This work investigates the efficiency of solving the shortest vector problem (SVP) derived from Learning With Errors (LWE), to support security analysis of NIST’s 2024 standardized module-lattice key encapsulation mechanism (ML-KEM). Method: Through systematic numerical experiments and statistical evaluation, we quantify— for the first time—the success probability of recovering SVP solutions using the LLL and BKZ lattice reduction algorithms across varying lattice dimensions, moduli, and BKZ block sizes. Contribution/Results: We identify critical parameter sensitivity patterns: BKZ achieves substantially higher solution recovery rates for medium-scale LWE instances when the block size is ≥30; conversely, LLL remains practically effective in low-dimensional and small-modulus settings. Based on these findings, we propose an empirically grounded lattice-basis-reduction efficacy criterion tailored for LWE security assessment. This criterion provides concrete, data-driven guidance for selecting secure and efficient parameters in lattice-based cryptography.

In this work, we study the solution of shortest vector problems (SVPs) arising in terms of learning with error problems (LWEs). LWEs are linear systems of equations over a modular ring, where a perturbation vector is added to the right-hand side. This type of problem is of great interest, since LWEs have to be solved in order to be able to break lattice-based cryptosystems as the Module-Lattice-Based Key-Encapsulation Mechanism published by NIST in 2024. Due to this fact, several classical and quantum-based algorithms have been studied to solve SVPs. Two well-known algorithms that can be used to simplify a given SVP are the Lenstra-Lenstra-Lov'asz (LLL) algorithm and the Block Korkine-Zolotarev (BKZ) algorithm. LLL and BKZ construct bases that can be used to compute or approximate solutions of the SVP. We study the performance of both algorithms for SVPs with different sizes and modular rings. Thereby, application of LLL or BKZ to a given SVP is considered to be successful if they produce bases containing a solution vector of the SVP.