Lattice-based cryptography has attracted a great deal of attention through the National Institute of Standards and Technology's (NIST) standardization project on quantum-resistant computer cryptography (PQC). The Ring Learning with Errors (Ring-LWE) problem defined over an integer ring R of an algebra K is proposed as a lattice-based cryptosystem. On the other hand, the Module Learning with Errors (Module-LWE) problem, which consists of a direct sum of Ring-LWE problems, was standardized by NIST in 2024 with 3 algorithms: CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+. Lattice cryptography is expected to become increasingly important in cryptography because CRYSTALS-Kyber, CRYSTALS-Dilithium, and FALCON, which is currently being standardized, are lattice cryptosystems based on the security of computationally hard problems on lattices. For the Ring-LWE problem, an improved χ² attack at arbitrary relative orders using prime ideals q has been proposed. On the other hand, no such attack has been proposed for the Module-LWE problem. In this paper, we propose a χ² attack for Module-LWE problems with arbitrary relative degree. Both existing studies and the proposed attack use the bias of the error distribution. From an experimental point of view, we analyze security against the χ² attack under the change of the error width r₀ caused by differences in algebraic form. The relationship between the error distribution on prime ideals and the dual space of integer rings is also used to investigate the difference in effectiveness of the attack between the Ring-LWE and Module-LWE problems. As a result, it is confirmed that it is difficult to determine the success probability of the attack in the Module-LWE problem only by analyzing the element's norm in the dual space.
