{"slug": "understanding-lattice-risks-many-differences-between-marketing-and-reality", "title": "Understanding lattice risks: Many differences between marketing and reality", "summary": "Cryptographer Daniel J. Bernstein criticizes claims that ML-KEM (Kyber) is low-risk, arguing that proponents narrow the definition of risk to exclude timing attacks and software bugs. He highlights KyberSlash vulnerabilities and ML-DSA bugs as evidence that post-quantum cryptography faces significant implementation risks, advocating for hybrid ECC+PQ approaches instead of solo PQ.", "body_md": "I have a short new page giving\n[general context](https://nsa.2026.action.cr.yp.to/)\nfor the following and links to further information,\nso I'll just jump straight into the specific topic here.\n\nHere's a paragraph that appeared on 29 June 2026 as supposed justification for using solo ML-KEM rather than ECC+ML-KEM: \"I do not believe the risk of ML-KEM (and ML-DSA) to be severe: there is no known cryptanalysis currently exploiting rank >=2 module structure at these parameters that performs better than generic lattice reduction. Module-LWE also has a (granted, an asymptotic) worst-case-to-average-case reduction - something neither RSA nor ECDLP had.\"\n\nMy reaction to this is: wow, so many mistakes packed together! The two sentences (1) erroneously conflate lattice risks with a narrow slice of those risks, (2) use jargon in a way that tends to hide the narrowing from readers, and (3) still manage to each be simply false. What I'll do in this blog post is unpack the flaws.\n\n**\"Known\".**\nThis part of the narrowing is something that I think\nreaders\n\nBut the second sentence doesn't have this narrowing, and I think readers will understand the second sentence as talking about some sort of proactive protection. 
There are also more problems with both sentences, so let's move along.\n\n**\"Cryptanalysis\".**\nHow many readers will realize that this word is another narrowing of the risk surface?\n\nThe reference software for Kyber (ML-KEM)\nhas already gone through three rounds of emergency security patches\nfor timing attacks: KyberSlash 1, KyberSlash 2, and Clangover.\nThe *reference* software isn't an isolated example:\nthe *majority* of Kyber/ML-KEM libraries have issued\n[KyberSlash patches](https://kyberslash.cr.yp.to/libraries.html).\nThe\n[KyberSlash paper](https://cr.yp.to/papers.html#kyberslash)\nwon the best-paper award at CHES 2025.\n*However*,\ncryptographers typically don't classify timing attacks\nas \"cryptanalysis\".\nEven those who do will usually emphasize that it's analysis \"of the ML-KEM software\";\nit's not cryptanalysis \"of ML-KEM\", meaning the ML-KEM specification.\n\nSimilarly,\nattacks exploiting bugs,\nsuch as the bugs highlighted in my\n[new paper on ML-DSA](https://cr.yp.to/papers.html#mldsa),\ndon't qualify as cryptanalysis.\n\nFor scientists writing different types of papers, it's useful to have words to describe those differences. But users need cryptographic software to be secure. 
Security compromises often come from mathematical attacks against specs but often come from software problems not visible in the specs.\n\nFor years\nI've been pointing out risks of failures in PQ specs *and* in PQ software,\nand I've been connecting these risks to my recommendations of ECC+PQ.\nLook, for example, at how I\n[described](https://web.archive.org/web/20220308032457/https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/LVpCs_vjMlE/m/M2uQPfaEAQAJ)\nNISTPQC as\n\"the largest regression *ever* in the\nquality of cryptographic software\" and said this \"will not be easy to fix\",\nand at how I\n[wrote](https://web.archive.org/web/20260603074058/https://mailarchive.ietf.org/arch/msg/spasm/pcISUlnedpExwwLuISP18oR1zxc/)\nthat \"bugs in post-quantum software\"\nwarrant \"a blanket rule of always upgrading from ECC to PQ+ECC, *not* discarding the ECC layer\".\n\nThe software argument is a *really* tough argument\nfor proponents of solo PQ to respond to.\nReaders know that software problems happen all the time,\ncan easily find examples of problems in ML-KEM and ML-DSA software,\nand can even find demos exploiting some of those problems.\nThere's a basic lack of credibility if a proponent\nclaims, e.g., that there will be \"exceedingly few bugs\",\nwhile dodging [basic questions](https://cr.yp.to/papers/mldsa-20260601.pdf#bugdenial)\nabout how many \"exceedingly few\" is,\nwhat the justification is supposed to be for that number,\nand why that number is supposed to be low enough\nto justify *throwing away* a broadly deployed low-cost mitigation.\nIt's much easier for proponents\nto skip the software issue and focus on some other aspect of security.\n\nBut, ok, let's also stop talking about software now. There are other problems with the sentences I quoted at the top.\n\n**\"Exploiting ... 
module structure\".**\nHow many readers will realize that the \"module\" jargon here\nis focusing on just\n\nThe official Kyber\n[security analysis](https://web.archive.org/web/20230310174959/https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf)\nincludes the following statement:\n\"The best known attacks against the underlying MLWE problem in Kyber do not make\nuse of the structure in the lattice. We therefore analyze the hardness of the\nMLWE problem as an LWE problem.\"\nThe \"M\" in \"MLWE\" (and in \"ML-KEM\") means \"module\";\nthe statement here is that the module structure doesn't lose security.\n\nBut there's more to the Kyber/ML-KEM attack surface.\nFor example,\neven though the official Kyber documentation claimed\n[at the top of Section 1](https://web.archive.org/web/20230310174959/https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf)\nthat the\n\"security of Kyber is based on the hardness of solving the\nlearning-with-errors problem in module lattices (MLWE problem [67])\",\npage 19 admits that the theorem relating Kyber's security\nto MLWE security is a \"non-tight reduction\".\nThat's jargon for admitting that the theorem allows Kyber's security level\nto be *many bits lower* than the security level of \"the underlying MLWE problem\".\nThe documentation doesn't quantify the gap,\npresumably because doing so would show a frighteningly large gap.\n\nI have a paper that\n[exploits](https://cr.yp.to/papers.html#footloose)\na simpler tightness gap in another lattice-based cryptosystem, FrodoKEM.\nFor example, the paper shows that if you send 2^40 ciphertexts\nto a `frodokem640`\npublic key\nthen one of the ciphertexts will be decrypted by a large-scale attack\nthat's feasible today.\nThis is beyond an academic demo,\nbut it *does* disprove an official FrodoKEM security claim.\nThat version of FrodoKEM was then officially renamed \"ephemeral FrodoKEM\"\n(which I think means we're supposed to forget this version 
ever existed)\nand was officially replaced with a revised \"FrodoKEM\".\n\nA [survey](https://eprint.iacr.org/2019/1336)\nby Koblitz and Menezes\nincludes more examples of cryptographic attacks exploiting tightness gaps.\n\nThere's a *risk* that Kyber's tightness gaps will turn out to be exploitable too.\nThis is just one example of the spec risks excluded by the words\n\"exploiting ... module structure\".\n\n**\"Rank >=2\".**\nThis is yet another narrowing.\nLet me give some context here and then connect the dots.\n\nCraig Gentry introduced an FHE system at STOC 2009 in\na paper \"Fully homomorphic encryption using ideal lattices\".\nThe paper has been cited more than 14000 times and is often labeled as a breakthrough.\nThe standard choice of structure for that system (as in ML-KEM)\nuses polynomials modulo x^n+1 where n is a power of 2.\nIt's much more likely for readers to have heard of Gentry's system,\nand to have heard of this standard structure,\nthan to have heard that Gentry's system with this structure\nis vulnerable to a quantum polynomial-time attack.\n\nI had a\n[February 2014 blog post](https://blog.cr.yp.to/20140213-ideal.html)\npointing out some weaknesses in the underlying ideal-lattice problems,\nand then subsequent work took the attack ideas much further.\nA [2025 paper by Jean-François Biasse and Fang Song](https://eprint.iacr.org/2025/1797)\npresents details of the quantum polynomial-time attack.\n(Technically, the speed analysis for the attack\nrelies on a number-theoretic conjecture,\nbut there's\n[overwhelming evidence](https://cr.yp.to/papers/spherical-20211023.pdf#section.A.3)\nfor that conjecture.)\n\nThere are complicated debates about the security of some ideal lattices beyond the ones used in Gentry's system, but the details don't matter here. 
What matters is that enough damage has been done to ideal lattices that no expert today would advocate relying on ideal lattices as the foundation of security.\n\nThis is radically different from the picture\npainted in a\n[2012 paper](https://web.archive.org/web/20120510052341/http://eprint.iacr.org/2012/230.pdf)\n\"On ideal lattices and learning with errors over rings\"\nby Vadim Lyubashevsky, Chris Peikert, and Oded Regev.\nThat paper claims to prove \"very strong hardness guarantees\" for \"ring-LWE\".\nBut this proof starts from the *assumption*\n\"that worst-case problems on ideal lattices are hard\",\nexactly what I'm saying no expert would advocate relying on today.\n\nA\n[2014 paper](https://web.archive.org/web/20150318064546/https://eprint.iacr.org/2014/070.pdf)\n\"Lattice cryptography for the Internet\" by Peikert\nsimilarly claimed that\n\"both ring-SIS and ring-LWE enjoy strong provable hardness guarantees\"\nand that this is\n\"good theoretical evidence\nthat ring-SIS and ring-LWE are a solid foundation on which to design cryptosystems\".\nKyber's direct predecessor NewHope,\nintroduced in 2015 and submitted in 2017 to the NIST post-quantum competition,\n[repeated](https://web.archive.org/web/20190411045044/https://newhopecrypto.org/data/NewHope_2017_12_21.pdf)\nthis evidence as the final step in its \"Provable security reductions\"\nfor its \"Justification of security strength\".\n\nMaybe ring-LWE is strong. Maybe not. 
Either way, we now know that pointing to ideal lattices is a poor argument for the strength of ring-LWE.\n\nKyber was introduced in 2017,\nwas also submitted to the NIST post-quantum competition,\nand, after a series of modifications, was standardized as ML-KEM.\nThe most obvious difference between NewHope and Kyber\nis that NewHope uses ideal lattices, also known as \"rank-1 module lattices\",\nwhile Kyber uses module lattices of larger rank.\nKyber's\n[2017 documentation](https://web.archive.org/web/20190214071008/https://pq-crystals.org/kyber/data/kyber-specification.pdf)\ncites various advances in attacks against rank 1\nand says that higher rank has \"somewhat reduced structure\".\n\nAny competent risk assessment will pay attention to this history.\nExperts proposed lattice systems that ended up being broken;\nthat's worrisome!\nKyber's 2017 usage of higher-rank modules\nwas explicitly in response to advances in attacks.\nContinued developments of the same line of attacks have already\n[broken](https://ntruprime.cr.yp.to/latticerisks-20211031.pdf#subsection.1.1.2)\na variety of supposed \"barriers\" and \"bounds\" for those attacks.\nWill the line between rank 1 and higher rank hold up,\nor will it turn out to be another of these broken \"barriers\"?\n\n**\"Better than generic lattice reduction\".**\nThis is\n\nLet's look again at FrodoKEM,\nsupposedly the\n[\"most conservative\"](https://web.archive.org/web/20220709220612/https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/Migration_to_Post_Quantum_Cryptography.pdf?__blob=publicationFile&v=2)\nlattice system.\n\nFrodoKEM\n[says](https://web.archive.org/web/20230224071445/https://frodokem.org/files/FrodoKEM-specification-20210604.pdf)\nit's based on\n\"the algebraically unstructured, plain LWE problem with conservative parameterizations\",\nand more specifically that it's a modified\n[\"instantiation and 
implementation\"](https://web.archive.org/web/20230224071445/https://frodokem.org/files/FrodoKEM-specification-20210604.pdf)\nof a 2010 paper.\nBut FrodoKEM is much quieter about one of those modifications,\nnamely the fact that FrodoKEM drastically increased sizes\ncompared to the 2010 paper.\n\nThe 2010 paper proposed dimension-256 lattices as supposedly taking\n[\"about 2^150 operations\"](https://web.archive.org/web/20111206143256/https://eprint.iacr.org/2010/613.pdf)\nto break.\nThe reason FrodoKEM moved to much larger dimensions\nis that there were a bunch of attack papers chopping more and more bits out of lattice security levels.\nIt's not that one paper suddenly did a bunch of damage:\neach paper chopped out far fewer bits,\nbut the\n\nReaders who have heard that\n[\"ML-KEM was fully vetted\"](https://web.archive.org/web/20260630121205/https://mailarchive.ietf.org/arch/msg/tls/nVeE4qhVAnLCOfGZcNloENNF34Q/)\nduring the NIST competition\nwould imagine that attack improvements have come to an end.\nBut, wait, then how do we explain an\n[October 2025 lattice-attack speedup](https://eprint.iacr.org/2025/1910)?\nOr a\n[December 2025 lattice-attack speedup](https://eprint.iacr.org/2025/2189)?\nEach of these is another paper claiming to cut out a few bits of security.\n\nWhen is the cliff going to stop crumbling? Are the lattice dimensions used for ML-KEM and FrodoKEM today going to sound as ignorant in 15 years as dimension 256 from the 2010 paper? And what happens if attackers find the improvements before the public does? 
How can it make any sense to narrow the risk analysis of lattice-based cryptosystems in a way that excludes every improvement in generic lattice attacks?\n\n**Even after all this narrowing, the first sentence is wrong.**\nLet's look again at the claim that\n\"there is no known cryptanalysis currently exploiting rank >=2\nmodule structure at these parameters that performs better than generic\nlattice reduction\".\n\nSo far I've been emphasizing how the words here are narrowing the risk analysis in a way that excludes a bunch of attacks: \"cryptanalysis\" excludes software problems such as KyberSlash, \"exploiting ... module structure\" excludes tightness problems such as the FrodoKEM flaw, \"rank >=2\" excludes ideal-lattice attacks such as the break of Gentry's original STOC 2009 FHE system, and \"better than generic lattice reduction\" excludes a neverending series of speedups in generic lattice attacks.\n\nIt's content-free to come up with a statement saying\n\"there are no known attacks meeting the following criteria: ...\"\nif those criteria are chosen to exclude every attack that *is* known.\nThis becomes actively misleading\nif it's accompanied by not even citing those attacks.\n\nBut here's the funny thing: this is an error-prone process when the attack picture keeps changing. It's not that the list of criteria is something stable and well known and well studied. 
Someone hears about an attack and writes down a criterion that excludes the attack, but that criterion is flimsy and is punctured by the next attack.\n\nA paper appeared in\n[February 2026](https://eprint.iacr.org/2026/279)\nunder the title\n\"On the concrete hardness gap between MLWE and LWE\".\nThe paper says that it saves a few bits\nin attacks against ML-KEM, compared to generic lattice attacks,\nby exploiting the structure of the modules used in ML-KEM.\n\nThis means it's not true that \"there is no known cryptanalysis currently exploiting rank >=2 module structure at these parameters that performs better than generic lattice reduction\". Oops.\n\nMaybe the author of that statement\nwill say \"sorry, I meant performs *much* better\".\nBut if your answer to every attack\nis to come up with an ad-hoc excuse for ignoring the attack\nthen you aren't evaluating *risks*.\n\n**\"Asymptotic\".**\nLet's move on to the second sentence:\n\"Module-LWE also has a (granted, an asymptotic)\nworst-case-to-average-case reduction - something neither RSA nor ECDLP\nhad.\"\n\nWhat the word \"asymptotic\" is actually saying is that\n*if ML-KEM were replaced with something much larger*\nthen the underlying MLWE problems\nwould have a \"worst-case-to-average-case reduction\".\n\nSome years ago,\nPeikert gave a presentation to a National Academies committee\nwhere he claimed without evidence\nthat dimensions of \"a few thousand\" would be enough\nfor a worst-case-to-average-case reduction\nin the simpler context of FrodoKEM.\nI was there,\nand I think open-source science is important as an error-correction mechanism,\nso I\n[noted his claim online](https://microblog.cr.yp.to/1142855190174928897/)\nand wrote that I would\n\"love to see a complete proof handling 10000\".\n\nIn 2021,\nPeikert\n[highlighted a claim](https://web.archive.org/web/20260630141116/https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Yx0wZuZP6ag/m/3LKBnrbgBwAJ)\nthat dimension 1460 was sufficient.\nBut this 
claim, which unfortunately has never been withdrawn,\narises from an embarrassing mistake\n(conflating an \"approximate\" lattice problem\nwith a stronger \"exact\" lattice problem).\n\nThis mistake was pointed out in a\n[2023 paper](https://eprint.iacr.org/2023/947)\nfrom Joel Gärtner,\nwhich also invested a lot of effort into writing down a complete proof\nand trying to reduce the dimension as far as possible.\nIt still doesn't manage to get the dimension down to 10000;\nnot even close.\n\nThe maximum ML-KEM dimension is 1024.\nNobody has a worst-case-to-average-case reduction\nfor such a small lattice dimension.\nHow many readers will understand that the jargon \"asymptotic\"\nis making a statement about a *different, larger, cryptosystem*?\n\n**\"Worst-case-to-average-case reduction - something neither RSA nor ECDLP had\".**\nSorry, no, completely wrong.\n\nLet me first review what the jargon means.\nA \"reduction\" from problem P to problem Q\nmeans a way to use a solution to problem Q to solve problem P.\nIn particular,\na \"worst-case-to-average-case\" reduction\nmeans a way to use a solver for *random* examples of problem Q\nas a way to solve an *arbitrary* example of problem P,\nwith no P inputs being immune.\n\nAs a concrete example, let's solve ECDLP on Curve25519. The input is some curve point sG, where G is the standard Curve25519 generator. Our task is to compute s modulo the order of G.\n\nTo reduce this to the average case, simply compute sG+rG where r is chosen randomly modulo the order of G; then use the average-case solver to find s+r modulo the order of G; then subtract r to find s. 
Done.\n\n(As a side note,\nthis is actually a *much more powerful* reduction\nthan the worst-case-to-average-case reduction for lattices.\nIt's much more efficient.\nIt doesn't require the cheat of replacing the problem with a bigger problem;\nsee above regarding [asymptotic](#asymptotics).\nIt's a \"self-reduction\" between the worst case and average case\nof the *same* problem;\nit doesn't inflict a new problem upon people reviewing security.)\n\nLet me also give an example of a worst-case-to-average-case reduction for RSA. The input is some RSA modulus pq, where p and q are secret primes. Our task is to find p and q.\n\nHere's one way to reduce this to the average case. Randomly generate another RSA key. Apply the average-case solver to that. Throw the results away. Then use Shor's algorithm to factor the original input pq into p and q. Done.\n\nThis RSA example might seem to be cheating\nsince it's a *quantum* worst-case-to-average-case reduction\nfor a cryptosystem that was never supposed to resist quantum computers.\nBut the literature includes a huge pile of cryptosystems\nbroken by *non-quantum* attacks,\nand each of those breaks gives a *non-quantum* worst-case-to-average-case reduction\nfor the same cryptosystem.\n\nThe correlation between worst-case-to-average-case reductions\nand attacks isn't just for the extreme case of broken cryptosystems.\nFor example,\nmy\n[2015 blog post](https://blog.cr.yp.to/20151120-batchattacks.html)\non multi-target attacks\nincluded comments on how to use an\n\"attack tool called a 'worst-case-to-average-case reduction'\"\nto build a square-root discrete-log attack.\nThis is one of the easiest ways to explain in starting courses on cryptography\nthat discrete-log problems have a square-root attack.\n\nFrom a risk-analysis perspective, these connections between worst-case-to-average-case reductions and attacks mean that worst-case-to-average-case reductions are an alarm bell, something to investigate closely as a risk, even 
if they're not fatal. Statements such as \"Module-LWE also has a (granted, an asymptotic) worst-case-to-average-case reduction - something neither RSA nor ECDLP had\" are getting the risk analysis wrong by getting the basic facts wrong.\n\n**A procedural note.**\nMistakes happen.\nPart of our job as cryptographers is to protect users against those mistakes.\n\n[Many](https://cr.yp.to/papers.html#qrcsp) new PQ designs have been broken,\nplus there are many\n[further](https://cr.yp.to/papers.html#kyberslash)\n[problems](https://cr.yp.to/papers.html#mldsa)\nwith PQ software.\nWe're certainly not going to catch all the problems before deployment,\nso we also keep ECC around as a negligible-cost part of ECC+PQ\nto mitigate the damage of PQ security failures,\nlike wearing seatbelts in a car to mitigate the damage of car crashes,\nrather than throwing ECC away in favor of solo PQ.\n\nThis common-sense decision to use ECC+PQ rather than solo PQ is threatened if the risk analyses are so thoroughly botched that people are blinded to the risks of PQ. How do we protect users against these meta-level mistakes in risk analyses?\n\nThe literature on computer security, like the broader literature on many other safety topics, gives us an answer: risk analysis is a first-class topic of papers, and risk-analysis errors are corrected the same way that other errors in papers are corrected. 
This process takes time, but investing that time helps reduce the number of mistakes.\n\nWhat I find truly horrifying about the paragraph\nthat I've been commenting on in this blog post\nis the procedural context.\nThe paragraph wasn't part of a collaborative community process of analyzing risks.\nThe paragraph instead showed up as a last-moment talking point\nduring a limited-time vote on a\n[controversial](20260405-votes.html)\nproposal for IETF to standardize solo ML-KEM in TLS,\na [weakened form](20251004-weakened.html#tls)\nof the widely deployed ECC+ML-KEM in TLS.\nThere's just one week left in the voting period.\n\nIETF doublespeak says that this isn't a \"vote\" and that the document won't be a \"standard\", but the reality is that it's a vote, and if the vote passes then corporate purchasing managers will understand the resulting document as IETF endorsement of solo ML-KEM.\n\nStandards organizations\naren't supposed to be endorsing controversial proposals.\nEach document issued by an IETF working group\nis labeled as \"consensus of the IETF community\".\nIETF says that disagreements\n[\"must be resolved by a process of open review and discussion\"](https://web.archive.org/web/20251217213247/https://www.rfc-editor.org/rfc/rfc2418.html).\nBut simply\n[charting the debate](20260221-structure.html)\nshows that the proponents of solo PQ\nhave responded only to minor objections\nwhile ignoring every fundamental objection.\nThe mandated process of discussion to reach consensus\nhas been replaced by a voting process.\n\nThe same document\n[lost the previous vote](20260405-votes.html).\nSo now there's a new vote\nwith supporters trying to pack the room.\nExplicitly in response to that, I've\n[called](https://nsa.2026.action.cr.yp.to/)\nfor volunteers to speak up in opposition.\n\nOne good reason to oppose is recognizing that solo PQ creates unnecessary dangers compared to ECC+PQ. 
But another good reason to oppose is simply to say that, procedurally, disagreements have to be resolved.", "url": "https://wpnews.pro/news/understanding-lattice-risks-many-differences-between-marketing-and-reality", "canonical_source": "https://blog.cr.yp.to/20260630-risk.html", "published_at": "2026-06-30 21:29:15+00:00", "updated_at": "2026-06-30 21:50:39.798688+00:00", "lang": "en", "topics": ["ai-safety", "ai-policy"], "entities": ["Daniel J. Bernstein", "ML-KEM", "Kyber", "ML-DSA", "KyberSlash", "NIST", "ECC"], "alternates": {"html": "https://wpnews.pro/news/understanding-lattice-risks-many-differences-between-marketing-and-reality", "markdown": "https://wpnews.pro/news/understanding-lattice-risks-many-differences-between-marketing-and-reality.md", "text": "https://wpnews.pro/news/understanding-lattice-risks-many-differences-between-marketing-and-reality.txt", "jsonld": "https://wpnews.pro/news/understanding-lattice-risks-many-differences-between-marketing-and-reality.jsonld"}}