About Round5

Due to the inherent vulnerability of RSA and elliptic-curve cryptography to attacks by quantum computers, and the relatively long period over which public-key encryption algorithms must guarantee the confidentiality of their secrets, a transition to quantum-secure alternatives has been initiated by the U.S. Government and the information security community. Standardization bodies such as the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI) are currently in the process of evaluating and standardizing Post-Quantum Cryptography.

Round5 is a leading candidate for NIST PQC key encapsulation and public-key encryption. Round5 resulted from the merge of the NIST PQC first-round candidates Round2 and HILA5, and on January 30th 2019 it was accepted as a NIST PQC second-round candidate.

Round5 relies on the General Learning with Rounding (GLWR) problem to unify the well-studied Learning with Rounding (LWR) and Ring Learning with Rounding (RLWR) lattice problems. Thus, Round5 enables a single description and implementation of multiple algorithms relying on different underlying problems. This gives users the flexibility to choose the parameter set and algorithm that best fits their application.

Round5's design choices have been made with security and performance in mind. The flexible and unified design allows the user to choose the configuration that best fits their security and performance needs. Learning with Rounding allows for a lower bandwidth overhead than typical Learning with Errors-based proposals. Round5's ring instantiations further rely on prime-order cyclotomic polynomial rings that enjoy well-established proofs of security and offer a large design space, allowing fine-tuning of the ring dimension. It is thus easy to scale Round5's parameters up or down to meet different security targets. The use of power-of-two moduli q and p makes modular operations fast, so that Round5 is very efficient on a variety of platforms. Fixed-weight ternary secrets ensure fast operation and a low failure probability. Finally, the use of the strong, constant-time XEf error correction code allows Round5 to support the smallest configuration parameters among the NIST lattice-based proposals, and thus to offer the best performance in terms of bandwidth, CPU, and memory usage. Since XEf is constant-time, timing attacks on the error correction are not feasible.
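The paragraph above credits power-of-two moduli q and p for fast, constant-time modular operations. The following added example (not Round5's reference code) shows the Learning-with-Rounding compression step in its generic integer form and in the add/shift/mask form that power-of-two moduli allow, and measures the deterministic rounding noise that replaces LWE's sampled error. The moduli q = 2^11 and p = 2^8 are constructed for illustration and are not an actual Round5 parameter set.

```python
# Added example, not Round5 reference code. Demonstrates the LWR rounding map
#   Round_{q->p}(x) = floor((p/q) * x + 1/2) mod p
# for power-of-two q and p. q = 2**11 and p = 2**8 are constructed values.

def lwr_round_generic(x: int, q: int, p: int) -> int:
    """Reference definition in integer arithmetic: nearest integer to p*x/q, mod p."""
    return ((2 * p * x + q) // (2 * q)) % p

def lwr_round_pow2(x: int, log_q: int, log_p: int) -> int:
    """Same map when q = 2**log_q and p = 2**log_p: one add, one shift, one mask.
    Implemented in C this needs no division and no data-dependent branch, which
    is why power-of-two moduli make the operation both fast and constant-time."""
    assert log_q > log_p
    shift = log_q - log_p
    return ((x + (1 << (shift - 1))) >> shift) & ((1 << log_p) - 1)

def lwr_decompress(y: int, log_q: int, log_p: int) -> int:
    """Lift a rounded value back to Z_q (the receiver's view of the coefficient)."""
    return y << (log_q - log_p)

def max_rounding_error(log_q: int, log_p: int) -> int:
    """Largest |x - decompress(round(x))| over all x in Z_q, measured modulo q.
    This bounded, deterministic 'rounding noise' plays the role of the sampled
    error term in LWE, while each coefficient costs log_p instead of log_q bits
    on the wire; that is the bandwidth saving the page attributes to LWR."""
    q, worst = 1 << log_q, 0
    for x in range(q):
        back = lwr_decompress(lwr_round_pow2(x, log_q, log_p), log_q, log_p)
        diff = (x - back) % q
        worst = max(worst, min(diff, q - diff))
    return worst

def shift_matches_generic(log_q: int, log_p: int) -> bool:
    """Exhaustively check that the shift/mask form equals the generic definition."""
    q, p = 1 << log_q, 1 << log_p
    return all(lwr_round_pow2(x, log_q, log_p) == lwr_round_generic(x, q, p)
               for x in range(q))

if __name__ == "__main__":
    # With q = 2^11, p = 2^8 the rounding error never exceeds q/(2p) = 4.
    print(shift_matches_generic(11, 8), max_rounding_error(11, 8))
```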

Parameter sets and performance

Currently, Round5 includes 21 parameter sets. The parameters are tailored to IND-CPA and IND-CCA algorithms and are available for both the structured (ND) and unstructured (N1) lattice versions, corresponding to NIST security levels 1, 3 and 5.

CPA parameter sets are used in combination with the ephemeral IND-CPA KEM (r5_cpa_kem). The IND-CCA KEM (r5_cca_kem) and the IND-CCA PKE (r5_cca_pke) require CCA parameter sets.

A parameter set is denoted as R5N{1,D}_{1,3,5}{CPA,CCA}_{0,5}{version}.

  • {1,D} indicates whether it is a non-ring (1) or ring (D) parameter set.
  • {1,3,5} is the NIST security level that is strictly fulfilled.
  • {CPA,CCA} is the type of cryptographic algorithm the parameter set applies to.
  • {0,5} identifies the number of correctable bits: 0 means no errors are corrected, and this description is equivalent to the original Round2; 5 means that up to 5 errors can be corrected.
  • {version} is a letter indicating the version of the published parameters. Round5 parameters for the second round of NIST PQC are version "d".
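As an added example (not part of the Round5 code or documentation), the parser below splits a parameter-set name into the fields described above, flags whether every field is in the standard range, and reports which of the three algorithms named earlier (r5_cpa_kem, r5_cca_kem, r5_cca_pke) the set may be used with. The regular expression is deliberately permissive so that the special configurations listed later on this page (R5ND_0CPA_2iot, R5N1_3CCA_0smallCT, R5ND_1CPA_4longkey), which use other digits and a descriptive suffix, still parse; the pattern and the `standard` flag are this example's own conventions.

```python
import re
from dataclasses import dataclass

# Constructed pattern for the naming scheme R5N{1,D}_{1,3,5}{CPA,CCA}_{0,5}{version}.
# The digit and suffix groups are kept wide so special sets such as R5ND_0CPA_2iot
# or R5N1_3CCA_0smallCT also match; the values are interpreted afterwards.
NAME_RE = re.compile(
    r"^R5N(?P<lattice>[1D])_(?P<level>\d)(?P<goal>CPA|CCA)_(?P<xe>\d)(?P<version>[A-Za-z]+)$"
)

# Algorithms named on this page and the security goal of the parameter set each requires.
ALGORITHMS = {"r5_cpa_kem": "CPA", "r5_cca_kem": "CCA", "r5_cca_pke": "CCA"}

@dataclass(frozen=True)
class ParamSet:
    name: str
    ring: bool          # True for structured (ND), False for unstructured (N1)
    nist_level: int     # 1, 3 or 5 in standard sets (0 appears in the IoT configuration)
    goal: str           # "CPA" or "CCA"
    correctable: int    # correctable bits: 0 = no error correction (as in Round2), 5 = XE5
    version: str        # "d" for the NIST second-round parameters; a suffix for special sets
    standard: bool      # True when all fields are in the documented standard ranges

def parse_param_set(name: str) -> ParamSet:
    """Split a Round5 parameter-set name into its fields; raise on anything else."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Round5 parameter set name: {name}")
    level, xe = int(m["level"]), int(m["xe"])
    standard = level in (1, 3, 5) and xe in (0, 5) and len(m["version"]) == 1
    return ParamSet(name, m["lattice"] == "D", level, m["goal"], xe, m["version"], standard)

def compatible_algorithms(name: str) -> list:
    """Algorithms a set may be used with: CPA sets only with the ephemeral KEM,
    CCA sets with the CCA KEM and the CCA PKE."""
    goal = parse_param_set(name).goal
    return sorted(alg for alg, need in ALGORITHMS.items() if need == goal)

if __name__ == "__main__":
    for n in ("R5ND_1CPA_5d", "R5N1_5CCA_0d", "R5ND_0CPA_2iot", "R5N1_3CCA_0smallCT"):
        print(parse_param_set(n), compatible_algorithms(n))
```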

The bandwidth requirements (public key plus ciphertext) for the Round5 parameters are summarized below. The public-key and ciphertext sizes are among the smallest of all lattice-based proposals. Note that the use of XE5 allows for around a 25% bandwidth improvement while strictly fulfilling the NIST security levels. The use of a CPA parameter set enables a bandwidth reduction of up to 40%.

                                  r5_cpa_kem                r5_cca_kem
Structured lattice with XE5       R5ND_1CPA_5d:   994 B     R5ND_1CCA_5d:  1081 B
                                  R5ND_3CPA_5d:  1639 B     R5ND_3CCA_5d:  1714 B
                                  R5ND_5CPA_5d:  2035 B     R5ND_5CCA_5d:  2263 B
Structured lattice without XE5    R5ND_1CPA_0d:  1316 B     R5ND_1CCA_0d:  1416 B
                                  R5ND_3CPA_0d:  1890 B     R5ND_3CCA_0d:  2086 B
                                  R5ND_5CPA_0d:  2452 B     R5ND_5CCA_0d:  2858 B
Unstructured lattice              R5N1_1CPA_0d: 10450 B     R5N1_1CCA_0d: 11528 B
                                  R5N1_3CPA_0d: 17700 B     R5N1_3CCA_0d: 19376 B
                                  R5N1_5CPA_0d: 28552 B     R5N1_5CCA_0d: 29344 B

For instance, R5ND_1CPA_5d has a 445 B public key and a 549 B ciphertext while providing a classical/quantum security level of 125/115 bits (core sieving) and 189/148 bits (enumeration).

Round5's configurability allows fitting the needs of multiple use cases. We highlight three scenarios: IoT, unstructured lattices with short ciphertext, and variable size of the encapsulated keys.

Special configuration    Bandwidth            Benefit
R5ND_0CPA_2iot           736 B (PK + CT)      Public-key crypto for IoT.
R5N1_3CCA_0smallCT       972 B (CT)           Short ciphertext using unstructured lattices.
R5ND_1CPA_4longkey       1016 B (PK + CT)     Strong and practical security.
Specific details can be found here.

Round5's design choices allow for very fast implementations. In particular, Round5 proposes alternative methods of generating the master parameter A that enable fast operation without hardware support while still preventing backdoor and precomputation attacks.

Use Cases

Different applications have different trust, security and performance needs. Round5 provides multiple parameter sets to fit very different requirements.

  • Trust needs: Round5 allows selecting the underlying trust assumption, either a structured or an unstructured lattice. While unstructured lattices involve a higher overhead, the lack of structure gives more confidence. On the other hand, structured lattices give the smaller messages that many applications require.
  • Security and performance needs: The security level and security properties offered by Round5 can be configured exactly, offering the desired security without unnecessary bandwidth or CPU overhead.

Based on this, Round5 can be configured to address the needs of a wide range of applications.

Some examples are presented in the table below.

Exemplary Applications     Recommended Configuration   Trust needs            Security needs              Performance needs
IoT                        R5ND_0CPA_2iot / KEM        Structured lattice     Low, IND-CPA secure         Very high
IPSec VPN                  R5ND_3CPA_5d / KEM          Structured lattice     High, IND-CPA secure        Very high
Corporate VPN              R5ND_5CPA_5d / KEM          Structured lattice     Very high, IND-CPA secure   Less important
E-Mail                     R5N1_3CCA_0d / PKE          Unstructured lattice   High, IND-CCA secure        High
Electronic Health Record   R5N1_5CCA_0d / PKE          Unstructured lattice   Very high, IND-CCA secure   Less important

Specification, Presentations and Code

NIST Submission
  • This is the latest update of Round5, updated in April 2020. The original NIST submission of Round5 (March 2019) is here.
  • This document details the rationale for the merge of Round2 and HILA5 and the changes made.
  • Reference and optimized code is available on GitHub. Section 2.11 here details the reference code from an implementation point of view.
  • Code for Cortex-M4 is available here.
  • The original descriptions and code of the Round2 and HILA5 proposals are available from the NIST PQC Standardization page.
Papers, presentations, and other information
  • This paper details part of the design of Round5, in particular the merged parameters that achieve the best performance in terms of bandwidth.
  • This is the Round5 presentation at CARDIS on November 13th 2018.
  • These are the slides presented during the Second NIST PQC Standardization Conference, August 2019.
  • This script can be used to verify the security levels and failure probability of Round5.
  • These scripts and their output are experimental results that validate the failure probability and error correlation analysis of Round5.

Team, Acknowledgements & Contact

Official Round5 team:

Special acknowledgements to Mike Hamburg for his contributions to dealing with error correlations when using error correction.
Copyright (C) Round5 Team 2020