Recommended for this list:<p>1. <a href="https://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf" rel="nofollow">https://archiv.infsec.ethz.ch/education/fs08/secsem/bleichen...</a> - This is necessary to scare newbies away from implementing textbook RSA<p>2. <a href="https://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf" rel="nofollow">https://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e0...</a> - Vaudenay's attack on CBC mode is essential to practitioners<p>3. <a href="https://mega-awry.io/pdf/mega-malleable-encryption-goes-awry.pdf" rel="nofollow">https://mega-awry.io/pdf/mega-malleable-encryption-goes-awry...</a> - A real world attack on Mega's encryption<p>Unfortunately, most interesting cryptanalysis results are easier to find as blog posts than academic papers.<p>For example: the Frozen Heart vulnerability in zero-knowledge proof systems that rely on the weak Fiat-Shamir transform.<p><a href="https://blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/" rel="nofollow">https://blog.trailofbits.com/2022/04/13/part-1-coordinated-d...</a><p><a href="https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/" rel="nofollow">https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vul...</a><p><a href="https://blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/" rel="nofollow">https://blog.trailofbits.com/2022/04/18/the-frozen-heart-vul...</a><p>These blog posts are great, but they aren't academic papers, so they may not qualify for your list.