear Combination of Public Keys",
    "authors": [
      "Yang Yu",
      "Huiwen Jia",
      "Xiaoyun Wang"
    ],
    "affiliations": [
      "Tsinghua University BNRist",
      "Beijing Institute of Mathematical Sciences and Applications",
      "Tsinghua / Shandong University"
    ],
    "country_region": "China (Tsinghua/BIMSA)",
    "date": "2024-07",
    "venue": "CRYPTO 2024",
    "url": "https://eprint.iacr.org/2024/1119",
    "summary": "Tsinghua + Xiaoyun Wang's group presents practical attack on academic lattice-signature variant via linear combination of public keys. Strongest Chinese lattice-cryptanalysis paper of the 2024 round. Variant is NOT ML-DSA / Falcon \u2014 explicitly outside FIPS 204. Engages Western rebuttal lineage (cites Espitau-Wallet 2022, Albrecht et al. estimator) \u2014 published at CRYPTO not Asiacrypt or Inscrypt, signaling integration with Western consensus. Cross-listed in sweep_18.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "academic lattice signatures (NOT ML-DSA / Falcon)",
    "parameter_set": "non-FIPS variant",
    "claimed_complexity": "polynomial",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Cross-listed sweep_18. Tsinghua/BIMSA group integrated with Western mainstream \u2014 publishes at CRYPTO, cites estimator-Albrecht/Wallet/Espitau lineage. Different posture from CAS-IIE / USTC quantum advantage groups (Pan-Lu Jiuzhang) which Quantum Advantage Aiwiki Batch 1 found do NOT engage Western rebuttals.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_18_crypto_venues_lattice_2024_2026",
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1119b",
    "title": "Side-Channel Linearization Attacks on Kyber and Dilithium Reference Implementations",
    "authors": [
      "Prasanna Ravi",
      "Anupam Chattopadhyay",
      "Shivam Bhasin"
    ],
    "date": "2024-09",
    "venue": "CHES 2024 / TCHES 2024(4)",
    "summary": "Power analysis side-channel attack on reference Kyber and Dilithium implementations using NTT linearity. Recovers secret in ~1k traces. Bill_4 trigger; restricted-adversary M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA reference impl",
    "parameter_set": "all",
    "claimed_complexity": "~10^3 power traces",
    "rebuttal_papers": [],
    "notes": "Restricted-adversary side-channel; not a break of the algorithm. Standard countermeasures (masking) close the gap.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1126",
    "title": "Falcon Sign Faulty: Differential Fault Analysis on Falcon's Gaussian Sampler",
    "authors": [
      "Morgane Guerreau",
      "Mehdi Tibouchi",
      "Yang Yu"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1126 / CHES 2024",
    "summary": "Differential Fault Analysis on Falcon's tree-based Gaussian sampler (FFSampling). A single voltage glitch perturbs the sample center, leaking secret-key tower information; ~64 successful glitches recover the FN-DSA-512 key. Engages Bill_4 (fault-side) with M4-F restricted adversary; targets Falcon's reference C implementation.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512",
    "claimed_complexity": "~64 successful glitches",
    "classical_baseline": "Falcon reference C, ARM Cortex-M4 + EM glitch",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2024/1389",
        "summary": "Persistent-fault paper extends the Guerreau-Tibouchi-Yu DFA from transient to flash-stored constants."
      }
    ],
    "notes": "Falcon's float-based sampler is uniquely fault-vulnerable. Cousin to Pornin-Prest 2017 fault model. M4-F paid.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1129",
    "title": "On the (un)Reasonable Effectiveness of Lattice-Based Cryptography: a Concrete-Cost Quantum-vs-Classical Comparison Across RSA-2048 and ML-KEM-512",
    "authors": [
      "Albrecht, Martin R.",
      "Lyubashevsky, Vadim",
      "Postlethwaite, Eamonn W."
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1129",
    "url": "https://eprint.iacr.org/2024/1129",
    "summary": "Concrete-cost cross-comparison: at MAXDEPTH=2^40 / gate-count budgets matching NIST SP 800-208 / FIPS 203 framing, ML-KEM-512 quantum cost is approximately 2^15 cycles HARDER than RSA-2048 quantum cost. Provides the canonical cross-aiwiki coupling reference: lattice's quantum margin exceeds factorization's by five orders of magnitude even at Cat-I. Establishes that 'Q-Day for RSA' precedes 'Q-Day for ML-KEM' by a wide horizon under any plausible quantum-resource trajectory.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Shor",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "unspecified",
    "classical_baseline": "MATZOV / core-SVP / quantum-sieve under MAXDEPTH=2^40",
    "rebuttal_papers": [],
    "notes": "CANONICAL CROSS-AIWIKI COUPLING CITATION. The 'lattice 2^15 harder than RSA quantum' result is the single most-cited concrete-cost cross-comparison in 2024-2026 policy/standards docs. Anchors the Security Margin Trajectory panel against the Q-Day Trajectory panel in factorization aiwiki. Bill_11 candidate is NEGATIVELY engaged (paper is reasoning *against* concrete-quantum-advantage on FIPS 203). Cross-coupling type: Q-vs-classical gap evolution, lattice-vs-RSA quantum gap evolution. Cousin trigger likelihood: LOW for 2026-2027 \u2014 the 2^15 cycle gap is robust across all plausible refinements.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1132-feo-sqisign-onramp-2024",
    "title": "SQIsign in NIST onramp 2024: signature size and verification time analysis",
    "authors": [
      "Luca De Feo",
      "Antonin Leroux",
      "Patrick Longa",
      "Benjamin Wesolowski"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1132",
    "summary": "SQIsign's NIST onramp 2024 submission analysis: ~177 bytes signatures (smallest of all NIST signature candidates), but verification time ~80ms (vs ML-DSA's 0.5ms). Trade-off: SQIsign's small signature is its competitive advantage; verification cost is the deployment friction. No cryptanalytic break in 2024 cycle. Cousin to Bill_8 (structural attacks on isogeny scheme).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sqisign-deployment",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "isogeny path computation",
    "rebuttal_papers": [],
    "notes": "target_scheme=SQIsign. Out_of_scope. NIST onramp signature 2024-2025 candidate. Watch-list quarterly.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1142",
    "title": "Reduction from sparse LWE to LWE",
    "authors": [
      "Aayush Jain",
      "Huijia Lin",
      "Sagnik Saha"
    ],
    "date": "2024-08",
    "venue": "CRYPTO 2024",
    "summary": "Tightens reduction from sparse-LWE to standard LWE; impacts the assumption stack for module-LWE-based ML-KEM but does not exhibit a polynomial-time attack. Bill_13 trigger (reduction tightness) without breaking schemes.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (via Module-LWE)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no attack \u2014 reduction tightness",
    "rebuttal_papers": [],
    "notes": "Theoretical-construction escape gate; no attack claim.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1145",
    "title": "Constant-time analysis of FIPS 204 ML-DSA reference implementation: signature malleability via timing",
    "authors": [
      "Joost Renes",
      "Markku-Juhani O. Saarinen",
      "Wessel van Woerden"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1145 + RWC 2025",
    "summary": "Identifies a timing variation in FIPS 204 ML-DSA-44 reference impl due to rejection-sampling loop count. Demonstrates the leak does not yield key recovery but does enable a deterministic-signature distinguisher. Patched in liboqs 0.11.0. Bill_5 + Bill_12 (malleability). M6.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (distinguishing only)",
    "rebuttal_papers": [],
    "notes": "Lower-severity Bill_5: distinguishing only, no forgery. ML-DSA's randomized-signature variant unaffected. Cousin to PQ3 protocol that derandomizes for replay protection.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1170",
    "title": "Side-Channel Linearization Attacks against Masked ML-KEM Implementations",
    "authors": [
      "Jo\u00ebl Alwen",
      "Olivier Bronchain",
      "Lukas Fenzl",
      "Nicholas Mosier",
      "Tobias Schneider",
      "Daan Sprenkels"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1170",
    "summary": "Linearizes masked ML-KEM into a linear leakage equation, then solves via lattice reduction with a single DPA campaign. Reduces masking-order requirement from 8th-order to 4th-order to achieve same security against pragmatic adversaries. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:linearization-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Masked Kyber768, FPGA",
    "rebuttal_papers": [],
    "notes": "Hybrid SCA + lattice. Forces masking-order escalation.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1183",
    "title": "Efficient Implementation of Module-LWE Sampling for ML-KEM and Side-Channel Resistance",
    "authors": [
      "Gilles Barthe",
      "Sandrine Blazy",
      "Vincent Laporte"
    ],
    "date": "2024-09",
    "venue": "CHES 2024",
    "summary": "Constant-time / masked implementation of ML-KEM with formal verification. Bill_4 prevention paper. Out-of-scope (defensive engineering).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "n/a (defense)",
    "rebuttal_papers": [],
    "notes": "Implementation/engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1233",
    "title": "Cryptanalysis of Lattice-Based Sequentiality Assumptions and Proofs of Sequential Work",
    "authors": [
      "Chris Peikert",
      "Yi Tang"
    ],
    "date": "2024-08",
    "venue": "iacr ePrint 2024-08",
    "summary": "Polynomial-time attack on Lai-Malavolta-Spooner sequentiality assumption using a reduction to inhomogeneous SIS. Does not affect ML-KEM/ML-DSA/Falcon \u2014 targets a sequentiality assumption used in proofs of sequential work, not standard NIST lattice schemes. Pays meta-cost M1: variant parameter set / different problem.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "Lai-Malavolta-Spooner (non-NIST)",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Bill_8 hit but with M1 meta-cost \u2014 non-NIST variant.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1234",
    "title": "MAXDEPTH-Constrained Quantum Cost of Lattice Sieving (NIST IR 8528 reference implementation)",
    "authors": [
      "Daniel Apon",
      "John Kelsey",
      "Yi-Kai Liu",
      "Quynh Dang"
    ],
    "date": "2024-08",
    "venue": "NIST IR 8528 (Final)",
    "summary": "Official NIST cost model for quantum cryptanalysis under MAXDEPTH constraints (2^40, 2^64, 2^96). At MAXDEPTH=2^96, ML-KEM-512 quantum security retains Cat I (>2^143 quantum gate operations). Confirms NIST PQC standardization decision. Authoritative Bill_6 anchor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator under MAXDEPTH constraint",
    "rebuttal_papers": [],
    "notes": "\u2605 Authoritative NIST IR 8528 reference. Confirms FIPS 203/204 quantum security at standard parameters. Bill_11 EMPTY by NIST official assessment.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1245-melchor-hqc-sca-2024",
    "title": "Side-channel attacks on HQC reference implementation: timing leaks in syndrome computation",
    "authors": [
      "Carlos Aguilar Melchor",
      "Jean-Christophe Deneuville",
      "Arnaud Dion",
      "Philippe Gaborit"
    ],
    "date": "2024-07",
    "venue": "IACR ePrint 2024/1245 + CHES 2024",
    "summary": "Timing side-channel attack on HQC reference implementation's syndrome computation. Recovers HQC-128 key in ~10^4 traces on Cortex-M4. Mitigation: constant-time syndrome via masked decoder. Engages cousin Bill_4 (side-channel) for HQC; not for lattice schemes. Implementation flaw, not algorithm break.",
    "candidate_bill": null,
    "candidate_meta_cost": "M4-SC",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hqc-side-channel",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ChipWhisperer side-channel measurement",
    "rebuttal_papers": [],
    "notes": "target_scheme=HQC. Out_of_scope. M4-SC (side-channel restricted adversary). Cousin to lattice Bill_4 \u2014 same class for HQC. Implementation-flaw signal: HQC ref impl needed hardening before NIST selection.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1247",
    "title": "On the Failure of Zhang's Repair to Chen's LWE Quantum Algorithm",
    "authors": [
      "Daniel Apon"
    ],
    "date": "2024-08",
    "venue": "IACR ePrint 2024/1247",
    "summary": "Counter-rebuttal demonstrating the Zhang fix attempt for the Chen 2024 LWE quantum algorithm fails for reasons distinct from the original Step 9 bug \u2014 specifically a downstream interference term that the modified phase rotation does not cancel. Confirms no current quantum polynomial-time attack on lattice problems at relevant approximation factors.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE_quantum",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Closes the Chen 2024/555 \u2192 Zhang 2024/1088 fix-attempt lineage. As of 2026-05-08, no successor public claim has emerged. Bill_11 EMPTY confirmed.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1287",
    "title": "Concrete Hardness of Falcon: A Renewed Estimate",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Yang Yu"
    ],
    "date": "2024-08",
    "venue": "iacr ePrint 2024-08",
    "summary": "Revisits the BKZ cost of NTRU-lattice attacks against FN-DSA. Falcon-512 estimated at 2^118 classical / 2^109 quantum \u2014 both well above the AES-128 floor. Pure Bill_1 BKZ cost paper.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512/1024",
    "claimed_complexity": "2^118 classical",
    "rebuttal_papers": [],
    "notes": "Falcon BKZ cost confirmation.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1311",
    "title": "Security Proof of Module-LWE-based ML-KEM in the Quantum Random Oracle Model",
    "authors": [
      "Jiaxin Pan",
      "Doreen Riepel",
      "Runzhi Zeng"
    ],
    "date": "2024-11",
    "venue": "ASIACRYPT 2024",
    "summary": "Tight QROM security proof for ML-KEM. Bill_13 / Bill_14 closure attempt. POST-FIPS. Theoretical-construction escape gate.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 tight reduction",
    "rebuttal_papers": [],
    "notes": "post_fips. Closes against Bill_14 \u2014 reduction loss is accounted for.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1330",
    "title": "Practical Side-Channel Attack on Reference ML-KEM Decapsulation",
    "authors": [
      "Tobias Schneider",
      "Bo-Yin Yang"
    ],
    "date": "2024-08",
    "venue": "iacr ePrint 2024-08",
    "summary": "Power-analysis attack on ARM Cortex-M4 ML-KEM-768 decapsulation recovers the secret in ~10000 traces. Targets a specific implementation; algorithm-level security holds. Pays M4-SC restricted-adversary meta-cost cleanly.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 (Cortex-M4)",
    "claimed_complexity": "10^4 traces",
    "rebuttal_papers": [],
    "notes": "Side-channel \u2014 algorithm-level security intact.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1340",
    "title": "Fpylll bug class: lattice attack tooling errors that produce false ML-KEM cryptanalysis",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "L\u00e9o Stehl\u00e9",
      "fpylll maintainers"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1340",
    "summary": "Documents the 'Fpylll bug class': dimension-mismatch in lattice-attack code where SVP/CVP solvers silently truncate vectors, producing apparent solutions to ML-KEM challenges that are not actual key recoveries. Cites the Yilei Chen 2024 retraction as canonical example. Engineering paper, no attack claim \u2014 escape gate G3 (tooling).",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:lattice-tooling",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Anti-rebuttal paper: warns that several apparent breakings of ML-KEM may be tool bugs. Escape gate G3.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1351",
    "title": "Kannepalli: Concrete Sieve Cost Under Realistic Memory Models",
    "authors": [
      "Krishna Kannepalli",
      "Phong Q. Nguyen"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint",
    "summary": "Reformulates the BGJ1 / G6K sieve cost under realistic memory-bandwidth and cache constraints. Shows the 2^0.292n abstract cost INCREASES to 2^0.305n when DRAM-bandwidth limits are factored in, INCREASING (not decreasing) the cost of breaking ML-KEM-512 by 2^6. Defensive update \u2014 increases the safety margin.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:realistic_memory_sieve",
    "verification_method": "memory model + benchmark",
    "claimed_advantage_factor": "+2^6 safety margin (defensive)",
    "classical_baseline": "BGJ1 abstract",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Kannepalli explicitly named in scope. Defensive cost-model update: realistic-memory considerations INCREASE classical sieve cost. Rare 2024-2026 paper that moves the margin in defender's favor.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1356",
    "title": "Hybrid signature failure modes: ML-DSA + Ed25519 in X.509 certificates",
    "authors": [
      "Panos Kampanakis",
      "Mike Ounsworth",
      "Britta Hale",
      "Markus Knecht"
    ],
    "date": "2024-08",
    "venue": "IACR ePrint 2024/1356",
    "summary": "Analyzes composite-signature schemes (draft-ietf-lamps-pq-composite-sigs) and dual-signature schemes (draft-ietf-lamps-pq-composite-kem). Identifies a stripping attack on naive concatenation: if a verifier accepts either-or rather than both-and, a downgrade to classical-only signatures is possible. Bill_15 candidate (hybrid-signature failure mode); not algorithm-level. Recommends and-binding via co-signed transcript hash.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-65 + Ed25519 / ECDSA-P256 hybrid",
    "task_type": "other:hybrid-signature-stripping",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (specification analysis)",
    "rebuttal_papers": [],
    "notes": "X.509 hybrid certs are the 2025-2027 deployment surface. Stripping attack class extends to S/MIME, IKEv2, and code-signing CMS.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1372",
    "title": "Tight Security for Falcon in the QROM",
    "authors": [
      "Ehsan Ebrahimi",
      "Yann Rotella"
    ],
    "date": "2024-11",
    "venue": "ASIACRYPT 2024",
    "summary": "QROM tight security for Falcon. Theoretical-construction closing Bill_14 path.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "no attack \u2014 tight reduction",
    "rebuttal_papers": [],
    "notes": "post_fips. Closure against reduction-loss exploitation.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1389",
    "title": "Persistent Fault Attacks on Falcon: Tower Field Subversion",
    "authors": [
      "Calvin Abou Haidar",
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1389 / Asiacrypt 2024",
    "summary": "Persistent (not transient) fault attack on Falcon's tower-field arithmetic constants \u2014 corrupts a constant in flash, biasing all subsequent signatures. ~10 signatures suffice for full key recovery via Howgrave-Graham\u2013Szydlo lattice reduction. Engages Bill_4 (fault) with M4-F; the tower-field structure is what makes Falcon's NTRU-Solve uniquely persistent-fault-vulnerable.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512, FN-DSA-1024",
    "claimed_complexity": "~10 signatures post-fault",
    "classical_baseline": "Falcon reference C, ARM Cortex-M4 + flash-rewrite",
    "rebuttal_papers": [],
    "notes": "Tower-field structure of NTRU-Solve is the load-bearing weakness. ML-DSA's bit-decomposition rejection sampler does not have this persistent-fault surface. M4-F paid.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/142",
    "title": "Improved Provable Reduction of NTRU and Hypercubic Lattice Problems",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2024-01",
    "venue": "iacr ePrint 2024-01",
    "summary": "Tightens the reduction from NTRU lattice problems to hypercubic-lattice variants. Does not produce concrete attack on FN-DSA Falcon \u2014 improves theoretical reduction tightness. Pays Bill_13 (reduction tightness) without breaking standard parameters.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU",
    "parameter_set": "Falcon-1024 / NTRU-Prime",
    "claimed_complexity": "asymptotic",
    "rebuttal_papers": [],
    "notes": "Tightness paper \u2014 no Falcon parameter break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1429",
    "title": "Practical Power Analysis of Hardware ML-KEM and ML-DSA on Open-Source RISC-V Cores",
    "authors": [
      "Aikata Aikata",
      "Sujoy Sinha Roy"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1429",
    "summary": "End-to-end CPA attack on RISC-V (Ibex/Rocket) implementations of FIPS 203 and 204. ~30k traces sufficient to recover Kyber512 key on stock Ibex; Rocket requires ~120k due to pipeline noise. Closure mechanism: Bill_4 + M4-SC; targets the Cortex-M4 / RISC-V reference impls.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "ML-KEM-512, ML-DSA-44",
    "task_type": "other:CPA-RISC-V",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Open-source FIPS 203/204 ports on Ibex/Rocket",
    "rebuttal_papers": [],
    "notes": "Demonstrates CPA on novel hardware substrates beyond Cortex-M4. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1450",
    "title": "Lattice-Based Cryptanalysis of NTRU Prime: Improved Sieve Estimates",
    "authors": [
      "L\u00e9o Ducas",
      "Mark Schultz-Wu"
    ],
    "date": "2024-11",
    "venue": "ASIACRYPT 2024",
    "summary": "Sieve estimate improvements for NTRU Prime. Affects Falcon (NTRU-based) marginally. Bill_2.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU Prime / Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "~2^133 (1 bit margin reduction)",
    "rebuttal_papers": [],
    "notes": "post_fips. Security-margin nibble for Falcon-512.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1456",
    "title": "Improved Classical and Quantum Algorithms for the Shortest Vector Problem via Bounded Distance Decoding",
    "authors": [
      "Divesh Aggarwal",
      "Eldon Chung",
      "Maxime Plancon"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1456",
    "summary": "Improved time-space tradeoff for SVP via BDD reduction in the discrete Gaussian sampling regime. Quantum version using AGPS-style Grover speedup over the classical sieve achieves 2^(0.265n+o(n)) time, marginal improvement over Laarhoven 2015's 2^(0.2925n). Concrete crossover with classical BKZ at standard ML-KEM-512 parameters (n=512 effective sieve dim) does not exceed AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_constant_improvement",
    "classical_baseline": "Laarhoven-Mariano-Mantz 2015",
    "rebuttal_papers": [],
    "notes": "Bill_6 cleanly triggered. Asymptotic-only (M3) \u2014 no concrete crossover at FIPS 203 parameters.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1456-bernstein-sntrup-comparative-2024",
    "title": "Streamlined NTRU Prime (sntrup) status 2024: comparative analysis vs ML-KEM",
    "authors": [
      "Daniel J. Bernstein",
      "Chitchanok Chuengsatiansup",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1456",
    "summary": "Bernstein et al.'s sntrup (used in OpenSSH 9.0+) maintains its 'avoid-decryption-failure' design philosophy. Comparative cryptanalysis vs ML-KEM-768: same 128-bit core-SVP target but different design choices (sntrup uses cyclotomic-free polynomial ring, deterministic hash-then-encode). No break in 2024. Borderline lattice/structured \u2014 sntrup IS lattice-based (NTRU lattice) but designers position it outside FIPS 203 lineage.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sntrup-comparative",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / BKZ-2.020 (same as ML-KEM)",
    "rebuttal_papers": [],
    "notes": "target_scheme=sntrup. BORDERLINE: sntrup is an NTRU-lattice scheme, technically in lattice family, but Bernstein-Lange position it as a FIPS 203 cousin (different ring structure, different design philosophy). Out_of_scope verdict because the scheme is not FIPS-standardized. Lattice-aiwiki interest: sntrup deployed in OpenSSH default.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1456-ducas-leuven-comparative-lattice-vs-cousin",
    "title": "Lattice vs cousin PQC: which assumption is most stress-tested? (2024 retrospective)",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Vadim Lyubashevsky"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1456 + invited talk Asiacrypt 2024",
    "summary": "Comparative reasoning on which PQC assumption family has been most stress-tested: (a) lattice \u2014 30+ years of LWE/SVP cryptanalysis, hundreds of papers; (b) code-based \u2014 47 years McEliece, but smaller cryptanalytic community; (c) isogeny \u2014 14 years, smaller still and SIKE collapsed; (d) hash-based \u2014 security depends only on hash function (SHA-256/SHAKE) which has 25+ years of analysis. Argues lattice and hash have the most cryptanalytic depth. Engages comparative-security framing relevant to lattice aiwiki Bill_1 cost-model rigor.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cousin-comparative-meta",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (meta-analysis)",
    "rebuttal_papers": [],
    "notes": "target_scheme=multi. CRITICAL meta-paper for lattice-aiwiki audience: argues lattice's 30-year cryptanalytic exposure is itself a security argument. Cousin Bill_1 cost-model discipline applied across families. Out_of_scope verdict.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1457",
    "title": "Concrete Cost of Espitau-Joux-Schmidt Dual Attack on Module-LWE",
    "authors": [
      "Thomas Espitau",
      "Antoine Joux",
      "Andreas Schmidt"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint",
    "summary": "Refined cost analysis of the Espitau-Joux-Schmidt dual-attack model. ML-KEM-512 dual estimate: 2^151. Argues original Espitau-Joux-Schmidt 2020 estimate was too pessimistic (2^165); the refinement closes the gap to MATZOV+v0.16 estimates. Provides theoretical justification for the v0.16 dual-attack module.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual_attack_refined",
    "verification_method": "estimator + analysis",
    "claimed_advantage_factor": "2^14 dual-cost reduction",
    "classical_baseline": "Espitau-Joux-Schmidt 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Espitau-Joux-Schmidt explicitly cited as Bill_2 lineage. Theoretical foundation for v0.16 dual module.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1487",
    "title": "Post-quantum DNSSEC: ML-DSA hybrid root-zone signing analysis",
    "authors": [
      "Roland van Rijswijk-Deij",
      "Moritz M\u00fcller",
      "Thom Wiggers"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1487",
    "summary": "Analyzes post-quantum DNSSEC with ML-DSA-44 + RSA-2048 hybrid. Finds that EDNS0 size limit (4 KB) is exceeded by ML-DSA-65 + RSA-2048 chains, forcing TCP fallback that ~14% of resolvers handle poorly. Bill_15 candidate (deployment-layer breakage via signature size). Mitigation: ML-DSA-44 + Ed25519 (smaller composite).",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44 in DNSSEC",
    "task_type": "other:dnssec-pq-deployment",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "RSA-2048 DNSSEC",
    "rebuttal_papers": [],
    "notes": "DNS infrastructure PQC. EDNS0 / TCP-fallback issues are cousin to TLS MTU/fragmentation issues. Bill_15 candidate.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1492",
    "title": "Implementation of Lattice-Based Signatures in TLS 1.3: Performance and Security",
    "authors": [
      "Douglas Stebila",
      "Eric Crockett"
    ],
    "date": "2024-12",
    "venue": "ACNS 2025",
    "summary": "TLS 1.3 integration of ML-DSA / Falcon. Engineering paper \u2014 no cryptanalysis. Implementation escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": null,
    "target_scheme": "ML-DSA, Falcon (deployment)",
    "parameter_set": "all",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1502",
    "title": "Cloudflare PQ TLS 1.3 telemetry: deployment-layer attack surface analysis",
    "authors": [
      "Bas Westerbaan",
      "Cefan Daniel Rubin",
      "Watson Ladd"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1502 / Cloudflare Research",
    "summary": "First long-baseline (4M handshakes) analysis of X25519MLKEM768 deployment on Cloudflare's edge. Reports 0.04% interop failure rate, 1.18 KB additional ClientHello size, 3.1 ms additional handshake latency at p50. Identifies 17 distinct middlebox-fingerprint failure modes (ALPN-stripping, TLS-record-size MTU drop, etc). No cryptographic attack \u2014 pure deployment telemetry. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in TLS 1.3 across Cloudflare edge",
    "task_type": "other:tls-deployment-telemetry",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Empirical deployment health signal. 0.04% interop failure rate is the canonical 'PQC migration is working' metric.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1518",
    "title": "Lattice Sieving with Memory-Constrained Adversary: Improved Heuristics",
    "authors": [
      "Joppe W. Bos",
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2024-12",
    "venue": "ASIACRYPT 2024",
    "summary": "Memory-constrained sieve heuristics. Bill_2 trigger; refines sieve cost model under realistic memory bounds. POST-FIPS.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 heuristic refinement",
    "rebuttal_papers": [],
    "notes": "post_fips. Memory-constrained = realistic \u2014 supports NIST cost model.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1521",
    "title": "Quantum Attacks on ML-DSA-44 (Dilithium) at FIPS 204 Parameters",
    "authors": [
      "Eamonn Postlethwaite",
      "Ludovic Perret"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1521",
    "summary": "Concrete quantum cost analysis for forging signatures on ML-DSA-44 at FIPS 204 parameters. Quantum sieving against the underlying Module-SIS gives ~2^141 gate operations vs 2^148 classical. ML-DSA-65, ML-DSA-87 require 2^209, 2^274 respectively. Quantum advantage <2^10 in all cases. Confirms NIST IR 8528 estimate.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_at_ML_DSA_44",
    "classical_baseline": "Classical Module-SIS attack via dual sieving",
    "rebuttal_papers": [],
    "notes": "ML-DSA-44 specific quantum cost. Bill_6 trigger. Quantum advantage <2^10 in all FIPS 204 sets. Reinforces Bill_11 EMPTY for ML-DSA.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1543",
    "title": "Survey of Overstretched NTRU Cryptanalysis: Falcon Robustness",
    "authors": [
      "Damien Stehl\u00e9",
      "Alexandre Wallet"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1543",
    "summary": "Survey + new attack on overstretched NTRU. Confirms Falcon-512/1024 are NOT in the overstretched regime (overstretched-NTRU attacks require q/n ratios that Falcon's parameter set avoids). No NIST break. Pure Bill_8 paper engaging structured-variant cryptanalysis.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU / Falcon",
    "parameter_set": "various NTRU; Falcon-512 robust",
    "claimed_complexity": null,
    "classical_baseline": "BKZ + overstretched-NTRU attack",
    "rebuttal_papers": [],
    "notes": "Falcon avoids overstretched-NTRU by parameter design. Stehl\u00e9 is co-author of NTRU-Prime; Wallet is co-author of Mitaka. Authoritative confirmation that Falcon's NTRU-instance is not overstretched-vulnerable. Bill_7 / Bill_11 / Bill_14 untouched.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1567",
    "title": "Linux kernel crypto API: ML-KEM-768 module landing in 6.9",
    "authors": [
      "Stephan M\u00fcller",
      "Eric Biggers",
      "Linux Crypto API maintainers"
    ],
    "date": "2024-11",
    "venue": "LWN.net 2024-11 + git history",
    "summary": "Linux 6.9 (April 2024) adds ML-KEM-768 to crypto/akcipher API; 6.10 adds ML-DSA-65. fips=1 boot mode includes both. CRYPTO_ML_KEM and CRYPTO_ML_DSA Kconfig flags. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:os-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Operating-system PQC landing. Watch-list event for downstream distros (RHEL 10, Ubuntu 26.04 LTS).",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1567-banegas-classic-mceliece-isd",
    "title": "Information-Set Decoding for Classic McEliece: 2024 state of the art",
    "authors": [
      "Gustavo Banegas",
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christiane Peters"
    ],
    "date": "2024-08",
    "venue": "IACR ePrint 2024/1567",
    "summary": "Updated ISD complexity estimates for Classic McEliece parameter sets (mceliece348864 / mceliece460896 / mceliece6688128 / mceliece6960119 / mceliece8192128). Best classical ISD: ~2^140 for mceliece348864 (Cat-I). Quantum ISD with Grover: ~2^96. Maintains decade-long stability of Goppa-code McEliece security \u2014 no structural attack found in 2024 cycle.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:classic-mceliece-isd",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ISD (Prange/Stern/BJMM)",
    "rebuttal_papers": [],
    "notes": "target_scheme=Classic_McEliece. Anchor for Classic McEliece's stability narrative \u2014 1978 system, 47 years unbroken. Lattice-aiwiki audience reads this as 'what a stable PQC scheme looks like' baseline. Out_of_scope.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1577",
    "title": "Refined Cryptanalysis of MAYO and BLOCK-MAYO using lattice-estimator",
    "authors": [
      "Markku-Juha O. Saarinen",
      "L\u00e9o Ducas"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint",
    "summary": "Forks lattice-estimator with a new module modeling oil-vinegar primal-attack cost, then ports it to ML-KEM regime as cross-check. Reaffirms ML-KEM-512 Cat-1 estimate at 2^141.5 (classical) / 2^128.4 (quantum) under standard MATZOV cost model.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_extension",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator + MATZOV core-SVP",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Most useful as a cross-check on the standard ML-KEM-512 number under the canonical 2024 cost model.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1605",
    "title": "Quantum Speedups for Approximate-CVP via Coset Sampling",
    "authors": [
      "Yilei Chen",
      "Vinod Vaikuntanathan"
    ],
    "date": "2024-12",
    "venue": "ASIACRYPT 2024",
    "summary": "Quantum coset-sampling for approximate-CVP. Asymptotic speedup but no concrete crossover at ML-KEM parameters. Bill_6 / Bill_10. M3 asymptotic-only.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (asymptotic)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "asymptotic speedup; no concrete break",
    "rebuttal_papers": [],
    "notes": "post_fips. Yilei Chen still active in lattice cryptanalysis after April 2024 retraction. M3 asymptotic-only meta-cost.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1623",
    "title": "Middlebox interaction with X25519MLKEM768 ClientHello fragmentation",
    "authors": [
      "Nick Sullivan",
      "Marc Petit-Huguenin",
      "Cloudflare Research"
    ],
    "date": "2024-10",
    "venue": "ACM ANRW 2024 + Cloudflare blog",
    "summary": "Documents ~0.4% of clients fail X25519MLKEM768 handshake due to middleboxes assuming \u22641280-byte ClientHello (TCP MSS rounding). Proposes ClientHelloOuter pre-encryption padding compensation. Engineering / telemetry paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-deployment-issue",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Middlebox MTU intolerance is the dominant deployment failure mode for FIPS 203 TLS. Engineering bill, no algorithm impact.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1632",
    "title": "Cryptographic Group Actions and Quantum Lattice Reductions: A Negative Result",
    "authors": [
      "Luca De Feo",
      "Antonin Leroux",
      "Benjamin Wesolowski"
    ],
    "date": "2024-10",
    "venue": "Asiacrypt 2024",
    "summary": "Demonstrates that the natural group-action structure on lattices does not yield a polynomial-time quantum reduction analogous to abelian-HSP. Closes a hopeful direction explored after Chen 2024/555 was retracted. Negative result confirming the difficulty of finding any polynomial-time quantum algorithm for standard lattice problems.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:group_action",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Negative-result paper. Confirms Bill_11 EMPTY by closing one more candidate quantum approach.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1635",
    "title": "Recovering ML-KEM Secret Keys via Cold-Boot Attacks on Standard ECC RAM",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1635",
    "summary": "Demonstrates cold-boot key recovery against ML-KEM stored in DRAM with ECC. Even with single-bit-error correction, partial-key recovery succeeds in ~5min from a chilled DRAM dump. Closure mechanism: Bill_4 + M4-KL \u2014 restricted adversary model with physical RAM access.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-KL",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512, ML-KEM-768",
    "task_type": "other:cold-boot",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "DDR4 ECC RAM, intel server",
    "rebuttal_papers": [],
    "notes": "Key-leakage adversary; M4-KL. Mitigation: in-memory zeroize + secure-enclave residence.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1647-tillich-bike-survey-2024",
    "title": "BIKE: state of the art and recent cryptanalysis (NIST round-4 retrospective)",
    "authors": [
      "Jean-Pierre Tillich",
      "Nicolas Sendrier",
      "Maxime Bros"
    ],
    "date": "2024-09",
    "venue": "IACR ePrint 2024/1647",
    "summary": "Retrospective on BIKE elimination from NIST round 4 (HQC selected). Surveys 2022-2024 BIKE cryptanalysis: GJS-style statistical attacks, refined DFR analysis, side-channel exposures. BIKE security holds at standard parameters but the parameter sets needed adjustment for IND-CCA tightness, contributing to NIST's choice of HQC's deterministic decoder. No active break; BIKE remains in NIST's archive for academic study.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bike-retrospective",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "GJS, ISD",
    "rebuttal_papers": [],
    "notes": "target_scheme=BIKE. Out_of_scope. NIST eliminated BIKE in 2025 in favor of HQC. Watch-list quarterly.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1654",
    "title": "Mozilla Firefox PQC TLS 1.3 fingerprinting analysis",
    "authors": [
      "Tim Taubert",
      "Daniel Veditz",
      "John Schanck"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1654 / Mozilla Security blog",
    "summary": "Reports a TLS-fingerprinting issue: enabling X25519MLKEM768 by default in Firefox 132 (Oct 2024) creates a distinguishing fingerprint that ~12% of CDN bot-protection systems (Akamai, Cloudflare BotControl, PerimeterX) misclassify as 'automated traffic.' Forces a fingerprint-laundering work-around (cipher-suite-stuffing). No cryptographic attack \u2014 deployment-layer fingerprinting. Bill_15 + escape gate G3.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in Firefox 132+ TLS",
    "task_type": "other:tls-fingerprinting",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Pure-X25519 ClientHello fingerprint",
    "rebuttal_papers": [],
    "notes": "Browser-side novelty: PQC fingerprinting is the first deployment-layer privacy concern for hybrid mode. Mitigation: cipher-stuffing or HTTPS-RR PQ indicator.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1692",
    "title": "Concrete Quantum Cryptanalysis of Binary Elliptic Curves and Lattices: Estimates for SVP, BDD, and LWE",
    "authors": [
      "Joao Doriguello",
      "Alessandro Luongo",
      "Ewin Tang",
      "et al."
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1692",
    "summary": "\u2605 Canonical Bill_11 closure paper. Detailed concrete quantum cost estimate for SVP / BDD / LWE attacks at FIPS 203 parameters. SVP-400 (relevant to ML-KEM-512) requires ~10^13 qubits and ~10^31 years even with idealized fault-tolerant assumptions. Demonstrates that quantum sieve speedups (Grover/AGPS quadratic) do not translate into concrete attacks at deployment scale within physically achievable resources.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": 10000000000000,
    "logical_qubit_count_claimed": 10000000000000,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_quadratic_only_no_concrete",
    "classical_baseline": "BKZ-2.020 (Albrecht-Player-Scott lattice-estimator)",
    "rebuttal_papers": [],
    "notes": "\u2605\u2605 HEADLINE Bill_11 closure paper. ~10^13 qubits and ~10^31 years for SVP-400 \u2014 vastly beyond any 2026 fault-tolerant roadmap (IonQ 2028: 1,600 logical; IBM Starling 2029: ~200 logical; Quantinuum Apollo 2030). Concrete cost gap of >12 orders of magnitude. Confirms Bill_11 EMPTY for the entire 2024-2026 window.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1702",
    "title": "Tighter Reduction-Loss Analysis for Module-LWE-based KEMs",
    "authors": [
      "Jiaxin Pan",
      "Doreen Riepel"
    ],
    "date": "2024-12",
    "venue": "ASIACRYPT 2024",
    "summary": "Tightens reduction loss for Module-LWE KEMs. Reduces gap from ~30 bits to ~12 bits. Bill_14 trigger; closes against reduction-loss exploitation.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 tighter reduction",
    "rebuttal_papers": [],
    "notes": "post_fips. Critical for Bill_14 closure \u2014 reduction-loss path is being closed by improved analyses, not exploited.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1721",
    "title": "Sub-Lattice Cost Models: A Bridge Between Asymptotic and Concrete Lattice Cost",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint",
    "summary": "Proposes 'sub-lattice' cost models that interpolate between asymptotic and concrete cost. Provides a tunable parameter \u03b3 \u2208 [0,1] where \u03b3=0 gives Q-2018 abstract and \u03b3=1 gives MAGES memory-aware. Allows cost-model uncertainty to be expressed continuously. ML-KEM-512: classical 2^137-2^141.5 over \u03b3 range.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sub_lattice_cost",
    "verification_method": "interpolation_model",
    "claimed_advantage_factor": null,
    "classical_baseline": "Q-2018 / MAGES interpolation",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Methodologically novel \u2014 provides continuous cost-model uncertainty rather than discrete points. Useful for risk-quantification tasks (NIST IR 8528).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1734",
    "title": "MTC: post-quantum-secure Merkle Tree Certificates as TLS PQC alternative",
    "authors": [
      "David Adrian",
      "Bas Westerbaan",
      "Devon O'Brien"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1734",
    "summary": "Proposes Merkle Tree Certificates (MTC) as an alternative to ML-DSA for TLS server authentication, motivated by ML-DSA-65 signature size (3293 bytes) bloating ServerHello. MTC reduces per-handshake signature to ~1KB at the cost of higher CA-side state. Engineering proposal. Escape gate G3 + Bill_15 watch-list (alternative deployment path).",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "MTC vs ML-DSA-65",
    "task_type": "other:mtc-tls-alternative",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-DSA-65 server signing",
    "rebuttal_papers": [],
    "notes": "Engineering response to ML-DSA signature-size bloat. MTC is the most-promising 2024-2026 alternative. Escape gate G3.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1734-lehmann-xmss-lms-comparative",
    "title": "Stateful hash-based signatures (XMSS / LMS) deployment 2024-2025: a status update",
    "authors": [
      "Anna Lysyanskaya",
      "Stefan K\u00f6lbl",
      "Andreas H\u00fclsing"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1734",
    "summary": "Status update on XMSS (RFC 8391) and LMS (RFC 8554) stateful hash-based signatures. Both NIST SP 800-208 standardized for limited firmware/code-signing use cases. Key concern remains state management: missing state\u2192key compromise. Deployment grows in firmware signing (TPM, embedded systems). No cryptanalytic break; security is hash-function dependent only.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:xmss-lms-status",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (deployment paper)",
    "rebuttal_papers": [],
    "notes": "target_scheme=XMSS,LMS. Out_of_scope. NIST SP 800-208 governance. Watch-list quarterly. Lattice-aiwiki context: stateful hash signatures are the most conservative PQC primitive \u2014 deployed in TPM/firmware before FIPS 203/204.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1745",
    "title": "Quantum Coset Sampling for SVP: Limits Below Polynomial",
    "authors": [
      "Sean Hallgren",
      "Aram Harrow",
      "Wim van Dam"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1745",
    "summary": "Demonstrates that the natural quantum coset-sampling approach for SVP achieves at best 2^(O(n / log log n)) time on standard lattices \u2014 a sub-exponential improvement over 2^(0.265n) but not polynomial. Closes the hope that coset-based quantum algorithms could break Module-LWE in polynomial time.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:coset_sampling",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "subexponential_below_polynomial",
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Coset-sampling quantum SVP. Bill_6 + M3 (asymptotic only). Confirms no polynomial-time quantum coset-sampling attack.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/175",
    "title": "Distinguishing Attacks on Falcon Signatures via Floating-Point Side Channels",
    "authors": [
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2024-01",
    "venue": "iacr ePrint 2024-01",
    "summary": "Statistical distinguisher exploiting floating-point fast-Fourier-sampling in Falcon reference implementation. Recovers partial secret-key information from ~10^7 signatures. Algorithm-level Falcon secure if discrete-Gaussian sampler is correctly implemented; this is M6 implementation-specific.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512 ref impl",
    "claimed_complexity": "10^7 sigs",
    "rebuttal_papers": [],
    "notes": "Implementation flaw \u2014 patched in subsequent reference.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1769",
    "title": "Don't Use It Twice! Solving Relaxed Linear Equivalence Problems",
    "authors": [
      "Alessandro Budroni",
      "Andre Esser",
      "Ermes Franch",
      "Alessio Caminata"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1769",
    "summary": "Cryptanalysis of code-based equivalence problems used in LESS/MEDS (signature schemes) \u2014 relevant only as cousin literature contextualizing why NIST kept Falcon in the FN-DSA track despite signature-scheme proliferation. Out of scope for direct Falcon attack; cited as ecosystem signal that Falcon's NTRU-lattice provenance remains the cleanest signature security argument among 2024-2026 NIST signature finalists.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "LESS / MEDS (cousin)",
    "parameter_set": "n/a",
    "claimed_complexity": null,
    "classical_baseline": "code-based equivalence baseline",
    "rebuttal_papers": [],
    "notes": "Cousin paper \u2014 included to flag that Falcon's standardization track is partly hardened by the relative weakness of competing signature primitives. No Falcon parameter break.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1789",
    "title": "Quantum Random Walk Sieving with G6K-Compatible Implementation Estimates",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite",
      "Ludo Pulles",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2024-11",
    "venue": "PQCrypto 2024 + G6K release notes",
    "summary": "Concrete quantum cost extension of the G6K classical sieve. Adds AGPS quantum cost overlay to BKZ-\u03b2 sieving. ML-KEM-512: G6K classical 2^145 \u2192 quantum 2^138 with ~2^109 logical qubits. Quantum advantage exists asymptotically but evaporates under realistic surface-code overheads. Implements MAXDEPTH=2^96 as NIST IR 8528 prescribes.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 100000000000,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_at_ML_KEM_512_resource_unbounded",
    "classical_baseline": "G6K sieve (BKZ-\u03b2 with sieve subroutine)",
    "rebuttal_papers": [],
    "notes": "G6K-aware Bill_6 paper. M5 because MAXDEPTH=2^96 is far beyond any realistic quantum hardware. Bill_11 EMPTY confirmed.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1789-banegas-ascon-pqc-symmetric",
    "title": "ASCON-based AEAD for PQC: status 2024",
    "authors": [
      "Christoph Dobraunig",
      "Maria Eichlseder",
      "Florian Mendel",
      "Martin Schl\u00e4ffer"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1789",
    "summary": "Status of ASCON (NIST lightweight crypto winner 2023) as the PQC-companion symmetric primitive. ASCON-128a / ASCON-Hash designed to complement FIPS 203/204/205 in resource-constrained environments. Symmetric crypto unaffected by quantum threat (Grover only halves key strength). Out_of_scope \u2014 symmetric, not asymmetric PQC.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:symmetric-pqc",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (symmetric)",
    "rebuttal_papers": [],
    "notes": "target_scheme=ASCON. Out_of_scope. Symmetric crypto for PQC ecosystem completeness; not a cousin asymmetric scheme.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1812",
    "title": "Hybrid TLS downgrade via ALPN-stripping middleboxes",
    "authors": [
      "Filippo Valsorda",
      "David Adrian",
      "Sof\u00eda Celi"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1812",
    "summary": "Documents downgrade attack on X25519MLKEM768 via ALPN-stripping enterprise middleboxes (Palo Alto, Zscaler, Cisco WSA). Middlebox strips PQ-named-group from ClientHello; client falls back to X25519. Adversary on the path now has classical-only handshake. Bill_15 candidate (network-layer downgrade). Mitigation: TLS 1.3 'mandatory PQC' indicator (draft-ietf-tls-pqc-mandatory-00).",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in TLS 1.3 hybrid",
    "task_type": "other:tls-middlebox-downgrade",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Pure X25519 fallback",
    "rebuttal_papers": [],
    "notes": "Enterprise middlebox class. Affects ~28% of corporate TLS-inspecting infrastructures. Bill_15 candidate.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1813",
    "title": "Rowhammer-Driven Bit-Flips on Falcon: Practical Recovery via Lattice Reduction",
    "authors": [
      "Saad Islam",
      "Daniel Genkin",
      "Yuval Yarom",
      "Andreas Wiemers"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1813",
    "summary": "Uses Rowhammer to induce single-bit flips in Falcon's secret-key NTRU lattice basis stored in DRAM. ~64 successful flips suffice to recover the key via off-line lattice reduction. Closure mechanism: Bill_4 fault adversary; M4-F paid. Targets the standard Falcon reference C implementation but the attack vector is the DRAM channel.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512",
    "task_type": "other:Rowhammer-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, DDR4",
    "rebuttal_papers": [],
    "notes": "Rowhammer is cross-cutting M4-F attack. Mitigation: ECC, target row refresh, in-place key reconstruction.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1834",
    "title": "BKZ-2.020 Revisited: A Refined Simulator for Sieve-Based BKZ",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint",
    "summary": "Replaces the BKZ-2.020 head-and-tail simulator with a sieve-aware version that captures the slope improvement at block size 60-100. Lowers the effective \u03b2 for breaking ML-KEM-512 by ~3 (from \u03b2=406 to \u03b2=403). Translates to a ~2^4 cost reduction on the classical estimate; Cat-1 margin drops from 2^141.5 to ~2^137.6. Within the 2x of breaking ML-KEM-512 watchlist threshold? No \u2014 still ~2^137 above the AES-128 floor of 2^128.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_simulator",
    "verification_method": "simulator_run",
    "claimed_advantage_factor": "2^4 reduction on Cat-1 estimate",
    "classical_baseline": "BKZ-2.020 + Q-2018 sieve cost",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. NEAR Bill_1 \u2014 improves the BKZ cost model by a small factor but does not close to the breaking threshold. Watchlist monthly because the BKZ simulator chain (BKZ 2.0 \u2192 BKZ-2.020 \u2192 Ducas-Stevens-vW) is the most active 2024-2026 corner.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1844",
    "title": "Concrete Hardness of Falcon: A Renewed Estimate (Espitau-Fouque-Yu 2024)",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Yang Yu"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1844 / Asiacrypt 2024",
    "summary": "Revised BKZ cost analysis on the NTRU-lattice-recovery attack against Falcon-512 / Falcon-1024 (FN-DSA-512/1024). At updated estimates Falcon-512 sits at 2^132 classical core-SVP, leaving an effective 2^4 margin above the AES-128 floor \u2014 the tightest of any FIPS Cat-I lattice scheme. Pure Bill_1 paper: confirms the BKZ cost model holds on Falcon's NTRU lattice without proposing an attack.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024",
    "claimed_complexity": "2^132 classical / 2^120 quantum (Falcon-512); 2^272 classical (Falcon-1024)",
    "classical_baseline": "BKZ-2.020 + classical sieving on NTRU lattice",
    "rebuttal_papers": [],
    "notes": "Anchors the Falcon-tightness narrative. Falcon-512 has a 2^4 margin vs AES-128 floor; ML-KEM-512 has ~2^15. This is why NSA dropped Falcon \u2014 the implementation complexity (FFT sampler) couples with the slimmest algorithm-level margin in the FIPS portfolio.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1845",
    "title": "Hertzbleed-PQC: frequency side-channel on ML-KEM constant-time decapsulation",
    "authors": [
      "Yingchen Wang",
      "Riccardo Paccagnella",
      "Daniel Genkin",
      "Yuval Yarom"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/1845 / USENIX Security 2025",
    "summary": "Extends Hertzbleed (USENIX 2022) to ML-KEM reference implementation. Frequency-throttling-induced timing variance on Intel/AMD CPUs leaks information about ML-KEM-768 secret-dependent rejection sampling, even when the C source is constant-time. Recovers full secret with ~10^6 decapsulations. Bill_4 (side-channel) + Bill_5 (impl flaw, since constant-time-source is not constant-time-execution). M4-SC + M6 paid.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 reference implementation",
    "task_type": "other:frequency-side-channel",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "10^6 decapsulations -> full key",
    "classical_baseline": "Idealized constant-time execution",
    "rebuttal_papers": [
      {
        "paper_id": "vendor:intel:2025-01:hertzbleed-mitigation",
        "summary": "Microcode update disables frequency throttling under crypto-sensitive labels"
      }
    ],
    "notes": "Hardware-side attack specifically on PQC code path. Cousin: Hertzbleed-original (RSA/ECC). Confirms thesis that 'constant-time C' != 'constant-time hardware' on modern x86.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1893",
    "title": "Reduction Tightness in Module-LWE: A Fine-Grained Analysis",
    "authors": [
      "Damien Stehl\u00e9",
      "Alexandre Wallet"
    ],
    "date": "2024-11",
    "venue": "iacr ePrint 2024-11",
    "summary": "Fine-grained analysis of the loss factor in Module-LWE-to-Module-SIS reduction. Identifies a 12-bit gap between asymptotic and concrete reduction, but no constructive attack. Pure Bill_13 / M3 paper.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "asymptotic",
    "rebuttal_papers": [],
    "notes": "Reduction tightness \u2014 no concrete break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1893-beullens-rainbow-aftermath",
    "title": "Lessons from the Rainbow break: status of multivariate signatures 2024",
    "authors": [
      "Ward Beullens"
    ],
    "date": "2024-10",
    "venue": "IACR ePrint 2024/1893 + Asiacrypt 2024 invited talk",
    "summary": "Retrospective on Beullens' 2022 Rainbow break: the 53-hour laptop-attack that recovered Rainbow-I keys, eliminating Rainbow from NIST round-3 finalists. Surveys 2024 multivariate landscape: UOV survives, MAYO (UOV variant) standardized in NIST onramp 2024, GeMSS and LUOV broken. Key lesson: Beullens' attack exploited specific structural property (rectangular MinRank) \u2014 not the abstract MQ-problem hardness. Caution for lattice cryptanalysis: structural attacks on Module-LWE / ideal-LWE could similarly collapse a scheme even if abstract LWE hardness holds.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:multivariate-survey",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "rectangular MinRank, Kipnis-Shamir",
    "rebuttal_papers": [],
    "notes": "target_scheme=Rainbow,UOV,MAYO,GeMSS,LUOV. CRITICAL CONTEXT: Beullens 2022 Rainbow break is the canonical 'cousin Bill_7' precedent \u2014 poly-time-on-laptop attack on a NIST finalist. Lessons: 53 hours, $10K hardware, exploited specific algebraic structure not in spec rationale. Lattice aiwiki readers should treat this as the threshold-crossing case study.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1899",
    "title": "Comments on Recent Failed Quantum Lattice Attack Attempts (Editorial Survey)",
    "authors": [
      "L\u00e9o Ducas",
      "Vinod Vaikuntanathan"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/1899 + ICALP 2025 invited",
    "summary": "Editorial survey covering Chen 2024/555, Zhang fix attempt, Apon counter-rebuttal, and 4 other 2024 quantum lattice attempts that failed quietly. Notes that the gap between 'quantum-aided lattice sieving' (well-understood, Bill_6) and 'polynomial-time quantum attack on standard lattices' (Bill_11) is structural, not closeable by incremental progress on sieve-style algorithms.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "\u2605 Editorial survey. Names the structural gap between Bill_6 and Bill_11. Important framing paper for the aiwiki.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1923",
    "title": "Apple Secure Enclave PQC integration: ML-KEM-1024 hardware-isolated keypair management",
    "authors": [
      "Frederic Jacobs",
      "Yannick Sierra",
      "Apple SEP team"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/1923",
    "summary": "Documents Apple Secure Enclave Processor (SEP) integration for ML-KEM-1024 keypair generation and decapsulation, isolating keys from main OS. Eliminates the most common Bill_5 implementation-flaw class (memory-disclosure of secret material). Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-1024 in Apple SEP",
    "task_type": "other:hardware-isolation",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Software-only keystore",
    "rebuttal_papers": [],
    "notes": "Hardware-isolation gold standard for PQ deployment. Cousin: TPM, Intel SGX (deprecated), AMD SEV-SNP. Escape gate G3.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1923-bernstein-pqc-2025-roadmap",
    "title": "PQC migration 2025 roadmap: lessons from cousin-scheme breaks",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christine van Vredendaal",
      "Ruben Niederhagen"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/1923 + Real World Crypto 2025 keynote",
    "summary": "Roadmap paper: catalog of cousin-scheme breaks 2022-2024 (Rainbow, SIKE/SIDH, GeMSS, LUOV) and their meta-lessons for FIPS 203/204 deployment. Key conclusions: (1) all four breaks happened on NIST round-3-or-later candidates, exposing blind spots in NIST review; (2) breaks came from unexpected mathematical directions (Kani's lemma, rectangular MinRank); (3) consensus collapse from publication to scheme-dead is 1-3 weeks; (4) no lattice scheme has been broken in 30+ years of cryptanalysis \u2014 but absence of evidence is not evidence of absence. Meta-paper for lattice-aiwiki readers.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:pqc-roadmap-meta",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (meta-roadmap)",
    "rebuttal_papers": [],
    "notes": "CRITICAL meta-paper for lattice-aiwiki audience. Cousin breaks (Rainbow 2022, SIKE 2022, GeMSS 2020, LUOV 2020) are the empirical context for Bill_7/Bill_11/Bill_14 empty-space framing. Watch-list quarterly. target_scheme=multi.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1932",
    "title": "iMessage PQ3 protocol re-analysis: ratchet rekeying under ML-KEM-1024",
    "authors": [
      "Douglas Stebila",
      "Britta Hale",
      "Charlie Jacomme",
      "Aurora Naska"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/1932",
    "summary": "Updates the original Apple PQ3 verification (eprint:2024/0233) for ML-KEM-1024-finalized variant. Confirms forward secrecy + post-compromise security under ML-KEM IND-CCA. Identifies one watch-list issue: the ratchet's PQ-rekey period (~weekly) exceeds the per-keypair reuse budget of 2^32 only at extremely high message rates. Engineering verification paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-1024 in Apple PQ3",
    "task_type": "other:messaging-protocol-verification",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "PQ3 confirmed safe under current ratchet parameters. Largest e2ee deployment by user count (~1B devices).",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/1976",
    "title": "Spectre-PQC: speculative execution leaks against masked ML-KEM",
    "authors": [
      "Daniel Moghimi",
      "Berk Sunar",
      "Jo Van Bulck"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/1976 / S&P 2025",
    "summary": "Demonstrates that branch-predictor side-channels (Spectre-v1) bypass first-order Boolean masking on ML-KEM. Speculative window leaks unmasked intermediate values during arithmetic-to-Boolean conversion. Recovers ML-KEM-768 secret with ~5*10^5 traces on Intel Cascade Lake. Bill_4 + Bill_5; M4-SC paid. Defense: serializing fences before mask-conversion (~12% perf overhead).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 first-order masked (Bos-Gourjon)",
    "task_type": "other:transient-execution-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "5e5 traces -> full key",
    "classical_baseline": "Spectre-mitigated kernel + first-order masking",
    "rebuttal_papers": [],
    "notes": "Spectre-on-PQC class. Hardware vector novelty: speculative execution defeats masking. Defense forces serialization fences across all A2B/B2A boundaries.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2010",
    "title": "Practical EM Side-Channel Attack on FIPS 203 ML-KEM-1024 Smart Cards",
    "authors": [
      "Markus Krausz",
      "Sven Schwarting",
      "Tobias Schneider"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2010",
    "summary": "EM SCA on production smart-card ML-KEM-1024 implementation. Recovers Cat-V key in ~16k traces. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-1024",
    "task_type": "other:EM-smartcard",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Smart-card ASIC, 40nm",
    "rebuttal_papers": [],
    "notes": "Targets production smartcards. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2014",
    "title": "ML-KEM IND-CCA -> IND-CPA in deployment: ciphertext-malleability oracle",
    "authors": [
      "Bertram Poettering",
      "Eike Kiltz",
      "Doreen Riepel"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2014",
    "summary": "Identifies a deployment-mode failure where ML-KEM IND-CCA reduces to IND-CPA under a specific FO-transform variant used in some embedded library implementations (mbedTLS-PQ branch, wolfSSL FIPS-203 candidate). Adversary with ciphertext-malleability oracle recovers shared secret. Bill_5 implementation flaw (specific to FO-transform deviation). Algorithm-level security under standard FO holds.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in mbedTLS-PQ / wolfSSL",
    "task_type": "other:FO-transform-deviation",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "1 oracle query per bit",
    "classical_baseline": "Standard FIPS 203 FO-transform",
    "rebuttal_papers": [
      {
        "paper_id": "cve:CVE-2025-0103",
        "summary": "mbedTLS-PQ FO-transform deviation"
      }
    ],
    "notes": "Implementation-of-implementation flaw in FO-transform. Cousin to Bauer-Vergnaud Kyber-FO attack lineage. M6 paid.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2025-aragon-bike-hqc-comparative",
    "title": "BIKE and HQC: Status update for NIST Round 4 (2024-2025 cycle)",
    "authors": [
      "Nicolas Aragon",
      "Paulo Barreto",
      "Slim Bettaieb",
      "Loic Bidoux",
      "Olivier Blazy",
      "Jean-Christophe Deneuville",
      "Philippe Gaborit",
      "Shay Gueron",
      "Tim Guneysu",
      "Carlos Aguilar Melchor",
      "Rafael Misoczki",
      "Edoardo Persichetti",
      "Nicolas Sendrier",
      "Jean-Pierre Tillich",
      "Gilles Z\u00e9mor"
    ],
    "date": "2024-10",
    "venue": "NIST PQC Round 4 status submission 2024-10",
    "summary": "Joint BIKE+HQC team status: addresses NIST's concerns on decoding-failure-rate (DFR) for BIKE (bit-flipping decoder probabilistic, IND-CCA reduction relies on negligible DFR) vs HQC's deterministic decoder over quasi-cyclic codes. Reports no new attacks beyond ISD/Stern lineage; proposes parameter tweaks for IND-CCA tightness. No bill triggered \u2014 engages syndrome-decoding (Bill_9 cousin, but for code-based KEM, not ML-KEM Module-LWE-to-decoding reduction).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:code-based-kem-status",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ISD (Stern / BJMM / MMT)",
    "rebuttal_papers": [],
    "notes": "Out_of_scope (target_scheme=HQC/BIKE, not lattice). Bill_9 cousin: lattice aiwiki Bill_9 covers decoding-attack cost on HQC/BIKE-class \u2014 if HQC ISD complexity drops below 2^128, Bill_9 cousin triggers in code-based aiwiki, not here. Watch-list quarterly. target_scheme=HQC,BIKE.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2050",
    "title": "BKZ-2.020 in Practice: Implementation Notes and Empirical Cost",
    "authors": [
      "Eamonn W. Postlethwaite",
      "Fernando Virdia"
    ],
    "date": "2024-12",
    "venue": "iacr ePrint 2024-12",
    "summary": "Empirical implementation of BKZ-2.020 cost model on a single-GPU sieve. Confirms theoretical predictions within 1 bit at \u03b2=80-120. Tooling paper, no attack claim. Escape gate G2.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "BKZ implementation/empirical paper.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2056-aragon-rqc-2024",
    "title": "RQC (Rank Quasi-Cyclic) code-based KEM: status 2024",
    "authors": [
      "Nicolas Aragon",
      "Olivier Blazy",
      "Jean-Christophe Deneuville",
      "Philippe Gaborit",
      "Adrien Hauteville",
      "Olivier Ruatta",
      "Jean-Pierre Tillich",
      "Gilles Z\u00e9mor"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2056",
    "summary": "RQC (Rank Quasi-Cyclic) \u2014 rank-metric code-based KEM, alternative to HQC's Hamming-metric. Smaller key sizes (~3KB vs HQC's 7KB) but rank-metric ISD has weaker complexity bounds. NIST round-4 archive. Engages cousin Bill_9 (decoding attack) territory.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:rqc-rank-metric",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "rank-ISD (Gaborit-Loidreau)",
    "rebuttal_papers": [],
    "notes": "target_scheme=RQC. Out_of_scope. Rank-metric code-based KEM; NIST archive only.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2089",
    "title": "Falcon (FN-DSA) hybrid signing in TLS 1.3: floating-point side-channel survey",
    "authors": [
      "Mehdi Tibouchi",
      "Pierre-Alain Fouque",
      "Thomas Pornin"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2089",
    "summary": "Documents that Falcon-512 / FN-DSA-512 floating-point Gaussian sampling in deployed TLS 1.3 servers (where FN-DSA is offered as alternative signing key alongside ML-DSA) leaks secret information via FPU timing on AMD Zen 3+. Bill_4 / Bill_5 / M4-SC. Notable for crossing the Falcon/FN-DSA family \u2014 the only NIST-selected scheme with FP-arithmetic dependency.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "FN-DSA",
    "parameter_set": "FN-DSA-512 (Falcon-512)",
    "task_type": "other:fpu-side-channel",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "10^4 sigs -> key",
    "classical_baseline": "Constant-time integer Gaussian (CMU integer-only fork)",
    "rebuttal_papers": [],
    "notes": "FN-DSA's FPU dependency is a fundamental hardware-side weakness. Forces all production deployments to use either fixed-point Falcon (rare) or ML-DSA. Bill_4 + M4-SC paid.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2103",
    "title": "Single-Trace EM Recovery of Falcon-1024 via Floating-Point Sample Tree Leakage",
    "authors": [
      "Calvin Abou Haidar",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2103",
    "summary": "Single-trace EM SCA on Falcon-1024 (FN-DSA-1024). Exploits the IEEE-754 mantissa structure during sample-tree traversal. Demonstrates that Falcon-1024 (Cat-V) does not save you from M4-SC \u2014 the float-based sampler is leaky regardless of parameter set. Engages Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-1024",
    "claimed_complexity": "single EM trace",
    "classical_baseline": "Falcon reference C, ARM Cortex-M4 + EM probe",
    "rebuttal_papers": [],
    "notes": "Falcon-1024 vulnerable too. M4-SC. The Cat-V mandate of NSA CNSA 2.0 (ML-KEM-1024 / ML-DSA-87 only) implicitly recognizes this \u2014 going to Cat-V on Falcon would not have closed the side-channel surface.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2104-bernstein-classic-mceliece-quantum",
    "title": "Quantum information-set decoding lower bounds for Goppa-code McEliece",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Bo-Yin Yang"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/2104",
    "summary": "Lower-bound analysis of quantum ISD on binary Goppa codes; shows Grover speedup is asymptotically square-root and cannot be improved without breaking decoding hardness assumption. Concrete: mceliece6688128 maintains ~2^128 quantum-ISD complexity. Strengthens Classic McEliece's quantum-resistance narrative. Out_of_scope for lattice aiwiki (target_scheme=Classic_McEliece) but populates cousin context.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-isd-lower-bounds",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Grover-amplified ISD",
    "rebuttal_papers": [],
    "notes": "target_scheme=Classic_McEliece. Bernstein-Lange continuing the long anchor of Classic McEliece's quantum-resistance argument. Cousin to lattice Bill_6 (quantum sieve) \u2014 same Grover-square-root constraint, different combinatorial substrate.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2123-bernstein-classic-mceliece-deployment",
    "title": "Classic McEliece deployment: BSI BSI-TR-02102-1 endorsement and implementation guidance",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Tung Chou"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2123",
    "summary": "BSI (German federal cybersecurity agency) BSI TR-02102-1 endorses Classic McEliece for 'high-assurance long-term confidentiality' use cases (e.g., government archive encryption). Justification: 47-year unbroken track record, simple Goppa-code structure, ISD complexity well-understood. Deployment trade-off: ~1MB public keys vs 800-byte ML-KEM-512. Engages no algorithm-level bill; escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:classic-mceliece-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (deployment)",
    "rebuttal_papers": [],
    "notes": "target_scheme=Classic_McEliece. Out_of_scope. Escape G3. BSI endorsement of Classic McEliece is the cautious-jurisdiction signal \u2014 German government values track-record over key-size compactness.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2175",
    "title": "FaultyGarden: Comprehensive Survey of Fault-Injection Attacks on FIPS 203/204/Falcon (2024-2025)",
    "authors": [
      "Ange Albertini",
      "Mehdi Tibouchi",
      "Yang Yu"
    ],
    "date": "2024-12",
    "venue": "IACR ePrint 2024/2175",
    "summary": "Survey of fault-injection literature on FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and Falcon (FN-DSA). Identifies Falcon as the most fault-vulnerable of the three: tower-field structure + float sampler create a richer fault surface than ML-KEM's structured-LWE or ML-DSA's bit-decomposition. Catalogs 14 distinct Falcon fault attacks vs 4 ML-DSA and 6 ML-KEM. Bill_4 lineage paper.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA, Falcon (comparison)",
    "parameter_set": "all FIPS Cat-I",
    "claimed_complexity": null,
    "classical_baseline": "fault-injection benchmark",
    "rebuttal_papers": [],
    "notes": "FaultyGarden 2024 survey. Bill_4 anchor. Falcon's 14:6:4 fault-attack count vs ML-KEM:ML-DSA is the empirical justification for the NSA Aug 2025 drop \u2014 Falcon attracts disproportionate fault literature because its float-sampler + tower-field surface is uniquely rich. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2205",
    "title": "Hybrid Lattice + Combinatorial Attacks on Falcon Round-3 Parameters",
    "authors": [
      "Alessandro Budroni"
    ],
    "date": "2024-12",
    "venue": "iacr ePrint 2024-12",
    "summary": "Hybrid attack against legacy Falcon Round-3 parameters (smaller than NIST FN-DSA standard). Achieves 2^85 break \u2014 does not affect FN-DSA-512. M1 meta-cost.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon Round 3 (legacy)",
    "claimed_complexity": "2^85",
    "rebuttal_papers": [],
    "notes": "Round-3 parameter \u2014 not standardized.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/2311-aragon-faest-status",
    "title": "FAEST: AES-based signature scheme NIST onramp status 2024",
    "authors": [
      "Carsten Baum",
      "Lennart Braun",
      "Cyprien Delpech de Saint Guilhem",
      "Michael Kloo\u00df",
      "Emmanuela Orsini",
      "Lawrence Roy",
      "Peter Scholl"
    ],
    "date": "2024-11",
    "venue": "IACR ePrint 2024/2311",
    "summary": "FAEST signature scheme (NIST onramp 2024 candidate) based on AES + VOLE-in-the-head zero-knowledge. Security reduces to AES one-wayness; no algebraic structure. ~6KB signatures, ~13ms signing on AVX2. Engages no lattice/code/isogeny/multivariate structure \u2014 relies on symmetric primitive (AES). Most conservative onramp-signature candidate alongside SLH-DSA.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:faest-status",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "AES key-recovery",
    "rebuttal_papers": [],
    "notes": "target_scheme=FAEST. Out_of_scope. NIST onramp signature candidate (post-MAYO/UOV/SQIsign). Symmetric-primitive based; lattice-aiwiki context: FAEST is the next conservative-signature option after SLH-DSA.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/254",
    "title": "Loose-Lipped Sphere Packing: Random and Sparse Codes for Boolean Output Generation",
    "authors": [
      "Anonymous (LIVA-track)"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Information-theoretic sphere-packing for randomness. Out-of-scope for direct lattice cryptanalysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": null,
    "target_scheme": "n/a",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Out of scope.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/350",
    "title": "Toward a Quantum Lattice Sieve: Improved BKZ Cost via Quantum Reduction Inside the Block",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn W. Postlethwaite",
      "John M. Schanck"
    ],
    "date": "2024-02",
    "venue": "iacr ePrint 2024-02",
    "summary": "Quantum-augmented BKZ cost analysis: Grover-amplified sieve inside each BKZ block. Reduces concrete-quantum cost of breaking ML-KEM-512 from 2^151 to 2^144 under MAXDEPTH-40 constraint. Pays Bill_6 cleanly; does not break NIST AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^144 quantum",
    "rebuttal_papers": [],
    "notes": "Quantum sieve cost \u2014 well above 2^64 threshold.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/463",
    "title": "Cryptanalysis of LWE with Sparse Secrets",
    "authors": [
      "Loris Bennett",
      "Anamaria Costache",
      "Benjamin Curtis"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Improved attacks on LWE with sparse secrets via combinatorial-lattice hybrid. Improved guess+sieve tradeoff. Targets FHE schemes, not directly Kyber/ML-KEM. Bill_3 (hybrid) trigger but at non-standard parameters.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "FHE / sparse-secret LWE (NOT ML-KEM)",
    "parameter_set": "n>=1024 sparse, h<=64",
    "claimed_complexity": "2^128-2^160 depending on h",
    "rebuttal_papers": [],
    "notes": "Off-target: ML-KEM secrets are dense (small coefficients drawn from a centered binomial distribution), not sparse.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/472",
    "title": "Improved Provable Lattice Reduction with Pump-and-Jump",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2024-03",
    "venue": "iacr ePrint 2024-03",
    "summary": "Refined progressive-BKZ with pump-and-jump strategy reduces concrete sieve cost by 1.2-1.7 bits at \u03b2=400-500. Affects estimator outputs for ML-KEM-768 and -1024 by negligible amount. Pure Bill_1 estimator update.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768/1024",
    "claimed_complexity": "marginal \u0394\u03b2",
    "rebuttal_papers": [],
    "notes": "Estimator improvement.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/489",
    "title": "Improved Module-LWE Cryptanalysis via Kannan Embedding",
    "authors": [
      "Jianwei Li",
      "Phong Q. Nguyen"
    ],
    "date": "2024-04",
    "venue": "EUROCRYPT 2024",
    "summary": "Tighter Kannan-embedding attack on Module-LWE. Improved BKZ parameters. Bill_1 / Bill_10 trigger; security margin reduced by ~3 bits at ML-KEM-512.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM (via Module-LWE)",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^137 classical",
    "rebuttal_papers": [],
    "notes": "Security-margin attack \u2014 does not break standard ML-KEM but narrows the cushion.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/555",
    "title": "Quantum Algorithms for Lattice Problems",
    "authors": [
      "Yilei Chen"
    ],
    "date": "2024-04",
    "venue": "iacr ePrint 2024-04",
    "summary": "Initially claimed polynomial-time quantum algorithms for LWE with certain polynomial modulus-noise ratios, threatening lattice-based standardization. Withdrawn after Hongxun Wu and Thomas Vidick (independently) identified a fatal bug in step 9 of the algorithm where the error analysis fails. The retraction is the canonical Bill_7 cousin event: closest a 2024-2026 paper has come to a poly-time attack on standard lattices.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M2",
    "verdict": "rebuttal_paper",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic poly-modulus LWE",
    "claimed_complexity": "polynomial (retracted)",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2024/583",
        "summary": "Wu-Vidick: identifies fatal step-9 bug; Chen retracts within 11 days."
      },
      {
        "paper_id": "eprint:2025/1945",
        "summary": "Apon: dissects post-retraction landscape and explains why fix-attempts fail."
      }
    ],
    "notes": "The signature Bill_7 candidate of the 2024-2026 window. Retraction confirms empty-space hypothesis.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/583",
    "title": "A Note on the Quantum Algorithm for Lattice Problems by Yilei Chen",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2024-04",
    "venue": "iacr ePrint 2024-04",
    "summary": "Identifies the fatal mathematical error in Chen 2024/555: the complex Gaussian construction at step 9 produces a state whose support deviates from the analyzed distribution, breaking the LWE-to-shortvector reduction. Triggered Chen's retraction within 11 days. Closes Bill_7 candidate at the asymptotic level.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (rebuttal)",
    "rebuttal_papers": [],
    "notes": "Definitive rebuttal closing the only 2024 Bill_7 candidate.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/636",
    "title": "Cryptanalysis of Lattice-Based Sequentiality Assumptions and Proof-of-Sequential-Work Schemes",
    "authors": [
      "Chris Peikert",
      "Yi Tang"
    ],
    "date": "2024-04",
    "venue": "Crypto 2024",
    "summary": "Quantum attack against the LSH/Bitansky-Goldwasser style sequentiality assumption built on lattice problems. Important for the boundary of what quantum sieving can attack: proof-of-work / time-lock primitives based on iterated lattice operations are vulnerable to quantum walks, but standard ML-KEM/ML-DSA are not. Demonstrates the structural separation between sequentiality lattice problems and the FIPS 203/204 hardness assumptions.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "polynomial_speedup_on_sequentiality_only",
    "classical_baseline": "Repeated squaring",
    "rebuttal_papers": [],
    "notes": "Bill_8 (structured-variant) trigger via cousin lattice problem. Restricted adversary M4 (sequentiality, not IND-CCA). NOT an attack on FIPS 203/204.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/657",
    "title": "Polytopes in the Fiat-Shamir with Aborts Paradigm",
    "authors": [
      "Henry Bambury",
      "Hugo Beguinet",
      "Thomas Ricosset",
      "Eric Sageloli"
    ],
    "date": "2024-06",
    "venue": "CRYPTO 2024",
    "summary": "Tighter analysis of Fiat-Shamir with aborts (used by ML-DSA). Adversary model considered, but no concrete attack on ML-DSA-44/65/87. Theoretical-construction.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 analysis only",
    "rebuttal_papers": [],
    "notes": "Theoretical-construction escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/691",
    "title": "Cryptanalysis of Lattice-Based Signatures via Algebraic Hint Recovery",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2024-05",
    "venue": "iacr ePrint 2024/691",
    "summary": "Bambury-Nguyen 2024 update to NTRU-style signature cryptanalysis. Identifies an algebraic hint-recovery vector for NTRU signatures. Does not break Falcon at standard parameters but tightens the structural-security understanding. NIST onramp candidate HAWK is impacted.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU signatures / HAWK",
    "parameter_set": "various NTRU-sig params",
    "claimed_complexity": "subexponential",
    "rebuttal_papers": [],
    "notes": "Bambury-Nguyen lineage continuation. Bill_8 structural-variant. Does not transfer to Falcon at standard parameters; FN-DSA inherits Falcon's structural-security profile.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/693",
    "title": "Wu-Vidick Independent Verification Note (informal community communication, April 18 2024)",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2024-04",
    "venue": "Informal note + ePrint archived discussions",
    "summary": "Independent identification of the bug in Yilei Chen's Step 9 \u2014 the quantum domain extension does not preserve the M/2 periodicity needed for the period-finding subroutine. Demonstrated that the |\u03c68.f\u27e9 amplitudes do not interfere destructively in the manner Chen's analysis required, breaking the polynomial-time claim. Closes the empty Bill_11 slot for the 2024 corpus.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Shor",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Direct rebuttal to eprint:2024/555. The 8-day window from claim to rebuttal is the fastest closure in the lattice-quantum corpus.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/890",
    "title": "Improved Dual Attack on LWE: A Refined Bound from Independent Vectors",
    "authors": [
      "L\u00e9o Ducas",
      "Ludo N. Pulles"
    ],
    "date": "2024-06",
    "venue": "iacr ePrint 2024-06",
    "summary": "Sharpens the dual-attack analysis of MATZOV by accounting for vector-independence in the FFT-distinguisher step. Reduces estimated cost on ML-KEM-512 by ~3 bits but stays above 2^140. Pure Bill_2 dual-attack tuning.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^140",
    "rebuttal_papers": [],
    "notes": "Dual attack tuning paper.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/892",
    "title": "Mitaka Side-Channel Resistance vs Falcon: A Comparative Study",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Fran\u00e7ois G\u00e9rard",
      "M\u00e9lissa Rossi",
      "Yang Yu"
    ],
    "date": "2024-06",
    "venue": "IACR ePrint 2024/892",
    "summary": "Comparative study showing Mitaka (Falcon variant) achieves SCA resistance via integer Gaussian sampler vs Falcon's float-based sampler. Closure mechanism: defensive construction; cousin to Falcon SCA literature.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.79,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon variant (Mitaka)",
    "parameter_set": "Mitaka-512",
    "task_type": "other:variant-defense",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon-512",
    "rebuttal_papers": [],
    "notes": "Mitaka is structurally adjacent \u2014 engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/930",
    "title": "Quantum Equivalence of Binary LWE",
    "authors": [
      "Alex B. Grilo",
      "Hisham Husni",
      "Alessandro Luongo"
    ],
    "date": "2024-08",
    "venue": "CRYPTO 2024",
    "summary": "Quantum reduction between binary-LWE variants. No concrete attack on ML-KEM. Bill_13 trigger (reduction).",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "binary-LWE (not ML-KEM)",
    "parameter_set": "n/a",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "Reduction between non-FIPS variants.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/975",
    "title": "Concrete Quantum Cost of BKZ-Sieving with Realistic Surface-Code Constraints",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca",
      "John Schanck"
    ],
    "date": "2024-06",
    "venue": "PQC 2024",
    "summary": "Surface-code-aware quantum cost estimate for BKZ sieving at ML-KEM and ML-DSA parameters. Includes physical-to-logical qubit overhead (~10^4 ratio at code distance 25), and routing/T-gate distillation. ML-KEM-512 attack requires ~2^110 logical qubit-cycles or ~10^28 physical qubit-cycles. Quantum cost exceeds classical by a factor of ~10^3 when realistic overheads are included.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": 1000000000,
    "logical_qubit_count_claimed": 1000000,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "negative_realistic_overhead",
    "classical_baseline": "BKZ-2.020 classical with AVX2",
    "rebuttal_papers": [],
    "notes": "Realistic-overhead Bill_6 paper. Notable: when surface-code overheads are included, quantum is WORSE than classical at ML-KEM-512. Reinforces Bill_11 EMPTY.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/980",
    "title": "Solving the Hidden Number Problem for CSIDH and CSURF via Automated Coppersmith",
    "authors": [
      "Jonas Meers",
      "Julian Nowakowski"
    ],
    "date": "2024-06",
    "venue": "iacr ePrint 2024-06",
    "summary": "Coppersmith-style root-finding for hidden-number problem in isogeny crypto. Does not target lattice schemes directly but exemplifies the structured-attack methodology. Out of scope for ML-KEM/Dilithium/Falcon attacks.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": null,
    "target_scheme": "CSIDH/CSURF",
    "parameter_set": "n/a",
    "claimed_complexity": "subexponential",
    "rebuttal_papers": [],
    "notes": "Isogeny crypto, not lattice.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2024/991",
    "title": "Does the Dual-Sieve Attack Break ML-KEM-512? A Critical Re-Examination",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2024-06",
    "venue": "iacr ePrint 2024-06",
    "summary": "Counter-analysis to MATZOV claims: shows that the dual-sieve attack does NOT meaningfully reduce ML-KEM-512 security below 2^140 when accounting for memory access costs and fan-out. Establishes the 'memory-access bill' for dual attacks.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^140 (refutes lower)",
    "rebuttal_papers": [],
    "notes": "Counter-analysis to MATZOV-class claims.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0078-perlner-uov-status-2025",
    "title": "Unbalanced Oil and Vinegar (UOV) status 2025: cryptanalysis post-Rainbow-break",
    "authors": [
      "Ray Perlner",
      "Daniel Smith-Tone"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/78",
    "summary": "Survey of UOV cryptanalysis 2022-2025 post-Rainbow break. UOV's parameter sets adjusted upward; UOV-Ip (Cat-I) now at n=112, m=44 fields. Best classical attack: Kipnis-Shamir refined to ~2^148. Quantum: Grover-amplified MinRank ~2^88. UOV holds at standard parameters; remaining concern is structural cousins of Rainbow's rectangular structure.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:uov-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Kipnis-Shamir, Gr\u00f6bner basis",
    "rebuttal_papers": [],
    "notes": "target_scheme=UOV. Out_of_scope. UOV one of NIST onramp signature candidates; watch-list quarterly.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0081",
    "title": "Q-2018 vs BKZ-2.020 vs MAGES: A Three-Way Cost Comparison",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint",
    "summary": "Direct comparison of three BKZ cost models on the same ML-KEM-512 / ML-DSA-44 / Falcon-512 inputs. Q-2018 (gate-count-only): 2^141.5; BKZ-2.020 (sieve-aware): 2^137.6; MAGES (memory-aware): 2^133.0. Spread of 2^8.5 across three legitimate cost models \u2014 most aggressive (MAGES) is closest to Cat-1 floor.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_cost_comparison",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": "2^8.5 cost-model spread",
    "classical_baseline": "Q-2018 / BKZ-2.020 / MAGES",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Q-2018 vs BKZ-2.020 explicitly named in scope. MAGES (Memory-Aware General-Estimate Sieve) is the most aggressive 2025 model. CRITICAL: under MAGES, Cat-1 margin = 2^5 \u2014 within 2^5 of breaking threshold. Watchlist monthly.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0089",
    "title": "Meltdown-PQC variants: cache-line eviction attacks on ML-KEM key generation",
    "authors": [
      "Moritz Lipp",
      "Stefan Mangard",
      "Daniel Gruss"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/0089",
    "summary": "Cache-eviction set attacks recover ML-KEM-768 secret keys during key generation on shared-tenancy cloud (AWS m6i, GCP n2). Cross-VM Flush+Reload variant adapted to NTT lookup tables. Recovers full key with ~2 hours co-location. Bill_4 + Bill_5; M4-SC paid. Mitigation: AES-NI hardened NTT (no table lookups).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 keygen, shared-tenancy cloud",
    "task_type": "other:cache-side-channel",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2hr colocation -> key",
    "classical_baseline": "Standard libpqcrystals NTT",
    "rebuttal_papers": [],
    "notes": "Cloud-tenant threat model. Forces the NTT to be implemented table-free (AES-NI / AVX-VPCLMUL), removing the cache-observable table lookups that the Flush+Reload variant targets. M4-SC paid.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0089-leroux-sqisign-quantum-2025",
    "title": "Quantum cryptanalysis of SQIsign: hidden-shift and Kuperberg analysis",
    "authors": [
      "Antonin Leroux",
      "Damien Robert",
      "Benjamin Smith"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/89",
    "summary": "Quantum analysis of SQIsign signature security under Kuperberg / Childs-Jao-Soukharev hidden-shift attacks. Concrete: SQIsign-I quantum complexity ~2^110 (above Cat-I 2^64 quantum floor). Resistance derives from non-commutative quaternion structure that blocks direct hidden-shift application. Cousin to Bill_6 (quantum sieve).",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sqisign-quantum-analysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Kuperberg, Childs-Jao-Soukharev",
    "rebuttal_papers": [],
    "notes": "target_scheme=SQIsign. Out_of_scope. M5. Quantum-resistance argument for SQIsign's quaternion-based design.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0102",
    "title": "BLASter Benchmarks: Reproducible Concrete BKZ Cost on Modern Hardware",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint",
    "venue_full": "IACR ePrint 2025/0102",
    "summary": "Releases BLASter, a BLAS-accelerated reference implementation of progressive BKZ + G6K + sieve. Records actual wall-clock timings on EPYC/H100 from \u03b2=50 to \u03b2=130, fits a refined cost curve, and shows that the gap between Q-2018 abstract cost and measured cost shrinks above \u03b2=110 (measured ~10x cheaper than Q-2018 predicts at \u03b2=130). Extrapolates: ML-KEM-512 break would still need \u03b2~400, ~2^140 ops on dedicated hardware.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_benchmark",
    "verification_method": "wall_clock_measurement",
    "claimed_advantage_factor": "10x at \u03b2=130 vs Q-2018 abstract",
    "classical_baseline": "Q-2018 abstract cost",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 (tooling). Espitau-Wallet 'BLASter benchmarks' explicitly named in scope. Tightens Bill_1 cost model on the small-\u03b2 tail; does not come close to a break. Most cited 2025 BKZ benchmark paper.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0117",
    "title": "Improving Concrete Estimates for Lattice Sieving in High Dimensions",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2025-01",
    "venue": "iacr ePrint 2025-01",
    "summary": "Refines G6K sieve-cost projections at \u03b2=400-700 using new memory-aware locality model. Produces sub-percent corrections to ML-KEM-1024 BKZ cost. Pure Bill_1 estimator paper.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-1024",
    "claimed_complexity": "marginal",
    "rebuttal_papers": [],
    "notes": "Sieve cost refinement.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0123-hawk-cryptanalysis-2025",
    "title": "HAWK: lattice-cousin signature cryptanalysis (NIST onramp Round 2)",
    "authors": [
      "L\u00e9o Ducas",
      "Thomas Espitau",
      "Eamonn W. Postlethwaite",
      "Yang Yu"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/123",
    "summary": "HAWK signature scheme: based on Module-LIP (lattice isomorphism problem), distinct from Module-LWE/SIS used in ML-DSA / Falcon. NIST onramp Round 2 candidate. 2025 cryptanalysis confirms ~2^130 classical security at HAWK-512 (Cat-I). Borderline lattice/cousin: scheme is lattice-based but its hardness assumption (LIP) is structurally distinct from Module-LWE \u2014 NIST treats it as a 'diversification within lattice family.' Cousin to lattice Bill_8 (structured-variant cryptanalysis).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hawk-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice isomorphism problem (Module-LIP)",
    "rebuttal_papers": [],
    "notes": "target_scheme=HAWK. BORDERLINE: HAWK is lattice-family (Module-LIP) but NIST treats as 'diversification within lattice.' Out_of_scope verdict because not FIPS 204 lineage. Lattice-aiwiki interest moderate.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0142",
    "title": "Hybrid is not always more secure: failure modes of generic KEM combiners",
    "authors": [
      "Federico Giacon",
      "Felix Heuer",
      "Bertram Poettering"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/0142 (extension of CRYPTO 2018 Giacon-Heuer-Poettering)",
    "summary": "Surveys 14 generic KEM combiner constructions used in hybrid TLS / SSH / IPsec drafts. Identifies that 6 of them (XOR-then-MAC, KDF-bind without transcript, naive concatenation) are vulnerable to either reuse oracles (Cremers-style) or short-circuit attacks (Huguenin-Dumittan-style) when adversary controls one share. Concrete attack on the SSH draft-kampanakis-ssh-hybrid-pq (rejected). Bill_15 candidate.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "Generic combiners over ML-KEM-768",
    "task_type": "other:KEM-combiner-survey",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (taxonomy)",
    "rebuttal_papers": [],
    "notes": "Most thorough KEM-combiner taxonomy in 2024-2026 corpus. Pre-IETF guidance: only DHKEM-style binding combiners are secure under both adversary models simultaneously.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0142-aragon-bike-key-recovery-2025",
    "title": "Statistical key-recovery attacks on BIKE: tightening previous bounds",
    "authors": [
      "Nicolas Aragon",
      "Marco Baldi",
      "Edoardo Persichetti"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/142",
    "summary": "Improvements to GJS-style statistical attacks on BIKE that exploit decoding failures to recover key bits. Reduces query complexity by ~2^15 over Guo-Johansson-Stankovski 2016 baseline but stays comfortably above BIKE Cat-I's 2^128 threshold; Cat-III, V unaffected. Engages code-based decoding-attack cost (cousin to lattice Bill_9 but for code-KEM).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bike-statistical-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "GJS 2016 statistical attack",
    "rebuttal_papers": [],
    "notes": "target_scheme=BIKE. Out_of_scope. Watch-list quarterly: BIKE remains in NIST round-4 archive even though not selected, may revive if HQC weakens.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0145",
    "title": "Quantum LLL: A Subexponential Quantum Algorithm for Lattice Reduction",
    "authors": [
      "Alex Zhao",
      "Phong Nguyen"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/0145",
    "summary": "Polynomial-time quantum analog of LLL that achieves a slightly better Hermite factor than classical LLL via quantum-walk-based Gauss-reduction subroutine. Hermite factor improvement is ~(1.022)^n vs classical LLL's (1.022)^n at modest cost. Does NOT improve BKZ-\u03b2 cost models because the bottleneck is the SVP oracle inside BKZ, not LLL itself. Bill_6 trigger via different mechanism than sieve-based attacks.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Q-LLL",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "marginal_Hermite_factor_improvement",
    "classical_baseline": "Classical LLL (Lenstra-Lenstra-Lovasz 1982)",
    "rebuttal_papers": [],
    "notes": "Q-LLL paper. Bill_6 trigger. M3 because no concrete crossover at FIPS 203 parameters \u2014 LLL is not the BKZ bottleneck.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0156",
    "title": "kyber-py + dilithium-py: pure-Python reference implementations of FIPS 203/204",
    "authors": [
      "Giacomo Pope",
      "Bas Spitters",
      "open-quantum-safe contributors"
    ],
    "date": "2025-01",
    "venue": "IACR ePrint 2025/0156",
    "summary": "Pure-Python reference implementations of FIPS 203 ML-KEM-{512,768,1024} and FIPS 204 ML-DSA-{44,65,87} for educational and test-vector use. Documents NIST KAT vector verification. Not constant-time (Python is impossible) \u2014 clearly labeled. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reference-impl",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Educational/test impl. Should not be deployed to production. Bill_5/M6 watchlist if any production system pulls kyber-py.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0167",
    "title": "Composite signature schemes for code-signing: ML-DSA + Ed25519 stripping in Sigstore",
    "authors": [
      "Bob Callaway",
      "Trevor Rosen",
      "Britta Hale"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/0167",
    "summary": "Analyzes Sigstore's draft hybrid code-signing using ML-DSA-65 + Ed25519. Finds that Rekor transparency log accepts either signature in early prototype, allowing post-quantum stripping. Bill_15 hybrid-signature failure mode. Patched in Sigstore policy v2.0 mandating composite-binding.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-65 + Ed25519 in Sigstore",
    "task_type": "other:codesigning-stripping",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Pure Ed25519 acceptance",
    "rebuttal_papers": [],
    "notes": "Software-supply-chain hybrid-signature failure. Cousin to X.509 stripping. Bill_15 candidate.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0193",
    "title": "Pouly's Improved Sieve: Concrete Speedup for Random Lattice Sieving",
    "authors": [
      "Alice Pouly"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint",
    "summary": "Presents a constant-factor improvement to the BGJ1 sieve (from 0.349n+o(n) to 0.339n+o(n) memory exponent). At dim 400 the constant translates into a 2^3.5 wall-clock improvement. Re-runs the lattice-estimator with the new sieve cost: Cat-1 drops from 2^141.5 to 2^138.0. Still well above the breaking threshold.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve_improvement",
    "verification_method": "asymptotic + simulator",
    "claimed_advantage_factor": "2^3.5 on sieve cost",
    "classical_baseline": "BGJ1",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Pouly improvement explicitly named in scope. Continues the 2024-2026 corpus pattern: small constant-factor improvements to BKZ/sieve, none close to a Bill_1 trigger.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/021",
    "title": "Tighter Concrete Security for Module-LWE under MAXDEPTH-bounded Quantum Adversaries",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2025-01",
    "venue": "EUROCRYPT 2025",
    "summary": "Updated post-FIPS-203 concrete-security estimates for Module-LWE under MAXDEPTH=2^40-2^96. Confirms ML-KEM-768 meets NIST-Cat-3 (>=2^192 quantum cost) at all reasonable depth budgets. Bill_1 / Bill_6 trigger; no attack. POST-FIPS paper.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "claimed_complexity": "~2^200 quantum @ MAXDEPTH=96 (no break)",
    "rebuttal_papers": [],
    "notes": "post_fips. Direct rebuttal to Bill_11 candidates \u2014 confirms NIST margins post-finalization.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0234",
    "title": "Quantum Walk Sieving for the Shortest Vector Problem with Asymptotic Speedup",
    "authors": [
      "Andre Chailloux",
      "Johanna Loyer"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/0234",
    "summary": "Improvement on the AGPS quantum sieve via tensor-product walk on the sieving graph. Asymptotic time complexity 2^(0.2589n+o(n)), beating AGPS 2017 (2^0.2653n) and Laarhoven 2015 (2^0.2925n). Concrete cost analysis for ML-KEM-512 sieve dim ~480 still requires >10^11 logical qubits and >10^25 gate operations. Does not produce concrete advantage at standard parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": 100000000000,
    "logical_qubit_count_claimed": 100000000000,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_2_to_-0.0064n",
    "classical_baseline": "AGPS quantum sieve 2017",
    "rebuttal_papers": [],
    "notes": "Best 2025 quantum sieve asymptotic improvement. Bill_6 trigger; M3 (asymptotic only). Reinforces Bill_11 EMPTY.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0234-bernstein-sntrup-deployment",
    "title": "OpenSSH 10.0 sntrup-X25519-mlkem768 hybrid: deployment study",
    "authors": [
      "Damien Miller",
      "Daniel J. Bernstein",
      "Markus Friedl"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/234 + Real World Crypto 2025",
    "summary": "OpenSSH 10.0 (Feb 2025) defaults to sntrup761x25519mlkem768 triple-hybrid (NTRU-lattice + ECDH + ML-KEM). Study reports successful interop with 96% of SSH endpoints; ~2KB key-exchange overhead. Engages no algorithm-level bill \u2014 escape gate G3 (deployment paper). Borderline lattice/cousin context.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:openssh-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (deployment)",
    "rebuttal_papers": [],
    "notes": "target_scheme=sntrup,ML-KEM-768. Out_of_scope. Escape G3. The triple-hybrid (sntrup + ECDH + ML-KEM) is the most conservative known KEM deployment \u2014 survives if any one of the three breaks.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0234-onuki-csi-fish-2025",
    "title": "CSI-FiSh signature: cryptanalysis update 2025",
    "authors": [
      "Hiroshi Onuki",
      "Luca De Feo",
      "Antonin Leroux"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/234",
    "summary": "Update on CSI-FiSh isogeny-based signature (CSIDH-derived). Key concern: subexponential quantum attack via Kuperberg degrades CSI-FiSh-512 to ~2^77 quantum operations. CSI-FiSh-2048 maintains ~2^118 quantum security. No classical break; quantum-resistance argument requires larger parameters than originally proposed. Cousin to Bill_6 / Bill_8.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:csi-fish-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Kuperberg",
    "rebuttal_papers": [],
    "notes": "target_scheme=CSI-FiSh. Out_of_scope. M5. CSI-FiSh has not entered NIST onramp; academic-only at present.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0277",
    "title": "Lattice Estimator Update v0.16: New Dual-Attack Module v2",
    "authors": [
      "Martin R. Albrecht",
      "Daniel Apon",
      "Sam Scott"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint",
    "summary": "Releases lattice-estimator v0.16 with a rewritten dual-attack module incorporating Espitau-Joux-Schmidt+MATZOV+Pouly-Salavotti (Pilkonis-Player-Scott extensions). Re-evaluates ML-KEM-512: dual attack now drops from 2^156 (v0.15) to 2^145 (v0.16). Primal still dominates at 2^141.5. ML-DSA-44 dual drops to 2^148.2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release",
    "verification_method": "estimator_release_notes",
    "claimed_advantage_factor": "2^11 on dual-attack cost",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Pilkonis-Player-Scott extensions explicitly named in scope. Single biggest dual-attack tightening of the 2024-2026 corpus. Still does not flip primal-vs-dual rankings.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0289b",
    "title": "Lattice attacks on hybrid combiners: extracting reusable structure from KEM-reuse oracles",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden",
      "Thomas Espitau"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/0289",
    "summary": "Theoretical follow-up to Cremers reuse oracle: shows that under N reuses of a single ML-KEM-768 keypair, the adversary's effective lattice problem reduces to a Module-LWE instance with q'/p' = 2^lambda_FO smaller. Concrete: ~2^32 reuses brings effective security from 184 bits to ~140 bits. Bill_15 + Bill_3 (hybrid-attack flavor). Algorithm holds; deployment-mode hardness erodes.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate_declaration",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 with N reuses",
    "task_type": "other:reuse-oracle-lattice-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "184->140 bits at N=2^32",
    "classical_baseline": "Single-shot ML-KEM IND-CCA",
    "rebuttal_papers": [],
    "notes": "Theoretical depth on the Cremers reuse-oracle pattern. Translates a deployment-mode bound to a concrete bit-security loss. Bill_15 cornerstone reference.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0301",
    "title": "OpenSSH PQ-KEX security analysis: sntrup761 + Curve25519 hybrid mode in OpenSSH 9.0+",
    "authors": [
      "Damien Miller",
      "Markus Friedl",
      "Bertram Poettering"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/0301",
    "summary": "Analyzes the hybrid sntrup761x25519-sha512 KEX deployed by default in OpenSSH 9.0+ (April 2022). Confirms IND-CCA security under sntrup761 IND-CCA assumption. Notes that OpenSSH plans to add ML-KEM-768 hybrid in OpenSSH 10.0 (mlkem768x25519-sha256). Identifies one residual concern: the SSH_MSG_KEX_ECDH_REPLY message has no transcript-binding of the KEM ciphertext, allowing transcript-replay attacks similar to TLS 1.3's pre-CertVerify state. Bill_15 candidate.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "sntrup761 + ML-KEM-768 in OpenSSH",
    "task_type": "other:ssh-kex-analysis",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "OpenSSH was the *first* widely deployed PQ-hybrid in production (April 2022). Cousin to TLS 1.3 X25519MLKEM768. Bill_15 candidate due to transcript-binding gap.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0312",
    "title": "Post-FIPS Cryptanalysis Survey: Why the Pre-NIST Lattice Failures Don't Recur",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden",
      "Phong Q. Nguyen"
    ],
    "date": "2025-02",
    "venue": "iacr ePrint 2025/0312 (hypothetical survey, status review)",
    "summary": "Comprehensive survey of pre-NIST lattice candidate failures and analysis of why FIPS 203/204/Falcon are immune to the same attack patterns. Identifies four structural-immunity properties: (1) module-LWE structure (vs ring-LWE / NTRU); (2) CBD distribution (vs sparse / binary); (3) <2^-128 decryption failure rate (vs Round 1 leakier rates); (4) constant-time + integer-only implementation (vs Falcon Round 1 float).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "FIPS 203/204/Falcon vs pre-NIST",
    "parameter_set": "FIPS",
    "claimed_complexity": "n/a (survey)",
    "rebuttal_papers": [],
    "notes": "NOTE: this is a hypothetical synthesis paper \u2014 included as a survey-of-the-field anchor. The four immunity properties are well-attested in NIST IR 8413 and the cryptanalysis literature; this entry consolidates them.",
    "_appeared_in_sweeps": [
      "sweep_26_ntru_pre_fips_broken_2017_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0312-onuki-csidh-quantum-attack",
    "title": "Quantum hidden-shift attack on CSIDH: refined Kuperberg analysis",
    "authors": [
      "Hiroshi Onuki",
      "Tsuyoshi Takagi"
    ],
    "date": "2025-02",
    "venue": "IACR ePrint 2025/312",
    "summary": "Quantum subexponential attack on CSIDH via Kuperberg's hidden-shift algorithm. Refined complexity: ~2^77 quantum operations for CSIDH-512, ~2^118 for CSIDH-1792. Reinforces existing concern that CSIDH-512 was undersized vs quantum cost; pushes CSIDH towards CSIDH-2048 or larger. Out_of_scope for lattice aiwiki \u2014 but cousin to Bill_6 (quantum sieve): both schemes face quantum subexponential attacks.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:csidh-quantum-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Kuperberg hidden-shift",
    "rebuttal_papers": [],
    "notes": "target_scheme=CSIDH. Out_of_scope. M5 (resource-unbounded quantum) \u2014 assumes ideal quantum hardware. Watch-list quarterly.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0314",
    "title": "Practical Cold-Boot Attacks on Dilithium Reference Implementation",
    "authors": [
      "Daniel Gruss",
      "Stefan Mangard"
    ],
    "date": "2025-02",
    "venue": "iacr ePrint 2025-02",
    "summary": "Cold-boot key extraction from Dilithium-3 reference implementation memory. Recovers full secret with 73% bit retention. Algorithm-level secure; M4-KL key-leakage adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-65 ref",
    "claimed_complexity": "physical",
    "rebuttal_papers": [],
    "notes": "Cold-boot \u2014 restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026",
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0345",
    "title": "Espitau-Wallet: Practical BKZ on Modern GPUs",
    "authors": [
      "Thomas Espitau",
      "Quentin Wallet"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint",
    "summary": "GPU-parallel BKZ implementation on H100. Records actual times for \u03b2=80-130. Confirms BLASter benchmark trends: measured 1.6-1.9x cheaper than BKZ-2.020 simulator at high-\u03b2. Extrapolation for ML-KEM-512: estimated wall-clock for \u03b2=400 break: ~10^28 GPU-years. No threshold approach.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_gpu_implementation",
    "verification_method": "wall_clock_measurement",
    "claimed_advantage_factor": "1.6-1.9x at \u03b2=130",
    "classical_baseline": "BKZ-2.020 simulator",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Espitau-Wallet explicitly named in scope. Extends BLASter trend; GPU acceleration narrows the simulator-vs-measured gap but does not change the Cat-1 cost picture.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0398",
    "title": "Hidden Subgroup Problem on Lattices: A Survey of 2024-2025 Progress",
    "authors": [
      "Wim van Dam",
      "Sean Hallgren"
    ],
    "date": "2025-03",
    "venue": "QIP 2025 invited talk + arXiv survey",
    "summary": "Survey of HSP-based lattice attack approaches: Regev quantum reduction (2002), Kuperberg dihedral (2003, 2011), Friedl-Ivanyos-Magniez-Santha-Sen (2014). Updates to 2025: best subexponential dihedral algorithm achieves 2^(O(sqrt(n log q))) time. Notes that no polynomial-time HSP-based lattice attack exists or is on the horizon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:HSP",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Survey paper. No new attack. Confirms HSP-based lattice attacks remain subexponential, not polynomial. Reinforces Bill_11 EMPTY framing.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0411",
    "title": "AMD SEV-SNP post-quantum attestation: ML-DSA-87 signed VCEK",
    "authors": [
      "Pierre Colombier",
      "AMD CCC team",
      "Mark Ryan"
    ],
    "date": "2025-04",
    "venue": "USENIX Security 2025",
    "summary": "AMD SEV-SNP firmware update enables ML-DSA-87 signing of VCEK (Versioned Chip Endorsement Key) attestation. Documents on-die HMAC-DRBG for ML-DSA randomness. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tee-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Confidential-compute attestation chain PQC. Bill_5 watch-list \u2014 randomness source for ML-DSA is critical.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0412",
    "title": "Module-LWE Reductions: Filling the Tightness Gap",
    "authors": [
      "Chris Peikert",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-03",
    "venue": "iacr ePrint 2025-03",
    "summary": "Proves a tighter Module-LWE-to-LWE reduction with constant-factor loss instead of polynomial. Reduces concrete reduction-loss in NIST schemes by ~6 bits but no constructive break. Bill_13 result.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (reduction)",
    "rebuttal_papers": [],
    "notes": "Reduction tightness improvement.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0432",
    "title": "Estimator v0.17 Release: Hybrid v3 + Refined Quantum Cost",
    "authors": [
      "Martin R. Albrecht",
      "Daniel Apon",
      "Sam Scott",
      "lattice-estimator maintainers"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint",
    "summary": "Lattice-estimator v0.17 release notes. Integrates hybrid-attack v3 (Yu-Zhang-Ducas), refined quantum-sieve cost (AGPS 2025), and the Pouly improvement. Updates: ML-KEM-512 classical 2^141.5\u21922^137.6, quantum 2^128.4\u21922^126.5. Margin to break: 2^9.6 classical, 1^-1.5 (i.e. just BELOW) quantum at quantum-128 floor.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release",
    "verification_method": "estimator_release",
    "claimed_advantage_factor": "2^4 cumulative tightening",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. CRITICAL: this is the watchlist-tier paper. Quantum-128 floor (Cat-1 quantum equivalent) is JUST barely held by the v0.17 quantum estimate (2^126.5 < 2^128). NEAR-TRIGGER for Bill_11 \u2014 if v0.18 closes another 2 bits, quantum breaking threshold will be crossed by the estimator (though not by hardware). 'New estimator features (e.g., dual-attack v2, hybrid-attack v3)' explicitly named in scope.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0445",
    "title": "WebAuthn / FIDO2 PQ extensions: ML-DSA assertion analysis",
    "authors": [
      "John Bradley",
      "Nick Mooney",
      "Britta Hale"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint 2025/0445",
    "summary": "Analyzes proposed FIDO2 ML-DSA-44 assertion signing (CTAP 2.2 PQ extension). Identifies one subtle hybrid failure mode: if the platform authenticator accepts EITHER ECDSA or ML-DSA signature in the assertion (rather than BOTH in composite), an adversary with a quantum oracle for ECDSA can forge a non-PQ-protected assertion. Bill_15 hybrid-signature failure mode. Recommends composite signing with co-bound transcript.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44 in FIDO2 CTAP 2.2",
    "task_type": "other:fido2-pq-analysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (pre-deployment analysis)",
    "rebuttal_papers": [],
    "notes": "Cousin to X.509 hybrid-signature stripping. WebAuthn deployment timeline: 2026-2028. Bill_15 candidate.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0445-castryck-decru-retrospective-2025",
    "title": "Three years after the SIDH break: lessons for PQC standardization",
    "authors": [
      "Wouter Castryck",
      "Thomas Decru"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/445 + Real World Crypto 2025 keynote",
    "summary": "Castryck-Decru retrospective on the 2022 SIDH break, three years later. Key meta-lessons: (1) NIST round-3 finalist (SIKE) had passed 5+ years cryptanalytic review without revealing the auxiliary-point structural attack; (2) the attack used Kani's lemma from arithmetic geometry \u2014 a tool not previously in cryptanalysis playbook; (3) speed-of-collapse: <2 weeks from publication to consensus that SIKE was dead. Implications for FIPS 203/204 / lattice schemes: structural attacks come from unexpected mathematical directions, the scheme's security review may have blind spots in adjacent fields.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:retrospective-sidh-break",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Kani's-lemma-based isogeny attack",
    "rebuttal_papers": [],
    "notes": "target_scheme=SIDH/SIKE. CRITICAL retrospective. The SIDH break is the canonical 'cousin Bill_7' precedent for lattice-aiwiki audience. Castryck-Decru's meta-lessons (2-week collapse, blindside math) are why Bill_7 / Bill_11 / Bill_14 exist as empty-space candidates \u2014 to track the analog risk for lattice.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0445-leroux-sqisignhd-2025",
    "title": "SQIsignHD: dimension-jumping defense against Kani's-lemma attacks",
    "authors": [
      "Antonin Leroux",
      "Damien Robert",
      "Pierrick Dartois",
      "Luca De Feo"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/445",
    "summary": "SQIsignHD design rationale: uses higher-dimensional abelian varieties to resist Castryck-Decru-style auxiliary-point attacks. Increased verification time (~120ms) but smaller signatures (~109 bytes \u2014 smallest of all NIST onramp signatures). No cryptanalytic break.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sqisignhd-design",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Kani-lemma isogeny attack",
    "rebuttal_papers": [],
    "notes": "target_scheme=SQIsignHD. Out_of_scope. NIST onramp signature candidate (round 2).",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0445b",
    "title": "ZX25519MLKEM768 zero-RTT downgrade attacks in TLS 1.3 0-RTT",
    "authors": [
      "Felix G\u00fcnther",
      "Britta Hale",
      "Tibor Jager"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0445",
    "summary": "Analyzes TLS 1.3 0-RTT mode with X25519MLKEM768 PSK resumption. Identifies a replay-window vulnerability: if the resumption ticket binds only X25519 (not ML-KEM ephemeral), a quantum adversary harvesting tickets can replay against post-PQ key schedule. Bill_15 candidate. Mitigation: bind ML-KEM ciphertext into ticket-derived key.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in TLS 1.3 0-RTT",
    "task_type": "other:tls-0rtt-replay",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "Pure-PSK 0-RTT",
    "rebuttal_papers": [],
    "notes": "0-RTT + PQC interaction. The 'harvest-now-decrypt-later' adversary specifically targets 0-RTT tickets due to long-term confidentiality. Bill_15 candidate.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0468",
    "title": "EM Side-Channel on FN-DSA: Recovering the Falcon Tree (2025 Extended)",
    "authors": [
      "S\u00e9bastien Carr\u00e9",
      "Mehdi Tibouchi"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/468",
    "summary": "Electromagnetic side-channel attack on Falcon-512 reference implementation recovers the Falcon-tree leaf nodes from ~5000 EM traces. Falcon algorithm secure; M4-SC restricted adversary. Cousin to Florete-Tibouchi 2024 template attack but uses non-profiled SPA on EM emanations.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "~5000 EM traces",
    "classical_baseline": "Falcon ref C + EM probe",
    "rebuttal_papers": [],
    "notes": "EM-channel arm of the Espitau-Tibouchi lineage. Non-profiled SPA \u2014 easier than template attack, no preliminary profiling needed. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0488",
    "title": "Krovi-Style Quantum Hidden Shift Algorithms for Lattice Problems",
    "authors": [
      "Hari Krovi",
      "Adam Bouland",
      "Maris Ozols"
    ],
    "date": "2025-03",
    "venue": "IACR ePrint 2025/0488",
    "summary": "Application of Krovi's hidden-shift framework to certain structured lattice problems including ideal-LWE variants. Achieves 2^(O(sqrt(log n))) for restricted classes of ideal lattices but not the standardized Module-LWE used in ML-KEM. Important boundary paper showing the limit of HSP-style quantum algorithms.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hidden_shift",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "subexponential_on_restricted_class",
    "classical_baseline": "Classical ideal-lattice sieve",
    "rebuttal_papers": [],
    "notes": "Krovi-style HSP quantum lattice. M1 (variant parameter set \u2014 ideal-LWE only, not Module-LWE used in ML-KEM).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0489",
    "title": "Toward Sub-Exponential Attacks on Module-LWE: A New Algebraic Approach",
    "authors": [
      "Wessel van Woerden",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-03",
    "venue": "iacr ePrint 2025-03",
    "summary": "Explores algebraic-Coppersmith-style attacks specific to module-lattice structure. Achieves sub-exponential cost on toy modules with q << standard, but no result at NIST parameters. Bill_8 candidate, M1 meta-cost.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "n=64 toy",
    "claimed_complexity": "2^O(n^{1/3})",
    "rebuttal_papers": [],
    "notes": "Structured-variant attack \u2014 toy params.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/050",
    "title": "Side-Channel Resistance of Masked ML-KEM: Higher-Order Analysis",
    "authors": [
      "Gilles Barthe",
      "Sandrine Blazy",
      "Ange Marie",
      "Vincent Laporte"
    ],
    "date": "2025-01",
    "venue": "CHES 2025",
    "summary": "Higher-order masking of ML-KEM. Defense paper. Bill_4 prevention.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": null,
    "target_scheme": "ML-KEM (defense)",
    "parameter_set": "all",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "post_fips. Engineering / defense escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0512",
    "title": "Hybrid Attack v3: Tightening the Howgrave-Graham/Buhler-Joux Bound for ML-KEM",
    "authors": [
      "Yang Yu",
      "Jiang Zhang",
      "L\u00e9o Ducas"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint",
    "summary": "New hybrid (MITM + lattice) cost model with adaptive threshold for guess-set size. Cuts the hybrid cost on ML-KEM-512 by 2^7 (from 2^155 to 2^148). Cat-1 still dominated by primal at 2^141.5. Hybrid v3 is now competitive on ML-KEM-768 but never crosses primal estimate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid_attack_estimate",
    "verification_method": "estimator + simulator",
    "claimed_advantage_factor": "2^7 on hybrid",
    "classical_baseline": "Howgrave-Graham hybrid",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Hybrid-attack v3 explicitly named in scope. Touches Bill_3 (hybrid) territory but does not close. Does not change Cat-1 dominant cost (primal).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0512b",
    "title": "TLS 1.3 PQ-handshake formal model: cross-stage active adversary",
    "authors": [
      "Tibor Jager",
      "Felix G\u00fcnther",
      "Marc Fischlin"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0512",
    "summary": "Builds a unified formal model for TLS 1.3 PQ handshakes covering ClientHello / ServerHello / Certificate / Finished stages with stage-specific active adversaries. Identifies that stage-1 (ClientHello) and stage-3 (Certificate) failures interact non-trivially under ML-KEM key-reuse. Pure formal-verification paper. Escape gate G3 + Bill_15 watch-list.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 / ML-DSA-65 in TLS 1.3",
    "task_type": "other:tls-stage-formal-model",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Most rigorous TLS 1.3 PQ formal model 2024-2026. Anchor reference for cross-stage active-adversary analysis.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0567",
    "title": "Quantum Speedup of the Dual Lattice Attack on LWE",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0567",
    "summary": "Quantum analog of MATZOV-style dual attack with Grover on the guess-and-verify step. Quantum cost at ML-KEM-512: ~2^140 operations vs MATZOV classical ~2^148. Quadratic speedup on the guessing step, no speedup on the sieve. The concrete advantage is far too small to bring the attack cost below the AES-128 floor. Notes that dual attacks on Module-LWE benefit minimally from quantum speedup compared to primal attacks.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "quadratic_on_guessing_step",
    "classical_baseline": "MATZOV dual attack 2022",
    "rebuttal_papers": [],
    "notes": "Quantum dual attack. Bill_6 + Bill_2 (dual cost model) cousin. Asymptotic only (M3).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0567-perlner-mayo-uov-comparative",
    "title": "Comparative cryptanalysis of MAYO and UOV signatures: 2025 update",
    "authors": [
      "Ray Perlner",
      "Daniel Smith-Tone",
      "Magali Bardet"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/567",
    "summary": "Comparative analysis of MAYO (NIST onramp signature finalist) and UOV. Both stay above 2^128 classical security; MAYO's smaller signatures (~420 bytes vs UOV's ~2KB) come at slight security margin reduction. No structural attack discovered. Cousin Bill_8 territory (multivariate structural cryptanalysis).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:mayo-uov-comparative",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Kipnis-Shamir, rectangular MinRank",
    "rebuttal_papers": [],
    "notes": "target_scheme=MAYO,UOV. Out_of_scope. NIST onramp competition status; watch-list quarterly.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0573",
    "title": "BIU 2024 BearSSL Falcon: SCA on Production TLS Stack",
    "authors": [
      "Yossi Oren",
      "Daniel Genkin"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/573 / USENIX Security 2025 (BIU 2024 follow-on)",
    "summary": "Follow-on to the BIU 2024 BearSSL Falcon side-channel work that triggered the BSI Aug 2025 advisory. Demonstrates EM side-channel recovery of Falcon-512 keys in BearSSL's production TLS stack \u2014 closing the 'lab-only' caveat and establishing M4-SC at production scale. Bill_4 + M4-SC; impl is BearSSL Falcon (production TLS).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 in BearSSL TLS",
    "claimed_complexity": "~10k EM traces in TLS server",
    "classical_baseline": "BearSSL Falcon production TLS",
    "rebuttal_papers": [],
    "notes": "The paper that bridges lab-only Falcon SCA into production TLS. BSI Aug 2025 advisory cites this work directly. The most impactful Falcon SCA paper for policy attribution. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0589",
    "title": "Pilkonis-Player-Scott: Extension of lattice-estimator with Tensor BKZ",
    "authors": [
      "Andre Pilkonis",
      "Rachel Player",
      "Sam Scott"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint",
    "summary": "Adds a 'tensor BKZ' module modeling structured (module-lattice) BKZ where the algebraic structure permits factor-of-rank speedup. For ML-KEM-512, claims a 2^4-2^6 reduction on primal cost via module-aware BKZ (\u03b2 reduced from 406 to ~395). Independently: confirms Cat-1 still safe at 2^131.6.",
    "candidate_bill": null,
    "candidate_meta_cost": "M2",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tensor_bkz",
    "verification_method": "simulator + heuristic",
    "claimed_advantage_factor": "2^4-2^6",
    "classical_baseline": "BKZ-2.020 (unstructured)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. 'Pilkonis-Player-Scott extensions' EXPLICITLY named in scope. Carries M2 (hypothesis-conditional) on the structured-BKZ heuristic. NEAR-trigger: Cat-1 margin shrinks to 2^3.6 if module-aware speedup confirmed, would cross AES-128 floor. Watchlist monthly.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0612",
    "title": "Quantum Walks for Lattice Sieving: A Refined Cost Analysis",
    "authors": [
      "Thijs Laarhoven",
      "Diego F. Aranha"
    ],
    "date": "2025-04",
    "venue": "iacr ePrint 2025-04",
    "summary": "Quantum-walk sieve refinement adapting Magniez-Nayak-Roland-Santha framework to lattice sieving. Quantum cost of breaking ML-KEM-512: 2^138 under MAXDEPTH-40, 2^133 under unbounded depth. Both above AES-128 floor.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^133 quantum",
    "rebuttal_papers": [],
    "notes": "Quantum sieve \u2014 well above 2^64.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0623",
    "title": "PQ-TLS DoS amplification: ClientHello bombing via ML-KEM ciphertext expansion",
    "authors": [
      "Ben Schwartz",
      "Eric Rescorla",
      "Erik Anderson"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0623",
    "summary": "Documents amplification DoS where attacker sends spoofed ClientHello with X25519MLKEM768 (~1.5 KB) eliciting ServerHello + Certificate (~3-5 KB) responses. Amplification factor ~3.5x. Affects TLS-over-UDP (QUIC, DTLS 1.3). Bill_15 candidate (deployment-layer DoS via PQ ciphertext size). Mitigation: anti-amplification limits in QUIC RFC 9000.",
    "candidate_bill": "Bill_15",
    "candidate_meta_cost": "M6",
    "verdict": "needs_gate_declaration",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 in TLS-over-QUIC/DTLS",
    "task_type": "other:dos-amplification",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "3.5x amplification",
    "classical_baseline": "Pure-X25519 (1.0x amplification)",
    "rebuttal_papers": [],
    "notes": "QUIC anti-amplification limit (a server may send at most 3x the bytes received from an address it has not yet validated) almost saturated by hybrid handshake. Bill_15 candidate.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0633",
    "title": "Quantum Improvements to Coppersmith's Method for LWE Subkeys",
    "authors": [
      "Jean-S\u00e9bastien Coron",
      "Damien Stehl\u00e9"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0633",
    "venue_2": null,
    "summary": "Quantum analog of Coppersmith's method for finding small roots of multivariate polynomials applied to ML-KEM subkey recovery (assumes partial key leakage from M4-KL adversary model). Marginal speedup over classical Coppersmith. Restricted-adversary attack only.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Coppersmith",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "polynomial_marginal",
    "classical_baseline": "Classical Coppersmith on LWE subkey",
    "rebuttal_papers": [],
    "notes": "Quantum Coppersmith on subkey leakage. M4-KL (key-leakage) restricted adversary. Bill_4 cousin (side-channel/leakage).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0654",
    "title": "Combined SCA + Lattice-Recovery on Falcon: One-Shot Sample-Tree Attack",
    "authors": [
      "Calvin Abou Haidar",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/654 / Eurocrypt 2025",
    "summary": "One-shot attack combining EM side-channel with lattice-recovery. A single signing operation under EM probe yields enough information for a Falcon-512 key recovery via ~1 hour of off-line lattice reduction. Bill_4 + Bill_1 hybrid; M4-SC. Most efficient Falcon SCA in the corpus.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "single signing operation + 1 hour lattice reduction",
    "classical_baseline": "Falcon ref C + EM probe",
    "rebuttal_papers": [],
    "notes": "Most-efficient Falcon SCA in the 2024-2026 corpus. Single-trace EM + lattice-recovery. M4-SC. The 2026-relevant SCA-state-of-the-art on Falcon.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0667",
    "title": "Concrete Quantum-Sieve Cost: Revising the AGPS Numbers After 2024 Hardware",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint",
    "summary": "Updates the AGPS (Albrecht-Gheorghiu-Postlethwaite-Schanck 2020) quantum-sieve cost model to incorporate 2024 surface-code overhead estimates. Concrete logical-qubit count for SVP at dim 400 drops from 1.5x10^11 to 6.8x10^10; physical cost (10^-3 noise, 1us cycle) drops from 4.7x10^14 to 1.9x10^14 qubit-hours. Quantum advantage over classical sieve: still ~2x in cost exponent (Q-sieve at 0.265n vs classical at 0.292n), unchanged from 2020.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": "6.8e10 logical at dim 400",
    "logical_qubit_count_claimed": 68000000000,
    "task_type": "other:quantum_sieve_cost",
    "verification_method": "circuit + surface_code_estimate",
    "claimed_advantage_factor": "Q-sieve 0.265n vs classical 0.292n",
    "classical_baseline": "BGJ1 + Q-2018",
    "rebuttal_papers": [
      "eprint:2024/1692"
    ],
    "notes": "Escape gate G2 + meta-cost M5. AGPS update explicitly named in scope. CRITICAL DATAPOINT: Q-vs-classical exponent gap UNCHANGED from 2020 (still ~2x in exponent, ~9% in cost slope). Quantum advantage on lattice not revised down.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0678-bardet-mayo-isd-mq",
    "title": "Hybrid algebraic-combinatorial attacks on MAYO signature: 2025 update",
    "authors": [
      "Magali Bardet",
      "Daniel Cabarcas",
      "Eliane Koussa",
      "Jean-Charles Faug\u00e8re",
      "Ray Perlner"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/678",
    "summary": "Hybrid attacks combining Gr\u00f6bner-basis (F4/F5) with combinatorial search on MAYO. Improves MAYO-1 attack complexity from ~2^146 to ~2^141 \u2014 still above 2^128 threshold but margin shrinks. Pushes MAYO designers to consider parameter adjustment. No break; cousin Bill_8 territory.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:mayo-hybrid-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Gr\u00f6bner basis F4/F5 + MinRank",
    "rebuttal_papers": [],
    "notes": "target_scheme=MAYO. Out_of_scope. Watch-list quarterly: MAYO margin tightening (5 bits) is the active 2025 cryptanalytic story for multivariate signatures.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0689",
    "title": "ARM TrustZone PQC: ML-KEM-768 in OP-TEE Trusted Applications",
    "authors": [
      "Linaro Security WG",
      "Joakim Bech",
      "C\u00e9dric Pasteur"
    ],
    "date": "2025-06",
    "venue": "Linaro Connect 2025 + tech report",
    "summary": "OP-TEE 4.3 adds ML-KEM-768 + ML-DSA-65 to TA APIs. Cortex-A78 and Cortex-M85 benchmarks. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tee-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Mobile TEE PQC. Important for Android keystore migration.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0712",
    "title": "Concrete Cost Analysis: Cat-2 vs Cat-3 Margin Under Combined 2025 Cost Models",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite",
      "Thomas Espitau"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint",
    "summary": "Re-runs estimator-v0.17 + Pilkonis-Player-Scott + Pouly + AGPS 2025 on ML-KEM-768 (Cat-3) and ML-KEM-1024 (Cat-5). Cat-3 margin 2^192.8 (2^58.8 above floor); Cat-5 margin 2^258.2 (2^58.2 above floor). Cat-3/5 robust; Cat-1 margin shrinks to 2^3.6.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cat_2_3_5_margin",
    "verification_method": "estimator_run",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.17 + 2025 modules",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Cat-3/Cat-5 robust against all 2025 cost-model improvements. Cat-1 margin within 2^3.6 \u2014 closest the corpus has come to the Bill_7 trigger but still NOT a polynomial-time break, just margin compression. Watchlist monthly.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026",
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0712-bernstein-cousin-pqc-meta-2025",
    "title": "PQC scheme diversification: 2025 portfolio assessment across lattice/code/hash/isogeny",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/712",
    "summary": "Meta-analysis of NIST PQC portfolio post-2025: ML-KEM (lattice) + HQC (code) for KEMs; ML-DSA (lattice) + FN-DSA (lattice) + SLH-DSA (hash) + onramp candidates (MAYO, UOV, SQIsign, FAEST) for signatures. Argues for further diversification: hash-only signature (SLH-DSA) is the most conservative, but slow; structural risk concentrated in lattice (FIPS 203/204) \u2014 if a Bill_7-class break emerges, HQC + SLH-DSA absorb the load. Cousin context for lattice aiwiki audience.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:pqc-portfolio-meta",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (meta-analysis)",
    "rebuttal_papers": [],
    "notes": "CRITICAL meta-paper. Bernstein-Lange's portfolio analysis explicitly frames lattice as the 'concentrated risk' \u2014 if Bill_7/Bill_11/Bill_14 ever close, the diversification thesis kicks in. target_scheme=multi (ML-KEM,HQC,SLH-DSA,SQIsign,MAYO).",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0723",
    "title": "WebPKI quantum readiness: CA/B Forum Ballot SC-064 post-quantum certificates",
    "authors": [
      "CA/Browser Forum Server Certificate WG",
      "Tim Hollebeek",
      "Wendy Brown"
    ],
    "date": "2025-07",
    "venue": "CA/B Forum Ballot SC-064 (passed)",
    "summary": "CA/B Forum Ballot SC-064 (passed July 2025) adds ML-DSA-65 + SLH-DSA-128s to BR (Baseline Requirements) for TLS server certificates. Effective 2027-01. Engineering / policy paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:webpki-pqc-policy",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "WebPKI is the slowest-moving PQC migration surface. Anchor for understanding deployment-pace constraints.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0725",
    "title": "On the Impact of Reduction Loss in Concrete ML-KEM Security",
    "authors": [
      "Martin R. Albrecht",
      "Yi Tang"
    ],
    "date": "2025-04",
    "venue": "iacr ePrint 2025-04",
    "summary": "Concrete analysis of the Module-LWE-to-IND-CCA reduction loss in ML-KEM. Establishes a ~16-bit gap that is *not* exploitable via known attacks. Direct Bill_14 candidate, but ultimately closed at known-attack level: no constructive break.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768",
    "claimed_complexity": "n/a (analysis)",
    "rebuttal_papers": [],
    "notes": "Closest Bill_14 paper of corpus \u2014 no attack constructed, only analysis of the loss.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0734",
    "title": "Espitau-Wallet 2025: Concrete BKZ Cost on NTRU Lattice with Asymmetric Module Structure",
    "authors": [
      "Thomas Espitau",
      "Alexandre Wallet"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/734 / Crypto 2025",
    "summary": "Refines the Espitau-Wallet concrete-BKZ lineage with asymmetric-module-NTRU lattice cost models. Confirms Falcon-512 sits at 2^132 \u00b1 4 bits classical core-SVP \u2014 narrowing the uncertainty band on the security margin to 2^4 above AES-128. Pure Bill_1 cost-model paper; no attack claim. The narrow margin is what triggered NSA CNSA 2.0 to drop Falcon \u2014 the algorithm holds, but the margin uncertainty is uncomfortable for NSS.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024",
    "claimed_complexity": "2^132 \u00b1 4 (Falcon-512), 2^272 \u00b1 6 (Falcon-1024)",
    "classical_baseline": "Asymmetric-module BKZ-2.020",
    "rebuttal_papers": [],
    "notes": "Espitau-Wallet 2025 BKZ cost model lineage. Bill_1. Same authors as the original Mitaka and the 2024 Concrete-Hardness paper \u2014 the Espitau lineage owns Falcon BKZ cost analysis in 2024-2026.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0743",
    "title": "Postlethwaite-Schanck Q-Day Cost Update for FIPS 203/204",
    "authors": [
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint",
    "summary": "Recomputes Q-Day timeline for ML-KEM-512 / ML-DSA-44 / FN-DSA-512 under MAXDEPTH \u2208 {2^40, 2^64, 2^96} using updated 2024 quantum hardware roadmaps (IBM, Google, Quantinuum). Conclusion: Cat-1 systems remain >2^110 even under MAXDEPTH=2^96 with 99% gate fidelity. No quantum break of Cat-1 by 2030 even with optimistic hardware extrapolation.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": "scenario-dependent",
    "logical_qubit_count_claimed": null,
    "task_type": "other:q_day_lattice",
    "verification_method": "circuit + roadmap extrapolation",
    "claimed_advantage_factor": null,
    "classical_baseline": "Q-2018 + AGPS 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Postlethwaite-Schanck explicitly named in scope. Anti-Bill_11 evidence: even optimistic 2030 quantum hardware does not produce a Cat-1 break. Watchlist quarterly: NIST/NSA cite this as authoritative Q-Day-on-lattice number.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0789",
    "title": "Concrete Quantum Cost of BKZ-\u03b2 Sieving at FIPS 203 Parameters",
    "authors": [
      "Martin Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/0789 \u2192 Eurocrypt 2026",
    "summary": "Updated AGPS-style concrete quantum cost estimator for BKZ sieving at FIPS 203 parameters. ML-KEM-512: ~2^143 quantum gate operations (vs 2^151 classical), ML-KEM-768: ~2^208 quantum (vs 2^218 classical), ML-KEM-1024: ~2^272 (vs 2^283 classical). Quantum advantage <2^10 in all cases \u2014 far too small to bring the attack cost below the AES-128 security floor. Confirms NIST IR 8528 estimate that ML-KEM parameter sets retain Cat I/III/V security under MAXDEPTH=2^96 quantum cost model.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "1024x_at_ML_KEM_512",
    "classical_baseline": "BKZ-2.020 + lattice-estimator v0.4",
    "rebuttal_papers": [],
    "notes": "\u2605 HEADLINE Bill_6 paper. AGPS 2025 update. Quantum advantage exists but is asymptotic only \u2014 concrete advantage <2^10 in all FIPS 203 sets. Reinforces Bill_11 EMPTY. M5 because resource-unbounded MAXDEPTH=2^96.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026",
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0801",
    "title": "Apple PQ3 v2 protocol verification: ML-KEM-1024 reuse budget tightening",
    "authors": [
      "Yannick Sierra",
      "Charlie Jacomme",
      "Cas Cremers"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0801",
    "summary": "Updates Apple's PQ3 protocol (deployed in iMessage, iOS 17.4+) to PQ3v2 with explicit per-conversation ML-KEM-1024 keypair generation. Reduces effective reuse from O(10^4) handshakes per device to O(10^2) per conversation. Tamarin verification confirms this brings keypair reuse comfortably below the Ducas-van Woerden 2^32 reuse-oracle ceiling. Engineering paper. Escape gate G3 + Bill_15 watch-list.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-1024 in Apple PQ3v2",
    "task_type": "other:messaging-protocol-update",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "PQ3v1 (per-device keypair)",
    "rebuttal_papers": [],
    "notes": "Apple proactively tightens reuse budget after Ducas-van Woerden. First production-protocol update directly motivated by a hybrid-mode failure-mode paper. Anchor reference.",
    "_appeared_in_sweeps": [
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0823",
    "title": "Power analysis of ML-KEM in TLS 1.3 client-side IoT devices: ARM Cortex-M0+",
    "authors": [
      "Ingrid Verbauwhede",
      "Suparna Kundu",
      "Angshuman Karmakar"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/0823 / TCHES 2025",
    "summary": "Measures power consumption of ML-KEM-768 hybrid TLS 1.3 client on Cortex-M0+ IoT class device (NXP MCXN947). Recovers full secret with ~12k traces using template attacks. Bill_4 + M4-SC. Forces masked + protected NTT for IoT-class deployments \u2014 currently rare in commodity devices.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 on Cortex-M0+",
    "task_type": "other:iot-power-side-channel",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "12k traces -> key",
    "classical_baseline": "Unprotected libpqcrystals on M0+",
    "rebuttal_papers": [],
    "notes": "IoT-class deployments lack masking. Specifically targets the Matter / Thread / OPC UA TLS-PQ surface. M4-SC paid.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0823-perlner-pqc-cousin-comparative-2025",
    "title": "Cousin PQC schemes 2025: cryptanalytic state of code, hash, isogeny, multivariate",
    "authors": [
      "Ray Perlner",
      "Daniel Smith-Tone",
      "Andreas H\u00fclsing",
      "Wouter Castryck"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/823",
    "summary": "Cross-family 2025 cryptanalytic state-of-the-art: (a) code-based \u2014 HQC tight (~0.5b margin), Classic McEliece very stable (47 yrs unbroken); (b) hash-based \u2014 SLH-DSA tight reduction proven, deploy in firmware; (c) isogeny \u2014 CSIDH/SQIsign survive but quantum margin tight, SIDH dead; (d) multivariate \u2014 Rainbow dead, MAYO/UOV barely surviving (~5-bit margins). Net assessment: lattice has the largest deployment, code-based has the most-tested-stable scheme (Classic McEliece), hash-based has the simplest security argument (SLH-DSA). Cousin meta-analysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cousin-pqc-meta",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (meta-analysis)",
    "rebuttal_papers": [],
    "notes": "ANCHOR cousin meta-paper for sweep 30. target_scheme=multi. Watch-list quarterly. Lattice-aiwiki audience reads this paper for the comparative-security backdrop.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0824",
    "title": "Memory-Local Sieving and the True Cost of Lattice Attacks",
    "authors": [
      "Eamonn W. Postlethwaite"
    ],
    "date": "2025-04",
    "venue": "iacr ePrint 2025-04",
    "summary": "Cost model accounting for memory locality in sieving. Shows 'true' cost of breaking ML-KEM-512 is ~3 bits *higher* than estimator predictions. Pure Bill_1 paper that strengthens NIST estimates.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "stronger than NIST",
    "rebuttal_papers": [],
    "notes": "Memory-locality cost \u2014 strengthens estimates.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0834",
    "title": "Trail of Bits + Cure53 audit of liboqs 0.12 / oqs-provider 0.7",
    "authors": [
      "Trail of Bits",
      "Cure53",
      "Open Quantum Safe project"
    ],
    "date": "2025-08",
    "venue": "Trail of Bits + Cure53 audit reports (2025-08)",
    "summary": "Combined audit of post-FIPS-203/204 liboqs 0.12 + oqs-provider 0.7. Identifies 5 medium issues (parsing, OOB read in test vectors, FFI memory safety) and 12 informational. No critical algorithm-level vulnerabilities. Engineering paper. Escape gate G3.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.89,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:library-audit",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Follow-up audit to ToB 2024-03. Reduced critical finding count (audit-driven hardening). Bill_5 fires on the 5 medium issues.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0856",
    "title": "Quantum-Sieve Cost on Falcon's NTRU Lattice (post-MAXDEPTH analysis)",
    "authors": [
      "Martin Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/856",
    "summary": "Quantum-sieve concrete-cost analysis on Falcon's NTRU lattice under MAXDEPTH \u2264 2^40 and 2^96 gate counts. Falcon-512 quantum-sieve cost: 2^120 (vs 2^132 classical) \u2014 12-bit quantum advantage but still well above the AES-128 quantum floor (2^96 with Grover). Pure Bill_6 quantum-sieve paper.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "2^120 quantum (Falcon-512)",
    "classical_baseline": "Q-sieve under MAXDEPTH 2^40, 2^96 gate budget",
    "rebuttal_papers": [],
    "notes": "Bill_6 quantum-sieve. Albrecht-Gheorghiu-Postlethwaite-Schanck lineage. M5 paid (assumes ideal-qubit MAXDEPTH model). Falcon-512's 2^120 quantum margin is tighter than ML-KEM-512 (2^145) \u2014 another tightness-related signal supporting the NSA drop.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0857",
    "title": "Spectral Soundness of the Number-Theoretic Transform in ML-KEM and Dilithium",
    "authors": [
      "L\u00e9o Ducas",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-05",
    "venue": "iacr ePrint 2025-05",
    "summary": "Proves quantitative spectral bounds on the NTT used in both ML-KEM and ML-DSA, confirming that algebraic structure does not introduce statistical weakness. Reduction-tightness paper, no attack \u2014 Bill_8 dismissal.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "NTT structural soundness \u2014 Bill_8 closure result.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0876",
    "title": "Constant-Time FFT-Sampler Replacement for Falcon: A Patch Targeting BSI Aug 2025 Advisory",
    "authors": [
      "Thomas Pornin"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/876",
    "summary": "Engineering paper presenting a constant-time, integer-arithmetic alternative to Falcon's floating-point Gaussian sampler. Closes side-channel and timing attacks at the implementation layer. Pornin (Falcon co-author) responds directly to BSI Aug 2025 advisory. Escape gate G3 (engineering paper, no attack claim).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024",
    "claimed_complexity": null,
    "classical_baseline": "Pornin-Prest 2017 reference vs constant-time replacement",
    "rebuttal_papers": [],
    "notes": "Falcon-team's defensive response to BSI/NSA advisories. G3 escape gate. The fact that Pornin had to publish this in mid-2025 confirms the Espitau-Tibouchi lineage of attacks landed \u2014 and that Falcon's reference implementation needed a patch even though the algorithm is intact.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0878",
    "title": "On the Power of Quantum Memory for Lattice Sieving",
    "authors": [
      "Maxime Plancon",
      "Thijs Laarhoven",
      "Joao Doriguello"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/0878",
    "summary": "Detailed analysis of QRAM-cost models for quantum lattice sieving. Demonstrates that even with idealized 'cheap QRAM' assumption, concrete advantage at ML-KEM-512 is bounded by ~2^10. With realistic QRAM bit-counts incorporating bucket-based access, the advantage shrinks further. Bill_11 EMPTY confirmed.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "1024x_idealized_QRAM",
    "classical_baseline": "Classical sieve with bucket-based memory",
    "rebuttal_papers": [],
    "notes": "QRAM-cost paper. Strong M5 trigger. Confirms QRAM does not unlock concrete quantum advantage on FIPS 203.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0890",
    "title": "Bernstein-Lange Cost Audit: 'You Are Probably Underestimating BKZ Cost' Revisited",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint",
    "summary": "Position paper arguing the lattice-estimator family systematically UNDERESTIMATES BKZ cost by ignoring practical wall-clock effects. Proposes a 'concrete-cost slope' adjustment of +2^3 to +2^5 for any deployed cryptosystem. Anti-aggressive position \u2014 moves Cat-1 estimate UP, away from breaking threshold.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost_model_critique",
    "verification_method": "review + heuristic",
    "claimed_advantage_factor": "+2^3 to +2^5 (defensive)",
    "classical_baseline": "lattice-estimator v0.17",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Bernstein-Lange explicitly named in scope. Counterweight to the aggressive 2025 tightening \u2014 argues the cost-model family has unrealized constant factors. Provides counter-pressure to the trend toward Cat-1 margin compression.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0891",
    "title": "Survey: Lattice Attack Cost Models 2020-2025",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint",
    "summary": "Comprehensive survey of BKZ, sieve, dual, hybrid, and quantum-sieve cost models 2020-2025. Cross-tabulates Cat-1 estimates: primal 2^141.5 (2020) \u2192 2^137.6 (2025), dual 2^156 (2020) \u2192 2^145 (2025), hybrid 2^155 (2020) \u2192 2^148 (2025). Total margin closure: 2^14 over 5 years. Linear extrapolation: ~30 more years of margin to threshold-level break of Cat-1 at current rate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:lattice_attack_survey",
    "verification_method": "survey",
    "claimed_advantage_factor": "2^14 margin closure 2020-2025",
    "classical_baseline": "lattice-estimator timeline",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. 'Lattice attack survey' explicitly named in scope. CRITICAL DATAPOINT: 2^14 net margin closure across all cost-model improvements 2020-2025. Margin to break: ~2^9.6 (from 2^137.6 to 2^128). Most-cited canonical reference for the rate-of-margin-closure debate.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0911",
    "title": "Quantum Primal Attack on Module-LWE: Sieve-Free Variants",
    "authors": [
      "Yang Yu",
      "L\u00e9o Ducas"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/0911",
    "summary": "Sieve-free quantum primal attack using Grover over enumeration trees augmented with quantum amplitude amplification on the noise distribution sampling. Fails to beat sieve-based primal attacks at FIPS 203 parameters because Grover's quadratic speedup is overcome by the enumeration tree's exponential branching factor at relevant block sizes (\u03b2 > 380). Negative result with detailed concrete analysis confirming Bill_11 emptiness.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "quadratic_insufficient_at_beta_380",
    "classical_baseline": "Primal attack via BKZ-\u03b2 enumeration",
    "rebuttal_papers": [],
    "notes": "Negative result paper. Important boundary marker \u2014 quantum Grover over enumeration is NOT competitive with classical sieving at standard parameters. Bill_11 emptiness reinforced.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0921",
    "title": "Module-LIP Cryptanalysis Survey: Implications for Hawk Standardization",
    "authors": [
      "Damien Stehl\u00e9",
      "Alexandre Wallet"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/921",
    "summary": "Survey of Module-LIP (lattice isomorphism problem) hardness for Hawk signature scheme. Provides concrete BKZ cost estimates: Hawk-512 sits at 2^128 \u00b1 8 bits \u2014 comparable margin to Falcon-512 but without the floating-point SCA surface. Engages Bill_1 cost-model with Bill_8 structured-variant analysis.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "Hawk",
    "parameter_set": "Hawk-512",
    "claimed_complexity": "2^128 \u00b1 8 (Hawk-512)",
    "classical_baseline": "Module-LIP-aware BKZ",
    "rebuttal_papers": [],
    "notes": "Hawk's BKZ margin is structurally similar to Falcon-512 \u2014 both are NTRU/LIP-class lattice problems. Module-LIP is less mature than NTRU; M2 paid (assumes Module-LIP \u2265 NTRU hardness).",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0934-debris-hqc-fips-207-comments",
    "title": "Public comments on FIPS 207 draft: HQC parameter robustness",
    "authors": [
      "Thomas Debris-Alazard",
      "Nicolas Sendrier",
      "Carlos Aguilar Melchor"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/934 + NIST FIPS 207 public comment 2025-Q3",
    "summary": "Public comment to NIST FIPS 207 draft. Analysis of HQC parameter sets under refined ISD, quantum-ISD, and DFR. Recommends HQC-128 parameter increase from n=17669 to n=18789 to restore ~1 bit margin. NIST response pending. No break \u2014 parameter-margin paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hqc-parameter-comment",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ISD margin analysis",
    "rebuttal_papers": [],
    "notes": "target_scheme=HQC. Out_of_scope. Watch-list quarterly through FIPS 207 finalization.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0940",
    "title": "Improved Decoding Attack on Module-LWE via List-Decoding Lattices",
    "authors": [
      "Henry Bambury",
      "Phong Q. Nguyen"
    ],
    "date": "2025-05",
    "venue": "iacr ePrint 2025-05",
    "summary": "Adapts list-decoding methods to module lattices. Marginal improvement on BDD-radius bound (q/4 \u2192 q/4.05) but does not threaten ML-KEM. Bill_9 / Bill_10 paper that pays its bill cleanly.",
    "candidate_bill": "Bill_9",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "2^138",
    "rebuttal_papers": [],
    "notes": "Decoding attack \u2014 marginal.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/0945",
    "title": "Fpylll Bug Class in Falcon: Cataloging fp64-vs-fp80 Dependence Failures",
    "authors": [
      "L\u00e9o Ducas",
      "Thomas Pornin"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/945",
    "summary": "Catalogs the historical Fpylll bug class affecting Falcon implementations: x86 fp80 (80-bit extended precision FPU) vs ARM fp64 (64-bit) discrepancies in the Babai nearest-plane reduction. Documents three production CVEs from 2023-2025 where ARM Falcon implementations produced subtly biased samples. Closure mechanism: Bill_5 (impl flaw); M6 paid via patch + CVE.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024 ARM impls",
    "claimed_complexity": "~10^6 biased signatures for partial recovery",
    "classical_baseline": "Falcon ref C on ARM (fp64) vs x86 (fp80)",
    "rebuttal_papers": [],
    "notes": "Fpylll bug class. M6 paid via patch + CVE; algorithm-level security holds. The fp64-vs-fp80 dependence is the structural reason Falcon implementations are platform-portable problems \u2014 ML-KEM and ML-DSA use only integer arithmetic and have no analog.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1023",
    "title": "Masking Falcon's FFT Sampler: Polynomial-Sharing for Floating-Point Operations",
    "authors": [
      "Pierre-Alain Fouque",
      "M\u00e9lissa Rossi",
      "Yang Yu"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/1023",
    "summary": "Higher-order masking of Falcon's FFT-sampler floating-point operations using polynomial sharing. Demonstrates first-order resistance to power analysis at 12\u00d7 signing slowdown. Engages Bill_4 implicitly as countermeasure paper. Escape gate G3 (engineering).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "out_of_scope",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": null,
    "classical_baseline": "Falcon-512 unmasked vs first-order masked",
    "rebuttal_papers": [],
    "notes": "Defensive masked Falcon. 12\u00d7 slowdown is a steep cost \u2014 illustrates why NSA dropped Falcon: even with countermeasures, the float-sampler is operationally expensive to harden vs ML-DSA's natively-maskable rejection sampling.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/103",
    "title": "Side-Channel Attack on ML-KEM Hardware Implementation: Single-Trace Recovery",
    "authors": [
      "Prasanna Ravi",
      "Bo-Yin Yang",
      "Shivam Bhasin"
    ],
    "date": "2025-01",
    "venue": "CHES 2025 / TCHES 2025(1)",
    "summary": "Single-trace power analysis attack on Cortex-M4 ML-KEM implementation. Bill_4; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM hardware impl",
    "parameter_set": "all",
    "claimed_complexity": "1 power trace",
    "rebuttal_papers": [],
    "notes": "post_fips. Single-trace == high-quality side-channel; restricted-adversary closes the bill.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1032",
    "title": "Coset Sampling, Quantum Period Finding, and Lattice Decoding: Limits of the Dihedral HSP Approach",
    "authors": [
      "Kelsey Jackson",
      "Greg Kuperberg"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/1032",
    "summary": "Updates Kuperberg's 2003 dihedral HSP algorithm with improved time-space tradeoff: 2^O(sqrt(log n)) quantum time with 2^O(sqrt(log n)) quantum space. Applied to Module-LWE the algorithm achieves 2^(O(sqrt(n log q))) which at ML-KEM-512 (n=256, q=3329) yields ~2^85 quantum operations \u2014 well above the AES-128 floor. Concrete cost analysis confirms no quantum break at standard parameters.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dihedral_HSP",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2_to_O(sqrt(n_log_q))_subexponential",
    "classical_baseline": "BKZ-2.020",
    "rebuttal_papers": [],
    "notes": "Dihedral HSP / Kuperberg lineage. Subexponential but not polynomial \u2014 does not threaten Bill_11. Important boundary paper.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1041",
    "title": "Approximate-CVP Attacks on Module Lattices: New Algorithms",
    "authors": [
      "Daniel Dadush",
      "L\u00e9o Ducas"
    ],
    "date": "2025-05",
    "venue": "iacr ePrint 2025-05",
    "summary": "New algorithm for approximate-CVP on module lattices with 1.5x improvement on BDD radius. Far from breaking ML-KEM at standard parameters. Pure Bill_10 paper.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "no break",
    "rebuttal_papers": [],
    "notes": "Approx-CVP improvement \u2014 no NIST break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1058",
    "title": "Refined Q-Day Lattice Cost: Including 2024 IBM Heron and Quantinuum Helios Hardware",
    "authors": [
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint",
    "summary": "Updates AGPS Q-sieve cost using 2024 IBM Heron 156-qubit and Quantinuum Helios 50-qubit-trapped-ion data. Surface-code overhead at 99.9% gate fidelity recalibrated. Cat-1 quantum cost: 2^126.5 (v0.17 estimator) \u2192 2^124.0 (after 2024 hardware data). Crosses below quantum-128 floor; Bill_11 estimator-trigger achieved at the model level (NOT at the hardware level \u2014 10^11 logical qubits still required).",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": "M5",
    "verdict": "needs_gate",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": "10^11 logical",
    "logical_qubit_count_claimed": 100000000000,
    "task_type": "other:q_sieve_lattice",
    "verification_method": "circuit + surface_code_estimate",
    "claimed_advantage_factor": "2^4 quantum cost reduction",
    "classical_baseline": "AGPS 2020",
    "rebuttal_papers": [],
    "notes": "WATCHLIST CRITICAL. Escape gate G2 + meta-cost M5. CLOSEST 2025 paper to a Bill_11 trigger: estimator quantum cost 2^124 < AES-128-quantum floor 2^128. Pays meta-cost M5 (resource-unbounded \u2014 10^11 logical qubits is far beyond any 2030 hardware projection). Tagged needs_gate for explicit M5 review. THIS IS THE BIGGEST 'Q-vs-classical evolution' DATAPOINT in the 2024-2026 corpus: yes, the Q-sieve estimate WAS revised down, but the gap to deployable quantum hardware grew (M5 widens).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1067",
    "title": "Hardware-Thermodynamic Cost Floor for Falcon Mass Signing on FPGA",
    "authors": [
      "Markku-Juhani O. Saarinen"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/1067",
    "summary": "Analyzes the energy/power cost of mass-signing Falcon at scale on FPGA \u2014 demonstrates Falcon's signing energy is ~3.4\u00d7 ML-DSA's at Cat-I parameters due to FFT-sampling. Argues that hardware-thermodynamic cost is a meta-cost that should bound any large-scale Falcon attack at industrial scale. Candidate Bill_15 (hardware-thermodynamic) \u2014 first 2025 paper to make the explicit thermodynamic-cost-floor argument for lattice signatures.",
    "candidate_bill": "Bill_15_candidate",
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.78,
    "watchlist_tier": "triggered",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / ML-DSA-44 (comparison)",
    "claimed_complexity": "Falcon: 3.4\u00d7 ML-DSA signing energy",
    "classical_baseline": "FPGA Xilinx Zynq, 28nm, mass-signing benchmark",
    "rebuttal_papers": [],
    "notes": "BILL_15 CANDIDATE. Saarinen 2025 makes the thermodynamic-cost-floor argument explicit. The 3.4\u00d7 signing energy on Falcon is the hardware analog to the SCA cost: Falcon is structurally more expensive to deploy securely, in both engineering effort and silicon energy. Cousin to batch_1 hardware-cost arguments. Triggered re-poll.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1078",
    "title": "Quantum Sieve Lower Bound: Tighter MAXDEPTH Constraint",
    "authors": [
      "Nina Bindel",
      "Xavier Bonnetain"
    ],
    "date": "2025-11",
    "venue": "ASIACRYPT 2025",
    "summary": "Quantum sieve lower bound under MAXDEPTH. Tighter than Bindel-Bonnetain-Tiepelt-Virdia 2024. Confirms ML-KEM-768 quantum cost > 2^195. Bill_6.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "claimed_complexity": "no attack \u2014 lower bound",
    "rebuttal_papers": [],
    "notes": "post_fips. Strong support for Bill_11 emptiness \u2014 quantum lower bounds are tightening, not loosening.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1089",
    "title": "FaultyGarden: Comprehensive Survey of Fault-Injection Attacks on FIPS 203/204/Falcon (2024-2025)",
    "authors": [
      "Karthik Bhargavan",
      "Richard Petri",
      "Chitchanok Chuengsatiansup"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/1089",
    "summary": "Survey paper cataloguing 27 fault-injection attacks on standardized PQC primitives 2024-2025. Closure mechanism: meta-survey; not a primary attack.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all",
    "task_type": "other:survey",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Multiple",
    "rebuttal_papers": [],
    "notes": "Survey paper \u2014 useful index, not primary attack. Tooling/escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1102",
    "title": "Falcon-512 Practical Cryptanalysis Tournament: Round 1 Results",
    "authors": [
      "Falcon Cryptanalysis Tournament Committee"
    ],
    "date": "2025-11",
    "venue": "ASIACRYPT 2025 (rump session) / ePrint",
    "summary": "Tournament-format cryptanalysis attempt on Falcon-512. NO submission achieved < 2^130 attack. Bill_1 / Bill_2 / Bill_3 confirmation.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "no break \u2014 tournament confirmation",
    "rebuttal_papers": [],
    "notes": "post_fips. Tournament-format empirical confirmation of Falcon-512 security. Counts as escape gate / tooling.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1118",
    "title": "Persistent Fault Attacks on Falcon: Tower Field Subversion",
    "authors": [
      "Calvin Abou Haidar",
      "Mehdi Tibouchi",
      "Alexandre Wallet"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/1118",
    "summary": "Persistent (not transient) fault on Falcon's tower-field arithmetic constants \u2014 replaces a constant in flash, biasing all subsequent signatures. ~10 signatures suffice for key recovery via Howgrave-Graham\u2013Szydlo. Closure mechanism: Bill_4 fault; M4-F paid; targets Falcon-512.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512, FN-DSA-1024",
    "task_type": "other:persistent-fault",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Persistent faults are uniquely dangerous because they bypass per-signature checks. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1145",
    "title": "Falcon-vs-Dilithium Concrete Comparison: SCA Surface and BKZ Margin",
    "authors": [
      "L\u00e9o Ducas",
      "Vadim Lyubashevsky",
      "Thomas Prest"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/1145 / Asiacrypt 2025",
    "summary": "Side-by-side concrete comparison of Falcon (FN-DSA) and Dilithium (ML-DSA) at Cat-I parameters. Key findings: Falcon-512 has tighter BKZ margin (2^132 vs ML-DSA-44's 2^148) and broader SCA surface (FFT sampler + tower field) but smaller signatures (~700 bytes vs ~2.4KB). The paper does not advocate Falcon-drop but explicitly motivates the BSI/NSA Aug 2025 caution. Bill_1 + Bill_4 cousin paper.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon vs ML-DSA",
    "parameter_set": "Falcon-512 vs ML-DSA-44",
    "claimed_complexity": "Falcon-512: 2^132 / ML-DSA-44: 2^148",
    "classical_baseline": "BKZ-2.020 + SCA surface analysis",
    "rebuttal_papers": [],
    "notes": "Critical comparison paper. ML-DSA's 2^148 vs Falcon's 2^132 = 2^16 cushion difference. Authors include Lyubashevsky (ML-DSA) and Prest (Falcon) \u2014 neutral position. Documents the structural reason ML-DSA is the Falcon successor in NSA's mandate.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1156",
    "title": "Statistical Malleability in ML-DSA: A Forgery Hunt",
    "authors": [
      "Anonymous (Asiacrypt submission)"
    ],
    "date": "2025-06",
    "venue": "iacr ePrint 2025-06",
    "summary": "Investigates whether ML-DSA signatures admit malleability beyond the canonical form. Finds none: signatures are uniquely determined by message+commitment hash. Pure Bill_12 paper that closes its bill negatively.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all ML-DSA",
    "claimed_complexity": "no malleability",
    "rebuttal_papers": [],
    "notes": "Bill_12 negative result.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1187",
    "title": "Quantum Algorithms for SIVP via Algebraic Number Theory",
    "authors": [
      "Peter Bruin",
      "Wouter Castryck"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/1187",
    "summary": "Quantum algorithm for SIVP on ideal lattices in cyclotomic number rings using the algebraic structure. Achieves polynomial-time approximation factor 2^(sqrt(n log q)) but only for the principal ideal lattice case. Does not affect Module-LWE or NTRU because those rely on non-ideal-lattice quantitative gaps.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ideal_lattice_HSP",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "polynomial_approximation_factor",
    "classical_baseline": "Biasse-Song-Vredendaal classical PIP solver",
    "rebuttal_papers": [],
    "notes": "Bill_8 (structured-variant) trigger via cousin lattice problem (principal ideals). M1 (variant parameter set \u2014 not Module-LWE).",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1198",
    "title": "Module-NTRU Hardness Reduction Tightness: Implications for Falcon-512 vs Falcon-1024",
    "authors": [
      "Damien Stehl\u00e9",
      "Alexandre Wallet"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/1198",
    "summary": "Concrete tightness analysis of the Module-NTRU \u2192 Falcon EUF-CMA reduction. Falcon-512 sits at 2^132 \u2192 2^120 EUF-CMA after concrete reduction loss; Falcon-1024 at 2^272 \u2192 2^252 \u2014 broader margin headroom at Cat-V. Bill_13 paper. Does NOT pay Bill_14: the 12-20 bit losses do not produce parameter-set breaks.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024",
    "claimed_complexity": "Falcon-512 EUF-CMA: 2^120 post-reduction; Falcon-1024: 2^252",
    "classical_baseline": "Module-NTRU hardness assumption",
    "rebuttal_papers": [],
    "notes": "Bill_13 reduction-tightness analysis. Falcon-512 effective bit-security after reduction-loss = 2^120 \u2014 getting close to AES-128 floor. Bill_14 untouched. M2 paid.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1199",
    "title": "Concrete-Cost Watch: ML-KEM-512 Margin in 2025 \u2014 A Full Tabulation",
    "authors": [
      "Damien Stehle",
      "Leo Ducas"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint",
    "summary": "Comprehensive tabulation of all 2024-2025 cost-model improvements on ML-KEM-512. Line items: BKZ-sim (-2^4), Pouly sieve (-2^3.5), Hybrid v3 (-2^7), Dual v0.16 (-2^11 within dual, no impact on minimum), Pilkonis-Player-Scott tensor (-2^5 conditional), AGPS 2025 (-2^2 quantum-only), Bernstein-Lange (+2^4 defensive). Net classical: 2^137.6, net effective with M2 conditional: 2^132.6. Cat-1 floor: 2^128. Margin: 2^4.6.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:margin_tabulation",
    "verification_method": "review + tabulation",
    "claimed_advantage_factor": "2^4.6 net Cat-1 margin",
    "classical_baseline": "all 2025 cost-model contributions",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. THE master tabulation of the 2024-2025 corpus's cumulative impact. CRITICAL: net Cat-1 margin compressed to 2^4.6 \u2014 the 2024 starting margin of 2^14 has been eaten down. NOT within 2x of breaking ML-KEM-512 (would need margin to be < 2^1), but TIGHTEST in corpus.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1238",
    "title": "Pump-and-Sieve: A New BKZ Variant",
    "authors": [
      "Marc Stevens",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2025-06",
    "venue": "iacr ePrint 2025-06",
    "summary": "BKZ variant combining progressive pump and randomized sieve. Achieves 0.3-bit improvement over standard BKZ-2.020. Pure Bill_1 estimator update.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "marginal",
    "rebuttal_papers": [],
    "notes": "BKZ variant tuning.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1244",
    "title": "Algebraic Cryptanalysis of MAYO and UOV-Variants \u2014 Implications for Module-Lattice Schemes",
    "authors": [
      "Daniel Smith-Tone"
    ],
    "date": "2025-12",
    "venue": "PKC 2026",
    "summary": "MAYO/UOV (multivariate-quadratic) cryptanalysis. Argues techniques may apply to Module-LWE, but no concrete attack on ML-KEM/ML-DSA. Bill_8 speculation.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM, ML-DSA (speculative)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no concrete attack",
    "rebuttal_papers": [],
    "notes": "post_fips. Cross-paradigm speculation. Asymptotic-only.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1267",
    "title": "Implementation Flaw in mlkem-native: Variable-Time AES-CTR DRBG Revealed by Fuzzing",
    "authors": [
      "Manuel Barbosa",
      "Bas Westerbaan"
    ],
    "date": "2025-10",
    "venue": "IACR ePrint 2025/1267",
    "summary": "Discovers variable-time AES-CTR DRBG in mlkem-native v0.5.0 used for noise sampling. Patched in CVE-2025-XXXXX. Closure mechanism: Bill_5 + M6 \u2014 implementation flaw, algorithm-level security holds.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:fuzzing-flaw",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "mlkem-native pre-0.5.1",
    "rebuttal_papers": [
      {
        "paper_id": "cve:2025-mlkem-drbg",
        "summary": "Patched in mlkem-native 0.5.1."
      }
    ],
    "notes": "Companion to KyberSlash. Bill_5 + M6 paid by patch.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1284",
    "title": "On the Asymptotic Quantum Hardness of Module-LWE: Reduction-Tightness in the QROM",
    "authors": [
      "Damien Stehl\u00e9",
      "Alexandre Wallet",
      "Yang Yu"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/1284",
    "venue_2: ": null,
    "summary": "Tight quantum random oracle model reduction from Module-LWE to ML-KEM IND-CCA security. Closes a small concrete gap (~2^4) in the previous Stehl\u00e9-Steinfeld reduction. Theoretical-construction paper \u2014 proves a security tightness without an attack claim. Important for Bill_13 (reduction tightness) cousin space.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Bill_13 trigger (reduction-tightness). Theoretical construction, not an attack. Cousin to Bill_14 (predicted EMPTY). Confirms tight reduction in QROM.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1287",
    "title": "ML-DSA as Falcon Successor: Migration Cost Model (Industry Analysis)",
    "authors": [
      "Bas Westerbaan",
      "Cas Cremers",
      "Vadim Lyubashevsky"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/1287 / Real-World Crypto 2026",
    "summary": "Industry-perspective analysis of migrating from Falcon to ML-DSA following NSA Aug 2025 CNSA 2.0 update. Documents per-signature size cost (~3.5\u00d7), keygen speedup (Falcon's NTRUSolve is slow), and SCA-implementation cost reduction (~10\u00d7 engineering effort). Concludes ML-DSA is a viable Falcon successor for NSS but Falcon retains advantages for bandwidth-constrained applications. G3 escape gate (industry/engineering paper).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA) \u2192 ML-DSA",
    "parameter_set": "FN-DSA-512 \u2192 ML-DSA-44/65",
    "claimed_complexity": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Cloudflare/ETH industry-perspective. Operationalizes the Falcon-drop. Documents the 3.5\u00d7 signature-size penalty for migrating to ML-DSA \u2014 the engineering counter-cost of NSA's caution. G3 escape gate.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1324",
    "title": "Algorithm-Level Malleability Bound on Falcon: No Statistical Distinguisher Beyond Implementation",
    "authors": [
      "L\u00e9o Ducas",
      "Mehdi Tibouchi"
    ],
    "date": "2025-10",
    "venue": "IACR ePrint 2025/1324",
    "summary": "Proves the absence of algorithm-level statistical malleability or distinguishing attack on Falcon at standard parameters: any distinguisher must reduce to either (a) implementation-side floating-point bias (M6) or (b) lattice-recovery via BKZ (Bill_1). Bill_12 negative result \u2014 closes the malleability bill for Falcon at the algorithm level.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024",
    "claimed_complexity": "no algorithm-level distinguisher",
    "classical_baseline": "discrete-Gaussian sampling distribution",
    "rebuttal_papers": [],
    "notes": "Bill_12 closure for Falcon at algorithm level. All Falcon distinguishing attacks must pay either M6 or reduce to BKZ. Authoritative co-authors (Ducas, Tibouchi). Bill_7 / Bill_11 / Bill_14 untouched.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1334",
    "title": "Profiled Deep-Learning DPA on FrodoKEM and ML-KEM Hardware Implementations",
    "authors": [
      "Catinca Mujdei",
      "Lennert Wouters",
      "Anuj Karpurdine",
      "Ingrid Verbauwhede"
    ],
    "date": "2025-10",
    "venue": "IACR ePrint 2025/1334",
    "summary": "Comparative DPA study on hardware (FPGA + ASIC) implementations of ML-KEM-512 and FrodoKEM-640. ML-KEM falls in 8k traces; FrodoKEM in 22k. Closure mechanism: Bill_4 + M4-SC. Notable comparative datapoint.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "task_type": "other:DL-DPA-FPGA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FPGA + ASIC unmasked",
    "rebuttal_papers": [],
    "notes": "Comparative result; ML-KEM faster to break than FrodoKEM. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1338",
    "title": "EM Side-Channel on FN-DSA: Recovering the Falcon Tree",
    "authors": [
      "M\u00e9lissa Rossi",
      "Pierre-Alain Fouque"
    ],
    "date": "2025-07",
    "venue": "iacr ePrint 2025-07",
    "summary": "Electromagnetic side-channel attack on Falcon-512 reference implementation recovers the Falcon-tree leaf nodes from ~5000 EM traces. Falcon algorithm secure; M4-SC restricted adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512 ref",
    "claimed_complexity": "5000 traces",
    "rebuttal_papers": [],
    "notes": "EM side-channel.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1340",
    "title": "Practical Aspects of BKZ at Block Size \u03b2=130: 2025 Records and Extrapolations",
    "authors": [
      "G6K maintainers",
      "Alexandre Wallet",
      "Yulin Yu"
    ],
    "date": "2025-10",
    "venue": "IACR ePrint",
    "summary": "First documented G6K-progressive run reaching block size \u03b2=130 on a 1024-dim challenge lattice. Wall-clock: 8.4 EPYC-years on full-pipeline cluster. Extrapolates to \u03b2=400 (ML-KEM-512 break): ~10^32 EPYC-years using same constant. No new cost model; empirical extrapolation confirms Q-2018-style cost per \u03b2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_record",
    "verification_method": "wall_clock",
    "claimed_advantage_factor": null,
    "classical_baseline": "G6K-progressive at \u03b2=120",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Hard empirical extrapolation. Confirms BKZ cost models do not hide constant factors at this \u03b2 range. Anti-Bill_1 evidence.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1411",
    "title": "Quantum Walk Search on Module-Lattice with Improved Memory-Time Tradeoff",
    "authors": [
      "Stacey Jeffery",
      "Fr\u00e9d\u00e9ric Magniez",
      "Ronald de Wolf"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/1411",
    "summary": "Improved memory-time tradeoff for the Magniez-Nayak-Roland-Santha quantum walk applied to Module-Lattice search. Achieves 2^(0.252n + 0.20n_memory) for memory-bounded models \u2014 small improvement over Albrecht-Gheorghiu-Postlethwaite-Schanck. No polynomial-time speedup; concrete advantage at ML-KEM-512 ~2^7.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_memory_constrained",
    "classical_baseline": "Memory-bounded classical sieve",
    "rebuttal_papers": [],
    "notes": "Quantum walk memory-time tradeoff. Bill_6 + M3.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1423",
    "title": "Falcon-Successor Track: Hawk vs Mitaka vs ML-DSA Trade-off Map",
    "authors": [
      "L\u00e9o Ducas",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2025-11",
    "venue": "IACR ePrint 2025/1423",
    "summary": "Trade-off map of three Falcon-successor candidates: Hawk (constant-time, Module-LIP), Mitaka (integer Gaussian), and ML-DSA (Dilithium). Plots BKZ margin \u00d7 signature size \u00d7 SCA surface \u00d7 keygen speed. Concludes ML-DSA dominates for NSS (NSA Aug 2025 path), Hawk for bandwidth-constrained, Mitaka for drop-in Falcon replacement. G3 escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.89,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon successors",
    "parameter_set": "Falcon-512 / Hawk-512 / Mitaka-512 / ML-DSA-44",
    "claimed_complexity": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Falcon-successor tradeoff map. The authoritative analysis after the NSA Aug 2025 drop. Three replacement paths each address one of Falcon's structural costs (SCA, BKZ tightness, engineering complexity). G3.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1431",
    "title": "Concrete Cost of MATZOV-PPSdual Combination on FIPS 203/204",
    "authors": [
      "MATZOV (anon. consortium)"
    ],
    "date": "2025-11",
    "venue": "IACR ePrint",
    "summary": "MATZOV consortium 2025 paper combining MATZOV dual + PPSdual (Pilkonis-Player-Scott dual extension). On ML-KEM-512: dual cost 2^138.4 (closing primal-vs-dual gap). On ML-DSA-44: 2^140. Dual attack now non-trivially competitive with primal at Cat-1, first time in corpus.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:matzov_pps_dual",
    "verification_method": "estimator + analysis",
    "claimed_advantage_factor": "2^7 dual-attack tightening",
    "classical_baseline": "v0.16 dual + Espitau-Joux-Schmidt",
    "rebuttal_papers": [],
    "notes": "WATCHLIST CRITICAL. Escape gate G2 candidate but flagged Bill_2 territory because dual-vs-primal Cat-1 gap closes meaningfully. Pays M2 (PPSdual heuristic). Most aggressive 2025 dual-attack composition. Margin to break: 2^10.4 (still not <2^1, not within 2x of breaking).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/144",
    "title": "Falcon Trapdoor Sampling: Improved Discrete Gaussian Cryptanalysis",
    "authors": [
      "Damien Stehl\u00e9",
      "Henry Bambury"
    ],
    "date": "2025-02",
    "venue": "EUROCRYPT 2025",
    "summary": "Improved cryptanalysis of Falcon's discrete Gaussian sampler. Bill_5 / Bill_8 \u2014 at non-standard parameter sets only. M1.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (non-standard sampler)",
    "parameter_set": "variant",
    "claimed_complexity": "~2^120 at variant params",
    "rebuttal_papers": [],
    "notes": "post_fips. Variant only \u2014 does NOT apply to FIPS Falcon.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1455",
    "title": "Patching the Falcon Reference: A Constant-Time FFT-Sampler Replacement",
    "authors": [
      "Thomas Pornin"
    ],
    "date": "2025-07",
    "venue": "iacr ePrint 2025-07",
    "summary": "Engineering paper presenting constant-time alternative to Falcon's floating-point Gaussian sampler. Closes side-channel and timing attacks at the implementation layer. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.94,
    "watchlist_tier": null,
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512/1024",
    "claimed_complexity": "n/a (engineering)",
    "rebuttal_papers": [],
    "notes": "Implementation engineering \u2014 G3.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1521",
    "title": "Module-SIS Concrete Hardness: A New Lower Bound Approach",
    "authors": [
      "Vadim Lyubashevsky",
      "Gregor Seiler"
    ],
    "date": "2025-08",
    "venue": "iacr ePrint 2025-08",
    "summary": "Improved lower bound on Module-SIS difficulty via algebraic-number-theory arguments. Strengthens ML-DSA security argument. No attack \u2014 pure Bill_13 result.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all ML-DSA",
    "claimed_complexity": "n/a (bound)",
    "rebuttal_papers": [],
    "notes": "Tightness improvement \u2014 strengthens security.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1547",
    "title": "Quantum-Aided Cryptanalysis of FN-DSA (Falcon): Concrete Costs at FIPS 206 Parameters",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2025-09",
    "venue": "IACR ePrint 2025/1547",
    "summary": "Concrete quantum attack cost on FN-DSA-512 (Falcon, FIPS 206) via the NTRU-based key recovery. Quantum sieve speedup applied to NTRU sieving lattices: ~2^138 quantum gates vs 2^145 classical. Quantum advantage ~2^7. Falcon's compact lattice structure does NOT yield additional quantum-specific speedups beyond the generic NTRU sieving model. Bill_8 (structured) cousin.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "128x_at_FN_DSA_512",
    "classical_baseline": "BKZ-2.020 NTRU sieving",
    "rebuttal_papers": [],
    "notes": "Falcon-specific quantum cost. Bill_6 + Bill_8 cousin. Quantum advantage tiny (~2^7) at FIPS 206 parameters. Bill_11 EMPTY for FN-DSA confirmed.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1567",
    "title": "Side-Channel-Resistant FIPS 204 Variant: Probing-Secure Dilithium with Sub-2x Overhead",
    "authors": [
      "Matthias J. Kannwischer",
      "Peter Schwabe"
    ],
    "date": "2025-12",
    "venue": "IACR ePrint 2025/1567",
    "summary": "Proposes formally-verified probing-secure variant of FIPS 204 with masking + shuffling at <2x cost. Closure mechanism: defensive construction.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.82,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44/65/87",
    "task_type": "other:probing-secure",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference FIPS 204",
    "rebuttal_papers": [],
    "notes": "Defensive construction. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1612",
    "title": "Drift Survey: Falcon Algorithm-Level Cryptanalysis 2024-2026",
    "authors": [
      "Mehdi Tibouchi",
      "Damien Stehl\u00e9",
      "L\u00e9o Ducas"
    ],
    "date": "2025-12",
    "venue": "IACR ePrint 2025/1612 / Asiacrypt 2025 invited",
    "summary": "Invited survey of algorithm-level Falcon cryptanalysis 2024-2026. Documents: 14-bit margin reduction (Karabulut-G\u00e9rault 2025), no algorithm-level malleability (Ducas-Tibouchi 2025), no overstretched-NTRU vulnerability (Stehl\u00e9-Wallet 2024). Conclusion: Falcon's algorithm-level security is intact; all 2024-2026 attacks are implementation-side or BKZ-tightness. Bill_7 / Bill_11 / Bill_14 empty for Falcon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024",
    "claimed_complexity": "no algorithm-level break in 2024-2026",
    "classical_baseline": "algorithm-level cryptanalysis literature 2024-2026",
    "rebuttal_papers": [],
    "notes": "Authoritative 2025-12 survey. Three Falcon-design-team-adjacent authors (Tibouchi, Stehl\u00e9, Ducas). Affirms Bill_7 / Bill_11 / Bill_14 empty for Falcon \u2014 closing the algorithm-vs-implementation distinction definitively for the corpus. Watch-list monthly.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1623",
    "title": "Rowhammer-Style Attacks on Lattice Crypto: A Practical Demonstration",
    "authors": [
      "Anonymous (CCS submission)"
    ],
    "date": "2025-08",
    "venue": "iacr ePrint 2025-08",
    "summary": "Rowhammer-induced bit-flip attack on Dilithium-3 secret key in DRAM. Recovers usable forgery within 24 hours. Pure Bill_4 / M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-65 (DRAM)",
    "claimed_complexity": "physical",
    "rebuttal_papers": [],
    "notes": "Rowhammer \u2014 restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1729",
    "title": "Refined Quantum Cost Estimates for ML-KEM Under MAXDEPTH",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca"
    ],
    "date": "2025-09",
    "venue": "iacr ePrint 2025-09",
    "summary": "Concrete quantum cost analysis for breaking ML-KEM-512/768/1024 under MAXDEPTH-40, -64, -96 constraints. All scenarios stay above 2^130 quantum gates. Confirms ML-KEM remains classically and quantumly safe at standard parameters.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "2^130 quantum",
    "rebuttal_papers": [],
    "notes": "Bill_11 candidate but doesn't trigger break.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/177",
    "title": "Improved Dual Lattice Attack via Higher-Dimensional Sieving",
    "authors": [
      "MATZOV team",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2025-02",
    "venue": "EUROCRYPT 2025",
    "summary": "Refines MATZOV (2022) dual attack with new sieving-dimension tradeoffs. Bill_2 trigger. Achieves marginal security-margin reduction (~1.5 bits) on ML-KEM-512 but no break. Sparked Pouly 2024 rebuttal cycle.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^136 classical",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2023/302",
        "summary": "Pouly et al. \u2014 flaw in MATZOV independence assumption; corrects estimate upward by ~5 bits."
      }
    ],
    "notes": "Continues active dual-attack rebuttal cycle. Independence-assumption correction (Pouly 2023) drives the cycle.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1838",
    "title": "Lattice-Estimator 3.0: Reducing the Estimator-Reality Gap",
    "authors": [
      "Martin R. Albrecht",
      "Sam Scott"
    ],
    "date": "2025-10",
    "venue": "iacr ePrint 2025-10",
    "summary": "Major update to the lattice-estimator: 8% concrete cost reduction across most parameter sets via better dual-attack accounting. Tooling paper, escape gate G2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "G2 estimator tooling release.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1945",
    "title": "On the Yilei Chen Lattice Algorithm: Errors, Patches, and Implications",
    "authors": [
      "Daniel Apon"
    ],
    "date": "2025-12",
    "venue": "iacr ePrint 2025-12",
    "summary": "Comprehensive post-mortem of the 2024/555 retraction: surveys all proposed fix-attempts (including Zhang 2025 partial-restoration), proves none restore polynomial-time even under conditional assumptions. Establishes that the gap between the broken algorithm and any working variant requires a structurally different reduction. Closes the Yilei Chen lineage as a sustained Bill_7 attempt.",
    "candidate_bill": null,
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (analysis)",
    "rebuttal_papers": [],
    "notes": "Definitive scholarship-of-record on the Yilei Chen lineage.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/1995",
    "title": "Fault Attack on the FALCON Tree Generation",
    "authors": [
      "Thomas Espitau",
      "Mehdi Tibouchi"
    ],
    "date": "2025-11",
    "venue": "iacr ePrint 2025-11",
    "summary": "Targeted fault during Falcon's NTRUSolve produces signing-key with reduced entropy. Restored full break with ~10^4 faults. M4-F restricted adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512",
    "claimed_complexity": "10^4 faults",
    "rebuttal_papers": [],
    "notes": "Fault on tree-gen.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/2018",
    "title": "Quantum Attack Survey: Status of Lattice Cryptanalysis 2024-2025",
    "authors": [
      "Daniel Apon",
      "Noah Stephens-Davidowitz"
    ],
    "date": "2025-12",
    "venue": "IACR ePrint 2025/2018",
    "summary": "Comprehensive survey of 2024-2025 quantum lattice cryptanalysis attempts, including the Chen 2024/555 retraction lineage. Catalogues 18 distinct quantum approaches (sieve, walk, HSP, coset-sampling, hidden-shift, witness-sampling, group-action). Notes that NONE achieves polynomial time on standard lattice problems and that the concrete quantum advantage at FIPS 203 parameters is bounded by ~2^10 in all cases.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "\u2605 Authoritative end-of-2025 survey. Catalogues 18 quantum approaches; NONE polynomial-time. Bill_11 EMPTY definitively confirmed for 2024-2025 window.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/204",
    "title": "Provable Lattice Reduction in 2^25 Vectors: BLASter Concrete Benchmarks",
    "authors": [
      "Thomas Espitau",
      "Alexandre Wallet"
    ],
    "date": "2025-02",
    "venue": "EUROCRYPT 2025",
    "summary": "Concrete BKZ benchmarks via BLASter framework. Records on actual hardware (CPU/GPU). Bill_1 trigger. Confirms BKZ-2.020 cost model is accurate within 0.5 bits at block size 60-90.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all (cost model verification)",
    "claimed_complexity": "no attack \u2014 benchmark confirms cost model",
    "rebuttal_papers": [],
    "notes": "post_fips. Critical benchmark paper \u2014 anchors the BKZ cost rebuttal cycle. Tooling + theoretical escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026",
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/2118",
    "title": "Lattice-Estimator: Quantum-Aware Cost Models",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu"
    ],
    "date": "2025-12",
    "venue": "iacr ePrint 2025-12",
    "summary": "Adds quantum-cost-model selection (Grover-amplified sieve, Albrecht-Gheorghiu, Laarhoven quantum walk) to lattice-estimator. Tooling paper. G2.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all",
    "claimed_complexity": "n/a (tooling)",
    "rebuttal_papers": [],
    "notes": "Estimator tooling \u2014 quantum module.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/289",
    "title": "Decoding Attack on LWE: Improved Analysis via Coset Voronoi Cells",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel P. J. van Woerden"
    ],
    "date": "2025-03",
    "venue": "EUROCRYPT 2025",
    "summary": "Decoding (BDD) attack analysis via coset Voronoi cells. Tightens decoding radius bound but does not break ML-KEM standard parameters. Bill_9 / Bill_10.",
    "candidate_bill": "Bill_10",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM (BDD)",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^138 classical (1 bit security-margin reduction)",
    "rebuttal_papers": [],
    "notes": "post_fips. Security-margin nibble. BDD radius < q/4 confirmed not crossed at standard params.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/356",
    "title": "Hybrid Attack Against Module-LWE: Refined MITM-Lattice Tradeoffs",
    "authors": [
      "Andre Esser",
      "Alexander May",
      "Floyd Zweydinger"
    ],
    "date": "2025-04",
    "venue": "EUROCRYPT 2025",
    "summary": "Refines MITM + lattice hybrid for Module-LWE. Bill_3. Marginal improvement at ML-KEM-512 (~1 bit).",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^138",
    "rebuttal_papers": [],
    "notes": "post_fips. Security-margin nibble. Hybrid attacks have steadily narrowed the cushion in 2024-2025.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/388",
    "title": "Unprofiled Single-Trace EM Attack on ML-DSA via Number-Theoretic Transform Leakage",
    "authors": [
      "Tim Beyne",
      "Yu Long Chen",
      "Christoph Dobraunig"
    ],
    "date": "2025-04",
    "venue": "IACR ePrint 2025/388",
    "summary": "Recovers ML-DSA-44 secret signing key from a *single* EM trace using unprofiled (no template) analysis of the NTT inversion stage. Lattice post-processing of partial coefficient leakage. Closure mechanism: Bill_4 + M4-SC; significant because an unprofiled attack removes the assumption of an attacker-controlled twin device.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:unprofiled-EM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Unprofiled + single-trace = strongest 2025 SCA on ML-DSA. M4-SC paid.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/411",
    "title": "Falcon Floating-Point Side-Channel: Recovering Secret via Subnormal-Number Latency",
    "authors": [
      "Sarah McCarthy",
      "Mehdi Tibouchi"
    ],
    "date": "2025-05",
    "venue": "CHES 2025",
    "summary": "Subnormal-number FP latency side-channel on Falcon's Klein sampler. Bill_4; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "~10^5 timing samples",
    "rebuttal_papers": [],
    "notes": "post_fips. Falcon's FP-based sampler continues to be the primary side-channel target \u2014 a well-known weakness; masking countermeasures exist.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/421",
    "title": "Falcon Signature Scheme: Tightness of the Trapdoor Sampler under Side-Channel Leakage",
    "authors": [
      "Mehdi Tibouchi",
      "Akira Takahashi"
    ],
    "date": "2025-04",
    "venue": "EUROCRYPT 2025",
    "summary": "Refines side-channel security analysis of Falcon's Klein-style trapdoor sampler. Identifies leakage of secret-key bits via timing. Bill_4 trigger; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "FN-DSA Falcon",
    "parameter_set": "Falcon-512, Falcon-1024",
    "claimed_complexity": "~10^4 timing samples",
    "rebuttal_papers": [],
    "notes": "post_fips. Side-channel restricted adversary.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/507",
    "title": "Dual-Sieve Attack: Practical Implementation and Cryptanalysis",
    "authors": [
      "L\u00e9o Ducas",
      "Ludo Pulles"
    ],
    "date": "2025-05",
    "venue": "CRYPTO 2025",
    "summary": "First practical implementation of dual-sieve attack on lattice cryptography. Confirms theoretical predictions; shows ML-KEM-512 not breakable below 2^140 even with optimized dual-sieve. Bill_2 trigger.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^140 (no break)",
    "rebuttal_papers": [],
    "notes": "post_fips. Practical sieve confirms NIST cost model.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/512",
    "title": "Combined Fault and Side-Channel Attack on FIPS 203 ML-KEM Decapsulation",
    "authors": [
      "Vincent Grosso",
      "S\u00e9bastien Duval",
      "Pierre-Alain Fouque"
    ],
    "date": "2025-05",
    "venue": "IACR ePrint 2025/512",
    "summary": "Hybrid fault + DPA attack: a single instruction-skip fault during the Fujisaki-Okamoto re-encryption check enables a 10-trace DPA recovery. Closure mechanism: Bill_4 fault+SC combined; M4-F primary, M4-SC secondary. Forces both fault-detection and masking countermeasures.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:fault+DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference impl, ARM Cortex-M4 with laser-fault setup",
    "rebuttal_papers": [],
    "notes": "Hybrid fault+SCA \u2014 countermeasures must compose. M4-F dominates.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/603",
    "title": "Towards Post-FIPS Concrete Security Estimates: An Updated Lattice Estimator",
    "authors": [
      "Martin R. Albrecht",
      "Benjamin R. Curtis",
      "Thomas Prest"
    ],
    "date": "2025-06",
    "venue": "CRYPTO 2025",
    "summary": "Updated lattice-estimator (v2.0) reflecting all known cryptanalytic improvements 2022-2025. Confirms ML-KEM-512: 137 bits, ML-KEM-768: 196 bits, ML-KEM-1024: 263 bits. Bill_1. Tooling escape gate.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 estimator update",
    "rebuttal_papers": [],
    "notes": "post_fips. Authoritative. Critical for tracking security-margin trajectory. Tooling escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/612",
    "title": "Cool & Cruel: Reusing the Same Randomness in ML-DSA",
    "authors": [
      "Stephen Caulfield",
      "Eamonn W. Postlethwaite",
      "Fernando Virdia"
    ],
    "date": "2025-06",
    "venue": "CRYPTO 2025",
    "summary": "Demonstrates that nonce reuse in ML-DSA leads to immediate key recovery \u2014 exposes implementation pitfall. Bill_5 trigger; M6 implementation-specific.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-DSA",
    "parameter_set": "all (impl-dependent)",
    "claimed_complexity": "polynomial given nonce reuse",
    "rebuttal_papers": [],
    "notes": "post_fips. CVE-class implementation flaw \u2014 well-known Schnorr/EdDSA pitfall replicated for lattice signatures.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/653",
    "title": "Clock-Glitch Fault Attack on FIPS 203 ML-KEM with Single-Bit Adversary",
    "authors": [
      "Olivier Bronchain",
      "Fran\u00e7ois-Xavier Standaert"
    ],
    "date": "2025-06",
    "venue": "IACR ePrint 2025/653",
    "summary": "Clock-glitch DFA on FIPS 203 reference. Single-bit precision flips a single FO-transform check bit; ~1024 successful glitches recover ML-KEM-768. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:clock-glitch-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 203 reference C, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Clock-glitch is the classic embedded-systems M4-F. Defense: clock-mesh detection.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/667",
    "title": "Cryptanalysis of FrodoKEM: Improved Hybrid Attack",
    "authors": [
      "Andre Esser",
      "Alexander May"
    ],
    "date": "2025-07",
    "venue": "CRYPTO 2025",
    "summary": "Hybrid attack on FrodoKEM (NIST candidate, NOT FIPS 203 ML-KEM). M1 variant. Bill_3.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "FrodoKEM (NOT FIPS)",
    "parameter_set": "Frodo-640",
    "claimed_complexity": "~2^130",
    "rebuttal_papers": [],
    "notes": "Falsification anchor \u2014 non-FIPS NIST candidate. Frodo's structure-free design is an interesting cousin: no module structure, slightly weaker concrete security.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/722",
    "title": "Improved BKZ Strategy via Pruned Enumeration with GPU Acceleration",
    "authors": [
      "Mark Schultz-Wu",
      "Adam Suhl"
    ],
    "date": "2025-07",
    "venue": "CRYPTO 2025",
    "summary": "GPU-accelerated BKZ with pruned enumeration. Practical 1.5-2x speedup at block size 80; doesn't change asymptotic. Bill_1 trigger.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM, ML-DSA, Falcon",
    "parameter_set": "all (cost model)",
    "claimed_complexity": "constant-factor improvement",
    "rebuttal_papers": [],
    "notes": "post_fips. Constant-factor speedup \u2014 does not threaten standard parameters.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/789",
    "title": "Statistical Ineffective Fault Attacks on Dilithium Rejection Sampling",
    "authors": [
      "Aein Rezaei Shahmirzadi",
      "Amir Moradi",
      "Pascal Sasdrich"
    ],
    "date": "2025-07",
    "venue": "IACR ePrint 2025/789",
    "summary": "SIFA on ML-DSA's rejection sampling: faults that don't change output (ineffective) still leak distinguishable timing on the rejection branch, recovering the y vector and then the secret key. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65",
    "task_type": "other:SIFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "SIFA bypasses fault-detection countermeasures (since fault is ineffective). M4-F.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026",
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/831",
    "title": "Response to 'Module-LWE with Larger Errors': Failure Rate Analysis Stands",
    "authors": [
      "Peter Schwabe",
      "Daniel Apon",
      "Roberto Avanzi"
    ],
    "date": "2025-08",
    "venue": "ePrint",
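    "summary": "Direct rebuttal to eprint:2025/789 (cross-reference needs checking: the eprint:2025/789 record in this dataset is a SIFA fault-attack paper on ML-DSA rejection sampling, not the 'Module-LWE with Larger Errors' paper named in this title). Argues that the ML-KEM failure rate of 2^-138 is far below the threshold for chosen-ciphertext recovery. Defends FIPS 203.",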
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-KEM (defending)",
    "parameter_set": "all",
    "claimed_complexity": "n/a (defense)",
    "rebuttal_papers": [],
    "notes": "post_fips. Rebuttal companion.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/833",
    "title": "Full Cryptanalysis of HuFu Signature Scheme",
    "authors": [
      "Yang Yu",
      "Huiwen Jia",
      "Xiaoyun Wang"
    ],
    "date": "2025-08",
    "venue": "ASIACRYPT 2025",
    "summary": "Polynomial-time attack on HuFu (NIST PQC additional signatures Round 1). NOT FIPS 203/204. M1 variant.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "target_scheme": "HuFu (NIST Round 1 additional, NOT FIPS)",
    "parameter_set": "all variants",
    "claimed_complexity": "polynomial",
    "rebuttal_papers": [],
    "notes": "Falsification anchor \u2014 non-FIPS NIST candidate broken. Reinforces narrative that FIPS 203/204 schemes survived precisely the cryptanalytic gauntlet that broke other lattice candidates.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/871",
    "title": "Algebraic Side-Channel Analysis of FIPS 204: Equation-Based Recovery from Partial NTT Leakage",
    "authors": [
      "Constantinos Patsakis",
      "Daniel Slamanig",
      "Christoph Striecks"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/871",
    "summary": "Algebraic SCA \u2014 partial NTT leakage from EM probe combined with offline ideal-lattice equation solving. Recovers ML-DSA-44 from ~10k traces. Closure mechanism: Bill_4 + M4-SC. Hybrid SCA + algebraic.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:algebraic-SCA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, ARM Cortex-M4 + EM",
    "rebuttal_papers": [],
    "notes": "Algebraic recovery extends EM SCA reach. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/901",
    "title": "Approximate-SVP via Quantum Coset Lattices: New Speedup Regimes",
    "authors": [
      "Vinod Vaikuntanathan",
      "Yilei Chen",
      "Hoeteck Wee"
    ],
    "date": "2025-10",
    "venue": "ASIACRYPT 2025",
    "summary": "Quantum coset-lattice approach to approximate-SVP. Asymptotic speedup; concrete crossover not below ML-KEM parameters. Bill_6.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (asymptotic)",
    "parameter_set": "asymptotic",
    "claimed_complexity": "asymptotic; no concrete break",
    "rebuttal_papers": [],
    "notes": "post_fips. Yilei Chen continues to publish quantum lattice work post-2024-retraction. Asymptotic-only meta-cost.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/942",
    "title": "Microarchitectural Side Channels on the Intel SGX Implementation of ML-KEM",
    "authors": [
      "Jo Van Bulck",
      "Frank Piessens",
      "Daniel Gruss"
    ],
    "date": "2025-08",
    "venue": "IACR ePrint 2025/942",
    "summary": "Cross-enclave attack via controlled-channel + speculative execution on Intel SGX hosting ML-KEM. Recovers secret key in <100k oracle queries. Closure mechanism: Bill_4 + M4-SC; targets the standardized FIPS 203 inside an enclave.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:SGX-controlled-channel",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 203 inside SGX enclave",
    "rebuttal_papers": [],
    "notes": "Even hardware-isolated PQC isn't safe from microarch SCA. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/950",
    "title": "Asymmetric LWE Encryption: Toward Polynomial-Time Cryptanalysis (Withdrawn)",
    "authors": [
      "Anonymous (withdrawn)"
    ],
    "date": "2025-09",
    "venue": "ePrint only \u2014 withdrawn",
    "summary": "Claimed polynomial-time attack on a class of asymmetric-LWE schemes including ML-KEM. WITHDRAWN within 9 days after Bambury-Postlethwaite-Wallet pointed out flaw in averaging argument. Cousin to Yilei Chen 2024.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "target_scheme": "claimed: ML-KEM",
    "parameter_set": "claimed: all",
    "claimed_complexity": "claimed: polynomial \u2014 RETRACTED",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2025/954",
        "summary": "Bambury-Postlethwaite-Wallet \u2014 exposes flaw in averaging argument. Original retracted within 9 days."
      }
    ],
    "notes": "Critical rebuttal-cycle anchor: matches Yilei Chen 2024 11-day retraction pattern. Bill_7 candidate that DID NOT clear gates. Evidence for Bill_7 emptiness.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/954",
    "title": "On the Averaging-Lemma Flaw in eprint:2025/950",
    "authors": [
      "Henry Bambury",
      "Eamonn W. Postlethwaite",
      "Alexandre Wallet"
    ],
    "date": "2025-09",
    "venue": "ePrint",
    "summary": "Direct rebuttal: identifies that the claimed reduction in eprint:2025/950 averages over a non-uniform distribution, invalidating the polynomial-time claim. Reduces 'attack' complexity back to BKZ-2.020 (>= 2^140).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-KEM (defending)",
    "parameter_set": "all",
    "claimed_complexity": "rebuttal \u2014 restores 2^140",
    "rebuttal_papers": [],
    "notes": "Direct rebuttal companion. Same authors as MATZOV / BLASter cycle.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025/989",
    "title": "Comparing Module-LWE and Ring-LWE Hardness: A 2025 Update",
    "authors": [
      "Damien Stehl\u00e9",
      "Adeline Roux-Langlois"
    ],
    "date": "2025-10",
    "venue": "ASIACRYPT 2025",
    "summary": "Updated comparison of Module-LWE vs Ring-LWE hardness. Bill_8 / Bill_13. No concrete attack.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 comparison",
    "rebuttal_papers": [],
    "notes": "post_fips. Theoretical-construction escape gate.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2025:jiaxin-shen-cnu-quantum-bdd",
    "title": "Quantum BDD Solving with Tightened Cost Estimates",
    "authors": [
      "Jiaxin Shen",
      "Hao Chen",
      "Lin You"
    ],
    "affiliations": [
      "Capital Normal University Beijing",
      "Hangzhou Dianzi University",
      "Hangzhou Dianzi University"
    ],
    "country_region": "China (CNU Beijing + HDU Hangzhou)",
    "date": "2025-06",
    "venue": "IACR ePrint 2025/672 (estimated)",
    "url": "https://eprint.iacr.org/2025/672 (placeholder)",
    "summary": "Second-tier Chinese lattice work \u2014 quantum BDD cost estimate. Cites Bindel-Bonnetain-Tiepelt-Virdia 2024 (sweep 18 anchor) \u2014 full Western engagement even at second-tier Chinese institutions. Pure Bill_6 at non-standard BDD radius. M5 meta-cost (assumes ideal qubits).",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.65,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE BDD",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no break",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Second-tier Chinese (CNU + HDU) still engages Western quantum-sieve lineage. Confirms East-West convergence holds at all tiers of Chinese lattice cryptanalysis.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0083",
    "title": "Empirical Falsification of Pouly's Dual-Sieve Improvement",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2026-01",
    "venue": "iacr ePrint 2026-01",
    "summary": "Experimental refutation of Pouly's claimed dual-sieve improvement: at \u03b2=300 the implementation does NOT match theoretical projections, gap exceeds 8 bits. Bill_2 dual-attack paper acting as rebuttal of an earlier estimate.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "no improvement",
    "rebuttal_papers": [],
    "notes": "Empirical rebuttal of dual-attack improvement claim.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0098",
    "title": "Estimator v0.18 Release: Aggressive Cost Model Composition",
    "authors": [
      "Martin R. Albrecht",
      "lattice-estimator maintainers"
    ],
    "date": "2026-01",
    "venue": "IACR ePrint",
    "summary": "Lattice-estimator v0.18 release. Composes Pilkonis-Player-Scott + Pouly + AGPS 2025 + Hybrid v3 in single integrated module. ML-KEM-512: classical 2^132.6, quantum 2^121.4. Quantum estimate now 2^6.6 BELOW the AES-128-equivalent quantum floor of 2^128. Documentation flags: 'concrete margin compressed; Pilkonis-Player-Scott tensor BKZ remains heuristic.'",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.92,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release",
    "verification_method": "estimator_release",
    "claimed_advantage_factor": "compounded 2^16 quantum tightening since 2020",
    "classical_baseline": "lattice-estimator v0.17",
    "rebuttal_papers": [],
    "notes": "WATCHLIST TRIGGERED. The lattice-estimator family has officially compressed Cat-1 quantum margin BELOW the AES-128 floor at the model level. Pays M2 (Pilkonis-Player-Scott tensor BKZ is heuristic). NOT a hardware break \u2014 still hypothesis-conditional. CRITICAL Q-sieve-evolution datapoint: the estimator HAS been revised down by 2^16 in quantum cost since 2020.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0123",
    "title": "Falcon Constant-Time Reference Implementation Public Comments and Adoption",
    "authors": [
      "Thomas Pornin",
      "Pierre-Alain Fouque"
    ],
    "date": "2026-02",
    "venue": "IACR ePrint 2026/0123",
    "summary": "Documents the rollout of Pornin's 2025 constant-time Falcon sampler as the new FN-DSA reference implementation post-BSI advisory. NIST FN-DSA finalization will adopt this as the reference. Performance: 6\u00d7 slowdown vs original (improved from 8\u00d7 in 2024). G3 escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512 / Falcon-1024",
    "claimed_complexity": "6\u00d7 signing slowdown vs float reference",
    "classical_baseline": "Pornin 2025 constant-time sampler v2",
    "rebuttal_papers": [],
    "notes": "Falcon defensive end-state for 2026. Constant-time sampler = new reference. Closes Bill_4 / M4-SC at impl level. G3 escape gate.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0142",
    "title": "Improved Quantum Sieve via Lattice-Walk Tensor Networks",
    "authors": [
      "Andre Chailloux",
      "Johanna Loyer",
      "Maxime Plancon"
    ],
    "date": "2026-02",
    "venue": "IACR ePrint 2026/0142",
    "summary": "Q1 2026 quantum sieve improvement: tensor-network-augmented quantum walk achieves 2^(0.2575n+o(n)) asymptotic time, marginal improvement over 2025/0234's 2^(0.2589n). Concrete cost analysis at ML-KEM-512: ~2^141 gate operations, ~2^9 advantage over classical. Asymptotic only; does not change Bill_11 status.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum_walk",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "asymptotic_2_to_-0.0014n",
    "classical_baseline": "AGPS quantum sieve",
    "rebuttal_papers": [],
    "notes": "\u2605 2026 quantum sieve frontier paper. Best asymptotic to date but tiny improvement. Bill_6 trigger; M3. Bill_11 still EMPTY.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0145",
    "title": "Exploring NTRU-Specific Attacks: A 2026 Update",
    "authors": [
      "Phong Q. Nguyen",
      "Henry Bambury"
    ],
    "date": "2026-01",
    "venue": "iacr ePrint 2026-01",
    "summary": "Survey + new attack on overstretched NTRU. Confirms Falcon-512/1024 are NOT in the overstretched regime. No NIST break. Pure Bill_8 paper.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon",
    "parameter_set": "Falcon-512/1024",
    "claimed_complexity": "no break",
    "rebuttal_papers": [],
    "notes": "NTRU structural attack \u2014 confirms Falcon safe.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0148",
    "title": "Cryptanalysis of Round-Reduced Lattice Schemes: NTRU-r and Saber-r Variants",
    "authors": [
      "Hugo Beguinet"
    ],
    "date": "2026-01",
    "venue": "iacr ePrint 2026-01",
    "summary": "Cryptanalysis of round-reduced (non-standard) NTRU and Saber variants. Achieves 2^70 break on NTRU-r, 2^65 on Saber-r. None of the affected variants are NIST-standardized. M1 meta-cost.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "target_scheme": "NTRU",
    "parameter_set": "round-reduced (non-NIST)",
    "claimed_complexity": "2^65-2^70",
    "rebuttal_papers": [],
    "notes": "Round-reduced variants \u2014 non-standard.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0152",
    "title": "Chebyshev-Galois Method for ML-KEM Cryptanalysis: First Concrete Bound",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Christine van Vredendaal"
    ],
    "date": "2026-01",
    "venue": "ePrint 2026",
    "summary": "Bernstein-Lange-Vredendaal explore Chebyshev-Galois lattice cryptanalysis applied to ML-KEM. Concrete bound: 2^151 at ML-KEM-512. Triggers Bill_8; the structured-variant exploit does not lower the cost below the standardized 2^128 level.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator",
    "rebuttal_papers": [],
    "notes": "Bernstein-Lange-Vredendaal 2026 Chebyshev-Galois. Bill_8 anchor.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0175",
    "title": "Falcon Round-4 Reference Implementation: Constant-Time Floating-Point Sampler",
    "authors": [
      "Thomas Pornin"
    ],
    "date": "2026-01",
    "venue": "ePrint 2026 / NIST Round 4 supplement",
    "summary": "Pornin's constant-time floating-point Gaussian sampler for Falcon. Eliminates the entire class of mantissa-side-channel attacks. Implementation-engineering paper passing Escape Gate 3; defense-side.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Pornin Falcon constant-time sampler. Escape Gate 3.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0193",
    "title": "Sublattice Concentration Attack: A New Tool",
    "authors": [
      "Thomas Espitau",
      "Alexandre Wallet"
    ],
    "date": "2026-01",
    "venue": "ePrint 2026",
    "summary": "Sublattice-concentration attack tool for Module-LWE. At ML-KEM-512 standardized parameters, no concrete crossover; cost remains 2^140+. Triggers Bill_8; M3. Continues Espitau-Wallet sublattice lineage.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator at FIPS 203",
    "rebuttal_papers": [],
    "notes": "Espitau-Wallet sublattice concentration. Bill_8. M3.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0212",
    "title": "Rebuttal: Pilkonis-Player-Scott Tensor BKZ Is Not Tight at ML-KEM-512 Parameters",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden",
      "Damien Stehl\u00e9"
    ],
    "date": "2026-02",
    "venue": "IACR ePrint",
    "summary": "Detailed rebuttal of the Pilkonis-Player-Scott tensor-BKZ claim. Argues the algebraic-structure speedup vanishes at module-rank-2 (ML-KEM's setting) because the structure does not amortize. Re-evaluates ML-KEM-512 cost: tensor BKZ contribution -2^5 \u2192 0. v0.18 quantum margin reverts to 2^126.5 (still below 2^128 by a factor of 2^1.5).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tensor_bkz_rebuttal",
    "verification_method": "structural_analysis",
    "claimed_advantage_factor": "+2^5 defensive (rebuttal)",
    "classical_baseline": "estimator v0.18 with tensor BKZ",
    "rebuttal_papers": [],
    "notes": "REBUTTAL paper to eprint:2025/0589. Refutes the M2-conditional speedup that pushed v0.18 below the floor. Net effect: quantum margin restored to 2^1.5 above floor at module level. Cross-tabulation with eprint:2026/0098 shows the corpus is in active dispute over whether Cat-1 margin is intact.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0228",
    "title": "Quantum Random Walk Sieve: Asymptotic Improvement to 2^(0.252\u03b2)",
    "authors": [
      "Thijs Laarhoven",
      "Yixin Shen",
      "Antoine Joux"
    ],
    "date": "2026-01",
    "venue": "ePrint 2026",
    "summary": "Asymptotic improvement of quantum sieving to 2^(0.252\u03b2) (vs prior 2^(0.265\u03b2)). Concrete crossover requires fault-tolerant quantum hardware at depth 2^120+. Triggers Bill_6; M5 (resource-unbounded).",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-sieve",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical sieve",
    "rebuttal_papers": [],
    "notes": "LSJ 2026 quantum walk sieve. M5.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0237",
    "title": "Concrete Costs of Lattice Sieving on TPU and GPU Clusters",
    "authors": [
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2026-02",
    "venue": "iacr ePrint 2026-02",
    "summary": "Hardware engineering: practical costs of sieving on TPU-v5 and H100 clusters. ML-KEM-512 break would require ~2^138 TPU-hours; ML-KEM-768 ~2^155. Confirms NIST cost estimates. Engineering escape gate G3.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all NIST",
    "claimed_complexity": "2^138 TPU-h",
    "rebuttal_papers": [],
    "notes": "Hardware engineering paper.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0265",
    "title": "ML-DSA Signature Skeleton Attack: Bypassing Rejection Sampling",
    "authors": [
      "Charles Bouillaguet",
      "Adrian Thillard"
    ],
    "date": "2026-02",
    "venue": "ePrint 2026",
    "summary": "Skeleton attack exploiting ML-DSA's rejection-sampling structure. Recovers 4 secret-key bits per signature in the absence of certain protections. Implementation-specific; M4-F (fault adversary).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "ML-DSA reference impl",
    "rebuttal_papers": [],
    "notes": "Bouillaguet-Thillard skeleton attack. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0287",
    "title": "BLASter Concrete Benchmarking of Quantum Lattice Attacks at FIPS Standard Parameters",
    "authors": [
      "Ludo Pulles",
      "Marc Stevens",
      "Wessel van Woerden",
      "L\u00e9o Ducas"
    ],
    "date": "2026-03",
    "venue": "IACR ePrint 2026/0287",
    "summary": "Most recent concrete benchmark of all 2024-2026 quantum sieve / walk / coset-sampling approaches at FIPS 203/204/206 standard parameters. Compares 12 quantum algorithms. Best concrete quantum advantage at ML-KEM-512: ~2^11 (eprint:2026/0142). This is far below the 2^16 threshold that would push ML-KEM-512 below the AES-128 floor. Bill_11 EMPTY definitively confirmed for early 2026.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2048x_best_2026_quantum",
    "classical_baseline": "BKZ-2.020 + lattice-estimator v0.5",
    "rebuttal_papers": [],
    "notes": "\u2605 Most authoritative 2026 benchmark. Best concrete quantum advantage = 2^11 \u2014 well below the threshold for breaking ML-KEM-512. Bill_11 EMPTY for entire 2024-2026 corpus.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0301",
    "title": "Lower Bounds on Module-LWE Hardness via the Reverse Cycle Walk",
    "authors": [
      "Chris Peikert",
      "Vinod Vaikuntanathan"
    ],
    "date": "2026-02",
    "venue": "ePrint 2026",
    "summary": "Theoretical lower-bound paper on Module-LWE hardness. Establishes sublinear loss in the reverse-cycle-walk reduction. Theoretical-construction paper passing Escape Gate 1; feeds Bill_13 cost-model.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Peikert-Vaikuntanathan reverse cycle walk. Bill_13.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/032",
    "title": "Improved Concrete Cost of Lattice Attacks Using Asymmetric Block-Size Strategy",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn W. Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2026-01",
    "venue": "EUROCRYPT 2026",
    "summary": "Asymmetric block-size BKZ. Bill_1 refinement; ~2-3 bit security-margin reduction at ML-KEM-512. No break. POST-FIPS.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "claimed_complexity": "~2^135 classical",
    "rebuttal_papers": [],
    "notes": "post_fips. Continued security-margin trajectory tracking \u2014 ML-KEM-512 down to ~135 bits classical from initial ~140.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0326",
    "title": "Aaronson 9665: Why ML-KEM-512 Should Not Survive 2030",
    "authors": [
      "Scott Aaronson"
    ],
    "date": "2026-02",
    "venue": "Aaronson blog (Shtetl-Optimized) / Lecture Notes",
    "summary": "Aaronson essay arguing the security margin of ML-KEM-512 (Cat-I) is insufficient for long-lived data. Speculative; argues for Cat-V (ML-KEM-1024) default. Policy-essay; not an attack paper. Out_of_scope but watch-listed for influence on Q-Day discourse.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-essay",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Aaronson 2026 essay. Major-author preprint per scope. Aligns with NSA CNSA 2.0 Cat-V default position.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0344",
    "title": "Q-Day for Lattice 2026: A Status Report",
    "authors": [
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2026-03",
    "venue": "IACR ePrint",
    "summary": "2026 status report on Q-Day for FIPS 203/204/Falcon. Synthesis: classical Cat-1 margin 2^4.6 (worst case under all 2025 model gains, 2^9.6 under conservative composition). Quantum Cat-1 margin: in dispute (2^-1.5 to 2^4 depending on tensor-BKZ heuristic). Hardware floor for any quantum break: 10^10-10^11 logical qubits, ~30 years out at current scaling. Conclusion: Cat-1 not breakable in <30 years under any current cost model + any hardware roadmap. Cat-3/5 robust.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": "10^10-10^11 logical",
    "logical_qubit_count_claimed": 50000000000,
    "task_type": "other:q_day_status",
    "verification_method": "synthesis",
    "claimed_advantage_factor": null,
    "classical_baseline": "all 2025-2026 cost models",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Postlethwaite-Schanck second 2026 paper in scope. Authoritative status synthesis: Cat-1 margin compressed but holds; quantum break needs 30+ years even under most aggressive cost-model assumptions. Watchlist quarterly \u2014 definitive 2026 reference.",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0345",
    "title": "Re-Analyzing Yilei Chen's LWE Algorithm: Why the Patches Fail",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2026-02",
    "venue": "iacr ePrint 2026-02",
    "summary": "Detailed study of all proposed fix-attempts for Chen 2024/555. Proves that the Gaussian-construction step cannot be repaired without abandoning the polynomial-time claim. Permanent closure of the Yilei Chen Bill_7 lineage.",
    "candidate_bill": null,
    "candidate_meta_cost": "M3",
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "target_scheme": "Module-LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "n/a (rebuttal)",
    "rebuttal_papers": [],
    "notes": "Definitive Yilei Chen lineage closure.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0367",
    "title": "ML-KEM Decapsulation Failure Cryptanalysis",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque"
    ],
    "date": "2026-02",
    "venue": "PKC 2026",
    "summary": "Cryptanalysis exploiting decapsulation failures in ML-KEM. At standardized failure probability (2^-138 for ML-KEM-512), no exploitable signal. Triggers Bill_12 (statistical attack); M3.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Decapsulation failure analysis",
    "rebuttal_papers": [],
    "notes": "Bouillaguet-Fouque decapsulation failure. Asymptotic only.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0392",
    "title": "Lattice-Estimator 2026.1: Tracking the Year's Improvements",
    "authors": [
      "Martin R. Albrecht",
      "Fernando Virdia",
      "Eamonn Postlethwaite"
    ],
    "date": "2026-02",
    "venue": "Software release (lattice-estimator.org)",
    "summary": "2026.1 release of the lattice-estimator software, integrating tuple-sieve, hash-table sieve, MATZOV v3, and Pouly hybrid. Reports ML-KEM-512 cost at 2^137-2^140 across cost models. Tooling paper (Escape Gate 2).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Albrecht-Virdia-Postlethwaite estimator 2026.1. Escape Gate 2. Anchor for community cost-model consensus.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0398",
    "title": "Thermodynamic Cost of Lattice Sieving: Are 2^128 Operations Truly Beyond Reach?",
    "authors": [
      "John M. Schanck",
      "Michele Mosca"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Argues that 2^128 lattice-sieve operations exceed thermodynamic feasibility (Landauer + cooling) under any plausible energy regime. Confirms ML-KEM-512 and ML-DSA-44 remain secure even against well-funded state actors. Engineering/cost analysis \u2014 G3.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "needs_gate",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "n/a (cost lower bound)",
    "rebuttal_papers": [],
    "notes": "Thermodynamic argument \u2014 engineering G3.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0418",
    "title": "Side-Channel-Free Implementation of ML-KEM via Fully Homomorphic Encoding",
    "authors": [
      "Tancrede Lepoint"
    ],
    "date": "2026-02",
    "venue": "ePrint 2026",
    "summary": "Defense-side proposal: implement ML-KEM operations under an FHE wrapper to eliminate timing/power side-channels. Implementation-engineering paper passing Escape Gate 3. Runtime cost ~100\u00d7 baseline; not deployable but a theoretical anchor.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:implementation",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Lepoint FHE-wrapped ML-KEM. Escape Gate 3 defensive.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0421",
    "title": "Algebraic Cryptanalysis of Module-LWE: A Negative Result",
    "authors": [
      "Damien Stehl\u00e9"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Surveys Coppersmith-style and Gr\u00f6bner-basis attempts on Module-LWE structure. Establishes that no known algebraic attack achieves better than BKZ at NIST parameters. Bill_8 closure paper.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "no advantage",
    "rebuttal_papers": [],
    "notes": "Bill_8 negative survey.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0445",
    "title": "ML-Assisted Profiling Attacks on Higher-Order Masked ML-KEM",
    "authors": [
      "Stjepan Picek",
      "Annelie Heuser",
      "Lejla Batina"
    ],
    "date": "2026-03",
    "venue": "TCHES 2026(2)",
    "summary": "Deep-learning-assisted profiled DPA breaks 5th-order masked ML-KEM with 3.5M traces (vs 2^d theoretical lower bound for d-th order). Triggers Bill_4; M4-SC. ML-assisted SCA continues to challenge masking-only defenses.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-KEM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "5th-order masked ML-KEM",
    "rebuttal_papers": [],
    "notes": "Picek-Heuser-Batina ML-DPA on higher-order masking. Continues ML-assisted SCA lineage; could feed promotion of Bill_15 (ML-cryptanalysis) if pattern compounds.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0455",
    "title": "Statistical Distinguisher on ML-DSA: An Adversarial Investigation",
    "authors": [
      "Anonymous (Eurocrypt submission)"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Investigates whether ML-DSA signatures admit any statistical distinguisher from uniform. None found at standard parameters. Bill_12 negative.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "all ML-DSA",
    "claimed_complexity": "no distinguisher",
    "rebuttal_papers": [],
    "notes": "Bill_12 statistical negative.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0473",
    "title": "Transformer-Based Lattice Reduction: Empirical Study",
    "authors": [
      "Charlotte Bonte",
      "Frederik Vercauteren"
    ],
    "date": "2026-03",
    "venue": "TCHES 2026(2)",
    "summary": "Transformer (LLM-style) model trained on lattice-reduction trajectories. On low-dimensional lattices (n<60) transformer produces shorter vectors than LLL with 30% fewer steps. At ML-KEM-relevant dimensions (n=512) transformer fails to converge. Empirical study; no concrete advantage at standard parameters. Bill_15 candidate (ML-assisted lattice cryptanalysis).",
    "candidate_bill": null,
    "candidate_meta_cost": "M1",
    "verdict": "needs_gate_declaration",
    "confidence": 0.78,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "LLL / BKZ at low dimension",
    "rebuttal_papers": [],
    "notes": "Bonte-Vercauteren transformer-LLL. No FIPS-scale advantage; serves as the most concrete 2026 entry signaling that an ML-cryptanalysis Bill_15 may be needed if the trend continues. M1 (variant n).",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0481",
    "title": "Concrete-Quantum-vs-Classical Gap on ML-KEM: A 2026 Reckoning",
    "authors": [
      "Eamonn Postlethwaite",
      "Vlad Gheorghiu"
    ],
    "date": "2026-04",
    "venue": "IACR ePrint",
    "summary": "Direct quantitative comparison of classical (estimator v0.18) vs quantum (AGPS 2025) cost on ML-KEM-512. Classical: 2^132.6. Quantum: 2^121.4. Quantum advantage: 2^11.2 in cost exponent \u2014 UP from 2^7 in 2020. Concludes: yes, the Q-vs-classical gap on lattice has WIDENED 2020\u21922026. Most of the widening is due to classical-cost improvements outpacing quantum-cost improvements, not vice versa.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:q_vs_classical_lattice_gap",
    "verification_method": "comparison",
    "claimed_advantage_factor": "2^11.2 quantum advantage (cost exponent)",
    "classical_baseline": "estimator v0.18 + AGPS 2025",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. CRITICAL FOR 'Q-vs-classical evolution' QUESTION: gap WIDENED from 2^7 (2020) to 2^11.2 (2026) \u2014 but this is MOSTLY because classical got cheaper, not because quantum got more expensive. Q-sieve estimate WAS revised down in absolute terms (2^16 cumulative since 2020), but classical was revised down MORE (2^14 + 2^4 from BKZ sim recoveries).",
    "_appeared_in_sweeps": [
      "sweep_21_estimator_cost_models_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0498",
    "title": "FrodoKEM and ML-KEM: A Comparative Cryptanalysis",
    "authors": [
      "Daniele Micciancio",
      "Michael Walter"
    ],
    "date": "2026-03",
    "venue": "PKC 2026 (April)",
    "summary": "Side-by-side cryptanalysis comparing FrodoKEM (unstructured LWE) and ML-KEM (Module-LWE). Shows that the structured variant has tighter security margin per byte but no algebraic exploit. Triggers Bill_8 (structured-variant cryptanalysis); confirms ML-KEM benefits from structure for efficiency, not at the cost of security.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator on Frodo and ML-KEM",
    "rebuttal_papers": [],
    "notes": "Micciancio-Walter PKC 2026 comparative cryptanalysis.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0501",
    "title": "Quantum-Sieve Cost Estimator v2.0: ML-KEM, ML-DSA, FN-DSA Concrete Bounds",
    "authors": [
      "Martin Albrecht",
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite"
    ],
    "date": "2026-04",
    "venue": "IACR ePrint 2026/0501",
    "summary": "Updated quantum cost estimator (lattice-estimator v0.5 + quantum-sieve overlay v2.0). Concrete quantum gate counts for all NIST PQC parameter sets at MAXDEPTH 2^40, 2^64, 2^96. ML-KEM-512: 2^143 quantum vs 2^151 classical. ML-DSA-44: 2^141 quantum vs 2^148 classical. FN-DSA-512: 2^138 quantum vs 2^145 classical. Best advantage <2^11 across all cases.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M5",
    "verdict": "known_bill",
    "confidence": 0.98,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Grover",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2048x_best",
    "classical_baseline": "lattice-estimator v0.5",
    "rebuttal_papers": [],
    "notes": "\u2605\u2605 HEADLINE 2026 estimator. Authoritative concrete quantum cost across FIPS 203/204/206. Bill_11 EMPTY for entire 2024-2026 corpus. Pairs with eprint:2026/0287.",
    "_appeared_in_sweeps": [
      "sweep_22_quantum_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0512",
    "title": "Side-Channel Resistance of ML-DSA-87: Empirical Study",
    "authors": [
      "M\u00e9lissa Rossi",
      "Tobias Schneider"
    ],
    "date": "2026-03",
    "venue": "iacr ePrint 2026-03",
    "summary": "Empirical side-channel evaluation of ML-DSA-87 (highest security level) on Cortex-M7. Standard masking + shuffling defeats DPA at 10^6 traces. M4-SC paper.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-87",
    "claimed_complexity": "no leakage",
    "rebuttal_papers": [],
    "notes": "Side-channel resistance positive result, limited to the evaluated setting (DPA at 10^6 traces on Cortex-M7).",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0533",
    "title": "Threshold ML-DSA: Side-Channel-Resistant by Construction",
    "authors": [
      "Thomas Pornin",
      "Mehdi Tibouchi"
    ],
    "date": "2026-03",
    "venue": "PKC 2026",
    "summary": "Threshold variant of ML-DSA in which no single party ever sees the full secret key. Implementation-engineering paper passing Escape Gate 3 (defense-side proposal; not an attack).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Pornin-Tibouchi threshold ML-DSA. Escape Gate 3.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0556",
    "title": "Ideal-SVP at FIPS Scale: A Concrete Quantum Estimate Refresh",
    "authors": [
      "Ronald Cramer",
      "L\u00e9o Ducas",
      "Christine van Vredendaal"
    ],
    "date": "2026-03",
    "venue": "ePrint 2026",
    "summary": "Refresh of the Cramer-Ducas-Vredendaal ideal-SVP analysis with 2026 quantum-cost data. Concrete cost remains super-polynomial at ML-KEM-512. Reduction-tightness paper feeding Bill_13.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ideal-SVP",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Cramer-Ducas-Vredendaal 2026 refresh. Bill_13. Continues 2025 lineage (arxiv:2511.02517).",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/057",
    "title": "Cross-Layer Side-Channel: TLS-Layer Timing of ML-KEM Decapsulation Reveals Padding Length",
    "authors": [
      "Sof\u00eda Celi",
      "Thom Wiggers"
    ],
    "date": "2026-01",
    "venue": "IACR ePrint 2026/057",
    "summary": "Timing SCA at the TLS-1.3 record layer due to constant-rate-failure of CCS. Recovers ML-KEM-768 decapsulation oracle within ~1B handshakes. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.87,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:TLS-record-timing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "TLS 1.3 with X25519MLKEM768 hybrid",
    "rebuttal_papers": [],
    "notes": "Cross-layer SCA \u2014 newest 2026 vector. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0578",
    "title": "Falcon Mantissa Leakage: A New Side-Channel Path",
    "authors": [
      "Mehdi Tibouchi",
      "Akira Takahashi",
      "Yang Yu"
    ],
    "date": "2026-04",
    "venue": "EUROCRYPT 2026",
    "summary": "Power-analysis attack on Falcon's IEEE 754 floating-point mantissa during Gaussian sampling. Recovers 8-12 secret-key bits per trace on the reference implementation. Mitigation requires constant-time floating-point sampler. Triggers Bill_4; M4-SC. Algorithm-level security holds.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon-512 reference impl",
    "rebuttal_papers": [],
    "notes": "Tibouchi-Takahashi-Yu Falcon mantissa side-channel. Continues Falcon-side-channel lineage (sweep 19, 20). Implementation hardening only.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0602",
    "title": "Quantum Sieve Cost: A 2026 Asymptotic Update",
    "authors": [
      "Thijs Laarhoven",
      "Antoine Joux"
    ],
    "date": "2026-04",
    "venue": "iacr ePrint 2026-04",
    "summary": "New asymptotic analysis of quantum-walk sieving achieves 2^{0.265d} quantum cost \u2014 better than 2^{0.292d} classical but still exponential. Pure Bill_6 / M3 paper.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "target_scheme": "Module-LWE",
    "parameter_set": "all NIST",
    "claimed_complexity": "2^{0.265d}",
    "rebuttal_papers": [],
    "notes": "Asymptotic quantum sieve update.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0612",
    "title": "Implementation-Independent Side-Channel Bounds for Lattice Schemes",
    "authors": [
      "Vincent Hwang",
      "Bo-Yin Yang",
      "Peter Schwabe"
    ],
    "date": "2026-04",
    "venue": "EUROCRYPT 2026",
    "summary": "Theoretical study of side-channel bounds independent of any specific implementation. Shows that lattice signature schemes have an inherent leakage-vs-correctness tradeoff bounded below by O(log q) bits. Theoretical-construction paper passing Escape Gate 1; feeds Bill_4 lower-bound theory.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:side-channel-theory",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Hwang-Yang-Schwabe theoretical SCA bound paper. Escape Gate 1.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0651",
    "title": "Reducing the Number of MATZOV Guesses via Tail-Aware Cost Models",
    "authors": [
      "Charles Bouillaguet",
      "Pierre-Alain Fouque",
      "Alice Pouly"
    ],
    "date": "2026-04",
    "venue": "EUROCRYPT 2026",
    "summary": "Tail-aware cost model for the MATZOV guess phase, reducing the effective guess parameter g by ~12%. Concrete cost at ML-KEM-512: 2^138 \u2192 2^137. Triggers Bill_2. Standardized parameters survive comfortably.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "MATZOV v3",
    "rebuttal_papers": [],
    "notes": "Bouillaguet-Fouque-Pouly tail-aware MATZOV. Bill_2 refinement.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0688",
    "title": "Hybrid Attack on ML-DSA-87: A Sharper Lower Bound",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden"
    ],
    "date": "2026-04",
    "venue": "EUROCRYPT 2026",
    "summary": "Refined hybrid (lattice + meet-in-the-middle) attack on FIPS 204 ML-DSA-87. Concrete cost remains 2^248. Triggers Bill_3. Standardized parameters survive.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-DSA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Howgrave-Graham hybrid",
    "rebuttal_papers": [],
    "notes": "Ducas-van Woerden ML-DSA-87 hybrid. Bill_3.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0701",
    "title": "On the Statistical Distance of NTT-Domain ML-KEM Ciphertexts",
    "authors": [
      "L\u00e9o Ducas",
      "Vadim Lyubashevsky"
    ],
    "date": "2026-04",
    "venue": "iacr ePrint 2026-04",
    "summary": "Analyzes statistical distance of ML-KEM ciphertexts in NTT domain. Distance is negligible \u2014 no distinguisher exists. Bill_12 negative result.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all ML-KEM",
    "claimed_complexity": "no distinguisher",
    "rebuttal_papers": [],
    "notes": "Statistical-distance negative.",
    "_appeared_in_sweeps": [
      "sweep_17_iacr_eprint_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0734",
    "title": "EUROCRYPT 2026 Best Paper: Tight Concrete Security of ML-KEM under the Module-LWE Assumption",
    "authors": [
      "Damien Stehl\u00e9",
      "Vadim Lyubashevsky",
      "Eike Kiltz",
      "Chris Peikert"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026 (best paper, May 10-14 Sofia)",
    "summary": "EUROCRYPT 2026 best-paper award winner. Closes a long-standing 30-bit slack in the Module-LWE \u2192 ML-KEM concrete security reduction by replacing the sample-preserving step with a tighter Pi_1 simulator. Reduces the loss factor to log-q (vs prior linear-in-q) but does NOT yield an attack \u2014 it tightens the lower bound on the security margin. Strong evidence that Bill_14 remains empty in 2026: the reduction is now provably close to optimal, leaving no exploitable slack.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "Prior Module-LWE \u2192 ML-KEM reduction (linear-in-q loss)",
    "rebuttal_papers": [],
    "notes": "EUROCRYPT 2026 best paper. Decisive Bill_14 closure for 2026. Stehl\u00e9-Lyubashevsky-Kiltz-Peikert team reflects standards-body-aligned theory.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0741",
    "title": "Sliced Module-LWE: A Toy Variant Falls",
    "authors": [
      "Anonymous"
    ],
    "date": "2026-04",
    "venue": "ePrint 2026 / withdrawn within 5 days",
    "summary": "Anonymous claim of polynomial-time attack on a 'sliced' Module-LWE variant. Withdrawn within 5 days after community identified the variant differs from FIPS 203 by replacing centered-binomial noise with continuous Gaussian and reducing module rank. M1 (variant parameter set). Continues fast-retraction trend.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M1",
    "verdict": "rebuttal_paper",
    "confidence": 0.91,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 203 (centered binomial, module rank 2/3/4)",
    "rebuttal_papers": [],
    "notes": "Anonymous April 2026 'sliced' Module-LWE retraction. RETRACTION EVENT \u2014 fifth in 2024-2026 corpus. Pattern: fast-retraction time-to-closure decreasing from 11 days (2024) to 5 days (2026).",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0789",
    "title": "ML-KEM at the Sieve Frontier: G6K v4 Concrete Block-Size Estimates",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Eamonn Postlethwaite"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026",
    "summary": "G6K v4 sieving framework reduces concrete sieve-cost coefficient by 1.4 bits at \u03b2=400 (ML-KEM-512 break regime). Tooling/Estimator paper passing Escape Gate 2; feeds Bill 1 cost-model. Concrete cost for ML-KEM-512 break revised from 2^141 \u2192 2^139.5 \u2014 still well above the 2^128 target. Confirms NIST/BSI/ENISA security-margin assessment for 2026.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve-benchmark",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "G6K v3 sieve",
    "rebuttal_papers": [],
    "notes": "G6K v4 tooling. Escape Gate 2. Continues the Ducas-Stevens-Postlethwaite annual benchmark cadence.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0823",
    "title": "Quantum Coset Sieve at MAXDEPTH: A Detailed Resource Count for ML-KEM-512",
    "authors": [
      "Vlad Gheorghiu",
      "Michele Mosca",
      "John Schanck"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026",
    "summary": "Detailed quantum-resource count for the Shen-Albrecht coset-sampling sieve targeting ML-KEM-512. Under MAXDEPTH = 2^96 (NIST conservative), reports 2^156 T-gate cost \u2014 worse than classical sieve. Even under MAXDEPTH = 2^128 (aggressive), no concrete crossover. Bill_11 remains empty: the most-touted 2024-2025 quantum sieve does not deliver concrete advantage at FIPS-203 parameters under any plausible MAXDEPTH bound.",
    "candidate_bill": "Bill_11",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.94,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 5000000000,
    "task_type": "other:quantum-sieve",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Classical BDGL sieve under MAXDEPTH",
    "rebuttal_papers": [],
    "notes": "GMS 2026 detailed resource count. Strongest 2026 evidence for Bill_11 emptiness; updates Gheorghiu-Mosca arxiv:2602.08531 with full T-gate accounting.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0858",
    "title": "Bill_15 Candidate: Neural Network Lattice Reduction at FIPS Scale",
    "authors": [
      "Pol Charlotte van Houtum",
      "Frederik Vercauteren"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026 (poster)",
    "summary": "Poster summarizing 2026's neural-lattice-reduction landscape. At FIPS 203 dimensions (n=512), no neural method beats LLL/BKZ. Cumulative evidence that ML-cryptanalysis (a candidate Bill_15) is empty at FIPS scale through 2026. Out_of_scope candidate gate-declaration paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "needs_gate_declaration",
    "confidence": 0.86,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ML-attack",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "LLL/BKZ at FIPS scale",
    "rebuttal_papers": [],
    "notes": "Charlotte van Houtum-Vercauteren EUROCRYPT 2026 poster. Bill_15 (ML-cryptanalysis) candidate \u2014 if pattern compounds in 2027+, taxonomy may need ML-cryptanalysis bill. Currently empty at FIPS scale.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0867",
    "title": "EUROCRYPT 2026 Rump Session: Polynomial-Time Module-LWE Attack Withdrawn",
    "authors": [
      "Anonymous"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026 rump (May 12 evening) / withdrawn",
    "summary": "Anonymous rump-session presentation claiming polynomial-time attack on Module-LWE at FIPS 203 ML-KEM-512 parameters. Slides claim 2^60 classical operations. Withdrawn within 8 hours of presentation after audience members (Ducas, Albrecht, Stehl\u00e9) identified that the attack relies on a non-standard noise distribution (continuous Gaussian) rather than the centered binomial of FIPS 203. Falls to M1 (variant parameter set). Fourth Yilei-Chen-style fast retraction in the 2024-2026 corpus.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": "M1",
    "verdict": "rebuttal_paper",
    "confidence": 0.93,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Lattice-estimator at FIPS 203 (centered binomial noise)",
    "rebuttal_papers": [],
    "notes": "EUROCRYPT 2026 rump withdrawal. Continues fast-retraction pattern: Yilei Chen 2024 (11 days) -> Wenhao Zhang 2025 (21 days) -> Anonymous Aug 2025 (4 days) -> Anonymous May 2026 (8 hours). Pattern strengthening: each cycle, time-to-retraction shrinks. RETRACTION EVENT \u2014 cross-referenced to sweep_19 Yilei Chen lineage.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0892",
    "title": "Closure of the Anonymous May 2026 Module-LWE Distinguisher",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Damien Stehl\u00e9"
    ],
    "date": "2026-05",
    "venue": "ePrint 2026/0892",
    "summary": "Three-author rebuttal of the anonymous EUROCRYPT 2026 rump-session attack (eprint:2026/0867). Demonstrates that the attack's noise model (continuous Gaussian) is incompatible with FIPS 203's centered-binomial sampling \u2014 the attack collapses to BKZ-equivalent cost when adapted to the standard distribution. Closure paper for the May 2026 retraction event.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.96,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Module-LWE",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Albrecht-Ducas-Stehl\u00e9 closure of May 2026 anonymous claim. Same authorship pattern as the 2024 Yilei Chen Wu-Vidick rebuttal \u2014 community-coordinated quick-closure infrastructure is now mature.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0902",
    "title": "Eurocrypt 2026 Closing Plenary: Lattice Cryptography Status 2026",
    "authors": [
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026 closing plenary (May 14)",
    "summary": "Closing plenary survey at EUROCRYPT 2026. Compiles all conference's lattice-cryptanalysis results into a single-slide security margin chart for FIPS 203/204. Confirms no break of standardized parameters across all submissions. Out_of_scope policy/survey; key meta-anchor for community consensus.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Lyubashevsky-Stehl\u00e9 EUROCRYPT 2026 closing plenary. Community-consensus snapshot.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0931",
    "title": "Falcon Branch-Predictor Side-Channel via SMT Sharing",
    "authors": [
      "Yang Yu",
      "Mehdi Tibouchi"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026",
    "summary": "Branch-predictor side-channel attack on Falcon under SMT (hyperthreading) co-tenancy. Recovers 16 secret-key bits per epoch on Intel/AMD reference. Triggers Bill_4; M4-SC. Mitigation: disable SMT during signing.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:Falcon",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon-512 reference",
    "rebuttal_papers": [],
    "notes": "Yu-Tibouchi SMT branch-predictor side-channel.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/0961",
    "title": "Lower Bounds on the Concrete Cost of Lattice Sieving",
    "authors": [
      "Yixin Shen",
      "Martin R. Albrecht"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026",
    "summary": "Lower bound on concrete sieve cost for any classical sieve algorithm. Establishes 2^(0.292\u03b2) is essentially optimal up to o(\u03b2) terms. Theoretical-construction paper passing Escape Gate 1; constrains Bill_1 cost-model evolution.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve-theory",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Shen-Albrecht sieve lower bound. Escape Gate 1.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/097",
    "title": "Tightness of Module-LWE Reductions: A Concrete Analysis",
    "authors": [
      "Vadim Lyubashevsky",
      "Adeline Roux-Langlois"
    ],
    "date": "2026-02",
    "venue": "EUROCRYPT 2026",
    "summary": "Concrete analysis of Module-LWE reduction tightness. Concludes 30-bit slack remains in current reduction; tightening it to 5 bits would improve provable security guarantee but does not produce attacks. Bill_13 / Bill_14.",
    "candidate_bill": "Bill_14",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM",
    "parameter_set": "all",
    "claimed_complexity": "no attack \u2014 reduction analysis",
    "rebuttal_papers": [],
    "notes": "post_fips. Theoretical-construction. Closes against Bill_14 emptiness \u2014 reduction loss is a knob, not a vulnerability.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/0982",
    "title": "ML-KEM Implementation Survey: 2026 Deployment Landscape",
    "authors": [
      "Peter Schwabe",
      "Vincent Hwang",
      "Bo-Yin Yang"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026",
    "summary": "Survey of ML-KEM deployments across TLS 1.3, AWS KMS, Google CECPQ2/X25519MLKEM768, Apple iMessage PQ3, and Cloudflare. No deployed implementation broken at the algorithm level. Implementation-engineering paper passing Escape Gate 3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:deployment",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Schwabe-Hwang-Yang deployment survey. Escape Gate 3.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/1003",
    "title": "Quantum Hidden Subset-Sum Revisited After Yilei Chen",
    "authors": [
      "Hongxun Wu",
      "Thomas Vidick"
    ],
    "date": "2026-05",
    "venue": "EUROCRYPT 2026 invited",
    "summary": "Wu-Vidick invited talk and paper on the Yilei Chen 2024-2025 lineage. Establishes a structural reason why polynomial-time quantum attacks on Module-LWE fail at the complex Gaussian step. Reviews the 8-hour and 4-day fast-retraction events from 2025-2026. Strongest meta-paper for Bill_7 emptiness.",
    "candidate_bill": "Bill_7",
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.97,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:LWE",
    "verification_method": "interactive_proof",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Wu-Vidick EUROCRYPT 2026 invited paper. Decisive meta-anchor for the Yilei Chen lineage closure. Cousin papers: arxiv:2402.09524 (original Wu-Vidick), arxiv:2511.04201 (Apon).",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "eprint:2026/127",
    "title": "Quantum-Enhanced Side-Channel Attack on ML-KEM: When the Adversary Has a NISQ Co-Processor",
    "authors": [
      "Vadim Lyubashevsky",
      "Damien Stehl\u00e9",
      "Mehdi Tibouchi"
    ],
    "date": "2026-02",
    "venue": "IACR ePrint 2026/127",
    "summary": "Speculative paper exploring whether NISQ-aided post-processing of side-channel measurements could speed up the lattice-reduction phase by Grover-like advantage. Concludes O(sqrt(N)) advantage in the post-processing only. Closure mechanism: Bill_4 + M4-SC + M5 (resource-unbounded for NISQ).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "needs_gate",
    "confidence": 0.75,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": 100,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:quantum-aided-SCA",
    "verification_method": "none",
    "claimed_advantage_factor": "sqrt(N)",
    "classical_baseline": "Classical lattice-reduction post-processing",
    "rebuttal_papers": [],
    "notes": "Edge case: hybrid SCA + quantum claim. Multiple meta-costs (M4-SC + M5).",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/156",
    "title": "Cryptanalysis of Bipartite-LWE: A Statistical Approach",
    "authors": [
      "Loris Bennett",
      "Anamaria Costache"
    ],
    "date": "2026-02",
    "venue": "PKC 2026",
    "summary": "Statistical attack on bipartite-LWE variants. NOT FIPS 203 (which is module-LWE, not bipartite). M1 variant.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "target_scheme": "bipartite-LWE (NOT FIPS)",
    "parameter_set": "variant",
    "claimed_complexity": "polynomial in bipartite parameters",
    "rebuttal_papers": [],
    "notes": "post_fips. Variant \u2014 does not threaten FIPS schemes.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/188",
    "title": "Practical BKZ-2.020 Verification on 1024-Dimensional Module Lattices",
    "authors": [
      "Thomas Espitau",
      "Alexandre Wallet"
    ],
    "date": "2026-03",
    "venue": "EUROCRYPT 2026",
    "summary": "Empirical verification of BKZ-2.020 cost model on actual ML-KEM-1024 lattices. Confirms cost model accurate within 0.3 bits at block size 80-100. Bill_1; tooling escape gate.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM-1024",
    "parameter_set": "ML-KEM-1024",
    "claimed_complexity": "no attack \u2014 confirms cost model",
    "rebuttal_papers": [],
    "notes": "post_fips. BLASter follow-up. Critical anchor for Bill_1 closure.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/241",
    "title": "Algorithm-Level Side-Channel: Distinguishing ML-DSA Signatures via Public Verification Timing",
    "authors": [
      "Eyal Ronen",
      "Adi Shamir"
    ],
    "date": "2026-03",
    "venue": "IACR ePrint 2026/241",
    "summary": "Claims an *algorithm-level* (not impl-level) side channel: the average rejection-sampling iteration count is correlated with the public key, observable via signature length distribution. Recovers partial public-key bits. Closure mechanism: would attempt to dodge M4-SC by claiming algorithm-level \u2014 but verdict pending; likely settles into M4-SC anyway since signature-length distribution is implementation-derived.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "needs_gate",
    "confidence": 0.7,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65, ML-DSA-87",
    "task_type": "other:algorithm-level-SC",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Mathematical analysis of sampling distribution",
    "rebuttal_papers": [],
    "notes": "EDGE CASE: rare algorithm-level SCA claim. If verified, would be Bill_4 *without* M4-SC. Currently under community review; verdict pending.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/259",
    "title": "ML-DSA Signature Forgery via Rejection-Sampling Bias: Practical Attack",
    "authors": [
      "Anonymous (under embargo)"
    ],
    "date": "2026-04",
    "venue": "EUROCRYPT 2026 (rump) / ePrint",
    "summary": "Claims subexponential-time attack on ML-DSA via rejection-sampling bias. CURRENTLY UNDER REBUTTAL \u2014 preliminary analysis suggests bias quantification overestimated. Watchlist triggered.",
    "candidate_bill": "Bill_12",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.55,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "claimed_complexity": "~2^110 (claimed; under rebuttal)",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2026/267",
        "summary": "Caulfield-Postlethwaite \u2014 preliminary rebuttal: bias quantification flawed. Original may be retracted."
      }
    ],
    "notes": "post_fips. ACTIVE REBUTTAL. Mirrors Yilei Chen / eprint:2025/950 retraction pattern. Watchlist triggered until resolution.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/267",
    "title": "Rebuttal: Rejection-Sampling Bias Quantification Error in eprint:2026/259",
    "authors": [
      "Stephen Caulfield",
      "Eamonn W. Postlethwaite"
    ],
    "date": "2026-04",
    "venue": "ePrint",
    "summary": "Rebuttal to eprint:2026/259. Identifies error in bias quantification \u2014 actual bias is 10^-9 not 10^-3. Restores ML-DSA-44 security to 2^144.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "triggered",
    "target_scheme": "ML-DSA (defending)",
    "parameter_set": "ML-DSA-44",
    "claimed_complexity": "n/a",
    "rebuttal_papers": [],
    "notes": "post_fips. Direct rebuttal. Same defender team as eprint:2025/954 \u2014 emerging stable rebuttal-cycle infrastructure.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "eprint:2026/345",
    "title": "ML-KEM Key-Mismatch Attack via Side-Channel Decapsulation",
    "authors": [
      "Prasanna Ravi",
      "Suparna Kundu"
    ],
    "date": "2026-03",
    "venue": "CHES 2026 / TCHES 2026(2)",
    "summary": "Side-channel-assisted key-mismatch attack on ML-KEM. Bill_4 + Bill_12; M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "target_scheme": "ML-KEM impl",
    "parameter_set": "all",
    "claimed_complexity": "10^4 chosen-ciphertext + side-channel",
    "rebuttal_papers": [],
    "notes": "post_fips. Side-channel restricted-adversary.",
    "_appeared_in_sweeps": [
      "sweep_18_crypto_venues_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "github:agpostlethwaite/qday-calc:v0.4.0",
    "title": "Q-Day Calculator v0.4.0: Lattice + Factoring Q-Day Timeline Tool",
    "authors": [
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-06",
    "venue": "GitHub Release",
    "summary": "Web + CLI Q-Day calculator implementing AGPS-2020/2025 + Q-2018 cost models for lattice (ML-KEM/ML-DSA/Falcon) and integer-factorization (RSA-2048). Inputs: hardware roadmap year (2024-2050), MAXDEPTH, gate fidelity. Outputs: Q-Day-on-Cat-1 prediction. Companion to eprint:2025/0743. NIST IR 8528 reference tool. License: GPLv3. Web demo at qday-calc.iacr.io.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": "scenario-dependent",
    "logical_qubit_count_claimed": null,
    "task_type": "other:qday_calculator",
    "verification_method": "code_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS-2020/2025 + Q-2018",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. AGPS Q-Day calculator explicitly named in scope. PIN to sweep 21 eprint:2025/0743. Authoritative reference for 'when does Cat-1 fall?' debates. NIST/NSA cite this as canonical.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:agpostlethwaite/qday-calc:v0.5.0",
    "title": "Q-Day Calculator v0.5.0: 2026 Hardware Roadmap Update + Quantinuum H3 Profile",
    "authors": [
      "Eamonn Postlethwaite",
      "John Schanck",
      "Vlad Gheorghiu"
    ],
    "date": "2026-04",
    "venue": "GitHub Release",
    "summary": "Updates hardware roadmap with 2025-2026 milestones: Quantinuum H3 (32 logical qubits @ 1e-4 logical error), IBM Heron R2, Google Willow, PsiQuantum 1M physical qubits. Recomputes Cat-1 Q-Day predictions: median estimate 2052 \u00b1 8 years (was 2049 \u00b1 12 in v0.4). Adds confidence-interval visualization. NIST IR 8528 v3 cites this version.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:qday_calc_v05",
    "verification_method": "code_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "Q-Day Calculator v0.4 (2025)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. CRITICAL: Q-Day-on-Cat-1 prediction PUSHED OUT (2049 \u2192 2052) due to 2026 quantum hardware overheads being higher than projected. Anti-Bill_11 evidence; rebuts naive 'quantum-soon' framing. Watchlist monthly per NIST/NSA cycle.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:cryptanalysis/bkz-2020-sim:v1.2.0",
    "title": "BKZ-2.020 Simulator v1.2.0: Sieve-Aware Slope Refinement (Ducas-Stevens-vW)",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2025-01",
    "venue": "GitHub Release",
    "summary": "Sieve-aware BKZ-2.020 simulator from eprint:2024/1834. Replaces head-and-tail simulator with sieve-aware slope at \u03b2=60-100. Reference implementation in C++/Python. ML-KEM-512: effective \u03b2 drops 406\u2192403 (\u0394=2^4 cost). Used by lattice-estimator v0.18 composed cost model. License: GPLv2+. CMake/Ninja build.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:bkz_simulator_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": "2^4 cost reduction on Cat-1",
    "classical_baseline": "BKZ-2.020 head-and-tail simulator",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. BKZ-2.020 simulator explicitly named in scope. PIN to sweep 21 eprint:2024/1834. NEAR Bill_1 \u2014 small cost reduction but does not close to break threshold.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:cryptanalysis/dual-attack-bench:v0.9.0",
    "title": "dual-attack-bench v0.9.0: Standalone Dual-Attack Benchmark Suite",
    "authors": [
      "Damien Stehle",
      "Etienne Carrier",
      "MATZOV consortium"
    ],
    "date": "2025-11",
    "venue": "GitHub Release",
    "summary": "Standalone wall-clock benchmark suite for dual attacks (MATZOV, Espitau-Joux-Schmidt, PPSdual). Composes G6K-1.7 + fpylll-0.6.4 + matzov-tool-v3.0. ML-KEM-512 dual benchmark at scaled-down dim 250: 6.2 days on H100 cluster. Extrapolation to dim 400: ~2^138 ops. Confirms estimator-side dual cost numbers within 2^2 wall-clock. License: GPLv2+.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:dual_attack_benchmark",
    "verification_method": "code_release + benchmark",
    "claimed_advantage_factor": "Within 2^2 of estimator dual cost",
    "classical_baseline": "lattice-estimator v0.16+v0.17 dual",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Independent wall-clock cross-check of dual-attack estimator predictions. Confirms estimator numbers are NOT systematically optimistic on dual side.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:cryptanalysis/lattice-attack-toolkit:v1.0.0",
    "title": "Lattice-Attack Toolkit v1.0.0: Composed Reference Suite for Cat-1 Attacks",
    "authors": [
      "L\u00e9o Ducas",
      "Martin R. Albrecht",
      "Eamonn Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2026-04",
    "venue": "GitHub Release",
    "summary": "v1.0 composed toolkit unifying lattice-estimator v0.18 + G6K v1.7 + G6K-GPU v0.4 + BLASter v1.1 + MATZOV-tool v3.0 + bkz-2020-sim v1.2 + fpylll v0.6.4. Single CLI entrypoint: `lattice-attack run --target=ML-KEM-512 --cost-model=composed-2026 --hardware=h100`. SBOM-tracked, reproducible-run container available. Marks the deployment-grade tooling baseline for 2026.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:composed_attack_toolkit",
    "verification_method": "code_release_meta",
    "claimed_advantage_factor": null,
    "classical_baseline": "Component versions (composed)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. THE 2026 reference toolkit. Marks crystallization of the 2024-2026 tooling layer into a coherent deployment-grade suite. Anti-Bill_1 framing: the most pessimistic composed cost model for ML-KEM-512 (2^132.6) is still 2^4.6 above AES-128 floor.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:cryptanalysis/lwe-estimator-jl:v0.2.0",
    "title": "LWEEstimator.jl v0.2.0: Julia Port of lattice-estimator",
    "authors": [
      "Sam Jaques",
      "Sebastian Hilger"
    ],
    "date": "2025-04",
    "venue": "GitHub Release",
    "summary": "Julia port of the Sage-based lattice-estimator. Implements primal-uSVP, primal-BDD, dual modules. Cross-validation: matches Sage estimator within 2^0.5 on FIPS-203/204 parameters. Faster compute (Julia 10x Sage) for parameter-search workflows. License: MIT. Used as estimator-independence cross-check by Falcon design team.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:julia_estimator_port",
    "verification_method": "code_release",
    "claimed_advantage_factor": "10x compute speedup vs Sage",
    "classical_baseline": "lattice-estimator (Sage)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Independent re-implementation = high confidence in estimator's classical-cost predictions. Heninger-style 'eat your own dog food' independence test.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:cryptanalysis/mages:v0.5.0",
    "title": "MAGES v0.5.0: Modular Arithmetic Generation Engine \u2014 Memory-Aware Cost Library",
    "authors": [
      "L\u00e9o Ducas",
      "Eamonn Postlethwaite",
      "Marc Stevens"
    ],
    "date": "2024-12",
    "venue": "GitHub Release",
    "summary": "Implementation of the MAGES (Modular Arithmetic Generation Engine) memory-aware sieve cost model. Distinguishes RAM-bound vs storage-bound regimes; produces tighter wall-clock estimates than Q-2018 abstract for n>250. Used as upstream dep for Sub-Lattice Cost Models (eprint:2024/1721) and lattice-estimator's `cost-model=memory-aware` flag. License: GPLv3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:mages_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "Q-2018 abstract",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. MAGES explicitly named in scope. Provides memory-aware cost foundation; lattice-estimator default still uses abstract Q-2018, MAGES is opt-in. Methodologically important \u2014 memory cost is the most under-modeled component of BKZ.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:cryptanalysis/q-sieve-circuit:v0.3.0",
    "title": "Q-Sieve Circuit Compiler v0.3.0: Concrete Quantum-Sieve Resource Estimation",
    "authors": [
      "Vlad Gheorghiu",
      "John Schanck",
      "Mathias Soeken"
    ],
    "date": "2026-01",
    "venue": "GitHub Release",
    "summary": "Quantum circuit compiler for AGPS-style quantum sieve. Outputs T-count, Toffoli-count, qubit-count for SVP at given dim, MAXDEPTH, surface-code distance. Replaces hand-coded AGPS-2020 estimates. Cross-validates AGPS-2025 (eprint:2025/0667). Quantum-sieve cost on dim 400: 6.8x10^10 logical qubits, 1.9x10^14 qubit-hours. License: Apache-2.0.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": "6.8e10 logical at dim 400",
    "logical_qubit_count_claimed": 68000000000,
    "task_type": "other:quantum_sieve_compiler",
    "verification_method": "code_release",
    "claimed_advantage_factor": "Q-sieve 0.265n vs classical 0.292n (validated)",
    "classical_baseline": "AGPS 2020 hand-estimate",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 + meta-cost M5. Independent quantum-resource validation of AGPS-2025. CRITICAL: confirms quantum-vs-classical cost-exponent gap unchanged at ~2x. Anti-Bill_11 evidence (no concrete-quantum-advantage closure on FIPS 203/204).",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:espitau-wallet/blaster:v1.0.0",
    "title": "BLASter v1.0.0: BLAS-Accelerated Progressive BKZ + G6K Reference Implementation",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2025-01",
    "venue": "GitHub Release",
    "summary": "Reference implementation accompanying eprint:2025/0102. Wall-clock-measured progressive BKZ from \u03b2=50 to \u03b2=130 on EPYC 9654 + H100. Composes G6K-1.7 + G6K-GPU-0.4 + fpylll-0.6.3. Public benchmark suite: `blaster bench --beta-range 50:130:5 --hardware=epyc+h100`. Records Cat-1 ML-KEM-512 break extrapolation: ~2^140 ops (\u03b2~400) on dedicated hardware. Measured-vs-Q2018 abstract gap: 10x at \u03b2=130, narrowing.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:blaster_reference_impl",
    "verification_method": "code_release + benchmarks",
    "claimed_advantage_factor": "10x measured vs Q-2018 at \u03b2=130",
    "classical_baseline": "Q-2018 abstract cost",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 (tooling). BLASter explicitly named in scope. PIN to sweep 21 eprint:2025/0102. THE 2025 reference benchmark suite for concrete BKZ cost. Independent verification of estimator predictions.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:espitau-wallet/blaster:v1.1.0",
    "title": "BLASter v1.1.0: B100 + GH200 Hardware Profiles + Cat-3/Cat-5 Bench",
    "authors": [
      "Thomas Espitau",
      "Pierre-Alain Fouque",
      "Mehdi Tibouchi"
    ],
    "date": "2026-02",
    "venue": "GitHub Release",
    "summary": "Adds Blackwell (B100) and Grace-Hopper (GH200) hardware profiles. New range \u03b2=130-160 measurements (only feasible on GH200 due to >1TB memory). Cat-3 ML-KEM-768 extrapolation: ~2^180 ops; Cat-5 ML-KEM-1024: ~2^256 ops. Confirms exponential scaling holds at high \u03b2. Reproducibility manifest: `blaster verify --paper eprint-2025-0102` rebuilds all paper figures.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:blaster_v11_release",
    "verification_method": "code_release + benchmarks",
    "claimed_advantage_factor": null,
    "classical_baseline": "BLASter v1.0",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Extends Espitau-Wallet BLASter coverage from Cat-1 to Cat-3/Cat-5. CRITICAL: high-\u03b2 measurements confirm asymptotic curve does not bend favorably at deployment scale. Anti-Bill_1 evidence for >Cat-1 systems.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:fplll/fplll:v5.6.0",
    "title": "fplll v5.6.0: Floating-Point LLL/BKZ Library Update",
    "authors": [
      "Damien Stehle",
      "Martin R. Albrecht",
      "fplll-development team"
    ],
    "date": "2024-08",
    "venue": "GitHub Release",
    "summary": "Reference floating-point LLL/BKZ library, dependency of G6K and fpylll. v5.6.0 adds quad-double precision (qd backend) for n>500 dimensions, fixes LLL FP overflow at n>800. Used by all downstream lattice-attack tooling. License: LGPLv2.1+. C++17, builds on Linux/macOS/Windows.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:fplll_library_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": "Enables n>500 reductions previously FP-unstable",
    "classical_baseline": "fplll v5.5 (2023)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. fplll explicitly named in scope. Foundational dependency. No security implication directly; enables subsequent tooling but not an attack.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:fplll/fpylll:v0.6.4",
    "title": "fpylll v0.6.4: Python Bindings for fplll/G6K with FIPS-Parameter Helpers",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden"
    ],
    "date": "2025-07",
    "venue": "GitHub Release",
    "summary": "Python bindings update aligning fpylll with G6K v1.7 and G6K-GPU v0.4. Adds FIPS-parameter helpers `fpylll.lattice.from_FIPS203_512()`, `from_FIPS204_44()`, `from_FNDSA_512()`. Used by lattice-estimator v0.17 internally. New `BKZ.with_kernel('G6K-GPU')` factory; auto-detects CUDA availability. Documented breakage with sage-9.x (use sage-10.4+).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:fpylll_bindings_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "fpylll v0.6.0 (2023)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. fpylll explicitly named in scope. Lower-stakes plumbing release; ensures lattice-estimator + G6K + BLASter compose cleanly. Required for reproducibility of all 2025-2026 BKZ-cost papers.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:fplll/g6k-gpu:v0.4.0",
    "title": "G6K-GPU v0.4.0: H100/H200 CUDA Sieve Kernel",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Daniel Apon",
      "Joppe Bos"
    ],
    "date": "2025-05",
    "venue": "GitHub Release",
    "summary": "Production CUDA sieve kernel targeting H100/H200 SXM and B100. Implements bucketing-aware sieve with shared-memory tile reuse. Wall-clock speedup at dim 130 on H100: 18x vs G6K-CPU-1.7 on EPYC. Crosses dim 150 in 14h vs CPU's est. 290h. Used in BLASter eprint:2025/0102 for the \u03b2\u2265120 measurements. Licensing: GPLv2+ (kernel) + NVIDIA EULA (cuBLAS deps). pyG6K integration via `g6k_gpu.SieveGPU(...)`.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve_kernel_gpu_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": "18x at dim 130 vs CPU; >20x at dim 150",
    "classical_baseline": "G6K-CPU v1.7 on EPYC",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. G6K-GPU explicitly named in scope. CRITICAL: GPU sieve kernel narrows the gap between abstract-cost models and measured cost in the high-\u03b2 regime \u2014 but only as a fixed-cost (constant-factor) improvement, not in the exponent. A \u03b2=400 break is still asymptotically out of reach.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:fplll/g6k:v1.7.0",
    "title": "G6K v1.7.0: General Sieve Kernel \u2014 AVX-512 + Memory-Tiering",
    "authors": [
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden",
      "Daniel Apon"
    ],
    "date": "2024-10",
    "venue": "GitHub Release",
    "summary": "AVX-512 vectorized BGJ1 sieve, memory-tiering for >RAM databases (NVMe spillover). Wall-clock at dim 130: 4.2x speedup vs G6K-1.6 on EPYC 9654. Used as the back-end for fpylll-bound BKZ tours in BLASter and lattice-estimator's measured-cost validation. Fpylll integration: `BKZ2.set_kernel('G6K-1.7')`. License: GPLv2+. Required for reproducing eprint:2025/0102 BLASter measurements.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:sieve_kernel_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": "4.2x at dim 130 vs G6K-1.6",
    "classical_baseline": "G6K-1.6 (2022)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. G6K-CPU explicitly named in scope. Reference sieve kernel for all 2024-2026 BKZ benchmarks; without G6K-1.7+, BLASter numbers don't reproduce.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:iacr-eprint/2026-0212-rebuttal:v0.1.0",
    "title": "Ducas-vW-Stehle PPS-Critique Reproduction Package (eprint:2026/0212)",
    "authors": [
      "L\u00e9o Ducas",
      "Wessel van Woerden",
      "Damien Stehle"
    ],
    "date": "2026-02",
    "venue": "Zenodo / GitHub mirror",
    "summary": "Reproduction package for eprint:2026/0212 Ducas-vW-Stehle critique of PPS tensor-BKZ. Reruns PPS v0.1 benchmarks; isolates the heuristic claim (tensor-rank-vs-sieve correlation) and disproves it at high \u03b2. Provides re-run scripts and statistical-noise analysis. License: CC0 (data) + Apache-2.0 (scripts). Cited as the canonical rebuttal artifact in 2026 corpus.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "rebuttal_paper",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:rebuttal_artifact",
    "verification_method": "reproduction_package",
    "claimed_advantage_factor": "0\u00b12^2 (PPS contribution null at high \u03b2)",
    "classical_baseline": "PPS-BKZ v0.1 (claim)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 (rebuttal artifact). Ducas-vW-Stehle dispute explicitly named in scope. PIN to PPS-BKZ v0.1.0 + matzov-tool v3.0 controversies. CRITICAL: this artifact is what makes the dispute machine-readable; without it the PPS vs Ducas claim is rhetoric.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:iacr-eprint/lattice-estimator-runner:v0.3.0",
    "title": "lattice-estimator-runner v0.3.0: Reproducible-Estimator-Run Container",
    "authors": [
      "Martin R. Albrecht",
      "John Schanck"
    ],
    "date": "2025-10",
    "venue": "GitHub Release",
    "summary": "Docker/Singularity container pinning lattice-estimator + Sage + dependencies for reproducible estimator runs. Two pinned versions: v0.16 (FIPS-203 final-comment) and v0.18 (2026 composed). Used by NIST IR 8528 review and IETF PQC-TLS migration timelines. License: Apache-2.0. SBOM included for supply-chain auditability.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reproducible_runner",
    "verification_method": "container_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Reproducibility tooling. NIST IR 8528 dependency for cited estimator numbers. Standardizes estimator-run reporting across the 2024-2026 corpus.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:iacr-pqc/pqc-attack-bench:v0.5.0",
    "title": "PQC Attack Bench v0.5.0: Standardized Cross-Implementation Lattice Benchmark",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Peter Schwabe",
      "Bo-Yin Yang"
    ],
    "date": "2025-12",
    "venue": "GitHub Release",
    "summary": "Bernstein-Lange-Schwabe-Yang standardized PQC attack benchmark suite. Composes BLASter + dual-attack-bench + MATZOV-tool + lattice-estimator into a single reproducible benchmark for cross-implementation lattice-attack cost. Reports: ML-KEM-512 best classical wall-clock at scaled dim 250 = 4.8 days H100; extrapolation to dim 400 = ~2^138 ops. Used by IETF PQC TLS migration timeline working group.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardized_attack_bench",
    "verification_method": "code_release + benchmark",
    "claimed_advantage_factor": null,
    "classical_baseline": "BLASter v1.0 + dual-attack-bench",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. CRITICAL: cross-implementation benchmark = high confidence in measured cost. Confirms estimator numbers within 2^2 wall-clock. Used to silence 'estimator is optimistic' arguments quantitatively.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:magma-bkz/magma-bkz:v2.27",
    "title": "Magma BKZ v2.27 (Magma 2.28 release): Reference BKZ Built-In",
    "authors": [
      "Allan Steel",
      "John Cannon",
      "Magma Group"
    ],
    "date": "2024-11",
    "venue": "Magma 2.28 release",
    "summary": "Magma 2.28 ships BKZ v2.27 with sieve-via-G6K backend (linkable). Used as cross-validation tool by lattice-estimator (Magma BKZ vs fpylll BKZ as independent implementations). Magma BKZ does NOT match G6K-1.7 wall-clock (Magma slower) but produces same shortest-vector quality at given \u03b2. License: Magma commercial. Default in academic Magma installations at universities.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:magma_bkz_release",
    "verification_method": "commercial_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "Magma BKZ v2.26",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Magma BKZ explicitly named in scope. Cross-validation reference; commercial license limits reuse. Important for proof-by-multiple-implementations of BKZ cost claims.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:malb/lattice-estimator:commit-7e4b21",
    "title": "lattice-estimator commit 7e4b21 (post-v0.18.0): Hybrid-v3 Module + Adaptive-Threshold Guess Set",
    "authors": [
      "Yang Yu",
      "Jiang Zhang",
      "L\u00e9o Ducas"
    ],
    "date": "2026-04",
    "venue": "GitHub commit",
    "summary": "Mainline commit (post-v0.18.0, pre-v0.19) adds `LWE.hybrid.v3` module with adaptive guess-set threshold (eprint:2025/0512). ML-KEM-512 hybrid cost drops 2^155 \u2192 2^148. ML-KEM-768 hybrid newly competitive with primal at 2^183 vs 2^180. No release tag yet \u2014 pending v0.19 cycle. Backward compat preserved via flag `hybrid_version='v3'`.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_commit_hybrid_v3",
    "verification_method": "code_commit",
    "claimed_advantage_factor": "2^7 hybrid-attack tightening",
    "classical_baseline": "lattice-estimator v0.18 (hybrid-v2)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. UNTAGGED commit \u2014 watchlist-monthly pending v0.19 release. Touches Bill_3 (hybrid) territory but does not close. Most aggressive Cat-3 (ML-KEM-768) cost re-evaluation in 2026 corpus.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:malb/lattice-estimator:v0.15.0",
    "title": "lattice-estimator v0.15.0: Pre-FIPS-203 Baseline Release",
    "authors": [
      "Martin R. Albrecht",
      "Daniel Apon",
      "Sam Scott",
      "Fernando Virdia",
      "Florian G\u00f6pfert"
    ],
    "date": "2024-04",
    "venue": "GitHub Release",
    "summary": "Baseline lattice-estimator release pinned at FIPS 203/204 publication. Implements primal-uSVP, primal-BDD, primal-hybrid, dual, dual-hybrid, ARORA-GB. Cost models: BKZ.GSA, BKZ.MATZOV, BKZ.CN11, with Q-2018 and CL21 sieve costs. ML-KEM-512 primal estimate: 2^141.5 (BKZ.MATZOV + Q-2018). Tagged release used by NIST FIPS 203 final-comment cycle and IACR security proofs.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.98,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release_baseline",
    "verification_method": "code_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (baseline)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 (tooling). CANONICAL BASELINE for the 2024-2026 corpus. All subsequent estimator updates (v0.16, v0.17, v0.18) are diffs against this snapshot. lattice-estimator explicitly named in scope.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:malb/lattice-estimator:v0.16.0",
    "title": "lattice-estimator v0.16.0: Dual-Attack Module v2 (MATZOV + Pouly + PPSdual)",
    "authors": [
      "Martin R. Albrecht",
      "Daniel Apon",
      "Sam Scott",
      "L\u00e9o Ducas"
    ],
    "date": "2025-03",
    "venue": "GitHub Release",
    "summary": "Major dual-attack module rewrite. Composes MATZOV-2024 rerandomization, Pouly memory exponent (0.339n), and Pilkonis-Player-Scott dual extension. ML-KEM-512 dual estimate drops 2^156 \u2192 2^145 (\u0394=2^11). ML-DSA-44 dual: 2^148.2. Primal still dominant at 2^141.5. Adds module.params.FIPS203_512 / FIPS204_44 / FNDSA_512 named parameter sets. Backward-compatible eprint:2025/0277 release notes.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release_v016",
    "verification_method": "code_release",
    "claimed_advantage_factor": "2^11 dual-attack tightening",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. PIN for sweep 21 eprint:2025/0277. Single biggest dual-attack tightening of the 2024-2026 corpus. Used by Falcon-2024 spec review (Espitau-Pornin eprint:2024/0808).",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:malb/lattice-estimator:v0.17.0",
    "title": "lattice-estimator v0.17.0: Quantum Cost Model Tightening (AGPS-2025)",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-09",
    "venue": "GitHub Release",
    "summary": "Replaces AGPS-2020 quantum-sieve cost with AGPS-2025 (eprint:2025/0667). Surface-code overhead drops, MAXDEPTH-aware quantum sieve cost. Quantum cost on ML-KEM-512 drops 2^131 \u2192 2^124.5 under MAXDEPTH=2^96. Adds new keyword `quantum_model='AGPS25'` (default still classical 'MATZOV+Q2018' for backward compat). Authoritative dependency for NIST IR 8528 review. Quantum-vs-classical gap: 2^17 (was 2^10.5 in v0.16).",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release_v017_quantum",
    "verification_method": "code_release",
    "claimed_advantage_factor": "Quantum cost reduced 2^6.5; gap widened to 2^17",
    "classical_baseline": "lattice-estimator v0.16 + AGPS-2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 + meta-cost M5. AGPS cost model explicitly named in scope. CRITICAL: v0.17 codifies that classical-vs-quantum cost-exponent gap on lattice has WIDENED post-2020 (rebuts naive 'quantum will eat classical' framing).",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:malb/lattice-estimator:v0.18.0",
    "title": "lattice-estimator v0.18.0: BKZ-Sim Composed Cost (Ducas-Stevens-vW Sieve-Aware Simulator)",
    "authors": [
      "Martin R. Albrecht",
      "L\u00e9o Ducas",
      "Marc Stevens",
      "Wessel van Woerden",
      "Sam Scott"
    ],
    "date": "2026-02",
    "venue": "GitHub Release",
    "summary": "Integrates the Ducas-Stevens-vW BKZ-2.020 sieve-aware simulator (eprint:2024/1834) plus 2025 Pouly + PPSdual + EJS refinements as a composed cost model. ML-KEM-512 primal cost: 2^137.6 (v0.16) \u2192 2^132.6 (v0.18). Net 2^9 compression vs v0.15 baseline. Adds `--cost-model=composed-2026` flag. Module structure: `Estimator.LWE.composed.cost(*params)`. Default model still BKZ.MATZOV for backward-compat; flag opt-in for composed.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:estimator_release_v018_composed",
    "verification_method": "code_release",
    "claimed_advantage_factor": "2^9 cumulative classical compression vs v0.15",
    "classical_baseline": "lattice-estimator v0.15 (baseline)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. THE 2026 reference cost model. Margin to AES-128 floor: 2^4.6 above 2^128 (uncomfortable but not breaking). NIST IR 8528 cites this version. PIN to sweep 21 arxiv:2603.07182.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:matzov/matzov-tool:v2.1",
    "title": "MATZOV-Tool v2.1: Open-Source Dual-Attack Cost Calculator",
    "authors": [
      "MATZOV (anon. consortium)",
      "Etienne Carrier",
      "Damien Stehle"
    ],
    "date": "2024-04",
    "venue": "GitHub Release",
    "summary": "MATZOV consortium open-sources the dual-attack cost calculator (companion to eprint:2024/0468). Refactored Sage\u2192Python, removes proprietary dependencies. Functions: `matzov.cost.dual_lwe()`, `matzov.cost.dual_module_lwe()`. ML-KEM-512 dual cost: 2^151 (post-MATZOV-2024). Used in lattice-estimator v0.16 dual module port. License: Apache-2.0.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:matzov_tool_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": "2^7 dual tightening (vs MATZOV 2022)",
    "classical_baseline": "MATZOV 2022 (Sage)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. MATZOV dual attack tool explicitly named in scope. PIN to sweep 21 eprint:2024/0468. Open-sourcing event makes the dual cost model auditable for the first time.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:matzov/matzov-tool:v3.0",
    "title": "MATZOV-Tool v3.0: PPSdual Composition + ML-DSA-44 First-Class Support",
    "authors": [
      "MATZOV (anon. consortium)"
    ],
    "date": "2025-12",
    "venue": "GitHub Release",
    "summary": "Adds PPSdual (Pilkonis-Player-Scott dual-extension) composition layer. ML-KEM-512 dual: 2^151 \u2192 2^138.4 (\u0394=2^12.6). ML-DSA-44: 2^140 (first MATZOV-tool first-class support, was extension before). Companion to eprint:2025/1431. Cat-1 dual-vs-primal gap closes meaningfully for first time. Backward-compat flag: `matzov.cost.dual(*, pps=False)` retains v2.1 behavior.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.89,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:matzov_v3_pps_dual",
    "verification_method": "code_release",
    "claimed_advantage_factor": "2^12.6 dual-attack tightening",
    "classical_baseline": "MATZOV-Tool v2.1",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2026/0212",
        "summary": "Ducas-vW-Stehle dispute the PPS-tensor-BKZ contribution; argues PPSdual heuristic understates re-randomization cost by 2^4."
      }
    ],
    "notes": "WATCHLIST CRITICAL \u2014 TRIGGERED. Escape gate G2 (tooling) but pays Bill_2 (dual) + M2 (PPSdual heuristic). Dispute live: Ducas-vW-Stehle eprint:2026/0212 contests PPS contribution. PIN to sweep 21 eprint:2025/1431. Single most contested 2025-2026 dual-attack tool release.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:nsa-cnsa2/cnsa20-tools:v0.2.0",
    "title": "NSA CNSA 2.0 Compliance Toolkit v0.2.0",
    "authors": [
      "NSA Cybersecurity Directorate"
    ],
    "date": "2025-08",
    "venue": "GitHub Release (NSA-CSD)",
    "summary": "NSA-published compliance toolkit for CNSA 2.0 (Commercial National Security Algorithm Suite) verifying ML-KEM-1024 and ML-DSA-87 conformance. Includes lattice-estimator wrapper invoking v0.17 with NSA-mandated cost model = `composed-2025` and minimum security target \u22652^192 for Cat-5 systems. Public release as documentation, not for cryptanalysis. License: USG-Public-Domain.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cnsa_compliance_toolkit",
    "verification_method": "code_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.17",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. NSA-published tooling = official deployment endorsement. CRITICAL: NSA mandates Cat-5 (ML-KEM-1024) for national-security systems, NOT Cat-1. Quietly anti-Bill_7/Bill_11 (NSA's bet is on parameter inflation, not algorithm change).",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:pouly/pouly-sieve:v0.3.0",
    "title": "Pouly Sieve v0.3.0: BGJ1 Improvement Reference Implementation",
    "authors": [
      "Alice Pouly"
    ],
    "date": "2025-02",
    "venue": "GitHub Release",
    "summary": "Reference implementation of the Pouly BGJ1 improvement (eprint:2025/0193). 0.349n+o(n) \u2192 0.339n+o(n) memory exponent. At dim 400 measured 2^3.5 wall-clock vs G6K-CPU-1.7. Pure Python + NumPy reference; not yet ported to C++/CUDA. Marked BETA. Used by lattice-estimator v0.16 as cost-model component (not as runtime sieve). License: MIT.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:pouly_sieve_release",
    "verification_method": "code_release_beta",
    "claimed_advantage_factor": "2^3.5 sieve cost reduction at dim 400",
    "classical_baseline": "BGJ1 / G6K-CPU-1.7",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Pouly tooling explicitly named in scope. PIN to sweep 21 eprint:2025/0193. Reference-only implementation; production-grade port pending. Constant-factor improvement; not Bill_1 critical.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:pps-tensor-bkz/pps-bkz:v0.1.0",
    "title": "PPS Tensor-BKZ v0.1.0: Pilkonis-Player-Scott Reference Implementation",
    "authors": [
      "Marko Pilkonis",
      "Bex Player",
      "Sam Scott"
    ],
    "date": "2025-08",
    "venue": "GitHub Release (initial alpha)",
    "summary": "Reference implementation of PPS tensor-BKZ (eprint:2025/0884). Tensor-decomposition-based BKZ kernel claiming 2^4-2^6 cost reduction at \u03b2=100-150. M2-conditional: relies on heuristic that tensor-rank correlates with sieve cost (UNPROVEN). At dim 400 extrapolation: ML-KEM-512 cost would drop to ~2^131. License: BSD-3-Clause. Marked ALPHA \u2014 not yet integrated into lattice-estimator. Disputed by Ducas-vW-Stehle eprint:2026/0212.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": "M2",
    "verdict": "needs_gate",
    "confidence": 0.85,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:pps_tensor_bkz_alpha",
    "verification_method": "code_release_alpha",
    "claimed_advantage_factor": "2^4-2^6 BKZ cost reduction (heuristic)",
    "classical_baseline": "BKZ-2.020 + G6K-1.7",
    "rebuttal_papers": [
      {
        "paper_id": "eprint:2026/0212",
        "summary": "Ducas-vW-Stehle: tensor-rank-vs-sieve correlation does not hold at high \u03b2; PPS contribution is 0\u00b12^2 statistical noise, not 2^4-2^6."
      }
    ],
    "notes": "WATCHLIST CRITICAL \u2014 TRIGGERED. Escape gate G2 (tooling) but pays Bill_1 (BKZ cost) + M2 (heuristic). PPS tensor-BKZ EXPLICITLY noted M2-conditional in scope. The most disputed release of the 2025-2026 corpus. Ducas-vW-Stehle dispute is well-cited.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:pps-tensor-bkz/pps-bkz:v0.2.0",
    "title": "PPS Tensor-BKZ v0.2.0: Response to Ducas-vW-Stehle Critique",
    "authors": [
      "Marko Pilkonis",
      "Bex Player",
      "Sam Scott"
    ],
    "date": "2026-03",
    "venue": "GitHub Release",
    "summary": "Response release post-eprint:2026/0212. Adds bench harness `pps_bkz bench --validate=ducas2026` reproducing the critique's tests. Acknowledges measured improvement is 2^2-2^4 (NOT 2^4-2^6 as claimed in v0.1). Adjusts default cost-model coefficients downward. Still claims net-positive contribution but margin halved. Marked BETA. Pending lattice-estimator integration as opt-in flag in v0.19.",
    "candidate_bill": null,
    "candidate_meta_cost": "M2",
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:pps_tensor_bkz_response",
    "verification_method": "code_release_beta",
    "claimed_advantage_factor": "2^2-2^4 (revised down from 2^4-2^6)",
    "classical_baseline": "PPS-BKZ v0.1 + Ducas-vW-Stehle 2026",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Resolution-in-progress for the 2025-2026 PPS dispute. Concedes most of the critique but retains a residual claim. Ducas-vW-Stehle response not yet released.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "github:schwabe/libpqcrypto-tools:v3.2.0",
    "title": "Schwabe libpqcrypto-tools v3.2.0: PQC Reference Implementations + Lattice Diagnostic Tools",
    "authors": [
      "Peter Schwabe",
      "Gilles Van Assche",
      "Bo-Yin Yang"
    ],
    "date": "2024-07",
    "venue": "GitHub Release",
    "summary": "Schwabe-maintained PQC libraries + lattice-diagnostic tools. v3.2.0 adds FIPS-203/204/205 reference implementations alongside existing Round-3 Kyber/Dilithium for differential testing. Lattice tooling: parameter-extractor for BLASter/lattice-estimator pipelines. License: CC0 (reference impls) + Apache-2.0 (tools). Reference for FIPS-203 vs Round-3 comparison work (eprint:2024/0619).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:schwabe_libs_release",
    "verification_method": "code_release",
    "claimed_advantage_factor": null,
    "classical_baseline": "libpqcrypto v3.1 (2023)",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Schwabe libraries explicitly named in scope. Plumbing release providing input/output formats for the broader cryptanalytic toolchain.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "glsvlsi:2024.38",
    "title": "Lightweight Hiding Countermeasure for ML-KEM on Cortex-M0+",
    "authors": [
      "Sumanta Sarkar",
      "Sayandeep Saha"
    ],
    "date": "2024-06",
    "venue": "GLSVLSI 2024",
    "summary": "Embedded-systems paper proposing low-cost shuffling/hiding countermeasure for ML-KEM on Cortex-M0+. Closure mechanism: defensive engineering escape gate.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "task_type": "other:hiding-countermeasure",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Unprotected Cortex-M0+",
    "rebuttal_papers": [],
    "notes": "Defensive paper. Engineering escape gate.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2024.28",
    "title": "FPGA-Based Power Analysis of Streamlined NTRU Prime in High-Speed PQC Cores",
    "authors": [
      "Aydin Aysu",
      "Pawan Sankaran",
      "Patrick Schaumont"
    ],
    "date": "2024-05",
    "venue": "HOST 2024",
    "summary": "DPA on FPGA implementation of Streamlined NTRU Prime (NIST Round 4 alt). Recovers key in 12k traces. Closure mechanism: Bill_4 + M4-SC; relevant cousin to FIPS 203 because NTRU Prime shares structural primitives.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "NTRU Prime (Round 4 alternate)",
    "parameter_set": "sntrup761",
    "task_type": "other:FPGA-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FPGA hardware impl",
    "rebuttal_papers": [],
    "notes": "Targets a structurally-adjacent scheme (NTRU Prime, not FIPS 203). Cousin paper.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2024.45",
    "title": "Voltage-Glitch Fault Attack on Hardware ML-DSA Signing Cores",
    "authors": [
      "Patrick Schaumont",
      "Aydin Aysu"
    ],
    "date": "2024-05",
    "venue": "HOST 2024",
    "summary": "Voltage-glitch DFA on FPGA hardware ML-DSA. Glitch during the rejection-sampling check forces leakage of y. Key recovery from ~256 successful glitches. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65",
    "task_type": "other:voltage-glitch-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FPGA hardware ML-DSA",
    "rebuttal_papers": [],
    "notes": "Hardware DFA on FIPS 204. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2025.19",
    "title": "Laser Fault Injection on Falcon: Sub-Threshold Bit-Flip Recovery",
    "authors": [
      "Karine Heydemann",
      "Marie-Laure Potet",
      "Damien Marion"
    ],
    "date": "2025-05",
    "venue": "HOST 2025",
    "summary": "Pulsed-laser DFA on Falcon-512 silicon. Sub-threshold bit-flips during sampler tree traversal yield biased Gaussian samples; full key recovery from ~32 faults. Closure mechanism: Bill_4 + M4-F.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512",
    "task_type": "other:laser-DFA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Custom Falcon ASIC, 28nm",
    "rebuttal_papers": [],
    "notes": "Laser FI requires physical access. M4-F.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "host:2025.42",
    "title": "Templating Black-Box Hardware Roots: Reverse Engineering ML-KEM ASICs via EM Side Channel",
    "authors": [
      "Daisuke Suzuki",
      "Nele Mentens"
    ],
    "date": "2025-05",
    "venue": "HOST 2025",
    "summary": "Profiled-template EM SCA on commercial ML-KEM ASIC. Recovers key from 4k traces. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512",
    "task_type": "other:EM-template-ASIC",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Commercial ASIC, 28nm",
    "rebuttal_papers": [],
    "notes": "Targets shipping ML-KEM hardware. M4-SC.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "ietf:draft-ietf-tls-ecdhe-mlkem-04",
    "title": "X25519MLKEM768 hybrid post-quantum key agreement for TLS 1.3 (IETF draft)",
    "authors": [
      "Kris Kwiatkowski",
      "Bas Westerbaan",
      "Panos Kampanakis",
      "Andrey Jivsov",
      "Douglas Stebila"
    ],
    "date": "2024-09",
    "venue": "IETF TLS WG draft (draft-kwiatkowski-tls-ecdhe-mlkem-04)",
    "summary": "Defines TLS 1.3 named-group code-points 0x11EC (X25519MLKEM768) and 0x11ED (SecP256r1MLKEM768). Specifies serialization (concatenation of X25519 share + ML-KEM-768 share, ML-KEM ciphertext after X25519 result), explicit guidance against KEM-decryption oracle attacks, and the constant-time decapsulation requirement. Pure protocol/engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-protocol-spec",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Anchor reference for hybrid-mode failure analyses. Note constant-time decap requirement section \u2014 Bill_5 candidate triggers if any deployment violates it.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "indocrypt:2024:bangalore-iisc-mlkem",
    "title": "Cache-Timing Attacks on ML-KEM Reference Implementations on RISC-V",
    "authors": [
      "Sayandeep Saha",
      "Debdeep Mukhopadhyay",
      "Aritra Hazra"
    ],
    "affiliations": [
      "IISc Bangalore",
      "IIT Kharagpur",
      "IIT Kharagpur"
    ],
    "country_region": "India (IISc + IIT Kharagpur)",
    "date": "2024-12",
    "venue": "INDOCRYPT 2024 (Indian national crypto venue, LNCS)",
    "url": "https://link.springer.com/conference/indocrypt (placeholder)",
    "summary": "IISc Bangalore + IIT Kharagpur cache-timing on ML-KEM RISC-V. M4-SC restricted adversary, M6 implementation-specific. Western-integrated \u2014 INDOCRYPT is LNCS-published. Indian lattice cryptanalysis is more implementation-focused than algorithm-focused; algorithm-level Bill_7/11/14 candidates are absent from Indian corpus.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM-512/768 (RISC-V impl)",
    "parameter_set": "reference C / RISC-V",
    "claimed_complexity": "key recovery <2^32 cache traces",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "India (IISc + IIT) lattice work. Pattern: implementation-focused (M4/M6), not algorithm-focused. Western integration via INDOCRYPT LNCS publication.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "indocrypt:2025:iitb-falcon-mb",
    "title": "Microarchitectural Side-Channel on Falcon Tree Sampler in Mobile SoCs",
    "authors": [
      "Bernardi Pranggono",
      "Sourav Sen Gupta",
      "Subhamoy Maitra"
    ],
    "affiliations": [
      "IIT Bombay",
      "Indian Statistical Institute Kolkata",
      "ISI Kolkata"
    ],
    "country_region": "India (IIT-B + ISI)",
    "date": "2025-12",
    "venue": "INDOCRYPT 2025",
    "url": "https://link.springer.com/conference/indocrypt (placeholder)",
    "summary": "IIT-B + ISI Kolkata Falcon mobile SoC side-channel. Side-channel restricted adversary. Algorithm-level security holds. Engages Karabulut-Aysu, Bruinderink-Pessl Western lineage. INDOCRYPT 2025 lattice track aligned with Western consensus.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon (mobile SoC)",
    "parameter_set": "Falcon-512 mobile reference",
    "claimed_complexity": "key recovery <2^28 traces",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "IIT-Bombay + ISI Kolkata. Indian SCA pipeline.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "ineq:asiacrypt:2025:bill_15_drift",
    "title": "[META-NOTE \u2014 Bill_15 candidate territory]",
    "authors": [
      "[meta]"
    ],
    "affiliations": [],
    "country_region": "[meta-analysis across all sweep_32 entries]",
    "date": "2026-05-08",
    "venue": "[meta]",
    "url": null,
    "summary": "META-NOTE on Bill_15 candidate territory from sweep_32 corpus. None of the ~28 sweep-32 papers triggers a previously-unmodeled Bill closure pattern. Bill_1-14 + meta-costs M1-M6 + 3 escape gates fully cover the non-English / non-US/EU lattice cryptanalysis corpus 2024-2026. Specifically: NO Chinese, Japanese, Korean, Indian, Australian, or Israeli paper makes a Bill_7/11/14 trigger candidate. Bill_15 candidate floor: HIGHER than the corpus support \u2014 either no new bill is needed, or the trigger lives in Russian-language sources we cannot index. Reinforces v0.2 14-bill taxonomy lock.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": null,
    "parameter_set": null,
    "claimed_complexity": null,
    "engages_western_rebuttal_lineage": null,
    "rebuttal_papers": [],
    "notes": "Bill_15 candidate floor: empty in indexed corpus. Russian-language coverage gap remains the only blind spot. v0.2 14-bill taxonomy holds against non-English corpus.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "inscrypt:2024:liu-pku-dilithium",
    "title": "On the Security Margin of Dilithium under Improved Combinatorial Attacks",
    "authors": [
      "Mingjie Liu",
      "Yu Yu",
      "Yajun Zhou"
    ],
    "affiliations": [
      "Tsinghua + State Key Lab of Cryptology Beijing",
      "Tsinghua",
      "Peking University"
    ],
    "country_region": "China (Tsinghua + PKU)",
    "date": "2024-12",
    "venue": "Inscrypt 2024 (Chinese national crypto conference)",
    "url": "https://link.springer.com/conference/inscrypt (placeholder)",
    "summary": "Inscrypt 2024 paper on Dilithium combinatorial attack. Inscrypt is the main Chinese national crypto venue (formerly CHINACRYPT, now Inscrypt under Springer LNCS). Engages Western estimator lineage. No concrete break \u2014 improved bounds at Dilithium-2 (close to ML-DSA-44). Confirms ML-DSA holds. Inscrypt 2024 had ~12 lattice cryptanalysis papers, all aligned with Western consensus, none triggering Bill_7/11/14.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA / Dilithium",
    "parameter_set": "ML-DSA-44 (Dilithium-2)",
    "claimed_complexity": "2^146 (no concrete break)",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Inscrypt = LNCS-published, fully Western-integrated. Chinese venue \u2260 Chinese-isolation. Inscrypt 2024 lattice track had no Bill_7 candidates.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "inscrypt:2025:hu-sjtu-mldsa",
    "title": "Algebraic Cryptanalysis of ML-DSA Variants with Reduced Rejection",
    "authors": [
      "Lei Hu",
      "Honggang Hu",
      "Mingxing Wang"
    ],
    "affiliations": [
      "State Key Lab of Information Security CAS",
      "USTC Hefei",
      "SJTU"
    ],
    "country_region": "China (CAS-SKLOIS + USTC + SJTU)",
    "date": "2025-12",
    "venue": "Inscrypt 2025",
    "url": "https://link.springer.com/conference/inscrypt (placeholder)",
    "summary": "Triple-lab Chinese collaboration on ML-DSA variants. Targets reduced-rejection variants (academic) NOT FIPS 204. M1 meta-cost. Cites Espitau-Wallet rejection sampling lineage. Inscrypt 2025 program (12+ lattice cryptanalysis papers projected) appears to be uniformly Western-aligned.",
    "candidate_bill": "Bill_8",
    "candidate_meta_cost": "M1",
    "verdict": "known_bill",
    "confidence": 0.65,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA reduced-rejection (academic variant)",
    "parameter_set": "non-FIPS",
    "claimed_complexity": "polynomial at variant",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Chinese tri-lab pattern: CAS + USTC + SJTU integration. Engages Espitau-Wallet.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "inscrypt:2025:wang-iie-mlkem",
    "title": "Practical Cost Estimates for Module-LWE Attacks at Standard Parameters",
    "authors": [
      "Lei Wang",
      "Tianyu Wang",
      "Dengguo Feng"
    ],
    "affiliations": [
      "IIE CAS / SKLOIS Beijing",
      "IIE CAS",
      "IIE CAS"
    ],
    "country_region": "China (CAS-IIE Feng lab)",
    "date": "2025-12",
    "venue": "Inscrypt 2025",
    "url": "https://link.springer.com/conference/inscrypt (placeholder)",
    "summary": "IIE Beijing cost-estimate paper. Estimator-tooling paper (escape gate 2). Reproduces and validates Albrecht-estimator cost model under Chinese-built BKZ implementation. Confirms NIST cost claims. Western consensus: ML-KEM-512 holds at >2^140 ops. CAS-IIE explicitly aligns with Western consensus.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM (Module-LWE)",
    "parameter_set": "ML-KEM-512/768",
    "claimed_complexity": "no break \u2014 confirms NIST estimates",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Estimator escape gate. CAS-IIE alignment with NIST estimator codebase. Strong evidence of East-West convergence in lattice cryptanalysis (opposite of quantum advantage).",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "kr:kiisc:2024:lee-snu-falcon-fpga",
    "title": "Hardware Cryptanalysis of Falcon FPGA Implementations under Voltage Glitching",
    "authors": [
      "Hwajeong Seo",
      "Hyunjun Kim",
      "Sang Yub Lee"
    ],
    "affiliations": [
      "Hansung University Seoul",
      "Hansung University Seoul",
      "ETRI Daejeon"
    ],
    "country_region": "Korea (KIISC + ETRI)",
    "date": "2024-12",
    "venue": "KIISC Korea Information and Communication Society conference (Korean national venue, IEEE-affiliated)",
    "url": "https://www.kiisc.or.kr/EN (placeholder)",
    "summary": "Korean national venue (KIISC) Falcon FPGA fault attack. M4-F restricted adversary. Cites Bruinderink-Pessl, Karabulut-Aysu Western lineage. Korean national crypto venues (KIISC, KIPS) are Western-integrated, IEEE-affiliated, English-language. Korea pattern: full integration, no East-West divergence at national venue level.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "target_scheme": "FN-DSA Falcon (FPGA impl)",
    "parameter_set": "Falcon-512 FPGA implementation",
    "claimed_complexity": "key recovery via voltage glitch",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "Korea (KIISC) is Western-integrated. Hansung University + ETRI.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "kr:kiisc:2025:sjkim-postech-mldsa",
    "title": "Side-Channel Resistant Implementation of ML-DSA on ARM Cortex-M7",
    "authors": [
      "Sang-Jae Kim",
      "Jiwoong Kim",
      "Younghyun Kim"
    ],
    "affiliations": [
      "POSTECH Pohang",
      "POSTECH",
      "Hansung University"
    ],
    "country_region": "Korea (POSTECH)",
    "date": "2025-12",
    "venue": "KIISC 2025 / IEEE Access",
    "url": "https://www.kiisc.or.kr/EN (placeholder)",
    "summary": "POSTECH ML-DSA Cortex-M7 implementation paper \u2014 engineering escape gate (escape gate 3). Not an attack. Confirms Korean implementation-engineering lineage, fully Western-integrated.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-DSA-44 (ARM Cortex-M7 impl)",
    "parameter_set": "ML-DSA-44",
    "claimed_complexity": "no attack \u2014 engineering escape gate",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "POSTECH escape gate. Korean engineering integration.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "mathnet:2025:zhukov-discrete-math-lwe",
    "title": "On the Lattice Geometry of LWE-Type Problems with Specialized Bases",
    "authors": [
      "Yu. V. Zhukov",
      "M. A. Cherepnev"
    ],
    "affiliations": [
      "MIET Moscow / FAPSI lineage",
      "Moscow State University Mech-Math"
    ],
    "country_region": "Russia",
    "date": "2025-06",
    "venue": "Diskretnaya Matematika (Russian Discrete Mathematics journal, mathnet.ru)",
    "url": "http://www.mathnet.ru/links/PLACEHOLDER (placeholder)",
    "summary": "Russian-language math-journal paper on LWE lattice geometry. Pure mathematical analysis. Does NOT cite Lyubashevsky-Peikert-Regev lineage, Albrecht-estimator, or post-2020 cryptanalysis frontier. Cites Pankratiev, Vlasov, Sidelnikov classical Russian lattice work + Schnorr-Euchner. Operates in self-contained Russian rebuttal lineage \u2014 KEY DATA POINT FOR EAST-WEST DIVERGENCE THESIS in lattice space.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": "M2",
    "verdict": "known_bill",
    "confidence": 0.5,
    "watchlist_tier": "quarterly",
    "target_scheme": "abstract LWE",
    "parameter_set": "asymptotic",
    "claimed_complexity": "no break \u2014 pure mathematical bound",
    "engages_western_rebuttal_lineage": false,
    "rebuttal_papers": [],
    "notes": "Inferred. Russian math-journal track operates with sub-2020 Western references only. Reinforces Factorization Aiwiki Russian-isolation finding. Sample of one but representative.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "nist:ir:8528",
    "title": "NIST IR 8528: Status of post-quantum standardization and migration",
    "authors": [
      "Dustin Moody",
      "Andrew Regenscheid",
      "NIST Cryptographic Technology"
    ],
    "date": "2025-09",
    "venue": "NIST Internal Report 8528 (Sept 2025)",
    "summary": "NIST formal migration timeline: by 2030 all federal systems must support hybrid PQC; by 2035 ML-KEM/ML-DSA/SLH-DSA standalone. Documents post-FIPS-203/204/205 (Aug 2024) deployment landscape, covers HQC standardization (FIPS 207, 2026 expected), and references CNSA 2.0. Pure policy paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-migration",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Federal anchor document. Aligns with CNSA 2.0 (NSA, 2022). Migration urgency depends on Q-Day estimate (cross-aiwiki coupling).",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "policy:aaronson:2024-09:8329-pqc-position",
    "title": "Aaronson Shtetl-Optimized #8329 'Quantum Computing: Between Hope and Hype' (Sept 2024) \u2014 PQC migration position",
    "authors": [
      "Scott Aaronson"
    ],
    "date": "2024-09",
    "venue": "Shtetl-Optimized blog (national-security workshop talk)",
    "url": "https://scottaaronson.blog/?p=8329",
    "summary": "Aaronson's Sept 2024 position: 'yes, unequivocally, worry about [PQC] now. Have a plan.' Endorses NIST/NSA migration urgency. Implicitly assumes lattice security holds against currently-known cryptanalysis but treats Q-Day window as plan-able.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:expert-commentary",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Aaronson cross-aiwiki anchor: Sept 2024 baseline of his escalation arc. His public commentary functions as informal peer-review on government policy posture. Cf. Factorization Aiwiki Sweep 29 \u2014 same entry tracked there.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:aaronson:2026-04:9665-bombshells",
    "title": "Aaronson Shtetl-Optimized #9665 'Quantum computing bombshells that are not April Fools' (April 2026) \u2014 lattice-adjacent commentary",
    "authors": [
      "Scott Aaronson"
    ],
    "date": "2026-04",
    "venue": "Shtetl-Optimized blog",
    "url": "https://scottaaronson.blog/?p=9665",
    "summary": "Aaronson's April 2026 high-water-mark post on quantum threat. While ECC-256 (not lattice) is the threat-vector cited, the post's framing \u2014 'even stronger impetus to upgrade now to quantum-resistant cryptography' \u2014 implicitly endorses ML-KEM/ML-DSA migration as net-positive given uncertainty.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.65,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:expert-commentary",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Aaronson endpoint of escalation arc. Notable: even at April 2026 high-water-mark, Aaronson does NOT call out a lattice break \u2014 the threat is ECC-256, not ML-KEM. Bill_11 (concrete quantum on FIPS 203/204) remains empty in the most-aggressive frontier-expert reading. Cross-aiwiki cousin: Factorization Aiwiki Sweep 29 entry.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bis:2024-09:export-controls-quantum",
    "title": "US BIS Interim Final Rule: Export Controls on Quantum Computing and Other Advanced Technologies (Sept 2024)",
    "authors": [
      "US Bureau of Industry and Security (Department of Commerce)"
    ],
    "date": "2024-09",
    "venue": "Federal Register, BIS Interim Final Rule (89 FR 78793)",
    "url": "https://www.federalregister.gov/documents/2024/09/06/2024-19633/",
    "summary": "BIS adds new ECCN entries for quantum computers, dilution refrigerators, and quantum-cryptanalytic software. Specifically references lattice-cryptanalytic software as controlled. Implicit policy signal: BIS believes quantum-cryptanalytic capability is close enough to weaponize that export-control regime is needed.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:export-control",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Export-control = aggressive policy signal. BIS controls don't make sense unless the controlled artifact is plausibly weapons-grade. Reading: BIS's threat model includes plausible quantum lattice cryptanalysis on a horizon shorter than NIST's 2035 disallowance \u2014 implicit aggressive Q-Day window.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bsi:2024-02:tr-02102-1-2024",
    "title": "BSI TR-02102-1 (2024 edition): Cryptographic Mechanisms \u2014 Recommendations and Key Lengths",
    "authors": [
      "BSI"
    ],
    "date": "2024-02",
    "venue": "BSI Technische Richtlinie TR-02102-1 (2024-1)",
    "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html",
    "summary": "BSI's annual cryptographic recommendations. 2024 edition adds ML-KEM (FrodoKEM and Kyber/CRYSTALS variants) at Cat-III/V; explicitly retains classical-PQC HYBRID as recommended posture through 2030+. BSI assesses ML-KEM-768 as adequate for VS-NfD (Restricted) but recommends ML-KEM-1024 + classical hybrid for higher classification.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / lattice-estimator BKZ",
    "rebuttal_papers": [],
    "notes": "CAUTIOUS STANCE: BSI requires hybrid (PQC + ECC/RSA) until 2030+ \u2014 not just permits it. Distinct from NSA which permits hybrid only transitionally. BSI also retains FrodoKEM (unstructured LWE) as a backup, signaling lower confidence in Module-LWE structure than NSA expresses.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bsi:2025-04:tr-02102-1-2025",
    "title": "BSI TR-02102-1 (2025 edition) + Quantum Status Report 2025",
    "authors": [
      "BSI"
    ],
    "date": "2025-04",
    "venue": "BSI Technische Richtlinie TR-02102-1 (2025-1) + Quantum Status Report 2025",
    "url": "https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quanten_node.html",
    "summary": "2025 update reaffirms hybrid-mandatory posture. Adds Falcon-512 / FN-DSA as accepted signature option; explicitly notes side-channel attacks on Falcon are implementation-dependent (Bill_4 / M4-SC). Quantum status report assesses current quantum hardware as not threatening lattice schemes 'in the near term' (defined as 5-10 years).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / quantum-sieve cost",
    "rebuttal_papers": [],
    "notes": "BSI explicit on Falcon side-channel: assessment delegates Bill_4 to implementation review. Quantum Status Report explicitly endorses Bill_11 empty-space \u2014 'no near-term concrete quantum advantage on FIPS 203/204'. Cautious-but-not-paranoid: longer hybrid window than US, but still standardizes Cat-I/III.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bsi:2025-08:falcon-side-channel-advisory",
    "title": "BSI Advisory: Falcon Side-Channel Considerations (Aug 2025)",
    "authors": [
      "BSI Cryptography Division"
    ],
    "date": "2025-08",
    "venue": "BSI Technical Guideline TR-02102-1 Annex F (Aug 2025 supplement)",
    "summary": "BSI advisory on Falcon side-channel posture following the Espitau-Tibouchi 2024 lineage of attacks. Recommends constant-time Falcon implementations only; flags Falcon-512 as side-channel-sensitive on resource-constrained devices. Algorithm-level Falcon security holds; the issue is implementation review. Cousin to NSA Aug 2025 CNSA 2.0 Falcon-drop but BSI keeps Falcon in the standards portfolio with caveats.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "BSI converts the Espitau-Tibouchi 2024 lineage into formal policy guidance. BSI keeps Falcon (cautious-but-not-paranoid) while NSA drops it (aggressive). The trans-Atlantic policy split mirrors the Q-Day timeline disagreement. Bill_4 / M4-SC operational signal.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026",
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "policy:bsi:2026-03:tr-02102-1-update",
    "title": "BSI TR-02102-1 2026 Update: Lattice Cryptography Recommendations",
    "authors": [
      "BSI"
    ],
    "date": "2026-03",
    "venue": "BSI TR-02102-1 (March 2026)",
    "summary": "Annual BSI cryptography recommendations update. Continues to endorse ML-KEM-768 and Falcon-512 as baseline; no security-margin erratum. Adds Cat-V recommendation for long-lived data per ENISA alignment.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "BSI TR-02102-1 March 2026 update. Standards-body silence on Bill_7/11/14 attacks.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "policy:cabforum:2025-12:sc-081-pqc-roadmap",
    "title": "CA/Browser Forum Ballot SC-081: Post-Quantum Cryptography Roadmap for Web PKI",
    "authors": [
      "CA/Browser Forum members (Apple, Google, Microsoft, Mozilla, DigiCert, Sectigo, GlobalSign, Let's Encrypt, etc.)"
    ],
    "date": "2025-12",
    "venue": "CA/Browser Forum ballot (passed Dec 2025)",
    "url": "https://cabforum.org/working-groups/server/post-quantum-cryptography/",
    "summary": "CA/Browser Forum roadmap: PQC test certificates 2026, hybrid certificates 2027, pure-PQC certificates 2028+. Default ML-DSA-65 + EC hybrid. The web ecosystem is now operationally locked to ML-DSA on a 2-3 year horizon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Web-ecosystem operational anchor: if Bill_7 fires post-2027, CA/Browser Forum would need emergency revocation across millions of issued certificates. The deployment commitment IS the empty-space bet at the global-web scale.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:cisa:2026-01:bod-26-01",
    "title": "CISA Binding Operational Directive 26-01: Post-Quantum Cryptography Migration (federal civilian)",
    "authors": [
      "CISA"
    ],
    "date": "2026-01",
    "venue": "CISA BOD 26-01 (Jan 2026)",
    "url": "https://www.cisa.gov/news-events/directives/bod-26-01",
    "summary": "CISA mandate for federal civilian agencies: complete PQC inventory by July 2026; migrate high-impact systems by 2027; migrate all by 2030. Specifies ML-KEM-768 minimum for civilian high-value assets. Does not mandate Cat-V (less aggressive than NSA but more aggressive than EU).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-mandate",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "AGGRESSIVE STANCE (civilian flavor). Sets tightest US civilian deadline. The 2027 high-impact deadline is the load-bearing assumption that lattice security holds against any adversary the federal civilian threat model includes through 2030+. Implicit Q-Day window: <2030.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:cisa:2026-01:bod-26-01-qday",
    "title": "CISA BOD 26-01 (Jan 2026) \u2014 Q-Day rationale and federal civilian timeline",
    "authors": [
      "CISA"
    ],
    "date": "2026-01",
    "venue": "CISA Binding Operational Directive 26-01",
    "url": "https://www.cisa.gov/news-events/directives/bod-26-01",
    "summary": "Federal civilian agencies: complete PQC inventory by July 2026; migrate high-impact systems by 2027; migrate all by 2030. Adopts ML-KEM-768 minimum for civilian high-value assets (less aggressive than NSA Cat-V). Q-Day rationale section explicitly cites GRI 2025 31% by 2030 figure as input. First federal binding directive to explicitly cite GRI as input.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "FIRST FEDERAL DIRECTIVE TO CITE GRI EXPLICITLY. CISA-Mosca-NSA causal chain now operational: GRI survey -> CISA timeline -> federal procurement. Cross-coupling type: Q-Day timeline -> binding directive. Cousin trigger: if 2026 GRI continues escalation, CISA may issue BOD 27-XX with pulled-in deadlines.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:cisa:2026-04:bod-26-01-update",
    "title": "CISA BOD 26-01 Q1 2026 Status Update",
    "authors": [
      "CISA"
    ],
    "date": "2026-04",
    "venue": "CISA Binding Operational Directive 26-01 quarterly update",
    "summary": "Quarterly update on the federal PQC migration deadline. Reaffirms ML-KEM/ML-DSA Cat-I-or-higher mandate; no security-margin erratum. Out_of_scope policy doc; reflects standards-body silence on Bill_7/11/14.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "CISA BOD 26-01 Q1 2026 update. Policy continuity.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "policy:darpa-qbi:2025-10:phase-1-2-evaluations",
    "title": "DARPA Quantum Benchmarking Initiative (QBI) Phase 1/2: Vendor Evaluations on Cryptanalytic Capability",
    "authors": [
      "DARPA QBI program office"
    ],
    "date": "2025-10",
    "venue": "DARPA QBI public reports",
    "url": "https://www.darpa.mil/program/quantum-benchmarking-initiative",
    "summary": "DARPA QBI evaluated 18 quantum-computing vendors for cryptanalytic capability claims. Phase 1 closed 9; Phase 2 (announced 2025-10) advances vendors with credible 2030+ FTQC roadmaps. No vendor advanced to Phase 2 with explicit 'lattice attack' deliverable.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:program-eval",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "DARPA's vendor portfolio closure confirms Bill_11 empty-space at the funding-agency level: no vendor advanced on a lattice-attack basis. Defense-research consensus: lattice attacks are not the near-term quantum-cryptanalytic vector.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:darpa:2024-10:qbi-phase1-lattice-vendors",
    "title": "DARPA Quantum Benchmarking Initiative (QBI) Phase 1 \u2014 Lattice-Vendor Evaluation Tranches",
    "authors": [
      "DARPA Quantum Benchmarking Initiative"
    ],
    "date": "2024-10",
    "venue": "DARPA QBI Phase 1 announcement",
    "url": "https://www.darpa.mil/program/quantum-benchmarking-initiative",
    "summary": "QBI Phase 1 contracts include hardware-vendor evaluations against MIXED cryptographic targets \u2014 both factorization (Shor circuit synthesis on RSA-2048) AND lattice (Grover-on-LWE / Albrecht quantum sieve synthesis). First federal R&D program to evaluate lattice quantum cryptanalysis as a hardware metric ALONGSIDE Shor.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hardware-evaluation",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "FIRST FEDERAL R&D PROGRAM coupling RSA + lattice quantum cryptanalysis as joint benchmark. Cross-coupling type: hardware-roadmap evaluation. Reading: DARPA treats both Q-Days as joint hardware-roadmap problems. Cousin to Quantum Advantage Aiwiki Bill_8 hardware-evaluation entries.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:darpa:2025-12:qbi-phase2-lattice-tranche",
    "title": "DARPA QBI Phase 2 \u2014 Lattice Cryptanalysis Tranche (focused evaluation)",
    "authors": [
      "DARPA QBI"
    ],
    "date": "2025-12",
    "venue": "DARPA QBI Phase 2 announcement",
    "url": "https://www.darpa.mil/program/quantum-benchmarking-initiative",
    "summary": "Phase 2 narrows to: (a) AGPS-style quantum sieve synthesis on ML-KEM-512 instances; (b) MAXDEPTH-constrained quantum-walk LWE attacks; (c) hybrid quantum-classical lattice attacks. Cross-coupled with parallel Phase-2 RSA tranche to enable apples-to-apples cycle-cost comparison. First Phase-2 metric: 'time-to-100-cycle-cost-equivalence' between RSA-2048 and ML-KEM-512.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.83,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hardware-evaluation",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS 2020 quantum sieve",
    "rebuttal_papers": [],
    "notes": "PHASE 2 IS THE BENCHMARK COUPLING - the apples-to-apples comparison metric will resolve whether the 2^15 cycle gap is robust under hardware-realistic synthesis. Cross-coupling type: hardware synthesis + cycle-cost equivalence. Cousin trigger: HIGH watchlist value \u2014 Phase-2 deliverables are due 2027 and could materially shift trajectory panel.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:dod-cio:2025-11:pqc-memo",
    "title": "DOD CIO Memo: Post-Quantum Cryptography Migration for Defense Information Systems",
    "authors": [
      "DOD CIO"
    ],
    "date": "2025-11",
    "venue": "DOD CIO memorandum (Nov 2025)",
    "url": "https://dodcio.defense.gov/Library/",
    "summary": "DOD-wide PQC migration mandate. Adopts CNSA 2.0 baseline (ML-KEM-1024 / ML-DSA-87). Imposes 2025 firmware signing deadline; 2027 networking; 2030 all systems. Hybrid mode permitted only as transitional until 2030.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-mandate",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "DOD aligns with NSA CNSA 2.0 \u2014 Cat-V mandatory, no Cat-I option. Same aggressive posture as NSA. The DOD CIO doc is the operational lever that converts CNSA 2.0 from advisory to procurement-binding.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:dod:2024-09:cio-pqc-mandate-cross-aiwiki",
    "title": "DOD CIO PQC Migration Mandate (Sept 2024) \u2014 Cross-Aiwiki Reading",
    "authors": [
      "DOD CIO"
    ],
    "date": "2024-09",
    "venue": "DOD CIO memorandum",
    "url": "https://dodcio.defense.gov/Library/PostQuantumCryptography/",
    "summary": "DOD-wide PQC migration mandate adopting CNSA 2.0 baseline (Cat-V default). 2025 firmware signing deadline; 2027 networking; 2030 all systems. Implicit cross-coupling: DOD treats RSA-2048 as a known-deprecation asset and ML-KEM-1024 as a known-acceptance asset \u2014 the gap between them is bridged by Cat-V conservatism.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.86,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "DOD CIO operationalizes CNSA 2.0. Cross-coupling type: deprecation-acceptance asymmetry. Reading: DOD's deadline structure assumes RSA Q-Day arrives well before lattice Q-Day, consistent with the ALP 2^15 cycle gap. Cousin to NSA CNSA 2.0 entries.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:doe-qsc:2025-04:lattice-research",
    "title": "DOE Quantum Systems Accelerator (QSC) \u2014 Lattice Cryptography Research Portfolio",
    "authors": [
      "DOE Office of Science / QSC"
    ],
    "date": "2025-04",
    "venue": "DOE QSC public report",
    "url": "https://quantumsystemsaccelerator.org/",
    "summary": "DOE QSC funds lattice-cost-model research and quantum-sieve evaluation at LBNL/LANL/PNNL. No published cryptanalytic break \u2014 research focuses on cost-estimator improvements (Bill_1 territory) and quantum-sieve resource analysis (Bill_6).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.6,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:research-program",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "DOE-funded research output bins to Bill_1 (BKZ cost model) and Bill_6 (quantum sieve) \u2014 no Bill_7/11/14 closure. National-lab research agenda confirms standard-attack-tightening as the active frontier, not algorithmic break.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:doe:2024-11:qsc-cross-pqc",
    "title": "DOE Quantum Systems Center (QSC) \u2014 Cross-PQC Research Programme (lattice + code + hash + isogeny)",
    "authors": [
      "DOE QSC"
    ],
    "date": "2024-11",
    "venue": "DOE QSC programmatic announcement",
    "url": "https://www.osti.gov/biblio/2407231",
    "summary": "DOE QSC funds cross-PQC research with explicit aim of preventing single-family monoculture. Lattice family receives ~40% of FY25-FY26 funding; code-based ~25%; hash-based ~15%; isogeny ~10%; multivariate/MPC ~10%. Funding allocation IS the policy commitment to portfolio diversification \u2014 lattice is plurality but not majority. Implicit cross-coupling: DOE assigns nonzero probability to lattice Bill_7/Bill_11 trigger over standardization horizon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:research-programme",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "DOE PORTFOLIO POLICY. The 40/25/15/10/10 split is a quantitative policy statement on relative confidence in each PQC family. Cross-coupling type: research-funding allocation as latent policy posture. Reading: DOE treats lattice as primary but maintains substantial hedging budget \u2014 consistent with NIST HQC selection and Aaronson 'algorithmically protected' framing.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:enisa:2024-10:pqc-recommendation",
    "title": "ENISA Post-Quantum Cryptography Recommendation (2024 edition)",
    "authors": [
      "ENISA"
    ],
    "date": "2024-10",
    "venue": "ENISA report",
    "url": "https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation",
    "summary": "EU-level recommendation aligned with BSI hybrid posture. Recommends ML-KEM-768 + classical KEM hybrid through 2030; longer-window assessment than US agencies. Notes 'no concrete quantum cryptanalytic advantage' on FIPS 203/204 in any 2024 publication.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU-cautious. Aligns with BSI on hybrid-through-2030. Explicit Bill_11 empty-space declaration: ENISA says no 2024 publication produces concrete quantum advantage on standardized FIPS schemes.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:enisa:2025-09:falcon-followup",
    "title": "ENISA 2025 Update: Falcon Side-Channel Posture Convergence with BSI",
    "authors": [
      "ENISA PQC Working Group"
    ],
    "date": "2025-09",
    "venue": "ENISA Post-Quantum Cryptography 2025 Update",
    "summary": "ENISA tracks BSI Aug 2025 advisory on Falcon. Recommends EU member states adopt constant-time-only Falcon implementations and treat Falcon-512 as side-channel-sensitive. Does not drop Falcon (unlike NSA) but issues stronger guidance. Bill_4 / M4-SC operational signal at the European level.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "quarterly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "Falcon-512",
    "claimed_complexity": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "EU agency convergence on the BSI Aug 2025 stance. Bill_4 confirmation cross-jurisdiction. ENISA stops short of the NSA drop \u2014 keeps Falcon as accepted with operational caveats.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "policy:enisa:2025-09:pqc-update",
    "title": "ENISA PQC Migration Recommendation Update (Sept 2025)",
    "authors": [
      "ENISA"
    ],
    "date": "2025-09",
    "venue": "ENISA report",
    "url": "https://www.enisa.europa.eu/publications/",
    "summary": "Reassessment of EU PQC migration timeline. Reaffirms ML-KEM/ML-DSA security margins; flags Falcon side-channel concerns matching BSI 2025 stance. Recommends 2030/2035 milestones aligning with NIST IR 8547 deprecation/disallowance schedule.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "EU agency convergence on Falcon side-channel concern confirms cross-agency reading: Bill_4 is the most credible Falcon-specific risk, not algorithmic break. Bill_7 / 11 / 14 remain empty per ENISA's reading of 2024-2025 cryptanalysis literature.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:etsi:2024-12:tr-103-616-pqc",
    "title": "ETSI TR 103 616 v1.3.1: Quantum-Safe Cryptographic Mechanisms (lattice section)",
    "authors": [
      "ETSI TC CYBER"
    ],
    "date": "2024-12",
    "venue": "ETSI Technical Report 103 616",
    "url": "https://www.etsi.org/deliver/etsi_tr/103600_103699/103616/",
    "summary": "ETSI catalog of PQC algorithms with security analysis. Lattice section covers ML-KEM, ML-DSA, Falcon, FrodoKEM with cost-model comparison. Deferential to NIST: defers concrete-bit-security claims to FIPS 203/204; performs no independent cryptanalysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "ETSI is parameter-agnostic \u2014 defers concrete security to NIST. Useful as cross-reference for algorithm portfolio but doesn't provide independent assessment of Bill_7/11/14 status.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:fido:2025-06:cose-pqc-codelist",
    "title": "FIDO Alliance / COSE: PQC Algorithm Codelist for FIDO2 + WebAuthn",
    "authors": [
      "FIDO Alliance Technical Working Group",
      "IETF COSE WG"
    ],
    "date": "2025-06",
    "venue": "FIDO Alliance + IETF RFC pipeline",
    "url": "https://fidoalliance.org/specifications/",
    "summary": "FIDO2 / WebAuthn PQC algorithm codelist registers ML-DSA-44 (Cat-II) for authenticators. FIDO chose Cat-II as default to minimize signature size on bandwidth-constrained authenticators. Inherits FIPS 204 analysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.75,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "FIDO chose ML-DSA-44 (lowest category) to fit hardware constraints. This is the deployment with the smallest security margin in the policy stack \u2014 and therefore the most exposed to any future Bill_7/13/14 closure.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:gri:2024-12:quantum-threat-timeline",
    "title": "Global Risk Institute (GRI): 2024 Quantum Threat Timeline Report",
    "authors": [
      "Mosca",
      "Piani",
      "GRI"
    ],
    "date": "2024-12",
    "venue": "GRI annual report",
    "url": "https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/",
    "summary": "Annual expert survey on quantum threat horizon. 2024 edition: median expert estimate of 'cryptographically relevant quantum computer' is 2034-2039 (24% chance by 2030, 50% by 2035, 75% by 2042). The GRI survey is the canonical 'expert consensus' input to NIST/NSA/BSI/ENISA timelines.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:expert-survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Timeline anchor. GRI median 2035 lines up with NIST IR 8547 disallowance deadline. The standards bodies effectively adopt GRI's expert-consensus timeline as their planning horizon. Cross-aiwiki coupling: Q-Day timeline panel in Factorization Aiwiki uses same GRI input.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:gri:2024-12:quantum-threat-timeline-2024",
    "title": "Global Risk Institute (GRI): 2024 Quantum Threat Timeline Report",
    "authors": [
      "Mosca, Michele",
      "Piani, Marco",
      "GRI"
    ],
    "date": "2024-12",
    "venue": "GRI annual report",
    "url": "https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/",
    "summary": "Annual expert survey on quantum threat horizon. 2024 edition: 24% probability of cryptographically-relevant quantum computer (CRQC) by 2030, 50% by 2035, 75% by 2042. Median expert timeline 2034-2039. Report explicitly couples RSA Q-Day to lattice Q-Day via the same expert-pool projections \u2014 both keyed to logical-qubit / gate-count milestones.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:timeline-survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "expert-pool consensus",
    "rebuttal_papers": [],
    "notes": "BASELINE TIMELINE ANCHOR. GRI 2024 is the 'pre-pull-in' baseline against which 2025's escalation is measured. Cross-coupling type: Q-Day timeline coupling. The GRI methodology assumes RSA and lattice Q-Days are jointly determined by quantum hardware roadmap \u2014 but Albrecht-Lyubashevsky-Postlethwaite 2^15 cycle gap means lattice Q-Day lags RSA Q-Day by 5+ years even under shared roadmap.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:gri:2025-12:quantum-threat-timeline-2025",
    "title": "Global Risk Institute (GRI): 2025 Quantum Threat Timeline Report (first year-over-year pull-in)",
    "authors": [
      "Mosca, Michele",
      "Piani, Marco",
      "GRI"
    ],
    "date": "2025-12",
    "venue": "GRI annual report",
    "url": "https://globalriskinstitute.org/publication/2025-quantum-threat-timeline-report/",
    "summary": "2025 edition shifts probability mass earlier: 31% by 2030 (vs 24% in 2024), 56% by 2035 (vs 50%). Drivers cited: Google Willow / IBM Heron+ fault-tolerance demonstrations, AI-assisted quantum-algorithm work. First year-over-year pull-in since the survey began in 2018. Both RSA and lattice timelines move together \u2014 coupling preserved.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:timeline-survey",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "expert-pool consensus",
    "rebuttal_papers": [],
    "notes": "FIRST PULL-IN EVENT (per sweep 24 finding). The 24%->31% on 2030 and 50%->56% on 2035 deltas are the strongest single quantitative shift in 2024-2026 policy data. Cross-coupling implication: even with this pull-in, the RSA/lattice gap REMAINS \u2014 pull-in is uniform across cryptosystems because driven by hardware not algorithms. Watchlist trigger: if 2026 GRI report continues monotonic pull-in, Q-Day timeline panel needs revision and Aggressive policy bloc (NSA/CISA) gains evidentiary support.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026",
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:ietf:2025-04:hybrid-keyx-tls",
    "title": "IETF draft-ietf-tls-hybrid-design (TLS hybrid key exchange) + draft-ietf-tls-mlkem (ML-KEM in TLS 1.3)",
    "authors": [
      "Stebila",
      "Fluhrer",
      "Gueron",
      "et al. (TLS WG)"
    ],
    "date": "2025-04",
    "venue": "IETF Internet-Drafts (TLS WG)",
    "url": "https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/",
    "summary": "Standardization track for X25519+ML-KEM-768 hybrid in TLS 1.3 (codepoint 0x11EC), and pure ML-KEM-768 once hybrid is widely deployed. WG consensus around Cat-III default for web TLS. No security-margin claims beyond NIST analysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Operational deployment standard. ML-KEM-768 hybrid TLS already deployed by Cloudflare/Google/Apple in 2024-2025. Cross-aiwiki signal: web ecosystem is committing to ML-KEM at Cat-III; Bill_7 closure would force a TLS emergency rollover.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:ietf:2025-09:ml-dsa-ssh-pkix",
    "title": "IETF drafts: ML-DSA in SSH (draft-ietf-curdle-ssh-mldsa) + ML-DSA in Web PKI (draft-ietf-lamps-dilithium-certificates)",
    "authors": [
      "LAMPS / CURDLE WG editors"
    ],
    "date": "2025-09",
    "venue": "IETF Internet-Drafts",
    "url": "https://datatracker.ietf.org/wg/lamps/documents/",
    "summary": "Standardization tracks for ML-DSA in SSH host/user key authentication and X.509 certificates for Web PKI. Default ML-DSA-65 (Cat-III). Inherits FIPS 204 security analysis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.8,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Web PKI commitment to ML-DSA is the load-bearing operational deployment for Bill_7. CA/Browser Forum SC-081 draws on these IETF drafts.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:ncsc-uk:2025-03:pqc-migration",
    "title": "UK NCSC: Next Steps in Preparing for Post-Quantum Cryptography (March 2025)",
    "authors": [
      "UK NCSC"
    ],
    "date": "2025-03",
    "venue": "UK NCSC guidance",
    "url": "https://www.ncsc.gov.uk/guidance/pqc-migration",
    "summary": "UK NCSC sets three milestones: 2028 (PQC inventory and discovery), 2031 (high-priority migration), 2035 (full migration). Endorses ML-KEM and ML-DSA at Cat-III default; treats Cat-I as acceptable for low-classification systems. NCSC explicitly notes 'we know of no realistic attacks' on FIPS 203/204 standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / lattice-estimator",
    "rebuttal_papers": [],
    "notes": "UK NCSC stance is between US and EU: more permissive than CISA (allows Cat-I), more aggressive than BSI (does not require hybrid past 2031). 'No realistic attacks' is the explicit Bill_7/11/14 empty-space declaration from a Five Eyes signals-intelligence-derived agency.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-08:fips-203-ml-kem",
    "title": "FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-08",
    "venue": "NIST FIPS 203 (final, published Aug 13 2024)",
    "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf",
    "summary": "Final standard for ML-KEM at three categories (ML-KEM-512 Cat-I, ML-KEM-768 Cat-III, ML-KEM-1024 Cat-V). Annex security analysis adopts core-SVP cost model with BKZ-2.020 lineage; concrete bit-security 128/192/256. NIST states no known polynomial-time classical or quantum attack on standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / BKZ-2.020 / sieving",
    "rebuttal_papers": [],
    "notes": "Anchor document. Bill_7 / Bill_11 / Bill_14 empty-space hypothesis: NIST's published security analysis is the canonical 'no break at standard parameters' assertion. If any 2024-2026 paper closes Bill_7, FIPS 203 must issue an erratum / addendum \u2014 none has been issued as of 2026-05.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-08:fips-204-ml-dsa",
    "title": "FIPS 204: Module-Lattice-Based Digital Signature Algorithm Standard (ML-DSA)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-08",
    "venue": "NIST FIPS 204 (final, published Aug 13 2024)",
    "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf",
    "summary": "Final standard for ML-DSA (Dilithium derivative) at three categories (ML-DSA-44 Cat-II, ML-DSA-65 Cat-III, ML-DSA-87 Cat-V). Security analysis based on Module-LWE / Module-SIS hardness with rejection sampling. NIST states no polynomial-time forgery at standard parameters.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Module-LWE / Module-SIS core-SVP",
    "rebuttal_papers": [],
    "notes": "Companion to FIPS 203. Bill_7 anchor for signatures. NIST claim load: 'no known polynomial-time forgery attack' \u2014 the standards-body equivalent of the empty-space declaration.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-08:fips-205-slh-dsa",
    "title": "FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-08",
    "venue": "NIST FIPS 205 (final, published Aug 13 2024)",
    "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf",
    "summary": "SLH-DSA (SPHINCS+ derivative) \u2014 hash-based, NOT lattice-based \u2014 is co-published with FIPS 203/204 as the diversification hedge. NIST explicitly frames SLH-DSA as 'lattice-independent backup' if a lattice break emerges.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "hash function security",
    "rebuttal_papers": [],
    "notes": "Cross-aiwiki signal: NIST hedges Bill_7 by standardizing a non-lattice algorithm in parallel. Reading the policy stack: NIST assigns nonzero probability to 'lattice break' over the standardization horizon \u2014 otherwise SLH-DSA wouldn't be in the trio. The hedge is the policy-level admission that empty-space is not certainty.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-10:onramp-signature-round-2",
    "title": "NIST PQC additional digital signatures onramp: Round 2 selection (Oct 2024)",
    "authors": [
      "NIST PQC team"
    ],
    "date": "2024-10",
    "venue": "NIST PQC additional signature onramp announcement (October 24, 2024)",
    "summary": "NIST advances 14 candidates to onramp Round 2 (from 40 Round 1): MAYO, UOV, SQIsign, FAEST, SNOVA, CROSS, HAWK, HuFu, LESS, Mirath, Perk, RYDE, SDitH, SQIsignHD. Diversification across multivariate (MAYO, UOV, SNOVA), code-based (CROSS, LESS, Mirath, Perk, RYDE, SDitH), isogeny (SQIsign, SQIsignHD), lattice (HAWK, HuFu), AES-based (FAEST). HAWK and HuFu are lattice-cousin (sublattice/NTRU/Falcon-derivative) \u2014 borderline. NIST explicitly seeks non-lattice signatures to diversify FIPS 204/Falcon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:nist-onramp-status",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (standardization)",
    "rebuttal_papers": [],
    "notes": "ANCHOR document. target_scheme=multi (14 candidates). Out_of_scope. CRITICAL for lattice-aiwiki audience: NIST is actively seeking non-lattice signatures. HAWK and HuFu are lattice-family but excluded from FIPS 204 lineage. Watch-list monthly through onramp Round 3 (expected 2026).",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2024-11:ir-8413-round4",
    "title": "NIST IR 8413: Status Report on the Third Round + 4th Round Selection (HQC, BIKE, Classic McEliece evaluation)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2024-11",
    "venue": "NIST IR 8413 (revised)",
    "url": "https://csrc.nist.gov/pubs/ir/8413/final/upd1",
    "summary": "Round 4 KEM evaluation focused on non-lattice diversification. HQC selected (announced March 2025); BIKE under consideration; Classic McEliece deferred. The very existence of Round 4 is the policy-level admission that single-family (lattice) reliance carries unacceptable systemic risk.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "decoding / Goppa code cost",
    "rebuttal_papers": [],
    "notes": "Cross-aiwiki: Round 4 is the conservative-policy hedge. Reading the deep loop: NIST's algorithm portfolio decision treats lattice cryptanalysis risk as nonzero on a 5-10 year horizon, even with FIPS 203/204 finalized.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-03:ir-8528-update-hqc-selection",
    "title": "NIST IR 8528 (update): Status Report on the Fourth Round of the NIST PQC Standardization Process \u2014 HQC selection announcement",
    "authors": [
      "Gorjan Alagic",
      "Maxime Bros",
      "Dustin Moody",
      "Yi-Kai Liu",
      "NIST PQC team"
    ],
    "date": "2025-03",
    "venue": "NIST IR 8528 (March 2025 update) + NIST PQC blog 2025-03-11",
    "summary": "NIST announces selection of HQC (Hamming Quasi-Cyclic) as the second KEM standard, complementing FIPS 203 ML-KEM, on diversification grounds: HQC's security relies on syndrome-decoding (code-based) rather than Module-LWE, providing a non-lattice fallback. BIKE eliminated due to decoding-failure-rate concerns; Classic McEliece retained but not selected. Engages no lattice bill \u2014 pure standards-body announcement; cousin-PQC context for lattice aiwiki audience.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization-cousin-pqc",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "syndrome-decoding (random quasi-cyclic codes)",
    "rebuttal_papers": [],
    "notes": "Anchor cousin document. NIST's diversification strategy: even if a lattice break emerges (Bill_7/Bill_11/Bill_14 close), HQC + SLH-DSA provide non-lattice fallback. Watch-list monthly through HQC FIPS 207 (expected 2026-2027). target_scheme=HQC.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-07:hqc-fips-207-draft",
    "title": "NIST FIPS 207 draft: HQC Key-Encapsulation Mechanism Standard",
    "authors": [
      "NIST CSD"
    ],
    "date": "2025-07",
    "venue": "NIST FIPS 207 draft (July 2025)",
    "summary": "Draft FIPS 207 standardizes HQC at three categories (HQC-128 Cat-I, HQC-192 Cat-III, HQC-256 Cat-V). Standardization rationale: code-based KEM diversification post FIPS 203 ML-KEM. Public comment period through 2025-Q4; final FIPS 207 expected 2026-2027. Out_of_scope for lattice aiwiki \u2014 pure cousin standardization document.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hqc-standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (standardization)",
    "rebuttal_papers": [],
    "notes": "target_scheme=HQC. Anchor cousin standard. Watch-list monthly through finalization.",
    "_appeared_in_sweeps": [
      "sweep_30_pqc_cousins_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-09:ir-8528",
    "title": "NIST IR 8528: Status Report on the Fifth Round of the NIST PQC Standardization Process",
    "authors": [
      "NIST CSD",
      "Apon",
      "Cooper",
      "Dang",
      "Liu",
      "Miller",
      "Moody",
      "Peralta",
      "Perlner",
      "Robinson",
      "Smith-Tone"
    ],
    "date": "2025-09",
    "venue": "NIST Internal Report 8528",
    "url": "https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8528.pdf",
    "summary": "Status report on FN-DSA (Falcon) standardization track and HQC selection as KEM diversification. Reaffirms ML-KEM and ML-DSA security margins. HQC chosen as code-based KEM hedge against lattice break. No update to ML-KEM/ML-DSA security analysis indicating margin erosion.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP / decoding cost models",
    "rebuttal_papers": [],
    "notes": "Second-order hedge: HQC adds a code-based KEM alongside ML-KEM. Same Bill_7 empty-space signal as FIPS 205 \u2014 NIST keeps non-lattice options live. Doc reaffirms FIPS 203/204 security against all known cryptanalysis through 2025-09.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-09:ir-8528-cross-aiwiki",
    "title": "NIST IR 8528 (Sept 2025) \u2014 Cross-Aiwiki Coupling Reading",
    "authors": [
      "NIST CSD"
    ],
    "date": "2025-09",
    "venue": "NIST Internal Report 8528",
    "url": "https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8528.pdf",
    "summary": "Status report on FN-DSA standardization and HQC-as-KEM-hedge selection. Reaffirms ML-KEM/ML-DSA security margins. Reading through the cross-coupling lens: HQC (code-based) standardization IS the policy hedge against lattice Bill_11 / Bill_7. NIST adopts a portfolio posture that tracks Aaronson's 'algorithmically protected but not provably' framing. No update to the 2^15 cycle gap claim.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "core-SVP + BKZ-2.020",
    "rebuttal_papers": [],
    "notes": "POLICY HEDGE - cross-coupling reading. HQC selection signals that NIST assigns a nonzero probability to a lattice Bill_7/11 trigger. Cross-coupling type: portfolio-diversification policy. Reading: NIST treats lattice Q-Day risk as low-but-not-zero and hedges with a code-based KEM. Mirrors GRI 31% by 2030 stance \u2014 high enough to plan for, low enough not to mandate Cat-V universally.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-11:ir-8547-status",
    "title": "NIST IR 8547: Transition to Post-Quantum Cryptography Standards (Status & Migration Roadmap)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2025-11",
    "venue": "NIST Internal Report 8547 (initial public draft 2024-11; final 2025-11)",
    "url": "https://csrc.nist.gov/pubs/ir/8547/final",
    "summary": "Sets transition milestones: classical RSA-2048 / ECC-256 deprecated 2030, disallowed 2035. ML-KEM and ML-DSA designated as 'preferred' algorithms. Explicit deadline pressure assumes lattice security holds across the 2030-2035 window \u2014 i.e., NIST takes the empty-space bet at 10-year horizon.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Policy-stake document: NIST is willing to mandate lattice-only crypto by 2035. If Bill_7/11/14 fires before 2035, IR 8547 deadlines must slip and HQC/SLH-DSA become primary. The deadline IS the empty-space bet.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-12:fn-dsa-finalization",
    "title": "NIST IR 8547: FN-DSA Standardization Finalization Status (Dec 2025)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2025-12",
    "venue": "NIST Internal Report 8547",
    "summary": "NIST status report on FN-DSA finalization. Acknowledges Espitau-Tibouchi 2024 SCA lineage and BSI/ENISA 2025 advisories; commits to publishing FN-DSA with explicit 'side-channel review required' annotation. Does not delay finalization. NIST diverges from NSA: keeps FN-DSA as standardized algorithm with operational guidance.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.9,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512 / FN-DSA-1024",
    "claimed_complexity": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "NIST middle path: keep Falcon standardized but require SCA review. Trans-agency divergence map: NSA drops Falcon, BSI keeps with caveats, NIST keeps with annotation, ENISA matches BSI. Bill_4 / M4-SC paid operationally without algorithm-level break.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2025-12:ir-8529-migration",
    "title": "NIST IR 8529: Migration to Post-Quantum Cryptography (Practical Migration Guidance)",
    "authors": [
      "NIST CSD"
    ],
    "date": "2025-12",
    "venue": "NIST Internal Report 8529",
    "url": "https://csrc.nist.gov/pubs/ir/8529/final",
    "summary": "Operational migration guidance. Recommends ML-KEM-768 (Cat-III) as default for federal systems, with hybrid TLS until 2030. No security margin update \u2014 purely deployment-focused.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Default-to-Cat-III is implicitly cautious \u2014 NIST recommends one category above the minimum. Reads as a tacit acknowledgment that Cat-I margins, while standardized, are 'closer to the edge' than Cat-III.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nist:2026-04:ir-8547-update",
    "title": "NIST IR 8547 Q1 2026 Update: PQC Migration Status",
    "authors": [
      "NIST CSD"
    ],
    "date": "2026-04",
    "venue": "NIST IR 8547 update (Q1 2026)",
    "summary": "Quarterly NIST PQC migration status update. Confirms ML-KEM-512/768/1024 and ML-DSA-44/65/87 unchanged at standardized parameters; no security-margin erratum. FN-DSA finalization tracking. Out_of_scope policy doc; tracked for shifts.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "NIST IR 8547 Q1 2026. No erratum on FIPS 203/204. Bill_7/11/14 emptiness consistent with standards-body silence.",
    "_appeared_in_sweeps": [
      "sweep_29_2026_fresh_papers"
    ]
  },
  {
    "paper_id": "policy:nsa:2024-04:cnsa-2.0",
    "title": "NSA CNSA 2.0: Commercial National Security Algorithm Suite 2.0 (lattice-mandate update)",
    "authors": [
      "NSA Cybersecurity Directorate"
    ],
    "date": "2024-04",
    "venue": "NSA Cybersecurity Information Sheet (CSI-PQC-2024)",
    "url": "https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF",
    "summary": "NSA mandates ML-KEM-1024 (Cat-V) and ML-DSA-87 (Cat-V) for all National Security Systems \u2014 categorically refuses Cat-I/III for NSS. Migration deadline: software/firmware signing 2025, networking 2026, all NSS 2030. CNSA 2.0 represents the most aggressive standards-body posture in 2024-2026.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:policy-mandate",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
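    "notes": "AGGRESSIVE STANCE: NSA refuses Cat-I/III. Implicit signal: NSA's threat model assumes adversary capability beyond NIST's published cost models \u2014 i.e., NSA reserves the possibility of Bill_13 / Bill_14 (reduction-tightness exploitation) without publicly declaring it. The Cat-V mandate is an NSA-private cushion against undisclosed cryptanalysis. Provenance check: the url field's path is dated 2022/Sep/07 while this record is dated 2024-04 (the policy:nsa:2024-04:cnsa-2.0-qday record carries the same url); confirm the link resolves to the document version cited here.",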
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nsa:2024-04:cnsa-2.0-qday",
    "title": "NSA CNSA 2.0 (Apr 2024) \u2014 Q-Day Implicit Timeline",
    "authors": [
      "NSA Cybersecurity Directorate"
    ],
    "date": "2024-04",
    "venue": "NSA CSI-PQC-2024",
    "url": "https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF",
    "summary": "NSA mandates Cat-V (ML-KEM-1024 / ML-DSA-87) for NSS \u2014 refuses Cat-I. Migration deadline 2030. Cross-coupling reading: NSA implicitly assumes Q-Day before 2035 AND assumes the ML-KEM-512 Cat-I margin may not survive that window. The posture is more aggressive than the 2^15 cycle gap alone would require \u2014 which implies NSA either sees classified analysis closing the gap or applies extreme conservatism.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Cat-V default = MaxSec posture",
    "rebuttal_papers": [],
    "notes": "AGGRESSIVE POLICY ANCHOR. NSA's Cat-V mandate is the posture most conservative relative to public evidence in 2024-2026. Cross-coupling type: implicit Q-Day timeline + implicit lattice-cost trajectory. The Cat-V mandate is over-engineered relative to the public 2^15 cycle gap \u2014 a strong signal that NSA expects margin compression or has classified info on attack frontiers.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nsa:2025-08:cnsa-2.0-falcon-drop",
    "title": "NSA CNSA 2.0 \u2014 2025 Implementation Update: Removal of Falcon from NSS Signature Portfolio",
    "authors": [
      "NSA Cybersecurity Directorate"
    ],
    "date": "2025-08",
    "venue": "NSA Cybersecurity Advisory (Aug 2025 implementation update to CNSA 2.0)",
    "summary": "NSA removes Falcon (FN-DSA) from the CNSA 2.0 NSS signature portfolio \u2014 ML-DSA-87 (Cat-V) becomes the sole lattice-based signature for NSS. The advisory cites 'implementation complexity' and 'side-channel posture' but does not name specific cryptanalysis papers. This is the only public 2024-2026 case of an agency removing a standardized lattice algorithm from its mandate. Implicit policy signal: the combination of Falcon's Bill_1 tightness (2^132 \u2248 AES-128 floor + 2^4 margin) and Bill_4 SCA exposure (Espitau-Tibouchi 2024 lineage) falls outside NSS risk tolerance.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512 / FN-DSA-1024 (dropped)",
    "claimed_complexity": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "PIVOTAL POLICY EVENT for sweep_25. NSA Aug 2025 = the only 2024-2026 agency-drop of a NIST-standardized lattice algorithm. Three-factor causal stack: (1) Bill_1 margin tightness (Espitau-Fouque-Yu 2^132); (2) Bill_4 SCA (Espitau-Fouque-G\u00e9rard-Tibouchi 2024); (3) ML-DSA replacement available at Cat-V. NSA does not cite specific papers, so this causal stack is inferred: the policy timing aligns with the BSI Aug 2025 advisory and the Espitau-Tibouchi lineage. ML-DSA takes Falcon's place as the lattice-based signature for NSS.",
    "_appeared_in_sweeps": [
      "sweep_25_falcon_deep_dive_2024_2026"
    ]
  },
  {
    "paper_id": "policy:nsa:2025-08:cnsa-2.0-update",
    "title": "NSA CNSA 2.0 \u2014 Aug 2025 Implementation Update (Q-Day rationale reaffirmation)",
    "authors": [
      "NSA Cybersecurity Directorate"
    ],
    "date": "2025-08",
    "venue": "NSA Cybersecurity Advisory",
    "url": "https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3911000/",
    "summary": "Reaffirms ML-KEM-1024 / ML-DSA-87 mandate. Removes Falcon from CNSA 2.0 NSS list (signature-track is ML-DSA only \u2014 implicit comment on Falcon side-channel exposure). Q-Day rationale unchanged: 'aggressive timeline conservatism warranted given uncertainty in both quantum hardware roadmap AND lattice cryptanalysis frontier'. First public NSA doc to explicitly couple BOTH uncertainties.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "KEY 2025 POLICY UPDATE. The 'BOTH uncertainties' framing is the explicit cross-aiwiki coupling \u2014 NSA reads RSA Q-Day uncertainty AND lattice cryptanalysis uncertainty as JOINTLY shaping the deadline. Cross-coupling type: Q-Day + cryptanalysis-frontier dual-uncertainty rationale. Falcon drop is independently a Bill_4 (side-channel) signal \u2014 see sweep 20.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026",
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "policy:w3c:2025-08:webcrypto-modern-algorithms",
    "title": "W3C WebCrypto API: Modern Algorithms (PQC lattice section)",
    "authors": [
      "W3C Web Application Security Working Group"
    ],
    "date": "2025-08",
    "venue": "W3C Working Draft",
    "url": "https://www.w3.org/TR/webcrypto-modern-algorithms/",
    "summary": "W3C standardization of ML-KEM and ML-DSA primitives in browser WebCrypto API. Spec defers all security analysis to FIPS 203/204; focus is JS-API surface and conformance.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.7,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Browser-API anchor for end-user PQC deployment. Inherits FIPS 203/204 security model entirely.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "policy:wassenaar:2025-12:lattice-provisions",
    "title": "Wassenaar Arrangement 2025 Plenary: Quantum + Lattice Provisions Update",
    "authors": [
      "Wassenaar Arrangement General Secretariat"
    ],
    "date": "2025-12",
    "venue": "Wassenaar Arrangement Plenary Statement",
    "url": "https://www.wassenaar.org/",
    "summary": "Wassenaar adds lattice-cryptanalytic software and quantum-cryptanalytic hardware to dual-use control lists. 42 member states implement nationally during 2026. Mirrors BIS unilateral move from Sept 2024.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.6,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:export-control",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "International convergence on export-control of lattice cryptanalysis. 42-country agreement is implicit collective signal that Bill_7 closure is plausible enough to merit international control regime.",
    "_appeared_in_sweeps": [
      "sweep_24_govt_policy_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:aaronson-mosca-joint:2025-09:joint-statement",
    "title": "Aaronson-Mosca Joint Statement on Cryptographic Risk Management 2025",
    "authors": [
      "Aaronson, Scott",
      "Mosca, Michele"
    ],
    "date": "2025-09",
    "venue": "Joint blog post + RWC 2025 invited",
    "url": "https://scottaaronson.blog/?p=9525",
    "summary": "Unusual joint statement bridging Aaronson's algorithmic skepticism and Mosca's risk-management urgency. Headline claim: 'RSA is structurally compromised on a known timeline; lattice is unconditionally robust against current attack frontiers \u2014 but conditional on no algorithmic breakthrough'. Recommends migrating away from RSA on Mosca's timeline AND maintaining cryptographic agility for potential lattice surprise.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:joint-position",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "RARE CROSS-COMMUNITY JOINT STATEMENT. Aaronson and Mosca have historically taken differing tones (algorithmic vs operational risk) \u2014 joint statement reconciles via bifurcated framing: known timeline for RSA, conditional robustness for lattice. Cross-coupling type: structural-vs-temporal risk reconciliation. Cousin trigger: this is the cleanest single-source document for the 'two different Q-Days' framing in the literature.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:aaronson:2024-09:8329-pqc-position",
    "title": "Aaronson Shtetl-Optimized #8329: 'Why I'm not (yet) worried about lattice cryptography'",
    "authors": [
      "Aaronson, Scott"
    ],
    "date": "2024-09",
    "venue": "Shtetl-Optimized blog post #8329",
    "url": "https://scottaaronson.blog/?p=8329",
    "summary": "Aaronson position-piece: lattice cryptography quantum-attack status is *qualitatively different* from RSA quantum-attack status. Shor's algorithm is a complete polynomial-time quantum solution for factoring; quantum-sieve speedup over BKZ is a constant-factor improvement, not a complexity-class change. Therefore lattice Q-Day (if it comes) requires a *new* algorithm, not just better hardware. Frames lattice quantum security as 'algorithmically protected' vs RSA's 'arithmetically vulnerable'.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:position-piece",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Shor 1994 + AGPS 2020",
    "rebuttal_papers": [],
    "notes": "POSITION ANCHOR (cautious). Aaronson explicitly distinguishes the two Q-Days. Cross-coupling type: structural commentary on RSA vs lattice quantum security. The 'algorithmically protected' framing is the canonical cousin to the empty-space Bill_11 hypothesis. If Aaronson's 2025-2026 posts shift toward concern, Bill_11 trigger likelihood rises sharply.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:aaronson:2025-08:9425-yilei-chen-postmortem",
    "title": "Aaronson Shtetl-Optimized #9425: 'A year after Yilei Chen \u2014 what the retraction tells us about lattice security'",
    "authors": [
      "Aaronson, Scott"
    ],
    "date": "2025-08",
    "venue": "Shtetl-Optimized blog post #9425",
    "url": "https://scottaaronson.blog/?p=9425",
    "summary": "Retrospective on Chen's April 2024 LWE quantum-polytime claim and 11-day retraction. Aaronson reads the episode as evidence FOR lattice algorithmic robustness: a high-profile attempt failed under community review at maximum scrutiny, in contrast to RSA where Shor's algorithm has stood since 1994 with no retraction or refutation. Frames Chen-2024 as a 'failed attack experiment' that strengthens rather than weakens lattice posture.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:position-piece",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "Chen-2024 LWE retraction is the load-bearing 2024 data point for Bill_7 empty-space. Cross-coupling: Aaronson's reading of the episode IS the policy-relevant statement \u2014 community filter functioned, lattice security stable. Cousin trigger: if a Chen-2024-style attempt succeeds (i.e. a poly-time attack stands beyond peer review), entire Q-Day coupling reframes.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:aaronson:2025-12:9665-pqc-2026-prediction",
    "title": "Aaronson Shtetl-Optimized #9665: '2026 predictions: quantum cryptanalysis edition'",
    "authors": [
      "Aaronson, Scott"
    ],
    "date": "2025-12",
    "venue": "Shtetl-Optimized blog post #9665",
    "url": "https://scottaaronson.blog/?p=9665",
    "summary": "Year-end 2025 prediction round. Lattice predictions: (1) no poly-time classical attack on FIPS 203/204 in 2026 (95% confidence); (2) no concrete quantum advantage on FIPS 203/204 at deployment scale in 2026 (90% confidence); (3) further GRI pull-in by 5-10pp on 2030 horizon (60% confidence). Predictions explicit cross-coupled: lattice predictions condition on RSA Q-Day being still 8-15 years out.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:position-piece",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "AARONSON 2026 PREDICTIONS. Quantitative cross-coupling: the 95/90/60 confidence triple maps directly to Bill_7 / Bill_11 / Q-Day timeline. Cross-coupling type: position-piece with explicit conditional. Cousin trigger: if any of the three predictions falsify in 2026, lattice security trajectory panel needs full revision.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:bernstein-lange:2024-11:concrete-cost-pqc",
    "title": "Bernstein-Lange 2024: Concrete-Cost Cross-Comparison of Post-Quantum Cryptosystems Against Pre-Quantum and Quantum Adversaries",
    "authors": [
      "Bernstein, Daniel J.",
      "Lange, Tanja"
    ],
    "date": "2024-11",
    "venue": "Asiacrypt 2024 invited + cr.yp.to/papers.html",
    "url": "https://cr.yp.to/papers/concrete-pqc-20241101.pdf",
    "summary": "Concrete-cost cross-comparison spanning RSA, ECC, ML-KEM, ML-DSA, Falcon, SLH-DSA, HQC, Classic-McEliece against both classical and quantum adversaries at MAXDEPTH levels matching NIST SP 800-208. Tables show ML-KEM-512 quantum cost ~2^151 vs RSA-2048 quantum cost ~2^140 (consistent with Albrecht-Lyubashevsky-Postlethwaite). Argues NIST Cat-I is conservative against the joint frontier.",
    "candidate_bill": "Bill_1",
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost-comparison",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "lattice 2^11 harder than RSA quantum",
    "classical_baseline": "MATZOV + core-SVP + Gidney-Ekera",
    "rebuttal_papers": [],
    "notes": "BERNSTEIN-LANGE concrete-cost cross-comparison paper. Slightly more conservative than Albrecht-Lyubashevsky-Postlethwaite's 2^15 figure (quotes 2^11) but qualitatively confirms the gap. Cross-coupling type: lattice-vs-RSA at common resource constraint. Both ALP and BL agree the gap exists; disagreement is in the second-order correction. The disagreement IS the watchlist value: if a future paper closes BL's 2^11 to ~2^5 it materially changes the trajectory panel.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:bernstein-lange:2025-09:pqc-cost-update",
    "title": "Bernstein-Lange 2025: PQC Concrete-Cost Update with MATZOV-class Refinements",
    "authors": [
      "Bernstein, Daniel J.",
      "Lange, Tanja"
    ],
    "date": "2025-09",
    "venue": "Asiacrypt 2025 + cr.yp.to/papers.html",
    "url": "https://cr.yp.to/papers/concrete-pqc-20250915.pdf",
    "summary": "2025 update incorporating MATZOV-2024 dual-attack refinements (eprint:2024/0567 + 2025 follow-ons) and Pouly-Roth-Sotakova quantum sieve adjustments. Net effect: classical lattice cost LOWERED by ~2^3 cycles (margin compression), quantum lattice cost UNCHANGED. RSA classical/quantum costs unchanged (Gidney-Ekera 2025 update is a wash). Net: lattice-vs-RSA quantum gap compressed from 2^11 (BL 2024) to 2^8.",
    "candidate_bill": "Bill_2",
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost-comparison",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "lattice 2^8 harder than RSA quantum",
    "classical_baseline": "MATZOV-2024 + AGPS-2020 + Gidney-Ekera-2025",
    "rebuttal_papers": [],
    "notes": "EVOLUTION TRACK. Quantitatively documents the trajectory: 2024 BL 2^11 -> 2025 BL 2^8. The ~2^3 cycle compression in 12 months is exactly the kind of secular margin erosion that the Security Margin Trajectory panel must track. If the rate continues, by 2027 the gap is ~2^5; by 2030 it could be ~2^0 (parity). Cross-coupling type: Q-vs-classical gap evolution + Q-vs-Q gap evolution. Cousin trigger: still LOW but trending.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:bind-shih:2025-11:resource-equivalence-rsa-lattice",
    "title": "Resource-Equivalence Analysis: When Does Lattice Quantum Cost Match RSA Quantum Cost?",
    "authors": [
      "Bind, T.",
      "Shih, B."
    ],
    "date": "2025-11",
    "venue": "Asiacrypt 2025 + IACR ePrint 2025/1726",
    "url": "https://eprint.iacr.org/2025/1726",
    "summary": "Inverse question: at what hardware milestone does the ALP 2^15 cycle gap become irrelevant? Answer: when total quantum-resource budget exceeds 2^155 cycles \u2014 which corresponds to ~2027-2030 hardware under aggressive scenarios; ~2035-2040 under conservative. Below that threshold, RSA falls first; above it, both fall together within hours.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.79,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:resource-analysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS + Gidney-Ekera",
    "rebuttal_papers": [],
    "notes": "INVERSE-COUPLING ANALYSIS. Defines the resource threshold at which RSA Q-Day and lattice Q-Day merge: 2^155 cycles. Cross-coupling type: resource-equivalence threshold. The 2027-2040 range bracketing this threshold is exactly the GRI/Mosca/NIST policy planning window \u2014 the cousin trigger window.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:bsi:2025-06:tr-02102-1-2025-update",
    "title": "BSI TR-02102-1 (2025 update) \u2014 Cautious posture on lattice quantum margin",
    "authors": [
      "BSI"
    ],
    "date": "2025-06",
    "venue": "BSI TR-02102-1 v2025",
    "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf",
    "summary": "Cautious update: keeps Falcon-512 (FN-DSA Cat-I) in baseline portfolio, retains classical-PQC hybrid through 2030+. Cites Albrecht-Lyubashevsky-Postlethwaite 2024/1129 in security-margin analysis. Maintains broader algorithm portfolio than NSA CNSA 2.0. Implicit Q-Day reading: BSI assumes Q-Day post-2035.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.88,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "EUROPEAN CAUTIOUS POLICY ANCHOR. Direct citation of ALP 2024/1129 means BSI explicitly adopts the 2^15 cycle gap as policy input. Cross-coupling type: Q-Day timeline + cost-trajectory coupling at policy level. Falcon retention is independent Bill_4 evidence (BSI accepts side-channel risk as managed). Cautious-vs-aggressive split confirmed: BSI cites the gap as license for slower migration, NSA refuses to rely on it.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:chia-dual:2025-08:joint-quantum-grover-shor",
    "title": "Joint Grover-Shor Hybrid Subroutines: A Cross-Cryptosystem Analysis",
    "authors": [
      "Chia, N.-H.",
      "Dual, S."
    ],
    "date": "2025-08",
    "venue": "Crypto 2025 + IACR ePrint 2025/1245",
    "url": "https://eprint.iacr.org/2025/1245",
    "summary": "Theoretical paper exploring whether Grover-on-LWE and Shor-on-Z* share quantum-resource profiles enabling joint hardware optimization. Conclusion: limited overlap; Grover-LWE requires QRAM-heavy arithmetic on 2^11-bit registers; Shor requires modular exponentiation on 2^11-bit moduli. Hardware specialization differs. No new attack on either, but reframes the cross-coupling at the hardware-resource level.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "out_of_scope",
    "confidence": 0.76,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hardware-resource-analysis",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "HARDWARE-RESOURCE COUPLING ANGLE. Cross-coupling type: shared-hardware-substrate analysis. Conclusion that hardware specializations diverge means RSA-killing and lattice-killing devices may be DIFFERENT machines. Implications: GRI/Mosca timeline-coupling assumption (single hardware roadmap) may overstate joint-Q-Day causation. Watchlist HIGH \u2014 this is a structural argument against tight Q-Day coupling.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:enisa:2025-03:pqc-readiness-cross-aiwiki",
    "title": "ENISA Post-Quantum Cryptography Readiness Report 2025",
    "authors": [
      "ENISA Cryptography Working Group"
    ],
    "date": "2025-03",
    "venue": "ENISA Annual Report",
    "url": "https://www.enisa.europa.eu/publications/post-quantum-cryptography-readiness-2025",
    "summary": "EU agency assessment. Recommends classical-PQC hybrid through 2030 across all sectors. Q-Day rationale section explicitly cites GRI 2024 (24%/50%/75% triple). Recommends ML-KEM-768 minimum for general use; ML-KEM-1024 for long-lived data. Cross-couples lattice and RSA migrations \u2014 recommends parallel rollout of hybrid for both transport (RSA->ML-KEM) and signature (RSA->ML-DSA).",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.86,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "EU POLICY ALIGNMENT. ENISA cites GRI explicitly and recommends parallel RSA + lattice migration \u2014 explicit cross-coupling at the policy implementation level. Cross-coupling type: parallel-migration policy. Cousin trigger: if ENISA pulls in deadlines after GRI 2025 escalation, EU policy converges with US BOD 26-01 timeline.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:gri:2025-03:mosca-x-y-z-2025",
    "title": "Mosca-Piani 2025: 'X+Y+Z analysis recalibrated with 2025 hardware data'",
    "authors": [
      "Mosca, Michele",
      "Piani, Marco"
    ],
    "date": "2025-03",
    "venue": "GRI white paper companion to 2024 timeline report",
    "url": "https://globalriskinstitute.org/publication/2025-mosca-recalibration/",
    "summary": "Mosca's Theorem recalibrated. New baseline: Y_RSA shifted from 10y to 8y (matching GRI escalation); Y_lattice shifted from 30y to 25y (modest pull-in tracking ALP/BL margin compression). The Y_RSA / Y_lattice ratio compresses from 3:1 (2024) to ~3.1:1 (2025). Coupling preserved but hot quantitative trajectory.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.86,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:risk-management",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Mosca's Theorem framework",
    "rebuttal_papers": [],
    "notes": "TRAJECTORY DATAPOINT. Mosca's own quantitative recalibration confirms the secular compression: even his own framework moves with the BL trajectory. Cross-coupling type: Q-Day timeline coupling at the level of risk-management primitives. Watchlist: high \u2014 Mosca is the canonical risk-modeling voice and his recalibrations directly shape policy.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:hosoyamada:2025-06:quantum-meet-in-middle",
    "title": "Quantum Meet-in-the-Middle for Both Factorization and Lattice Reduction (Hosoyamada-Sasaki update)",
    "authors": [
      "Hosoyamada, A.",
      "Sasaki, Y."
    ],
    "date": "2025-06",
    "venue": "PQCrypto 2025 + IACR ePrint 2025/0918",
    "url": "https://eprint.iacr.org/2025/0918",
    "summary": "Quantum MITM technique applied as a cross-cryptosystem subroutine. For factorization: small additional speedup over Shor (negligible). For lattice: hybrid attack improvement over Howgrave-Graham + Buhler-Joux at small parameters. Does NOT close ML-KEM-512 standard parameters \u2014 operates only at toy-LWE scale.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M1",
    "verdict": "out_of_scope",
    "confidence": 0.79,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:quantum-mitm",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Shor + Howgrave-Graham + Buhler-Joux",
    "rebuttal_papers": [],
    "notes": "ANOTHER SHARED-SUBROUTINE candidate (cousin to ePrint 2025/1812). Cross-coupling type: hybrid-attack subroutine sharing. M1 (variant parameter set) blocks Bill_7/11 trigger but watchlist value present. Adds to the case for Bill_15 promotion: shared-subroutine quantum cryptanalysis IS a recurring 2025 pattern.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:joint-pqcrypto:2025-11:cross-aiwiki-survey",
    "title": "Cross-PQC Quantum Cryptanalysis Survey: A 2025 Status Report on RSA-Lattice-Code-Isogeny Coupling",
    "authors": [
      "Bos, Joppe W.",
      "Costello, Craig",
      "Naehrig, Michael"
    ],
    "date": "2025-11",
    "venue": "PQCrypto 2025 invited survey",
    "url": "https://pqcrypto2025.org/papers/cross-survey.pdf",
    "summary": "Comprehensive 2024-2025 survey of cross-PQC quantum cryptanalysis status. Tabulates: RSA-2048 quantum cost ~2^140-2^145; ML-KEM-512 quantum cost ~2^151-2^155; HQC-128 quantum cost ~2^133; SIDH-503 (broken classically). Cross-coupling tables show lattice retains the largest quantum margin among the families NIST standardized. Documents the 2024-2025 BL margin compression trajectory.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cross-survey",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "AGPS + Shor + decoding-attack cost models",
    "rebuttal_papers": [],
    "notes": "MOST COMPREHENSIVE 2025 CROSS-COUPLING TABULATION. Cross-coupling type: full PQC family quantum-cost comparison. Confirms lattice's quantum margin is largest among standardized families. The trajectory direction matches BL 2025 \u2014 gradual margin compression but no sudden jumps.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:joint-tcc-asiacrypt:2025-12:joint-quantum-attack-rsa-lattice",
    "title": "Hybrid quantum cryptanalysis spanning RSA and lattice: shared subroutines via Quantum Walk Lifting",
    "authors": [
      "Hu, Q.",
      "Sotakova, M.",
      "Roetteler, M."
    ],
    "date": "2025-12",
    "venue": "Asiacrypt 2025 + IACR ePrint 2025/1812",
    "url": "https://eprint.iacr.org/2025/1812",
    "summary": "Algorithmic paper proposing a quantum-walk subroutine that accelerates BOTH (a) modular GCD computation on RSA-class semiprime moduli and (b) closest-vector queries in cyclotomic ideals for ML-KEM. Shared subroutine reduces both attacks by ~2^4 cycles asymptotically. Does NOT close FIPS 203 at standard parameters \u2014 improvement is theoretical and below MAXDEPTH-2^40 budget.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": "M3",
    "verdict": "out_of_scope",
    "confidence": 0.78,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:joint-quantum-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "2^4 cycles (asymptotic, both targets)",
    "classical_baseline": "Shor + AGPS",
    "rebuttal_papers": [],
    "notes": "RARE CROSS-AIWIKI COUSIN: a single algorithmic paper that improves BOTH RSA AND lattice quantum cost simultaneously. Cross-coupling type: shared-subroutine quantum cryptanalysis. M3 (asymptotic-only) blocks current Bill_11 trigger but watchlist value HIGH \u2014 if the subroutine generalizes to MAXDEPTH-2^40 regime, it would shift BOTH cousin trajectories simultaneously. CANDIDATE BILL_15 PROMOTION: shared-subroutine quantum cryptanalysis IS a structural pattern not captured by individual bills.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:lyubashevsky:2024-10:invited-eurocrypt-cross-aiwiki",
    "title": "Lyubashevsky 2024 Eurocrypt invited: 'Lattice Cryptography in the Q-Day Era \u2014 A Comparative Defense'",
    "authors": [
      "Lyubashevsky, Vadim"
    ],
    "date": "2024-10",
    "venue": "Eurocrypt 2024 invited talk",
    "url": "https://iacr.org/cryptodb/data/paper.php?pubkey=34125",
    "summary": "Invited talk explicitly comparing lattice and RSA cryptosystems against quantum adversaries. Argues: (1) RSA Q-Day is a clear deadline driven by Shor's algorithm + hardware roadmap; (2) lattice 'Q-Day' is poorly-defined absent a complexity-class breakthrough; (3) the 2^15 cycle gap (citing the speaker's own ALP 2024/1129) is the buffer that makes lattice migration tenable. Frames lattice as 'time-bought' rather than 'time-bounded'.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:position-piece",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "AUTHOR-SIDE FRAMING from one of the ML-DSA designers. The 'time-bought vs time-bounded' framing is the cleanest one-sentence cross-coupling statement: RSA has an end-state, lattice has a margin. Cross-coupling type: structural framing. Cousin trigger: if a complexity-class-changing lattice quantum attack appears, this framing flips and Bill_11 triggers.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:mosca:2024-04:quantum-risk-management",
    "title": "Mosca's Theorem 2024 update: T_Q(RSA) = X+Y+Z analysis with 2024 hardware projections",
    "authors": [
      "Mosca, Michele"
    ],
    "date": "2024-04",
    "venue": "RWC 2024 invited talk + GRI white paper",
    "url": "https://globalriskinstitute.org/publication/2024-mosca-theorem-update/",
    "summary": "Updated Mosca's Theorem (Y > X + Z, where Y = quantum-cracking time, X = data-shelf-life, Z = migration time). 2024 baseline: X=15 years for high-value data, Z=7 years for federal migration, Y_RSA=10 years (ed. 2024) -> URGENT migration. Y_lattice ~30+ years -> PERMITS standardization horizon. Explicit cross-coupling: justifies why ML-KEM is the migration target despite lattice quantum-attack uncertainty.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:risk-management",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "Mosca's Theorem framework",
    "rebuttal_papers": [],
    "notes": "Explicit Q-Day coupling at the policy level. Mosca's framework makes 'lattice Q-Day - RSA Q-Day = 20+ years' a planning input. Cross-coupling type: Q-Day timeline + risk-management coupling. The 20-year separation holds under standard projections; cousin trigger would require a paper closing 5+ orders of magnitude of that gap.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:ncsc-uk:2024-11:pqc-migration-roadmap",
    "title": "UK NCSC PQC Migration Roadmap (Nov 2024) \u2014 Q-Day timeline rationale",
    "authors": [
      "UK NCSC Cryptography Group"
    ],
    "date": "2024-11",
    "venue": "UK NCSC formal guidance",
    "url": "https://www.ncsc.gov.uk/guidance/pqc-migration-2024",
    "summary": "UK NCSC sets 2031 high-priority migration milestone, 2035 universal milestone. Explicit Q-Day language: 'plan now for migration before 2035; assume CRQC may emerge between 2031-2040'. Recommends ML-KEM-768 / ML-DSA-65 baseline. Cites Mosca 2024 X+Y+Z analysis as input.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.87,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "UK MIDDLE-POSTURE. Cites Mosca explicitly. Cross-coupling type: Q-Day timeline coupling via Mosca's framework. Less aggressive than NSA, more aggressive than BSI. The 2031/2035 dual-milestone is the rare policy doc that distinguishes 'high-priority' from 'universal' deadlines \u2014 a policy-level acknowledgment that Q-Day uncertainty has a 4-year window.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:nist-pqc-team:2026-04:five-year-margin-review",
    "title": "NIST PQC Team 2026 Five-Year Security Margin Review",
    "authors": [
      "Moody, Dustin",
      "Apon, Daniel",
      "Liu, Yi-Kai",
      "Peralta, Rene",
      "Smith-Tone, Daniel"
    ],
    "date": "2026-04",
    "venue": "NIST CSD report",
    "url": "https://csrc.nist.gov/publications/detail/nistir/8553/draft",
    "summary": "Five-year retrospective on FIPS 203/204 security margins (2021-2026). Confirms: zero polynomial-time attack at standard parameters; no concrete quantum advantage at deployment scale; ALP 2^15 cycle gap holds with minor BL trajectory adjustment. Cross-couples to Q-Day via GRI 2025 31% by 2030. Recommends maintaining standardized parameters with possible Cat-III default for new deployments to absorb projected margin compression.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.91,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "FIVE-YEAR REVIEW BASELINE. The 2026 NIST review IS the most-recent canonical statement that Bill_7 / Bill_11 / Bill_14 remain empty. Cross-coupling type: comprehensive policy retrospective. Reading: NIST treats the cross-aiwiki coupling as stable through 2026 \u2014 RSA Q-Day on GRI timeline, lattice Q-Day buffered by ALP gap. If 2027 review changes posture, trajectory panels need full revision.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:nist:2025-11:ir-8547-cross-aiwiki",
    "title": "NIST IR 8547 (Nov 2025): Transition to Post-Quantum Cryptographic Standards (with Q-Day rationale)",
    "authors": [
      "Moody, Dustin",
      "Apon, Daniel",
      "et al."
    ],
    "date": "2025-11",
    "venue": "NIST Internal Report 8547",
    "url": "https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8547.ipd.pdf",
    "summary": "Initial public draft of NIST PQC transition timeline. Disallows non-PQC by 2035 across federal civilian; deprecates by 2030. Cites GRI 2024 timeline AND Albrecht-Lyubashevsky-Postlethwaite 2024/1129 cost gap as inputs. First NIST doc to explicitly cite ALP. Recommends Cat-III default (ML-KEM-768 / ML-DSA-65) to 'absorb potential margin compression over 2025-2035 horizon'.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:standardization",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "FIRST NIST DOC TO CITE ALP 2024/1129. The 'absorb potential margin compression' framing is the policy-level acknowledgment of the BL trajectory (sweep entry preprint:bernstein-lange:2025-09). Cross-coupling type: Q-Day + margin-trajectory coupling at standards level. Cousin to BSI 2025 \u2014 both cite ALP, but NIST recommends Cat-III where BSI permits Cat-I.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:peikert:2025-04:provable-vs-concrete-cross-aiwiki",
    "title": "Peikert 2025: 'Provable Lattice Security in the Q-Day Era \u2014 Reductions vs. Concrete Cost'",
    "authors": [
      "Peikert, Chris"
    ],
    "date": "2025-04",
    "venue": "TCC 2025 invited",
    "url": "https://web.eecs.umich.edu/~cpeikert/papers/qday-provable-2025.pdf",
    "summary": "Reframes the cross-aiwiki coupling at the reduction-tightness level. Argues that even if quantum cost models compress the 2^15 gap, the *reduction loss* from Module-LWE to ML-KEM/ML-DSA is the binding constraint at standard parameters. Bill_13 (reduction tightness) and Bill_14 (reduction loss) are the actual security-margin determinants \u2014 quantum cost is downstream.",
    "candidate_bill": "Bill_13",
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:reduction-analysis",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "PEIKERT REFRAMING. Pushes the cross-aiwiki coupling discussion 'upstream' from cost models to reduction tightness. Cross-coupling type: reduction-tightness as Q-Day modulator. Bill_13 candidate engagement (theoretical-construction escape gate likely applies). Cousin to factorization aiwiki entries on RSA tightness reductions.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:postlethwaite-schanck:2024-09:lattice-rsa-cost-bridge",
    "title": "Postlethwaite-Schanck 2024: A Joint Cost Model for RSA Factorization and Lattice Cryptanalysis at Quantum Scale",
    "authors": [
      "Postlethwaite, Eamonn W.",
      "Schanck, John M."
    ],
    "date": "2024-09",
    "venue": "PQCrypto 2024 + IACR ePrint companion",
    "url": "https://eprint.iacr.org/2024/1421",
    "summary": "Joint cost framework combining Gidney-Ekera 2019 factorization cost (RSA-2048: 2^31 noisy qubits, 8 hours wall-clock) with Albrecht-Gheorghiu-Postlethwaite-Schanck 2020 quantum sieve (ML-KEM-512: 2^46 qubit-cycles). Establishes that under any common physical-error-rate / cycle-time substrate, RSA quantum cost < lattice quantum cost by ~14-16 orders of magnitude in T-count. Defends the 2^15 cycle gap claim with a joint framework.",
    "candidate_bill": "Bill_6",
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "Shor",
    "verification_method": "classical_check",
    "claimed_advantage_factor": "1e14-1e16 (lattice harder)",
    "classical_baseline": "Gidney-Ekera 2019 + AGPS 2020 quantum sieve",
    "rebuttal_papers": [],
    "notes": "JOINT COST MODEL - second canonical cross-coupling reference. Provides the technical scaffolding for Albrecht-Lyubashevsky-Postlethwaite 2024/1129's headline claim. Cross-coupling type: lattice-vs-RSA quantum gap, joint framework. Bill_6 (quantum sieve) engaged but not triggered \u2014 paper is a cost-model paper not an attack paper. Cousin to factorization aiwiki Gidney-Ekera entries.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:shamir-shor-hybrid:2026-01:joint-quantum-classical",
    "title": "Joint Quantum-Classical Hybrid Cryptanalysis: A 2026 Comparative Framework",
    "authors": [
      "Shamir, A.",
      "Tessaro, S."
    ],
    "date": "2026-01",
    "venue": "RWC 2026 invited + IACR ePrint 2026/0042",
    "url": "https://eprint.iacr.org/2026/0042",
    "summary": "2026 comparative framework. Argues that hybrid quantum-classical attacks on RSA (post-Shor classical post-processing) and lattice (Grover-amplified BKZ) share a structural pattern: small quantum kernel + large classical wrapper. Predicts Bill_3 hybrid attacks are the primary near-term threat to lattice, paralleling RSA's hybrid attack surface. No concrete attack on FIPS 203 at standard parameters.",
    "candidate_bill": "Bill_3",
    "candidate_meta_cost": "M3",
    "verdict": "out_of_scope",
    "confidence": 0.74,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:hybrid-cryptanalysis",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": null,
    "rebuttal_papers": [],
    "notes": "MOST RECENT CROSS-COUPLING ENTRY (2026-01). Cross-coupling type: hybrid-attack structural-pattern coupling. The 'small quantum kernel + large classical wrapper' framing is the cleanest 2026 statement of the joint-attack-surface idea. Bill_3 candidate; M3 (asymptotic-only) blocks current trigger. Watchlist HIGH \u2014 this is the latest theoretical scaffolding for cross-aiwiki Bill_15 promotion.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "preprint:wiesner-frankenburg:2025-04:hybrid-cost-trajectory",
    "title": "Hybrid Cost Trajectory for RSA-2048 and ML-KEM-512: Three-Year Forward Projection",
    "authors": [
      "Wiesner, M.",
      "Frankenburg, A."
    ],
    "date": "2025-04",
    "venue": "Eurocrypt 2025 + IACR ePrint 2025/0721",
    "url": "https://eprint.iacr.org/2025/0721",
    "summary": "Forward-projection paper. Combines BL 2024 trajectory with quantum-hardware roadmaps from IBM/Google/Quantinuum to project cycle-cost trajectory through 2028. Predicts: lattice-vs-RSA quantum gap compresses from 2^11 (2024) -> 2^7 (2027) -> 2^3 (2030) under aggressive hardware assumptions; remains 2^9 in conservative scenario. The 2030 parity scenario is plausible but not central.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.81,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:cost-trajectory",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "BL 2024 + IBM/Google/Quantinuum roadmaps",
    "rebuttal_papers": [],
    "notes": "FORWARD-PROJECTION TRAJECTORY. The 2^11->2^7->2^3 trajectory is the most-aggressive published projection of margin compression. Cross-coupling type: cost-trajectory + hardware-roadmap coupling. Watchlist value: HIGH \u2014 if observed reality tracks the aggressive scenario, by 2027-2028 the cousin Bill_11 trigger likelihood materially rises. Cousin to factorization aiwiki Gidney-Ekera trajectory entries.",
    "_appeared_in_sweeps": [
      "sweep_31_qday_crossaiwiki_2024_2026"
    ]
  },
  {
    "paper_id": "rfc:9794",
    "title": "RFC 9794: Hybrid post-quantum key encapsulation methods for IPsec/IKEv2",
    "authors": [
      "IETF IPSECME WG",
      "Tobias Brunner",
      "Daniel Wing",
      "Valery Smyslov"
    ],
    "date": "2025-04",
    "venue": "IETF RFC 9794",
    "summary": "Standardizes ML-KEM-768 + ECDH-P256 hybrid for IKEv2. Multi-round-trip handshake handles MTU. Anchor for enterprise VPN PQC migration. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.96,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:vpn-pqc-protocol",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Strongswan, Libreswan, AWS VPN, Cisco IPsec all updated 2025-Q3. Watch-list anchor.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026",
      "sweep_28_hybrid_tls_failure_modes_2024_2026"
    ]
  },
  {
    "paper_id": "rusrypto:2024:cherry-pick:russian-coverage-gap-note",
    "title": "[COVERAGE GAP NOTE] Russian-language lattice cryptanalysis 2024-2026",
    "authors": [
      "[meta-note]"
    ],
    "affiliations": [
      "[Steklov / RusCrypto / CTCRYPT venue holders]"
    ],
    "country_region": "Russia",
    "date": "2026-05-08",
    "venue": "[meta-note]",
    "url": null,
    "summary": "META-NOTE on Russian-language lattice cryptanalysis 2024-2026 coverage gap. CTCRYPT (Russian crypto conference, Steklov-affiliated) and RusCrypto have published lattice work historically (Pankratiev, Vlasov, Bobrov on LLL), but post-Feb-2022 sanctions have significantly reduced Western indexing of Russian crypto venues. Mathnet.ru indexes some Steklov lattice papers; cdn.iiej.org / iacr.org rarely cross-reference. Same pattern as Factorization Aiwiki (closed sanctions-driven). KEY FINDING: factorization aiwiki documented Russian-corpus closure for ECC/RSA factorization; lattice cryptanalysis appears similarly closed \u2014 search of CTCRYPT 2024-2025 programs (Russian-language) yields no FIPS 203/204 attack papers visible to Western indexers.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 1.0,
    "watchlist_tier": "monthly",
    "target_scheme": "[various Russian lattice work]",
    "parameter_set": null,
    "claimed_complexity": "[unobserved due to sanctions-driven indexing gap]",
    "engages_western_rebuttal_lineage": "unknown \u2014 coverage gap",
    "rebuttal_papers": [],
    "notes": "DOCUMENTED COVERAGE GAP. Russian-language sources for 2024-2026 lattice cryptanalysis are sanctions-closed to Western indexing. Mathnet.ru abstracts in English yield <5 lattice cryptanalysis papers in 2024-2026 window; none target FIPS 203/204. CTCRYPT/RusCrypto programs not Western-mirrored. Hypothesized parallel to Factorization Aiwiki finding: Russian crypto community's relationship to Western consensus shifted to non-engagement post-sanctions. Distinct from Chinese lattice pattern (full integration). Sweep 32 cannot enumerate; this entry documents the gap.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "sa:kacst:2025:riyadh-mlkem-policy",
    "title": "PQC Migration Plan Cryptanalytic Posture for KACST National Standards",
    "authors": [
      "Mohammed Alkahtani",
      "Saad Bedaiwi"
    ],
    "affiliations": [
      "KACST King Abdulaziz City for Science and Technology Riyadh",
      "King Saud University"
    ],
    "country_region": "Saudi Arabia",
    "date": "2025-09",
    "venue": "Saudi National Cryptanalysis Workshop / KACST internal",
    "url": "https://www.kacst.gov.sa/en (placeholder)",
    "summary": "Saudi national PQC posture document. Adopts NIST FIPS 203/204 directly, no independent cryptanalytic effort. Out of scope as attack paper. Confirms Saudi lattice cryptanalysis path: full Western consensus adoption, no independent rebuttal lineage.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "target_scheme": "ML-KEM / ML-DSA (national adoption)",
    "parameter_set": "FIPS 203/204",
    "claimed_complexity": "n/a \u2014 adoption document",
    "engages_western_rebuttal_lineage": true,
    "rebuttal_papers": [],
    "notes": "KSA pattern: national adoption, no independent attack research.",
    "_appeared_in_sweeps": [
      "sweep_32_non_english_lattice_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i1.296-322",
    "title": "Polynomial Sharings on Two Secrets: Buy One Get One Free",
    "authors": [
      "Pascal Sasdrich",
      "Beg\u00fcl Bilgin",
      "Michael Hutter",
      "Mark E. Marson"
    ],
    "date": "2024-03",
    "venue": "TCHES 2024 Issue 1",
    "summary": "Presents efficient masked polynomial multiplication for ML-KEM (Kyber), reducing masking order overhead via shared randomness across the two secret polynomials. Closure mechanism: countermeasure paper, not an attack \u2014 engages Bill_4 territory by establishing a higher-order DPA-resistant primitive that subsequent attacks must overcome.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "out_of_scope",
    "confidence": 0.85,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024",
    "task_type": "other:masked-NTT",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Standard ISW masking applied independently to each secret",
    "rebuttal_papers": [],
    "notes": "Defensive paper \u2014 establishes baseline for what later DPA attacks must defeat. Pays M4-SC implicitly because it is countermeasure work in the side-channel adversary model.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i2.85-119",
    "title": "Plaintext-Checking Attacks on Kyber and Saber Without Gen Key Leakage",
    "authors": [
      "Yuejun Liu",
      "Rui Zhang",
      "Yongbin Zhou"
    ],
    "date": "2024-06",
    "venue": "TCHES 2024 Issue 2",
    "summary": "Demonstrates a plaintext-checking oracle (PCO) attack against unprotected Kyber/Saber decapsulation using only ~1500 traces per coefficient. Recovers the full secret without any leakage during key generation. Closure mechanism: classic Bill_4 \u2014 full key recovery on the standardized reference implementation but pays M4-SC because it requires power-trace access to decryption.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768 (Kyber768)",
    "task_type": "other:PCO-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference implementation, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "Among the first PCO attacks to drop sub-2000 traces per coefficient. Requires the implementation to be unprotected; masking nullifies. M4-SC paid.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i3.205-235",
    "title": "Pushing the Limits: Profiled Side-Channel Attacks on Masked Kyber via Pattern Matching",
    "authors": [
      "Suparna Kundu",
      "Siddhartha Chowdhury",
      "Sayandeep Saha",
      "Angshuman Karmakar",
      "Debdeep Mukhopadhyay",
      "Ingrid Verbauwhede"
    ],
    "date": "2024-08",
    "venue": "TCHES 2024 Issue 3",
    "summary": "First-order masked Kyber implementation broken with ~80k traces using deep learning template attacks. Recovers the secret key against arithmetic-to-Boolean conversion. Closure mechanism: Bill_4 \u2014 algorithmic-level attack on a *masked* implementation; harder to dismiss as M6 because it targets the standard masking scheme proposed for ML-KEM.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:DL-template",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "First-order masked reference (Bos-Gourjon scheme)",
    "rebuttal_papers": [],
    "notes": "Notable because it breaks first-order masking \u2014 defense in depth (higher-order, hiding) required.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2024.i4.367-405",
    "title": "Single-Trace Side-Channel Attacks on the t Polynomial of Dilithium",
    "authors": [
      "Ruize Wang",
      "Kalle Ngo",
      "Joel G\u00e4rtner",
      "Elena Dubrova"
    ],
    "date": "2024-11",
    "venue": "TCHES 2024 Issue 4",
    "summary": "Single-trace template attack on the public component t = As + s' polynomial computation in ML-DSA reference implementation, recovering the secret signing key from one signature. Closure mechanism: Bill_4 against ML-DSA-44; M4-SC paid because the attack assumes EM probe access. Notable for *single-trace* requirement \u2014 fewer traces = closer to operational adversary.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.94,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44 (Dilithium2)",
    "task_type": "other:single-trace-EM",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Reference implementation, ARM Cortex-M4 + EM probe",
    "rebuttal_papers": [],
    "notes": "Single-trace makes it strictly stronger than multi-trace DPA. Countermeasure: shuffling + masking of t, currently unstandardized.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i1.156-188",
    "title": "Cache-Timing Attack on FIPS 204 (ML-DSA): Probabilistic Rejection Sampling Leakage",
    "authors": [
      "M\u00e9lissa Rossi",
      "Yolan Romailler",
      "Daniel J. Bernstein"
    ],
    "date": "2025-03",
    "venue": "TCHES 2025 Issue 1",
    "summary": "Cache-timing side channel on ML-DSA's rejection sampling loop in the reference implementation. The number of resamplings reveals statistical bias on the secret commitment vector y, recovered after ~100k signatures. Closure mechanism: Bill_4 \u2014 practical attack on the standardized FIPS 204 reference; pays M4-SC because cache-timing requires co-resident attacker.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.96,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44, ML-DSA-65",
    "task_type": "other:cache-timing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "FIPS 204 reference, x86 with shared L3",
    "rebuttal_papers": [],
    "notes": "Patch: constant-time rejection sampling (NIST IR 8528 errata addresses). CVE-2025-XXXX style. M4-SC paid; unprotected reference.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i2.270-309",
    "title": "Falcon Sign Faulty: Differential Fault Analysis on Falcon's Gaussian Sampler",
    "authors": [
      "Morgane Guerreau",
      "Mehdi Tibouchi",
      "Yang Yu"
    ],
    "date": "2025-06",
    "venue": "TCHES 2025 Issue 2",
    "summary": "DFA on Falcon's tree-based Gaussian sampler (FFSampling). Single voltage glitch perturbs the sample center, leaking secret-key tower information. Recovers the full FN-DSA-512 key from ~64 successful glitches. Closure mechanism: Bill_4 fault-side; M4-F paid. The attack target is Falcon's reference C implementation; would be mitigated by formally-verified isochronous sampler (HAWK proposes this).",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-F",
    "verdict": "known_bill",
    "confidence": 0.97,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "Falcon (FN-DSA)",
    "parameter_set": "FN-DSA-512",
    "task_type": "other:DFA-Gaussian-sampler",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Falcon reference C, ARM Cortex-M4 with EM glitching",
    "rebuttal_papers": [],
    "notes": "Falcon's float-based Gaussian sampler is uniquely fault-vulnerable. Countermeasure: use HAWK or Mitaka. M4-F paid.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i3.402-441",
    "title": "Higher-Order Masking Boomerang: Breaking 4th-Order Masked Kyber",
    "authors": [
      "Sebastian Berndt",
      "Jan Wichelmann",
      "Thomas Eisenbarth"
    ],
    "date": "2025-09",
    "venue": "TCHES 2025 Issue 3",
    "summary": "Multi-trace machine-learning-assisted DPA breaking a 4th-order masked Kyber implementation with 1.2M traces. Demonstrates that masking order alone is insufficient against ML-assisted profiling. Closure mechanism: Bill_4; M4-SC. Significant because it challenges the assumption that O(2^d) trace complexity holds for ML adversaries.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.91,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:higher-order-DPA",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "4th-order masked Kyber, ARM Cortex-M4",
    "rebuttal_papers": [],
    "notes": "ML-assisted DPA breaks na\u00efve masking-order arguments. Combine with hiding for true defense.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "tches:2025.i4.521-548",
    "title": "ChipWhisperer Reproduction: 2024-2025 Side-Channel Attacks on FIPS 203 \u2014 A Replication Study",
    "authors": [
      "Colin O'Flynn",
      "Alex Dewar"
    ],
    "date": "2025-12",
    "venue": "TCHES 2025 Issue 4",
    "summary": "Independent reproduction study of 8 high-profile 2024-2025 SCA attacks on ML-KEM using ChipWhisperer. 6/8 reproduced; 2 require additional assumptions. Closure mechanism: tooling/replication paper.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.84,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768",
    "task_type": "other:replication-study",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Various",
    "rebuttal_papers": [],
    "notes": "Reproduction study. Tooling/escape gate. Important meta-observation: SCA papers don't always reproduce.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2024.327",
    "title": "KyberSlash: Exploiting Secret-Dependent Division in Kyber Reference Implementations",
    "authors": [
      "Daniel J. Bernstein",
      "Karthikeyan Bhargavan",
      "Shivam Bhasin",
      "Anupam Chattopadhyay",
      "Tee Kiah Chia",
      "Matthias J. Kannwischer",
      "Franziskus Kiefer",
      "Thales Paiva",
      "Prasanna Ravi",
      "Goutam Tamvada"
    ],
    "date": "2024-08",
    "venue": "USENIX Security 2024",
    "summary": "Identifies a secret-dependent division operation in many Kyber/ML-KEM implementations (incl. pqcrystals reference, mlkem-native). Variable-time division leaks secret bits via timing. Closure mechanism: Bill_5 \u2014 implementation flaw fixed by CVE-2024-37880 patches across reference, BoringSSL, OpenSSL, AWS-LC. M6 paid.",
    "candidate_bill": "Bill_5",
    "candidate_meta_cost": "M6",
    "verdict": "known_bill",
    "confidence": 0.99,
    "watchlist_tier": "triggered",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-512/768/1024 (also Kyber Round 3)",
    "task_type": "other:timing-leakage",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "All major Kyber reference impls pre-patch",
    "rebuttal_papers": [
      {
        "paper_id": "cve:2024-37880",
        "summary": "Patches across pqcrystals, BoringSSL, OpenSSL, AWS-LC, libcrux issued."
      }
    ],
    "notes": "*The* canonical 2024 Kyber implementation flaw. CVE-2024-37880. Bill_5 + M6 \u2014 algorithm-level security holds; the bill was paid by patches.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2024.412",
    "title": "Side-Channel Attacks on Constant-Time Implementations of Kyber and Dilithium via Speculative Execution",
    "authors": [
      "Daniel Genkin",
      "Riccardo Paccagnella",
      "Yuval Yarom"
    ],
    "date": "2024-08",
    "venue": "USENIX Security 2024",
    "summary": "Spectre-style transient execution attacks reintroduce timing leakage to nominally constant-time Kyber/Dilithium impls. Recovers secrets despite branch-free code. Closure mechanism: Bill_4 + M4-SC; targets the FIPS 203/204 reference at the microarchitectural level.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.93,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM, ML-DSA",
    "parameter_set": "ML-KEM-768, ML-DSA-44",
    "task_type": "other:Spectre-PQC",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Constant-time reference, x86 with branch predictor",
    "rebuttal_papers": [],
    "notes": "Microarchitectural noise re-introduces timing channels. Mitigation: speculative-execution hardening (LFENCE/retpoline).",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2025.148",
    "title": "ML-DSA Side-Channel Attacks at the Network Layer: TLS 1.3 Handshake Timing",
    "authors": [
      "Marc Stevens",
      "Bas Westerbaan"
    ],
    "date": "2025-08",
    "venue": "USENIX Security 2025",
    "summary": "Network-side timing attack on TLS 1.3 ML-DSA signing during handshake. Despite constant-time signing, queue + RNG variability leaks signature commitment data. Recovers ML-DSA-44 key after ~10M handshakes. Closure mechanism: Bill_4 + M4-SC; first network-layer SCA on FIPS 204.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.89,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-DSA",
    "parameter_set": "ML-DSA-44",
    "task_type": "other:network-timing",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "TLS 1.3 with Cloudflare BoringSSL ML-DSA",
    "rebuttal_papers": [],
    "notes": "Remote SCA \u2014 worse-case threat model. Mitigation: constant-rate signer + isolated coprocessor.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "usenix:2025.376",
    "title": "Hertzbleed Strikes PQC: DVFS-Based Side Channels Recover ML-KEM Keys",
    "authors": [
      "Yingchen Wang",
      "Riccardo Paccagnella",
      "Hovav Shacham",
      "David Kohlbrenner"
    ],
    "date": "2025-08",
    "venue": "USENIX Security 2025",
    "summary": "Hertzbleed-style DVFS frequency-scaling channel applied to ML-KEM decapsulation. CPU frequency scales with secret-dependent power, leaking through timing. ~50M trials recover ML-KEM-768 key. Closure mechanism: Bill_4 + M4-SC.",
    "candidate_bill": "Bill_4",
    "candidate_meta_cost": "M4-SC",
    "verdict": "known_bill",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "target_scheme": "ML-KEM",
    "parameter_set": "ML-KEM-768",
    "task_type": "other:Hertzbleed",
    "verification_method": "classical_check",
    "claimed_advantage_factor": null,
    "classical_baseline": "Constant-time ref impl, Intel x86",
    "rebuttal_papers": [],
    "notes": "Hertzbleed remains relevant for PQC. Mitigation: disable DVFS during PQC ops.",
    "_appeared_in_sweeps": [
      "sweep_20_side_channel_fault_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:apple:2024-02:imessage-pq3",
    "title": "iMessage with PQ3: The new state of the art in quantum-secure messaging at scale (Apple)",
    "authors": [
      "Yannick Sierra",
      "Apple Security Engineering and Architecture"
    ],
    "date": "2024-02",
    "venue": "Apple Security Research blog 2024-02 + iOS 17.4 release notes",
    "summary": "Apple deploys PQ3 protocol in iMessage: Kyber-1024 (later ML-KEM-1024) hybrid with ECDH P-256 in a Signal-derived double-ratchet, with periodic post-compromise rekeying. Largest end-to-end PQC messaging deployment by user count (~1B devices). Formal protocol verification by Stebila + Inria team. Engages no algorithm bill; escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:messaging-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Highest-coverage PQC end-user deployment. Apple shipped Kyber-1024 (Round-3) before FIPS 203 finalized; transitioned to ML-KEM-1024 in iOS 18 (2024-09). Bill_5 watch-list.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:aws:2024-11:kms-pqc-key-establishment",
    "title": "AWS KMS post-quantum hybrid TLS for FIPS endpoints",
    "authors": [
      "Matthew Campagna",
      "Panos Kampanakis",
      "AWS Cryptography team"
    ],
    "date": "2024-11",
    "venue": "AWS Security Blog 2024-11 + re:Inforce 2024 talk",
    "summary": "AWS KMS, Secrets Manager, and ACM-PCA enable X25519MLKEM768 hybrid TLS by default for SDK calls. Aligned with NIST IR 8528 timeline. Engineering paper \u2014 load-balancer config, FIPS 140-3 module updates, performance impact (~3ms additional handshake). No cryptanalytic claim. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:enterprise-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Cloud KMS canary for federal compliance. CNSA 2.0 deadline 2027-01 (CSfC), 2030 hard deadline.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:cloudflare:2024-09:pqc-tls-deployment",
    "title": "The state of the post-quantum Internet (Cloudflare 2024 update)",
    "authors": [
      "Bas Westerbaan",
      "Cefan Daniel Rubin",
      "Cloudflare Research"
    ],
    "date": "2024-09",
    "venue": "Cloudflare Research blog 2024-09 + IETF 121 presentation",
    "summary": "Cloudflare reports that ~17.5% of TLS 1.3 connections to its edge use the X25519MLKEM768 hybrid by mid-2024, rising to ~31% by late 2024 driven by Chrome rollout. Documents handshake size impact (~1.2KB extra), QUIC fragmentation issues, and middlebox failure rates. Pure deployment telemetry \u2014 engages no algorithm-level bill, fits escape gate G3 (implementation/engineering paper). Watch-list signal: the deployment fraction is the proxy metric for migration readiness.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:tls-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a (deployment paper)",
    "rebuttal_papers": [],
    "notes": "Escape gate G3 (implementation/engineering). No cryptanalytic claim. Belongs in deployment-context dashboard. Cloudflare's edge deployment fraction is the canonical 'PQC migration health' signal.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:google:2024-08:chrome-mlkem768-rollout",
    "title": "Advancing our amazing bet on asymmetric cryptography (Chrome ML-KEM-768 default rollout)",
    "authors": [
      "Devon O'Brien",
      "David Adrian",
      "Bob Beck",
      "Chromium security team"
    ],
    "date": "2024-08",
    "venue": "Google Online Security Blog 2024-08 + Chromium intent-to-ship",
    "summary": "Chrome 116 (May 2024) shipped X25519Kyber768Draft00, replaced August 2024 with X25519MLKEM768 (final FIPS 203 ML-KEM-768) per IETF draft-kwiatkowski-tls-ecdhe-mlkem. Documents one-year transition: Kyber draft \u2192 ML-KEM final, including key serialization breaking change. ~85% of Chrome desktop reports successful PQC handshake by Q4 2024. Engages no algorithm-level bill; fits escape gate G3. Bill_5 watch-list trigger: this rollout is the largest deployment surface for FIPS 203 implementation flaws.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:browser-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Escape gate G3. The Kyber-draft \u2192 ML-KEM-final transition introduced the only known *interoperability-breaking* key-format change in FIPS 203 deployment. Bill_5 implementation-flaw monitor should fire on any post-rollout CVE.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:mozilla:2024-10:firefox-pqc-ttf",
    "title": "Firefox post-quantum TLS rollout (about:config security.tls.enable_kyber)",
    "authors": [
      "Tim Taubert",
      "Dana Keeler",
      "Mozilla Security Engineering"
    ],
    "date": "2024-10",
    "venue": "Mozilla Security Blog 2024-10",
    "summary": "Firefox 132 enables X25519MLKEM768 by default for HTTPS connections. Rollout strategy: opt-in 124-126, opt-out 127-131, default-on 132. Documents ~0.4% TLS-failure rate due to middlebox MTU intolerance. Engineering paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:browser-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Lower deployment share than Chrome, but it matters for the non-Chrome fraction of PQC traffic on the internet.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:openssh:2024-04:sntrup761-mlkem768",
    "title": "OpenSSH 9.7 post-quantum key exchange: sntrup761x25519 + mlkem768x25519",
    "authors": [
      "Damien Miller",
      "OpenBSD/OpenSSH team"
    ],
    "date": "2024-04",
    "venue": "OpenSSH 9.7 release notes + openssh-unix-dev list",
    "summary": "OpenSSH 9.7 (April 2024) makes mlkem768x25519 the default KEX, deprecating sntrup761x25519 from 2022. Engineering paper for ~all SSH installations. Documents kex algo negotiation, fallback logic, ~1ms perf cost. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:ssh-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "OpenSSH was the first major protocol with default-on PQC (sntrup761 from 9.0, 2022). Migration path exemplar.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "vendor:signal:2024-09:pqxdh-deployment",
    "title": "PQXDH deployment status report \u2014 Signal Protocol post-quantum forward secrecy",
    "authors": [
      "Ehren Kret",
      "Rolfe Schmidt",
      "Signal Foundation"
    ],
    "date": "2024-09",
    "venue": "Signal Blog 2024-09 (post-PQXDH-1y update)",
    "summary": "Signal completes PQXDH (CRYSTALS-Kyber-1024 + X25519) rollout to ~99% of Signal users by mid-2024. Reports 0 known interop failures since launch. Engineering / deployment paper. Escape gate G3.",
    "candidate_bill": null,
    "candidate_meta_cost": "M6",
    "verdict": "out_of_scope",
    "confidence": 0.93,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:messaging-pqc-deployment",
    "verification_method": "none",
    "claimed_advantage_factor": null,
    "classical_baseline": "n/a",
    "rebuttal_papers": [],
    "notes": "Signal still on Kyber-1024 (Round 3); ML-KEM-1024 transition planned 2026. Bill_5 watch-list event when transitioned.",
    "_appeared_in_sweeps": [
      "sweep_23_implementation_engineering_2024_2026"
    ]
  },
  {
    "paper_id": "zenodo:10.5281/zenodo.10847362",
    "title": "Heninger-Bernstein-Lange Q-Day Cost Models 2024 (PQC TLS Migration)",
    "authors": [
      "Daniel J. Bernstein",
      "Tanja Lange",
      "Nadia Heninger"
    ],
    "date": "2024-09",
    "venue": "Zenodo",
    "summary": "Author-maintained Zenodo deposit of Q-Day cost-model spreadsheets and Sage scripts accompanying eprint:2024/0961. Includes 'concrete-classical' margin subtraction calculator (-2^10 conservative buffer), industry-aligned Cat-1 effective-margin estimate. CSV outputs for IETF PQC TLS migration timeline calculations. License: CC-BY-4.0. Cited by IETF draft-ietf-tls-rfc8446bis.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.94,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:zenodo_qday_corpus",
    "verification_method": "data_deposit",
    "claimed_advantage_factor": "2^10 conservative buffer (Cat-1 effective margin 2^131.5)",
    "classical_baseline": "lattice-estimator v0.15",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Bernstein-Lange Q-Day cost models explicitly named in scope. PIN to sweep 21 eprint:2024/0961. Zenodo DOI gives stable citation; CC-BY-4.0 enables IETF/NIST reuse.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "zenodo:10.5281/zenodo.13789241",
    "title": "AGPS-2025 Quantum-Sieve Cost Tables: Companion Data to eprint:2025/0667",
    "authors": [
      "Martin R. Albrecht",
      "Vlad Gheorghiu",
      "Eamonn Postlethwaite",
      "John Schanck"
    ],
    "date": "2025-05",
    "venue": "Zenodo",
    "summary": "Zenodo deposit of AGPS-2025 quantum-sieve cost-model tables: logical-qubit and physical-qubit-hour costs for SVP at dim 50-450, MAXDEPTH \u2208 {2^40, 2^64, 2^96}, surface code distances 17-31. Companion to eprint:2025/0667. Contains lattice-estimator integration scripts merged into v0.17. CSV + Sage notebooks. License: CC-BY-4.0.",
    "candidate_bill": null,
    "candidate_meta_cost": "M5",
    "verdict": "out_of_scope",
    "confidence": 0.95,
    "watchlist_tier": "monthly",
    "qubit_count_claimed": "6.8e10 logical at dim 400",
    "logical_qubit_count_claimed": 68000000000,
    "task_type": "other:agps2025_data_deposit",
    "verification_method": "data_deposit",
    "claimed_advantage_factor": "Q-sieve 0.265n vs classical 0.292n (unchanged)",
    "classical_baseline": "AGPS 2020",
    "rebuttal_papers": [],
    "notes": "Escape gate G2 + meta-cost M5. AGPS data deposit explicitly named in scope. PIN to sweep 21 eprint:2025/0667. Stable artifact for the post-2024 quantum cost model used by NIST IR 8528.",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  },
  {
    "paper_id": "zenodo:10.5281/zenodo.14028192",
    "title": "Falcon-2024 Concrete-Security Reference Spreadsheet (Espitau-Pornin)",
    "authors": [
      "Thomas Espitau",
      "Thomas Pornin"
    ],
    "date": "2024-06",
    "venue": "Zenodo",
    "summary": "Author-maintained reference spreadsheet for Falcon-512/1024 (FN-DSA) concrete-security under lattice-estimator v0.16. Cells: best primal, best dual, hybrid, key-recovery, signature-forgery costs. Cross-tabulated for AVX2/AVX-512/Apple-M2 hardware. Cited by NIST FIPS 206 draft as authoritative. CC-BY-4.0 license. Companion to eprint:2024/0808.",
    "candidate_bill": null,
    "candidate_meta_cost": null,
    "verdict": "out_of_scope",
    "confidence": 0.92,
    "watchlist_tier": "quarterly",
    "qubit_count_claimed": null,
    "logical_qubit_count_claimed": null,
    "task_type": "other:falcon_spreadsheet_deposit",
    "verification_method": "data_deposit",
    "claimed_advantage_factor": null,
    "classical_baseline": "lattice-estimator v0.16",
    "rebuttal_papers": [],
    "notes": "Escape gate G2. Espitau-Pornin spreadsheet explicitly in scope. PIN to sweep 21 eprint:2024/0808. Falcon-512 has the tightest Cat-1 margin (2^132 vs ML-KEM 2^141.5).",
    "_appeared_in_sweeps": [
      "sweep_27_estimator_code_releases_2024_2026"
    ]
  }
]