up:: The Threat MOC

Attacking Post-Quantum Cryptography

Post-quantum cryptography can be attacked at four distinct layers, and a serious evaluation has to look at all of them rather than at the algorithm alone. An attacker can go after the underlying hard math of a specific family, run a quantum algorithm against it, exploit how the code runs on a real machine, or manipulate the protocol and the migration around it. This note maps every one of those attack classes, links the full write-up behind each, and states the honest bottom line up front: at the parameter sets NIST standardized, no known attack at any layer breaks ML-KEM, ML-DSA, or SLH-DSA. The attacks that actually compromise deployed systems live at the implementation and protocol layers, not in the math.

Source: NIST IR 8547 (initial public draft), “Transition to Post-Quantum Cryptography Standards,” 2024, NIST.

The short version:

  • The math layer is attacked per family, and each family has its own best attack: lattices fall to lattice reduction and sieving, codes to information-set decoding, multivariate schemes to algebraic attacks, and isogenies to their own specialized breaks.
  • The quantum layer is what makes this whole field exist. Shor’s algorithm breaks classical public-key math outright, Grover’s dents symmetric and hash security, and a handful of other quantum algorithms shape the security margins without breaking the standards.
  • The implementation layer is where real breaks happen. Correct algorithms leak through timing, power, and faults, and ordinary code bugs (bad randomness, error oracles) undo a proven design.
  • The protocol and transition layer is attacked without touching the math at all, by forcing a connection down to its classical algorithm or by recording traffic now to decrypt later.
  • The security estimates that set the parameters are conservative and periodically revised, which is why the categories carry margin. A break of the math would be a research earthquake, and none has landed on the standardized schemes.

Think of a bank vault. You can try to crack the lock mechanism itself, which is the math. You can bring a fundamentally more powerful tool that the lock was never designed to resist, which is the quantum algorithm. You can ignore the lock and read the combination off the manager’s keystrokes or the warmth left on the keypad, which is the implementation attack. Or you can talk the guard into using the old, weaker door, which is the protocol attack. A resource that only studies the lock mechanism tells you almost nothing about whether the vault actually holds.

Layer 1: how is the hardness math attacked, family by family?

Every post-quantum scheme rests on a mathematical problem believed hard to solve, and each problem has a distinct best-known attack that sets the algorithm’s key and signature sizes. This is the layer NIST’s multi-year competition stress-tested hardest.

Lattice-based (ML-KEM, ML-DSA, FN-DSA, FrodoKEM)

The lattice family carries most of the standardized load, so it is the most heavily analyzed. The attacks form a connected toolkit:

Code-based (Classic McEliece, BIKE, HQC)

Multivariate (UOV, MAYO)

Isogeny (SQIsign, and the cautionary SIKE)

  • The SIKE Break: the 2022 classical break of the SIKE key-exchange candidate, the sharpest reminder that newer assumptions carry newer risk. SQIsign survived because it does not expose the same structure.

Hash-based (SLH-DSA, XMSS, LMS)

The hash-based family has the smallest math attack surface, because its security reduces to the properties of the hash function itself. Its exposure is covered under the quantum and multi-target headings below rather than a family-specific math break, which is exactly why it is the conservative choice.

Layer 2: which quantum algorithms threaten cryptography?

These are the quantum algorithms that define the threat model, and the reason the whole transition exists.

The size of the machine those algorithms need is its own subject: see Quantum Resource Estimation, The Threshold Theorem, and Quantum Hardware Roadmaps.

Layer 3: where do real-world breaks actually happen?

A mathematically sound algorithm becomes exploitable in how it runs. This layer, not the math, is where deployed post-quantum systems have actually leaked.

Layer 4: how is the migration attacked without touching the math?

These compromise the system without breaking any algorithm, by attacking the negotiation, the migration, or the data lifecycle.

What does the whole attack surface look like?

LayerAttack classPrimarily threatensBreaks the standards today?
MathLattice reduction / primal + dual / sievingML-KEM, ML-DSA, FN-DSA, FrodoKEMNo
MathDecryption-failure boostingLattice KEMsNo
MathInformation-Set DecodingClassic McEliece, BIKE, HQCNo
Math MinRankUOV, MAYO (broke Rainbow)No (broke a withdrawn scheme)
MathTorsion-point isogeny attackSIKE / SIDHYes, broke SIKE (now withdrawn)
QuantumShor’s AlgorithmRSA, DH, ECC (classical)Breaks classical, not PQC
QuantumGrover’s Algorithm / Grover on AESAES, hashesNo, dents only
Quantum q-sievingIsogeny, some modesNo
ImplementationSide-channel + faultAny real deploymentYes, against unprotected code
ImplementationImplementation bugsAny real deploymentYes, against buggy code
Protocol rollbackHybrid deploymentsYes, forces classical fallback
ProtocolHarvest-now-decrypt-laterLong-lived confidentialityYes, against classical traffic today

Common misconceptions

  • “If the math is proven, the system is secure.” The math is only Layer 1 of four. Most real compromises come from the implementation and protocol layers, where a correct algorithm still leaks or gets downgraded.
  • “A quantum computer breaks post-quantum cryptography.” The point of these schemes is that no known quantum algorithm breaks them at standardized parameters. Shor breaks the classical algorithms they replace, and Grover only dents symmetric strength.
  • “SIKE broke, so post-quantum cryptography is unreliable.” SIKE was one isogeny candidate that exposed a specific structure, caught during evaluation rather than after deployment. The standardized lattice and hash families rest on far older, more-studied problems.
  • “Bigger parameters always mean more security.” For a decryption-failure or multi-target attack, the relationship is subtle, and the security estimate is what maps parameters to real strength.
  • “Once we deploy ML-KEM, the attack surface is closed.” A downgrade attack, a side channel, or a buggy implementation reopens it. Deployment is the start of the security work, and testing is where it is verified.

Questions people ask

Can post-quantum cryptography be broken? Not at the parameters NIST standardized, by any attack known today at any of the four layers. The realistic risks are implementation flaws and protocol downgrades, which are engineering problems with known defenses, rather than a break of the underlying math.

Which attack should I actually worry about? The implementation and protocol layers, because that is where deployed systems fail. Insist on constant-time, validated implementations (see ACVP and PQC Validation) and on hybrids that fail safe against downgrade.

Do the math attacks ever get better? Yes, incrementally, which is why the security estimates are conservative and revised over time. A sudden large improvement would be a major research result, and the standardized families have absorbed decades of such scrutiny without one.

Why does hash-based cryptography have the smallest attack surface? Because its security reduces to the hash function itself, which faces only Grover and multi-target pressure, both well understood. That conservatism is why SLH-DSA exists as the backup signature standard.

Is a side-channel attack a break of the algorithm? No, it is a break of the implementation. The algorithm can be perfectly sound while the code that runs it leaks through timing or power, which is why masking and constant-time coding are mandatory rather than optional.


Everything here is the map, given freely. When your team needs its own post-quantum deployment evaluated across all four layers, the math, the implementation, and the protocol, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.