May 25, 2026 – On 17 May 2026, Ming-Xing Luo of Southwest Jiaotong University (Chengdu, China) posted Part IV of a four-part preprint series titled “Module Lattice Security” to arXiv. The paper claims that a four-part extension of the CDPR quantum attack breaks ML-KEM (FIPS 203), Falcon (the basis for NIST’s draft FN-DSA/FIPS 206), Hawk, NTRU-HPS, and NTRU-HRSS at all standardized parameter sets using a quantum computer with approximately 1,400 logical qubits and roughly 10⁸ logical gates.
If correct, this would be the most consequential result in post-quantum cryptography since Shor’s algorithm itself. It would mean that the primary NIST post-quantum encryption standard, finalized less than two years ago, is already theoretically broken. Not by Shor’s algorithm, but by a different quantum attack exploiting the algebraic structure of the cyclotomic rings used in lattice-based cryptography.
The paper has not been peer-reviewed. As of 25 May 2026, I have not found a formal rebuttal from the lattice cryptography community. Dr. Jasmine Sandler, a cryptographer at Applied Quantum, and I have spent time working through the four-part series. We want to be clear about what this article is and what it is not: we are not offering a complete rebuttal of Luo’s work, and we recognize that the series contains novel ideas, particularly the cyclotomic tower decomposition for the Principal Ideal Problem. The lattice cryptography experts — Ducas, Peikert, Pellet-Mary, Wesolowski, and their groups — are the right people to render a definitive verdict, and we expect them to do so in the coming weeks.
That said, for a paper making claims of this magnitude, what Jasmine and I found gives us serious pause. The tower PIP algorithm contains what appear to be concrete mathematical errors. Key theorems depend on unproven conjectures, and the scheme-specific extensions contain internal contradictions. These are red flags, not a final judgment. They are the kind of red flags that mean organizations should not panic, and PQC migration plans should not change based on this preprint.
What the episode does reinforce is the importance of crypto-agility. Even if this particular paper fails on its own terms, the fact that a plausible-looking attack on the algebraic structure underlying most NIST PQC standards can appear should sharpen every CISO’s thinking about algorithm substitutability.
The four-part series, posted between 17 April and 17 May 2026, builds on the CDPR attack, a 2016 quantum algorithm by Cramer, Ducas, Peikert, and Regev that recovers short generators of principal ideals in cyclotomic rings. The original CDPR achieves an approximation factor of $$\exp(\tilde{O}(\sqrt{n}))$$, which is too large to break any standardized scheme. A 2017/2021 improvement by Cramer, Ducas, and Wesolowski (CDW) using Stickelberger relations brought the factor down to $$\exp(\tilde{O}(\sqrt{n}))$$ with better constants, but still not enough.
Luo’s series claims three improvements that together reduce the approximation factor to $$\exp(O(\sqrt{\log n}))$$, a qualitative leap from super-polynomial to sub-polynomial:
Part I (17 April 2026) proves Weber’s conjecture ($$h^+_k = 1$$, trivial plus-class number) unconditionally for $$k \le 12$$, removing the dependence on the Generalized Riemann Hypothesis that prior proofs required for $$k \ge 9$$.
Part II (24 April 2026) claims the module-to-ideal reduction, going from Module-LWE (rank $$d = 2, 3,$$ or $$4$$) to the Principal Ideal Problem on a single determinant ideal, introduces only a constant factor $$\alpha_d = O(1)$$ independent of module rank.
Part III (17 May 2026) proves what Luo calls the “Trigamma Theorem”: the per-component standard deviation of the log-embedding of the shortest generator is $$\sigma_d = O(1)$$ regardless of the modulus $$q$$, producing a CVP residual with $$L_\infty$$ norm $$O(\sqrt{\log n})$$ instead of the $$O(\sqrt{n})$$ of original CDPR.
Part IV (17 May 2026) assembles the full pipeline: a “tower PIP” algorithm that processes the cyclotomic field one quadratic extension at a time. It claims the resulting approximation factor $$\gamma \approx 21$$ for ML-KEM-1024, well below the paper’s sufficient key-recovery threshold of $$q/2 = 1664.5$$.
The numerical results from Part IV, for ML-KEM with $$n = 256$$, $$q = 3329$$:
| Scheme | d | γ theory | γ median (sim) | γ 99% (sim) | Threshold q/2 | Margin (99%) |
|---|---|---|---|---|---|---|
| ML-KEM-512 | 2 | 14.5 | 9.6 | 73 | 1664.5 | 23× |
| ML-KEM-768 | 3 | 17.9 | 11.4 | 90 | 1664.5 | 19× |
| ML-KEM-1024 | 4 | 20.6 | 12.9 | 103 | 1664.5 | 16× |
The paper also claims to break Falcon (with large margin), Hawk (with thin or sub-unity formal margin), and NTRU variants (with moderate margin).
Jasmine and I have read all four parts, consulted the existing literature on CDPR and its descendants, and subjected the algorithms and proofs to scrutiny. To be clear: this is not a comprehensive rebuttal. It is a catalog of specific concerns, ranging from concrete errors to unresolved dependencies to internal contradictions, that together prevent us from accepting the paper’s conclusions at face value. The lattice cryptography community will render the final verdict. What follows are the issues we consider most serious.
The quantum heart of the attack is Algorithm 2, a “tower PIP” that processes the cyclotomic field $$\mathbb{Q}(\zeta_8) \subset \mathbb{Q}(\zeta_{16}) \subset \cdots \subset \mathbb{Q}(\zeta_{2^k})$$ one quadratic extension at a time. Two concrete errors undermine it.
The base case treats $$\sqrt{2}$$ as a unit, but it isn’t. Algorithm 2’s base case for $$K_3 = \mathbb{Q}(\zeta_8)$$ states: “Compute the unit $$\xi_3 = \zeta_8 + \zeta_8^{-1} = \sqrt{2}$$.” But $$\sqrt{2}$$ is not a unit in $$\mathbb{Z}[\zeta_8]$$. Its absolute norm is:
$$$N_{K_3/\mathbb{Q}}(\sqrt{2}) = \sigma_1(\sqrt{2}) \cdot \sigma_3(\sqrt{2}) \cdot \sigma_5(\sqrt{2}) \cdot \sigma_7(\sqrt{2}) = (\sqrt{2})(-\sqrt{2})(-\sqrt{2})(\sqrt{2}) = 4$$$
A unit must have norm $$\pm 1$$. The paper’s own definition of cyclotomic units gives $$\xi_a = \sin(a\pi/m)/\sin(\pi/m)$$; for $$m = 8$$ and $$a = 3$$, this evaluates to $$1 + \sqrt{2}$$, not $$\sqrt{2}$$. And $$1 + \sqrt{2}$$ is indeed a unit (norm $$-1$$ from $$\mathbb{Q}(\sqrt{2})$$, hence absolute norm $$1$$ in $$K_3$$). The base case then claims every principal ideal in $$\mathbb{Z}[\zeta_8]$$ is a power of $$\xi_3$$, which is also false: every power of a unit generates the unit ideal $$(1)$$, so any proper principal ideal such as $$(2)$$ is a counterexample. Since the inductive tower construction begins from this base case, the algorithm never gets off the ground as written.
The recursive norm descent uses the wrong ideal. At each tower level $$L$$, Algorithm 2 computes a “norm ideal” $$J_L = N_{K_L/K_L^+}(I_L)$$ and writes it as $$I_L \cdot I_L$$. But the relative norm in a CM (complex multiplication) extension $$K_L/K_L^+$$ is $$N_{K_L/K_L^+}((\alpha)) = (\alpha \bar{\alpha})$$, where $$\bar{\alpha}$$ is the complex conjugate under the nontrivial automorphism of $$K_L/K_L^+$$. That gives the ideal $$I_L \cdot \bar{I}_L$$, not $$I_L \cdot I_L = I_L^2$$. These are different ideals in general, and $$I_L^2$$ is not even naturally an ideal of the totally real subring $$R_L^+$$ without further justification. Because Step 1 of every recursion level depends on $$J_L$$, this error propagates through the entire tower.
These are not matters of interpretation. They can be checked with a few lines of SageMath.
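The two checks above, as an added example that is not code from the paper or from the authors: exact arithmetic in $$\mathbb{Z}[\zeta_8] = \mathbb{Z}[x]/(x^4+1)$$ in plain Python (no SageMath needed), computing the absolute norms of $$\sqrt{2}$$ and $$1+\sqrt{2}$$, and comparing $$\alpha\bar{\alpha}$$ with $$\alpha^2$$ for a constructed sample element $$\alpha = 1 + \zeta_8$$. Note that the absolute norm of $$1+\sqrt{2}$$ over $$\mathbb{Q}(\zeta_8)$$ is $$1$$, the square of its norm $$-1$$ from $$\mathbb{Q}(\sqrt{2})$$.

```python
# Exact arithmetic in Z[zeta_8] = Z[x]/(x^4 + 1), enough to check the two
# Algorithm 2 claims discussed above. Elements are 4-int coefficient lists
# [c0, c1, c2, c3] meaning c0 + c1*x + c2*x^2 + c3*x^3 with x = zeta_8.
# Added example, not from the paper; alpha = 1 + zeta_8 below is a constructed sample.

def reduce_power(out, e, c):
    """Add c * x^e to out, using x^8 = 1 and x^4 = -1 (so x^(e+4) = -x^e)."""
    e %= 8
    if e < 4:
        out[e] += c
    else:
        out[e - 4] -= c

def mul(a, b):
    """Product of two elements of Z[zeta_8]."""
    out = [0, 0, 0, 0]
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            reduce_power(out, i + j, ai * bj)
    return out

def galois(a, s):
    """Apply the automorphism sigma_s: zeta_8 -> zeta_8^s, for odd s in {1,3,5,7}."""
    out = [0, 0, 0, 0]
    for i, c in enumerate(a):
        reduce_power(out, i * s, c)
    return out

def absolute_norm(a):
    """N_{K_3/Q}(a): product of the four Galois conjugates, a rational integer."""
    prod = [1, 0, 0, 0]
    for s in (1, 3, 5, 7):
        prod = mul(prod, galois(a, s))
    assert prod[1:] == [0, 0, 0], "norm must land in Z"
    return prod[0]

def conj(a):
    """Complex conjugation zeta_8 -> zeta_8^{-1}, the nontrivial automorphism of K_3/K_3^+."""
    return galois(a, 7)

def is_unit(a):
    return absolute_norm(a) in (1, -1)

SQRT2 = [0, 1, 0, -1]           # zeta_8 + zeta_8^{-1} = x - x^3
ONE_PLUS_SQRT2 = [1, 1, 0, -1]  # the actual cyclotomic unit xi_3 = sin(3pi/8)/sin(pi/8)

def check_base_case():
    """Return (norm of sqrt2, norm of 1+sqrt2): only the latter is a unit."""
    return absolute_norm(SQRT2), absolute_norm(ONE_PLUS_SQRT2)

def check_norm_descent(alpha):
    """Compare alpha*conj(alpha) (the true relative norm) with alpha^2.

    Returns (alpha*conj(alpha), alpha^2, first fixed by conj?, second fixed by conj?);
    an element lies in the totally real subring R^+ iff conjugation fixes it.
    """
    rel = mul(alpha, conj(alpha))
    sq = mul(alpha, alpha)
    return rel, sq, conj(rel) == rel, conj(sq) == sq

if __name__ == "__main__":
    print(check_base_case())                 # (4, 1)
    print(check_norm_descent([1, 1, 0, 0]))  # ([2, 1, 0, -1], [1, 2, 1, 0], True, False)
```

The first tuple shows $$\sqrt{2}$$ has norm 4 and is no unit; the second shows $$\alpha\bar{\alpha} = 2 + \sqrt{2}$$ lies in $$R^+$$ while $$\alpha^2 = 1 + 2\zeta_8 + \zeta_8^2$$ does not.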
Table 5 claims approximately 1,400 logical qubits suffice for ML-KEM-1024. But Algorithm 2 sets the precision at each tower level to $$b_L = \lceil 10 \cdot L \cdot 2^L \rceil$$ bits and uses $$\Delta r_L = 2^{L-3}$$ quantum registers for the Hidden Subgroup Problem at that level. At the top level $$L = 9$$ (which dominates the cost):
$$$b_9 = 10 \times 9 \times 512 = 46\,080 \text{ bits per register}$$$
With 64 registers at that level ($$\Delta r_9 = 2^6 = 64$$), the exponent registers alone require:
$$$64 \times 46\,080 = 2\,949\,120 \text{ qubits}$$$
That is three orders of magnitude larger than the paper’s headline figure of approximately 1,400. Even setting aside oracle workspace, QFT ancillae, and arithmetic registers, the algorithm’s own precision formula makes the resource table internally inconsistent. We would not repeat the paper’s logical-qubit estimate as an established figure.
The original CDPR attacks ideal lattices (rank-1 modules). ML-KEM uses module lattices of rank $$d = 2, 3,$$ or $$4$$. Part II claims the Gram-Schmidt decomposition of the module basis $$B$$ over the ring $$R$$ produces a triangular matrix whose determinant ideal can be attacked with only a constant-factor penalty ($$\alpha_d \approx 1.17$$). Part IV cites a worst-case analytic bound $$C \le 3.10$$ and a simulation-based bound $$C \le 1.36$$ with probability $$> 0.99$$ at $$n = 256$$, yielding $$\alpha_d = \sqrt{C} \le 1.17$$ for the ranks used in ML-KEM. The balance constant is derived from a Monte Carlo simulation, not a mathematical proof.
The security of Module-LWE was established by Langlois and Stehlé (2015) precisely because modules are believed strictly harder than ideals. The claimed $$O(1)$$ penalty runs counter to a decade of intuition in the module-lattice community. And a fundamental logical question remains unanswered: does recovering a short generator of the determinant ideal $$\det(B)$$ actually yield the individual secret components $$(s_1, s_2)$$ of the Module-LWE instance? The paper never fully proves that solving the attacked ideal problem yields the ML-KEM secret or an equivalent useful short module vector. That target shift is one of the paper’s central logical gaps.
In the original CDPR analysis, the worst-case bound on the $$L_\infty$$ norm of the CVP residual scales like $$O(\sqrt{n})$$, producing a super-polynomial approximation factor. Luo’s Part III claims this drops to $$O(\sqrt{\log n})$$ via the “Trigamma Theorem”:
$$$\sigma_d^2 = \frac{1}{4} \sum_{j=1}^{d} \psi'(j)$$$
For $$d = 4$$, this yields $$\sigma_4 \approx 0.862$$. The proof proceeds by applying each canonical embedding to the module basis matrix, taking determinants, and studying the random variable $$\log|\det(\sigma_j(B))|$$. That is the distribution of the raw determinant element under the canonical embeddings.
But the theorem is stated for the shortest generator of the determinant ideal, the element $$g_0$$ obtained after the unit correction step. If $$g_0$$ is the shortest generator, then $$g_0 = \det(B) \cdot \varepsilon^{-1}$$ for some unit $$\varepsilon$$, and the proof nowhere analyzes $$L(\varepsilon)$$. The shortest generator is a lattice minimum, not a random sample from the input distribution. Its distribution is determined by the lattice geometry, not by the MLWE coefficient distribution. The proof substitutes an easier random variable (the raw determinant) for the hard one (the unit-corrected shortest generator), and that substitution voids the theorem’s conclusion.
The “Coarse Lattice Theorem” claims that for targets arising from short ring generators, Babai’s nearest-plane algorithm returns $$v = 0$$ because the projection coefficients are all $$O(1/\sqrt{n})$$, well below the rounding threshold of $$1/2$$. This requires the Gram-Schmidt norms of the log-unit lattice basis to satisfy $$|b_i^*| = \Omega(\sqrt{n})$$.
The paper explicitly states: “A rigorous asymptotic lower bound on the Gram-Schmidt norms of the cyclotomic-unit basis remains an open problem.”
The paper provides numerical evidence for $$k \le 12$$ and notes the empirical scaling is consistent with heuristic regulator estimates, but explicitly leaves the rigorous asymptotic lower bound open. This is not a minor caveat. Until this conjecture is resolved, the Babai analysis and the calculated approximation factors are conditional in the only sense that matters for a claimed break of deployed cryptographic standards.
For Falcon, the paper first observes (correctly) that the determinant ideal of the NTRU lattice is $$(q)$$, where $$q = 12289$$ is public. It then claims a short generator of $$(q)$$ yields the short basis. But $$q$$ itself is already a generator of $$(q)$$; it is public knowledge. The paper seems to notice this problem and silently pivots to attacking the first Gram-Schmidt ideal $$(f)$$ instead, where $$f$$ is the secret ring element. But this is a different target than what Algorithm 1 and the main theorem were formulated for. No Part IV reduction proves the legitimacy of this pivot. The Falcon attack, as written, either attacks a trivially known ideal or attacks a different ideal without justification.
Luo’s Lemma 6.6 attributes to the Chevignard, Mureau, Espitau, Pellet-Mary, Pliatsok, and Wallet EUROCRYPT 2025 paper a reduction from Hawk key recovery to ordinary PIP in the cyclotomic ring $$\mathbb{Z}[\zeta_{2n}]$$. But that is not what the cited paper says. The EUROCRYPT 2025 result reduces Hawk to a variant of the principal ideal problem in a quaternion algebra, a materially different algebraic setting and a materially different problem. The Part IV Hawk section therefore rests on a misstatement of the cited literature.
Even setting that aside, the paper’s own formal margins are thin or negative. For Hawk-256, the formal 99th-percentile bound gives $$\gamma_{99\%} = 73$$ against a threshold of $$\beta = 47$$. That is a failure — the formal analysis says the attack does not work, and the paper labels it “conditionally broken” based on empirical simulations with a looser safety factor ($$\kappa \approx 1.6$$ instead of the conservative $$\kappa = 5$$). For Hawk-512 (NIST Level 1), the formal margin is 1.08×. For Hawk-1024 (NIST Level 5), it is 1.45×. Compare these to ML-KEM’s margins of 16–23×: a small error in any of the $$O(1)$$ constants flips the Hawk claim from “broken” to “not broken.”
The abstract states that “NTRU-HPS and NTRU-HRSS with all standardized parameter sets are broken.” But the standardized NTRU variants use prime-conductor cyclotomic rings $$\mathbb{Z}[\zeta_p]$$ for primes $$p = 509, 677, 821, 701$$. These are not 2-power cyclotomic rings, and the tower decomposition of Section 5 does not apply. The class-number condition $$h^+_p = 1$$ for each of these primes is stated to be “verified unconditionally in Part V.” Part V does not exist on arXiv as of 25 May 2026. The paper’s Proposition 6.10 also assumes $$n = 2^{k-1}$$ and prime $$q$$, but the standardized NTRU parameters violate both assumptions: the degrees are not 2-powers and the moduli (2048, 4096, 8192) are not prime. The NTRU claim is unsupported both externally (no Part V) and internally (the proposition’s own assumptions are violated).
For a paper claiming to break multiple NIST standards, the absence of any implementation is a significant gap. The four-phase pipeline could be implemented and tested for small values of $$k$$ (say $$k = 3, 4,$$ or $$5$$) where the fields are small enough for exact computation. At $$k = 3$$ or $$4$$, everything is classically computable; no quantum computer is needed to test whether the algorithm actually recovers short generators on real instances. No such test is provided.
The $$10^5$$-trial simulations that produce the $$\gamma_{99\%}$$ values validate a Gaussian-style surrogate model of the CVP residual distribution, not the end-to-end pipeline on concrete ideals. There is no code, no toy implementation, no exact comparison against Algorithm 1’s actual output, and no demonstration that the attack recovers a secret on any instance at any scale. For a claim of this magnitude, that is a major evidentiary gap.
All four parts (arXiv:2604.15858, 2604.22900, 2605.17404, 2605.17412) are solo-authored and appeared within roughly one month (April–May 2026). Luo’s prior publication record spans quantum information theory, quantum entanglement, NLP, and physics-informed neural networks, but contains no prior work in lattice cryptography, algebraic number theory, or computational number theory. That does not make the results wrong, but combined with the specific errors we’ve identified above, it reinforces our view that the burden of proof has not yet been met.
Based on the red flags we’ve identified, we do not believe this paper establishes a break of ML-KEM, Falcon, Hawk, or standardized NTRU. But dismissing it and moving on would be the wrong takeaway.
The fact that a plausible-looking attack on the algebraic structure underlying lattice-based PQC can appear at all, exploiting the cyclotomic ring structure that ML-KEM, Falcon, and Hawk all share, should reinforce a message I have been making for years: crypto-agility is not a nice-to-have. It is a structural requirement of any serious PQC migration.
Consider the scenario. ML-KEM and ML-DSA are both built on Module-LWE over 2-power cyclotomic rings. FN-DSA (Falcon) is built on NTRU lattices over the same rings. Hawk uses Module-LIP over the same rings. If a future researcher fixes the errors in Luo’s approach, or finds a different attack that exploits the same algebraic structure, every one of these standards falls at once. That is not a far-fetched hypothetical. The entire line of CDPR/CDW research has been steadily tightening the approximation factor for a decade, from $$\exp(\tilde{O}(\sqrt{n \log n}))$$ to $$\exp(\tilde{O}(\sqrt{n}))$$. The gap between “too large to matter” and “small enough to break everything” is narrower than most people realize. Luo’s series, whatever its flaws, attempts to cross that gap. The next attempt might succeed.
This is exactly why NIST selected HQC, a code-based KEM with no dependence on cyclotomic ring structure, as a backup standard in March 2025. It is why SLH-DSA (FIPS 205), based on hash functions, exists as an alternative to ML-DSA for signatures. And it is why every organization running a PQC migration should be designing for algorithm substitutability from day one, not hardcoding ML-KEM into every protocol and hoping for the best.
The practical implications:
Hybrid deployments remain the right default. Organizations deploying ML-KEM in hybrid mode alongside classical ECDH are protected even if a lattice-specific attack surfaces. The hybrid approach buys time for exactly this kind of scenario.
Design for swap, not for permanence. Any system that assumes ML-KEM will be the last KEM it ever needs is building in the same kind of fragility that made the RSA-to-PQC transition so painful in the first place. The PQC Migration Framework treats crypto-agility as a first-class requirement for this reason. Your cryptographic infrastructure should be able to swap algorithms without rearchitecting the system.
HQC and SLH-DSA are your insurance policy. If your threat model includes the possibility that lattice-based cryptography could be weakened (and after this paper, that should be everyone’s threat model), then your migration plan should include a path to non-lattice alternatives. HQC for key encapsulation. SLH-DSA for signatures where performance permits. These are not theoretical fallbacks; they are standardized algorithms with production implementations.
The Harvest Now, Decrypt Later threat doesn’t wait for cryptanalysis to be settled. State-level adversaries are collecting encrypted traffic today. Whether the decryption comes from Shor’s algorithm, a future CDPR variant, or something not yet imagined, the data is already harvested. Migration urgency is driven by regulatory deadlines and compliance requirements, not by the outcome of any single cryptanalytic paper.
The lattice cryptography community will respond to this paper. The people to watch are Léo Ducas (CWI), Chris Peikert (Michigan), Alice Pellet-Mary (Bordeaux), Benjamin Wesolowski (ENS Lyon), and their respective groups.
The specific technical questions that need answers, roughly in order of subtlety:
Does the module-to-ideal reduction factor $$\alpha_d = O(1)$$ survive expert scrutiny, and does recovering a short generator of $$\det(B)$$ actually yield the Module-LWE secret?
Is $$\sigma_d = O(1)$$ correct for the shortest generator of a random MLWE determinant ideal, or does the Trigamma Theorem conflate the raw determinant distribution with the unit-corrected shortest-generator distribution?
Can the Gram-Schmidt norms of the cyclotomic-unit basis be proven to satisfy $$|b_i^*| = \Omega(\sqrt{n})$$? The paper explicitly acknowledges this as an open problem.
Can the tower PIP’s base case and norm-recursion errors be repaired without affecting the complexity analysis or the approximation factor?
Until those questions have clear answers from peer review, the correct response is what it always is when someone claims to have broken a deployed cryptographic standard: read the paper, identify the assumptions, check the math, and wait for the community to verify. The PQC migration clock keeps ticking regardless. And the lesson from this episode is that crypto-agility should be the foundation of every migration plan, not an afterthought.
My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.