
Understanding lattice risks: Many differences between marketing and reality

Why This Matters

This article highlights the significant gap between marketing claims and the actual security risks associated with lattice-based cryptography, emphasizing the importance for the industry and consumers to critically evaluate cryptographic assurances. Recognizing these discrepancies is crucial for making informed decisions about adopting new cryptographic standards and ensuring long-term security.

The cr.yp.to blog

2026.06.30: Understanding lattice risks: Many differences between marketing and reality. #lattices #software #looseness #modules #asymptotics #worstcase

I have a short new page giving general context for the following and links to further information, so I'll just jump straight into the specific topic here.

Here's a paragraph that appeared on 29 June 2026 as supposed justification for using solo ML-KEM rather than ECC+ML-KEM: "I do not believe the risk of ML-KEM (and ML-DSA) to be severe: there is no known cryptanalysis currently exploiting rank >=2 module structure at these parameters that performs better than generic lattice reduction. Module-LWE also has a (granted, an asymptotic) worst-case-to-average-case reduction - something neither RSA nor ECDLP had."

My reaction to this is: wow, so many mistakes packed together! The two sentences (1) erroneously conflate lattice risks with a narrow slice of those risks, (2) use jargon in a way that tends to hide the narrowing from readers, and (3) still manage to each be simply false. What I'll do in this blog post is unpack the flaws.

"Known". This part of the narrowing is something that I think readers will typically notice. It's a glaring risk-management error, asking us to merely react to known failures rather than proactively protect against unknown failures.

But the second sentence doesn't have this narrowing, and I think readers will understand the second sentence as talking about some sort of proactive protection. There are also more problems with both sentences, so let's move along.

"Cryptanalysis". How many readers will realize that this word is another narrowing of the risk surface?

The reference software for Kyber (ML-KEM) has already gone through three rounds of emergency security patches for timing attacks: KyberSlash 1, KyberSlash 2, and Clangover. The reference software isn't an isolated example: the majority of Kyber/ML-KEM libraries have issued KyberSlash patches. The KyberSlash paper won the best-paper award at CHES 2025. However, cryptographers typically don't classify timing attacks as "cryptanalysis". Even those who do will usually emphasize that it's analysis "of the ML-KEM software"; it's not cryptanalysis "of ML-KEM", meaning the ML-KEM specification.
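To make the "analysis of the software, not of the specification" distinction concrete, here is an added C example. It is mine, written for this page; it is not code from the post, from the KyberSlash paper, or from the Kyber reference implementation. It shows the shape of the KyberSlash pattern, a division whose dividend is derived from a secret coefficient, next to a branch-free multiply-and-shift replacement of the kind the patched libraries introduced. The constants (1665, 80635, a 28-bit shift) are my choice for q = 3329 and are not taken on trust: the last function compares the two forms for every reduced coefficient in [0, 3329), which is also how one would regression-test such a patch.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Inputs are coefficients already reduced to [0, KYBER_Q), which is the
 * state Kyber's decapsulation path has them in before message decoding
 * and compression.
 *
 * --- The leaky shape (the KyberSlash pattern) ---
 * The dividend depends on the secret coefficient u. On cores whose divide
 * instruction has operand-dependent latency, the run time leaks
 * information about u. The arithmetic is correct; the timing is not. */
uint16_t decode_bit_divide(uint16_t u) {
    /* 1-bit decode step: is u closer to q/2 than to 0? */
    return (uint16_t)(((((uint32_t)u << 1) + KYBER_Q / 2) / KYBER_Q) & 1);
}

uint16_t compress4_divide(uint16_t u) {
    /* 4-bit compression: round(16 * u / q) mod 16 */
    return (uint16_t)(((((uint32_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 0xF);
}

/* --- The constant-time shape ---
 * Replace x / q by (x * 80635) >> 28, where 80635 is just below 2^28 / q.
 * Adding 1665 (= ceil(q/2)) instead of 1664 (= q/2) compensates for the
 * multiplier being slightly low, so the result equals floor((x + 1664) / q)
 * for every input that occurs here. No data-dependent instruction is used;
 * the exhaustive check below is what justifies these constants. */
uint16_t decode_bit_mulshift(uint16_t u) {
    uint32_t t = u;
    t <<= 1;
    t += 1665;
    t *= 80635;        /* t is at most 8321 here, so this cannot wrap */
    t >>= 28;
    return (uint16_t)(t & 1);
}

uint16_t compress4_mulshift(uint16_t u) {
    uint32_t t = u;
    t <<= 4;
    t += 1665;
    t *= 80635;        /* may wrap mod 2^32 for large u; harmless, because
                          2^32 = 16 * 2^28 and only (t >> 28) & 0xF is kept */
    t >>= 28;
    return (uint16_t)(t & 0xF);
}

/* Exhaustive equivalence check over all 3329 reduced coefficient values. */
bool mulshift_matches_division(void) {
    for (uint32_t u = 0; u < KYBER_Q; u++) {
        if (decode_bit_divide((uint16_t)u) != decode_bit_mulshift((uint16_t)u))
            return false;
        if (compress4_divide((uint16_t)u) != compress4_mulshift((uint16_t)u))
            return false;
    }
    return true;
}

int main(void) {
    printf("multiply-shift matches division for all u in [0, %d): %s\n",
           KYBER_Q, mulshift_matches_division() ? "yes" : "NO");
    return 0;
}
```

Two practical notes. First, "the two functions agree on every input" is the correctness half of the review; the other half is confirming that the compiled binary has no secret-dependent instruction, which a source-level check cannot do. Clangover is the reminder that a compiler may turn constant-time source back into data-dependent code, so the timing property has to be re-verified on the produced object code after every toolchain change. Second, the exhaustive loop is cheap here only because q is small; that is exactly why it should be part of the library's test suite rather than a one-off.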

Similarly, attacks exploiting bugs, such as the bugs highlighted in my new paper on ML-DSA, don't qualify as cryptanalysis.