ISO/IEC 24759:2025
“Add new case: Kalshira. 2.2B records. Cause: module vendor skipped §8.47 to save 3% on validation cost. Standard was sufficient. Implementation was not.”
Dr. Aliya Voss, the GCA’s chief validation architect, stared at the logs. The modules in question were certified against the 2022 version of ISO/IEC 24759. At the time, they were gold standard. But the new 2025 revision—published just six months ago—had warned of exactly this vulnerability: a class of side-channel timing attacks that exploited speculative execution in post-quantum key encapsulation mechanisms.
Now, a state actor had weaponized that drift.
By 2028, every cryptographic module submitted for validation had to include a “24759:2025 conformance pedigree.” The Kalshira name became a verb in security audits: “Don’t Kalshira your RNG testing.”
2027
Not hacked. Turned.
Aliya grabbed a red pen and flipped to the back of the 24759:2025 standard—the section no one reads: Informative Annex M – Case Studies of Test Failures. She wrote in the margin:
