The design of Round2 makes it possible to have a unique implementation for both RLWR and LWR. The optimized implementation supports all NIST secu- rity levels of uRound2 for bothn= 1 and n=d.
The parameters of nRound2 allow the use of NTT for performing polynomial multiplications. Becausenandqare different for different NIST security levels with the nRound2 parameters, different optimizations would be required for different NIST security levels. Such optimizations have not been carried out. 2.8.1 Polynomial multiplication
Polynomial multiplication moduloxn−1 is equivalent to a convolution. How-
ever, the reduction polynomial used in Round2 is not xn −1. We define the
following algorithm to enable polynomial multiplication modulo Φn+1(x) by polynomial multiplication modulo xn+1−1 preceded and followed by simple transformations:
• Computea0(x) = (x−1)a(x)
• Computec0(x) =a0(x)b(x) modxn+1−1
• Computec(x) =c0(x)/(x−1)
We have that c(x) ≡ a(x)b(x) (mod Φn+1(x)). The coefficients of c0(x) =
a0(x)b(x) modxn+1−1 can be computed as
c0i= n X j=0 bj·a0hi−jin+1 for 0≤i≤n, where bn= 0. (45) 2.8.2 A common multiplication
The polynomial multiplication expressed in (45) can be implemented as the matrix multiplication c0 = A0bwhere A0 =a0 and b= (b0, . . . , bn)T.
With the addition of the simple transformations in the casen=d, all multipli- cations in the algorithm, for bothn= 1 andn=d, can be considered as matrix multiplications, and therefore can use the same implementation.
2.8.3 Generation of A
Using the definition offnτ from Section 2.4.1, Acan be represented as a vector
amaster of lengthLand offsetso0, o1. . . , od−1in {0,1, . . . , d−1}.
• Forf0
n=1, all offsets are equal to zero andL=d2.
• For fn1=1, we have that L = d2. Entry i, j of the matrix A satisfies
ai,j = afixedi,(j+oi) (modd) for 0 ≤ i, j ≤ d−1. In order to avoid addition
modulod, we use the d×2dmatrixa∗ defined as a∗i,j =a∗i,j+d =afixedi,j for 0≤i, j≤d−1. Thenai,j=a∗i,j+oi.
• Forfn2=1, we take L=q. We writeamaster[i] =DRGB(σ0)[i] for 0≤i≤
L−1. We then haveai,j=amaster[(j+oi) (modL)] for 0≤i, j≤d−1.
In order to avoid additions moduloL, we use the vectora∗of lengthL+d defined as a∗[i] =a
master[i] for 0≤i≤d−1, and a∗[i+L] =amaster[i]
for 0≤i≤d−1. Then ai,j=a∗[i+j].
• Forf3
n=d, we have thatL=dand there are no offsets. 2.8.4 Secret key
The columns of the secret keysS andRare trinay vectors of Hamming weight h. The vectors are generated as described in Section 3.6 of [11]. Radix sort is used as constant-time sorting algorithm.
The optimized implementation relies on an index representation of the secret keys. That is, a trinary vector of Hamming weighth is described as a vector of lengthh. The firsth/2 entries of the vector contain the positions of the +1 elements; the nexth/2 elements contain the positions of the−1 elements. This allows us to only loop over the non-zero elements, adding the ones in the first half and subtracting the second half.
While this is implementation is constant-time (given h), it is not protected against cache attacks, as the only elements accessed are the ones for which the secret key is different from 0. It would be easy to reconstruct the positions of the non-zero entries of the secret key by observing which elements of A were accessed. Other implementations choices, e.g. straightforward vector-matrix multiplication, can be adopted to provide protection against this type of attacks. 2.8.5 Choice of auxiliary functions
The proposed algorithms make use of several auxiliary functions, specifically a hash and a deterministic random bit generator (DRBG). SHA3-512 is used as hash function. When several outputs are required from a hash (see line 2, Algorithm 9), the hash is iterated.
The DRBG used is based on the one provided by NIST for KAT generation and follows the recommendations in [33].
2.8.6 DEM in Round2.PKE
Round2.PKE can use any DEM. The implementation of Round2.PKE uses a DEM based on AES256 in GCM mode as recommended in [32]. The OpenSSL implementation of AES256 is used. Using this DEM, the ciphertext of Round2.PKE needs an additional overhead of 28 bytes: 12 bytes for the initialization vector, and 16 for the authentication tag.
For NIST security levels 1, 2, and 3, the key is padded with zeros before being used in the DEM. For NIST security level 4, the exchanged key is truncated. In all cases, the key is hashed before being used in AES256-GCM.
2.8.7 Use in network protocols
Different applications have different security and bandwidth requirements. The implementation of Round 2 supports all those different requirements without the need of recompiling.
In a network protocol, two parties can initiate the communication using a standard security level. After agreeing on a different security level, they simply can use the library with the new set of parameters. The choice ofn= 1 orn=d is included in this; that is, the same library can be used for a set of parameters based on LWR and a set of parameters based on RLWR.
2.8.8 Definition of Sampleµ
The function Sampleµ picks upµentries from a matrix. In our parameter sets,
ifn=d, then n=m = 1, and Sampleµ picks up the µ coefficients of highest
order. If n= 1, Sampleµ picks up the lastµ entries of the vector obtained by
serializing the matrix row by row.