Module Learning With Errors (M-LWE)

Updated 13 April 2026

Module Learning With Errors (M-LWE) is a structured average-case hardness problem using module lattices, positioned between standard LWE and Ring-LWE to balance efficiency and security.
It leverages algebraic structure to enable fast arithmetic (e.g., via NTT) and provides security reductions from worst-case lattice problems like SIVP and GapSVP for parameterized module dimensions.
Advanced key reconciliation protocols using nested lattice quantization (e.g., with E8, BW16, and Leech lattices) achieve notable reductions in decryption failure rate and ciphertext expansion.

Module Learning With Errors (M-LWE) is a structured, average-case hardness assumption and problem family leveraging module lattices over rings, foundational to efficient post-quantum cryptography. Positioned between standard LWE and Ring-LWE in terms of algebraic structure and concrete security, M-LWE captures cryptosystems such as CRYSTALS-Kyber and forms the basis for modern key exchange, public-key encryption, and signature schemes. Security reductions, attack strategies, and advanced key reconciliation protocols in the module context define the cryptanalytic landscape and efficiency frontier.

1. Formal Definition and Algebraic Structure

Let $q \ge 2$ be an integer modulus and $R = \mathbb{Z}[X]/(X^n+1)$ (for $n$ a power of two), so $R_q = R/qR$ is a ring of degree $n$ . The module rank $k$ (or $d$ in some conventions) indexes the free $R$ -module $M = R^k$ , which acts as the ambient space for secrets and error vectors. Given error distribution $\chi$ (e.g., centered binomial or discrete Gaussian over $R = \mathbb{Z}[X]/(X^n+1)$ 0), an M-LWE sample is constructed by sampling:

secret $R = \mathbb{Z}[X]/(X^n+1)$ 1,
error $R = \mathbb{Z}[X]/(X^n+1)$ 2,
uniformly random $R = \mathbb{Z}[X]/(X^n+1)$ 3,
then setting

$R = \mathbb{Z}[X]/(X^n+1)$ 4

The decision M-LWE problem asks: given $R = \mathbb{Z}[X]/(X^n+1)$ 5, distinguish distribution from uniform over $R = \mathbb{Z}[X]/(X^n+1)$ 6. The search variant recovers $R = \mathbb{Z}[X]/(X^n+1)$ 7 from many independent samples. In coefficient embedding, the total lattice dimension is $R = \mathbb{Z}[X]/(X^n+1)$ 8.

M-LWE generalizes:

Standard LWE: $R = \mathbb{Z}[X]/(X^n+1)$ 9, $n$ 0.
Ring-LWE: $n$ 1, $n$ 2. The intermediate structure permits efficient arithmetic (NTT) and parametrizes security via $n$ 3, $n$ 4, $n$ 5.

The formalism extends to more general rings $n$ 6 for number fields $n$ 7, with secrets $n$ 8 and samples distributed in $n$ 9, where $R_q = R/qR$ 0 is the trace dual and $R_q = R/qR$ 1 is the dual torus. This abstraction provides a unifying context for cyclotomic and non-cyclotomic modules (Al-Jabbari et al., 2024).

2. Hardness and Reductions to Worst-case Lattice Problems

Average-case hardness of M-LWE is underpinned by quantum reductions from worst-case lattice problems such as the Shortest Independent Vector Problem (SIVP) and Gap Shortest Vector Problem (GapSVP) on module lattices. For power-of-two cyclotomic $R_q = R/qR$ 2 of degree $R_q = R/qR$ 3, solving M-LWE for parameters $R_q = R/qR$ 4 is as hard as approximating (SIVP, GapSVP) on $R_q = R/qR$ 5-module lattices of rank $R_q = R/qR$ 6 and dimension $R_q = R/qR$ 7, up to polynomial approximation factors in the parameters (Al-Jabbari et al., 2024).

The security margin conferred by $R_q = R/qR$ 8 allows the cryptosystem designer to increase the total lattice dimension independently of the ring degree $R_q = R/qR$ 9, reducing algebraic attack surface compared to $n$ 0 Ring-LWE, while keeping parameter sizes smaller than plain LWE for the same lattice dimension (Al-Jabbari et al., 2024).

3. Key Reconciliation via Lattice Quantization

Key reconciliation mechanisms (KRM) in M-LWE-based KEMs transform noisy shared M-LWE values into agreement on uniform shared keys. The reconciliation can be interpreted as quantizing the M-LWE sample according to a nested lattice codebook:

$n$ 1

where $n$ 2 is the nearest-neighbor quantizer. The typical operations are:

$n$ 3, sent as helper vector $n$ 4,
$n$ 5.

For $n$ 6 (Kyber), lattices such as $n$ 7 ( $n$ 8), Barnes–Wall $n$ 9 ( $k$ 0), and the Leech lattice $k$ 1 ( $k$ 2) serve as elementary blocks, offering optimal packing and covering properties and efficient quantization (Liu et al., 2024). Application of these lattices minimizes decryption failure rate (DFR) and ciphertext expansion rate (CER) simultaneously.

For instance, using $k$ 3 ( $k$ 4) on Kyber parameters yields $k$ 5, DFR $k$ 6, compared to Kyber-768's $k$ 7, DFR $k$ 8, thus reducing communication cost by $k$ 9 and DFR by a factor of $d$ 0; use of $d$ 1 and Leech lattices further improves DFR and CER, with up to $d$ 2 CER reduction and $d$ 3 DFR improvement (Liu et al., 2024).

Scheme	$d$ 4	CER	DFR	CER-reduction
Kyber-768	3329	34	$d$ 5	—
KRM- $d$ 6	3329	31	$d$ 7	8.82%
KRM- $d$ 8	3329	26.4	$d$ 9	22.35%
KRM-Leech $R$ 0	3329	21.6	$R$ 1	36.47%

4. Parameter Selection and Efficiency Considerations

Selecting M-LWE parameters is driven by security, implementation efficiency, and protocol requirements:

Ring degree $R$ 2: power of two, enabling NTT for efficient multiplication (e.g., $R$ 3).
Modulus $R$ 4: typically prime $R$ 5 (Kyber) or power-of-two (e.g., $R$ 6) to allow dither-free reconciliation and even faster arithmetic (Saliba et al., 2020, Liu et al., 2024).
Module rank $R$ 7: set such that $R$ 8 meets security targets.
Error distribution: centered binomial or discrete Gaussian, chosen to balance security and decryption failure probability.
Reconciliation lattice dimension $R$ 9: determined by the choice of $M = R^k$ 0, $M = R^k$ 1, or Leech lattice (Liu et al., 2024).

Concrete instantiations can use $M = R^k$ 2, $M = R^k$ 3, $M = R^k$ 4, $M = R^k$ 5 and $M = R^k$ 6 reconciliation for $M = R^k$ 7 at 137–138 "best plausible" bits of post-quantum security, exceeding Kyber768's 128-bit security and $M = R^k$ 8 error (Saliba et al., 2020).

5. Cryptanalytic Attacks and Their Implications

Attacks on M-LWE include both lattice-based (BKZ) and novel robust regression strategies. NoMod, a recent attack, circumvents the challenge of modular wrap-arounds by treating modular reductions as statistical corruption, casting secret recovery as robust linear regression with Tukey's biweight loss (Bassotto et al., 2 Oct 2025). The core insight is to ignore explicit modeling of modular "wrap-arounds" (samples for which $M = R^k$ 9 wraps modulo $\chi$ 0) and instead leverage robust estimators to recover sparse secrets. Lattice preprocessing, algebraic amplification, and priority queue-driven short-vector extraction optimize the process.

NoMod recovers binary or sparse binomial secrets (e.g., Kyber's parameters $\chi$ 1) in subexponential time on commodity hardware, outperforming prior ML-based and transformer-based attacks. Practical countermeasures include using denser secrets, intentionally increasing wrap-around rates ("noise flooding"), and setting parameters requiring infeasibly large BKZ block sizes (Bassotto et al., 2 Oct 2025). The attack is most effective when the secret is sparse and its distribution is known.

(n,k)	Secret type	Hamming weight	Time (16 cores)
(128,3)	sparse CBD ( $\chi$ 2)	3 (100%)	5 h
(256,2)	sparse CBD ( $\chi$ 3)	6 (100%)	40 h

6. Cryptographic Applications and Security Arguments

M-LWE underpins public-key encryption, KEM, and digital signature schemes. For KEMs (e.g., Kyber), the reconciliation key is shown to be uniform given public helper data, satisfying IND-CPA security under standard reductions; IND-CCA security follows from the Fujisaki–Okamoto transform. Efficiency and security claims hold for both prime and power-of-two modulus settings, and fast arithmetic (e.g., NTT) is preserved without the need for extra dithers or masks (Liu et al., 2024).

Digital signature constructions combine M-LWE and Module-SIS, attaining high security and negligible decoding failure by appropriate parameter scaling (e.g., large $\chi$ 4, moderate $\chi$ 5) (Al-Jabbari et al., 2024). The algebraic flexibility of the module setting enables fine-grained trade-offs between key size, bandwidth, and resistance to structured attacks.

7. Connections to Ring-LWE, Standard LWE, and Parameter Trade-offs

M-LWE interpolates between LWE and Ring-LWE:

Key/sample sizes are reduced over standard LWE via ring structure.
Algebraic structure in $\chi$ 6 enables more efficient arithmetic, yet increases vulnerability to ring-specific attacks; module rank $\chi$ 7 allows mitigation.
Security margin is tuned by joint choice of $\chi$ 8 to resist both generic and structure-exploiting algorithms.

These properties position M-LWE as the prevailing foundation for post-quantum cryptography, offering parametrizable efficiency and quantum-resistant security, provided implementation and parameterization avoid emergent algorithmic weaknesses (e.g., robust, distribution-aware regression attacks such as NoMod) (Bassotto et al., 2 Oct 2025, Liu et al., 2024, Al-Jabbari et al., 2024, Saliba et al., 2020).

Markdown Report Issue Upgrade to Chat

References (4)

A Digital signature scheme based on Module-LWE and Module-SIS (2024)

CRYSTALS-Kyber With Lattice Quantizer (2024)

A reconciliation approach to key generation based on Module-LWE (2020)

NoMod: A Non-modular Attack on Module Learning With Errors (2025)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Module Learning With Errors (M-LWE).