#quantum #post #post-quantum #kem

frodo-kem-rs

A pure rust implementation of FrodoKEM and eFrodoKEM

6 releases (3 breaking)

0.4.1 Nov 21, 2024
0.4.0 Nov 8, 2024
0.3.1 Nov 8, 2024
0.2.0 Oct 30, 2024
0.1.0 Oct 29, 2024

#895 in Cryptography

Download history 60/week @ 2024-10-23 195/week @ 2024-10-30 317/week @ 2024-11-06 13/week @ 2024-11-13 158/week @ 2024-11-20 6/week @ 2024-11-27

495 downloads per month

Apache-2.0 OR MIT

160KB
3K SLoC

FrodoKem

Crate Docs Apache2/MIT licensed Downloads build MSRV

A pure rust implementation of

It's submission was included in NIST's PQ Round 3 competition, and is now being standardized at ISO.

⚠️ Security Warning

This crate has been tested against the test vectors provided by the FrodoKEM team and been rigorously tested for correctness, performance, and security. It has also been tested against opensafequatum's liboqs library to compatibility and correctness.

The implementation contained in this crate has never been independently audited!

USE AT YOUR OWN RISK!

Minimum Supported Rust Version

This crate requires Rust 1.82 at a minimum.

We may change the MSRV in the future, but it will be accompanied by a minor version bump.

Details

This crate provides the following FrodoKEM algorithms:

  • FrodoKEM-640-AES ✅
  • FrodoKEM-976-AES ✅
  • FrodoKEM-1344-AES ✅
  • FrodoKEM-640-SHAKE ✅
  • FrodoKEM-976-SHAKE ✅
  • FrodoKEM-1344-SHAKE ✅
  • eFrodoKEM-640-AES ✅
  • eFrodoKEM-976-AES ✅
  • eFrodoKEM-1344-AES ✅
  • eFrodoKEM-640-SHAKE ✅
  • eFrodoKEM-976-SHAKE ✅
  • eFrodoKEM-1344-SHAKE ✅

eFrodoKEM is a variant of FrodoKEM that is meant to be used one-time only. Using more than once is considered a security risk.

When in doubt use the FrodoKEM algorithm variants.

Expanding matrix A

NOTE on AES

To speed up AES, there are a few options available:

  • RUSTFLAGS="--cfg aes_armv8" cargo build --release ensures that the ARMv8 AES instructions are used if available.
  • frodo-kem-rs = { version = "0.3", features = ["openssl"] } uses the openssl crate for AES.

By default, the aes feature auto-detects the best AES implementation for your platform for x86 and x86_64, but not on ARMv8 where it defaults to the software implementation as of this writing. To enable the ARMv8 AES instructions, the aes_armv8 feature is enabled in the .cargo/config file in this crate.

Enabling openssl and aesni provides the fastest Aes algorithms.

openssl tends to be faster than the aes rust crate implementation by about 10-15% on Armv8.

NOTE on SHAKE

Shake auto detects the best implementation for your platform or like AES you can enable openssl for it also.

On Armv8, the rust shake implementation is faster than the openssl implementation by about 22-25%.

Serialization

This crate has been tested against the following serde compatible formats:

  • serde_bare
  • bincode
  • postcard
  • serde_cbor
  • serde_json
  • serde_yaml
  • toml

License

Licensed under

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Dependencies

~0.6–1.8MB
~33K SLoC