Consideration on Defining Field for Efficient Ring-LWE

The Ring-LWE problem is defined over number fields. In cryptographic schemes based on the Ring-LWE problem, the time complexity of multiplication on the ring of integers of defining field can be too expensive to ignore. For degrees.. of defining fields, the cost of multiplication is reduced to O(m log m), if the defining polynomial or a suitable basis representation of the ring of integers are found. However, it is difficult in general to find them. Although it is shown that cyclotomic fields and decomposition fields of some cyclotomic fields realize efficient cryptographic schemes in previous research, finding suitable defining fields for Ring-LWE is still important. In this paper, we discuss the conditions under which subfields of cyclotomic fields of arbitrary degrees can be used for the efficient cryptographic schemes based on the Ring-LWE. We derive certain conditions about Galois groups of defining fields and show our experimental results which support our result.