Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as 'Q8' in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens-Davidowitz, CRYPTO 2020) confirmed the existence of such module variants of LLL and block-reduction algorithms, but focused only on provable worst-case asymptotic behavior. In this work, we present a concrete average-case analysis of module-lattice reduction. Specifically, we address the question of the expected slope after running module-BKZ, and pinpoint the discriminant $\Delta_K$ of the number field at hand as the main quantity driving this slope. We convert this back into a gain or loss on the blocksize $\beta$: module-BKZ in a number field $K$ of degree $d$ requires an SVP oracle of dimension $\beta + \log(|\Delta_K| / d^d)\,\beta/(d \log \beta) + o(\beta / \log \beta)$ to reach the same slope as unstructured BKZ with blocksize $\beta$. This asymptotic summary hides further terms that we predict concretely using experimentally verified heuristics. Incidentally, we provide the first open-source implementation of module-BKZ for some cyclotomic fields. For power-of-two cyclotomic fields, we have $|\Delta_K| = d^d$, and conclude that module-BKZ requires a blocksize larger than its unstructured counterpart by $d-1+o(1)$. By contrast, for all other cyclotomic fields we have $|\Delta_K| < d^d$, so module-BKZ provides a sublinear $\Theta(\beta/\log \beta)$ gain on the required blocksize, yielding a subexponential speedup of $\exp(\Theta(\beta/\log \beta))$.
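The abstract's claim rests on comparing $|\Delta_K|$ with $d^d$ for cyclotomic fields. The following added example (not code from the paper or its implementation) computes $|\Delta_K|$ for $K = \mathbb{Q}(\zeta_n)$ using the standard closed-form discriminant formula for cyclotomic fields, checks the power-of-two equality $|\Delta_K| = d^d$ against the strict inequality for other conductors, and evaluates only the leading-order term $\beta + \log(|\Delta_K|/d^d)\,\beta/(d\log\beta)$ of the stated SVP-oracle dimension. The $o(\beta/\log\beta)$ remainder, and hence the $d-1+o(1)$ correction for power-of-two fields, is deliberately not modelled; the function and variable names are this example's own.

```python
from math import log


def prime_factors(n: int) -> list:
    """Distinct prime factors of n, by trial division (n is a small conductor here)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes


def euler_phi(n: int) -> int:
    """Degree d = phi(n) of the cyclotomic field Q(zeta_n)."""
    d = n
    for p in prime_factors(n):
        d = d // p * (p - 1)
    return d


def cyclotomic_discriminant_abs(n: int) -> int:
    """|disc(Q(zeta_n))| = n^d / prod_{p | n} p^(d/(p-1)), d = phi(n).

    Standard formula (not specific to the paper); the sign (-1)^(d/2) is dropped
    because only |Delta_K| enters the blocksize estimate.
    """
    d = euler_phi(n)
    denominator = 1
    for p in prime_factors(n):
        denominator *= p ** (d // (p - 1))  # (p-1) divides phi(n) whenever p | n
    numerator = n ** d
    assert numerator % denominator == 0
    return numerator // denominator


def slope_gain_coefficient(n: int) -> float:
    """c_K = log(|Delta_K| / d^d) / d, the coefficient of beta/log(beta) in the estimate.

    Zero for power-of-two conductors (|Delta_K| = d^d), negative otherwise.
    """
    d = euler_phi(n)
    return (log(cyclotomic_discriminant_abs(n)) - d * log(d)) / d


def module_bkz_oracle_dimension(n: int, beta: int) -> float:
    """Leading-order SVP-oracle dimension for module-BKZ over Q(zeta_n) matching
    unstructured BKZ-beta: beta + c_K * beta / log(beta). The o(beta/log beta)
    remainder from the abstract is omitted (assumption of this example)."""
    return beta + slope_gain_coefficient(n) * beta / log(beta)


def is_power_of_two_conductor(n: int) -> bool:
    """Q(zeta_n) is a power-of-two cyclotomic field (n = 2^k with k >= 2)."""
    return n >= 4 and n & (n - 1) == 0


def survey(conductors, beta: int = 400) -> dict:
    """Tabulate d, |Delta_K|, d^d, c_K and the leading-order oracle dimension."""
    rows = {}
    for n in conductors:
        d = euler_phi(n)
        rows[n] = {
            "degree": d,
            "abs_disc": cyclotomic_discriminant_abs(n),
            "d_pow_d": d ** d,
            "coefficient": slope_gain_coefficient(n),
            "oracle_dim": module_bkz_oracle_dimension(n, beta),
        }
    return rows


if __name__ == "__main__":
    # Constructed sample conductors: power-of-two fields versus a few others.
    for n, row in survey([4, 8, 16, 3, 5, 7, 12, 9]).items():
        flag = "=" if row["abs_disc"] == row["d_pow_d"] else "<"
        print(f"n={n:2d} d={row['degree']:2d} |Delta_K|={row['abs_disc']:>8d} "
              f"{flag} d^d={row['d_pow_d']:>10d}  c_K={row['coefficient']:+.4f} "
              f"oracle dim at beta=400: {row['oracle_dim']:.1f}")
```

Running the script shows the dichotomy the abstract states: every power-of-two conductor lands exactly on $|\Delta_K| = d^d$ with a zero leading coefficient, while the remaining cyclotomic fields have a strictly negative coefficient, i.e. a smaller required oracle dimension at leading order.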