<!doctype html> <html lang="en"> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /> <title>FrodoKEM</title> <meta name="description" content="FrodoKEM: Practical quantum-secure key encapsulation from generic lattices" /> <meta name="keywords" content="FrodoKEM,Frodo,lattices,learning with errors,post-quantum cryptography,NIST submission" /> <link rel="canonical" href="https://frodokem.org/"> <link rel="icon" type="image/png" href="img/logos/frodokem-square-32.png" sizes="32x32" /> <link rel="icon" type="image/png" href="img/logos/frodokem-square-152.png" sizes="152x152" /> <link rel="icon" type="image/png" href="img/logos/frodokem-square-152.png" sizes="160x160" /> <link rel="icon" type="image/png" href="img/logos/frodokem-square-192.png" sizes="192x192" /> <link rel="icon" type="image/jpeg" href="img/logos/frodokem-square-768.jpg" sizes="768x768" /> <link rel="apple-touch-icon" href="img/logos/frodokem-square-152.png" /> <meta property="og:title" content="FrodoKEM" /> <meta property="og:description" content="FrodoKEM: Practical quantum-secure key encapsulation from generic lattices" /> <meta property="og:url" content="" /> <meta property="og:image" content="img/logos/frodokem-square-768.jpg" /> <meta property="og:image:type" content="image/jpeg" /> <meta property="og:image:width" content="768" /> <meta property="og:image:height" content="768" /> <link rel="stylesheet" href="css/bootstrap.min.css"> <style> #header { background-color: #333333; background-image: url('img/frodokem-bg-960.jpg'); background-size: 100%; background-position: center; height: 300px; display: flex; flex-direction: column; justify-content: center; } #header h1, #header h2 { color: #9ce3fd; font-weight: bold; text-shadow: black 0px 0px 5px; } .bg-light { background-color: #9ce3fd!important; } @media (min-width: 576px) { #header { background-image: url('img/frodokem-bg-960.jpg'); height: 300px; } #header h1 { font-size: 400%; 
} #header h2 { font-size: 200%; } } @media (min-width: 768px) { #header { background-image: url('img/frodokem-bg-1920.jpg'); height: 300px; } #header h1 { font-size: 400%; } #header h2 { font-size: 200%; } } @media (min-width: 1200px) { #header { background-image: url('img/frodokem-bg-1920.jpg'); height: 500px; } #header h1 { font-size: 600%; } #header h2 { font-size: 300%; } } </style> </head> <body> <nav class="navbar fixed-top navbar-expand-lg navbar-light bg-light"> <a class="navbar-brand" href="index.html#"><b>FrodoKEM</b></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"> <span class="navbar-toggler-icon"></span> </button> <div class="collapse navbar-collapse" id="navbarSupportedContent"> <ul class="navbar-nav mr-auto"> <li class="nav-item"><a class="nav-link" href="#about">About</a></li> <li class="nav-item"><a class="nav-link" href="#team">Team</a></li> <li class="nav-item"><a class="nav-link" href="#spec">Specification</a></li> <li class="nav-item"><a class="nav-link" href="#code">Code</a></li> </ul> </div> </nav> <div class="container-fluid"> <br /> <div class="row"> <div id="header" class="col-sm-12"> <div class="row"> <div class="col-sm-12 col-md-10 offset-md-1 col-xl-8 offset-xl-2"> <h1>FrodoKEM</h1> <h2>Practical quantum-secure key encapsulation from generic lattices</h2> </div> </div> </div> </div> <br /> <div class="row"> <div class="col-sm-12 col-md-10 offset-md-1 col-xl-8 offset-xl-2"> <h1 id="about">About FrodoKEM</h1> <p>FrodoKEM is a family of key-encapsulation mechanisms that are designed to be <i>conservative</i> yet <i>practical</i> post-quantum constructions whose security derives from cautious parameterizations of the well-studied <i>learning with errors</i> problem, which in turn has close connections to conjectured-hard problems on <i>generic</i>, algebraically unstructured lattices.</p> 
<p>Concretely, FrodoKEM is designed for IND-CCA security at three levels:</p> <ul> <li>FrodoKEM-640, which targets Level 1 in the NIST call for proposals (matching or exceeding the brute-force security of AES-128),</li> <li>FrodoKEM-976, which targets Level 3 in the NIST call for proposals (matching or exceeding the brute-force security of AES-192),</li> <li>FrodoKEM-1344, which targets Level 5 in the NIST call for proposals (matching or exceeding the brute-force security of AES-256).</li> </ul> <p>FrodoKEM comes in two variants, distinguished by whether key pairs may be reused: a standard variant that places no restriction on the reuse of key pairs, and an ephemeral variant (eFrodoKEM) that requires a fresh key pair after a fairly small number (e.g., 2^8) of protocol executions.</p> <p>For each security level and variant, there is a choice of the symmetric primitive used in one step of the protocol:</p> <ul> <li>FrodoKEM-640-AES, FrodoKEM-976-AES, and FrodoKEM-1344-AES, and eFrodoKEM-640-AES, eFrodoKEM-976-AES, and eFrodoKEM-1344-AES, which use AES-128 to pseudorandomly generate the large public matrix (<b>A</b>).</li> <li>FrodoKEM-640-SHAKE, FrodoKEM-976-SHAKE, and FrodoKEM-1344-SHAKE, and eFrodoKEM-640-SHAKE, eFrodoKEM-976-SHAKE, and eFrodoKEM-1344-SHAKE, which use SHAKE128 to pseudorandomly generate the matrix.</li> 
</ul> <p>The AES variants are particularly suitable for devices with AES hardware acceleration (such as AES-NI on Intel platforms), while the SHAKE variants generally offer competitive or better performance than the AES variants in the absence of hardware acceleration.</p> <p>FrodoKEM was selected as a "Round 3 alternate candidate" in the <a href="https://nist.gov/pqcrypto">NIST Post-Quantum Cryptography Standardization project</a>, but was not selected for standardization.</p> <p>FrodoKEM, at levels 3 and 5, is one of two post-quantum algorithms <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=10">recommended by the German Federal Office for Information Security (BSI)</a> as cryptographically suitable for long-term confidentiality.</p> <h1 id="team">Team</h1> <p>The FrodoKEM team consists of:</p> <ul> <li>Erdem Alkim</li> <li>Joppe W. Bos, NXP Semiconductors</li> <li>Léo Ducas, CWI</li> <li>Lewis Glabush, EPFL</li> <li>Patrick Longa, Microsoft Research</li> <li>Ilya Mironov</li> <li>Michael Naehrig, Microsoft Research</li> <li>Valeria Nikolaenko</li> <li>Chris Peikert, University of Michigan</li> <li>Ananth Raghunathan</li> <li>Douglas Stebila, University of Waterloo</li> </ul> <p>Additional submitters for the FrodoKEM NIST submission are:</p> <ul> <li>Karen Easterbrook, Microsoft Research</li> <li>Brian LaMacchia</li> </ul> <p>FrodoKEM builds on an extensive line of literature, which is detailed in the specification.</p> <p>You can contact the FrodoKEM team by emailing <a href="mailto:contact@frodokem.org">contact@frodokem.org</a>.</p> <h1 id="spec">Specification</h1> <p>The current version of the FrodoKEM specification is the Preliminary Standardization Proposal submitted on 2024/12/05:</p> <p><a class="btn btn-success" href="files/FrodoKEM_standard_proposal_20241205.pdf">View FrodoKEM specification (PDF)</a></p> <p>This document is complemented by <a 
href="files/FrodoKEM-annex-20230418.pdf">Annex on FrodoKEM updates, April 18, 2023 version (PDF)</a> and the <a href="files/FrodoKEM-specification-20210604.pdf">NIST Round 3 specification, June 2021 update</a>.</p> <p>An equivalent version of FrodoKEM is also available as an Internet-Draft:</p> <p><a class="btn btn-success" href="https://datatracker.ietf.org/doc/draft-longa-cfrg-frodokem/">View FrodoKEM Internet-Draft</a></p> <h1 id="code">Code</h1> <p>We make available:</p> <ul> <li>a reference implementation written exclusively in portable C,</li> <li>an optimized implementation written exclusively in portable C that includes efficient algorithms to generate the matrix <b>A</b> and to compute the matrix operations <b>A</b><b>S</b> + <b>E</b> and <b>S</b>'<b>A</b> + <b>E</b>',</li> <li>an additional optimized implementation for x64 platforms that exploits Advanced Vector Extensions 2 (AVX2) intrinsic instructions, and</li> <li>an extensively commented reference implementation written exclusively in Python 3.</li> </ul> <p>The implementations support all twelve schemes: FrodoKEM-640-AES, FrodoKEM-640-SHAKE, FrodoKEM-976-AES, FrodoKEM-976-SHAKE, FrodoKEM-1344-AES, and FrodoKEM-1344-SHAKE, and eFrodoKEM-640-AES, eFrodoKEM-640-SHAKE, eFrodoKEM-976-AES, eFrodoKEM-976-SHAKE, eFrodoKEM-1344-AES, and eFrodoKEM-1344-SHAKE. The reference and optimized implementations differ only in that the latter includes two efficient functions, one to generate the public matrix <b>A</b> and one to compute the matrix operations <b>A</b><b>S</b> + <b>E</b> and <b>S</b>'<b>A</b> + <b>E</b>'; the AVX2 implementation in turn differs from the optimized one only in using AVX2 intrinsic instructions to speed up those same two functions. 
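</p> <p>To make those matrix steps concrete, the following is a deliberately tiny Frodo-style key encapsulation in Python 3. It is an added example written for this page, not the FrodoKEM reference, optimized or Python code, and its parameters (<i>n</i> = 64, <i>q</i> = 2^15, an 8-column secret, a three-entry error table, little-endian bit packing of the secret) are toy values chosen so that it runs instantly and the arithmetic stays visible; they are not a FrodoKEM parameter set and give no real security. It shows the SHAKE128 row-by-row expansion of <b>A</b> from a seed, a CDF-table error sampler, the products <b>A</b><b>S</b> + <b>E</b> and <b>S</b>'<b>A</b> + <b>E</b>', and the encoding and decoding of the shared bits in the high bits of the LWE samples. It omits the Fujisaki-Okamoto transform that gives FrodoKEM its IND-CCA security (the real scheme derives the encapsulation randomness from a hash of the public key and message, and the session key from a hash over the ciphertext), so what runs here is the IND-CPA core only.</p>

```python
"""Toy Frodo-style LWE key encapsulation (added example, not FrodoKEM's code).

Parameters and the error table are assumptions chosen for readability and
speed; they are NOT a FrodoKEM parameter set and give no real security.
"""
import hashlib

N = 64                     # A is N x N
NBAR = 8                   # S, E are N x NBAR; S', E' are NBAR x N
LOGQ = 15                  # modulus q = 2**15
Q = 2 ** LOGQ
EXTRACT = 2                # secret bits carried per entry of the NBAR x NBAR block
KEY_BYTES = NBAR * NBAR * EXTRACT // 8   # 16 bytes, i.e. a 128-bit shared secret
MASK = 2 ** EXTRACT - 1
# Toy half-distribution CDF over 15-bit samples: error values in {-2..2} with
# P(0)=1/2, P(+-1)=3/16, P(+-2)=1/16. FrodoKEM's real tables approximate a
# rounded Gaussian; this one only has the same shape.
ERR_CDF = (16384, 28672, 32767)


def words_from_shake(domain, seed, count):
    """Expand domain||seed into `count` 16-bit little-endian words via SHAKE128."""
    raw = hashlib.shake_128(domain + seed).digest(2 * count)
    return [raw[2 * i] | (raw[2 * i + 1] * 256) for i in range(count)]


def gen_a(seed_a):
    """Public matrix A: row i is SHAKE128(i || seed_a) reduced mod q, the
    row-by-row expansion used by the SHAKE variants."""
    return [[w % Q for w in words_from_shake(i.to_bytes(2, "little"), seed_a, N)]
            for i in range(N)]


def sample_error(word):
    """CDF-table sampler: low bit is the sign, the upper 15 bits are compared
    against every table entry with a mask instead of a branch or early exit
    (the C trick; in Python this is only illustrative of the idea)."""
    sign, r = word & 1, word >> 1
    k = 0
    for t in ERR_CDF:
        k += ((t - r) & 0xFFFF) >> 15   # 1 exactly when r > t
    return ((-sign) ^ k) + sign          # negate k when sign == 1


def sample_matrix(domain, seed, rows, cols):
    """rows x cols matrix of error samples drawn from SHAKE128(domain || seed)."""
    words = words_from_shake(domain, seed, rows * cols)
    return [[sample_error(words[r * cols + c]) for c in range(cols)] for r in range(rows)]


def matmul_add(x, y, e):
    """(x * y + e) mod q on plain row-major lists of lists."""
    inner = len(y)
    return [[(sum(x[r][k] * y[k][c] for k in range(inner)) + e[r][c]) % Q
             for c in range(len(y[0]))] for r in range(len(x))]


def encode(mu):
    """Place each EXTRACT-bit chunk of mu in the top bits of an NBAR x NBAR entry."""
    per_byte = 8 // EXTRACT
    m = [[0] * NBAR for _ in range(NBAR)]
    for t in range(NBAR * NBAR):
        k = (mu[t // per_byte] >> (EXTRACT * (t % per_byte))) & MASK
        m[t // NBAR][t % NBAR] = k * 2 ** (LOGQ - EXTRACT)
    return m


def decode(m):
    """Round each entry to the nearest multiple of q / 2**EXTRACT and repack."""
    per_byte = 8 // EXTRACT
    out = bytearray(KEY_BYTES)
    for t in range(NBAR * NBAR):
        v = m[t // NBAR][t % NBAR] + 2 ** (LOGQ - EXTRACT - 1)   # add half a step
        k = (v >> (LOGQ - EXTRACT)) & MASK
        out[t // per_byte] |= k * 2 ** (EXTRACT * (t % per_byte))
    return bytes(out)


def keygen(seed_a, seed_se):
    """Public key (seed_a, B = A*S + E mod q), secret key S."""
    a = gen_a(seed_a)
    s = sample_matrix(b"S", seed_se, N, NBAR)
    e = sample_matrix(b"E", seed_se, N, NBAR)
    return (seed_a, matmul_add(a, s, e)), s


def encaps(pk, mu, seed_se):
    """Ciphertext (B' = S'*A + E', C = S'*B + E'' + Encode(mu)) for a 16-byte mu."""
    seed_a, b = pk
    a = gen_a(seed_a)
    sp = sample_matrix(b"S'", seed_se, NBAR, N)
    ep = sample_matrix(b"E'", seed_se, NBAR, N)
    epp = sample_matrix(b"E''", seed_se, NBAR, NBAR)
    bp = matmul_add(sp, a, ep)
    c = matmul_add(sp, b, epp)
    enc = encode(mu)
    return bp, [[(c[r][k] + enc[r][k]) % Q for k in range(NBAR)] for r in range(NBAR)]


def decaps(sk, ct):
    """C - B'*S = Encode(mu) + (S'E - E'S + E''); the noise is small, so round."""
    bp, c = ct
    zero = [[0] * NBAR for _ in range(NBAR)]
    bps = matmul_add(bp, sk, zero)
    return decode([[(c[r][k] - bps[r][k]) % Q for k in range(NBAR)] for r in range(NBAR)])


def demo():
    """One exchange with constructed seeds; True if both sides get the same mu."""
    pk, sk = keygen(b"constructed seedA", b"constructed keygen coins")
    mu = bytes(range(KEY_BYTES))                       # constructed 128-bit secret
    ct = encaps(pk, mu, b"constructed encaps coins")
    return decaps(sk, ct) == mu


if __name__ == "__main__":
    print("shared secret recovered:", demo())
```

<p>With the toy error table every error value lies in [-2, 2], so each entry of the decryption noise <b>S</b>'<b>E</b> - <b>E</b>'<b>S</b> + <b>E</b>'' is bounded by 2·64·4 + 2 = 514 in absolute value, well inside the decoding radius q/2^(B+1) = 4096; decapsulation therefore always recovers <i>mu</i> here, whereas the real parameter sets are tuned so that the decryption-failure probability is merely negligible rather than zero. The seeds passed to keygen and encaps stand in for the fresh randomness a real implementation must draw from a cryptographic RNG.</p> <p>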
Because they differ only in those two functions, the implementations share most of their codebase, which illustrates the simplicity of software based on FrodoKEM.</p> <p>All our implementations avoid secret-dependent memory accesses and secret-dependent branches, the standard software defence against timing and cache-timing attacks. As with any constant-time C code, that property should be re-checked on the compiled binary for each toolchain, and it does not by itself address physical side channels such as power or electromagnetic analysis or fault injection, which need separate countermeasures.</p> <p><a class="btn btn-primary" href="https://github.com/Microsoft/PQCrypto-LWEKE">View FrodoKEM code on GitHub</a></p> <h1 id="downloads">Downloads</h1> <p>Internet-Draft (March, 2025)</p> <ul> <li><a href="https://datatracker.ietf.org/doc/draft-longa-cfrg-frodokem/">FrodoKEM Internet-Draft – 2025/03/17</a></li> </ul> <p>Preliminary Standardization Proposal (December, 2024)</p> <ul> <li><a href="files/FrodoKEM_standard_proposal_20241205.pdf">FrodoKEM Preliminary Standardization Proposal – 2024/12/05 (PDF)</a></li> </ul> <p>Preliminary Standardization Proposal (March/April, 2023)</p> <ul> <li><a href="files/FrodoKEM-standard_proposal-20230314.pdf">FrodoKEM Preliminary Standardization Proposal (submitted to ISO) – 2023/03/14 (PDF)</a></li> <li><a href="files/FrodoKEM-annex-20230418.pdf">Annex on FrodoKEM updates – 2023/04/18 (PDF)</a></li> </ul> <p>June 4, 2021 update</p> <ul> <li><a href="files/FrodoKEM-specification-20210604.pdf">FrodoKEM Round 3 specification – 2021/06/04 (PDF)</a></li> </ul> <p>NIST Round 3 submission (September 30, 2020)</p> <ul> <li><a href="files/FrodoKEM-specification-20200930.pdf">FrodoKEM Round 3 specification – 2020/09/30 (PDF)</a></li> <li><a href="files/FrodoKEM-changes-20200930.pdf">FrodoKEM Round 3 changelog – 2020/09/30 (PDF)</a></li> <li><a href="files/FrodoKEM-20200930.zip">FrodoKEM Round 3 submission package – 2020/09/30 (ZIP)</a></li> </ul> <p>March 25, 2020 update</p> <ul> <li><a href="files/FrodoKEM-specification-20200325.pdf">FrodoKEM updated specification – 2020/03/25 (PDF)</a></li> <li><a href="files/FrodoKEM-python-20200325.zip">FrodoKEM Python 3 implementation – 2020/03/25 (ZIP)</a></li> </ul> <p>July 2, 2019 update</p> <ul> <li><a 
href="files/FrodoKEM-specification-20190702.pdf">FrodoKEM updated specification – 2019/07/02 (PDF)</a></li> <li><a href="files/FrodoKEM-parameter-search-scripts-20190702.zip">FrodoKEM updated parameter search scripts – 2019/07/02 (ZIP)</a></li> </ul> <p>NIST Round 2 submission (March 30, 2019)</p> <ul> <li><a href="files/FrodoKEM-specification-20190330.pdf">FrodoKEM Round 2 specification – 2019/03/30 (PDF)</a></li> <li><a href="files/FrodoKEM-20190330.zip">FrodoKEM Round 2 submission package – 2019/03/30 (ZIP)</a></li> </ul> <p>NIST Round 1 submission (November 30, 2017)</p> <ul> <li><a href="files/FrodoKEM-specification-20171130.pdf">FrodoKEM Round 1 specification – 2017/11/30 (PDF)</a></li> <li><a href="files/FrodoKEM-20171130.zip">FrodoKEM Round 1 submission package – 2017/11/30 (ZIP)</a></li> </ul> <p>Pre-NIST</p> <ul> <li><a href="https://www.douglas.stebila.ca/files/research/papers/CCS-BCDMNNRS16-full.pdf">"Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE" In Proc. 
23rd ACM Conference on Computer and Communications Security (CCS) 2016 (PDF)</a></li> </ul> <h4>Third-party implementations</h4> <ul> <li><a href="https://github.com/kuking/go-frodokem">FrodoKEM in Go</a>, by Eduardo Riccardi</li> <li><a href="https://github.com/cloudflare/circl/pull/311">FrodoKEM in Go</a> via Cloudflare's CIRCL library, by Goutam Tamvada</li> <li><a href="https://github.com/itzmeanjan/frodokem">FrodoKEM in C++ as a header-only library</a>, by Anjan Roy</li> <li><a href="https://github.com/randombit/botan">Botan</a>, a C++ cryptography library</li> </ul> <h1 id="news">News</h1> <ul> <li>December 16, 2019: <a href="https://background.tagesspiegel.de/digitalisierung/informationssicherheit-im-quantenzeitalter">Tagesspiegel Background: "Informationssicherheit im Quantenzeitalter"</a> – Arne Schönbohm, President of the Bundesamt für Sicherheit in der Informationstechnik (BSI), announces that FrodoKEM will be recommended by BSI as one of two key exchange methods that are 'fundamentally suitable (in hybrid solutions)'.</li> <li>July 22, 2020: <a href="https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions">NIST Round 3 Candidates</a> – FrodoKEM is selected by NIST as a Round 3 "alternate candidate".</li> <li>August 24, 2020: <a href="https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Post-Quanten-Kryptografie_200824.html">Post-Quanten-Kryptografie: Update der Handlungsempfehlungen</a> – Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) continues to recommend FrodoKEM for providing post-quantum confidentiality.</li> <li>March 31, 2021: <a href="https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html">BSI TR-02102-1 "Cryptographic Procedures: Recommendations and Key Lengths" Version: 2021-01</a>: BSI recommendation for use of FrodoKEM for post-quantum confidentiality.</li> <li>January 18, 2022: <a 
href="https://english.aivd.nl/publications/publications/2022/01/18/prepare-for-the-threat-of-quantumcomputers">Prepare for the threat of quantumcomputers</a> – The Netherlands National Communications Security Agency (NLNCSA) recommends FrodoKEM to achieve post-quantum confidentiality.</li> <li>July 5, 2022: <a href="https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-round-4">NIST PQC Standardization Process: Announcing Four Candidates to be Standardized, Plus Fourth Round Candidates</a> – FrodoKEM is not selected by NIST for standardization or Round 4. Congratulations to the Kyber team and the candidates proceeding to Round 4.</li> <li>October, 2022: ISO/IEC JTC 1/SC 27/WG 2 establishes a preliminary work item to consider standardization of FrodoKEM.</li> <li>April, 2023: ISO/IEC JTC 1/SC 27/WG 2 has agreed to move forward with the standardization of FrodoKEM as an approved mechanism in a revision of ISO/IEC 18033-2, Encryption algorithms — Part 2: Asymmetric ciphers.</li> <li>March, 2025: <a href="https://datatracker.ietf.org/doc/draft-longa-cfrg-frodokem/">FrodoKEM submitted to IRTF Crypto Forum Research Group (CFRG) as an Internet-Draft</a></li> </ul> <br /> <br /> <br /> <br /> <p class="small">Copyright &copy; FrodoKEM team 2017–2023. <br /> FrodoKEM source code licensed under MIT License; see GitHub project for details. <br /> Cover image by <a href="https://pixabay.com/en/neon-glow-glowing-light-design-660989/">LoveToTakePhotos on pixabay.com</a>. </p> </div> </div> </div> <script src="js/jquery-3.2.1.slim.min.js"></script> <script src="js/popper.min.js"></script> <script src="js/bootstrap.min.js"></script> </body> </html>