Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Predicting Module-Lattice Reduction

Léo Ducas, Lynn Engelberts, Paola de Perthuis

TL;DR

The paper analyzes the average-case performance of module-BKZ versus unstructured BKZ, showing that the slope outcome is governed by the discriminant $|\Delta_K|$ of the underlying number field and quantifying the equivalent blocksize gain as $\beta_{eq} = \beta + \frac{\ln\left(\frac{|\Delta_K|}{d^d}\right)}{d \ln\beta} \beta (1+o(1)) + d-1 + o(1)$. It develops a module-lattice extension of the geometric series assumption (module-GSA), decomposing the slope into four terms $t_1$–$t_4$ that capture module-lattice Gaussian heuristics, discriminant gaps, skewness, and index effects, with concrete experimental validation across cyclotomic fields. The authors provide an open-source implementation of module-BKZ for cyclotomic fields, and present detailed predictions showing substantial slope gains for non-power-of-two conductors (e.g., odd primes in the conductor) and a limited, nearly sublinear gain for power-of-two conductors, affecting parameter choices for module-lattice-based cryptosystems. Overall, the work connects slope behavior to algebraic invariants, offering practical guidance for assessing the security and efficiency trade-offs in module-lattice cryptography while outlining key open questions for further refinement and evaluation.

Abstract

Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as 'Q8' in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens-Davidowitz, CRYPTO 2020) confirmed the existence of such module variants of LLL and block-reduction algorithms, but focus only on provable worst-case asymptotic behavior. In this work, we present a concrete average-case analysis of module-lattice reduction. Specifically, we address the question of the expected slope after running module-BKZ, and pinpoint the discriminant $Δ_K$ of the number field at hand as the main quantity driving this slope. We convert this back into a gain or loss on the blocksize $β$: module-BKZ in a number field $K$ of degree $d$ requires an SVP oracle of dimension $β+ \log(|Δ_K| / d^d)β/(d\log β) + o(β/ \log β)$ to reach the same slope as unstructured BKZ with blocksize $β$. This asymptotic summary hides further terms that we predict concretely using experimentally verified heuristics. Incidentally, we provide the first open-source implementation of module-BKZ for some cyclotomic fields. For power-of-two cyclotomic fields, we have $|Δ_K| = d^d$, and conclude that module-BKZ requires a blocksize larger than its unstructured counterpart by $d-1+o(1)$. On the contrary, for all other cyclotomic fields we have $|Δ_K| < d^d$, so module-BKZ provides a sublinear $Θ(β/\log β)$ gain on the required blocksize, yielding a subexponential speedup of $\exp(Θ(β/\log β))$.

Predicting Module-Lattice Reduction

TL;DR

The paper analyzes the average-case performance of module-BKZ versus unstructured BKZ, showing that the slope outcome is governed by the discriminant of the underlying number field and quantifying the equivalent blocksize gain as . It develops a module-lattice extension of the geometric series assumption (module-GSA), decomposing the slope into four terms that capture module-lattice Gaussian heuristics, discriminant gaps, skewness, and index effects, with concrete experimental validation across cyclotomic fields. The authors provide an open-source implementation of module-BKZ for cyclotomic fields, and present detailed predictions showing substantial slope gains for non-power-of-two conductors (e.g., odd primes in the conductor) and a limited, nearly sublinear gain for power-of-two conductors, affecting parameter choices for module-lattice-based cryptosystems. Overall, the work connects slope behavior to algebraic invariants, offering practical guidance for assessing the security and efficiency trade-offs in module-lattice cryptography while outlining key open questions for further refinement and evaluation.

Abstract

Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as 'Q8' in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens-Davidowitz, CRYPTO 2020) confirmed the existence of such module variants of LLL and block-reduction algorithms, but focus only on provable worst-case asymptotic behavior. In this work, we present a concrete average-case analysis of module-lattice reduction. Specifically, we address the question of the expected slope after running module-BKZ, and pinpoint the discriminant of the number field at hand as the main quantity driving this slope. We convert this back into a gain or loss on the blocksize : module-BKZ in a number field of degree requires an SVP oracle of dimension to reach the same slope as unstructured BKZ with blocksize . This asymptotic summary hides further terms that we predict concretely using experimentally verified heuristics. Incidentally, we provide the first open-source implementation of module-BKZ for some cyclotomic fields. For power-of-two cyclotomic fields, we have , and conclude that module-BKZ requires a blocksize larger than its unstructured counterpart by . On the contrary, for all other cyclotomic fields we have , so module-BKZ provides a sublinear gain on the required blocksize, yielding a subexponential speedup of .

Paper Structure

This paper contains 17 sections, 4 equations, 2 figures.

Table of Contents

  1. Introduction
  2. Contributions
  3. Cryptanalytic Impact
  4. Open Questions
  5. Technical Overview
  6. Two Enlightening Cases.
  7. The General Case.
  8. Dense Sublattices.
  9. Preliminaries
  10. Lattice Background
  11. Algebraic Background
  12. Cyclotomic Fields.
  13. Ideals, Modules, and Module Lattices.
  14. GSO over $K_\RR$
  15. Module-BKZ
  16. ...and 2 more sections

Figures (2)

  • Figure 1: Module-BKZ $\QQ$-slope for several cyclotomic fields $K$. The case $K=\QQ$ serves as a baseline for comparison with unstructured BKZ, under the general belief that BKZ is oblivious to the algebraic structure of module lattices. Experimentally measured slopes [https://github.com/lducas/mBKZ/blob/main/exp_slope.py#L-L] are represented by thin lines with large marks, and were averaged over $5$ random lattices of dimension $r d = 240$. We progressively ran $5d$ tours for each multiple-of-$d$ blocksize $\beta$ to be close to convergence. Predictions [https://github.com/lducas/mBKZ/blob/main/predictions.py#L80-L103] consist of under- and overestimations, represented by thick lines with small marks and a filled region in between. For $\QQ$ and $\QQ(\omega_3)$, both predictions are too close to be distinguished.
  • Figure 2: Predictions for the difference $\beta_{\text{eq}} - \beta$ of blocksizes for mBKZ$_K^{\beta_{\text{eq}}/d}$ to reach the same slope as unstructured BKZ$^\beta$ for several cyclotomic fields $K$. Concrete predictions [https://github.com/lducas/mBKZ/blob/main/pred_gain.py#L-L] are represented by lines with large marks and a filled region in between. Asymptotic predictions from \ref{['hclaim: asymptotic gain']} [https://github.com/lducas/mBKZ/blob/main/asympt_gain.py#L-L] are represented by dashed lines.

Theorems & Definitions (2)

  • remark thmcounterremark: On random lattices
  • definition thmcounterdefinition: GSO over $K_{\RR}$