Cryptology ePrint Archive: Report 2017/1183

Round2: KEM and PKE based on GLWR

Hayo Baan and Sauvik Bhattacharya and Oscar Garcia-Morchon and Ronald Rietman and Ludo Tolhuizen and Jose-Luis Torre-Arce and Zhenfei Zhang

Abstract: Cryptographic primitives that are secure against quantum computing are receiving growing attention with recent, steady advances in quantum computing and standardization initiatives in post-quantum cryptography by NIST and ETSI. Lattice-based cryptography is one of the families in post-quantum cryptography, demonstrating desirable features such as well-understood security, efficient performance, and versatility.

In this work, we present Round2 that consists of a key-encapsulation mechanism and a public-key encryption scheme. Round2 is based on the General Learning with Rounding problem, that unifies the Learning with Rounding and Ring Learning with Rounding problems. Round2's construction using the above problem allows for a unified description and implementation. The key-encapsulation mechanism and public-key encryption scheme furthermore share common building blocks, simplifying (security and operational) analysis and code review. Round2's reliance on prime cyclotomic rings offers a large design space that allows fine-tuning of parameters to required security levels. The use of rounding reduces bandwidth requirements and the use of sparse-trinary secrets improves CPU performance and decryption success rates. Finally, Round2 includes various approaches of refreshing the system public parameter A, allowing efficient ways of preventing precomputation and back-door attacks.

Category / Keywords: key encapsulation, public key encryption, lattice techniques, post-quantum cryptography

Date: received 5 Dec 2017, last revised 2 Mar 2018

Contact author: ludo tolhuizen at philips com

Available format(s): PDF | BibTeX Citation

Note: Spelling error in name of second author.

Version: 20180302:125432 (All versions of this report)

Short URL: ia.cr/2017/1183

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]