Because RSA and elliptic-curve cryptography are vulnerable to attacks by large quantum computers, and because public-key encryption must keep its secrets confidential for a long time, the U.S. Government and the information security community have initiated a transition to quantum-secure alternatives. Standardization bodies such as the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI) are currently evaluating and standardizing post-quantum cryptography (PQC).
Round5 is a leading candidate for key encapsulation and public-key encryption in the NIST PQC standardization process. It resulted from the merger of the NIST PQC first-round candidates Round2 and HILA5. Round5 relies on the General Learning with Rounding (GLWR) problem, which unifies the well-studied Learning with Rounding (LWR) and Ring Learning with Rounding (RLWR) lattice problems. This enables a single description and implementation of an IND-CPA KEM and an IND-CCA PKE, called Round5.KEM and Round5.PKE.
Round5's design choices were made with both security and performance in mind. Its flexible, unified design lets users choose the configuration that best fits their security and performance needs. Learning with Rounding gives a lower bandwidth overhead than typical Learning with Errors-based proposals, because the rounded values are transmitted with fewer bits than the full modulus. Round5's ring instantiations further rely on prime-order cyclotomic polynomial rings that enjoy well-established security proofs and offer a large design space, allowing fine tuning of the ring dimension; scaling Round5's parameters up or down to target different security levels is therefore easy. Power-of-two moduli q and p make modular reduction and rounding cheap (bit masks and shifts), so Round5 is very efficient on a variety of platforms. Ternary secrets keep the arithmetic fast and the decryption failure probability low. Finally, the constant-time XEf error-correcting code lets Round5 support the smallest parameter sets among the NIST lattice-based proposals, and thus offer the best performance in terms of bandwidth, CPU and memory usage.
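To make the rounding, ternary-secret and power-of-two-modulus ideas concrete, here is a toy ring-LWR key encapsulation in Python. It is an added illustration written for this page, not Round5's own code: it uses the negacyclic ring Z_q[x]/(x^N + 1) rather than Round5's prime-order cyclotomic ring, omits the XEf error-correcting code and the CCA transform, and its parameters N, q, p, t and secret weight H are assumed toy values chosen so that the worst-case decryption error stays below p/4 (they are far too small for real security). The `sizes_bits` helper shows where the bandwidth saving over an unrounded, LWE-style public key comes from.

```python
"""Toy ring-LWR KEM (added illustration, not Round5 code).

Ring: Z_q[x]/(x^N + 1) (assumed toy choice; Round5 uses prime-order
cyclotomic rings).  Moduli q > p > t are powers of two, so reduction is a
mask and rounding is an add-and-shift.  Secrets are ternary with a fixed
number H of non-zero coefficients.
"""
import random

N = 128                       # ring dimension = bits of shared key (assumed toy value)
LOG_Q, LOG_P, LOG_T = 12, 9, 4
Q, P, T = 1 << LOG_Q, 1 << LOG_P, 1 << LOG_T
H = 8                         # Hamming weight of ternary secrets (assumed toy value)
SEED_BITS = 256               # the public polynomial a is assumed to be expanded from a seed


def poly_mul(a, b, mod):
    """Schoolbook product in Z_mod[x]/(x^N + 1); x^N wraps around to -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:                      # ternary secrets are sparse: skip zeros
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:
                res[k - N] -= ai * bj
    return [c & (mod - 1) for c in res]   # mod is a power of two: reduction is a mask


def round_down(x, log_from, log_to):
    """Round x in Z_{2^log_from} to the nearest element of Z_{2^log_to}.
    The error, measured in the larger ring, is at most 2^(log_from - log_to - 1)."""
    shift = log_from - log_to
    return ((x + (1 << (shift - 1))) >> shift) & ((1 << log_to) - 1)


def ternary_secret(rng):
    """Ternary polynomial with exactly H coefficients in {+1, -1}, the rest 0."""
    s = [0] * N
    for idx in rng.sample(range(N), H):
        s[idx] = rng.choice((1, -1))
    return s


def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N)]   # public; in practice derived from a seed
    s = ternary_secret(rng)
    b = [round_down(c, LOG_Q, LOG_P) for c in poly_mul(a, s, Q)]   # b = round(a*s): q -> p bits
    return (a, b), s


def encaps(pk, rng):
    a, b = pk
    r = ternary_secret(rng)
    key = [rng.randrange(2) for _ in range(N)]
    u = [round_down(c, LOG_Q, LOG_P) for c in poly_mul(a, r, Q)]   # u = round(a*r)
    # v = round(b*r + (p/2)*key): p -> t bits; each key bit sits in the top bit
    v = [round_down((c + (P // 2) * m) & (P - 1), LOG_P, LOG_T)
         for c, m in zip(poly_mul(b, r, P), key)]
    return (u, v), key


def decaps(ct, s):
    """Recover the key: v*(p/t) - u*s = (p/2)*key + small error.
    Worst case |error| <= H (from the two q->p roundings) + p/(2t) (from the
    p->t rounding) = 8 + 16 < p/4 = 128, so decoding never fails here."""
    u, v = ct
    us = poly_mul(u, s, P)
    d = [((vi << (LOG_P - LOG_T)) - ui) & (P - 1) for vi, ui in zip(v, us)]
    return [1 if P // 4 <= di < 3 * P // 4 else 0 for di in d]


def sizes_bits():
    """(public key, ciphertext, unrounded LWE-style public key) in bits."""
    pk = SEED_BITS + N * LOG_P
    ct = N * LOG_P + N * LOG_T
    pk_unrounded = SEED_BITS + N * LOG_Q     # same scheme sending b mod q instead of mod p
    return pk, ct, pk_unrounded


def demo(seed=1):
    """One key agreement with a seeded RNG; True if decapsulation recovers the key."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, key = encaps(pk, rng)
    return decaps(ct, sk) == key


if __name__ == "__main__":
    print("key agreement ok:", demo())
    print("pk / ct / unrounded pk bits:", sizes_bits())
```

With these toy values the rounded public key costs 9 bits per coefficient instead of 12, and the ciphertext's second component only 4; real parameter sets push the same lever much harder, which is why the failure probability then has to be bounded probabilistically and backed by an error-correcting code rather than by a worst-case argument like the one in `decaps`.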
Parameter sets and performance
Round5 defines 12 parameter sets in total for Round5.KEM and Round5.PKE, in structured (ring) and unstructured lattice versions, corresponding to NIST security levels 1, 3 and 5.
Round5's configurability allows it to fit the needs of multiple use cases. It is even possible to enable a "minimal KEM" configuration, R5ND_MINKEM, that requires around 500 B (public key plus ciphertext). Such a configuration is needed by applications with very scarce resources.
To demonstrate how Round5's design scales down to lightweight platforms, the figure below shows the performance of a C implementation of Round5 on a Cortex-M4. The C version of Round5 performs even better than assembler-optimized alternative proposals such as Saber or Kyber.
Similar results hold for the parameter sets corresponding to unstructured lattices. In particular, Round5 proposes alternative methods of generating the master parameter A (the public matrix) that enable fast operation without hardware support while still preventing backdoor and precomputation attacks.
The bandwidth requirements (public key plus ciphertext) for the Round5 parameter sets are summarized below. The public-key and ciphertext sizes are among the smallest of all lattice-based proposals.

| Lattice type | KEM | PKE |
| --- | --- | --- |
| Structured lattice | R5ND_1KEM: 1170 B | R5ND_1PKE: 1234 B |
| | R5ND_3KEM: 1684 B | R5ND_3PKE: 1842 B |
| | R5ND_5KEM: 2257 B | R5ND_5PKE: 2516 B |
| Unstructured lattice | R5T0_1KEM: 10535 B | R5T0_1PKE: 11553 B |
| | R5T0_3KEM: 17969 B | R5T0_3PKE: 19703 B |
| | R5T0_5KEM: 28553 B | R5T0_5PKE: 28925 B |
Different applications have different trust, security and performance needs. Round5 allows addressing them with a single unified design. Round5 can thus be configured to address the needs of a wide range of applications; some examples are presented in the table below (R5ND parameter sets are the structured-lattice ones, R5T0 the unstructured ones, as in the bandwidth table above).

| Exemplary application | Recommended Round5 configuration | Trust needs | Security needs | Performance needs |
| --- | --- | --- | --- | --- |
| IoT | R5ND_MINKEM | Structured lattice | Low, passive | Very high |
| IPSec VPN | R5ND_3KEM | Structured lattice | High, passive | Very high |
| Corporate VPN | R5T0_5KEM | Unstructured lattice | Very high, passive | Less important |
| | R5ND_3PKE | Structured lattice | High, active | High |
| Electronic Health Record | R5T0_5PKE | Unstructured lattice | Very high, active | Less important |
A full submission package, in which design aspects of Round2 and HILA5 will be further merged, will be ready as input to the second NIST PQC standardization round in the coming weeks.
Round5 code tailored for the Cortex-M4 is available at www.github.com/round5.
The original descriptions and code of the Round2 and HILA5 proposals are available from the NIST PQC Standardization page.