About Round5

Due to the inherent vulnerability of RSA and elliptic-curve cryptography to attacks by quantum computers, and the relatively long period over which public-key encryption algorithms must guarantee the confidentiality of their secrets, a transition to quantum-secure alternatives has been initiated by the U.S. Government and the information security community. Standardization bodies such as the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI) are currently evaluating and standardizing Post-Quantum Cryptography.

Round5 is a leading candidate for NIST PQC key encapsulation and public-key encryption. It resulted from the merge of the NIST PQC first-round candidates Round2 and HILA5. Round5 relies on the General Learning with Rounding (GLWR) problem to unify the well-studied Learning with Rounding (LWR) and Ring Learning with Rounding (RLWR) lattice problems. This enables a single description and implementation of Round5's IND-CPA KEM and IND-CCA PKE, called r5_cpa_kem and r5_cca_pke respectively.

Round5's design choices have been made with security and performance in mind. The flexible and unified design allows users to choose the configuration that best fits their security and performance needs. Learning with Rounding allows for a lower bandwidth overhead than typical Learning with Errors-based proposals. Round5's ring instantiations further rely on prime-order cyclotomic polynomial rings that enjoy well-established security proofs and offer a large design space, allowing fine tuning of the ring dimension. It is thus easy to scale Round5's parameters up or down to target different security levels. The use of power-of-two moduli q and p makes modular operations fast, so Round5 is very efficient on a variety of platforms. Fixed-weight ternary secrets ensure fast operation and a low failure probability. Finally, the use of the strong, constant-time XEf error-correction code allows Round5 to support the smallest configuration parameters among the NIST lattice-based proposals and thus offer the best performance in terms of bandwidth, CPU and memory usage. Since XEf is constant-time, timing side-channel attacks on the error-correction step are not feasible.

Parameter sets and performance

Round5 defines several parameter sets for r5_cpa_kem and r5_cca_pke in the structured and unstructured lattice versions, corresponding to NIST security levels 1, 3 and 5.

A parameter set is denoted as R5N{1,D}_{1,3,5}{KEM,PKE}_{0,5}{version}. 

  • {1,D} indicates whether it is a non-ring (1) or ring (D) parameter set.
  • {1,3,5} is the NIST security level that is strictly fulfilled.
  • {KEM,PKE} is the cryptographic algorithm it instantiates.
  • {0,5} identifies the number of corrected bits: 0 means no errors are corrected, which is equivalent to the original Round2; 5 means that up to 5 errors can be corrected.
  • {version} is a letter indicating the version of the published parameters.

Similar results hold for the parameters corresponding to unstructured lattices. In particular, Round5 proposes alternative methods of generating the master parameter A that enable fast operation without hardware support while still preventing backdoor and precomputation attacks.

The bandwidth requirements (public key plus ciphertext) for the Round5 parameters are summarized below. The public-key and ciphertext sizes are among the smallest of all lattice-based proposals. Note that the use of XE5 allows for around a 25% bandwidth improvement while strictly fulfilling the NIST security levels.

                                   r5_cpa_kem             r5_cca_pke
Structured lattice with XE5        R5ND_1KEM_5c:   994 B  R5ND_1PKE_5c:  1097 B
                                   R5ND_3KEM_5c:  1639 B  R5ND_3PKE_5c:  1730 B
                                   R5ND_5KEM_5c:  2035 B  R5ND_5PKE_5c:  2144 B
Structured lattice without XE5     R5ND_1KEM_0c:  1316 B  R5ND_1PKE_0c:  1432 B
                                   R5ND_3KEM_0c:  1890 B  R5ND_3PKE_0c:  2102 B
                                   R5ND_5KEM_0c:  2452 B  R5ND_5PKE_0c:  2874 B
Unstructured lattice               R5N1_1KEM_0c: 10450 B  R5N1_1PKE_0c: 11544 B
                                   R5N1_3KEM_0c: 17700 B  R5N1_3PKE_0c: 19393 B
                                   R5N1_5KEM_0c: 28552 B  R5N1_5PKE_0c: 29360 B

For instance, R5ND_1KEM_5c has a 445 B public key and a 549 B ciphertext while providing a classical/quantum security level of 128/117 bits (core sieving) and 170/135 bits (enumeration).
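As an added example (not part of Round5's own code), the following Python parser decodes the parameter-set naming convention described above, pairs each XE5 set with its no-error-correction sibling, and computes the bandwidth saving from the table; the BANDWIDTH dictionary copies the table's ring-lattice values, and the ParamSet class and function names are this example's own.

```python
import re
from dataclasses import dataclass, replace

# Added example (not Round5 project code): parser for the naming convention
# R5N{1,D}_{1,3,5}{KEM,PKE}_{0,5}{version}; the BANDWIDTH values are the page's table.
NAME_RE = re.compile(r"^R5N(?P<lattice>[1D])_(?P<level>\d)(?P<alg>KEM|PKE)_(?P<bits>\d)(?P<version>[A-Za-z]+)$")


@dataclass(frozen=True)
class ParamSet:
    lattice: str         # "unstructured" for R5N1, "ring" for R5ND
    nist_level: int      # 1, 3 or 5 for the standard sets
    algorithm: str       # "KEM" -> r5_cpa_kem, "PKE" -> r5_cca_pke
    corrected_bits: int  # 0 = no error correction (Round2-equivalent), 5 = XE5
    version: str         # "c" for the published sets; a label such as "iot" otherwise

    @property
    def standard(self) -> bool:
        """True when level and correction follow the documented {1,3,5}/{0,5} pattern."""
        return self.nist_level in (1, 3, 5) and self.corrected_bits in (0, 5)

    def name(self) -> str:
        lat = "D" if self.lattice == "ring" else "1"
        return f"R5N{lat}_{self.nist_level}{self.algorithm}_{self.corrected_bits}{self.version}"


def parse_param_set(name: str) -> ParamSet:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Round5 parameter-set name: {name!r}")
    return ParamSet("ring" if m["lattice"] == "D" else "unstructured", int(m["level"]),
                    m["alg"], int(m["bits"]), m["version"])


# Public key + ciphertext in bytes for the ring (R5ND) sets, copied from the table above.
BANDWIDTH = {
    "R5ND_1KEM_5c": 994, "R5ND_3KEM_5c": 1639, "R5ND_5KEM_5c": 2035,
    "R5ND_1KEM_0c": 1316, "R5ND_3KEM_0c": 1890, "R5ND_5KEM_0c": 2452,
    "R5ND_1PKE_5c": 1097, "R5ND_3PKE_5c": 1730, "R5ND_5PKE_5c": 2144,
    "R5ND_1PKE_0c": 1432, "R5ND_3PKE_0c": 2102, "R5ND_5PKE_0c": 2874,
}


def xe5_saving_percent(xe5_name: str) -> float:
    """Bandwidth saved by an XE5 set relative to its no-error-correction sibling (_0)."""
    ps = parse_param_set(xe5_name)
    if ps.corrected_bits != 5:
        raise ValueError("expected an XE5 (_5) parameter set")
    sibling = replace(ps, corrected_bits=0).name()  # same lattice, level, algorithm, version
    with_xe5, without = BANDWIDTH[xe5_name], BANDWIDTH[sibling]
    return 100.0 * (without - with_xe5) / without
```

The special configurations from the next section (for example R5ND_0KEM_2iot) also parse, but `standard` is False for them because their level and correction fields fall outside the documented pattern.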

Round5's configurability allows fitting the needs of multiple use cases. We highlight three scenarios: IoT, unstructured lattices with short ciphertext, and variable size of the encapsulated keys.

Special configuration   Bandwidth            Benefit
R5ND_0KEM_2iot           736 B (PK + CT)     Enables public-key cryptography in IoT.
R5N1_3PKE_0smallCT       988 B (CT)          Unstructured lattice with a short ciphertext.
R5ND_1KEM_4longkey      1016 B (PK + CT)     Encapsulates a longer key.

Specific details can be found here.

To demonstrate the scalability of Round5's design to lightweight platforms, the figure below shows the performance of a C implementation of Round5 on a Cortex M4. The C version of Round5 performs even better than assembler-optimized alternative proposals such as Saber or Kyber. These results are based on the Round5 parameters in the paper.

Use Cases

Different applications have different trust, security and performance needs. Round5 allows addressing them with a single unified design.

  • Trust needs: Round5 allows selecting the underlying trust assumption, either a structured or an unstructured lattice. While unstructured lattices involve a higher overhead, the lack of structure gives more confidence. On the other hand, structured lattices ensure the small messages that are required in some applications.
  • Security and performance needs: The security level and security properties offered by Round5 can be configured exactly, offering the desired security without unnecessary bandwidth or CPU overhead.

Based on this, Round5 can be configured to address the needs of a wide range of applications.

Some examples are presented in the table below.

Exemplary application     Recommended Round5    Rationale for recommendation
                          configuration         Trust needs           Security needs             Performance needs
IoT                       R5ND_0KEM_2iot        Structured lattice    Low, IND-CPA secure        Very high
IPSec VPN                 R5ND_3KEM_5c          Structured lattice    High, IND-CPA secure       Very high
Corporate VPN             R5ND_5KEM_5c          Structured lattice    Very high, IND-CPA secure  Less important
E-Mail                    R5N1_3PKE_0c          Unstructured lattice  High, IND-CCA secure       High
Electronic Health Record  R5N1_5PKE_0c          Unstructured lattice  Very high, IND-CCA secure  Less important

Specification, Presentations and Code

  • A draft description of Round5 can be found here.
  • This paper describes the implementation and the performance of Round5 on a Cortex M4.
  • This document details the rationale of the merge of Round2 and HILA5.
  • These slides were presented at CWG on September 14th 2018.
  • This is the Round5 presentation at Cardis on November 13th 2018.
  • Here you find SUPERCOP performance results for the parameter sets in the Cardis paper.
  • This script can be used to verify the security levels and failure probability of Round5.
  • These scripts and code output experimental results to validate the failure probability and error-correlation analysis of Round5.
  • Reference and optimized code is available here. Section 1.11 here details the reference code from an implementation point of view. More code will be uploaded in the next weeks.
  • A full submission package including the above contents and implementations will be provided for the second round in the next weeks. The original description and code of the Round2 and HILA5 proposals are available from the NIST PQC Standardization page.

Team, Acknowledgements & Contact

Official Round5 team:

Special acknowledgements to Mike Hamburg for his contributions to dealing with error correlations when using error correction.

Copyright © Round5 team 2018.