FrodoKEM

Learning With Errors Key Encapsulation

Algorithm Specifications And Supporting Documentation

November 30, 2017

1
Contents
1 Introduction and design rationale 4
1.1 Pedigree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Design overview and rationale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.1 Generic, algebraically unstructured lattices . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.2 Parameters from worst-case reductions and conservative cryptanalysis . . . . . . . . . 6
1.2.3 Simplicity of design and implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3 Other features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2 Written specification 9
2.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.2 Cryptographic definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.3 Learning With Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1.4 Gaussians . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.1.5 Lattices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2 Algorithm description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.1 Matrix encoding of bit strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.2 Packing matrices modulo q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.3 Deterministic random bit generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.4 Sampling from the error distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.5 Pseudorandom matrix generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.6 FrodoPKE: IND-CPA-secure public key encryption scheme . . . . . . . . . . . . . . . . 16
2.2.7 Correctness of IND-CPA PKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.8 Transform from IND-CPA PKE to IND-CCA KEM . . . . . . . . . . . . . . . . . . . 18
2.2.9 FrodoKEM: IND-CCA-secure key encapsulation mechanism . . . . . . . . . . . . . . . 19
2.2.10 Correctness of IND-CCA KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2.11 Interconversion to IND-CCA PKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.3 Cryptographic primitives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.4 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.4.1 High-level overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.4.2 Parameter constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.4.3 Selected parameter sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.5 Summary of parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.6 Provenance of constants and tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3 Performance analysis 24
3.1 Associated implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2 Performance analysis on x64 Intel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2.1 Performance using AES128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2.2 Performance using cSHAKE128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2.3 Memory analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.3 Performance analysis on ARM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4 Known Answer Test (KAT) values 28

5 Justification of security strength 29

5.1 Security reductions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.1.1 IND-CCA Security of KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.1.2 IND-CPA Security of PKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.1.3 Approximating the error distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.1.4 Deterministic generation of A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5.1.5 Reductions from worst-case lattice problems . . . . . . . . . . . . . . . . . . . . . . . . 32
5.2 Cryptanalytic attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

2
 5.2.1 Methodology: the core-SVP hardness . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.2.2 Primal attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.3 Dual attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

6 Advantages and limitations 37

6.1 Ease of implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6.2 Compatibility with existing deployments and hybrid schemes . . . . . . . . . . . . . . . . . . 37
6.3 Hardware implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.4 Side-channel resistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

3
1 Introduction and design rationale
This submission defines a family of key-encapsulation mechanisms (KEMs), collectively called FrodoKEM.
The FrodoKEM schemes are designed to be conservative yet practical post-quantum constructions whose
security derives from cautious parameterizations of the well-studied learning with errors problem, which in
turn has close connections to conjectured-hard problems on generic, “algebraically unstructured” lattices.
Concretely, FrodoKEM is designed for IND-CCA security at two levels:
• FrodoKEM-640, which targets Level 1 in the NIST call for proposals (matching or exceeding the
brute-force security of AES-128), and
• FrodoKEM-976, which targets Level 3 in the NIST call for proposals (matching or exceeding the
brute-force security of AES-192).
Two variants of each of the above schemes are provided:
• FrodoKEM-640-AES and FrodoKEM-976-AES, which use AES128 to pseudorandomly generate a large
public matrix (called A).
• FrodoKEM-640-cSHAKE and FrodoKEM-976-cSHAKE, which use cSHAKE128 to pseudorandomly gen-
erate the matrix.
The AES variants are particularly suitable for devices having AES hardware acceleration (such as AES-NI
on Intel platforms), while the cSHAKE variants generally provide competitive or better performance in
comparison with the AES variants in the absence of hardware acceleration.
In the remainder of this section, we outline FrodoKEM’s scientific lineage, briefly explain our design choices
(with further details appearing in subsequent sections), and describe other features of our proposal beyond
those explicitly requested by NIST.

1.1 Pedigree
The core of FrodoKEM is a public-key encryption scheme called FrodoPKE,1 whose IND-CPA security is
tightly related to the hardness of a corresponding learning with errors problem. Here we briefly recall the
scientific lineage of these systems. See the surveys [82, 103, 92] for further details.
The seminal works of Ajtai [3] (published in 1996) and Ajtai–Dwork [4] (published in 1997) gave the first
cryptographic constructions whose security properties followed from the conjectured worst-case hardness
of various problems on point lattices in Rn . In subsequent years, these works were substantially refined
and improved, e.g., in [57, 30, 81, 101, 84]. Notably, in work published in 2005, Regev [102] defined the
learning with errors (LWE) problem, proved the hardness of (certain parameterizations of) LWE assuming
the hardness of various worst-case lattice problems against quantum algorithms, and defined a public-key
encryption scheme whose IND-CPA security is tightly related to the hardness of LWE.2
Regev’s initial work on LWE was followed by much more, which, among other things:
• provided additional theoretical support for the hardness of various LWE parameterizations (e.g., [88,
13, 28, 48, 83, 94]),
• extensively analyzed the concrete security of LWE and closely related lattice problems (e.g., [85, 40, 76,
8, 39, 6, 7, 69, 65, 10, 11, 24, 5, 9], among countless others), and
• constructed LWE-based cryptosystems with improved efficiency or additional functionality (e.g., [96,
95, 55, 32, 29, 56, 22, 58]).
In particular, in work published in 2011, Lindner and Peikert [75] gave a more efficient LWE-based public-key
encryption scheme that uses a square public matrix A ∈ Zn×n q instead of an oblong rectangular one.
The FrodoPKE scheme from this submission is an instantiation and implementation of the Lindner–Peikert
scheme [75] with some modifications, such as: pseudorandom generation of the public matrix A from a small
seed, more balanced key and ciphertext sizes, and new LWE parameters.
1 FrodoPKEis an intermediate building block used to create FrodoKEM, but is not a submission to the NIST competition.
2 As
pointed out in [89], Regev’s encryption scheme implicitly contains an (unauthenticated) “approximate” key-exchange
protocol analogous to the classic Diffie–Hellman protocol [46].

4
Frodo. FrodoPKE is closely related to an earlier work [24], called “Frodo,” by a subset of the authors of this
submission, which appeared at the 2016 ACM CCS conference. For clarity, we refer to the conference version
as FrodoCCS, and the KEM defined in this submission as FrodoKEM. The main differences are as follows:
• FrodoCCS was described as an unauthenticated key-exchange protocol, which can equivalently be viewed
as an IND-CPA-secure KEM, whereas FrodoKEM is designed to be an IND-CCA-secure KEM.
• FrodoCCS used a “reconciliation mechanism” to extract shared-key bits from approximately equal values
(similarly to [47, 91, 25, 11]), whereas FrodoKEM uses simpler key transport via public-key encryption
(as in [102, 75]).
• FrodoKEM uses significantly “wider” LWE error distributions than FrodoCCS does, which conform to
certain worst-case hardness theorems (see below).
• FrodoKEM uses different symmetric-key primitives than FrodoCCS does.

Chosen-ciphertext security. FrodoKEM achieves IND-CCA security by way of a transformation of the

IND-CPA-secure FrodoPKE. In work published in 1999, Fujisaki and Okamoto [51] gave a generic transform
from an IND-CPA PKE to an IND-CCA PKE, in the random-oracle model. At a high level, the Fujisaki–
Okamoto transform derives encryption coins pseudorandomly, and decryption regenerates these coins to
re-encrypt and check that the ciphertext is well-formed. In 2016, Targhi and Unruh [111] gave a modification
of the Fujisaki–Okamoto transform that achieves IND-CCA security in the quantum random-oracle model. In
2017, Hofheinz, Hövelmanns, and Kiltz [61] gave several variants of the Fujisaki–Okamoto and Targhi–Unruh
transforms that in particular convert an IND-CPA-secure PKE into an IND-CCA-secure KEM, and analyzed
them in both the classical and quantum random-oracle models, even for PKEs with non-zero decryption error.
FrodoKEM is constructed from FrodoPKE using a slight variant of one of the constructions from [61], that
includes additional values in hash computations to avoid multi-target attacks.

1.2 Design overview and rationale

Given the high cost and slow deployment of entirely new cryptographic systems, the desired decades-long
lifetime of such systems, and the unpredictable trajectory of quantum computing technology and quantum
cryptanalysis over the coming years, we argue that any post-quantum standard should follow a conservative
approach that errs comfortably on the side of security and simplicity over performance and (premature)
optimization. This principle permeates the design choices behind FrodoKEM, as we now describe.

1.2.1 Generic, algebraically unstructured lattices

The security of every public-key cryptosystem depends on the presumed intractability of one or more
computational problems. In lattice-based cryptography, the (plain) LWE problem [102] relates to solving a
“noisy” linear system modulo a known integer; it can also be interpreted as the problem of decoding a random
“unstructured” lattice from a certain class. There are also “algebraically structured” variants, called Ring-
LWE [78, 94] and Module-LWE [27, 72], and problems associated with the classic NTRU cryptosystem [60],
which are more compact and computationally efficient, but also have the potential for weaknesses due to the
extra structure.
After a good deal of investigation, the state of the art for recommended parameterizations of algebraic
LWE variants does not indicate any particular weaknesses in comparison to plain LWE. However, at present
there appear to be some gaps between the (quantum) complexity of some related, seemingly weaker problems
on certain kinds of algebraic lattices and their counterparts on general lattices. (See below for details.) Of
course, this only represents our current understanding of these problems, which could potentially change with
further cryptanalytic effort.
Given the unpredictable long-term outlook for algebraically structured lattices, and because any post-
quantum standard should remain secure for decades into the future—including against new quantum
attacks—we have based our proposal on the algebraically unstructured, plain LWE problem with conservative
parameterizations (see Section 1.2.2). While this choice comes at some cost in efficiency versus algebraic
lattice problems, our proposal is still eminently practical for the vast majority of today’s devices, networks,
and applications, and will become only more so in the coming years.

5
Algebraic lattices. Ring-LWE, Module-LWE, and NTRU-related problems can be viewed as decoding
(or in the case of NTRU, shortest vector) problems on random “algebraically structured” lattices over
certain polynomial rings. (Formally, the lattices are modules of a certain rank over the ring.) Similarly
to LWE, various parameterizations of Ring-LWE and Module-LWE, and even some non-standard versions
of NTRU [110], have been proven hard assuming the worst-case quantum hardness of certain problems on
lattices corresponding to ideals or modules over the ring [78, 72, 94].
For recommended parameterizations of Ring- and Module-LWE, the current best attacks perform essentially
the same as those for plain LWE, apart from some obvious linear-factor (in the ring dimension) savings
in time and memory; the same goes for the underlying worst-case problems on ideal and module lattices,
versus generic lattices [40, 107, 62, 26, 70].3 However, some conventional NTRU parameterizations admit
specialized attacks with significantly better asymptotic performance than on generic lattices with the same
parameters [65, 66]. In addition, a series of recent
√
works [31, 42, 43] has yielded a quantum polynomial-time
algorithm for very large but subexponential 2Õ( n) approximations to the worst-case Shortest Vector Problem
on ideal lattices over a widely used class of rings (in contrast to just slightly subexponential 2O(n log log n/ log n)
factors obtainable for general lattices [74, 108]). Note that these subexponential approximation factors are
still much larger than the small polynomial factors that are typically used in cryptography (so the reductions
have not been made vacuous), and the algorithms from [31, 42, 43] do not yet have any impact on Ring- or
Module-LWE themselves.

1.2.2 Parameters from worst-case reductions and conservative cryptanalysis

Like all cryptographic problems, LWE is an average-case problem, i.e., input instances are chosen at random
from a prescribed probability distribution. As already mentioned, some parameterizations of LWE admit
(quantum or classical) reductions from worst-case lattice problems. That is, any algorithm that solves
n-dimensional LWE (with some non-negligible advantage) can be converted with some polynomial overhead
into a (quantum) algorithm that solves certain short-vector problems on any n-dimensional lattice (with high
probability). Therefore, if the latter problems have some (quantumly) hard instances, then random instances
of LWE are also hard.
Worst-case/average-case reductions help guide the search for cryptographically hard problems in a
large design space, and offer (at minimum) evidence that the particular distribution of inputs does not
introduce any structural weaknesses. This is in contrast to several lattice-based proposals that lacked such
reductions, and turned out to be insecure because their distributions made “planted” secrets easy to recover,
e.g., [109, 86, 31, 42]. Indeed, Micciancio and Regev [85] argue that a reduction from a hard worst-case
problem

“. . . assures us that attacks on the cryptographic construction are likely to be effective only for
small choices of parameters and not asymptotically. In other words, it assures us that there are no
fundamental flaws in the design of our cryptographic construction. . . In principle the worst-case
security guarantee can help us in choosing concrete parameters for the cryptosystem, although in
practice this leads to what seems like overly conservative estimates, and . . . one often sets the
parameters based on the best known attacks.”
Not all LWE parameterizations admit reductions from worst-case lattice problems. For example, the
iterative
√ quantum reductions from [102, 94] require the use of Gaussian error having standard deviation at
least c n for an arbitrary constant c > 1/(2π), where n is the dimension of the LWE secret. In practice, a
drawback of using such “wide” error distributions for cryptography is the relatively large modulus required
to avoid decryption error, which leads to larger dimensions n and sizes of keys and ciphertexts for a desired
level of concrete security. Subsequent works like [48, 83] provided weaker reductions for “narrower” error
distributions, such as uniform over a small set (even {0, 1}), but only by restricting the number of LWE
samples available to the attacker—to fewer than the number exposed by LWE-based cryptosystems [102, 75],
in the case of moderately small errors. Note that some limitation on the number of samples is necessary,
3 Some unconventional parameterizations of Ring-LWE were specifically devised to be breakable by certain algebraic attacks [50,

37, 33, 38]. However, it was later shown that their error distributions are insufficiently “wide” relative to the ring, so they
reveal errorless (or nearly so) linear equations and can therefore be broken even more efficiently using elementary, non-algebraic
means [33, 93].

6
because LWE with errors bounded by (say) a constant is solvable in polynomial time, given a large enough
polynomial number of samples [14, 6]. Currently, there is still a sizeable gap between small-error LWE
parameters that are known to be vulnerable, and those conforming to a worst-case reduction. Most proposed
implementations use parameters that lie within this gap.

Error width and an alternative worst-case reduction. In keeping with our philosophy of using
conservative choices of hard problems that still admit practical implementations, our proposal uses “moderately
wide” Gaussian error of standard deviation σ ≥ 2.3, and (automatically) limits the number of LWE samples
available to the adversary. Although such parameters do not conform to the full quantum reductions
from [102, 94] for our choices of n, we show that they do conform to an alternative, classical worst-case
reduction that can be extracted from those works. (We note that the original version of Frodo from [24] used
a smaller σ that is not compatible with any of these reductions.)
In a little more detail, the alternative reduction is from a worst-case lattice problem we call “Bounded
Distance Decoding with Discrete Gaussian Samples” (BDDwDGS), which has been closely investigated
(though not under that name) in several works [2, 77, 102, 45]. Along with being classical (non-quantum), a
main advantage of the alternative reduction is that it works for LWE with (1) Gaussian error whose width
only needs to exceed the “smoothing parameter” [84] of the integer lattice Z for tiny enough ε > 0, and
(2) a correspondingly bounded number of samples. We view this reduction as evidence that the smoothing
parameter of Z is an important qualitative threshold for LWE error, which is why we use a standard
deviation σ which is comfortably above it. We also view the reduction as narrowing the gap between the
known weakness of small-error LWE with a large number of samples, and its apparent hardness with a small
number of samples. See Section 5.1.5 for full details.
We stress that we use the worst-case reduction only for guidance in choosing a narrow enough error
distribution for practice that still has some theoretical support, and not for any concrete security claim. As
alluded to in the above quote from [85] (see also [36]), the known worst-case reduction does not yield any
meaningful “end-to-end” security guarantee for our concrete parameters based on the conjecture hardness
of a worst-case problem, because the reduction is non-tight: it has some significant polynomial overhead in
running time and number of discrete Gaussian samples used, versus the number of LWE samples it produces.
(Improving the tightness of worst-case reductions is an interesting problem.) Instead, as stated in the above
quote from [85], we choose concrete parameters using a conservative analysis of the best known cryptanalytic
attacks, as described next.

Concrete cryptanalysis using core-SVP hardness. Our concrete security estimates are based on a
conservative methodology, as previously used for NewHope [11] and Frodo [24] and detailed in Section 5.2.1,
that estimates the “core-SVP hardness” of solving the underlying LWE problem. This methodology builds
on the extensive prior cryptanalysis of LWE and related lattice problems, and was further validated by recent
work [9], which concluded that its experimental results “confirm that lattice-reduction largely follows the
behavior expected from the 2016 estimate [11].” The core-SVP methodology counts only the first-order
exponential cost of just one (quantum) shortest-vector computation on a lattice of appropriate dimension to
solve the relevant LWE problem. Because it ignores lower-order terms like the significant subexponential
factors in the runtime, as well as the large exponential memory requirements, it significantly underestimates
the actual cost of known attacks, and allows for significant future improvement in these attacks.

1.2.3 Simplicity of design and implementation

Using plain LWE allows us to construct encryption and key-encapsulation schemes that are simple and easy
to implement, reducing the potential for errors. Wherever possible, design decisions were made in favor of
simplicity over more sophisticated mechanisms.

Modular arithmetic. Our LWE parameters use an integer modulus q ≤ 216 that is always a power of two.
This ensures that only single-precision arithmetic is needed, and that reduction modulo q can be computed
almost for free by bit-masking. (Reduction modulo 216 is even entirely free when 16-bit data types are used.)
Modular arithmetic is thus easy to implement correctly and in a way that is resistant to cache and timing
side-channel attacks.

7
Error sampling. Although our “ideal” LWE error distribution is a Gaussian with an appropriate standard
deviation, our implementation actually uses a distribution that is very close to it. Sampling from the
distribution is quite simple via a small lookup table and a few random bits, and is resistant to cache and
timing side-channels. (See Section 2.2.4 for details.) Using this alternative error distribution comes at very
little expense in the concrete security of FrodoKEM, which we show by analyzing the Rényi divergence between
the two distributions, following [15]. See Section 5.1.3 for full details.

Matrix-vector operations. Apart from error sampling and calls to symmetric primitives like AES or
cSHAKE, the main operations in our schemes are simple matrix-vector products. Compared to systems like
NewHope [11] or Kyber [23] that use algebraically structured LWE variants, our system has moderately
larger running times and bandwidth requirements, but is also significantly simpler, because there is no need
to implement fast polynomial multiplication algorithms (like the number-theoretic transform for a prime
modulus) to exploit the algebraic structure.

Encryption and key encapsulation without reconciliation. Our PKE and KEM use the original
method from Regev’s encryption scheme [102] of transmitting secret bits by simply adding their (q/2)-multiples
to pseudorandom values that the receiver can (approximately) subtract away. We do not need or use any of
the more complicated reconciliation mechanisms that were developed in the context of key-exchange protocols
(as mentioned above in Section 1.1).
In addition, unlike the Ring-LWE-based NewHope scheme [11], which transmits data using non-trivial
lattice codes to make up for bandwidth losses arising from a sparse set of friendly ring dimensions, plain-LWE-
based constructions do not have such bandwidth losses because the dimensions can be set freely. Therefore,
we also have no need for complex bandwidth-saving optimizations.

Simple and compact code base. Our focus on simplicity is manifested in the FrodoKEM code base. For
example, our x64 implementation of the full FrodoKEM scheme consists of only about 250 lines of plain C
code (not including header files and code for symmetric primitives). Moreover, the exact same code can be
used for other LWE parameters and security levels, solely by changing compile-time constants.

1.3 Other features

Flexible, fine-grained choice of parameters. The plain LWE problem imposes very few requirements
on its parameters, which makes it possible to rather tightly meet almost any desired security target in an
automated way, using the methodology described in Section 5.2.1. Alternative parameters can be selected
to reflect future advances in cryptanalysis, or to support other features beyond basic encryption and key
encapsulation. For example, by using a larger LWE modulus (e.g., q = 232 or q = 264 ) and appropriate
dimensions for a desired security level, FrodoPKE can easily support a large number of homomorphic additions,
or multiplications by (small) public scalars, on ciphertexts. Using even larger moduli, it can even be made
into a leveled or fully homomorphic encryption scheme, following [29].

Dynamically generated public matrices. To reduce the size of public keys and accelerate encryption,
the public matrix A ∈ Zn×nq could potentially be a fixed value that is chosen in a “nothing-up-my-sleeve”
fashion [18] and used for all keys (see [25] for an example of this in a Ring-LWE-based system). However, to
avoid the possibility of backdoors and all-for-the-price-of-one attacks [1], following prior work [11, 24] we
dynamically and pseudorandomly generate a fresh matrix A for every generated key. The pseudorandom
derivation is defined in a way that allows for fast generation of the entire matrix, or row-by-row generation
on devices that cannot store the entire matrix in memory. See Section 2.2.5 for details.

8
2 Written specification
2.1 Background
This defines the cryptographic primitives and security notions that are relevant to FrodoPKE and FrodoKEM,
as well as the mathematical background required to analyze their security.

2.1.1 Notation
We use the following notation throughout this document.
• Vectors are denoted with bold lower-case letters (e.g., a, b, v), and matrices are denoted with bold
upper-case letters (e.g., A, B, S). For a set D, the set of m-dimensional vectors with entries in D is
denoted by Dm , and the set of m-by-n matrices with entries in D is denoted by Dm×n .
• For an n-dimensional vector v, its ith entry for 0 ≤ i < n is denoted by vi .
• For an m-by-n matrix A, its (i, j)th entry (i.e., the entry in the ith row and jth column) for 0 ≤ i < m
and 0 ≤ j < n is denoted by Ai,j , and its ith row is denoted by Ai = (Ai,0 , Ai,1 , . . . , Ai,n−1 ).
• An m-bit string k ∈ {0, 1}m is written as a vector over the set {0, 1} and its ith bit for 0 ≤ i < m is
denoted by ki .
• The ring of integers is denoted by Z, and, for a positive integer q, the quotient ring of integers modulo q
is denoted by Zq = Z/qZ.
• For a probability distribution χ, the notation e ←$ χ denotes drawing a value e according to χ. The
n-fold product distribution of χ with itself is denoted by χn .
• For a finite set S, the uniform distribution on S is denoted by U (S).
• The floor of a real number a, i.e., the largest integer less than or equal to a, is denoted by bac.
• The closest integer to a real number a (with ties broken upward) is denoted by bae = ba + 1/2c.
• For a real vector v ∈ Rn , its Euclidean (i.e., `2 ) norm is denoted by kvk.
• For two n-dimensional vectors a, b over a common ring R, their inner product is denoted by ha, bi =
Pn−1
i=0 ai bi ∈ R.

2.1.2 Cryptographic definitions

This section states definitions of the cryptographic primitives that are specified in this document, along
with their correctness and security notions. This document specifies a key encapsulation mechanism (KEM),
formally defined by three algorithms as follows.
Definition 2.1 (Key encapsulation mechanism). A key encapsulation mechanism KEM is a tuple of
algorithms (KeyGen, Encaps, Decaps) along with a finite keyspace K:
• KeyGen() $→ (pk, sk): A probabilistic key generation algorithm that outputs a public key pk and a
secret key sk.
• Encaps(pk) $→ (c, ss): A probabilistic encapsulation algorithm that takes as input a public key pk,
and outputs an encapsulation c and a shared secret ss ∈ K. The encapsulation is sometimes called a
ciphertext.
• Decaps(c, sk) → ss0 : A (usually deterministic) decapsulation algorithm that takes as input an encapsu-
lation c and a secret key sk, and outputs a shared secret ss0 ∈ K.

The notion of δ-correctness gives a bound on the probability of a legitimate protocol execution producing
different keys in encapsulation and decapsulation.
Definition 2.2 (δ-correctness for KEMs). A key encapsulation mechanism KEM is δ-correct if

Pr [ss0 6= ss : (pk, sk) ←$ KEM.KeyGen(); (c, ss) ←$ KEM.Encaps(pk); ss0 ← KEM.Decaps(c, sk)] ≤ δ .

The following defines IND-CCA security for a key encapsulation mechanism.

Definition 2.3 (IND-CCA for KEMs). Let KEM be a key encapsulation mechanism with keyspace K, and
let A be an algorithm. The security experiment for indistinguishability under adaptive chosen ciphertext

9
attack (IND-CCA2, or just IND-CCA) of KEM is Expind-cca
KEM (A) shown in Figure 1. The advantage of A in the
experiment is  h i 1 
Advind-cca ind-cca

KEM (A) :=  Pr ExpKEM (A) ⇒ 1 −  .
 2

Note that A can be a classical or quantum algorithm. If A is a quantum algorithm, then we only consider
the model in which the adversary makes classical queries to its ODecaps oracle.

Experiment Expind-cca
KEM (A): Oracle ODecaps (c):
1: (pk, sk) ←$ KEM.KeyGen() 1: if c = c∗ then
2: b ←$ {0, 1} 2: return ⊥
3: (c∗ , ss0 ) ←$ KEM.Encaps(pk) 3: else
4: ss1 ←$ U (K) 4: return KEM.Decaps(c, sk)
5: b0 ←$ AODecaps (·) (pk, ssb , c∗ )
6: if b0 = b then
7: return 1
8: else
9: return 0

Figure 1: Security experiment for indistinguishability under adaptive chosen ciphertext attack (IND-CCA2, or
just IND-CCA) of a key encapsulation mechanism KEM for an adversary A.

The key encapsulation mechanism specified in this document is obtained by a transformation from a
public-key encryption (PKE) scheme; a PKE scheme is formally defined as follows.
Definition 2.4 (Public key encryption scheme). A public key encryption scheme PKE is a tuple of
algorithms (KeyGen, Enc, Dec) along with a message space M:
• KeyGen() $→ (pk, sk): A probabilistic key generation algorithm that outputs a public key pk and a
secret key sk.
• Enc(m, pk) $→ c: A probabilistic encryption algorithm that takes as input a message m ∈ M and public
key pk, and outputs a ciphertext c. The deterministic form is denoted Enc(m, pk; r) → c, where the
randomness r ∈ R is passed as an explicit input; R is called the randomness space of the encryption
algorithm.
• Dec(c, sk) → m0 or ⊥: A deterministic decryption algorithm that takes as input a ciphertext c and
secret key sk, and outputs a message m0 ∈ M or a special error symbol ⊥ ∈ / M.

The notion of δ-correctness captures an upper bound on the probability of decryption failure in a legitimate
execution of the scheme.
Definition 2.5 (δ-correctness for PKEs [61]). A public key encryption scheme PKE with message space
M is δ-correct if  
E max Pr [PKE.Dec(c, sk) 6= m : c ←$ PKE.Enc(m, pk)] ≤ δ , (1)
m∈M

where the expectation is taken over (pk, sk) ←$ PKE.KeyGen().

In our PKE, the probability expression in Equation (1) has no dependence on m, so the condition simplifies
to
Pr [PKE.Dec(c, sk) 6= m : (pk, sk) ← PKE.KeyGen(); c ←$ PKE.Enc(m, pk)] ≤ δ , (2)
which is what we analyze when calculating the probability of decryption failure (see Section 2.2.7).
The PKE scheme we use as the basis for the KEM transformation in Section 2.2.8 is required to satisfy
the notion of IND-CPA security, which is defined as follows.

10
Definition 2.6 (IND-CPA for PKE). Let PKE be a public key encryption scheme, and let A be an algo-
rithm. The security experiment for indistinguishability under chosen plaintext attack (IND-CPA) of PKE is
Expind-cpa
PKE (A) shown in Figure 2. The advantage of A in the experiment is
 h 
Pr Expind-cpa (A) ⇒ 1 − 1  .
i
Advind-cpa
 
PKE (A) := PKE
 2

Note that A can be a classical or quantum algorithm.

Experiment Expind-cpa
PKE (A):
1: (pk, sk) ←$ PKE.KeyGen()
2: (m0 , m1 , st) ←$ A(pk)
3: b ←$ {0, 1}
4: c∗ ←$ PKE.Enc(mb , pk)
5: b0 ←$ A(pk, c∗ , st)
6: if b0 = b then
7: return 1
8: else
9: return 0

Figure 2: Security experiment for indistinguishability under chosen plaintext attack (IND-CPA) of a public
key encryption scheme PKE against an adversary A.

2.1.3 Learning With Errors

The security of our proposed PKE and KEM relies on the hardness of the Learning With Errors (LWE)
problem, a generalization of the classic Learning Parities with Noise problem (see, e.g., [20]) first defined by
Regev [102]. This section defines the LWE probability distributions and computational problems.
Definition 2.7 (LWE distribution). Let n, q be positive integers, and let χ be a distribution over Z. For
an s ∈ Znq , the LWE distribution As,χ is the distribution over Znq × Zq obtained by choosing a ∈ Znq uniformly
at random and an integer error e ∈ Z from χ, and outputting the pair (a, ha, si + e mod q) ∈ Znq × Zq .

There are two main kinds of computational LWE problem: search, which is to recover the secret s ∈ Znq
given a certain number of samples drawn from the LWE distribution As,χ ; and decision, which is to distinguish
a certain number of samples drawn from the LWE distribution from uniformly random samples. For both
variants, one often considers two distributions of the secret s ∈ Znq : the uniform distribution, and the
distribution χn mod q where each coordinate is drawn from the error distribution χ and reduced modulo q.
The latter is often called the “normal form” of LWE.

Definition 2.8 (LWE Search Problem). Let n, m, q be positive integers, and let χ be a distribution
over Z. The uniform-secret (respectively, normal-form) learning with errors search problem with parameters
(n, m, q, χ), denoted by SLWEn,m,q,χ (respectively, nf-SLWEn,m,q,χ ), is as follows: given m samples from
the LWE distribution As,χ for uniformly random s (resp, s ←$ χn mod q), find s. More formally, for an
adversary A, define (for the uniform-secret case)

Advslwe n
 
n,m,q,χ (A) = Pr A(((ai , bi ))i=1,...,m ) ⇒ s : s ←$ U (Zq ), (ai , bi ) ←$ As,χ for i = 1, . . . , m .

Similarly, define (for the normal-form case) Advnf-slwe n n

n,m,q,χ (A), where s ←$ χ mod q instead of s ←$ U (Zq ).

Definition 2.9 (LWE Decision Problem). Let n, m, q be positive integers, and let χ be a distribution
over Z. The uniform-secret (respectively, normal-form) learning with errors decision problem with parameters
(n, m, q, χ), denoted DLWEn,m,q,χ (respectively, nf-DLWEn,m,q,χ ), is as follows: distinguish m samples drawn

11
from the LWE distribution As,χ from m samples drawn from the uniform distribution U (Znq × Zq ). More
formally, for an adversary A, define (for the uniform-secret case)
 
Advdlwe  Pr A((ai , bi )i=1,...,m ) ⇒ 1 : s ←$ U (Znq ), (ai , bi ) ←$ As,χ for i = 1, . . . , m

(A) =

n,m,q,χ

− Pr A((ai , bi )i=1,...,m ) ⇒ 1 : (ai , bi ) ←$ U (Znq × Zq ) for i = 1, . . . , m  .


Similarly, define (for the normal-form case) Advnf-dlwe n n

n,m,q,χ (A), where s ←$ χ mod q instead of s ←$ U (Zq ).

For all of the above problems, when χ = Ψαq is the continuous Gaussian of parameter αq, rounded to the
nearest integer (see Definition 2.11 below), we sometimes replace the subscript χ by α.

2.1.4 Gaussians
For any real s > 0, the (one-dimensional) Gaussian function with parameter (or width) s is the function
ρs : R → R+ , defined as
ρs (x) := exp(−πkxk2 /s2 ) .

Definition 2.10 (Gaussian distribution). For any real s > 0, the (one-dimensional) Gaussian distribution
with parameter (or width) s, denoted Ds , is the distribution over R having probability density function
Ds (x) = ρs (x)/s.
√
Note that Ds has standard deviation σ = s/ 2π.
Definition 2.11 (Rounded Gaussian distribution). For any real s > 0, the rounded Gaussian distribu-
tion with parameter (or width) s, denoted Ψs , is the distribution over Z obtained by rounding a sample
from Ds to the nearest integer: Z
Ψs (x) = Ds (z) dz . (3)
{z:bze=x}

2.1.5 Lattices
Here we recall some background on lattices that will be used when relating LWE to lattice problems.
Definition 2.12 (Lattice). A (full-rank) n-dimensional lattice L is a discrete additive subset of Rn for
which spanR (L) = Rn . Any such lattice can be generated by a (non-unique) basis B = {b1 , . . . , bn } ⊂ Rn of
linearly independent vectors, as
n
nX o
L = L(B) := B · Zn = zi · bi : zi ∈ Z .
i=1

The volume, or determinant, of L is defined as vol(L) := |det(B)|. An integer lattice is a lattice that is a
subset of Zn . For an integer q, a q-ary lattice is an integer lattice that contains qZn .

Definition 2.13 (Minimum distance). For a lattice L, its minimum distance is the length (in the Eu-
clidean norm) of a shortest non-zero lattice vector:

λ1 (L) = min kvk .

v∈L\{0}

More generally, its ith successive minimum λi (L) is the smallest real r > 0 such that L has i linearly
independent vectors of length at most r.

Definition 2.14 (Discrete Gaussian). For a lattice L ⊂ Rn , the discrete Gaussian distribution over L
with parameterPs, denoted DL,s , is defined as Ds (x) = ρs (x)/ρs (L) for x ∈ L (and Ds (x) = 0 otherwise),
where ρs (L) = v∈L ρs (v) is a normalization factor.

12
 We now recall various computational problems on lattices. We stress that these are worst-case problems,
i.e., to solve such a problem an algorithm must succeed on every input. The following two problems are
parameterized by an approximation factor γ = γ(n), which is a function of the lattice dimension n.
Definition 2.15 (Decisional approximate shortest vector problem (GapSVPγ )). Given a basis B of
an n-dimensional lattice L = L(B), where λ1 (L) ≤ 1 or λ1 (L) > γ(n), determine which is the case.
Definition 2.16 (Approximate shortest independent vectors problem (SIVPγ )). Given a basis B
of an n-dimensional lattice L = L(B), output a set {v1 , . . . , vn } ⊂ L of n linearly independent lattice vectors
where kvi k ≤ γ(n) · λn (L) for all i.
The following problem is parameterized by a function ϕ from lattices to positive real numbers.
Definition 2.17 (Discrete Gaussian Sampling (DGSϕ )). Given a basis B of an n-dimensional lattice
L = L(B) and a real number s ≥ ϕ(L), output a sample from the discrete Gaussian distribution DL,s .

2.2 Algorithm description

This section specifies the algorithms comprising the FrodoKEM key encapsulation mechanism. FrodoKEM is
built from a public key encryption scheme, FrodoPKE, as well as several other components.

Notation. The algorithms in this document are described in terms of the following parameters:
• χ, a probability distribution on Z;
• q = 2D , a power-of-two integer modulus with exponent D ≤ 16;
• n, m, n, integer matrix dimensions with n ≡ 0 (mod 8);
• B ≤ D, the number of bits encoded in each matrix entry;
• ` = B · m · n, the length of bit strings that are encoded as m-by-n matrices;
• lenA , the bit length of seeds used for pseudorandom matrix generation;
• lenE , the bit length of seeds used for pseudorandom bit generation for error sampling.
Additional parameters for specific algorithms accompany the algorithm description.

2.2.1 Matrix encoding of bit strings

This subsection describes how bit strings are encoded as mod-q integer matrices. Recall that 2B ≤ q. The
encoding function ec(·) encodes an integer 0 ≤ k < 2B as an element in Zq by multiplying it by q/2B = 2D−B :
ec(k) := k · q/2B .
Using this function, the function Frodo.Encode encodes bit strings of length ` = B · m · n as m-by-n-matrices
with entries in Zq by applying ec(·) to B-bit sub-strings sequentially and filling the matrix row by row
entry-wise. The function Frodo.Encode is shown in Algorithm 1. Each B-bit sub-string is interpreted as an
integer 0 ≤ k < 2B and then encoded by ec(k), which means that B-bit values are placed into the B most
significant bits of the corresponding entry modulo q.
The corresponding decoding function Frodo.Decode is defined as shown in Algorithm 2. It decodes the
m-by-n matrix K into a bit string of length ` = B · m · n. It extracts B bits from each entry by applying the
function dc(·):
dc(c) = bc · 2B /qe mod 2B .
That is, the Zq -entry is interpreted as an integer, then divided by q/2B and rounded. This amounts to
rounding to the B most significant bits of each entry. With these definitions, it is the case that dc(ec(k)) = k
for all 0 ≤ k < 2B .

2.2.2 Packing matrices modulo q

This section specifies packing and unpacking algorithms to transform matrices with entries in Zq to bit strings
and vice versa. The algorithm Frodo.Pack packs a matrix into a bit string by simply concatenating the D-bit
matrix coefficients, as shown in Algorithm 3. Note that in the software implementation, the resulting bit
string is stored as a byte array, padding with zero bits to make the length a multiple of 8. The reverse
operation Frodo.Unpack is shown in Algorithm 4.

13
 Algorithm 1 Frodo.Encode Algorithm 2 Frodo.Decode
Input: Bit string k ∈ {0, 1}` , ` = B · m · n. Input: Matrix K ∈ Zm×n
q .
Output: Matrix K ∈ Zm×n q . Output: Bit string k ∈ {0, 1}` , ` = B · m · n.
1: for (i = 0; i < m; i ← i + 1) do 1: for (i = 0; i < m; i ← i + 1) do
2: for (j = 0; j < n; j ← j + 1) do 2: for (j = 0; j < n; j ← j + 1) do
PB−1
3: k ← l=0 k(i·n+j)B+l · 2l 3: k ← dc(Ki,j ) = bKi,j · 2B /qe mod 2B
PB−1
4: Ki,j ← ec(k) = k · q/2B 4: k = l=0 kl · 2l where kl ∈ {0, 1}
5: return K = (Ki,j )0≤i<m,0≤j<n 5: for (l = 0; l < B; l ← l + 1) do
6: k(i·n+j)B+l ← kl
7: return k

Algorithm 3 Frodo.Pack Algorithm 4 Frodo.Unpack

Input: Matrix C ∈ Znq 1 ×n2 . Input: Bit string b ∈ {0, 1}D·n1 ·n2 , n1 , n2 .
Output: Bit string b ∈ {0, 1}D·n1 ·n2 . Output: Matrix C ∈ Zqn1 ×n2 .
1: for (i = 0; i < n1 ; i ← i + 1) do 1: for (i = 0; i < n1 ; i ← i + 1) do
2: for (j = 0; j < n2 ; j ← j + 1) do 2: for (j = 0; j < n2 ; j ← j + 1) do
PD−1 PD−1
3: Ci,j = l=0 cl · 2l where cl ∈ {0, 1} 3: Ci,j ← l=0 b(i·n2 +j)D+l · 2D−1−l
4: for (l = 0; l < D; l ← l + 1) do 4: return C
5: b(i·n2 +j)D+l ← cD−1−l
6: return b

2.2.3 Deterministic random bit generation

FrodoKEM requires the deterministic generation of random bit sequences from a random seed value. This is
done using the SHA-3-derived extendable output function cSHAKE [64]. The function cSHAKE is taken as
either cSHAKE128 or cSHAKE256 (indicated below for each parameter set of FrodoKEM), and takes as input
a bit string X, a requested output bit length L, and a 16-bit customization value c as a domain separator.
Interpreting c as a 16-bit integer, it is converted to an array of two bytes [c0 , c1 ], where c = c0 + 28 · c1 . The
call to the function on these inputs is written cSHAKE(X, L, c), and returns a string of L bits as output.

2.2.4 Sampling from the error distribution

The error distribution χ used in FrodoKEM is a discrete, symmetric distribution on Z, centered at zero and
with small support, which approximates a rounded continuous Gaussian distribution.
The support of χ is Sχ = {−s, −s + 1, . . . , −1, 0, 1, . . . , s − 1, s} for a positive integer s. The probabilities
χ(z) = χ(−z) for z ∈ Sχ are given by a discrete probability density function, which is described by a table

Tχ = (Tχ (0), Tχ (1), . . . , Tχ (s))

of s + 1 positive integers related to the cumulative distribution function. For a certain positive integer lenχ ,
the table entries satisfy the following conditions:
z
X
Tχ (0)/2lenχ = χ(0)/2 and Tχ (z)/2lenχ = χ(0)/2 + χ(i) for 1 ≤ z ≤ s .
i=1

Therefore, Tχ (s) = 2lenχ −1 .

Sampling from χ via inversion sampling is done as shown in Algorithm 5. Given a string of lenχ uniformly
random bits r ∈ {0, 1}lenχ and a distribution table Tχ , the algorithm Frodo.Sample returns a sample e from
the distribution χ. We emphasize that it is important to perform this sampling in constant time to avoid
exposing timing side-channels, which is why Step 3 of the algorithm does a complete loop through the entire
table Tχ . Note also that the comparison in Step 4 needs to be implemented in a constant-time manner.

14
Algorithm 5 Frodo.Sample
Input: A (random) bit string r = (r0 , r1 , . . . , rlenχ −1 ) ∈ {0, 1}lenχ , the table Tχ = (Tχ (0), Tχ (1), . . . , Tχ (s)).
Output: A sample e ∈ Z.
Plenχ −1
1: t ← i=1 ri · 2i−1
2: e ← 0
3: for (z = 0; z < s; z ← z + 1) do
4: if t > Tχ (z) then
5: e←e+1
6: e ← (−1)r0 · e
7: return e

An n1 -by-n2 matrix of n1 n2 samples from the error distribution is sampled by expanding a random
seed to an (n1 n2 · lenχ )-bit string, here written as a sequence of n1 n2 bit vectors (r(0) , r(1) , . . . , r(n1 n2 −1) ) of
length lenχ , using the extendable output function cSHAKE, and then sampling n1 n2 error terms by calling
Frodo.Sample on a corresponding lenχ -bit substring r(i·n2 +j) and the distribution table Tχ to sample the
matrix entry Ei,j . The algorithm Frodo.SampleMatrix is shown in Algorithm 6.

Algorithm 6 Frodo.SampleMatrix
Input: Seed seedE ∈ {0, 1}lenE , dimensions n1 , n2 , the table Tχ , domain separator value c.
Output: A sample E ∈ Zn1 ×n2 .
1: (r(0) , r(1) , . . . , r(n1 n2 −1) ) ← cSHAKE(seedE , n1 n2 · lenχ , c) (here, each r(i) is a vector of lenχ bits)
2: for (i = 0; i < n1 ; i ← i + 1) do
3: for (j = 0; j < n2 ; j ← j + 1) do
4: Ei,j ← Frodo.Sample(r(i·n2 +j) , Tχ )
5: return E

2.2.5 Pseudorandom matrix generation

The algorithm Frodo.Gen takes as input a seed seedA ∈ {0, 1}lenA and a dimension n ∈ Z, and outputs a
pseudorandom matrix A ∈ Zqn×n . There are two options for instantiating Frodo.Gen. The first one uses
AES128 and is shown in Algorithm 7; the second uses cSHAKE128 and is shown in Algorithm 8.

Using AES128. Algorithm 7 generates a matrix A ∈ Zqn×n as follows. For each row index i = 0, 1, . . . , n − 1
and column index j = 0, 8, . . . , n − 8, the algorithm generates a 128-bit block, which it uses to set the
matrix entries Ai,j , Ai,j+1 , . . . , Ai,j+7 as follows. It applies AES128 with key seedA to the input block
hiikhjik0 · · · 0 ∈ {0, 1}128 , where i, j are encoded as 16-bit strings. It then splits the 128-bit AES output
block into eight 16-bit strings, which it interprets as nonnegative integers ci,j+k for k = 0, 1, . . . , 7. Finally, it
sets Ai,j+k = ci,j+k mod q for all k.

Algorithm 7 Frodo.Gen using AES128

Input: Seed seedA ∈ {0, 1}lenA .
Output: Matrix A ∈ Zn×n
q .
1: for (i = 0; i < n; i ← i + 1) do
2: for (j = 0; j < n; j ← j + 8) do
3: b ← hiikhjik0 · · · 0 ∈ {0, 1}128 where hii, hji ∈ {0, 1}16
4: hci,j ikhci,j+1 ik · · · khci,j+7 i ← AES128seedA (b) where each hci,k i ∈ {0, 1}16 .
5: for (k = 0; k < 8; k ← k + 1) do
6: Ai,j+k ← ci,j+k mod q
7: return A

15
Using cSHAKE128. Algorithm 8 generates a matrix A ∈ Zn×n q as follows. For each row index i =
0, 1, . . . , n − 1, it calls cSHAKE128 with a main input of seedA and customization value 28 + i to produce
a 16n-bit output string. It splits this output into 16-bit integers ci,j for j = 0, 1, . . . , n − 1, and sets
Ai,j = ci,j mod q for all j. Note that the offset of 28 in the customization value is used for domain separation
between the generation of A and other uses of cSHAKE128 in the key encapsulation functions below, which
have customization values smaller than 28 .

Algorithm 8 Frodo.Gen using cSHAKE128

Input: Seed seedA ∈ {0, 1}lenA .
Output: Pseudorandom matrix A ∈ Zn×n
q .
1: for (i = 0; i < n; i ← i + 1) do
2: hci,0 ikhci,1 ik · · · khci,n−1 i ← cSHAKE128(seedA , 16n, 28 + i) where each hci,j i ∈ {0, 1}16 .
3: for (j = 0; j < n; j ← j + 1) do
4: Ai,j ← ci,j mod q
5: return A

2.2.6 FrodoPKE: IND-CPA-secure public key encryption scheme

This section describes FrodoPKE, a public-key encryption scheme with fixed-length message space, targeting
IND-CPA security, that will be used as a building block for FrodoKEM. FrodoPKE is based on the public-key
encryption scheme presented by Lindner and Peikert in [75], with the following adaptations and specializations:
• The matrix A is generated from a seed using the function Gen specified in Section 2.2.5.
• Several (m) ciphertexts are generated at once.
• The same Gaussian-derived error distribution is used for both key generation and encryption.
The PKE scheme is given by three algorithms (FrodoPKE.KeyGen, FrodoPKE.Enc, FrodoPKE.Dec), defined
respectively in Algorithm 9, Algorithm 10, and Algorithm 11. FrodoPKE is parameterized by the following
parameters:
• q = 2D , a power-of-two integer modulus with exponent D ≤ 16;
• n, m, n, integer matrix dimensions with n ≡ 0 (mod 8);
• B ≤ D, the number of bits encoded in each matrix entry;
• ` = B · m · n, the length of bit strings that are encoded as m-by-n matrices;
• lenµ = `, the bit length of messages;
• M = {0, 1}lenµ , the message space;
• lenA , the bit length of seeds used for pseudorandom matrix generation;
• lenE , the bit length of seeds used for pseudorandom bit generation for error sampling;
• Gen, the matrix-generation algorithm, either Algorithm 7 or Algorithm 8;
• Tχ , the distribution table for sampling.
In the notation of [75], their n1 and n2 both equal n here, and their dimension ` is n here.

Algorithm 9 FrodoPKE.KeyGen.
Input: None.
Output: Key pair (pk, sk) ∈ ({0, 1}lenA × Zn×n
q ) × Zn×n
q .
1: Choose a uniformly random seed seedA ←$ U ({0, 1}lenA )
2: Generate the matrix A ∈ Zn×n
q via A ← Frodo.Gen(seedA )
3: Choose a uniformly random seed seedE ←$ U ({0, 1}lenE )
4: Sample error matrix S ← Frodo.SampleMatrix(seedE , n, n, Tχ , 1)
5: Sample error matrix E ← Frodo.SampleMatrix(seedE , n, n, Tχ , 2)
6: Compute B = AS + E
7: return public key pk ← (seedA , B) and secret key sk ← S

16
Algorithm 10 FrodoPKE.Enc.
Input: Message µ ∈ M and public key pk = (seedA , B) ∈ {0, 1}lenA × Zqn×n .
Output: Ciphertext c = (C1 , C2 ) ∈ Zm×n
q × Zm×n
q .
1: Generate A ← Frodo.Gen(seedA )
2: Choose a uniformly random seed seedE ←$ U ({0, 1}lenE )
3: Sample error matrix S0 ← Frodo.SampleMatrix(seedE , m, n, Tχ , 4)
4: Sample error matrix E0 ← Frodo.SampleMatrix(seedE , m, n, Tχ , 5)
5: Sample error matrix E00 ← Frodo.SampleMatrix(seedE , m, n, Tχ , 6)
6: Compute B0 = S0 A + E0 and V = S0 B + E00
7: return ciphertext c ← (C1 , C2 ) = (B0 , V + Frodo.Encode(µ))

Algorithm 11 FrodoPKE.Dec.
Input: Ciphertext c = (C1 , C2 ) ∈ Zm×n
q × Zm×n
q and secret key sk = S ∈ Zn×n
q .
0
Output: Decrypted message µ ∈ M.
1: Compute M = C2 − C1 S
2: return message µ0 ← Frodo.Decode(M)

2.2.7 Correctness of IND-CPA PKE

The next lemma states bounds on the size of errors that can be handled by the decoding algorithm.
Lemma 2.18. Let q = 2D , B ≤ D. Then dc(ec(k) + e) = k for any k, e ∈ Z such that 0 ≤ k < 2B and
−q/2B+1 ≤ e < q/2B+1 .
Proof. This follows directly from the fact that dc(ec(k) + e) = bk + e2B /qe mod 2B .

Correctness of decryption: The decryption algorithm FrodoPKE.Dec computes

M = C2 − C1 S
= V + Frodo.Encode(µ) − (S0 A + E0 )S
= Frodo.Encode(µ) + S0 B + E00 − S0 AS − E0 S
= Frodo.Encode(µ) + S0 AS + S0 E + E00 − S0 AS − E0 S
= Frodo.Encode(µ) + S0 E + E00 − E0 S
= Frodo.Encode(µ) + E000
for some error matrix E000 = S0 E + E00 − E0 S. Therefore, any B-bit substring of the message µ corresponding
to an entry of M will be decrypted correctly if the condition in Lemma 2.18 is satisfied for the corresponding
entry of E000 .

Failure probability. Each entry in the matrix E000 is the sum of 2n products of two independent samples
from χ, and one more independent sample from χ. Denote the distribution of this sum by χ0 . In the case of
a power-of-2 modulus q, the probability of decryption failure for any single symbol is therefore the sum
X
p= χ0 (e) .
e∈[−q/2
/ B+1 ,q/2B+1 )

The probability of decryption failure for the entire message can then be obtained using the union bound.
For the distributions χ we use, which have rather small support Sχ , the distribution χ0 can be efficiently
computed exactly. The probability that a product of two independent samples from χ equals e (modulo q) is
simply X
χ(a) · χ(b) .
(a,b)∈Sχ ×Sχ : ab=e mod q

17
Similarly, the probability that the sum of two entries assumes a certain value is given by the standard
convolution sum. Section 2.4.3 reports the failure probability for each of the selected parameter sets.

2.2.8 Transform from IND-CPA PKE to IND-CCA KEM

The Fujisaki–Okamoto transform [51] constructs an IND-CCA2-secure public key encryption scheme from a
one-way-secure public key encryption scheme in the classical random oracle model (with an assumption on
the distribution of ciphertexts for each plaintext being sufficiently close to uniform). Targhi and Unruh [111]
gave a variant of the Fujisaki–Okamoto transform and showed its IND-CCA2 security against a quantum
adversary in the quantum random oracle model under similar assumptions. The results of both FO and TU
proceed under the assumption that the public key encryption scheme has perfect correctness, which is not
the case for lattice-based schemes. Hofheinz, Hövelmanns, and Kiltz [61] gave a variety of constructions in a
modular fashion. We apply their QFO6⊥ m (“Quantum FO with implicit rejection and K being a hash of m”)
transform which constructs an IND-CCA-secure key encapsulation mechanism from an IND-CPA public key
encryption scheme and three hash functions; following [23], we make the following modifications (see Figure 3
for notation), denoting the resulting transform QFO6⊥ 0
m:
• A single hash function (with longer output) is used to compute r, k, and d.
• The computation of r, k, and d also takes the public key pk as input.
• The computation of the shared secret ss also takes the encapsulation c as input.
Definition 2.19 (QFO6⊥ 0
m transform). Let PKE = (KeyGen, Enc, Dec) be a public key encryption scheme
with message space M and ciphertext space C, where the randomness space of Enc is R. Let lens , lenk , lend , lenss
be parameters. Let G : {0, 1}∗ → R × {0, 1}lenk × {0, 1}lend and F : {0, 1}∗ → {0, 1}lenss be hash func-
tions. Define QKEM6⊥ 0 6⊥0
m = QFOm [PKE, G, F ] be the key encapsulation mechanism with QKEMm .KeyGen,
6⊥0
6⊥0 6⊥0
QKEMm .Encaps and QKEMm .Decaps as shown in Figure 3.

QKEM6⊥ 0
m .KeyGen(): QKEM6⊥ 0
m .Decaps((c, d), (sk, s, pk)):
1: (pk, sk) ←$ PKE.KeyGen() 1: µ0 ← PKE.Dec(c, sk)
2: s ←$ {0, 1}lens 2: (r0 , k0 , d0 ) ← G(pkkµ0 )
3: sk 0 ← (sk, s) 3: if c = PKE.Enc(µ0 , pk; r0 ) and d = d0 then
4: return (pk, sk 0 ) 4: return ss0 ← F (ckk0 kd)
5: else
QKEM6⊥ 0
m .Encaps(pk): 6: return ss0 ← F (ckskd)
1: µ ←$ M
2: (r, k, d) ← G(pkkµ)
3: c ← PKE.Enc(µ, pk; r)
4: ss ← F (ckkkd)
5: return ((c, d), ss)

Figure 3: Construction of an IND-CCA-secure key encapsulation mechanism QKEM6⊥ 0 6⊥0

m = QFOm [PKE, G, F ]
from a public key encryption scheme PKE and hash functions G and F .

Remark. In October and November 2017, Jiang et al. posted an eprint giving a proof for two FO-like
transforms that yield an IND-CCA-secure KEM in the quantum random oracle model and do not require the
extra hash value d introduced by Targhi and Unruh [63]. As of this writing, it is too early to know if the
results in the Jiang et al. eprint are correct. If they are, then we can remove the d value in the QKEM6⊥ m
0

transform of Figure 3, and from the resulting FrodoKEM in Algorithm 13 and Algorithm 14. The transform
becomes sufficiently similar to Jiang et al.’s FO-I transform to have its security implied by their result; the
differences are: the computation of r and K also take the public key pk as input, and the value random coins
µ are hashed before they are input to the hash function that computes the shared secret.

18
2.2.9 FrodoKEM: IND-CCA-secure key encapsulation mechanism
This section describes FrodoKEM, a key encapsulation mechanism that is derived from FrodoPKE by applying
the QFO6⊥ 0
m transform. FrodoKEM is parameterized by the following parameters:
• q = 2D , a power-of-two integer modulus with exponent D ≤ 16;
• n, m, n, integer matrix dimensions with n ≡ 0 (mod 8);
• B ≤ D, the number of bits encoded in each matrix entry;
• ` = B · m · n, the length of bit strings to be encoded in an m-by-n matrix;
• lenµ = `, the bit length of messages;
• M = {0, 1}lenµ , the message space;
• lenA , the bit length of seeds used for pseudorandom matrix generation;
• lenE , the bit length of seeds used for pseudorandom bit generation for error sampling;
• Gen, pseudorandom matrix generation algorithm, either Algorithm 7 or Algorithm 8;
• Tχ , distribution table for sampling;
• lens , the length of the bit vector s used for pseudorandom shared secret generation in the event of
decapsulation failure in the QFO6⊥ 0
m transform;
• lenz , the bit length of seeds used for pseudorandom generation of seedA ;
• lenk , the bit length of intermediate shared secret k in the QFO6⊥ 0
m transform;
6⊥0
• lend , the bit length of check value d in the QFOm transform;
• lenss , the bit length of shared secret ss in the QFO6⊥ 0
m transform;
∗ lenA
• H : {0, 1} → {0, 1} , a hash function, either cSHAKE128(·, lenA , 0) or cSHAKE256(·, lenA , 0);
• G : {0, 1}∗ → {0, 1}lenE ×{0, 1}lenk ×{0, 1}lend , a hash function, either cSHAKE128(·, lenE +lenk +lend , 3)
or cSHAKE256(·, lenE + lenk + lend , 3);
• F : {0, 1}∗ → {0, 1}lenss , a hash function, either cSHAKE128(·, lenss , 7) or cSHAKE256(·, lenss , 7).

Algorithm 12 FrodoKEM.KeyGen.
Input: None.
Output: Key pair (pk, sk 0 ) with pk ∈ {0, 1}lenA +D·n·n , sk 0 ∈ {0, 1}lens +lenA +D·n·n × Zn×n
q .
1: Choose uniformly random seeds skseedE kz ←$ U ({0, 1}lens +lenE +lenz
2: Generate pseudorandom seed seedA ← H(z)
3: Generate the matrix A ∈ Zn×n
q via A ← Frodo.Gen(seedA )
4: Sample error matrix S ← Frodo.SampleMatrix(seedE , n, n, Tχ , 1)
5: Sample error matrix E ← Frodo.SampleMatrix(seedE , n, n, Tχ , 2)
6: Compute B ← AS + E
7: Compute b ← Frodo.Pack(B)
8: return public key pk ← seedA kb and secret key sk 0 ← (skseedA kb, S)

19
Algorithm 13 FrodoKEM.Encaps.
Input: Public key pk = seedA kb ∈ {0, 1}lenA +D·n·n .
Output: Ciphertext c1 kc2 kd ∈ {0, 1}(m·n+m·n)D+lend and shared secret ss ∈ {0, 1}lenss .
1: Choose a uniformly random key µ ←$ U ({0, 1}lenµ
2: Generate pseudorandom values seedE kkkd ← G(pkkµ)
3: Sample error matrix S0 ← Frodo.SampleMatrix(seedE , m, n, Tχ , 4)
4: Sample error matrix E0 ← Frodo.SampleMatrix(seedE , m, n, Tχ , 5)
5: Generate A ← Frodo.Gen(seedA )
6: Compute B0 ← S0 A + E0
7: Compute c1 ← Frodo.Pack(B0 )
8: Sample error matrix E00 ← Frodo.SampleMatrix(seedE , m, n, Tχ , 6)
9: Compute B ← Frodo.Unpack(b, n, n)
10: Compute V ← S0 B + E00
11: Compute C ← V + Frodo.Encode(µ)
12: Compute c2 ← Frodo.Pack(C)
13: Compute ss ← F (c1 kc2 kkkd)
14: return ciphertext c1 kc2 kd and shared secret ss

Algorithm 14 FrodoKEM.Decaps.
Input: Ciphertext c1 kc2 kd ∈ {0, 1}(m·n+m·n)D+lend , secret key sk 0 = (skseedA kb, S) ∈ {0, 1}lens +lenA +D·n·n ×
Zn×n
q .
Output: Shared secret ss ∈ {0, 1}lenss .
1: B0 ← Frodo.Unpack(c1 )
2: C ← Frodo.Unpack(c2 )
3: Compute M ← C − B0 S
4: Compute µ0 ← Frodo.Decode(M)
5: Parse pk ← seedA kb
6: Generate pseudorandom values seed0E kk0 kd0 ← G(pkkµ0 )
7: Sample error matrix S0 ← Frodo.SampleMatrix(seed0E , m, n, Tχ , 4)
8: Sample error matrix E0 ← Frodo.SampleMatrix(seed0E , m, n, Tχ , 5)
9: Generate A ← Frodo.Gen(seedA )
10: Compute B00 ← S0 A + E0
11: Sample error matrix E00 ← Frodo.SampleMatrix(seed0E , m, n, Tχ , 6)
12: Compute B ← Frodo.Unpack(b, n, n)
13: Compute V ← S0 B + E00
14: Compute C0 ← V + Frodo.Encode(µ0 )
15: if B0 kC = B00 kC0 and d = d0 then
16: return shared secret ss ← F (c1 kc2 kk0 kd)
17: else
18: return shared secret ss ← F (c1 kc2 kskd)

2.2.10 Correctness of IND-CCA KEM

The failure probability δ of FrodoKEM is the same as the failure probability of the underlying FrodoPKE as
computed in Section 2.2.7.

2.2.11 Interconversion to IND-CCA PKE

FrodoKEM can be converted to an IND-CCA-secure public key encryption scheme using standard conversion
techniques as specified by NIST. In particular, shared secret ss can be used as the encryption key in

20
an appropriate data encapsulation mechanism in the KEM/DEM (key encapsulation mechanism / data
encapsulation mechanism) framework [44].

2.3 Cryptographic primitives

In FrodoKEM we use the following generic cryptographic primitives. We describe their security requirements
and instantiations with NIST-approved cryptographic primitives. In what follows, we use cSHAKE128/256
to denote the use of either cSHAKE128 or cSHAKE256; which one is used with which parameter set for
FrodoKEM is indicated in Table 3. Every use of cSHAKE in different contexts listed below is performed with
a different domain separator.
• Gen: The security requirement on Gen is that it is a public random function that generates pseudorandom
matrices A. Gen is instantiated using either AES128 (as in Algorithm 7) or cSHAKE128 (as in
Algorithm 8).
• H: The security requirement on H is that it is a pseudorandom generator. H is instantiated using
cSHAKE128/256 with the input being a uniformly random seed z.
• G: The security requirement on G is that it is a pseudorandom function. G is instantiated using
cSHAKE128/256 with the input being the public key pk concatenated with a random key µ.
• F : The security requirement on F is that it is a pseudorandom function. F is instantiated using
cSHAKE128/256 with the input being the ciphertext components c1 and c2 , concatenated (during
encapsulation and successful decapsulation) with the intermediate shared secret k or (during failed
decapsulation) the seed s.
• cSHAKE: We also use cSHAKE directly in the SampleMatrix algorithm as a pseudorandom function.
cSHAKE128/256 is used with the input being a seed seedE and distinct context strings for the different
matrices generated from the same seed.

2.4 Parameters
This section outlines our methodology for choosing tunable parameters of the proposed algorithms.

2.4.1 High-level overview

Recall the main FrodoPKE parameters defined in Section 2.2:
• χ, a probability distribution on Z;
• q = 2D , a power-of-two integer modulus with exponent D ≤ 16;
• n, m, n, integer matrix dimensions with n ≡ 0 mod 8;
• B ≤ D, the number of bits encoded in each matrix entry;
• ` = B · m · n the length of bit strings to be encoded in an m-by-n matrix.
The task of parameter selection is framed as a combinatorial optimization problem, where the objective func-
tion is the ciphertext’s size, and the constraints are dictated by the target security level, probability of decryp-
tion failure, and computational efficiency. The optimization problem is solved by sweeping the parameter space,
subject to simple pruning techniques. We perform this sweep of the parameter space using the Python scripts
that accompany the submission, in the folder Additional Implementations/Parameter Search Scripts.

2.4.2 Parameter constraints

Implementation considerations limit q to be at most 216 and n to be a multiple of 8. Our cost function is the
bit length of the FrodoPKE ciphertext, which is D · m · (n + n).
The standard deviation σ of the Gaussian error distribution is bounded from below by the constant 2.12.
This bound is chosen following the argument in Section 5.1.5, which demonstrates that σ > 2.12 conforms to
a reduction from the worst-case BDDwDGS problem to the LWE decision problem.
The complexity of the error-sampling algorithm (Section 2.2.4) depends on the support of the distribution
and the number of uniformly random bits per sample. We bound the number of bits per sample by 16.
Since the distribution is symmetric, the sample’s sign (r0 in Algorithm 5) can be chosen independently from
its magnitude e, which leaves 15 bits for sampling from the non-negative part of the support. For each

21
setting of the variance σ 2 we find a discrete distribution subject to the above constraints that minimizes
its Rényi divergence (for several integral orders) from the target “ideal” distribution, which is the rounded
Gaussian Ψσ√2π .
We estimate the concrete security of parameters for our scheme based on cryptanalytic attacks (Section 5.2),
accounting for the loss due to substitution of a rounded Gaussian with its discrete approximation (Section 5.1.3).
The probability of decryption failure is computed according to the procedure outlined in Section 2.2.6.
In case of ties, i.e., when different parameter sets result in identical ciphertext sizes (i.e., the same q and
n), we chose the smaller σ for FrodoKEM-640 (minimizing the probability of decryption failure), and the
larger σ for FrodoKEM-976 (prioritizing security).

2.4.3 Selected parameter sets

We present two parameter sets for FrodoKEM. The first, denoted Frodo-640, targets Level 1 in the NIST call
for proposals (matching or exceeding the brute-force security of AES-128). The second, denoted Frodo-976,
targets Level 3 (matching or exceeding the brute-force security of AES-192). At present, we are not proposing
parameters for Level 5, the highest security target (matching or exceeding the brute-force security of AES-256).
In addition to targeting Level 5 and other security objectives, the procedures outlined in this section
can be adapted to support alternative cost functions and constraints. For instance, an objective function
that takes into account computational costs or penalizes the public key size would lead to a different set
of outcomes. For example, constraints can be also chosen to guarantee error-free decryption, or to select
parameters that allow for a bounded number of homomorphic operations.
The two parameter sets are given in Table 1. The corresponding error distributions are given in Table 2.
Security columns C and Q respectively denote security, in bits, for classical and quantum attacks as estimated
by the methodology of Section 5.2.

Table 1: Parameter sets

n q σ support B m̄ × n̄ failure c size Security

of χ prob. (bytes) C Q
Frodo-640 640 215 2.75 [−11 . . . 11] 2 8×8 2−148.8 9,736 143 103
Frodo-976 976 216 2.3 [−10 . . . 10] 3 8×8 2−199.6 15,768 209 150

Table 2: Error distributions

σ Probability of (in multiples of 2−15 ) Rényi

0 ±1 ±2 ±3 ±4 ±5 ±6 ±7 ±8 ±9 ±10 ±11 order divergence
χFrodo-640 2.75 9456 8857 7280 5249 3321 1844 898 384 144 47 13 3 500.0 0.72 × 10−4
χFrodo-976 2.3 11278 10277 7774 4882 2545 1101 396 118 29 6 1 500.0 0.14 × 10−4

2.5 Summary of parameters

Table 3 summarizes all cryptographic parameters for Frodo-640 and Frodo-976. FrodoKEM-640-AES and
FrodoKEM-976-AES use AES128 as Gen for generation of A; FrodoKEM-640-cSHAKE and FrodoKEM-976-
cSHAKE use cSHAKE as Gen for generation of A.
Table 4 summarizes the sizes, in bytes, of the different inputs and outputs required by FrodoKEM. Note
that we also include the size of the public key in the secret key sizes, in order to comply with NIST’s API
guidelines. Specifically, since NIST’s decapsulation API does not include an input for the public key, it needs
to be included as part of the secret key.

22
 Table 3: Cryptographic parameters for Frodo-640 and Frodo-976

Frodo-640 Frodo-976
D 15 16
q 32768 65536
n 640 976
m=n 8 8
B 2 3
lenA 128 128
lenµ = ` 128 192
lenE 128 192
lenz 128 192
lens 128 192
lenk 128 192
lend 128 192
lenss 128 192
lenχ 16 16
χ χFrodo-640 χFrodo-976
H cSHAKE128(·, 128, 0) cSHAKE256(·, 128, 0)
G cSHAKE128(·, 384, 3) cSHAKE256(·, 576, 3)
F cSHAKE128(·, 128, 7) cSHAKE256(·, 192, 7)

Table 4: Size (in bytes) of inputs and outputs of FrodoKEM. Secret key size is the sum of the sizes of
the actual secret value and of the public key (the NIST API does not include the public key as explicit input
to decapsulation).

secret key public key ciphertext shared secret

Scheme
sk pk c ss
FrodoKEM-640 19,872 9,616 9,736 16
(10,256 + 9,616)
FrodoKEM-976 31,272 15,632 15,768 24
(15,640 + 15,632)

2.6 Provenance of constants and tables

Constants used as domain separators in calls to cSHAKE are integers selected incrementally starting at 0.
The constants in Table 2 and Table 1 were generated by search scripts following the methodology described
in Section 2.4.

23
3 Performance analysis
3.1 Associated implementations
The submission package includes:
• a reference implementation written exclusively in portable C,
• an optimized implementation written exclusively in portable C that includes efficient algorithms to
generate the matrix A and to compute the matrix operations AS + E and S0 A + E0 , and
• an additional, optimized implementation for x64 platforms that exploits Advanced Vector Extensions 2
(AVX2) intrinsic instructions.
The implementations in the submission package support all four schemes: FrodoKEM-640-AES, FrodoKEM-
640-cSHAKE, FrodoKEM-976-AES, and FrodoKEM-976-cSHAKE. The only difference between the reference
and the optimized implementation is that the latter includes two efficient functions to generate the public
matrix A and to compute the matrix operations AS + E and S0 A + E0 . Similarly, the only difference between
the optimized and the additional implementation is that the latter uses AVX2 intrinsic instructions to speed
up the implementation of the aforementioned functions. Hence, the different implementations share most of
their codebase: this illustrates the simplicity of software based on FrodoKEM.
All our implementations avoid the use of secret address accesses and secret branches and, hence, are
protected against timing and cache attacks.

3.2 Performance analysis on x64 Intel

In this section, we summarize results of our performance evaluation using a machine equipped with a 3.4GHz
Intel Core i7-6700 (Skylake) processor and running Ubuntu 16.04.3 LTS. As standard practice, TurboBoost
was disabled during the tests. For compilation we used GNU GCC version 7.2.0 with the command gcc -O3
-march=native. The generation of the matrix A is the most expensive part of the computation. As described
in Section 2.2.5, we support two ways of generating A: one using AES128 and one using cSHAKE128.

3.2.1 Performance using AES128

Table 5 details the performance of the optimized implementations and the additional x64 implementations
when using AES128 for the generation of the matrix A. The top two sets of results correspond to performance
when using OpenSSL’s AES implementation4 and the bottom set presents the results when using a standalone
AES implementation using Intel’s Advanced Encryption Standard New Instructions (AES-NI).
As can be observed, the different implementation variants have similar performance, even when using
hand-optimized AVX2 intrinsic instructions. This illustrates that FrodoKEM’s algorithms, which are mainly
based on matrix operations, facilitate automatic parallelization using vector instructions. Hence, the compiler
is able to achieve close to “optimal” performance with little intervention from the programmer. The best
results for FrodoKEM-640-AES and FrodoKEM-976-AES (i.e., 1.1 ms and 2.1 ms, respectively, obtained by
adding the times for encapsulation and decapsulation) are achieved by the optimized implementation using C
only and by the additional implementation using AVX2 intrinsic instructions, respectively. However, the
difference in performance between the different implementations reported in Table 5 is, in all the cases, less
than 1%.
We note that the performance of FrodoKEM using AES on Intel platforms greatly depends on AES-NI
instructions. For example, when turning off the use of these instructions the computing cost of the optimized
implementation of FrodoKEM-640-AES (resp. FrodoKEM-976-AES) is 26.4 ms (resp. 61.2 ms), which is roughly
a 24-fold (resp. 29-fold) degradation in performance.

3.2.2 Performance using cSHAKE128

Table 6 outlines the performance figures of the optimized implementations and the additional x64 imple-
mentations when using cSHAKE128 for the generation of the matrix A. The top set of results shows the
performance of the optimized implementation written in C only, while the bottom set presents the results
4 Note that in order to enable AES-NI instructions in OpenSSL, we use the EVP aes 128 ecb interface in OpenSSL.

24
Table 5: Performance (in thousands of cycles) of FrodoKEM on a 3.4GHz Intel Core i7-6700
(Skylake) processor with matrix A generated using AES128. Results are reported using OpenSSL’s
AES implementation and using a standalone AES implementation, all of which exploit AES-NI instructions.
Cycle counts are rounded to the nearest 103 cycles.

Total
Scheme KeyGen Encaps Decaps
(Encaps + Decaps)
Optimized Implementation (AES from OpenSSL)
FrodoKEM-640-AES 1,287 1,810 1,811 3,621
FrodoKEM-976-AES 2,715 3,572 3,588 7,160
Additional implementation using AVX2 intrinsic instructions (AES from OpenSSL)
FrodoKEM-640-AES 1,293 1,828 1,829 3,657
FrodoKEM-976-AES 2,663 3,565 3,580 7,145
Additional implementation using AVX2 intrinsic instructions (standalone AES)
FrodoKEM-640-AES 1,288 1,834 1,837 3,671
FrodoKEM-976-AES 2,677 3,577 3,580 7,157

Table 6: Performance (in thousands of cycles) of FrodoKEM on a 3.4GHz Intel Core i7-6700
(Skylake) processor with matrix A generated using cSHAKE128. Results are reported for two test
cases: (i) using a cSHAKE implementation written in plain C and, (ii) using a 4-way implementation of
cSHAKE using AVX2 instructions. Cycle counts are rounded to the nearest 103 cycles.

Total
Scheme KeyGen Encaps Decaps
(Encaps + Decaps)
Optimized Implementation (plain C cSHAKE)
FrodoKEM-640-cSHAKE 8,297 9,082 9,077 18,159
FrodoKEM-976-cSHAKE 17,798 19,285 19,299 38,584
Additional implementation using AVX2 intrinsics (cSHAKE4x using AVX2)
FrodoKEM-640-cSHAKE 4,212 4,671 4,672 9,343
FrodoKEM-976-cSHAKE 8,822 9,749 9,720 19,469

when using a 4-way implementation of cSHAKE using AVX2 instructions (“cSHAKE4x using AVX2”). Note
that the use of such vectorized implementation of cSHAKE is necessary to boost the practical performance.
In our use-case, the usage of such a vectorized implementation results in a two-fold speedup when compared
to the version using a cSHAKE implementation written in plain C.
Comparing Table 5 and Table 6, FrodoKEM using AES, when implemented with AES-NI instructions, is
around 2.6–2.7× faster than the vectorized cSHAKE implementation. Nevertheless, this comparative result
could change drastically if hardware-accelerated instructions such as AES-NI are not available on the targeted
platform, or if support for hardware-accelerated instructions for SHA-3 is added in the future.

3.2.3 Memory analysis

Table 7 shows the peak usage of stack memory per function. In addition, in the right-most column we show
the size of the produced static libraries.
In order to determine the memory usage we ran valgrind (http://valgrind.org/) to obtain “memory
use snapshots” during execution of the test program:

25
$ valgrind --tool=massif --stacks=yes --detailed-freq=1 ./frodo/test_KEM

This command produces a file of the form massif.out.xxxxx. We then ran massif-cherrypick
(https://github.com/lnishan/massif-cherrypick), which is an extension that outputs memory usage
per function:

$ ./massif-cherrypick massif.out.xxxxx kem_function

The results are summarized in Table 7. Note that in our implementations the use of cSHAKE for
generating A reduces peak memory usage in up to 26%. However, the vectorized AVX2 implementation of
cSHAKE increases the size of the produced static libraries significantly (implementations based on AES-NI
instructions are indeed very compact).

Table 7: Peak usage of stack memory (in bytes) and static library size (in bytes) of the optimized
and additional implementations of FrodoKEM on a 3.4GHz Intel Core i7-6700 (Skylake) processor. Compilation
with GNU GCC version 7.2.0 using flags -O3 -march=native. Matrix A is generated with either cSHAKE128
or AES128 (using OpenSSL’s AES implementation or the standalone AES implementation).

Peak stack memory usage Static library size

Scheme
KeyGen Encaps Decaps
Optimized Implementation (AES from OpenSSL)
FrodoKEM-640-AES 72,192 103,072 123,968 81,836
FrodoKEM-976-AES 111,424 159,136 189,176 79,700
Additional implementation using AVX2 intrinsics (standalone AES)
FrodoKEM-640-AES 72,192 103,088 124,016 81,184
FrodoKEM-976-AES 111,424 157,832 189,176 79,048
Additional implementation using AVX2 intrinsics (cSHAKE4x using AVX2)
FrodoKEM-640-cSHAKE 70,184 81,832 101,016 257,654
FrodoKEM-976-cSHAKE 105,560 124,856 156,248 255,398

3.3 Performance analysis on ARM

In this section, we summarize results of our performance evaluation using a device powered by a 1.992GHz
64-bit ARM Cortex-A72 (ARMv8) processor and running Ubuntu 16.04.2 LTS. For compilation we used
GNU GCC version 5.4.0 with the command gcc -O3 -march=native.
Table 8 details the performance of the optimized implementations when using AES128 and cSHAKE128.
Similar to the case of the x64 Intel platform, the overall performance of FrodoKEM is highly dependent on the
performance of the primitive that is used for the generation of the matrix A. Hence, the best performance
in this case is achieved when using OpenSSL’s AES implementation, which exploits the efficient NEON
engine. On the other hand, cSHAKE performs significantly better when there is no support for specialized
instructions in the targeted platform: using a plain C version of cSHAKE is more than 3 times faster than
using a plain C version of AES.

26
Table 8: Performance (in thousands of cycles) of the optimized implementations of FrodoKEM
on a 1.992GHz 64-bit ARM Cortex-A72 (ARMv8) processor. Results are reported for three test
cases: (i) using OpenSSL’s AES implementation, (ii) using an AES implementation written in plain C, and
(iii) using a cSHAKE implementation written in plain C. Results have been scaled to cycles using the nominal
processor frequency. Cycle counts are rounded to the nearest 103 cycles.

Total
Scheme KeyGen Encaps Decaps
(Encaps + Decaps)
Optimized Implementation (AES from OpenSSL)
FrodoKEM-640-AES 3,343 4,082 4,082 8,164
FrodoKEM-976-AES 7,056 8,428 8,382 16,810
Optimized implementation (plain C AES)
FrodoKEM-640-AES 44,007 45,013 44,967 89,980
FrodoKEM-976-AES 100,996 102,074 102,323 204,397
Optimized implementation (plain C cSHAKE)
FrodoKEM-640-AES 12,081 13,458 13,446 26,904
FrodoKEM-976-AES 26,125 28,735 28,506 57,241

27
4 Known Answer Test (KAT) values
The submission includes KAT values with tuples containing secret key (sk), public key (pk), ciphertext (c)
and shared secret (ss) values for the proposed KEM schemes. The KAT files can be found in the KAT folder
of the submission:

Scheme KAT file

FrodoKEM-640-AES \KAT\PQCkemKAT_19872.rsp
FrodoKEM-976-AES \KAT\PQCkemKAT_31272.rsp
FrodoKEM-640-cSHAKE \KAT\PQCkemKAT_19872_cshake.rsp
FrodoKEM-976-cSHAKE \KAT\PQCkemKAT_31272_cshake.rsp

In addition, we provide a test suite that can be used to verify the KAT values against any of the
implementations. Instructions to compile and run the KAT test suite can be found in the README file (see
Section 2, “Quick Instructions”).

28
5 Justification of security strength
The security of FrodoKEM is supported both by security reductions and by analysis of the best known
cryptanalytic attacks.

5.1 Security reductions

A summary of the reductions supporting the security of FrodoKEM is as follows:
1. FrodoKEM is an IND-CCA-secure KEM under the assumption that FrodoPKE is an IND-CPA-secure
public-key encryption scheme, and where G and F are modeled as random oracles. Theorem 5.1 gives a
tight, classical reduction against classical adversaries in the classical random oracle model. Theorem 5.2
gives a non-tight, classical reduction against quantum adversaries in the quantum random oracle model.
2. FrodoPKE is an IND-CPA secure public key encryption scheme under the assumption that the corre-
sponding normal-form learning with errors decision problem is hard. Theorem 5.3 gives a tight, classical
reduction against classical or quantum adversaries in the standard model.
3. Section 5.1.3 provides justification and bounds exact security loss for substituting exact rounded
Gaussian distributions with distributions from Table 2.
4. Section 5.1.4 provides an overview of the security reduction when replacing A sampled from a truly
uniform distribution with one generated in a pseudorandom fashion from a seed. The reduction models
AES128 as an ideal cipher when considering Frodo.Gen with AES128 (Algorithm 7) and cSHAKE128
as a random oracle when considering Frodo.Gen with cSHAKE128 (Algorithm 8) and preserve the
security up to a small multiplicative loss in the number of samples of the underlying LWE problem.
5. The normal-form learning with errors decision problem is hard under the assumption that the uniform-
secret learning with errors decision problem is hard for the same parameters, except for a small additive
loss in the number of samples. Theorem 5.4 gives a tight, classical reduction against classical or quantum
adversaries (in the standard model).
6. The (average-case) uniform-secret learning with errors decision problem, with the particular values of σ
from Table 1 and an appropriate bound on the number of samples, is hard under the assumption that
the worst-case bounded distance decoding problem with discrete Gaussian samples problem (BDDwDGS,
Definition 5.7) is hard for related parameters. Theorem 5.8 gives a non-tight classical reduction against
classical or quantum adversaries (in the standard model).

5.1.1 IND-CCA Security of KEM

Theorem 5.1 (IND-CPA PKE =⇒ IND-CCA KEM in classical ROM). Let PKE be a public key en-
cryption scheme with algorithms (KeyGen, Enc, Dec), message space M, and which is δ-correct. Let G and
F be independent random oracles. Let QKEM6⊥ 0 6⊥0
m = QFOm [PKE, G, F ] be the KEM obtained by applying the
6⊥0
QFOm transform as in Definition 2.19. For any classical algorithm A against the IND-CCA security of
QKEM6⊥ 0
m that makes qG and qF queries to its G and F oracles, there exists a classical algorithm B against
the IND-CPA security of PKE such that
4 · qRO + 1
Advind-cca
QKEM6⊥0
(A) ≤ + qRO · δ + 3 · Advind-cpa
PKE (B)
m |M|
where qRO = qG + qF . Moreover, the running time of B is about that of A.
Theorem 5.1 follows from Theorems 3.2 and 3.4 of Hofheinz, Hövelmanns, and Kiltz (HHK) [61], with the
following modifications. In the application of HHK’s Theorem 3.2, we take qV = 0. Note that Theorems 3.2
and 3.4 of HHK are about the FO6⊥ transform, which differs from the QFO6⊥ 0
m in the following ways.
1. QFOm uses a single hash function (with longer output) to compute r and K whereas FO6⊥ uses two;
6⊥0

but this is equivalent in the random oracle model with appropriate output lengths.
2. QFO6⊥ 0 6⊥
m ’s computation of r and K also takes the public key pk as input whereas FO does not; this does
not negatively affect any of the theorems, and has the potential to provide multi-target security.
3. QFO6⊥ 0 6⊥
m includes the d value in the ciphertext, whereas FO does not; since d is computed by applying a
random oracle G to the secret µ ∈ M, taking advantage of d requires querying G on µ, which occurs
with the additional qRO /|M| probability term added in the theorem.

29
Theorem 5.2 (IND-CPA PKE =⇒ IND-CCA KEM in quantum ROM). Let PKE be a public key en-
cryption scheme with algorithms (KeyGen, Enc, Dec), message space M, and which is δ-correct. Let G and
F be independent random oracles. Let QKEM6⊥ 0 6⊥0
m = QFOm [PKE, G, F ] be the KEM obtained by applying the
6⊥0
QFOm transform as in Definition 2.19. For any quantum algorithm A against the IND-CCA security of
QKEM6⊥ 0
m that makes qG and qF queries to its quantum G and F oracles, there exists a quantum algorithm B
against the IND-CPA security of PKE such that
v s
u
u 1
AdvQKEM6⊥0 (A) ≤ 9 · qRO · qRO · δ + qRO · Advind-cpa
ind-cca t 2
PKE (B) +
m |M|

where qRO = qG + qF . Moreover, the running time of B is about that of A.

Theorem 5.2 follows from Lemma 2.3 and Theorems 4.4 and 4.6 of Hofheinz, Hövelmanns, and Kiltz [61],
with the following modifications. Note that Theorems 4.4 and 4.6 of HHK are about the QFO6⊥ m transform,
which differs from the QFO6⊥ m
0
in the following ways. 1) QFO 6⊥0
m uses a single hash function (with longer output)
to compute r, K, and d whereas FO6⊥ uses two; but this is equivalent in the random oracle model with
appropriate output lengths. 2) QFO6⊥ 0
m ’s computation of r, K, and d also takes the public key pk as input
6⊥
whereas FO does not; this does not negatively affect any of the theorems, and has the potential to provide
multi-target security. 3) QFO6⊥ 0
m ’s computation of the shared secret k also takes the encapsulation c as input;
this does not negatively affect any of the theorems, and provides robustness against ciphertext modification.
Note that Theorem 5.2 is far from being tight due to the fourth-root between the Advind-cpa PKE (B) term and
the Advind-cca
QKEMm 6⊥0 (A) term. As of writing there is no known attack that takes advantage of the tightness gap,

and so it seems to be an artifact of the proof technique. As noted in Section 2.2.8, a recent eprint of Jiang et
al. [63] presents an alternative transform from IND-CPA PKE to IND-CCA KEM in the quantum random
oracle model, and their theorems give only a square-root gap between the advantages; our IND-CPA PKE
satisfies the conditions needed for their Theorem 1 to yield IND-CCA security of the resulting KEM. In our
parameter selection, we ignore the tightness gap arising from Theorem 5.2.

5.1.2 IND-CPA Security of PKE

Theorem 5.3 (Normal Form DLWE =⇒ IND-CPA security of FrodoPKE). Let n, q, m, n be positive
integers, and χ be a probability distribution on Z. For any quantum algorithm A against the IND-CPA
security of FrodoPKE (with a uniformly random A), there exist quantum algorithms B1 and B2 against the
normal-form LWE decision problem such that

Advind-cpa nf-dlwe nf-dlwe

FrodoKEM (A) ≤ n · Advn,n,q,χ (B1 ) + m · Advn,n+n,q,χ (B2 ) .

Moreover, the running times of B1 and B2 are approximately that of A.

The proof of Theorem 5.3 is the same as that of [75, Theorem 3.2] or [24, Theorem 5.1].
Theorem 5.4 (uniform-secret DLWE =⇒ normal-form DLWE). Let n, q, m be integers, and χ be a
probability distribution on Z. For any quantum algorithm A against the normal-form LWE decision problem,
there exists a quantum algorithm B against the uniform-secret LWE decision problem such that

Advnf-dlwe dlwe
n,m,q,χ (A) ≤ Advn,m+O(n),q,χ (B) .

Moreover, the running time of B is about that of A.

The proof of Theorem 5.4 is the same as that of [13, Lemma 2].

5.1.3 Approximating the error distribution

The discrete Gaussian distribution (Definition 2.14), whose properties are key to the worst-to-average-case
reduction, is difficult to sample from on a finite computer (and impossible to do so in constant time). Following
Langlois et al. [73], we replace an infinite-precision distribution with its discrete approximation and quantify
the loss of security by computing the Rényi divergence between the two distributions.

30
Definition 5.5 (Rényi divergence). Rényi divergence of order α between two discrete distributions P
and Q is defined as
 α−1
1 X P (x)
Dα (P kQ) = ln P (x) .
α−1 Q(x)
x∈supp P

(Note that our definition differs from Langlois et al. in that we take the logarithm of the sum.)
The following theorem relates probabilities of observing a certain event under two distributions as a
function of their Rényi divergence.

Theorem 5.6 ([73, Lemma 4.1]). If there is an event S defined in a game GQ where n samples are drawn
from distribution Q, the probability of S in the same game where Q is replaced with P is bounded as follows:

Pr[GP (S)] ≤ (Pr[GQ (S)] · exp(n · Dα (P kQ)))1−1/α . (4)

Reduction to any search problem, such as the ones that appear in the proof of Theorem 5.3 (specifically,
winning in the OW-PCVA game as defined in [61]) are preserved subject to the relaxation (4). For each exact
security argument, and any concrete choice of the two distributions P and Q, the bound can be minimized
by choosing an optimal value of the Rényi order α.
For a concrete example of application of Theorem 5.6 consider the distribution χFrodo-640 specified according
to Table 2. The distribution approximates the rounded Gaussian Ψ2.75/√2π as defined in Section 2.1.4. During
a single run of FrodoKEM the parties sample from the distribution (8+8)×640+64 = 10,304 times. Assume that
the adversary attacking the underlying search problem (of recovering the shared secret key before applying the
random oracle) has probability of winning 2−145 when the parties sample from Ψ2.75/√2π . According to Table 2
the Rényi divergence between the two distributions is D500 (χFrodo-640 kΨ2.75/√2π ) = .000074. Substituting the
rounded Gaussian distribution with χFrodo-640 and applying Theorem 5.6 will lead to the following bound on
classical security of the resulting protocol (cf. Table 1): (2−145 · exp(10304 · .000074)).998 ≈ 2−143.6 .

5.1.4 Deterministic generation of A

The matrix A in FrodoKEM is deterministically expanded from a short random seed in the function Frodo.Gen
either using AES128 or cSHAKE128. In order to relate FrodoKEM’s security to the hardness of the learning
with errors problem, we argue that we can replace a uniformly sampled A ∈ Zn×n q with matrices sampled
according to Frodo.Gen. Although the matrix appears pseudorandom under standard security assumptions to
an adversary without access to the seed, we argue security of this step against a stronger (and more realistic)
adversary via the indifferentiability framework [80, 41].
Informally, a construction C with access to an ideal primitive G is said to be ε-indifferentiable from an
ideal
  primitive  F if there existsa simulator S such that for any polynomial time distinguisher D it holds that
Pr DC,G = 1 − Pr DF ,S = 1  < ε. An indifferentiability argument implies that any cryptosystem secure


in the F-model remains secure (in a tight sense) in the G-model with F instantiated as C G [80]. In what
follows, we consider the ideal primitive F to be an ideal “domain expansion” function expanding a small seed
to a matrix A. Criticially, the security of the step depends on the properties of G rather than randomness of
the seed. The construction C and primitive G depend on whether we use AES128 or cSHAKE128, modeled
below as an ideal cipher and an ideal extendable-output function (XOF) respectively.

Using AES128 to generate A. Algorithm 7 generates the entries of A as 16-bit values and then reduces
each one modulo q. For simplicity, we assume that A consists of N = 16n2 bits and we set M = N/128. This
means that A consists of M 128-bit AES128 blocks. The pseudorandom bits in the ith block are generated
by encrypting a fixed index idxi with a uniformly random seedA ∈ {0, 1}128 as the key. Throughout, we refer
to the set Idx := {idx1 , . . . , idxM } as the set of indices used in the pseudorandom generation of A.
The ideal domain expansion primitive F expands a uniformly random seed seedA ∈ {0, 1}128 to a larger
bit string s1 ks2 k · · · ksM ∈ {0, 1}128M subject to the condition that si = 6 sj for any distinct pair of i, j.
Observe that a uniformly sampled A satisfies this condition with probability at least 1 − M 2 /2128 . In our
security reductions, the matrix A is constructed through m = n calls to the LWE oracle (Definition 2.9).
By increasing the number of calls to this oracle marginally, by setting m = 1.01n > n · (1 − M 2 /2128 )−1 , we

31
can construct an LWE matrix A sampled from the same distribution as the output of F with overwhelming
probability without affecting its underlying security.
When Frodo.Gen uses AES128, we consider a construction C G in the Ideal Cipher model implementing
F as AES128seedA (idx1 )k · · · kAES128seedA (idxM ). We show that C G is indifferentiable from F as follows.
Consider the two worlds with which D interacts to make queries on the construction C and G:
• REAL. In the real world, upon query C(k), D receives AES128k (idx1 )k · · · kAES128k (idxM ). Queries
to G are answered naturally with AES128(·) (·) or AES128−1 (·) (·) as required.
• IDEAL. In the ideal world, upon query C(k), the simulator S simulates F as follows. S samples
M uniformly random strings s1 , . . . , sM subject to no collisions and outputs F(k) = s1 k · · · ksM . It
additionally stores a mapping Mk from {idx1 , . . . , idxM } to S = {s1 , . . . , sM }. These will be used to
answer G queries. Without loss of generality, we assume that whenever G is queried on a key k, S
pretends that C(k) has been queried and sets up Mk .
D can now effectively simulate an ideal cipher G as follows. For forward queries with an input in Idx
or backward queries with an input in Sk , S uses the mapping Mk to answer the query in a manner
consistent with C(·) simulation. For all other queries, the simulator maintains an on-the-fly table to
simulate an ideal cipher. It samples independent uniformly random responses for each input query
(forward or backward) subject to the fact that the resulting table of input/output pairs (x, y) combined
with (idxi , si ) pairs remains a permutation over {0, 1}128 for every key k.
It is easy to see that the simulator is efficient. Indifferentiability of the two worlds follows by construction
as AES128(·, ·) is modeled as an ideal cipher. Thus, in generating A starting with a seed seedA using AES128,
we can effectively replace the ideal domain extension primitive F with our construction in the ideal cipher
model.

Using cSHAKE128 to generate A. An argument in using cSHAKE128 to expand seedA to the matrix A
is significantly simpler. In the random oracle model, cSHAKE128 is an ideal XOF [49]. In fact, for every
customization string str, we can model cSHAKE128(·, `, str) as an independent hash function mapping
{0, 1}128 to {0, 1}` . The domain expansion step is constructed by computing cSHAKE128(seedA , 16n, 28 + i)
for 1 ≤ i ≤ n where each step fills up the ith row of the matrix A. As each row is independently constructed
via an ideal hash function, this construction maps a uniformly random seed seedA to a much larger uniformly
random matrix A thereby implementing the ideal functionality F perfectly.

Reusing A. Finally, we point out that generating A from seedA can be a significant computational burden,
but this cost can be amortized by relaxing the requirement that a fresh seedA be used for every instance
of key encapsulation, e.g., by caching and reusing A for a small period of time. In this case, we observe
that the cost of generating A represents roughly 40% of the cost of encapsulation and decapsulation on
the targeted x64 Intel machine used in Section 3. A straightforward argument shows that the amortization
above is compatible with all the security reductions in this section. But importantly, it now allows for an
all-for-the-price-of-one attack against those key encapsulations that share the same A. This can be mitigated
by making sure that we cache and reuse A only for a small number of uses, but we need to do this in a very
careful manner.

Generating A from joint randomness. It is also possible to generate A from joint randomness or
using protocol random nonces. For example, when integrating FrodoKEM into the TLS protocol, A could
be generated from a seed consisting of the random nonces client random and server random sent by the
client and server in their ClientHello and ServerHello messages in the TLS handshake protocol. This
functionality does not match the standard description of a KEM and the API provided by NIST, but is
possible in general. A design with both parties contributing entropy to the seed might better protect against
all-for-the-price-of-one attacks by being more robust to faulty random number generation at one of the parties.

5.1.5 Reductions from worst-case lattice problems

When choosing parameters for LWE, one needs to choose an error distribution, and in particular its “width.”
Certain choices (e.g., sufficiently wide Gaussians) are supported by reductions from worst-case lattice problems

32
to LWE; see, e.g., [102, 88, 28, 94]. At a high level, such a reduction transforms any algorithm that solves
LWE on the average—i.e., for random instances sampled according to the prescribed distribution—into an
algorithm of related efficiency that solves any instance of certain lattice problems (not just random instances).
The original work of [102] and a follow-up work [94] gave quantum polynomial-time reductions, from
the worst-case GapSVPγ (Definition 2.15), SIVPγ (Definition 2.16), and DGSϕ (Definition 2.17) problems
on n-dimensional lattices, to n-dimensional LWE (for an√unbounded polynomial m = poly(n) number of
p with Gaussian error of standard deviation σ ≥ c n. The constant factor c was originally stated as
samples)
c = 2/π, but can easily be improved to any c > 1/(2π) via a tighter analysis of essentially the same proof.5
However, for efficiency reasons our choices of σ (see Table 2) are somewhat smaller than required by these
reductions.
Instead, following [102, Section 1.1], below we obtain an alternative classical (i.e., non-quantum) reduction
from a variant of the worst-case bounded-distance decoding (BDD) problem to our LWE parameterizations. In
contrast
√ to the quantum reductions described above, which requires Gaussian error of standard deviation σ =
Θ( n), the alternative reduction supports a smaller error width—as small as the “smoothing parameter” [84]
of the lattice of integers Z. For the BDD variant we consider, which we call “BDD with Discrete Gaussian
Samples” (BDDwDGS), the input additionally includes discrete Gaussian samples over the dual lattice, but
having a larger width than known algorithms are able to exploit [77, 45]. Details follow.

Bounded-distance decoding with discrete Gaussian samples. We first define a variant of the
bounded-distance decoding problem, which is implicit in prior works that consider “BDD with prepro-
cessing,” [2, 77, 45] and recall the relevant aspects of known algorithms for the problem.
Definition 5.7 (Bounded-distance decoding with discrete Gaussian samples). For a lattice L ⊂
Rn and positive reals d < λ1 (L)/2 and r > 0, an instance of the bounded-distance decoding with discrete
Gaussian samples problem BDDwDGSL,d,r is a point t ∈ Rn such that dist(t, L) ≤ d, and access to an oracle
that samples from DL∗ ,s for any (adaptively) queried s ≥ r. The goal is to output the (unique) lattice point
v ∈ L closest to t.

Remark. For a given distance bound d, known BDDwDGS algorithms use discrete Gaussian samples that all
have the same width parameter s. However, the reduction to LWE will use the ability to vary s. Alternatively,
we mention that when r ≥ ηε (L∗ ) for some very small ε > 0 (which will always be the case in our setting),
we can replace the variable-width DGS oracle from Definition 5.7 with a fixed-width one that samples from
Dw+L∗ ,r for any queried coset w + L∗ , always for the same width r. This is because we can use the latter
oracle to implement
√ the former one (up to statistical distance 8ε), by sampling e from the continuous Gaussian
of parameter s2 − r2 and then adding a sample from DL∗ −e,r . See [90, Theorem 3.1] for further details.

The state-of-the-art algorithms for solving BDDwDGS [2, 77, 45] deal with a certain L-periodic function
fL,1/r : Rn → [0, 1], defined as

ρ1/r (x + L)
fL,1/r (x) := = E [cos(2πhw, xi)] , (5)
ρ1/r (L) w∼DL∗ ,r

where the equality on the right follows from the Fourier series of fL,1/r (see [2]). To solve BDDwDGS for
a target point t, the algorithms use several discrete Gaussian samples wi ∼ DL∗ ,r to estimate the value
of fL,1/r at t and nearby points via Equation (5), to “hill climb” from t to the nearest lattice point. For the
relevant points t we have the (very sharp) approximation

fL,1/r (t) ≈ exp(−πr2 · dist(t, L)2 ) ,

so by the Chernoff-Hoeffding bound, approximating fL,1/r (t) to within (say) a factor of two uses at least

1
≈ exp(2πr2 · dist(t, L)2 )
fL,1/r (t)2
√
5 The approximation factor γ for GapSVP and SIVP is Õ(qn/σ) = (qn/σ) logO(1) n, and the parameter ϕ for DGS is Θ(q n/σ)
times the “smoothing parameter” of the lattice.

33
 samples.6 Note that without enough samples, the “signal” of fL,1/r (t) is overwhelmed by measurement
“noise,” which prevents the hill-climbing from making progress toward the answer.
In summary, when limited to N discrete Gaussian samples, the known approaches to solving BDDwDGS
are limited to distance p
dist(t, L) ≤ r−1 ln(N )/(2π) , (6)
and having such samples does not seem to provide any speedup in decoding√at somewhat distances that are
larger by some constant factor greater than one. In particular, if d · r ≥ ω( log n) (which is the smoothing
parameter of the integer lattice Z for negligible error ε), then having N = poly(n) samples does not seem to
provide any help in solving BDDwDGSL,d,r (versus having no samples at all).

Reduction from BDDwDGS to LWE. We now recall the following result from [94], which generalizes a
key theorem from [102] to give a reduction from BDDwDGS to the LWE decision problem.
Theorem 5.8 (BDDwDGS hard =⇒ decision-LWE hard [94, Lemma 5.4]). Let ε = ε(n) be a negli-
gible function and let m = poly(n) and C = C(n) > 1 be arbitrary. There is a probabilistic polynomial-time
(classical) algorithm that, given access to an oracle that solves DLWEn,m,q,α with non-negligible advantage
n ∗
and input a number α ∈ (0, 1), an integer q ≥ 2, a lattice L p⊂ R , and a parameter r ≥ Cq · ηε (L ), solves
BDDwDGSL,d,r using N = m · poly(n) samples, where d = 1 − 1/C · αq/r. 2

√
Remark. The above statement generalizes the fixed choice of C = 2 in the original statement (inherited
from [102, Section 3.2.1]), using [102, Corollary 3.10]. In particular, for any constant δ > 0 there is a constant
C > 1 such that d = (1 − δ) · αq/r.

p In particular, by Equation (6), if the Gaussian parameter αq of the LWE error sufficiently exceeds
ln(N )/(2π) (e.g., by a constant factor greater than one), then the BDDwDGSL,d,r problem is plausibly
hard in the worst case, hence so is the corresponding LWE problem from Theorem 5.8.
Concretely, if we use an extremely large bound N ≤ 2256 on the number ofpdiscrete Gaussian samples,
then the threshold for Gaussian parameters αq thatpconform to Theorem 5.8 is ln(N )/(2π) ≈ 5.314, which
corresponds to a standard deviation threshold of ln(N )/(2π) ≈ 2.120. Our FrodoPKE parameters, which
use standard deviation σ ≥ 2.3 (see Table 2), are above this threshold by a comfortable margin. (Note that a
standard deviation threshold of 2.3 corresponds to N ≈ 2300 .)

5.2 Cryptanalytic attacks

In this section, we explain our methodology to estimate the security level of our proposed parameters. The
methodology is similar to the one proposed in [11], with slight modifications taking into account the fact that
some quasi-linear accelerations [107, 26] over sieving algorithms [16, 69] are not available without the ring
structure.
We also remark that this methodology is significantly more conservative than what is usually used in
the literature [10], at least since recently. Indeed, we must acknowledge that lattice cryptanalysis is far less
mature than that for factoring and computing discrete logarithms, for which the best-known attacks can
more safely be considered best-possible attacks.

5.2.1 Methodology: the core-SVP hardness

In this section, let msamp denote the number of LWE samples available to the attacker. Due to the small
number of samples (i.e., msamp ≈ n in our schemes) we are not concerned with either BKW types of attacks [65]
or linearization attacks [14]. This essentially leaves us with two BKZ [40] attacks, usually referred to as
primal and dual attacks that we will briefly recall below.
Formally, BKZ with block-size b requires up to polynomially many calls to an SVP oracle in dimension b,
but some heuristics allow to decrease the number of calls to be essentially linear [39]. To account for further
improvement, we shall count only the cost of one such call to the SVP oracle: the core-SVP hardness. Such
6 In fact, the algorithms need approximation factors much better than two, so the required number of samples is even larger
by a sizable constant factor. However, the above crude bound will be sufficient for our purposes.

34
precaution is motivated by the fact that there are ways to amortize the cost of SVP calls inside BKZ, especially
when sieving is to be used as the SVP oracle. Such a strategy was suggested in a talk, but has so far not
been experimentally tested, as more implementation effort is required to integrate sieving within BKZ.
Even evaluating the concrete cost of one SVP oracle call in dimension b is difficult, because the numerically
optimized pruned enumeration strategy does not yield a closed formula [53, 40]. Yet, asymptotically,
enumeration is super-exponential (even with pruning), while sieving algorithms are exponential 2cb+o(b) with
a well understood constant c in the exponent. A sound and simple strategy is therefore to give a lower bound
for the cost of an attack by 2cb vector operations (i.e. about b2cb CPU cycles7 ), and to make sure that the
block-size b is in a range where enumeration costs more than 2cb . From the estimates of [40], it is argued
in [11] that this is the case both classically and quantumly whenever b ≥ 200. p
The best known constant in the exponent is for classical algorithms is cCp= log2 3/2 ≈ 0.292, as provided
by the sieve algorithm of [16]. For quantum algorithms it isq cQ = log2 13/9 ≈ 0.265 [69, Sec. 14.2.10].
p b
Because allp variants of the sieve algorithm require building a list of 4/3 many vectors, the constant
cP = log2 4/3 ≈ .2075 can plausibly serve as a “worst-possible” lower bound for sieving algorithm.

Conservatism: lower bounds vs. experiments. These estimates are very conservative compared to
the state of the art implementation of [79], which has practical complexity of about 20.405b+11 cycles in the
range b = 60 . . . 80. The classical lower bound of 20.292b corresponds to a margin factor of 220 at blocksize
b = 80, and this margin should continue increasing with the blocksize (abusing the linear fit suggests a margin
of 245 at blocksize b = 300).

Conservatism: future improvements. Of course, one could assume further improvements on known
techniques. At least asymptotically, it may be reasonable to assume that 20.292b+o(b) is optimal for SVP
considering that the underlying technique of [16] has been shown to reach lower bounds for the generic
nearest-neighbor search problem [12]. As for concrete improvements, we note that this algorithm has already
been subject to some fine-tuning in [79], so we may conclude that there is not much more to be gained without
introducing new ideas. We therefore consider our margin sufficient to absorb such future improvements.

Conservatism: cost models. The NIST call for proposals suggested a particular cost model, inspired
by the estimates of a Grover search attack on AES, essentially accounting for the quantum gate count. In
comparison, the literature on sieving algorithms mostly focuses on analysis in the RAM model and quantumly
accessible RAM models, and considers the amount of memory they use. Their cost in the area-time model
should be higher by polynomial, if not exponential, factors.
Firstly, our model accounts for arithmetic operations rather than gates (used to compute inner products
and evaluate norms of vectors). The conversion to gate count may not be trivial as it is unclear how many
bits of precision are required.
Secondly, even in the classical setting, the cost of sieving in large dimensions may not be accurately
captured by the count of elementary operations in the RAM model, as those algorithms use an exponential
amount of memory. Admittedly, the most basic sieve algorithm (with theoretical complexity 20.415b+o(b) )
has sequential memory access, and can therefore be efficiently implemented by a large circuit without
memory access delays. But more advanced ones [16] have much less predictable memory access patterns,
and memory complexities as large as time complexities (20.292b+o(b) ). It is unclear if they can be adapted to
reach a complexity 20.292b+o(b) in the area-time model; one might expect extra polynomial factors to appear.
(Following an idea of [17], Becker et al. [16] also claims a version that only requires 20.2015b+o(b) memory, but
we suspect this would come at some hidden cost on the running time.)
Moreover, the quantum versions of all sieving algorithms work in the quantumly accessible RAM model [71].
Again, the conversion to an efficient quantum circuit will induce extra costs—at least polynomial ones.
7 Because of the additional ring-structure, [11] chooses to ignore this factor b to the advantage of the adversary, assuming the

techniques of [107, 26] can be adapted to more advanced sieve algorithms [11]. But for plain LWE, we can safely include this
factor.

35
5.2.2 Primal attack
The primal attack consists of constructing a unique-SVP instance from the LWE problem and solving it using
BKZ. We examine how large the block dimension b is required to be for BKZ to find the unique solution. Given
the matrix LWE instance (A, b = As+e) one builds the lattice Λ = {x ∈ Zm+n+1 : (A|−Im |−b)x = 0√mod q}
of dimension d = m + n + 1, volume q m , and with a unique-SVP solution v = (s, e, 1) of norm λ ≈ σ n + m.
The number of used samples m may be chosen between 0 and msamp in our case and we numerically optimize
this choice.
Using the typical models of BKZ (geometric series assumption, Gaussian heuristic [39, 10]) one concludes
that the primal attack is successful if and only if
√
σ b ≤ δ 2b−d−1 · q m/d where δ = ((πb)1/b · b/2πe)1/2(b−1) . (7)

We note that this condition, introduced in [11], is substantially different from the one suggested in [52] and
is used in many previous security analyses, such as [10]. The recent study [9] showed that this new condition
predicts significantly smaller security levels than the older, and is corroborated by extensive experiments.

5.2.3 Dual attack

The dual attack searches for a short vector in the dual lattice w ∈ Λ̂ = {(x, y) ∈ Zm × Zn : At x = y mod q}
and intends to use it as a distinguisher for LWE. The algorithm BKZ with block size b will output such a
vector of length ` = δ d−1 q n/d .
Having found (x, y) ∈ Λ̂ of length `, an attacker computes z = vt · b = vt As + vt e = wt s + vt e mod q
which is distributed as a Gaussian of standard deviation `σ if (A, b) is indeed an LWE sample (otherwise
it is uniform mod q). Those two distributions have maximal variation distance bounded by ε = exp(−πτ 2 )
where τ = `σ/q: given such a vector of length ` the attacker may distinguish LWE samples from random
with advantage at most ε.
Note that small advantages ε are not meaningful to attack a key exchange protocol: as the agreed key is
to be used as a symmetric cipher key, any advantage below 1/2 does not significantly decrease the search
space to bruteforce the symmetric cipher.8
We therefore require the attacker to amplify his success probability by building about 1/ε2 many such
short vectors. Because the sieve algorithms provide 2.2075b vectors, the attack must be repeated at least R
times where
R = max(1, 1/(2.2075b ε2 )).
This is again quite pessimistic, as the other vectors outputted by the sieving algorithm are a bit larger than
the shortest one.

8 To make this more formal, one may simply hash the agreed key with a random oracle before using it for any other purposes.

36
6 Advantages and limitations
6.1 Ease of implementation
One of the features of FrodoKEM is that it is easy to implement and naturally facilitates writing implementa-
tions that are compact and run in constant-time. This latter feature aids to avoid common cryptographic
implementation mistakes which can lead to key-extraction based on, for instance, timing differences when
executing the code. For example, the additional x64 implementation of the full KEM scheme accompanying
this submission consists of slightly more than 250 lines of plain C code.9 This same code is used for the two
security levels FrodoKEM-640 and FrodoKEM-976, with parameters changed by a small number of macros at
compile-time.
Computing on matrices —the basic operation in FrodoKEM— allows for easy scaling to different dimensions
n. In addition, FrodoKEM uses a modulus q that is always equal or less than 216 . These two combined
aspects allow for the full reuse of the matrix functions for the different security levels by instantiating them
with the right parameters at build time. Since the modulus q used is always a power of two, implementing
arithmetic modulo q is simple, efficient and ease to do in constant-time in modern computer architectures:
for instance, computing modulo 216 comes for free when using 16-bit data-types. Moreover, the dimension
values were chosen to be divisible by 16 in order to facilitate vectorization optimizations and to simplify the
use of AES128 for the generation of the matrix A.
Also the error sampling is designed to be simple and facilitates code reuse: for any security level, FrodoKEM
requires 16 bits per sample, and the tables Tχ corresponding to the discrete cumulative density functions
always consist of values that are less than 215 . Hence, a simple function applying inversion sampling (see
Algorithm 5) can be instantiated using different precomputed tables Tχ . Moreover, due to the small sizes of
these pre-computed tables constant-time table lookups, needed to protect against attacks based on timing
differences, can be implemented almost for free in terms of effort and performance impact.

6.2 Compatibility with existing deployments and hybrid schemes

FrodoKEM does have larger public key / encapsulation sizes than traditional RSA and elliptic curve cryptosys-
tems, and some other post-quantum candidates such as ring-LWE-based schemes. Nonetheless, FrodoKEM’s
communication size is sufficiently small that it is still compatible with many existing deployments. In our
original research paper on FrodoCCS [24], we integrated FrodoCCS as well as several other key encapsulation
mechanisms into OpenSSL v1.0.1f and added ciphersuites, both hybrid and non-hybrid, to the TLS 1.2
implementation in OpenSSL. We compiled the Apache httpd v2.4.20 web server against our modified OpenSSL,
and tested compatibility and performance of the web server. We encountered no problems with existing clients
despite using larger ephemeral public keys / encapsulations, and did not need to make any modifications to
data structures (e.g., existing 16-bit length fields were large enough to hold our values).
We measured throughput (connections per second) for a variety of page sizes, and latency (connection
establishment time) for a server with or without heavy load, of both hybrid and non-hybrid ciphersuites.
Detailed results including the exact methodology can be found in [24]. To highlight a few results: the
connection time of an ECDHE (nistp256) ciphersuite with an RSA certificate on an unloaded server was 16.1
milliseconds (over a network with ping time 0.62 ms); it was 20.7 ms for FrodoCCS, and 24.5 ms for hybrid
FrodoCCS+ECDHE10 . The number of connections (with 1 KiB HTTP payload) supported per second with
an ECDHE ciphersuite with an RSA certificate was 810, compared to 700 for FrodoCCS and 551 for hybrid
FrodoCCS+ECDHE. These results indicate that, despite its larger communication sizes, FrodoKEM remains
practical for Internet applications.
In our experience with testing the performance of the original Frodo construction in an end-to-end
testbed OpenSSL deployment, we observed a few trends that let us extrapolate these results to our current
proposal. First, we note that even with the significantly larger bandwidth of the original FrodoCCS proposal,
as compared to the original NewHope proposal, we observed a slowdown of less than 1.6× when comparing
9 Thiscount does not include header files and the additional symmetric primitives.
10 Note that the results in [24] use a different parameter set than in this proposal which had slightly larger communication
(22.1 KiB in [24] versus 18.9 KiB for FrodoKEM-640 in this proposal; the IND-CCA-secure FrodoKEM-640 in this proposal has an
additional runtime cost in decapsulation due to the application of the FO transform compared to the IND-CPA-secure scheme in
[24]; and used somewhat different symmetric primitives. Nonetheless the results provide some indication of suitability.

37
connection times for 1 KiB webpages. This slowdown factor only decreases with increasing sizes of webpages
and considering our smaller bandwidth (18.9 KiB for FrodoKEM-640 versus 22.1 KiB for the original FrodoCCS
construction) we expect to be competitive for typical connection sizes.
Moreover, we can state with some measure of confidence that the additional costs when applying the FO
transform will have a very small impact on the connection throughput as well as on the connection times. We
state this with two supporting arguments. First, with a microbenchmark a whole order of magnitude faster
than the original FrodoCCS construction, the original NewHope construction only improves connection times
and throughputs by 30–50% and we expect various other bottlenecks in the entire Web serving ecosystem to
have a larger impact. To compare, our FO-transformed implementations run in time a small constant factor
larger than the microbenchmarks of FrodoCCS. Second—and as stated previously to support the practical
application of the original FrodoCCS construction [24]—deployments in the near-term will necessarily involve
both a post-quantum and a traditional EC-based construction which would result in any drastic improvements
in post-quantum microbenchmarks having a small or even negligible impact in practical deployments. The
costs of these small impacts are well worth the long-term post-quantum security afforded by a conservative
scheme based only on generic lattices.

6.3 Hardware implementations

Hardware implementations of lattice-based cryptographic schemes have mainly considered the ring learning
with errors based schemes (see, e.g., [59, 97, 98, 106]) since these schemes allow to compute polynomial
multiplication with the number-theoretic transform, e.g. the discrete Fourier transform over a finite field.
Computing the fast Fourier transform (FFT) is a well-known primitive for hardware implementations.
Schemes based on the original learning with errors problem work with matrices instead. Fortunately, the
FPGA design and implementation of, for instance, matrix multiplication architectures is a well-studied area
and very efficient (in terms of either area, energy or performance) implementations are known (cf. [100] and
the related literature mentioned therein). Hence, the proposed schemes FrodoKEM-640 and FrodoKEM-976
are a natural fit for hardware implementations.

6.4 Side-channel resistance

Side-channel attacks are a family of attacks which use meta-information such as power consumption (e.g, in a
differential power analysis (DPA) attack [68]) or electromagnetic usage (e.g., in a differential electromagnetic
analysis (DEMA) attack [54]) in a statistical analysis by correlating this information obtained when executing
a cryptographic primitive to a key-dependent guess. Besides such passive side-channel attacks (cf. [67]) there
are also active attacks which might inject faults [21, 19] and use the potentially corrupted output to obtain
information about the secret key used.
This is a well-studied and active research area used to protect software and hardware implementations
where such attacks are realistic. In the setting of implementations based on the ring LWE problems not much
work has been done yet. For ring LWE masking techniques [34] have been studied to protect implementations
such as in [87, 104, 105].
In a more recent work [99] it is shown how to perform a single trace attack on ring LWE encryption using
side-channel template matching [35]. Hence, it can also be applied to attack masked implementations. This
single trace behaviour makes it immediately applicable to key-exchange algorithms.
No side-channel attacks nor countermeasures are currently known for LWE key encapsulation mechanisms
but the generic attacks methods as well as the countermeasures which apply to ring LWE also do apply
to LWE. However, since our LWE-based schemes FrodoKEM-640 and FrodoKEM-976 do not use FFT-based
multiplication techniques (the point of attack used in [99]), the attack surface against FrodoKEM is significantly
reduced. This might result in cheap and easy-to-apply countermeasures against a large set of the known
side-channel attacks applied in practice.

38
References
[1] D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, N. Heninger,
D. Springall, E. Thomé, L. Valenta, B. VanderSloot, E. Wustrow, S. Z. Béguelin, and P. Zimmermann.
Imperfect forward secrecy: How Diffie-Hellman fails in practice. In I. Ray, N. Li, and C. Kruegel:,
editors, ACM CCS 15: 22nd Conference on Computer and Communications Security, pages 5–17. ACM
Press, Oct. 2015.

[2] D. Aharonov and O. Regev. Lattice problems in NP ∩ coNP. Journal of the ACM, 52(5):749–765, 2005.
Preliminary version in FOCS 2004.
[3] M. Ajtai. Generating hard instances of lattice problems (extended abstract). In 28th Annual ACM
Symposium on Theory of Computing, pages 99–108. ACM Press, May 1996.
[4] M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In 29th
Annual ACM Symposium on Theory of Computing, pages 284–293. ACM Press, May 1997.
[5] M. R. Albrecht. On dual lattice attacks against small-secret LWE and parameter choices in HElib and
SEAL. In J. Coron and J. B. Nielsen, editors, Advances in Cryptology – EUROCRYPT 2017, Part II,
volume 10211 of Lecture Notes in Computer Science, pages 103–129. Springer, Heidelberg, May 2017.
[6] M. R. Albrecht, C. Cid, J.-C. Faugère, and L. Perret. Algebraic algorithms for LWE. Cryptology ePrint
Archive, Report 2014/1018, 2014. http://eprint.iacr.org/2014/1018.
[7] M. R. Albrecht, J.-C. Faugère, R. Fitzpatrick, and L. Perret. Lazy modulus switching for the BKW
algorithm on LWE. In H. Krawczyk, editor, PKC 2014: 17th International Conference on Theory
and Practice of Public Key Cryptography, volume 8383 of Lecture Notes in Computer Science, pages
429–445. Springer, Heidelberg, Mar. 2014.

[8] M. R. Albrecht, R. Fitzpatrick, and F. Göpfert. On the efficacy of solving LWE by reduction to unique-
SVP. In H.-S. Lee and D.-G. Han, editors, ICISC 13: 16th International Conference on Information
Security and Cryptology, volume 8565 of Lecture Notes in Computer Science, pages 293–310. Springer,
Heidelberg, Nov. 2014.
[9] M. R. Albrecht, F. Göpfert, F. Virdia, and T. Wunderer. Revisiting the expected cost of solving uSVP
and applications to LWE. Cryptology ePrint Archive, Report 2017/815, 2017. http://eprint.iacr.
org/2017/815.
[10] M. R. Albrecht, R. Player, and S. Scott. On the concrete hardness of Learning with Errors. Journal of
Mathematical Cryptology, 9(3):169–203, Nov 2015.

[11] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. Post-quantum key exchange - a new hope. In
25th USENIX Security Symposium, pages 327–343, 2016.
[12] A. Andoni, T. Laarhoven, I. P. Razenshteyn, and E. Waingarten. Optimal hashing-based time-space
trade-offs for approximate near neighbors. In P. N. Klein, editor, 28th Annual ACM-SIAM Symposium
on Discrete Algorithms, pages 47–66. ACM-SIAM, Jan. 2017.

[13] B. Applebaum, D. Cash, C. Peikert, and A. Sahai. Fast cryptographic primitives and circular-
secure encryption based on hard learning problems. In S. Halevi, editor, Advances in Cryptology –
CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 595–618. Springer, Heidelberg,
Aug. 2009.
[14] S. Arora and R. Ge. New algorithms for learning in presence of errors. In L. Aceto, M. Henzinger,
and J. Sgall, editors, ICALP 2011: 38th International Colloquium on Automata, Languages and
Programming, Part I, volume 6755 of Lecture Notes in Computer Science, pages 403–415. Springer,
Heidelberg, July 2011.

39
[15] S. Bai, A. Langlois, T. Lepoint, D. Stehlé, and R. Steinfeld. Improved security proofs in lattice-based
cryptography: Using the Rényi divergence rather than the statistical distance. In T. Iwata and J. H.
Cheon, editors, Advances in Cryptology – ASIACRYPT 2015, Part I, volume 9452 of Lecture Notes in
Computer Science, pages 3–24. Springer, Heidelberg, Nov. / Dec. 2015.
[16] A. Becker, L. Ducas, N. Gama, and T. Laarhoven. New directions in nearest neighbor searching with
applications to lattice sieving. In R. Krauthgamer, editor, 27th Annual ACM-SIAM Symposium on
Discrete Algorithms, pages 10–24. ACM-SIAM, Jan. 2016.
[17] A. Becker, N. Gama, and A. Joux. Speeding-up lattice sieving without increasing the memory,
using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522, 2015.
http://eprint.iacr.org/2015/522.
[18] D. J. Bernstein, T. Chou, C. Chuengsatiansup, A. Hülsing, E. Lambooij, T. Lange, R. Niederhagen,
and C. van Vredendaal. How to manipulate curve standards: A white paper for the black hat. In
L. Chen and S. Matsuo, editors, Security Standardisation Research (SSR) 2015, volume 9497 of Lecture
Notes in Computer Science, pages 109–139. Springer, 2015.
[19] E. Biham and A. Shamir. Differential fault analysis of secret key cryptosystems. In B. S. Kaliski Jr.,
editor, Advances in Cryptology – CRYPTO’97, volume 1294 of Lecture Notes in Computer Science,
pages 513–525. Springer, Heidelberg, Aug. 1997.
[20] A. Blum, M. L. Furst, M. J. Kearns, and R. J. Lipton. Cryptographic primitives based on hard learning
problems. In D. R. Stinson, editor, Advances in Cryptology – CRYPTO’93, volume 773 of Lecture Notes
in Computer Science, pages 278–291. Springer, Heidelberg, Aug. 1994.
[21] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of checking cryptographic protocols for
faults (extended abstract). In W. Fumy, editor, Advances in Cryptology – EUROCRYPT’97, volume
1233 of Lecture Notes in Computer Science, pages 37–51. Springer, Heidelberg, May 1997.
[22] D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, V. Nikolaenko, G. Segev, V. Vaikuntanathan, and
D. Vinayagamurthy. Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled
circuits. In P. Q. Nguyen and E. Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, volume
8441 of Lecture Notes in Computer Science, pages 533–556. Springer, Heidelberg, May 2014.
[23] J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J. M. Schanck, P. Schwabe, and D. Stehlé.
CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report
2017/634, 2017. http://eprint.iacr.org/2017/634.
[24] J. W. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan, and
D. Stebila. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In E. R.
Weippl, S. Katzenbeisser, C. Kruegel, A. C. Myers, and S. Halevi, editors, ACM CCS 16: 23rd
Conference on Computer and Communications Security, pages 1006–1018. ACM Press, Oct. 2016.
[25] J. W. Bos, C. Costello, M. Naehrig, and D. Stebila. Post-quantum key exchange for the TLS protocol
from the ring learning with errors problem. In 2015 IEEE Symposium on Security and Privacy, pages
553–570. IEEE Computer Society Press, May 2015.
[26] J. W. Bos, M. Naehrig, and J. van de Pol. Sieving for shortest vectors in ideal lattices: a practical
perspective. International Journal of Applied Cryptography, 2016. to appear, http://eprint.iacr.
org/2014/880.
[27] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without
bootstrapping. ACM Transactions on Computer Theory, 6(3):13, 2014. Preliminary version in ITCS
2012.
[28] Z. Brakerski, A. Langlois, C. Peikert, O. Regev, and D. Stehlé. Classical hardness of learning with
errors. In D. Boneh, T. Roughgarden, and J. Feigenbaum, editors, 45th Annual ACM Symposium on
Theory of Computing, pages 575–584. ACM Press, June 2013.

40
[29] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE.
In R. Ostrovsky, editor, 52nd Annual Symposium on Foundations of Computer Science, pages 97–106.
IEEE Computer Society Press, Oct. 2011.
[30] J. Cai and A. Nerurkar. An improved worst-case to average-case connection for lattice problems. In
38th Annual Symposium on Foundations of Computer Science, pages 468–477. IEEE Computer Society
Press, Oct. 1997.
[31] P. Campbell, M. Groves, and D. Shepherd. Soliloquy: a cautionary tale. ETSI 2nd Quantum-Safe
Crypto Workshop, 2014. http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Systems_
and_Attacks/S07_Groves_Annex.pdf.
[32] D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert. Bonsai trees, or how to delegate a lattice basis. Journal
of Cryptology, 25(4):601–639, Oct. 2012.
[33] W. Castryck, I. Iliashenko, and F. Vercauteren. Provably weak instances of ring-LWE revisited. In
M. Fischlin and J.-S. Coron, editors, Advances in Cryptology – EUROCRYPT 2016, Part I, volume
9665 of Lecture Notes in Computer Science, pages 147–167. Springer, Heidelberg, May 2016.

[34] S. Chari, C. S. Jutla, J. R. Rao, and P. Rohatgi. Towards sound approaches to counteract power-analysis
attacks. In M. J. Wiener, editor, Advances in Cryptology – CRYPTO’99, volume 1666 of Lecture Notes
in Computer Science, pages 398–412. Springer, Heidelberg, Aug. 1999.
[35] S. Chari, J. R. Rao, and P. Rohatgi. Template attacks. In B. S. Kaliski Jr., Çetin Kaya. Koç, and
C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2002, volume 2523 of Lecture
Notes in Computer Science, pages 13–28. Springer, Heidelberg, Aug. 2003.
[36] S. Chatterjee, N. Koblitz, A. Menezes, and P. Sarkar. Another look at tightness II: Practical issues in
cryptography. In Paradigms in Cryptology – Mycrypt 2016, volume 10311 of Lecture Notes in Computer
Science, pages 21–25. Springer, Heidelberg, 2017.
[37] H. Chen, K. Lauter, and K. E. Stange. Attacks on search RLWE. Cryptology ePrint Archive, Report
2015/971, 2015. http://eprint.iacr.org/2015/971.
[38] H. Chen, K. Lauter, and K. E. Stange. Vulnerable Galois RLWE families and improved attacks.
Cryptology ePrint Archive, Report 2016/193, 2016. http://eprint.iacr.org/2016/193.
[39] Y. Chen. Lattice reduction and concrete security of fully homomorphic encryption. PhD thesis,
l’Université Paris Diderot, 2013. http://www.di.ens.fr/~ychen/research/these.pdf.

[40] Y. Chen and P. Q. Nguyen. BKZ 2.0: Better lattice security estimates. In D. H. Lee and X. Wang,
editors, Advances in Cryptology – ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer
Science, pages 1–20. Springer, Heidelberg, Dec. 2011.
[41] J.-S. Coron, Y. Dodis, C. Malinaud, and P. Puniya. Merkle-Damgård revisited: How to construct a
hash function. In V. Shoup, editor, Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture
Notes in Computer Science, pages 430–448. Springer, Heidelberg, Aug. 2005.
[42] R. Cramer, L. Ducas, C. Peikert, and O. Regev. Recovering short generators of principal ideals in
cyclotomic rings. In M. Fischlin and J.-S. Coron, editors, Advances in Cryptology – EUROCRYPT 2016,
Part II, volume 9666 of Lecture Notes in Computer Science, pages 559–585. Springer, Heidelberg, May
2016.

[43] R. Cramer, L. Ducas, and B. Wesolowski. Short Stickelberger class relations and application to ideal-
SVP. In J. Coron and J. B. Nielsen, editors, Advances in Cryptology – EUROCRYPT 2017, Part I,
volume 10210 of Lecture Notes in Computer Science, pages 324–348. Springer, Heidelberg, May 2017.
[44] R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against
adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167–226, 2003.

41
[45] D. Dadush, O. Regev, and N. Stephens-Davidowitz. On the closest vector problem with a distance
guarantee. In IEEE Conference on Computational Complexity, pages 98–109, 2014.
[46] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information
Theory, 22(6):644–654, 1976.

[47] J. Ding, X. Xie, and X. Lin. A simple provably secure key exchange scheme based on the learning with
errors problem. Cryptology ePrint Archive, Report 2012/688, 2012. http://eprint.iacr.org/2012/
688.
[48] N. Döttling and J. Müller-Quade. Lossy codes and a new variant of the learning-with-errors problem.
In T. Johansson and P. Q. Nguyen, editors, Advances in Cryptology – EUROCRYPT 2013, volume
7881 of Lecture Notes in Computer Science, pages 18–34. Springer, Heidelberg, May 2013.

[49] M. J. Dworkin. SHA-3 standard: Permutation-based hash and extendable-output functions. Federal
Information Processing Standards (FIPS) 202, National Institute of Standards and Technology, Aug.
2015.
[50] Y. Elias, K. E. Lauter, E. Ozman, and K. E. Stange. Provably weak instances of ring-LWE. In
R. Gennaro and M. J. B. Robshaw, editors, Advances in Cryptology – CRYPTO 2015, Part I, volume
9215 of Lecture Notes in Computer Science, pages 63–92. Springer, Heidelberg, Aug. 2015.
[51] E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes.
In M. J. Wiener, editor, Advances in Cryptology – CRYPTO’99, volume 1666 of Lecture Notes in
Computer Science, pages 537–554. Springer, Heidelberg, Aug. 1999.

[52] N. Gama and P. Q. Nguyen. Predicting lattice reduction. In N. P. Smart, editor, Advances in Cryptology
– EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 31–51. Springer,
Heidelberg, Apr. 2008.
[53] N. Gama, P. Q. Nguyen, and O. Regev. Lattice enumeration using extreme pruning. In H. Gilbert,
editor, Advances in Cryptology – EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer
Science, pages 257–278. Springer, Heidelberg, May 2010.
[54] K. Gandolfi, C. Mourtel, and F. Olivier. Electromagnetic analysis: Concrete results. In Çetin Kaya. Koç,
D. Naccache, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001,
volume 2162 of Lecture Notes in Computer Science, pages 251–261. Springer, Heidelberg, May 2001.
[55] C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic
constructions. In R. E. Ladner and C. Dwork, editors, 40th Annual ACM Symposium on Theory of
Computing, pages 197–206. ACM Press, May 2008.
[56] C. Gentry, A. Sahai, and B. Waters. Homomorphic encryption from learning with errors: Conceptually-
simpler, asymptotically-faster, attribute-based. In R. Canetti and J. A. Garay, editors, Advances in
Cryptology – CRYPTO 2013, Part I, volume 8042 of Lecture Notes in Computer Science, pages 75–92.
Springer, Heidelberg, Aug. 2013.
[57] O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. Cryptology
ePrint Archive, Report 1996/009, 1996. http://eprint.iacr.org/1996/009.
[58] S. Gorbunov, V. Vaikuntanathan, and H. Wee. Predicate encryption for circuits from LWE. In
R. Gennaro and M. J. B. Robshaw, editors, Advances in Cryptology – CRYPTO 2015, Part II, volume
9216 of Lecture Notes in Computer Science, pages 503–523. Springer, Heidelberg, Aug. 2015.
[59] N. Göttert, T. Feller, M. Schneider, J. Buchmann, and S. A. Huss. On the design of hardware
building blocks for modern lattice-based encryption schemes. In E. Prouff and P. Schaumont, editors,
Cryptographic Hardware and Embedded Systems – CHES 2012, volume 7428 of Lecture Notes in
Computer Science, pages 512–529. Springer, Heidelberg, Sept. 2012.

42
[60] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A ring-based public key cryptosystem. In ANTS,
pages 267–288, 1998.
[61] D. Hofheinz, K. Hövelmanns, and E. Kiltz. A modular analysis of the Fujisaki-Okamoto transformation.
In Y. Kalai and L. Reyzin, editors, TCC 2017: 15th Theory of Cryptography Conference, Part I, volume
10677 of Lecture Notes in Computer Science, pages 341–371. Springer, Heidelberg, Nov. 2017.

[62] T. Ishiguro, S. Kiyomoto, Y. Miyake, and T. Takagi. Parallel Gauss sieve algorithm: Solving the SVP
challenge over a 128-dimensional ideal lattice. In H. Krawczyk, editor, PKC 2014: 17th International
Conference on Theory and Practice of Public Key Cryptography, volume 8383 of Lecture Notes in
Computer Science, pages 411–428. Springer, Heidelberg, Mar. 2014.
[63] H. Jiang, Z. Zhang, L. Chen, H. Wang, and Z. Ma. Post-quantum IND-CCA-secure KEM without
additional hash. Cryptology ePrint Archive, Report 2017/1096, 2017. https://eprint.iacr.org/
2017/1096.
[64] J. Kelsey, S. Chang, and R. Perlner. SHA-3 derived functions: cSHAKE, KMAC, TupleHash
and ParallelHash, 2016. NIST Special Publication 800-185. http://nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-185.pdf.

[65] P. Kirchner and P.-A. Fouque. An improved BKW algorithm for LWE with applications to cryptography
and lattices. In R. Gennaro and M. J. B. Robshaw, editors, Advances in Cryptology – CRYPTO 2015,
Part I, volume 9215 of Lecture Notes in Computer Science, pages 43–62. Springer, Heidelberg, Aug.
2015.

[66] P. Kirchner and P.-A. Fouque. Revisiting lattice attacks on overstretched NTRU parameters. In
J. Coron and J. B. Nielsen, editors, Advances in Cryptology – EUROCRYPT 2017, Part I, volume
10210 of Lecture Notes in Computer Science, pages 3–26. Springer, Heidelberg, May 2017.
[67] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In
N. Koblitz, editor, Advances in Cryptology – CRYPTO’96, volume 1109 of Lecture Notes in Computer
Science, pages 104–113. Springer, Heidelberg, Aug. 1996.

[68] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In M. J. Wiener, editor, Advances in
Cryptology – CRYPTO’99, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer,
Heidelberg, Aug. 1999.
[69] T. Laarhoven. Search problems in cryptography. PhD thesis, Eindhoven University of Technology, 2015.

[70] T. Laarhoven. Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In
R. Gennaro and M. J. B. Robshaw, editors, Advances in Cryptology – CRYPTO 2015, Part I, volume
9215 of Lecture Notes in Computer Science, pages 3–22. Springer, Heidelberg, Aug. 2015.
[71] T. Laarhoven, M. Mosca, and J. van de Pol. Finding shortest lattice vectors faster using quantum
search. Designs, Codes and Cryptography, 77(2-3):375–400, 2015.

[72] A. Langlois and D. Stehlé. Worst-case to average-case reductions for module lattices. Designs, Codes
and Cryptography, 75(3):565–599, 2015.
[73] A. Langlois, D. Stehlé, and R. Steinfeld. GGHLite: More efficient multilinear maps from ideal lattices.
In P. Q. Nguyen and E. Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, volume 8441
of Lecture Notes in Computer Science, pages 239–256. Springer, Heidelberg, May 2014.

[74] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients.
Mathematische Annalen, 261(4):515–534, December 1982.
[75] R. Lindner and C. Peikert. Better key sizes (and attacks) for LWE-based encryption. In A. Kiayias,
editor, Topics in Cryptology – CT-RSA 2011, volume 6558 of Lecture Notes in Computer Science, pages
319–339. Springer, Heidelberg, Feb. 2011.

43
[76] M. Liu and P. Q. Nguyen. Solving BDD by enumeration: An update. In E. Dawson, editor, Topics
in Cryptology – CT-RSA 2013, volume 7779 of Lecture Notes in Computer Science, pages 293–309.
Springer, Heidelberg, Feb. / Mar. 2013.
[77] Y.-K. Liu, V. Lyubashevsky, and D. Micciancio. On bounded distance decoding for general lattices. In
APPROX-RANDOM, volume 4110 of Lecture Notes in Computer Science, pages 450–461. Springer,
Heidelberg, 2006.
[78] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings.
Journal of the ACM, 60(6):43:1–43:35, November 2013. Preliminary version in Eurocrypt 2010.
[79] A. Mariano, T. Laarhoven, and C. Bischof. A parallel variant of LDSieve for the SVP on lattices. In
25th Euromicro Int. Conf. on Parallel, Distributed and Network-based Processing (PDP), pages 23–30.
IEEE, 2017.
[80] U. M. Maurer, R. Renner, and C. Holenstein. Indifferentiability, impossibility results on reductions,
and applications to the random oracle methodology. In M. Naor, editor, TCC 2004: 1st Theory of
Cryptography Conference, volume 2951 of Lecture Notes in Computer Science, pages 21–39. Springer,
Heidelberg, Feb. 2004.

[81] D. Micciancio. Improved cryptographic hash functions with worst-case/average-case connection. In

34th Annual ACM Symposium on Theory of Computing, pages 609–618. ACM Press, May 2002.
[82] D. Micciancio. Cryptographic functions from worst-case complexity assumptions. Information Security
and Cryptography, pages 427–452. Springer, Heidelberg, 2010.

[83] D. Micciancio and C. Peikert. Hardness of SIS and LWE with small parameters. In R. Canetti and
J. A. Garay, editors, Advances in Cryptology – CRYPTO 2013, Part I, volume 8042 of Lecture Notes in
Computer Science, pages 21–39. Springer, Heidelberg, Aug. 2013.
[84] D. Micciancio and O. Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM
J. Comput., 37(1):267–302, 2007. Preliminary version in FOCS 2004.

[85] D. Micciancio and O. Regev. Lattice-based cryptography. In Post Quantum Cryptography, pages
147–191. Springer, February 2009.
[86] P. Q. Nguyen and O. Regev. Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures.
Journal of Cryptology, 22(2):139–160, Apr. 2009.

[87] T. Oder, T. Schneider, T. Pöppelmann, and T. Güneysu. Practical CCA2-secure and masked ring-LWE
implementation. Cryptology ePrint Archive, Report 2016/1109, 2016. http://eprint.iacr.org/
2016/1109.
[88] C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract.
In M. Mitzenmacher, editor, 41st Annual ACM Symposium on Theory of Computing, pages 333–342.
ACM Press, May / June 2009.
[89] C. Peikert. Some recent progress in lattice-based cryptography. In O. Reingold, editor, TCC 2009:
6th Theory of Cryptography Conference, volume 5444 of Lecture Notes in Computer Science, page 72.
Springer, Heidelberg, Mar. 2009. Invited talk. Slides available at http://web.eecs.umich.edu/
~cpeikert/pubs/slides-tcc09.pdf.
[90] C. Peikert. An efficient and parallel Gaussian sampler for lattices. In T. Rabin, editor, Advances in
Cryptology – CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science, pages 80–97. Springer,
Heidelberg, Aug. 2010.
[91] C. Peikert. Lattice cryptography for the Internet. In M. Mosca, editor, PQCrypto 2014, volume 8772 of
Lecture Notes in Computer Science, pages 197–219. Springer, Heidelberg, 2014.

44
 [92] C. Peikert. A decade of lattice cryptography. Foundations and Trends in Theoretical Computer Science,
10(4):283–424, 2016.
[93] C. Peikert. How (not) to instantiate ring-LWE. In V. Zikas and R. De Prisco, editors, SCN 16: 10th
International Conference on Security in Communication Networks, volume 9841 of Lecture Notes in
Computer Science, pages 411–430. Springer, Heidelberg, Aug. / Sept. 2016.

[94] C. Peikert, O. Regev, and N. Stephens-Davidowitz. Pseudorandomness of ring-LWE for any ring and
modulus. In H. Hatami, P. McKenzie, and V. King, editors, 49th Annual ACM Symposium on Theory
of Computing, pages 461–473. ACM Press, June 2017.
[95] C. Peikert, V. Vaikuntanathan, and B. Waters. A framework for efficient and composable oblivious
transfer. In D. Wagner, editor, Advances in Cryptology – CRYPTO 2008, volume 5157 of Lecture Notes
in Computer Science, pages 554–571. Springer, Heidelberg, Aug. 2008.
[96] C. Peikert and B. Waters. Lossy trapdoor functions and their applications. In R. E. Ladner and
C. Dwork, editors, 40th Annual ACM Symposium on Theory of Computing, pages 187–196. ACM Press,
May 2008.

[97] T. Pöppelmann and T. Güneysu. Towards efficient arithmetic for lattice-based cryptography on recon-
figurable hardware. In A. Hevia and G. Neven, editors, Progress in Cryptology - LATINCRYPT 2012:
2nd International Conference on Cryptology and Information Security in Latin America, volume 7533
of Lecture Notes in Computer Science, pages 139–158. Springer, Heidelberg, Oct. 2012.
[98] T. Pöppelmann and T. Güneysu. Towards practical lattice-based public-key encryption on reconfigurable
hardware. In T. Lange, K. Lauter, and P. Lisonek, editors, SAC 2013: 20th Annual International
Workshop on Selected Areas in Cryptography, volume 8282 of Lecture Notes in Computer Science, pages
68–85. Springer, Heidelberg, Aug. 2014.
[99] R. Primas, P. Pessl, and S. Mangard. Single-trace side-channel attacks on masked lattice-based
encryption. In W. Fischer and N. Homma, editors, Cryptographic Hardware and Embedded Systems –
CHES 2017, volume 10529 of Lecture Notes in Computer Science, pages 513–533. Springer, Heidelberg,
Sept. 2017.
[100] S. M. Qasim, A. A. Telba, and A. Y. AlMazroo. FPGA design and implementation of matrix multiplier
architectures for image and signal processing applications. International Journal of Computer Science
and Network Security, 10(2):168–176, 2010.

[101] O. Regev. New lattice-based cryptographic constructions. J. ACM, 51(6):899–942, 2004. Preliminary
version in STOC 2003.
[102] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the
ACM, 56(6):34, 2009. Preliminary version in STOC 2005.
[103] O. Regev. The learning with errors problem (invited survey). In IEEE Conference on Computational
Complexity, pages 191–204, 2010.
[104] O. Reparaz, R. de Clercq, S. Sinha Roy, F. Vercauteren, and I. Verbauwhede. Additively homomorphic
ring-LWE masking. In T. Takagi, editor, PQCrypto 2016, volume 9606 of Lecture Notes in Computer
Science, pages 233–244. Springer, Heidelberg, 2016.
[105] O. Reparaz, S. Sinha Roy, R. de Clercq, F. Vercauteren, and I. Verbauwhede. Masking ring-LWE.
Journal of Cryptographic Engineering, 6(2):139–153, 2016.
[106] S. S. Roy, F. Vercauteren, N. Mentens, D. D. Chen, and I. Verbauwhede. Compact ring-LWE
cryptoprocessor. In L. Batina and M. Robshaw, editors, Cryptographic Hardware and Embedded Systems
– CHES 2014, volume 8731 of Lecture Notes in Computer Science, pages 371–391. Springer, Heidelberg,
Sept. 2014.

45
[107] M. Schneider. Sieving for shortest vectors in ideal lattices. In A. Youssef, A. Nitaj, and A. E. Hassanien,
editors, AFRICACRYPT 13: 6th International Conference on Cryptology in Africa, volume 7918 of
Lecture Notes in Computer Science, pages 375–391. Springer, Heidelberg, June 2013.
[108] C.-P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer
Science, 53:201–224, 1987.

[109] A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In
D. Chaum, R. L. Rivest, and A. T. Sherman, editors, Advances in Cryptology – CRYPTO’82, pages
279–288. Plenum Press, New York, USA, 1982.
[110] D. Stehlé and R. Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. In
K. G. Paterson, editor, Advances in Cryptology – EUROCRYPT 2011, volume 6632 of Lecture Notes in
Computer Science, pages 27–47. Springer, Heidelberg, May 2011.
[111] E. E. Targhi and D. Unruh. Post-quantum security of the Fujisaki-Okamoto and OAEP transforms.
In M. Hirt and A. D. Smith, editors, TCC 2016-B: 14th Theory of Cryptography Conference, Part II,
volume 9986 of Lecture Notes in Computer Science, pages 192–216. Springer, Heidelberg, Oct. / Nov.
2016.

46