Module Lattice Security (Part IV): Probabilistic Polynomial Quantum Attack on Module-LWE over 2-Power Cyclotomics

TL;DR

This paper introduces a quantum algorithm that effectively breaks several lattice-based cryptographic schemes over 2-power cyclotomic rings, demonstrating their vulnerability to quantum attacks.

Contribution

It develops a polynomial-time quantum attack on ML-KEM and related schemes, extending the analysis to multiple cryptographic protocols over 2-power cyclotomic rings.

Findings

Successfully breaks ML-KEM-1024 with high probability

Extends attack to Falcon, Hawk, and NTRU schemes

Provides a quantum algorithm with polynomial gate and qubit complexity

Abstract

We present a quantum attack on ML-KEM and related 2-power cyclotomic lattice schemes. Combining with Parts I-III, we provide an algorithm and verify the resulting approximation factor satisfies $\gamma \le 21 < q/2=1665$ for ML-KEM-1024, with a success probability $\ge 0.99$. We apply a tower decomposition of the Principal Ideal Problem (PIP) through the chain $\Q \subset \Q(\zeta_8) \subset \cdots \subset \Q(\zeta_{2^k})$ which yields a polynomial-time quantum algorithm costing $O(n^3 \log^2 n)$ gates, $O(n^2 \log n)$ qubits, and $\mathrm{poly}(n)$ classical bit operations. We extend the analysis to Falcon, Hawk, and NTRU over 2-power cyclotomic rings. This means that ML-KEM, Falcon, Hawk, NTRU-HPS, and NTRU-HRSS with all standardized parameter sets are broken under quantum attack.