Link Search Menu Expand Document

FrodoKEM

  • Algorithm type: Key encapsulation mechanism.
  • Main cryptographic assumption: learning with errors (LWE).
  • Principal submitters: Michael Naehrig, Erdem Alkim, Joppe Bos, Léo Ducas, Karen Easterbrook, Brian LaMacchia, Patrick Longa, Ilya Mironov, Valeria Nikolaenko, Christopher Peikert, Ananth Raghunathan, Douglas Stebila.
  • Authors’ website: https://frodokem.org/
  • Specification version: NIST Round 3 submission.
  • Implementation source: https://github.com/microsoft/PQCrypto-LWEKE/commit/b6609d30a9982318d7f2937aa3c7b92147b917a2
  • Implementation license (SPDX-Identifier): MIT.

Parameter set summary

Parameter set Security model Claimed NIST Level Public key size (bytes) Secret key size (bytes) Ciphertext size (bytes) Shared secret size (bytes)
FrodoKEM-640-AES IND-CCA2 1 9616 19888 9720 16
FrodoKEM-640-SHAKE IND-CCA2 1 9616 19888 9720 16
FrodoKEM-976-AES IND-CCA2 3 15632 31296 15744 24
FrodoKEM-976-SHAKE IND-CCA2 3 15632 31296 15744 24
FrodoKEM-1344-AES IND-CCA2 5 21520 43088 21632 32
FrodoKEM-1344-SHAKE IND-CCA2 5 21520 43088 21632 32

FrodoKEM-640-AES implementation characteristics

Identifier in upstream Supported architecture(s) Supported operating system(s) CPU extension(s) used No branching-on-secrets claimed? No branching-on-secrets checked by valgrind? Large stack usage?‡
master All All None True True False
master x86_64 Linux,Darwin,Windows AVX2 True True False

Are implementations chosen based on runtime CPU feature detection? Yes.

‡For an explanation of what this denotes, consult the Explanation of Terms section at the end of this file.

FrodoKEM-640-SHAKE implementation characteristics

Identifier in upstream Supported architecture(s) Supported operating system(s) CPU extension(s) used No branching-on-secrets claimed? No branching-on-secrets checked by valgrind? Large stack usage?
master All All None True True False
master x86_64 Linux,Darwin,Windows AVX2 True True False

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-976-AES implementation characteristics

Identifier in upstream Supported architecture(s) Supported operating system(s) CPU extension(s) used No branching-on-secrets claimed? No branching-on-secrets checked by valgrind? Large stack usage?
master All All None True True False
master x86_64 Linux,Darwin,Windows AVX2 True True False

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-976-SHAKE implementation characteristics

Identifier in upstream Supported architecture(s) Supported operating system(s) CPU extension(s) used No branching-on-secrets claimed? No branching-on-secrets checked by valgrind? Large stack usage?
master All All None True True False
master x86_64 Linux,Darwin,Windows AVX2 True True False

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-1344-AES implementation characteristics

Identifier in upstream Supported architecture(s) Supported operating system(s) CPU extension(s) used No branching-on-secrets claimed? No branching-on-secrets checked by valgrind? Large stack usage?
master All All None True True False
master x86_64 Linux,Darwin,Windows AVX2 True True False

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-1344-SHAKE implementation characteristics

Identifier in upstream Supported architecture(s) Supported operating system(s) CPU extension(s) used No branching-on-secrets claimed? No branching-on-secrets checked by valgrind? Large stack usage?
master All All None True True False
master x86_64 Linux,Darwin,Windows AVX2 True True False

Are implementations chosen based on runtime CPU feature detection? Yes.

Explanation of Terms

  • Large Stack Usage: Implementations identified as having such may cause failures when running in threads or in constrained environments.







Copyright © 2017-2021 The Open Quantum Safe Project.
This site uses Just the Docs, a documentation theme for Jekyll. Background image by Rick Doble.