Round5: Compact and Fast Post-quantum Public-Key Encryption

  • Hayo Baan
  • Sauvik BhattacharyaEmail author
  • Scott Fluhrer
  • Oscar Garcia-Morchon
  • Thijs Laarhoven
  • Ronald Rietman
  • Markku-Juhani O. Saarinen
  • Ludo Tolhuizen
  • Zhenfei Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11505)


We present the ring-based configuration of the NIST submission Round5, a Ring Learning with Rounding (RLWR)- based IND-CPA secure public-key encryption scheme. It combines elements of the NIST candidates Round2 (use of RLWR as underlying problem, having \(1+x+\ldots +x^n\) with \(n+1\) prime as reduction polynomial, allowing for a large design space) and HILA5 (the constant-time error-correction code XEf). Round5 performs part of encryption, and decryption via multiplication in \(\mathbb {Z}_{p}[x]/(x^{n+1}-1)\), and uses secret-key polynomials that have a factor \((x-1)\). This technique reduces the failure probability and makes correlation in the decryption error negligibly low. The latter allows the effective application of error correction through XEf to further reduce the failure rate and shrink parameters, improving both security and performance.

We argue for the security of Round5, both formal and concrete. We further analyze the decryption error, and give analytical as well as experimental results arguing that the decryption failure rate is lower than in Round2, with negligible correlation in errors.

IND-CCA secure parameters constructed using Round5 and offering more than 232 and 256 bits of quantum and classical security respectively, under the conservative core sieving model, require only 2144 B of bandwidth. For comparison, similar, competing proposals require over 30% more bandwidth. Furthermore, the high flexilibity of Round5’s design allows choosing finely tuned parameters fitting the needs of diverse applications – ranging from the IoT to high-security levels.


Lattice cryptography Learning with Rounding Prime cyclotomic ring Public-key encryption IND-CPA Error correction 



We thank Mike Hamburg for helpful discussions on combining features from the prime-order cyclotomic and power-of-two cyclotomic polynomial rings in a lattice based cryptosystem. We thank Léo Ducas for helpful discussions on rounding to the root lattice, and techniques required for proving IND-CPA security for a rounding-based scheme using \(N_{n+1}\) as reduction polynomial. Finally, we wish to thank our anonymous reviewers for their helpful comments that led to improving the content and readability of the paper.

Supplementary material


  1. 1.
    Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. Cryptology ePrint Archive, Report 2017/047 (2017)Google Scholar
  2. 2.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015)Google Scholar
  3. 3.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. Cryptology ePrint Archive, Report 2015/1092 (2015)Google Scholar
  4. 4.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: NewHope without reconciliation. Cryptology ePrint Archive, Report 2016/1157 (2016)Google Scholar
  5. 5.
    Baan, H., et al.: Round2: KEM and PKE based on GLWR. Cryptology ePrint Archive, Report 2017/1183 (2017)Google Scholar
  6. 6.
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. Cryptology ePrint Archive, Report 2011/401 (2011)Google Scholar
  7. 7.
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. Cryptology ePrint Archive, Report 2015/1128 (2015)Google Scholar
  8. 8.
    Bonnoron, G., Ducas, L., Fillinger, M.: Large FHE gates from tensored homomorphic accumulator. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 217–251. Springer, Cham (2018). Scholar
  9. 9.
    Bos, J., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017)Google Scholar
  10. 10.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, 17–21 May 2015, San Jose, CA, USA, pp. 553–570 (2015)Google Scholar
  11. 11.
    Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR. Cryptology ePrint Archive, Report 2016/1126 (2016)Google Scholar
  12. 12.
    Cheon, J.H., et al.: Lizard. Technical report, National Institute of Standards and Technology (2017).
  13. 13.
    D’Anvers, J.-P., Karmakar, A., Roy, S.S., Vercauteren, F.: SABER. Technical report, National Institute of Standards and Technology (2017).
  14. 14.
    D’Anvers, J.-P., Karmakar, A., Roy, S.S., Vercauteren, F.: Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. Cryptology ePrint Archive, Report 2018/230 (2018)Google Scholar
  15. 15.
  16. 16.
    Ducas, L., van Woerden, W.P.J.: The closest vector problem in tensored root lattices of type A and in their duals. Cryptology ePrint Archive, Report 2016/910 (2016).
  17. 17.
    ETSI. ETSI launches Quantum Safe Cryptography specification group, March 2015Google Scholar
  18. 18.
    ETSI. Terms of reference for ETSI TC cyber working group for quantum-safe cryptography (ETSI TC cyber WG-QSC) (2017). Accessed 15 Feb 2017Google Scholar
  19. 19.
    Fritzmann, T., Pöppelmann, T., Sepulveda, J.: Analysis of error-correcting codes for lattice-based key exchange. Cryptology ePrint Archive, Report 2018/150 (2018)Google Scholar
  20. 20.
    Hamburg, M.: Three Bears. Technical report, National Institute of Standards and Technology (2017).
  21. 21.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). Scholar
  22. 22.
    Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017)Google Scholar
  23. 23.
    Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007). Scholar
  24. 24.
    d’Anvers, J.P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Progress in Cryptology: AfricaCrypt 2018, pp. 282–305 (2018)Google Scholar
  25. 25.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. Cryptology ePrint Archive, Report 2010/613 (2010)Google Scholar
  26. 26.
  27. 27.
    Lu, X., et al.: LAC. Technical report, National Institute of Standards and Technology (2017).
  28. 28.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. Cryptology ePrint Archive, Report 2012/230 (2012)Google Scholar
  29. 29.
    McKilliam, R.G., Clarkson, I.V.L., Quinn, B.G.: An Algorithm to Compute the Nearest Point in the Lattice \(A_{n}^{*}\). CoRR, abs/0801.1364 (2008)Google Scholar
  30. 30.
    NIST. Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. POST-QUANTUM CRYPTO STANDARDIZATION. Call For Proposals Announcement (2016)Google Scholar
  31. 31.
    Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for Any Ring and Modulus (2017)Google Scholar
  32. 32.
    Pöppelmann, T., et al.: NewHope. Technical report, National Institute of Standards and Technology (2017).
  33. 33.
    Saarinen, M.-J.O.: Ring-LWE ciphertext compression and error correction: tools for lightweight post-quantum cryptography. In: Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security, IoTPTS 2017, pp. 15–22. ACM, April 2017Google Scholar
  34. 34.
    Saarinen, M.-J.O.: HILA5: on reliability, reconciliation, and error correction for ring-LWE encryption. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 192–212. Springer, Cham (2018). Scholar
  35. 35.
    Smart, N.P., et al.: LIMA. Technical report, National Institute of Standards and Technology (2017).

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Hayo Baan
    • 1
  • Sauvik Bhattacharya
    • 1
    Email author
  • Scott Fluhrer
    • 2
  • Oscar Garcia-Morchon
    • 1
  • Thijs Laarhoven
    • 3
  • Ronald Rietman
    • 1
  • Markku-Juhani O. Saarinen
    • 4
  • Ludo Tolhuizen
    • 1
  • Zhenfei Zhang
    • 5
  1. 1.Royal Philips N.V.EindhovenNetherlands
  2. 2.CiscoSan JoseUSA
  3. 3.Eindhoven University of TechnologyEindhovenNetherlands
  4. 4.PQShield Ltd.OxfordUK
  5. 5.AlgorandBostonUSA

Personalised recommendations