FrodoKEM is a family of key-encapsulation mechanisms that are designed to be *conservative* yet *practical* post-quantum constructions whose security derives from cautious parameterizations of the well-studied *learning with errors* problem, which in turn has close connections to conjectured-hard problems on *generic*, algebraically unstructured lattices.

Concretely, FrodoKEM is designed for IND-CCA security at two levels:

- FrodoKEM-640, which targets Level 1 in the NIST call for proposals (matching or exceeding the brute-force security of AES-128), and
- FrodoKEM-976, which targets Level 3 in the NIST call for proposals (matching or exceeding the brute-force security of AES-192).

Two variants of each of the above schemes are provided:

- FrodoKEM-640-AES and FrodoKEM-976-AES, which use AES-128 to pseudorandomly generate a large public matrix (**A**).
- FrodoKEM-640-cSHAKE and FrodoKEM-976-cSHAKE, which use cSHAKE128 to pseudorandomly generate the matrix.

The AES variants are particularly suitable for devices having AES hardware acceleration (such as AES-NI on Intel platforms), while the cSHAKE variants generally provide competitive or better performance in comparison with the AES variants in the absence of hardware acceleration.

The inventors of FrodoKEM are:

- Erdem Alkim
- Joppe W. Bos, NXP Semiconductors
- Léo Ducas, CWI
- Patrick Longa, Microsoft Research
- Ilya Mironov, Google
- Michael Naehrig, Microsoft Research
- Valeria Nikolaenko
- Chris Peikert, University of Michigan
- Ananth Raghunathan, Google
- Douglas Stebila, McMaster University

Additional submitters for the FrodoKEM NIST submission are:

- Karen Easterbrook, Microsoft Research
- Brian LaMacchia, Microsoft Research

FrodoKEM builds on an extensive line of literature which is detailed in the specification.

You can contact the FrodoKEM team by emailing contact@frodokem.org.

The specification of FrodoKEM submitted to NIST on November 30, 2017, is available below:

View FrodoKEM specification (PDF)

Our submission package includes:

- a reference implementation written exclusively in portable C,
- an optimized implementation written exclusively in portable C that includes efficient algorithms to generate the matrix **A** and to compute the matrix operations **AS** + **E** and **S'A** + **E'**, and
- an additional, optimized implementation for x64 platforms that exploits Advanced Vector Extensions 2 (AVX2) intrinsic instructions.

The implementations in the submission package support all four schemes: FrodoKEM-640-AES, FrodoKEM-640-cSHAKE, FrodoKEM-976-AES, and FrodoKEM-976-cSHAKE. The only difference between the reference and the optimized implementation is that the latter includes two efficient functions to generate the public matrix **A** and to compute the matrix operations **AS** + **E** and **S'A** + **E'**. Similarly, the only difference between the optimized and the additional implementation is that the latter uses AVX2 intrinsic instructions to speed up the implementation of the aforementioned functions. Hence, the different implementations share most of their codebase: this illustrates the simplicity of software based on FrodoKEM.
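The two matrix operations named above, together with the seeded generation of **A** described earlier, are essentially the whole of the scheme's arithmetic. The following is an added example, not code from the FrodoKEM submission package: a toy Frodo-style LWE public-key encryption in C with constructed parameters (n = 8, nbar = 2, q = 2^16 via `uint16_t` wraparound, secrets and errors uniform in [-2, 2]) that are deliberately not FrodoKEM's, and with a non-cryptographic xorshift32 generator standing in for the AES-128/cSHAKE128 expansion of the seed for **A**. It shows both parties regenerating **A** from the seed, the key generator computing **AS** + **E**, the encryptor computing **S'A** + **E'**, and why decryption works: the two sides' values differ only by a small error term that rounding removes.

```c
/* Added example (not FrodoKEM code): toy Frodo-style LWE encryption.
 * Constructed parameters n = 8, nbar = 2, q = 2^16, errors in [-2, 2]; NOT
 * FrodoKEM's. xorshift32 stands in for AES-128/cSHAKE128 and is not secure. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define N      8   /* toy dimension (FrodoKEM-640 uses n = 640) */
#define NBAR   2   /* columns of S, rows of S' */
#define LOGQ   16  /* q = 2^16, so uint16_t arithmetic reduces mod q for free */
#define B_BITS 2   /* message bits carried per entry of the nbar x nbar block */
#define ERR_W  2   /* secrets and errors are uniform in [-ERR_W, ERR_W] */
typedef uint16_t elem_t;
typedef struct { uint32_t s; } prng_t;
typedef struct { uint32_t seed_a; elem_t B[N][NBAR]; } pk_t; /* (seed_A, B = AS + E) */
typedef struct { elem_t S[N][NBAR]; } sk_t;

static uint32_t prng_next(prng_t *p) {
    uint32_t x = p->s ? p->s : 0x9E3779B9u; /* xorshift32 state must never be 0 */
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return p->s = x;
}
/* Both parties expand seed_A into the public n x n matrix instead of sending it. */
static void gen_a(elem_t A[N][N], uint32_t seed_a) {
    prng_t p = { seed_a };
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++) A[i][j] = (elem_t)prng_next(&p);
}
/* Small value in [-ERR_W, ERR_W], stored mod q (negatives wrap). */
static elem_t sample_small(prng_t *p) {
    return (elem_t)((int)(prng_next(p) % (2 * ERR_W + 1)) - ERR_W);
}
/* Decode(v): index of the multiple of q/2^B nearest to v, as a B-bit value. */
static uint8_t decode(elem_t v) {
    uint32_t r = ((uint32_t)v + (1u << (LOGQ - B_BITS - 1))) >> (LOGQ - B_BITS);
    return (uint8_t)(r & ((1u << B_BITS) - 1));
}
static void keygen(pk_t *pk, sk_t *sk, uint32_t seed_a, uint32_t seed_se) {
    elem_t A[N][N], E[N][NBAR];
    prng_t p = { seed_se };
    gen_a(A, seed_a); pk->seed_a = seed_a;
    for (int i = 0; i < N; i++)
        for (int j = 0; j < NBAR; j++) { sk->S[i][j] = sample_small(&p); E[i][j] = sample_small(&p); }
    for (int i = 0; i < N; i++)            /* B = A*S + E */
        for (int j = 0; j < NBAR; j++) {
            uint32_t acc = E[i][j];
            for (int k = 0; k < N; k++) acc += (uint32_t)A[i][k] * sk->S[k][j];
            pk->B[i][j] = (elem_t)acc;     /* the cast reduces mod 2^16 */
        }
}
static void encrypt(elem_t C1[NBAR][N], elem_t C2[NBAR][NBAR], const pk_t *pk,
                    const uint8_t mu[NBAR][NBAR], uint32_t seed_r) {
    elem_t A[N][N], Sp[NBAR][N], Ep[NBAR][N], Epp[NBAR][NBAR];
    prng_t p = { seed_r };
    gen_a(A, pk->seed_a);
    for (int i = 0; i < NBAR; i++) {
        for (int j = 0; j < N; j++) { Sp[i][j] = sample_small(&p); Ep[i][j] = sample_small(&p); }
        for (int j = 0; j < NBAR; j++) Epp[i][j] = sample_small(&p);
    }
    for (int i = 0; i < NBAR; i++)         /* C1 = S'*A + E' */
        for (int j = 0; j < N; j++) {
            uint32_t acc = Ep[i][j];
            for (int k = 0; k < N; k++) acc += (uint32_t)Sp[i][k] * A[k][j];
            C1[i][j] = (elem_t)acc;
        }
    for (int i = 0; i < NBAR; i++)         /* C2 = S'*B + E'' + Encode(mu) */
        for (int j = 0; j < NBAR; j++) {
            uint32_t acc = Epp[i][j] + ((uint32_t)mu[i][j] << (LOGQ - B_BITS));
            for (int k = 0; k < N; k++) acc += (uint32_t)Sp[i][k] * pk->B[k][j];
            C2[i][j] = (elem_t)acc;
        }
}
/* C2 - C1*S = Encode(mu) + (S'E + E'' - E'S); the bracket is small, so Decode returns mu. */
static void decrypt(uint8_t mu[NBAR][NBAR], const sk_t *sk,
                    const elem_t C1[NBAR][N], const elem_t C2[NBAR][NBAR]) {
    for (int i = 0; i < NBAR; i++)
        for (int j = 0; j < NBAR; j++) {
            uint32_t acc = 0;
            for (int k = 0; k < N; k++) acc += (uint32_t)C1[i][k] * sk->S[k][j];
            mu[i][j] = decode((elem_t)(C2[i][j] - (elem_t)acc));
        }
}
/* One round trip on a constructed message; returns 1 if decryption recovers it. */
int roundtrip_ok(uint32_t seed_a, uint32_t seed_se, uint32_t seed_r) {
    pk_t pk; sk_t sk;
    elem_t C1[NBAR][N], C2[NBAR][NBAR];
    uint8_t mu[NBAR][NBAR], out[NBAR][NBAR];
    prng_t p = { seed_r ^ 0xC0FFEEu };
    for (int i = 0; i < NBAR; i++)
        for (int j = 0; j < NBAR; j++) mu[i][j] = (uint8_t)(prng_next(&p) & ((1u << B_BITS) - 1));
    keygen(&pk, &sk, seed_a, seed_se);
    encrypt(C1, C2, &pk, mu, seed_r);
    decrypt(out, &sk, C1, C2);
    return memcmp(mu, out, sizeof mu) == 0;
}
int main(void) {
    int ok = 1;
    for (uint32_t t = 1; t <= 100; t++) ok &= roundtrip_ok(t, 7 * t + 1, 13 * t + 5);
    printf("100 toy round trips: %s\n", ok ? "all recovered mu" : "FAILURE");
    return ok ? 0 : 1;
}
```

With these toy values the decryption noise **S'E** + **E''** - **E'S** has absolute value at most 8·4 + 2 + 8·4 = 66 per entry, while `decode` tolerates anything below q/2^(B+1) = 8192, so every round trip succeeds. The real scheme faces the same trade-off at scale: the error distribution and q must be wide enough for the LWE instance to be hard yet narrow enough that decoding fails only with negligible probability, which is what the "cautious parameterizations" above refer to.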

All our implementations avoid the use of secret address accesses and secret branches and, hence, are protected against timing and cache attacks.
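The property stated above (no memory address and no branch that depends on secret data) is easiest to see at the end of an IND-CCA KEM decapsulation built by re-encryption, where the decapsulator compares the re-encrypted ciphertext with the received one and then returns either the real shared secret or a rejection value. The following is an added example in C, not the FrodoKEM implementation, and every function name in it is my own: it places the branchy comparison beside a constant-time comparison and a constant-time select, and drives them with constructed sample bytes.

```c
/* Added example (not FrodoKEM code): the two primitives a constant-time
 * decapsulation finish needs, beside the branchy pattern they replace. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Contrast only: exits at the first differing byte, so its running time leaks
 * how long a prefix of the (secret-derived) input matched. */
int compare_branchy(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 1;
    return 0;
}

/* Constant-time: every byte is read and OR-folded; no data-dependent branch or
 * early exit. Returns 0 when equal, 1 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= a[i] ^ b[i];
    uint32_t is_zero = ((uint32_t)acc - 1u) >> 31;   /* 1 iff acc == 0 */
    return (int)(1u - is_zero);
}

/* Constant-time select: out = b if selector is 1, else a. A mask replaces the
 * branch and both inputs are read whatever the selector is. */
void ct_select(uint8_t *out, const uint8_t *a, const uint8_t *b, size_t n, int selector) {
    uint8_t mask = (uint8_t)(-(selector & 1));        /* 0x00 or 0xFF */
    for (size_t i = 0; i < n; i++) out[i] = a[i] ^ (mask & (a[i] ^ b[i]));
}

/* Decapsulation-shaped finish: the output is the real shared secret when the
 * re-encrypted ciphertext matches the received one and the rejection value
 * otherwise, chosen without a secret-dependent branch. Returns the mismatch flag. */
int finish_decaps(uint8_t *ss_out, size_t ss_len,
                  const uint8_t *ct_received, const uint8_t *ct_recomputed, size_t ct_len,
                  const uint8_t *ss_real, const uint8_t *ss_reject) {
    int mismatch = ct_compare(ct_received, ct_recomputed, ct_len);
    ct_select(ss_out, ss_real, ss_reject, ss_len, mismatch);
    return mismatch;
}

/* Constructed sample data for a stand-alone check: returns 1 if a matching
 * ciphertext yields ss_real and a one-byte mismatch yields ss_reject. */
int demo_ok(void) {
    static const uint8_t ct[4] = {0x01, 0x02, 0x03, 0x04}, ct_bad[4] = {0x01, 0x02, 0x03, 0x05};
    static const uint8_t real[2] = {0xAA, 0xBB}, reject[2] = {0x11, 0x22};
    uint8_t out[2];
    int m1 = finish_decaps(out, 2, ct, ct, 4, real, reject);
    int good = (m1 == 0) && out[0] == 0xAA && out[1] == 0xBB;
    int m2 = finish_decaps(out, 2, ct_bad, ct, 4, real, reject);
    good = good && (m2 == 1) && out[0] == 0x11 && out[1] == 0x22;
    return good;
}

int main(void) {
    printf("constant-time finish: %s\n", demo_ok() ? "selects the expected secret" : "FAILURE");
    return demo_ok() ? 0 : 1;
}
```

Note that the source-level property is necessary but not sufficient: an optimizing compiler is free to turn the mask in `ct_select` back into a conditional jump, so the absence of secret-dependent branches and addresses should be confirmed on the compiled binary, not only in the C.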

Our GitHub project contains a version of our submission package code that is more amenable to building as a standalone library:

Copyright © FrodoKEM team 2017.

FrodoKEM source code licensed under MIT License; see GitHub project for details.
