Module Lattice Security (Part IV): Probabilistic Polynomial Quantum Attack on Module-LWE over 2-Power Cyclotomics
Published 17 May 2026 in quant-ph, cs.CR, math.CO, and math.RA | (2605.17412v1)
Abstract: We present a quantum attack on ML-KEM and related 2-power cyclotomic lattice schemes. Combining with Parts I-III, we provide an algorithm and verify the resulting approximation factor satisfies $γ\le 21 < q/2=1665$ for ML-KEM-1024, with a success probability $\ge 0.99$. We apply a tower decomposition of the Principal Ideal Problem (PIP) through the chain $\Q \subset \Q(ζ8) \subset \cdots \subset \Q(ζ{2k})$ which yields a polynomial-time quantum algorithm costing $O(n3 \log2 n)$ gates, $O(n2 \log n)$ qubits, and $\mathrm{poly}(n)$ classical bit operations. We extend the analysis to Falcon, Hawk, and NTRU over 2-power cyclotomic rings. This means that ML-KEM, Falcon, Hawk, NTRU-HPS, and NTRU-HRSS with all standardized parameter sets are broken under quantum attack.
The paper introduces a unified quantum algorithm that reduces module-LWE to short generator recovery using the algebraic properties of 2-power cyclotomic rings.
It employs precise algebraic techniques including tower decomposition and Babai’s nearest-plane algorithm to ensure polynomial-time quantum and classical operations.
Empirical results show approximation factors well below security thresholds, decisively breaking NIST-standard schemes such as Kyber, Falcon, Hawk, and NTRU.
Probabilistic Polynomial-Time Quantum Attacks on Module-LWE over 2-Power Cyclotomics
Introduction and Context
This paper presents a quantum cryptanalytic framework that breaks NIST-standardized module lattice cryptosystems—most notably ML-KEM (Kyber), Falcon, Hawk, and NTRU (over 2-power cyclotomics)—using a unified, provable, and highly efficient quantum algorithm. The central conceptual advance is a tightly integrated analysis and construction leveraging the deep algebraic structure of 2-power cyclotomic number fields, culminating in an attack that achieves a short vector approximation factor γ=exp(O(logn)) and polynomial (in practice, low-degree) quantum circuit complexity. The attack fully resolves critical open questions concerning the feasibility of applying algebraic methods to NIST PQC schemes: whether the “CDPR” attack pipeline yields polynomial-time quantum PIP solutions in practice, and whether the resultant approximation factor γ suffices for total key recovery for all deployed parameter sets.
Algebraic and Algorithmic Foundations
The chosen cryptosystems rely fundamentally on the conjectured hardness of the Module-LWE problem over cyclotomic rings, which is tightly connected to ideal- and module-SVP via worst-case/average-case reductions. Previous quantum attacks, notably the CDPR algorithm, reduce breaking Module-LWE to finding short generators in principal ideals. However, effective execution of this pipeline for cryptanalysis faces two key obstacles: (i) ensuring that every relevant ideal is principal (“class number 1”), (ii) controlling exponential overheads in quantum PIP solvers (often hidden by reliance on the Generalized Riemann Hypothesis or exponential coefficient blow-up).
This work (the fourth in a series) provides an end-to-end resolution:
Structural validation: It proves for all k≤12 (relevant for deployed parameters) that the maximal real subfield has class number 1, so every ideal is principal and the cyclotomic ring has a “PID-like” property.
Precision reduction: It demonstrates that all module-to-ideal reductions and CVP steps, including Babai’s nearest-plane algorithm on the log-unit lattice, admit constant or negligible (sub-polynomial) loss.
Algebraic optimization: It describes a full cyclotomic tower decomposition, reducing polynomial arithmetic and unit group computations to a chain of quadratic field extensions, minimizing computational blowup at every level and avoiding exponentiation of representation size.
Quantum circuit construction: It provides the first explicit, polynomial-time, tower-based quantum PIP algorithm that is immune to previously known coefficient explosions occurring in monolithic approaches.
Main Algorithm and Cryptanalytic Pipeline
The full attack pipeline proceeds as follows:
Module-to-Ideal Reduction: The public key instance is reduced to a principal ideal by Gram-Schmidt over the cyclotomic integer ring, incurring only a constant factor blowup. This is validated by analytic and simulation results (αd≤1.17 for all NIST ML-KEM parameter sets).
Polynomial-Time Quantum PIP: The ideal’s generator is recovered using a novel, quantum, tower PIP algorithm. The approach is recursive: at each level L of the tower, the principal ideal problem and unit group generators are handled using quantum HSP (Hidden Subgroup Problem) algorithms over abelian groups of size polynomial in n; all unit and generator representations remain compressed (i.e., in tower factored form), avoiding exponential expansion.
Log-Unit CVP Solution: The generator’s log-embedding is projected onto the trace-zero subspace, and the Babai nearest-plane algorithm is executed against the log-unit lattice. Rigorous probabilistic analysis of the residual and resultant approximation factor is performed; the target distribution is shown to be sharply centered, with the residual on the order of O(2lnn) per coordinate, independent of q.
Short Generator Recovery: The recovery of the required unit’s exponent is completed using LLL and classical algebraic operations in polynomial time, obtaining the final short generator(s) and thus the original scheme’s secret key.
Numerical Results and Security Implications
Theoretical and empirical validation demonstrates:
ML-KEM-1024: The attack achieves median approximation factor γ≈21, with γ99%≈103, both many orders of magnitude below the γ0 security threshold; simulation on γ1 random instances yields observed maximal γ2 well below the threshold in all cases.
Falcon-1024: For NTRU lattices (γ3, γ4), median γ5, with a 99\%-percentile value of γ6, versus threshold γ7.
Hawk: Even under more restrictive signature norm bounds, empirical margins generally exceed γ8 (γ9+ success rate), except for the smallest parameter set, which the authors classify as “conditionally broken.”
NTRU: The margin between the attack output and the threshold for decryption error remains above an order of magnitude for all standardized parameters.
These results decisively demonstrate that all instantiations of ML-KEM, Falcon, Hawk, and NTRU over 2-power cyclotomic rings, with current standard parameters, are vulnerable to this polynomial-time quantum attack.
Complexity, Extensions, and Relations to Prior Work
The quantum part of the attack consumes k≤120 gates and k≤121 qubits for ML-KEM-1024, comfortably within plausible reach of future large-scale quantum computers. Classical subroutines (log-embedding evaluation, Babai, LLL) are also polynomial.
Key technical advances:
The use of a recursive tower for both norm descent and unit group relation search, providing exponential improvement in representation and oracle evaluation complexity (e.g., bit operations, storage, and quantum circuit width).
The demonstration that Babai's algorithm, under the ring/unit group structure, almost always returns the correct coset when the target is an ideal generator, with deviation controlled by an explicit trigamma function expression for the residual variance.
Removal of hidden assumptions previously necessary (e.g., GRH for low-degree fields; unproven “no coefficient explosion” assertions in quantum PIP).
The analysis rigorously exceeds all prior ideal-SVP and module-SVP quantum attack methods, in sharp contrast to classical BKZ-based approaches, which remain superpolynomial for these parameter regimes.
Extensions to Additional Lattice Schemes
The attack’s applicability is grounded in three explicit algebraic criteria: class number 1 for the real subfield; quadratic extension structure for cyclotomic towers; and precise variance characterization for the module determinant’s log-embedding. Verification for all NIST PQC and similar schemes enables immediate application to ML-KEM, Falcon, Hawk, and NTRU, with only the minimal parameter-specific adjustments in ring arithmetic.
Theoretical and Practical Implications
Theoretical impact: These results clarify the precise quantum security status of ring- and module-based lattice cryptography under algebraic attacks. They indicate that the current “standard lattice” regime (i.e., 2-power cyclotomic rings) does not offer quantum resistance at the approximation factors and parameter sizes chosen by NIST.
Practical impact: Should a scalable, fault-tolerant quantum computer be realized, all analyzed NIST alternatives, including Kyber and Falcon, would be efficiently breakable in quantum polynomial time. This result sharply restricts the plausible space of quantum-secure ring structures for module lattice cryptography and establishes new criteria for future standardization and parameter selection.
Conclusion
This work completes a rigorous, comprehensive analysis demonstrating that module lattice-based cryptosystems standardized over 2-power cyclotomic rings are universally and efficiently vulnerable to algebraic quantum attacks. The methods developed resolve both algorithmic and analytic obstacles, establishing tight cryptanalytic complexity bounds and success probabilities. Future efforts in post-quantum cryptography must explore alternative algebraic structures, field types, or non-principal ideal domains to restore provable hardness against quantum attacks.