Dr. Markku-Juhani O. Saarinen Cryptographer and Security Engineer

Round5

Round5 is our current NIST PQC proposal, a result of a merger between Round2 and Hila5 first-round candidates. The official homepage is at round5.org.

We have recently released two preprints on Round5:

We plan to compile the official NIST submission tweak around October 2018.

r5nd_tiny

Round5 is currently the fastest post-quantum encryption algorithm in all NIST security classes where it is implemented. It also has the shortest public keys and messages of any lattice-based NIST PQC candidate. The Isogeny-based proposal SIKE requires 15-35% less bytes for key establishment but is hundreds of times slower, making it impractical for many applications.

In addition to being the orignal author of Hila5, and designer of key components of Round5, I wrote the fast C implementation reported in the paper “Shorter Messages..”, above. It is available at https://github.com/round5/r5nd_tiny.

Here is a simple engineering and security comparison for key establishment use case on Cortex M4. All of the compared algorithms are at NIST Category 3.

  • Xfer: Total data transferred (public key + ciphertext), in bytes.
  • Time: KeyGen() + Encaps() + Decaps() on Cortex-M4 at 24 MHz, seconds.
  • Code: Size of implementation in bytes, excluding hash function etc.
  • Failure: Decryption failure bound.
  • Post-Quantum: Claimed quantum complexity.
  • Classical: Claimed classical complexity.
Algorithm Xfer Time Code Failure Post-Quantum Classical
R5ND_3KEM 1684 0.124 4464 2-75 2176 2193
R5ND_3PKE 1842 0.169 5232 2-129 2181 2193
Saber 2080 0.172 ? 2-136 2180 2198
Kyber-768 2240 0.210 7016 2-142 2161 2178
sntrup4591761 2265 8.718 71024 0 - 2248
NTRU-HRSS17 2416 7.814 11956 0 2123 2136
NewHope1024-CCA 4032 0.264 12912 2-216 2233 -
SIKEp751 1160 685.9 19112 0 2124 2186