Module Learning With Errors (Module-LWE)
Module Learning With Errors (Module-LWE) is the variant of Learning With Errors defined over module lattices, a middle ground between unstructured LWE and ring-based Ring-LWE. Samples use short vectors of polynomials drawn from a small ring, so the problem keeps Ring-LWE efficiency while spreading the algebraic structure across a module of tunable rank.
Why NIST chose it
Module-LWE lets one ring and one implementation serve every strength target: raising the module rank raises the security level without changing the underlying polynomial arithmetic. NIST standardized it as the basis of ML-KEM (FIPS 203) and, with the companion Module-SIS assumption, ML-DSA (FIPS 204). Langlois and Stehlé proved worst-case hardness reductions for module lattices in 2015 (ePrint 2012/090).
Structure versus assurance
Adding algebraic structure is what makes the schemes compact and fast, but it also narrows the problem compared to plain LWE, so some conservative designs still prefer unstructured lattices. No known attack exploits the module structure beyond what is already possible against the ring case.
Sources
- Worst-Case to Average-Case Reductions for Module Lattices (IACR ePrint Archive, 2015)
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
- FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
Cite this entry
"Module Learning With Errors (Module-LWE)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/module-lwe@misc{pqwiki-module-lwe,
title = {Module Learning With Errors (Module-LWE)},
howpublished = {\url{https://postquantum.wiki/module-lwe}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}