pith. sign in

arxiv: 2604.22900 · v2 · pith:DTVYGPKJnew · submitted 2026-04-24 · 💻 cs.CR · cs.IT· math.IT· quant-ph

Module Lattice Security (Part II): Module Lattice Reduction via Optimal Sign Selection

Ming-Xing Luo This is my paper

Pith reviewed 2026-05-08 11:25 UTC · model grok-4.3

classification 💻 cs.CR cs.ITmath.ITquant-ph
keywords module latticelattice reductionCDPR algorithmHermite factorMLWEsign selectionclass number onemixed integer linear program
0
0 comments X

The pith

Module lattices reduce to the same quality as ideal lattices by decomposing them into rank-1 submodules and optimizing sign choices.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows how to reduce module lattices by decomposing them into rank-1 submodules using trace orthogonality of the power basis and applying the CDPR algorithm independently to each. This yields a Hermite factor of exp(Õ(√n)) matching the ideal case, along with a module reduction factor that remains O(1) and independent of rank when the balance hypothesis holds for MLWE-distributed bases. Precision is controlled by CRT-scaled rounding at totally split primes, and the sign-selection subproblem is solved as a mixed-integer linear program that identifies the optimal balanced discrepancy as the constant δ* ≈ 0.4407. All claims rest on the class number one condition established in the prior part of the series. Such a reduction directly informs the concrete security level of module lattice cryptography.

Core claim

By leveraging the trace orthogonality of the power basis to decompose the module into rank-1 submodules, the CDPR algorithm applies independently to each, achieving a Hermite factor exp(Õ(√n)) that matches the ideal case and a module reduction factor O(1) independent of the rank under the balance hypothesis automatically satisfied for MLWE-distributed bases. The CDPR sign-selection subproblem is recast as a mixed-integer linear program whose solution is the universal constant δ* ≈ 0.4407, while CRT-scaled rounding at split primes yields a bounded-precision implementation.

What carries the argument

Decomposition of the module into rank-1 submodules via trace orthogonality of the power basis, followed by independent CDPR application and MILP optimization of sign selection.

If this is right

  • The Hermite factor of module lattice reduction matches the ideal lattice case of exp(Õ(√n)).
  • The module reduction factor remains O(1) and does not grow with module rank.
  • CRT-scaled rounding produces a practical bounded-precision implementation.
  • The optimal balanced discrepancy equals the fixed constant δ* ≈ 0.4407.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the balance hypothesis can be proved independently for MLWE bases, the reduction would apply directly to security analyses of module-based cryptosystems.
  • The decomposition technique may suggest similar rank-independent reductions for other structured lattices beyond the module setting.
  • The explicit MILP formulation for sign selection could be adapted to improve heuristics in related lattice basis algorithms.

Load-bearing premise

The results assume the class number one condition holds and that the balance hypothesis is satisfied for MLWE-distributed bases.

What would settle it

Finding an MLWE basis on which the balance hypothesis fails and the achieved Hermite factor exceeds exp(Õ(√n)), or observing that the MILP-derived discrepancy constant deviates from approximately 0.4407 on concrete instances.

read the original abstract

We extend the CDPR's quantum attack from ideal lattices to module lattices over $2^k$-th cyclotomic rings. Using trace orthogonality of the power basis, we decompose a rank-$d$ module into mutually orthogonal rank-$1$ submodules, and apply CDPR's analysis to each independently and return the shortest candidate. The Hermite factor $\exp(\tilde{O}(\sqrt{n}))$ matches the ideal case, with a module reduction factor $\alpha_d=O(1)$ independent of the rank, under a balance hypothesis (proved for Gaussian distribution) automatic for MLWE-distributed bases. To enable a bounded-precision implementation, we replace coordinate-wise rounding with Chinese Remainder Theorem-scaled rounding at totally split primes, reducing the Gram-Schmidt rounding radius from $n/2$ to $\le 1$ at cost $O(d^2 r n \log n)$. Finally, we reformulate the CDPR's sign-selection step as a mixed-integer linear program and prove its optimum is no more than 1/2 for all $k$ ($\approx 0.4407$ for all tested $k\le 12$, conjecturally universal). This replaces the previous heuristic discrepancy $\Theta(\sqrt{nk})$. All results build on the class number condition $h_k^+=1$ established in Part I of this series.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript extends the CDPR lattice reduction algorithm from ideal to module lattices by using trace orthogonality of the power basis to decompose the module into rank-1 submodules and applying CDPR independently to each. Under a balance hypothesis asserted to hold automatically for MLWE-distributed bases, it claims a Hermite factor of exp(Õ(√n)) matching the ideal case and a module reduction factor of O(1) independent of rank. The paper introduces CRT-scaled rounding at totally split primes to bound precision and reformulates the CDPR sign-selection subproblem as a mixed-integer linear program, determining the optimal balanced discrepancy δ* ≈ 0.4407. All results are stated to build on the class number one condition h_k^+=1 from Part I of the series.

Significance. If the balance hypothesis is rigorously justified, the work would be significant for module-lattice cryptography by providing a reduction algorithm whose performance matches the ideal-lattice case with a rank-independent factor. The MILP reformulation of sign selection and the CRT-scaled rounding technique for bounded-precision implementation are constructive contributions that could aid practical implementations and security analyses of MLWE-based schemes.

major comments (2)
  1. Abstract: The headline claims of Hermite factor exp(Õ(√n)) and module reduction factor O(1) independent of rank are explicitly conditional on a 'balance hypothesis automatically satisfied for MLWE-distributed bases.' No derivation, independent verification, error bounds, or counter-example search for this hypothesis is supplied; the text asserts it follows from the MLWE distribution without further support. This assumption is load-bearing for the central claims and the universal constant δ* ≈ 0.4407.
  2. Abstract: All results are stated to build on the class-number-one condition h_k^+=1 established in Part I. While dependence on prior work is permissible, the current manuscript provides no restatement, brief justification, or self-contained reference to the relevant statements from Part I, leaving the claims non-self-contained.
minor comments (1)
  1. The abstract and introduction could benefit from explicit cross-references to the precise statements of the balance hypothesis and the class-number condition (e.g., equation or theorem numbers from Part I) to improve readability for readers who have not studied the preceding paper.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the careful and constructive review of our manuscript. We respond point by point to the major comments and outline the revisions we will undertake.

read point-by-point responses

  1. Referee: Abstract: The headline claims of Hermite factor exp(Õ(√n)) and module reduction factor O(1) independent of rank are explicitly conditional on a 'balance hypothesis automatically satisfied for MLWE-distributed bases.' No derivation, independent verification, error bounds, or counter-example search for this hypothesis is supplied; the text asserts it follows from the MLWE distribution without further support. This assumption is load-bearing for the central claims and the universal constant δ* ≈ 0.4407.

    Authors: We acknowledge that the manuscript asserts the balance hypothesis without supplying a derivation, verification, error bounds, or counter-example search. The claim rests on the statistical uniformity of MLWE samples combined with trace orthogonality of the power basis, which we expect to produce balanced submodule norms; however, this remains a heuristic assertion at present. In the revised version we will add a short discussion paragraph that explains the heuristic rationale, references analogous assumptions in the ideal-lattice CDPR literature, and explicitly notes the absence of a rigorous proof or exhaustive verification as a limitation of the current work. A full derivation with error bounds is beyond the scope of this paper and will be pursued separately. revision: partial

  2. Referee: Abstract: All results are stated to build on the class-number-one condition h_k^+=1 established in Part I. While dependence on prior work is permissible, the current manuscript provides no restatement, brief justification, or self-contained reference to the relevant statements from Part I, leaving the claims non-self-contained.

    Authors: We agree that the manuscript should be more self-contained with respect to its dependence on Part I. In the revision we will insert a concise paragraph in the preliminaries section that restates the class-number-one condition h_k^+=1, recalls its role in guaranteeing the existence of a power basis with the required trace-orthogonality property, and briefly indicates how this enables the rank-1 decomposition used throughout the paper. This addition will allow readers to follow the central arguments without immediately consulting Part I while still directing them to the earlier work for complete proofs. revision: yes

standing simulated objections not resolved
  • Rigorous derivation, independent verification, error bounds, or systematic counter-example search for the balance hypothesis under MLWE distributions.

Circularity Check

2 steps flagged

Central performance claims conditional on class-number-one from Part I and asserted balance hypothesis for MLWE

specific steps
  1. self citation load bearing [ABSTRACT]
    "All results build on the class number one condition h_k^+=1 established in Part I of this series."

    The paper states that its results on Hermite factor and module reduction factor build directly on the class-number-one condition from the same author's prior Part I, without re-deriving or independently verifying it here; the central applicability claim for module lattices therefore reduces to this self-citation chain.

  2. other [ABSTRACT]
    "with a module reduction factor O(1) independent of the rank, under a balance hypothesis automatically satisfied for MLWE-distributed bases."

    The O(1) module reduction factor is asserted to hold for MLWE bases solely because the balance hypothesis is 'automatically satisfied,' with no derivation, equation, or verification supplied in the text to establish why the hypothesis holds under the MLWE distribution.

full rationale

The paper derives an extension of CDPR to modules via trace orthogonality decomposition, CRT-scaled rounding, and MILP reformulation of sign selection, yielding explicit algorithms and a computed universal constant δ*≈0.4407. These steps are self-contained and independent of the flagged assumptions. However, the headline claims of Hermite factor exp(Õ(√n)) and O(1) rank-independent module reduction factor are explicitly conditioned on the balance hypothesis (asserted without derivation) and the class number one condition from the author's own Part I. This is a self-citation that is load-bearing for the applicability statement but does not render the algorithmic derivations themselves tautological or equivalent to their inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claims rest on the class-number-one condition imported from Part I and the unproven balance hypothesis for MLWE bases; no new free parameters or invented entities are introduced beyond the computed constant δ* obtained from the MILP.

axioms (2)
  • domain assumption class number one condition h_k^+=1
    Explicitly invoked as the foundation for all results in the abstract.
  • ad hoc to paper balance hypothesis automatically satisfied for MLWE-distributed bases
    Used to guarantee the O(1) module reduction factor independent of rank.

pith-pipeline@v0.9.0 · 5456 in / 1465 out tokens · 40773 ms · 2026-05-08T11:25:55.368898+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.