| 2023 |
KyberSlash (Kyber/ML-KEM) |
Timing Attack (Division) |
Critical (Key Leak) |
Secret-dependent division timings in decapsulation allowed key recovery. Patched Dec 2023 |
| 2022 |
FrodoKEM (NIST Round 3) |
Performance / Parameter Flaw |
High (Discarded) |
Daniel J Bernstein revealed FrodoKEM640 security margin flaws. Discarded due to low performance |
| 2019 |
Ideal Lattice Variants |
Algebraic Structure Weakness |
Moderate (Theoretical) |
Research (CDW17) confirmed ideal lattices weaker than generic lattices. Shift to Module-LWE. |
| 2014 |
Ideal Lattices (Generic) |
Subfield-Logarithm Attack |
Moderate (Theoretical) |
Bernstein demonstrated structural weaknesses in power-of-2 cyclotomic fields |
| 2006 |
GGH Signature Scheme |
Parallelepiped-Learning Attack |
Total Break |
Nguyen & Regev fully broke the signature scheme, recovering secret key from multiple signatures |
| 1999 |
GGH Encryption Scheme |
Design Flaw (CVP) |
Total Break |
Phong Q Nguyen published critical flaw. Scheme leaked private key info. Now obsolete |