Paper 2019/090

Round5: Compact and Fast Post-Quantum Public-Key Encryption

Hayo Baan, Sauvik Bhattacharya, Scott Fluhrer, Oscar Garcia-Morchon, Thijs Laarhoven, Ronald Rietman, Markku-Juhani O. Saarinen, Ludo Tolhuizen, and Zhenfei Zhang


We present the ring-based configuration of the NIST submission Round5, a Ring Learning with Rounding (RLWR)- based IND-CPA secure public-key encryption scheme. It combines elements of the NIST candidates Round2 (use of RLWR as underlying problem, having $1+x+\ldots +x^n$ with $n+1$ prime as reduction polynomial, allowing for a large design space) and HILA5 (the constant-time error-correction code XEf). Round5 performs part of encryption, and decryption via multiplication in $\mathbb{Z}_{p}[x]/(x^{n+1}-1)$, and uses secret-key polynomials that have a factor $(x-1)$. This technique reduces the failure probability and makes correlation in the decryption error negligibly low. The latter allows the effective application of error correction through XEf to further reduce the failure rate and shrink parameters, improving both security and performance. We argue for the security of Round5, both formal and concrete. We further analyze the decryption error, and give analytical as well as experimental results arguing that the decryption failure rate is lower than in Round2, with negligible correlation in errors. IND-CCA secure parameters constructed using Round5 and offering more than 232 and 256 bits of quantum and classical security respectively, under the conservative core sieving model, require only 2144 B of bandwidth. For comparison, similar, competing proposals require over 30% more bandwidth. Furthermore, the high flexibility of Round5's design allows choosing finely tuned parameters fitting the needs of diverse applications -- ranging from the IoT to high-security levels.

Note: Updated references.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Minor revision. PQCrypto 2019: The Tenth International Conference on Post-Quantum Cryptography.
Lattice cryptographyLearning with RoundingPrime cyclotomic ringPublic-key encryptionIND-CPAError correction
Contact author(s)
sauvik bhattacharya @ philips com
2019-05-03: last of 2 revisions
2019-01-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Hayo Baan and Sauvik Bhattacharya and Scott Fluhrer and Oscar Garcia-Morchon and Thijs Laarhoven and Ronald Rietman and Markku-Juhani O.  Saarinen and Ludo Tolhuizen and Zhenfei Zhang},
      title = {Round5: Compact and Fast Post-Quantum Public-Key Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2019/090},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.