# Understanding lattice risks: Many differences between marketing and reality

> Source: <https://blog.cr.yp.to/20260630-risk.html>
> Published: 2026-06-30 21:29:15+00:00

I have a short new page giving
[general context](https://nsa.2026.action.cr.yp.to/)
for the following and links to further information,
so I'll just jump straight into the specific topic here.

Here's a paragraph that appeared on 29 June 2026 as supposed justification for using solo ML-KEM rather than ECC+ML-KEM: "I do not believe the risk of ML-KEM (and ML-DSA) to be severe: there is no known cryptanalysis currently exploiting rank >=2 module structure at these parameters that performs better than generic lattice reduction. Module-LWE also has a (granted, an asymptotic) worst-case-to-average-case reduction - something neither RSA nor ECDLP had."

My reaction to this is: wow, so many mistakes packed together! The two sentences (1) erroneously conflate lattice risks with a narrow slice of those risks, (2) use jargon in a way that tends to hide the narrowing from readers, and (3) still manage to each be simply false. What I'll do in this blog post is unpack the flaws.

**"Known".**
This part of the narrowing is something that I think
readers

But the second sentence doesn't have this narrowing, and I think readers will understand the second sentence as talking about some sort of proactive protection. There are also more problems with both sentences, so let's move along.

**"Cryptanalysis".**
How many readers will realize that this word is another narrowing of the risk surface?

The reference software for Kyber (ML-KEM)
has already gone through three rounds of emergency security patches
for timing attacks: KyberSlash 1, KyberSlash 2, and Clangover.
The *reference* software isn't an isolated example:
the *majority* of Kyber/ML-KEM libraries have issued
[KyberSlash patches](https://kyberslash.cr.yp.to/libraries.html).
The
[KyberSlash paper](https://cr.yp.to/papers.html#kyberslash)
won the best-paper award at CHES 2025.
*However*,
cryptographers typically don't classify timing attacks
as "cryptanalysis".
Even those who do will usually emphasize that it's analysis "of the ML-KEM software";
it's not cryptanalysis "of ML-KEM", meaning the ML-KEM specification.

Similarly,
attacks exploiting bugs,
such as the bugs highlighted in my
[new paper on ML-DSA](https://cr.yp.to/papers.html#mldsa),
don't qualify as cryptanalysis.

For scientists writing different types of papers, it's useful to have words to describe those differences. But users need cryptographic software to be secure. Security compromises often come from mathematical attacks against specs but often come from software problems not visible in the specs.

For years
I've been pointing out risks of failures in PQ specs *and* in PQ software,
and I've been connecting these risks to my recommendations of ECC+PQ.
Look, for example, at how I
[described](https://web.archive.org/web/20220308032457/https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/LVpCs_vjMlE/m/M2uQPfaEAQAJ)
NISTPQC as
"the largest regression *ever* in the
quality of cryptographic software" and said this "will not be easy to fix",
and at how I
[wrote](https://web.archive.org/web/20260603074058/https://mailarchive.ietf.org/arch/msg/spasm/pcISUlnedpExwwLuISP18oR1zxc/)
that "bugs in post-quantum software"
warrant "a blanket rule of always upgrading from ECC to PQ+ECC, *not* discarding the ECC layer".

The software argument is a *really* tough argument
for proponents of solo PQ to respond to.
Readers know that software problems happen all the time,
can easily find examples of problems in ML-KEM and ML-DSA software,
and can even find demos exploiting some of those problems.
There's a basic lack of credibility if a proponent
claims, e.g., that there will be "exceedingly few bugs",
while dodging [basic questions](https://cr.yp.to/papers/mldsa-20260601.pdf#bugdenial)
about how many "exceedingly few" is,
what the justification is supposed to be for that number,
and why that number is supposed to be low enough
to justify *throwing away* a broadly deployed low-cost mitigation.
It's much easier for proponents
to skip the software issue and focus on some other aspect of security.

But, ok, let's also stop talking about software now. There are other problems with the sentences I quoted at the top.

**"Exploiting ... module structure".**
How many readers will realize that the "module" jargon here
is focusing on just

The official Kyber
[security analysis](https://web.archive.org/web/20230310174959/https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf)
includes the following statement:
"The best known attacks against the underlying MLWE problem in Kyber do not make
use of the structure in the lattice. We therefore analyze the hardness of the
MLWE problem as an LWE problem."
The "M" in "MLWE" (and in "ML-KEM") means "module";
the statement here is that the module structure doesn't lose security.

But there's more to the Kyber/ML-KEM attack surface.
For example,
even though the official Kyber documentation claimed
[at the top of Section 1](https://web.archive.org/web/20230310174959/https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf)
that the
"security of Kyber is based on the hardness of solving the
learning-with-errors problem in module lattices (MLWE problem [67])",
page 19 admits that the theorem relating Kyber's security
to MLWE security is a "non-tight reduction".
That's jargon for admitting that the theorem allows Kyber's security level
to be *many bits lower* than the security level of "the underlying MLWE problem".
The documentation doesn't quantify the gap,
presumably because doing so would show a frighteningly large gap.

I have a paper that
[exploits](https://cr.yp.to/papers.html#footloose)
a simpler tightness gap in another lattice-based cryptosystem, FrodoKEM.
For example, the paper shows that if you send 240 ciphertexts
to a `frodokem640`

public key
then one of the ciphertexts will be decrypted by a large-scale attack
that's feasible today.
This is beyond an academic demo,
but it *does* disprove an official FrodoKEM security claim.
That version of FrodoKEM was then officially renamed "ephemeral FrodoKEM"
(which I think means we're supposed to forget this version ever existed)
and was officially replaced with a revised "FrodoKEM".

A [survey](https://eprint.iacr.org/2019/1336)
by Koblitz and Menezes
includes more examples of cryptographic attacks exploiting tightness gaps.

There's a *risk* that Kyber's tightness gaps will turn out to be exploitable too.
This is just one example of the spec risks excluded by the words
"exploiting ... module structure".

**"Rank >=2".**
This is yet another narrowing.
Let me give some context here and then connect the dots.

Craig Gentry introduced an FHE system at STOC 2009 in
a paper "Fully homomorphic encryption using ideal lattices".
The paper has been cited more than 14000 times and is often labeled as a breakthrough.
The standard choice of structure for that system (as in ML-KEM)
uses polynomials modulo xn+1 where n is a power of 2.
It's much more likely for readers to have heard of Gentry's system,
and to have heard of this standard structure,
than to have heard that Gentry's system with this structure
is vulnerable to a quantum polynomial-time attack.

I had a
[February 2014 blog post](https://blog.cr.yp.to/20140213-ideal.html)
pointing out some weaknesses in the underlying ideal-lattice problems,
and then subsequent work took the attack ideas much further.
A [2025 paper by Jean-François Biasse and Fang Song](https://eprint.iacr.org/2025/1797)
presents details of the quantum polynomial-time attack.
(Technically, the speed analysis for the attack
relies on a number-theoretic conjecture,
but there's
[overwhelming evidence](https://cr.yp.to/papers/spherical-20211023.pdf#section.A.3)
for that conjecture.)

There are complicated debates about the security of some ideal lattices beyond the ones used in Gentry's system, but the details don't matter here. What matters is that enough damage has been done to ideal lattices that no expert today would advocate relying on ideal lattices as the foundation of security.

This is radically different from the picture
painted in a
[2012 paper](https://web.archive.org/web/20120510052341/http://eprint.iacr.org/2012/230.pdf)
"On ideal lattices and learning with errors over rings"
by Vadim Lyubashevsky, Chris Peikert, and Oded Regev.
That paper claims to prove "very strong hardness guarantees" for "ring-LWE".
But this proof starts from the *assumption*
"that worst-case problems on ideal lattices are hard",
exactly what I'm saying no expert would advocate relying on today.

A
[2014 paper](https://web.archive.org/web/20150318064546/https://eprint.iacr.org/2014/070.pdf)
"Lattice cryptography for the Internet" by Peikert
similarly claimed that
"both ring-SIS and ring-LWE enjoy strong provable hardness guarantees"
and that this is
“good theoretical evidence
that ring-SIS and ring-LWE are a solid foundation on which to design cryptosystems".
Kyber's direct predecessor NewHope,
introduced in 2015 and submitted in 2017 to the NIST post-quantum competition,
[repeated](https://web.archive.org/web/20190411045044/https://newhopecrypto.org/data/NewHope_2017_12_21.pdf)
this evidence as the final step in its "Provable security reductions"
for its "Justification of security strength".

Maybe ring-LWE is strong. Maybe not. Either way, we now know that pointing to ideal lattices is a poor argument for the strength of ring-LWE.

Kyber was introduced in 2017,
was also submitted to the NIST post-quantum competition,
and, after a series of modifications, was standardized as ML-KEM.
The most obvious difference between NewHope and Kyber
is that NewHope uses ideal lattices, also known as "rank-1 module lattices",
while Kyber uses module lattices of larger rank.
Kyber's
[2017 documentation](https://web.archive.org/web/20190214071008/https://pq-crystals.org/kyber/data/kyber-specification.pdf)
cites various advances in attacks against rank 1
and says that higher rank has "somewhat reduced structure".

Any competent risk assessment will pay attention to this history.
Experts proposed lattice systems that ended up being broken;
that's worrisome!
Kyber's 2017 usage of higher-rank modules
was explicitly in response to advances in attacks.
Continued developments of the same line of attacks have already
[broken](https://ntruprime.cr.yp.to/latticerisks-20211031.pdf#subsection.1.1.2)
a variety of supposed "barriers" and "bounds" for those attacks.
Will the line between rank 1 and higher rank hold up,
or will it turn out to be another of these broken "barriers"?

**"Better than generic lattice reduction".**
This is

Let's look again at FrodoKEM,
supposedly the
["most conservative"](https://web.archive.org/web/20220709220612/https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/Migration_to_Post_Quantum_Cryptography.pdf?__blob=publicationFile&v=2)
lattice system.

FrodoKEM
[says](https://web.archive.org/web/20230224071445/https://frodokem.org/files/FrodoKEM-specification-20210604.pdf)
it's based on
"the algebraically unstructured, plain LWE problem with conservative parameterizations",
and more specifically that it's a modified
["instantiation and implementation"](https://web.archive.org/web/20230224071445/https://frodokem.org/files/FrodoKEM-specification-20210604.pdf)
of a 2010 paper.
But FrodoKEM is much quieter about one of those modifications,
namely the fact that FrodoKEM drastically increased sizes
compared to the 2010 paper.

The 2010 paper proposed dimension-256 lattices as supposedly taking
["about 2 150 operations"](https://web.archive.org/web/20111206143256/https://eprint.iacr.org/2010/613.pdf)
to break.
The reason FrodoKEM moved to much larger dimensions
is that there were a bunch of attack papers chopping more and more bits out of lattice security levels.
It's not that one paper suddenly did a bunch of damage:
each paper chopped out far fewer bits,
but the

Readers who have heard that
["ML-KEM was fully vetted"](https://web.archive.org/web/20260630121205/https://mailarchive.ietf.org/arch/msg/tls/nVeE4qhVAnLCOfGZcNloENNF34Q/)
during the NIST competition
would imagine that attack improvements have come to an end.
But, wait, then how do we explain an
[October 2025 lattice-attack speedup](https://eprint.iacr.org/2025/1910)?
Or a
[December 2025 lattice-attack speedup](https://eprint.iacr.org/2025/2189)?
Each of these is another paper claiming to cut out a few bits of security.

When is the cliff going to stop crumbling? Are the lattice dimensions used for ML-KEM and FrodoKEM today going to sound as ignorant in 15 years as dimension 256 from the 2010 paper? And what happens if attackers find the improvements before the public does? How can it can make any sense to narrow the risk analysis of lattice-based cryptosystems in a way that excludes every improvement in generic lattice attacks?

**Even after all this narrowing, the first sentence is wrong.**
Let's look again at the claim that
"there is no known cryptanalysis currently exploiting rank >=2
module structure at these parameters that performs better than generic
lattice reduction".

So far I've been emphasizing how the words here are narrowing the risk analysis in a way that excludes a bunch of attacks: "cryptanalysis" excludes software problems such as KyberSlash, "exploiting ... module structure" excludes tightness problems such as the FrodoKEM flaw, "rank >=2" excludes ideal-lattice attacks such as the break of Gentry's original STOC 2009 FHE system, and "better than generic lattice reduction" excludes a neverending series of speedups in generic lattice attacks.

It's content-free to come up with a statement saying
"there are no known attacks meeting the following criteria: ..."
if those criteria are chosen to exclude every attack that *is* known.
This becomes actively misleading
if it's accompanied by not even citing those attacks.

But here's the funny thing: this is an error-prone process when the attack picture keeps changing. It's not that the list of criteria is something stable and well known and well studied. Someone hears about an attack and writes down a criterion that excludes the attack, but that criterion is flimsy and is punctured by the next attack.

A paper appeared in
[February 2026](https://eprint.iacr.org/2026/279)
under the title
"On the concrete hardness gap between MLWE and LWE".
The paper says that it saves a few bits
in attacks against ML-KEM, compared to generic lattice attacks,
by exploiting the structure of the modules used in ML-KEM.

This means it's not true that "there is no known cryptanalysis currently exploiting rank >=2 module structure at these parameters that performs better than generic lattice reduction". Oops.

Maybe the author of that statement
will say "sorry, I meant performs *much* better".
But if your answer to every attack
is to come up with an ad-hoc excuse for ignoring the attack
then you aren't evaluating *risks*.

**"Asymptotic".**
Let's move on to the second sentence:
"Module-LWE also has a (granted, an asymptotic)
worst-case-to-average-case reduction - something neither RSA nor ECDLP
had."

What the word "asymptotic" is actually saying is that
*if ML-KEM were replaced with something much larger*
then the underlying MLWE problems
would have a "worst-case-to-average-case reduction".

Some years ago,
Peikert gave a presentation to a National Academies committee
where he claimed without evidence
that dimensions of "a few thousand" would be enough
for a worst-case-to-average-case reduction
in the simpler context of FrodoKEM.
I was there,
and I think open-source science is important as an error-correction mechanism,
so I
[noted his claim online](https://microblog.cr.yp.to/1142855190174928897/)
and wrote that I would
"love to see a complete proof handling 10000".

In 2021,
Peikert
[highlighted a claim](https://web.archive.org/web/20260630141116/https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Yx0wZuZP6ag/m/3LKBnrbgBwAJ)
that dimension 1460 was sufficient.
But this claim, which unfortunately has never been withdrawn,
arises from an embarrassing mistake
(conflating an "approximate" lattice problem
with a stronger "exact" lattice problem).

This mistake was pointed out in a
[2023 paper](https://eprint.iacr.org/2023/947)
from Joel Gärtner,
which also invested a lot of effort into writing down a complete proof
and trying to reduce the dimension as far as possible.
It still doesn't manage to get the dimension down to 10000;
not even close.

The maximum ML-KEM dimension is 1024.
Nobody has a worst-case-to-average-case reduction
for such a small lattice dimension.
How many readers will understand that the jargon "asymptotic"
is making a statement about a *different, larger, cryptosystem*?

**"Worst-case-to-average-case reduction - something neither RSA nor ECDLP had".**
Sorry, no, completely wrong.

Let me first review what the jargon means.
A "reduction" from problem P to problem Q
means a way to use a solution to problem Q to solve problem P.
In particular,
a "worst-case-to-average-case" reduction
means a way to use a solver for *random* examples of problem Q
as a way to solve an *arbitrary* example of problem P,
with no P inputs being immune.

As a concrete example, let's solve ECDLP on Curve25519. The input is some curve point sG, where G is the standard Curve25519 generator. Our task is to compute s modulo the order of G.

To reduce this to the average case, simply compute sG+rG where r is chosen randomly modulo the order of G; then use the average-case solver to find s+r modulo the order of G; then subtract r to find s. Done.

(As a side note,
this is actually a *much more powerful* reduction
than the worst-case-to-average-case reduction for lattices.
It's much more efficient.
It doesn't require the cheat of replacing the problem with a bigger problem;
see above regarding [asymptotic](#asymptotics).
It's a "self-reduction" between the worst case and average case
of the *same* problem;
it doesn't inflict a new problem upon people reviewing security.)

Let me also give an example of a worst-case-to-average-case reduction for RSA. The input is some RSA modulus pq, where p and q are secret primes. Our task is to find p and q.

Here's one way to reduce this to the average case. Randomly generate another RSA key. Apply the average-case solver to that. Throw the results away. Then use Shor's algorithm to factor the original input pq into p and q. Done.

This RSA example might seem to be cheating
since it's a *quantum* worst-case-to-average-case reduction
for a cryptosystem that was never supposed to resist quantum computers.
But the literature includes a huge pile of cryptosystems
broken by *non-quantum* attacks,
and each of those breaks gives a *non-quantum* worst-case-to-average-case reduction
for the same cryptosystem.

The correlation between worst-case-to-average-case reductions
and attacks isn't just for the extreme case of broken cryptosystems.
For example,
my
[2015 blog post](https://blog.cr.yp.to/20151120-batchattacks.html)
on multi-target attacks
included comments on how to use an
"attack tool called a 'worst-case-to-average-case reduction'"
to build a square-root discrete-log attack.
This is one of the easiest ways to explain in starting courses on cryptography
that discrete-log problems have a square-root attack.

From a risk-analysis perspective, these connections between worst-case-to-average-case reductions and attacks mean that worst-case-to-average-case reductions are an alarm bell, something to investigate closely as a risk, even if they're not fatal. Statements such as "Module-LWE also has a (granted, an asymptotic) worst-case-to-average-case reduction - something neither RSA nor ECDLP had" are getting the risk analysis wrong by getting the basic facts wrong.

**A procedural note.**
Mistakes happen.
Part of our job as cryptographers is to protect users against those mistakes.

[Many](https://cr.yp.to/papers.html#qrcsp) new PQ designs have been broken,
plus there are many
[further](https://cr.yp.to/papers.html#kyberslash)
[problems](https://cr.yp.to/papers.html#mldsa)
with PQ software.
We're certainly not going to catch all the problems before deployment,
so we also keep ECC around as a negligible-cost part of ECC+PQ
to mitigate the damage of PQ security failures,
like wearing seatbelts in a car to mitigate the damage of car crashes,
rather than throwing ECC away in favor of solo PQ.

This common-sense decision to use ECC+PQ rather than solo PQ is threatened if the risk analyses are so thoroughly botched that people are blinded to the risks of PQ. How do we protect users against these meta-level mistakes in risk analyses?

The literature on computer security, like the broader literature on many other safety topics, gives us an answer: risk analysis is a first-class topic of papers, and risk-analysis errors are corrected the same way that other errors in papers are corrected. This process takes time, but investing that time helps reduce the number of mistakes.

What I find truly horrifying about the paragraph
that I've been commenting on in this blog post
is the procedural context.
The paragraph wasn't part of a collaborative community process of analyzing risks.
The paragraph instead showed up as a last-moment talking point
during a limited-time vote on a
[controversial](20260405-votes.html)
proposal for IETF to standardize solo ML-KEM in TLS,
a [weakened form](20251004-weakened.html#tls)
of the widely deployed ECC+ML-KEM in TLS.
There's just one week left in the voting period.

IETF doublespeak says that this isn't a "vote" and that the document won't be a "standard", but the reality is that it's a vote, and if the vote passes then corporate purchasing managers will understand the resulting document as IETF endorsement of solo ML-KEM.

Standards organizations
aren't supposed to be endorsing controversial proposals.
Each document issued by an IETF working group
is labeled as "consensus of the IETF community".
IETF says that disagreements
["must be resolved by a process of open review and discussion"](https://web.archive.org/web/20251217213247/https://www.rfc-editor.org/rfc/rfc2418.html).
But simply
[charting the debate](20260221-structure.html)
shows that the proponents of solo PQ
have responded only to minor objections
while ignoring every fundamental objection.
The mandated process of discussion to reach consensus
has been replaced by a voting process.

The same document
[lost the previous vote](20260405-votes.html).
So now there's a new vote
with supporters trying to pack the room.
Explicitly in response to that, I've
[called](https://nsa.2026.action.cr.yp.to/)
for volunteers to speak up in opposition.

One good reason to oppose is recognizing that solo PQ creates unnecessary dangers compared to ECC+PQ. But another good reason to oppose is simply to say that, procedurally, disagreements have to be resolved.
