IACR News item: 12 June 2025
Clémence Chevignard, Guilhem Mureau
The module-Lattice Isomorphism Problem (module-LIP) was introduced by Ducas et al. and used within the signature scheme and NIST candidate HAWK. Recently, it was pointed out that over certain number fields $F$, the problem can be reduced to enumerating solutions of $x^2 + y^2 = q$ (where $q \in \mathcal{O}_F$ is given and $x,y \in \mathcal{O}_F$ are the unknowns). Moreover, one can always reduce to a similar equation which has only a few solutions. This key insight led to a heuristic polynomial-time algorithm for solving module-LIP on those specific instances. Yet this result does not threaten HAWK, for which the problem can be reduced to enumerating solutions of $x^2 + y^2 + z^2 + t^2 = q$ (where $q \in \mathcal{O}_F$ is given and $x,y,z,t \in \mathcal{O}_F$ are the unknowns). We show that, in all likelihood, solving this equation requires enumerating a set too large to be feasible, thereby making a straightforward adaptation of the previous method for solving module-LIP irrelevant.
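As an added illustration (not code from the paper or from HAWK), the Python below counts solutions of both equations in the simplest setting $F = \mathbb{Q}$, $\mathcal{O}_F = \mathbb{Z}$, an assumption made here only to keep the enumeration elementary. For a prime $q \equiv 1 \pmod 4$ the two-square equation has 8 integer solutions, while the four-square count is $8(q+1)$ by Jacobi's formula; the function names are this example's own.

```python
from math import isqrt


def two_square_solutions(q):
    """All (x, y) in Z^2 with x^2 + y^2 == q, by direct enumeration."""
    sols = []
    b = isqrt(q)
    for x in range(-b, b + 1):
        r = q - x * x
        y = isqrt(r)
        if y * y == r:
            # The set collapses (x, 0) and (x, -0) into a single solution.
            sols.extend({(x, y), (x, -y)})
    return sols


def count_four_square_solutions(q):
    """Number of (x, y, z, t) in Z^4 with x^2 + y^2 + z^2 + t^2 == q."""
    # r2[m] = number of (x, y) in Z^2 with x^2 + y^2 == m, for 0 <= m <= q.
    r2 = [0] * (q + 1)
    b = isqrt(q)
    for x in range(-b, b + 1):
        for y in range(-b, b + 1):
            m = x * x + y * y
            if m <= q:
                r2[m] += 1
    # A four-square solution is a pair of two-square solutions of m and q - m.
    return sum(r2[m] * r2[q - m] for m in range(q + 1))


def jacobi_four_square_count(q):
    """Jacobi's formula: 8 * (sum of the divisors of q not divisible by 4)."""
    return 8 * sum(d for d in range(1, q + 1) if q % d == 0 and d % 4 != 0)


if __name__ == "__main__":
    # Constructed sample inputs: primes congruent to 1 mod 4.
    for q in (13, 101, 1009):
        n2 = len(two_square_solutions(q))
        n4 = count_four_square_solutions(q)
        assert n4 == jacobi_four_square_count(q)
        print(f"q={q}: two-square solutions={n2}, four-square solutions={n4}")
```

The two-square count stays constant across these inputs while the four-square count grows linearly in $q$, which is the toy analogue over $\mathbb{Z}$ of the enumeration gap the abstract describes.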