Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as 'Q8' in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens-Davidowitz, CRYPTO 2020) confirmed the existence of such module variants of LLL and block-reduction algorithms, but focus only on provable worst-case asymptotic behavior. In this work, we present a concrete average-case analysis of module-lattice reduction. Specifically, we address the question of the expected slope after running module-BKZ, and pinpoint the discriminant $\Delta_K$ of the number field at hand as the main quantity driving this slope. We convert this back into a gain or loss on the blocksize $\beta$: module-BKZ in a number field $K$ of degree $d$ requires an SVP oracle of dimension $\beta + \log(|\Delta_K| / d^d)\beta /(d\log \beta) + o(\beta / \log \beta)$ to reach the same slope as unstructured BKZ with blocksize $\beta$. This asymptotic summary hides further terms that we predict concretely using experimentally verified heuristics. Incidentally, we provide the first open-source implementation of module-BKZ for some cyclotomic fields. For power-of-two cyclotomic fields, we have $|\Delta_K| = d^d$, and conclude that module-BKZ requires a blocksize larger than its unstructured counterpart by $d-1+o(1)$. On the contrary, for all other cyclotomic fields we have $|\Delta_K| < d^d$, so module-BKZ provides a sublinear $\Theta(\beta/\log \beta)$ gain on the required blocksize, yielding a subexponential speedup of $\exp(\Theta(\beta/\log \beta))$.
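A worked check of the discriminant criterion, added here as an example and not code from the paper or its module-BKZ implementation. It evaluates $|\Delta_K|$ for cyclotomic fields $K = \mathbb{Q}(\zeta_n)$ from the standard conductor formula $|\Delta_K| = n^{\varphi(n)} / \prod_{p \mid n} p^{\varphi(n)/(p-1)}$, compares it exactly with $d^d$ for $d = \varphi(n)$, and evaluates only the leading blocksize-shift term $\log(|\Delta_K|/d^d)\,\beta/(d \log \beta)$ from the abstract; the $o(\beta/\log\beta)$ term and the heuristic corrections the paper predicts (including the $d-1$ loss for power-of-two conductors, where the leading term vanishes) are deliberately left out.

```python
from math import log
from typing import Dict


def factorize(n: int) -> Dict[int, int]:
    """Trial-division factorization; adequate for conductors of cryptographic size."""
    factors: Dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def euler_phi(n: int) -> int:
    """Degree d = phi(n) of the n-th cyclotomic field."""
    phi = n
    for p in factorize(n):
        phi = phi // p * (p - 1)
    return phi


def cyclotomic_abs_discriminant(n: int) -> int:
    """|Delta_K| for K = Q(zeta_n), computed exactly as an integer from the
    standard formula n^phi(n) / prod_{p | n} p^{phi(n)/(p-1)}.
    (p-1) divides phi(n) whenever p divides n, so the exponent is integral."""
    d = euler_phi(n)
    numerator = n ** d
    denominator = 1
    for p in factorize(n):
        denominator *= p ** (d // (p - 1))
    assert numerator % denominator == 0
    return numerator // denominator


def discriminant_vs_dd(n: int) -> int:
    """Exact comparison of |Delta_K| with d^d: -1 (smaller), 0 (equal), +1 (larger).
    Power-of-two conductors give 0; the abstract states every other cyclotomic
    field gives -1."""
    d = euler_phi(n)
    disc = cyclotomic_abs_discriminant(n)
    dd = d ** d
    return (disc > dd) - (disc < dd)


def leading_blocksize_shift(n: int, beta: int) -> float:
    """Leading term log(|Delta_K| / d^d) * beta / (d log beta) from the abstract,
    with the o(beta / log beta) term dropped. Negative means module-BKZ reaches
    the unstructured slope with a smaller SVP oracle. The ratio of logarithms
    makes the result independent of the logarithm base."""
    d = euler_phi(n)
    if d < 2:
        raise ValueError("degree must be at least 2 for a module structure")
    disc = cyclotomic_abs_discriminant(n)
    return (log(disc) - d * log(d)) * beta / (d * log(beta))


def report(conductors, beta: int) -> Dict[int, float]:
    """Leading shift per conductor at a fixed beta, for a quick side-by-side look."""
    return {n: leading_blocksize_shift(n, beta) for n in conductors}


if __name__ == "__main__":
    # Constructed sample: a power-of-two conductor beside a few non-power-of-two ones.
    for n, shift in report([8, 16, 3, 5, 7, 12, 9], beta=100).items():
        d = euler_phi(n)
        print(f"n={n:3d} d={d:2d} |Delta_K|={cyclotomic_abs_discriminant(n):>8d} "
              f"d^d={d**d:>10d} cmp={discriminant_vs_dd(n):+d} leading shift={shift:+.3f}")
```

The exact integer comparison in `discriminant_vs_dd` is the part worth trusting: it reproduces $|\Delta_K| = d^d$ for $n = 8, 16$ and $|\Delta_K| < d^d$ for every other conductor tried, which is the dichotomy the abstract rests on. The floating-point shift is only the first-order picture; for power-of-two fields it is identically zero and says nothing about the $d-1+o(1)$ loss the paper attributes to lower-order terms.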