up:: The Threat MOC
Attacking Post-Quantum Cryptography
Post-quantum cryptography can be attacked at four distinct layers, and a serious evaluation has to look at all of them rather than at the algorithm alone. An attacker can go after the underlying hard math of a specific family, run a quantum algorithm against it, exploit how the code runs on a real machine, or manipulate the protocol and the migration around it. This note maps every one of those attack classes, links the full write-up behind each, and states the honest bottom line up front: at the parameter sets NIST standardized, no known attack at any layer breaks ML-KEM, ML-DSA, or SLH-DSA. The attacks that actually compromise deployed systems live at the implementation and protocol layers, not in the math.
Source: NIST IR 8547 (initial public draft), “Transition to Post-Quantum Cryptography Standards,” 2024, NIST.
The short version:
- The math layer is attacked per family, and each family has its own best attack: lattices fall to lattice reduction and sieving, codes to information-set decoding, multivariate schemes to algebraic attacks, and isogenies to their own specialized breaks.
- The quantum layer is what makes this whole field exist. Shor’s algorithm breaks classical public-key math outright, Grover’s dents symmetric and hash security, and a handful of other quantum algorithms shape the security margins without breaking the standards.
- The implementation layer is where real breaks happen. Correct algorithms leak through timing, power, and faults, and ordinary code bugs (bad randomness, error oracles) undo a proven design.
- The protocol and transition layer is attacked without touching the math at all, by forcing a connection down to its classical algorithm or by recording traffic now to decrypt later.
- The security estimates that set the parameters are conservative and periodically revised, which is why the categories carry margin. A break of the math would be a research earthquake, and none has landed on the standardized schemes.
Think of a bank vault. You can try to crack the lock mechanism itself, which is the math. You can bring a fundamentally more powerful tool that the lock was never designed to resist, which is the quantum algorithm. You can ignore the lock and read the combination off the manager’s keystrokes or the warmth left on the keypad, which is the implementation attack. Or you can talk the guard into using the old, weaker door, which is the protocol attack. A resource that only studies the lock mechanism tells you almost nothing about whether the vault actually holds.
Layer 1: how is the hardness math attacked, family by family?
Every post-quantum scheme rests on a mathematical problem believed hard to solve, and each problem has a distinct best-known attack that sets the algorithm’s key and signature sizes. This is the layer NIST’s multi-year competition stress-tested hardest.
Lattice-based (ML-KEM, ML-DSA, FN-DSA, FrodoKEM)
The lattice family carries most of the standardized load, so it is the most heavily analyzed. The attacks form a connected toolkit:
- Lattice Reduction (LLL and BKZ): the workhorse, the algorithms that find short lattice vectors and underlie almost every concrete lattice attack.
- The Primal and Dual Attacks: the two concrete strategies for turning an LWE instance into a lattice problem that reduction can solve.
- Lattice Sieving and Enumeration: the two SVP-solver subroutines that BKZ calls, and the memory cost that separates conservative from aggressive security estimates.
- Core-SVP and Lattice Security Estimation: how the bit-security and NIST categories of a lattice scheme are actually computed and revised.
- Structured-Lattice Attacks and the Ring-Structure Question: whether the algebraic structure of Ring-LWE and Module-LWE opens attacks that plain LWE avoids, and why conservatives keep FrodoKEM in reserve.
- Decryption Failures in Lattice KEMs: how a tiny nonzero failure probability becomes a security parameter and the failure-boosting attacks that target it.
Code-based (Classic McEliece, BIKE, HQC)
- Information-Set Decoding: the main attack on code-based schemes, an exponential-time decoding search whose cost sets the famously large public keys of Classic McEliece, BIKE, and HQC.
Multivariate (UOV, MAYO)
- Algebraic Attacks on Multivariate Cryptography: Grobner-basis and MinRank attacks, and the history of multivariate breaks (Rainbow fell to one of these in 2022), which is why UOV and MAYO parameters are set defensively.
Isogeny (SQIsign, and the cautionary SIKE)
- The SIKE Break: the 2022 classical break of the SIKE key-exchange candidate, the sharpest reminder that newer assumptions carry newer risk. SQIsign survived because it does not expose the same structure.
Hash-based (SLH-DSA, XMSS, LMS)
The hash-based family has the smallest math attack surface, because its security reduces to the properties of the hash function itself. Its exposure is covered under the quantum and multi-target headings below rather than a family-specific math break, which is exactly why it is the conservative choice.
Layer 2: which quantum algorithms threaten cryptography?
These are the quantum algorithms that define the threat model, and the reason the whole transition exists.
- Shor’s Algorithm: breaks RSA, Diffie-Hellman, and elliptic curves outright by solving integer factorization and the discrete logarithm problem. This is the catastrophe the standards answer.
- Grover’s Algorithm: a quadratic speedup on unstructured search that halves the effective key strength of symmetric ciphers and hashes, which is a dent rather than a break.
- Grover on AES: the specifics of that dent, why AES-128 drops toward 64-bit search while AES-256 retains a comfortable margin, and why NIST reads Grover as far less threatening than a naive count suggests.
- Simon’s Algorithm and Offline Simon’s Algorithm: quantum attacks that break certain symmetric modes in the strong superposition-query model.
- Quantum Attacks Beyond Shor and Grover: Kuperberg’s subexponential algorithm (the reason some isogeny schemes need care), quantum lattice sieving, and the other algorithms that shape margins without breaking the standardized schemes.
The size of the machine those algorithms need is its own subject: see Quantum Resource Estimation, The Threshold Theorem, and Quantum Hardware Roadmaps.
Layer 3: where do real-world breaks actually happen?
A mathematically sound algorithm becomes exploitable in how it runs. This layer, not the math, is where deployed post-quantum systems have actually leaked.
- Side-Channel Analysis and Differential Power Analysis: recovering secrets from timing, power draw, or electromagnetic emissions rather than from the algorithm.
- Side-Channel and Fault Attacks on PQC: the PQC-specific version, including the KyberSlash timing leak, plus fault injection that forces a signature to reveal its key.
- PQC Implementation Pitfalls: the ordinary-bug class that undoes a proven design, non-constant-time code, reused randomness, decryption-error oracles, and mishandled Fujisaki-Okamoto rejection.
- Masking: the leading defense, splitting secret values so leakage reveals nothing.
Layer 4: how is the migration attacked without touching the math?
These compromise the system without breaking any algorithm, by attacking the negotiation, the migration, or the data lifecycle.
- Downgrade and Rollback Attacks: forcing a hybrid or negotiated connection down to its weaker classical algorithm, which is why “PQC is offered” is a weaker claim than “PQC is used.”
- Harvest Now, Decrypt Later (HNDL) and Store-Now-Decrypt-Later Actor Landscape: recording encrypted traffic today to decrypt once a quantum computer exists, the reason confidentiality is urgent before any machine arrives.
- The Forge-Later Attack: the integrity counterpart, where a broken signature scheme lets an attacker forge trust after the fact.
- Multi-Target and Precomputation Attacks: amortizing effort across many keys or precomputing tables, and the salting and domain-separation defenses.
What does the whole attack surface look like?
| Layer | Attack class | Primarily threatens | Breaks the standards today? |
|---|---|---|---|
| Math | Lattice reduction / primal + dual / sieving | ML-KEM, ML-DSA, FN-DSA, FrodoKEM | No |
| Math | Decryption-failure boosting | Lattice KEMs | No |
| Math | Information-Set Decoding | Classic McEliece, BIKE, HQC | No |
| Math | MinRank | UOV, MAYO (broke Rainbow) | No (broke a withdrawn scheme) |
| Math | Torsion-point isogeny attack | SIKE / SIDH | Yes, broke SIKE (now withdrawn) |
| Quantum | Shor’s Algorithm | RSA, DH, ECC (classical) | Breaks classical, not PQC |
| Quantum | Grover’s Algorithm / Grover on AES | AES, hashes | No, dents only |
| Quantum | q-sieving | Isogeny, some modes | No |
| Implementation | Side-channel + fault | Any real deployment | Yes, against unprotected code |
| Implementation | Implementation bugs | Any real deployment | Yes, against buggy code |
| Protocol | rollback | Hybrid deployments | Yes, forces classical fallback |
| Protocol | Harvest-now-decrypt-later | Long-lived confidentiality | Yes, against classical traffic today |
Common misconceptions
- “If the math is proven, the system is secure.” The math is only Layer 1 of four. Most real compromises come from the implementation and protocol layers, where a correct algorithm still leaks or gets downgraded.
- “A quantum computer breaks post-quantum cryptography.” The point of these schemes is that no known quantum algorithm breaks them at standardized parameters. Shor breaks the classical algorithms they replace, and Grover only dents symmetric strength.
- “SIKE broke, so post-quantum cryptography is unreliable.” SIKE was one isogeny candidate that exposed a specific structure, caught during evaluation rather than after deployment. The standardized lattice and hash families rest on far older, more-studied problems.
- “Bigger parameters always mean more security.” For a decryption-failure or multi-target attack, the relationship is subtle, and the security estimate is what maps parameters to real strength.
- “Once we deploy ML-KEM, the attack surface is closed.” A downgrade attack, a side channel, or a buggy implementation reopens it. Deployment is the start of the security work, and testing is where it is verified.
Questions people ask
Can post-quantum cryptography be broken? Not at the parameters NIST standardized, by any attack known today at any of the four layers. The realistic risks are implementation flaws and protocol downgrades, which are engineering problems with known defenses, rather than a break of the underlying math.
Which attack should I actually worry about? The implementation and protocol layers, because that is where deployed systems fail. Insist on constant-time, validated implementations (see ACVP and PQC Validation) and on hybrids that fail safe against downgrade.
Do the math attacks ever get better? Yes, incrementally, which is why the security estimates are conservative and revised over time. A sudden large improvement would be a major research result, and the standardized families have absorbed decades of such scrutiny without one.
Why does hash-based cryptography have the smallest attack surface? Because its security reduces to the hash function itself, which faces only Grover and multi-target pressure, both well understood. That conservatism is why SLH-DSA exists as the backup signature standard.
Is a side-channel attack a break of the algorithm? No, it is a break of the implementation. The algorithm can be perfectly sound while the code that runs it leaks through timing or power, which is why masking and constant-time coding are mandatory rather than optional.
Everything here is the map, given freely. When your team needs its own post-quantum deployment evaluated across all four layers, the math, the implementation, and the protocol, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.