About Round5

Due to the inherent vulnerability of RSA and elliptic-curve cryptography to attacks by quantum computers, and the relatively long period over which public-key encryption algorithms must guarantee the confidentiality of their secrets, a transition to quantum-secure alternatives has been initiated by the U.S. Government and the information security community. Standardization bodies such as the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI) are currently evaluating and standardizing Post-Quantum Cryptography.

Round5 is a leading candidate for NIST PQC key encapsulation and public-key encryption. Round5 resulted from the merge of the NIST PQC first-round candidates Round2 and HILA5, and on January 30th 2019 it was accepted as a NIST PQC second-round candidate.

Round5 relies on the General Learning with Rounding (GLWR) problem, which unifies the well-studied Learning with Rounding (LWR) and Ring Learning with Rounding (RLWR) lattice problems. This enables a single description and implementation of Round5's IND-CPA KEM and IND-CCA PKE, called r5_cpa_kem and r5_cca_pke respectively.

Round5's design choices have been made with security and performance in mind. The flexible and unified design allows users to choose the configuration that best fits their security and performance needs. Learning with Rounding allows for a lower bandwidth overhead than typical Learning with Errors-based proposals. Round5's ring instantiations further rely on prime-order cyclotomic polynomial rings that enjoy well-established proofs of security and offer a large design space, allowing fine-tuning of the ring dimension. It is thus easy to scale Round5's parameters up or down to target different security levels. The use of power-of-two moduli q and p makes modular operations fast, so that Round5 is very efficient on a variety of platforms. Fixed-weight ternary secrets ensure fast operation and a low failure probability. Finally, the use of the strong constant-time XEf error correction code allows Round5 to support the smallest configuration parameters among the NIST lattice-based proposals, and thus to offer the best performance in terms of bandwidth, CPU, and memory usage. Since XEf is constant-time, timing attacks on the error correction are not feasible.
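As an added illustration (not Round5's specification or the project's code), the following toy non-ring LWR key agreement shows three of the design choices above in working form: rounding with power-of-two moduli as a single bit shift, fixed-weight ternary secrets, and the bounded disagreement between the two parties that the error-correcting code has to absorb. All parameter values (q = 2^13, p = 2^9, dimension 256, secret weight 64) are assumptions for the toy, not Round5 parameters.

```python
"""Toy non-ring LWR key agreement (added illustration, not Round5 code).
Assumed toy parameters: q = 2^13, p = 2^9, dimension 256, secret weight 64."""
import secrets

Q_BITS, P_BITS = 13, 9                 # q and p are powers of two, as in Round5
Q, P = 1 << Q_BITS, 1 << P_BITS
N, H = 256, 64                         # dimension and fixed ternary weight (assumed)
_rng = secrets.SystemRandom()

def round_q_to_p(x):
    """Round x in Z_q to Z_p: floor(x * p / q + 1/2) mod p.
    With power-of-two moduli this is one addition and one shift."""
    return ((x + (1 << (Q_BITS - P_BITS - 1))) >> (Q_BITS - P_BITS)) % P

def round_q_to_p_reference(x):
    """Same rounding with general integer arithmetic, for comparison."""
    return ((2 * x * P + Q) // (2 * Q)) % P

def fixed_weight_ternary(n=N, h=H):
    """Secret with exactly h/2 entries +1, h/2 entries -1 and the rest 0."""
    s = [1] * (h // 2) + [-1] * (h // 2) + [0] * (n - h)
    _rng.shuffle(s)
    return s

def lwr_vector(matrix, s):
    """One LWR sample per row: round_q->p(<row, s> mod q)."""
    return [round_q_to_p(sum(a * x for a, x in zip(row, s)) % Q) for row in matrix]

def centered(x, mod):
    """Representative of x mod `mod` in (-mod/2, mod/2]."""
    x %= mod
    return x - mod if x > mod // 2 else x

def toy_agreement():
    """Alice publishes b = round(A s); Bob sends u = round(A^T r).
    Both then compute a value in Z_p that agrees up to the rounding noise.
    Returns (alice_value, bob_value, |difference| in Z_p)."""
    A = [[_rng.randrange(Q) for _ in range(N)] for _ in range(N)]   # public matrix
    s, r = fixed_weight_ternary(), fixed_weight_ternary()
    b = lwr_vector(A, s)
    u = lwr_vector([list(col) for col in zip(*A)], r)
    k_alice = sum(ui * si for ui, si in zip(u, s)) % P
    k_bob = sum(bi * ri for bi, ri in zip(b, r)) % P
    # k_alice - k_bob = <e', s> - <e, r> with |e|, |e'| <= 1/2 per entry,
    # so the mismatch is at most H; Round5 keeps only the top bits of such
    # values and lets XEf absorb the remaining disagreements.
    return k_alice, k_bob, abs(centered(k_alice - k_bob, P))
```

The two values differ by at most the secret weight in Z_p, which is why only the top bits of such values are usable as key material and the residual mismatches are left to the error-correcting code.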

Parameter sets and performance

Round5 defines several parameter sets for r5_cpa_kem and r5_cca_pke, in both the structured and the unstructured lattice versions, corresponding to NIST security levels 1, 3 and 5.

A parameter set is denoted as R5N{1,D}_{1,3,5}{KEM,PKE}_{0,5}{version}, where:

  • {1,D} indicates whether it is a non-ring (1) or ring (D) parameter set.
  • {1,3,5} is the NIST security level that is strictly fulfilled.
  • {KEM,PKE} is the cryptographic algorithm it instantiates.
  • {0,5} is the number of correctable bits: 0 means no errors are corrected (this description is equivalent to the original Round2); 5 means that up to 5 errors can be corrected.
  • {version} is a letter indicating the version of the published parameters. Round5 parameters for the second round of NIST PQC are version "d".
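A small parser for the naming scheme just described, added here as an example (not part of the Round5 code). It also accepts the special configurations listed further down this page, which replace the single version letter with a descriptive suffix, and flags whether a name follows the strict scheme.

```python
import re

# Naming scheme described above: R5N{1,D}_{1,3,5}{KEM,PKE}_{0,5}{version}.
# The special configurations on this page (e.g. R5ND_0KEM_2iot) replace the
# version letter with a descriptive suffix, so the tail is matched loosely
# and a "standard" flag reports whether the name follows the strict scheme.
_NAME_RE = re.compile(r"^R5N([1D])_(\d)(KEM|PKE)_(\d)([A-Za-z]+)$")

def parse_round5_name(name):
    """Decode a Round5 parameter-set name into its fields; raises ValueError
    for strings that do not follow the scheme at all."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Round5 parameter-set name: {name!r}")
    lattice, level, algo, digit, suffix = m.groups()
    standard = level in "135" and digit in "05" and len(suffix) == 1
    return {
        "ring": lattice == "D",                    # D = ring, 1 = non-ring
        "nist_level": int(level),                  # 1, 3 or 5 in the standard sets
        "algorithm": "r5_cpa_kem" if algo == "KEM" else "r5_cca_pke",
        # 0 = no error correction, 5 = XE5; for the special configurations this
        # page does not define the digit, so it is reported as-is.
        "corrected_bits": int(digit),
        "version": suffix,
        "standard": standard,
    }
```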

The bandwidth requirements (public key plus ciphertext) for the Round5 parameters are summarized below. The public-key and ciphertext sizes are among the smallest of all lattice-based proposals. Note that the use of XE5 allows for around a 25% bandwidth improvement while strictly fulfilling the NIST security levels.

Configuration                   r5_cpa_kem                r5_cca_pke
Structured lattice with XE5     R5ND_1KEM_5d:   994 B     R5ND_1PKE_5d:  1097 B
                                R5ND_3KEM_5d:  1639 B     R5ND_3PKE_5d:  1730 B
                                R5ND_5KEM_5d:  2035 B     R5ND_5PKE_5d:  2279 B
Structured lattice without XE5  R5ND_1KEM_0d:  1316 B     R5ND_1PKE_0d:  1432 B
                                R5ND_3KEM_0d:  1890 B     R5ND_3PKE_0d:  2102 B
                                R5ND_5KEM_0d:  2452 B     R5ND_5PKE_0d:  2874 B
Unstructured lattice            R5N1_1KEM_0d: 10450 B     R5N1_1PKE_0d: 11544 B
                                R5N1_3KEM_0d: 17700 B     R5N1_3PKE_0d: 19393 B
                                R5N1_5KEM_0d: 28552 B     R5N1_5PKE_0d: 29360 B

For instance, R5ND_1KEM_5d has a 445 B public key and a 549 B ciphertext while providing a classical/quantum security level of 128/117 bits (core sieving) and 170/135 bits (enumeration).

Round5's configurability allows fitting the needs of multiple use cases. We highlight three scenarios: IoT, unstructured lattices with short ciphertext, and variable size of the encapsulated keys.

Special configuration   Bandwidth           Benefit
R5ND_0KEM_2iot          736 B (PK + CT)     Enable public-key cryptography in IoT.
R5N1_3PKE_0smallCT      988 B (CT)          Unstructured lattice.
R5ND_1KEM_4longkey      1016 B (PK + CT)    Encapsulate a longer key.
Specific details can be found here.

Round5's design choices allow for very fast implementations. In particular, Round5 proposes alternative methods of generating the master parameter A that enable fast operation without hardware support while still preventing backdoor and precomputation attacks.

Use Cases

Different applications have different trust, security and performance needs. Round5 allows addressing them with a single unified design.

  • Trust needs: Round5 allows selecting the underlying trust assumption, either a structured or an unstructured lattice. While unstructured lattices involve a higher overhead, the lack of structure gives more confidence. On the other hand, structured lattices ensure the small messages that some applications require.
  • Security and performance needs: The security level and security properties offered by Round5 can be configured exactly, to offer the desired security without unnecessary bandwidth or CPU overhead.

Based on this, Round5 can be configured to address the needs of a wide range of applications. Some examples are presented in the table below.

Exemplary application      Recommended Round5    Rationale for recommendation
                           configuration         Trust needs            Security needs              Performance needs
IoT                        R5ND_0KEM_2iot        Structured lattice     Low, IND-CPA secure         Very high
IPSec VPN                  R5ND_3KEM_5d          Structured lattice     High, IND-CPA secure        Very high
Corporate VPN              R5ND_5KEM_5d          Structured lattice     Very high, IND-CPA secure   Less important
E-Mail                     R5N1_3PKE_0d          Unstructured lattice   High, IND-CCA secure        High
Electronic Health Record   R5N1_5PKE_0d          Unstructured lattice   Very high, IND-CCA secure   Less important

Specification, Presentations and Code

A draft description of Round5 can be found here.
This paper describes the implementation and the performance of Round5 on a Cortex M4.
NIST Submission
  • The NIST submission of Round5 is here. Round5's code as submitted to NIST can be found here.
  • This document details the rationale of the merge of Round2 and HILA5.
  • Reference and optimized code is available here. Section 2.11 here details the reference code from an implementation point of view.
  • Code for Cortex M4 is available here.
  • The original descriptions and code of the Round2 and HILA5 proposals are available from the NIST PQC Standardization page.
Papers, presentations, and other information
  • This paper details part of the design of Round5, in particular, for the merged parameters that achieve the best performance in terms of bandwidth.
  • This is the Round5 presentation at Cardis on November 13th 2018.
  • This script can be used to verify the security levels and failure probability of Round5.
  • These scripts and code output experimental results to validate the failure probability and error correlation analysis of Round5.

Team, Acknowledgements & Contact

Official Round5 team:

Special acknowledgements to Mike Hamburg for his contributions to deal with error correlations when using error correction.

Copyright © Round5 team 2019.