Predicting Module-Lattice Reduction

📅 2025-10-12
🤖 AI Summary
Is module lattice reduction inherently more efficient than unstructured lattice reduction? Method: This work presents the first average-case analysis of the module BKZ algorithm, focusing on the relationship between its output slope and the discriminant of the underlying number field. Leveraging algebraic number theory for modeling and extensive experimental validation, we develop a heuristic prediction framework and implement the first open-source module BKZ tool supporting diverse cyclotomic fields. Contribution/Results: We quantify a Θ(β/log β) block-size advantage—yielding an exp(Θ(β/log β)) subexponential speedup—for non-power-of-two cyclotomic fields; in contrast, no significant gain is observed for power-of-two cyclotomic fields (e.g., those used in Kyber), where larger block sizes may even be required. Our analysis rigorously quantifies the concrete security impact of module structure, providing critical security evaluation guidelines for module-lattice-based cryptosystems, including CRYSTALS-Kyber.

📝 Abstract
Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as 'Q8' in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens-Davidowitz, CRYPTO 2020) confirmed the existence of such module variants of LLL and block-reduction algorithms, but focus only on provable worst-case asymptotic behavior. In this work, we present a concrete average-case analysis of module-lattice reduction. Specifically, we address the question of the expected slope after running module-BKZ, and pinpoint the discriminant $\Delta_K$ of the number field at hand as the main quantity driving this slope. We convert this back into a gain or loss on the blocksize $\beta$: module-BKZ in a number field $K$ of degree $d$ requires an SVP oracle of dimension $\beta + \log(|\Delta_K| / d^d)\,\beta/(d \log \beta) + o(\beta/\log \beta)$ to reach the same slope as unstructured BKZ with blocksize $\beta$. This asymptotic summary hides further terms that we predict concretely using experimentally verified heuristics. Incidentally, we provide the first open-source implementation of module-BKZ for some cyclotomic fields. For power-of-two cyclotomic fields, we have $|\Delta_K| = d^d$, and conclude that module-BKZ requires a blocksize larger than its unstructured counterpart by $d-1+o(1)$. On the contrary, for all other cyclotomic fields we have $|\Delta_K| < d^d$, so module-BKZ provides a sublinear $\Theta(\beta/\log \beta)$ gain on the required blocksize, yielding a subexponential speedup of $\exp(\Theta(\beta/\log \beta))$.
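The leading term of the abstract's blocksize formula can be evaluated from the conductor $m$ of a cyclotomic field alone. The Python sketch below is an added example, not code from the paper or its module-BKZ implementation: it uses the standard closed form for cyclotomic discriminants, assumes natural logarithms, and ignores the $o(\beta/\log \beta)$ terms (including the $d-1$ loss for power-of-two fields); all function names are hypothetical.

```python
import math

def prime_factors(m):
    """Distinct prime factors of m by trial division."""
    ps, p = [], 2
    while p * p <= m:
        if m % p == 0:
            ps.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        ps.append(m)
    return ps

def degree(m):
    """d = phi(m), the degree of the m-th cyclotomic field."""
    d = m
    for p in prime_factors(m):
        d -= d // p
    return d

def abs_disc(m):
    """|Delta_K| = m^phi(m) / prod_{p | m} p^(phi(m)/(p-1)), as an exact integer."""
    d = degree(m)
    den = 1
    for p in prime_factors(m):
        den *= p ** (d // (p - 1))
    return m ** d // den

def leading_shift(m, beta):
    """Leading term log(|Delta_K|/d^d) * beta / (d log beta).

    Assumption: natural logarithm. Negative values mean a blocksize gain."""
    d = degree(m)
    log_ratio = math.log(abs_disc(m)) - d * math.log(d)
    return log_ratio * beta / (d * math.log(beta))

if __name__ == "__main__":
    # Constructed sample conductors: 256 is power-of-two (degree 128), 257 is prime.
    for m in (256, 257, 12):
        d = degree(m)
        cmp = "=" if abs_disc(m) == d ** d else "<"
        print(f"m={m} d={d} |Delta_K| {cmp} d^d "
              f"leading shift at beta=400: {leading_shift(m, 400):+.3f}")
```
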
Problem

Research questions and friction points this paper is trying to address.

Analyzing concrete average-case performance of module-lattice reduction algorithms
Determining how number field discriminant affects module-BKZ efficiency
Comparing required blocksizes between module and unstructured lattice reduction
Innovation

Methods, ideas, or system contributions that make the work stand out.

Concrete average-case analysis of module-lattice reduction
Implementation of module-BKZ for cyclotomic fields
Quantifying blocksize requirements via discriminant-driven slope
Léo Ducas
CWI, Amsterdam & Leiden University, The Netherlands
Cryptography, Lattices
Lynn Engelberts
Centrum Wiskunde & Informatica, the Netherlands
Paola de Perthuis
Centrum Wiskunde & Informatica, the Netherlands