About Round5

Because RSA and elliptic-curve cryptography are vulnerable to attacks by quantum computers, and because public-key encryption must keep its secrets confidential for a long time after they are exchanged, the U.S. Government and the information security community have started a transition to quantum-secure alternatives. Standardization bodies such as the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI) are currently evaluating and standardizing Post-Quantum Cryptography.

Round5 is a leading candidate in the NIST PQC process for key encapsulation and public-key encryption. It resulted from the merge of the NIST PQC first-round candidates Round2 and HILA5. Round5 relies on the General Learning with Rounding (GLWR) problem, which unifies the well-studied Learning with Rounding (LWR) and Ring Learning with Rounding (RLWR) lattice problems. This allows a single description and a single implementation of an IND-CPA KEM and an IND-CCA PKE, called Round5.KEM and Round5.PKE.

Round5's design choices have been made with both security and performance in mind. The flexible, unified design lets users choose the configuration that best fits their security and performance needs. Learning with Rounding gives a lower bandwidth overhead than typical Learning with Errors-based proposals, since rounding replaces the explicit error term and drops the low-order bits of every transmitted coefficient. Round5's ring instantiations further rely on prime-order cyclotomic polynomial rings that enjoy well-established security proofs and offer a large design space, allowing fine tuning of the ring dimension. It is thus easy to scale Round5's parameters up or down to hit different security targets. Power-of-two moduli q and p make modular reduction and rounding cheap (masks and shifts rather than divisions), so Round5 is efficient on a variety of platforms. Ternary secrets ensure fast operation and a low failure probability. Finally, the constant-time XEf error-correction code allows Round5 to support the smallest configuration parameters among the NIST lattice-based proposals, and thus to offer the best performance in terms of bandwidth, CPU and memory usage.
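To make the rounding, ternary-secret and power-of-two-modulus points above concrete, here is a toy LWR key encapsulation written for this page. It is an added example, not Round5's code or specification: it uses an unstructured (matrix) instance with no ring, no XEf code and no IND-CCA transform, and the parameter values, weight H and function names are assumptions chosen so the example runs in a second. What carries over is the mechanism: rounding Z_q to Z_p is an add-and-shift when q and p are powers of two, the decryption noise is bounded by the fixed Hamming weight of the ternary secrets, and the public key shrinks by the factor log2(p)/log2(q).

```python
"""Toy LWR-based KEM illustrating Round5-style rounding (added example).

Not Round5's specification: no ring structure, no XEf code, no IND-CCA
transform, toy-sized parameters. It shows that (1) Z_q -> Z_p rounding with
power-of-two moduli is an add-and-shift, (2) fixed-weight ternary secrets
bound the decryption noise, (3) rounding shrinks the public key.
"""
import hashlib
import random

# Illustrative parameters (assumed; Round5's real ones are far larger).
Q_BITS, P_BITS, T_BITS = 12, 8, 4
Q, P, T = 1 << Q_BITS, 1 << P_BITS, 1 << T_BITS
D = 32            # lattice dimension
NBAR = MBAR = 4   # columns of the secrets; the key carries NBAR*MBAR bits
H = 8             # non-zero entries per ternary column (H/2 of each sign)


def round_bits(x, from_bits, to_bits):
    """Round x in Z_{2^from_bits} to the nearest element of Z_{2^to_bits}.

    For power-of-two moduli this is ((x + q/(2p)) >> log2(q/p)) mod p:
    no division and no data-dependent branch.
    """
    shift = from_bits - to_bits
    return ((x + (1 << (shift - 1))) >> shift) & ((1 << to_bits) - 1)


def round_matrix(m, from_bits, to_bits):
    return [[round_bits(x, from_bits, to_bits) for x in row] for row in m]


def transpose(m):
    return [list(col) for col in zip(*m)]


def matmul(a, b, mod):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) % mod for col in bt]
            for row in a]


def sample_ternary(rng, rows, cols):
    """rows x cols matrix; each column has H/2 entries +1 and H/2 entries -1."""
    columns = []
    for _ in range(cols):
        col = [0] * rows
        idx = rng.sample(range(rows), H)
        for i in idx[:H // 2]:
            col[i] = 1
        for i in idx[H // 2:]:
            col[i] = -1
        columns.append(col)
    return transpose(columns)


def keygen(rng):
    a = [[rng.randrange(Q) for _ in range(D)] for _ in range(D)]  # public A in Z_q
    s = sample_ternary(rng, D, NBAR)                               # secret S, D x NBAR
    b = round_matrix(matmul(a, s, Q), Q_BITS, P_BITS)              # A*S rounded to Z_p
    return (a, b), s


def encaps(pk, rng):
    a, b = pk
    r = sample_ternary(rng, D, MBAR)                               # ephemeral R, D x MBAR
    u = round_matrix(matmul(transpose(a), r, Q), Q_BITS, P_BITS)   # A^T*R rounded to Z_p
    m = [[rng.randrange(2) for _ in range(MBAR)] for _ in range(NBAR)]  # key bits
    btr = matmul(transpose(b), r, P)                               # B^T*R in Z_p
    # Encode one bit per coefficient at P/2, then round again to Z_t to shrink v.
    v = [[round_bits((x + bit * (P // 2)) % P, P_BITS, T_BITS)
          for x, bit in zip(row_x, row_m)]
         for row_x, row_m in zip(btr, m)]
    return (u, v), m


def decaps(sk, ct):
    u, v = ct
    stu = matmul(transpose(sk), u, P)                              # S^T*U in Z_p
    # v scaled back to Z_p minus S^T*U equals m*P/2 plus bounded noise.
    return [[1 if P // 4 <= ((y << (P_BITS - T_BITS)) - w) % P < 3 * P // 4 else 0
             for y, w in zip(row_v, row_w)]
            for row_v, row_w in zip(v, stu)]


def key_from_bits(bits):
    return hashlib.sha256(bytes(bit for row in bits for bit in row)).hexdigest()


def worst_case_noise():
    """Noise bound in Z_p units: rounding A*S and A^T*R adds at most 1/2 per
    coefficient, summed over the H non-zeros of a ternary column (twice),
    plus P/(2T) from rounding v. Decryption is always correct if this < P/4."""
    return H // 2 + H // 2 + P // (2 * T)


def public_key_bits():
    """Bits for B rounded to Z_p versus B kept in Z_q (A is sent as a seed)."""
    return D * NBAR * P_BITS, D * NBAR * Q_BITS


def roundtrip(seed):
    """Full exchange with a seeded RNG; True if decapsulation recovers the key."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ct, m = encaps(pk, rng)
    return decaps(sk, ct) == m


if __name__ == "__main__":
    assert worst_case_noise() < P // 4 and roundtrip(2019)
    print("public key bits (rounded, unrounded):", public_key_bits())
```

With these toy values the noise bound is 16 against a decoding threshold of P/4 = 64, so there are no decapsulation failures at all; real parameter sets run closer to the threshold and that is where the XEf code earns its place. Using a seeded `random.Random` is for reproducibility only; a real implementation draws secrets from a CSPRNG.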

Parameter sets and performance

Round5 defines a total of 12 parameter sets for Round5.KEM and Round5.PKE, in structured and unstructured lattice versions, corresponding to NIST security levels 1, 3 and 5.

Round5's configurability allows it to fit the needs of multiple use cases. It is even possible to enable "minimal KEM" configurations (R5ND_MINKEM) requiring only around 500 B of public key plus ciphertext. Such a configuration is what very resource-constrained applications need.

To demonstrate that Round5's design scales down to lightweight platforms, the figure below shows the performance of a C implementation of Round5 on a Cortex M4. The plain C version of Round5 performs even better than assembly-optimized implementations of alternative proposals such as Saber or Kyber.

Similar results hold for the parameters corresponding to unstructured lattices. In particular, Round5 proposes alternative methods of generating the master parameter A that enable fast operation without hardware support while still preventing backdoor and precomputation attacks.

The bandwidth requirements (public key plus ciphertext) for the Round5 parameter sets are summarized below. The public-key and ciphertext sizes are among the smallest of all lattice-based proposals.

                       Round5.KEM            Round5.PKE
Structured lattice     R5ND_1KEM:  1170 B    R5ND_1PKE:  1234 B
                       R5ND_3KEM:  1684 B    R5ND_3PKE:  1842 B
                       R5ND_5KEM:  2257 B    R5ND_5PKE:  2516 B
Unstructured lattice   R5T0_1KEM: 10535 B    R5T0_1PKE: 11553 B
                       R5T0_3KEM: 17969 B    R5T0_3PKE: 19703 B
                       R5T0_5KEM: 28553 B    R5T0_5PKE: 28925 B

Specific details can be found here.
Use Cases

Different applications have different trust, security and performance needs. Round5 addresses them with a single unified design.

  • Trust needs: Round5 allows selecting the underlying trust assumption, either a structured or an unstructured lattice. Unstructured lattices involve a higher overhead, but the lack of structure gives more confidence in the hardness assumption. Structured lattices, on the other hand, give the small messages that some applications require.
  • Security and performance needs: the security level and security properties offered by Round5 can be configured precisely, so that the desired security is obtained without unnecessary bandwidth or CPU overhead.

Based on this, Round5 can be configured to address the needs of a wide range of applications. Some examples are presented in the table below. In the "Security needs" column, "passive" means an IND-CPA KEM configuration suffices, while "active" calls for the IND-CCA PKE configuration.

Exemplary application      Recommended Round5   Rationale for recommendation
                           configuration        Trust needs            Security needs        Performance needs
IoT                        R5ND_MINKEM          Structured lattice     Low, passive          Very high
IPsec VPN                  R5ND_3KEM            Structured lattice     High, passive         Very high
Corporate VPN              R5T0_5KEM            Unstructured lattice   Very high, passive    Less important
E-Mail                     R5ND_3PKE            Structured lattice     High, active          High
Electronic Health Record   R5T0_5PKE            Unstructured lattice   Very high, active     Less important

Specification and Code
A preliminary description of Round5 can be found here.
This paper describes the implementation and the performance of Round5 on a Cortex M4.

A full submission package, in which the design aspects of Round2 and HILA5 are further merged, will be ready as input to the second NIST PQC standardization round in the coming weeks.

Round5 code tailored for the Cortex M4 is available at www.github.com/round5.

The original descriptions and code of the Round2 and HILA5 proposals are available from the NIST PQC Standardization page.

Team & Contact
Round5's team:

Copyright © Round5 team 2018.