Predicting Module-Lattice Reduction
Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as ‘Q8’ in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens-Davidowitz, CRYPTO 2020) confirmed the existence of such module variants of LLL and block-reduction algorithms, but focus only on provable worst-case asymptotic behavior. In this work, we present a concrete average-case analysis of module-lattice reduction. Specifically, we address the question of the expected slope after running module-BKZ, and pinpoint the discriminant $\Delta_K$ of the number field at hand as the main quantity driving this slope. We convert this back into a gain or loss on the blocksize $\beta$: module-BKZ in a number field $K$ of degree $d$ requires an SVP oracle of dimension $\beta + \log(|\Delta_K| / d^d)\,\beta/(d \log \beta) + o(\beta/\log \beta)$ to reach the same slope as unstructured BKZ with blocksize $\beta$. This asymptotic summary hides further terms that we predict concretely using experimentally verified heuristics. Incidentally, we provide the first open-source implementation of module-BKZ for some cyclotomic fields. For power-of-two cyclotomic fields, we have $|\Delta_K| = d^d$, and conclude that module-BKZ requires a blocksize larger than its unstructured counterpart by $d-1+o(1)$. On the contrary, for all other cyclotomic fields we have $|\Delta_K| < d^d$, so module-BKZ provides a sublinear $\Theta(\beta/\log \beta)$ gain on the required blocksize, yielding a subexponential speedup of $\exp(\Theta(\beta/\log \beta))$.
💡 Research Summary
The paper tackles a fundamental open question in post‑quantum cryptography: whether lattice reduction algorithms that exploit the module structure of lattices (module‑BKZ) outperform the classical, structure‑agnostic BKZ algorithm. This question, labeled “Q8” in the Kyber NIST submission, directly impacts concrete security estimates for Kyber, ML‑KEM, ML‑DSA and a wide range of other module‑lattice‑based schemes.
The authors adopt a concrete average-case perspective, focusing on the “slope” of a reduced basis after BKZ convergence, a standard proxy for basis quality. Their analysis identifies the discriminant $\Delta_K$ of the underlying number field $K$ as the decisive parameter governing the slope. By deriving a heuristic expression for the “equivalent blocksize” $\beta_{\mathrm{eq}}$, the blocksize that module-BKZ must use to achieve the same slope as unstructured BKZ with blocksize $\beta$, they obtain the formula
$\beta_{\mathrm{eq}} \approx \beta + \log(|\Delta_K| / d^d)\,\beta / (d \log \beta) + d - 1,$
where $d$ is the degree of $K$ (the base of the logarithm is immaterial, since it cancels in the ratio). The first additive term captures the influence of the discriminant, while the constant term $d - 1$ appears only when $|\Delta_K| = d^d$, i.e., for power-of-two cyclotomic fields.
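To make the formula from the abstract and the summary above concrete, the following added example (not code from the paper or its module-BKZ implementation) evaluates the equivalent-blocksize heuristic for several cyclotomic conductors. It computes $|\Delta_K|$ for $K = \mathbb{Q}(\zeta_m)$ from the classical closed form $|\Delta_K| = m^{\varphi(m)} / \prod_{p \mid m} p^{\varphi(m)/(p-1)}$ in exact integer arithmetic, then applies the displayed heuristic as written, including the constant $d - 1$ for every field; the function names and the list of conductors are my own choices, and the $o(\beta/\log\beta)$ terms of the abstract are, by construction, not modelled.

```python
import math


def prime_factors(m):
    """Distinct prime factors of m by trial division (m is a small conductor)."""
    factors, p = [], 2
    while p * p <= m:
        if m % p == 0:
            factors.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        factors.append(m)
    return factors


def euler_phi(m):
    """Degree d = phi(m) of the cyclotomic field Q(zeta_m)."""
    d = m
    for p in prime_factors(m):
        d = d // p * (p - 1)
    return d


def cyclotomic_discriminant(m):
    """|Delta_K| for K = Q(zeta_m), via the classical formula
    |Delta_K| = m^phi(m) / prod_{p | m} p^(phi(m)/(p-1)).
    phi(m) is always divisible by p-1, so the division is exact."""
    d = euler_phi(m)
    denominator = 1
    for p in prime_factors(m):
        denominator *= p ** (d // (p - 1))
    numerator = m ** d
    assert numerator % denominator == 0
    return numerator // denominator


def discriminant_term(beta, m):
    """The log(|Delta_K| / d^d) * beta / (d log beta) term of the heuristic.
    It is exactly 0 for power-of-two conductors (|Delta_K| = d^d) and
    negative, i.e. a blocksize gain, for every other cyclotomic field."""
    d = euler_phi(m)
    # A ratio of logarithms: the base cancels, so natural log is fine.
    return math.log(cyclotomic_discriminant(m) / d ** d) * beta / (d * math.log(beta))


def equivalent_blocksize(beta, m):
    """beta_eq ~ beta + log(|Delta_K|/d^d) * beta / (d log beta) + (d - 1),
    the heuristic as displayed in the summary (constant d - 1 always included)."""
    d = euler_phi(m)
    return beta + discriminant_term(beta, m) + (d - 1)


def blocksize_table(beta, conductors=(4, 8, 16, 3, 5, 12, 15)):
    """One row per conductor: (m, d, |Delta_K|, d^d, discriminant term, beta_eq)."""
    rows = []
    for m in conductors:
        d = euler_phi(m)
        rows.append((m, d, cyclotomic_discriminant(m), d ** d,
                     round(discriminant_term(beta, m), 1),
                     round(equivalent_blocksize(beta, m), 1)))
    return rows


if __name__ == "__main__":
    # beta = 380 is the NIST Level 1 blocksize quoted in the summary.
    print("m\td\t|Delta_K|\td^d\tdisc-term\tbeta_eq   (beta = 380)")
    for row in blocksize_table(380):
        print("\t".join(str(x) for x in row))
```

For the power-of-two conductors the discriminant term is identically zero and only the $d - 1$ penalty remains, while for $m = 15$ at $\beta = 380$ the discriminant term comes out near $-21$, in line with the roughly 20 dimensions of gain the summary quotes for $\mathbb{Q}(\zeta_{15})$ at that blocksize. Because the page's asymptotic statement absorbs lower-order terms into $o(\beta/\log\beta)$, treat the constant $d - 1$ for non-power-of-two fields as indicative rather than exact.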
For power‑of‑two cyclotomics (the fields used in the current NIST standards), the discriminant term vanishes, leaving a penalty of roughly d − 1 on the blocksize. In practice this means that module‑BKZ must use a blocksize larger by about the field degree to match the quality of ordinary BKZ. The authors confirm this prediction experimentally: for fields such as Q(ζ₂⁸) the measured β_eq − β aligns with the theoretical d − 1 offset.
Conversely, for all other cyclotomic fields the discriminant satisfies $|\Delta_K| < d^d$, so the discriminant term lowers the required blocksize rather than raising it. This yields a sub-linear gain of $\Theta(\beta/\log \beta)$ on the required blocksize, which translates into a multiplicative speed-up of $\exp(\Theta(\beta/\log \beta))$ for the whole reduction process. The gain becomes more pronounced when the conductor contains odd prime factors; each additional odd prime factor contributes further improvement. The paper illustrates this with examples such as $\mathbb{Q}(\zeta_{15})$ versus $\mathbb{Q}(\zeta_3)$ and $\mathbb{Q}(\zeta_5)$.
To validate the heuristic model, the authors implement module‑BKZ for several cyclotomic fields (up to conductor 16) using the fplll library and the G6K framework. They generate five random module lattices of dimension r·d ≈ 240 for each field, run module‑BKZ with blocksizes that are multiples of d, and record the converged slopes after five tours per blocksize. The experimental slopes (thin lines with markers) are compared against the predicted slopes (thick lines with confidence bands). The agreement is excellent across a wide range of β, with only minor deviations attributed to “head‑and‑tail” effects that are not captured by the geometric‑series assumption.
The cryptographic implications are discussed in depth. For the power-of-two fields underlying ML-KEM, ML-DSA and FN-DSA, the penalty of $d - 1$ means that an attacker needs a slightly larger blocksize to reach the same reduction quality; since this is only a modest increase in $\beta$, the concrete security estimates used in the standardization process remain essentially unchanged. However, for schemes that employ cyclotomic fields with odd prime factors (e.g., conductors of the form $2^i \cdot 3^j$, which appear in several homomorphic encryption libraries and alternative KEM proposals), the predicted sub-linear gain could lead to noticeably faster attacks. The authors quantify this: for a field like $\mathbb{Q}(\zeta_{15})$ the gain amounts to roughly 20 dimensions of blocksize at the NIST Level 1 security target ($\beta \approx 380$).
The paper also highlights several open research directions: (1) extending the slope analysis to HKZ reduction and understanding its impact on “free dimensions” in SVP oracles; (2) adapting BKZ simulators to model the faster convergence of module‑BKZ when only a few tours are performed; (3) investigating whether sieving algorithms can exploit cyclotomic symmetries to further accelerate the SVP subroutine within module‑BKZ; (4) translating the slope gains into concrete speed‑ups for solving module‑SIS, module‑LWE, module‑LIP and NTRU; (5) analyzing the effect of using the coefficient embedding instead of the canonical embedding, especially for schemes that rely on the former; and (6) exploring densest‑ideal oracles as alternatives to shortest‑vector oracles in the module‑BKZ framework.
In summary, the work provides the first concrete, experimentally validated prediction of how the algebraic structure of a number field influences the performance of module‑BKZ. It shows that for the standard power‑of‑two cyclotomics the module structure incurs a modest blocksize penalty, while for many other cyclotomic fields it yields a genuine sub‑linear advantage. The open‑source implementation and the detailed heuristic formulas give practitioners the tools to incorporate these findings into security assessments and to explore new cryptographic constructions that deliberately exploit the favorable cases.