FrodoKEM

  • Algorithm type: Key encapsulation mechanism.
  • Main cryptographic assumption: learning with errors (LWE).
  • Principal submitters: Michael Naehrig, Erdem Alkim, Joppe Bos, Léo Ducas, Karen Easterbrook, Brian LaMacchia, Patrick Longa, Ilya Mironov, Valeria Nikolaenko, Christopher Peikert, Ananth Raghunathan, Douglas Stebila.
  • Authors' website: https://frodokem.org/
  • Specification version: NIST Round 3 submission.
  • Primary Source:

Parameter set summary

| Parameter set | Parameter set alias | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
|---|---|---|---|---|---|---|---|
| FrodoKEM-640-AES | NA | IND-CCA2 | 1 | 9616 | 19888 | 9720 | 16 |
| FrodoKEM-640-SHAKE | NA | IND-CCA2 | 1 | 9616 | 19888 | 9720 | 16 |
| FrodoKEM-976-AES | NA | IND-CCA2 | 3 | 15632 | 31296 | 15744 | 24 |
| FrodoKEM-976-SHAKE | NA | IND-CCA2 | 3 | 15632 | 31296 | 15744 | 24 |
| FrodoKEM-1344-AES | NA | IND-CCA2 | 5 | 21520 | 43088 | 21632 | 32 |
| FrodoKEM-1344-SHAKE | NA | IND-CCA2 | 5 | 21520 | 43088 | 21632 | 32 |

FrodoKEM-640-AES implementation characteristics

| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
|---|---|---|---|---|---|---|---|
| Primary Source | master | All | All | None | True | True | False |
| Primary Source | master | x86_64 | Linux,Darwin,Windows | AVX2 | True | True | False |

Are implementations chosen based on runtime CPU feature detection? Yes.

‡For an explanation of what this denotes, consult the Explanation of Terms section at the end of this file.

FrodoKEM-640-SHAKE implementation characteristics

| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
|---|---|---|---|---|---|---|---|
| Primary Source | master | All | All | None | True | True | False |
| Primary Source | master | x86_64 | Linux,Darwin,Windows | AVX2 | True | True | False |

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-976-AES implementation characteristics

| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
|---|---|---|---|---|---|---|---|
| Primary Source | master | All | All | None | True | True | False |
| Primary Source | master | x86_64 | Linux,Darwin,Windows | AVX2 | True | True | False |

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-976-SHAKE implementation characteristics

| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
|---|---|---|---|---|---|---|---|
| Primary Source | master | All | All | None | True | True | False |
| Primary Source | master | x86_64 | Linux,Darwin,Windows | AVX2 | True | True | False |

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-1344-AES implementation characteristics

| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
|---|---|---|---|---|---|---|---|
| Primary Source | master | All | All | None | True | True | False |
| Primary Source | master | x86_64 | Linux,Darwin,Windows | AVX2 | True | True | False |

Are implementations chosen based on runtime CPU feature detection? Yes.

FrodoKEM-1344-SHAKE implementation characteristics

| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
|---|---|---|---|---|---|---|---|
| Primary Source | master | All | All | None | True | True | False |
| Primary Source | master | x86_64 | Linux,Darwin,Windows | AVX2 | True | True | False |

Are implementations chosen based on runtime CPU feature detection? Yes.

Explanation of Terms

  • Large Stack Usage: Implementations flagged with this property may fail when run in threads or in constrained environments.