Can someone please tell me why is the Ring-LWE more efficient?
By introducing polynomials in place of matrices, what kind of optimizations do we introduce that make Ring-LWE more efficient?
Asked
Active
Viewed 2,481 times
2 Answers
9
- If you're using LWE for cryptography, then you'll need a system of $n$ linear equations with errors (mod some $q$). So for those $n$ equations, your key size will have $O(n^2)$ coefficients. In Ring-LWE, you only need $n$ coefficients (see Oded Regev's survey, page 5).
- Because you're dealing with polynomials now, you can use the Fast Fourier Transform or (even better for finite fields) the number theoretic transform to multiply them.
8
The previous (galvatron's) answer gave two good reasons why Ring-LWE is more efficient. They explain why the running time of LWE schemes is worse than of Ring-LWE ones. (The n^2 vs n equations is more of an efficiency issue because in both cases, this part of the key is expanded from a 256-bit seed using an XOF. So it just takes a lot longer to expand an LWE key than a Ring-LWE one).
In addition to the speed advantage, there is also the size advantage schemes based on Ring-LWE enjoy. In PKE, the message space corresponds to the size of the ring -- therefore ring-LWE over an n-dimensional ring allows one to encrypt a larger message at no extra cost.
In Fiat-Shamir digital signatures (ones that are constructed from Sigma protocols), the ring dimension determines the size of challenge space. The larger the challenge space, the less soundness error the scheme has and the fewer times the underlying identification scheme has to be repeated, and the shorter the signature is.
There are ways to go around having a small message/challenge space when using regular LWE, but those always require increasing the size of the public key by a factor related to the security parameter.
Vadim L.
- 1,271
- 7
- 9