Documentation says "FrodoKEM-640-AES: matching the post-quantum security of AES128".
Does the algorithm describe a measure of security level?
If I were to make changes to the code, is there a metric that I can verify against in order to state my algorithm to be secure?
Or is passing against the Known Answer Tests the only check?

I am attempting to use this library in a cross platform (between GNU+Linux and Windows [not really worried about Mac]) cryptographic tool I am making (Using Mingw64 for the Windows portion)

Compilation completes successfully under Mingw64, however when the tests (.\test_KEM.exe) are run, it just sits maxing out a single CPU core for a very long time. (>10 minutes and still not complete)

To attempt to remedy this, I have tried various permutations of the build options, and see no change.

I have run this on a GNU+Linux machine (with opt_level set to reference) that has a Core 2 Duo and it takes roughly 30 seconds to complete the tests. Therefore it probably shouldn't take longer running on an i7-4770.

Any ideas for where this issue may be stemming from?
Thanks

In words, the encode function interprets every B-bit substring (starting from the most significant bits) as a B-bit value (integers). These B-bit integers are encoded using ec() and are filled into a matrix row by row entry wise.

for example, if my bit string is
0b00110110 ...

the B-bit substrings are (B=2)
0b00 0b11 0b01 0b10 ...

intuitively this translates to integers 0, 3, 1, 2
but (algorithm 1) assumes little endian bit order for the substrings and translates to integers 0, 3, 2, 1

Am I right about the endianness of the substring?
Was there a specific reason the algorithm was designed this way? Is it because the parent bit string is assumed to be in little endian format too?

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

When clang's undefined behavior sanitizer is run on the FAST_GENERIC implementation, it identifies some signed integer overflows.

To reproduce, run the following on a Linux platform with clang-11 and valgrind installed, or enable the undefined behavior sanitizer in the GitHub Actions c.yml workflow in #22.

make CC=clang-11 OPT_LEVEL=FAST_GENERIC EXTRA_CFLAGS="-g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fsanitize=undefined"
frodo640/test_KEM

Relevant parts of the output:

src/frodo_macrify.c:178:34: runtime error: signed integer overflow: 65535 * 33392 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/frodo_macrify.c:178:34 in 
src/frodo_macrify.c:179:34: runtime error: signed integer overflow: 65535 * 39246 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/frodo_macrify.c:179:34 in 
src/frodo_macrify.c:180:34: runtime error: signed integer overflow: 65535 * 58836 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/frodo_macrify.c:180:34 in 
src/frodo_macrify.c:181:34: runtime error: signed integer overflow: 65534 * 54684 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/frodo_macrify.c:181:34 in 

Hi,
I did not understand the purpose of PARAMS_NBAR in the reference code, and why should it be a multiple of 8.
Also, Regev'05 did not use PARAMS_NBAR parameter in their LWE proposal.

Can you help me understand it?

Hi,

When I used the python implementation to run an experiment, I found an error in decode method when E''' = 2^(D-B-1). It should make a decryption failure, but that didn't happen! Like this,

round(51200*16/65536)=12 #51200*16/65536=12.5

I found that the reason is round() returns a mistake answer sometimes because the peoperty of float number .
So, why not replace
round(a)
with
math.floor(a+0.5)

If we conjecture that frodokem's secure key encapsulation protocol is actually secure against quantum computer attacks, the reliance upon /dev/random is still in question, is it not? Perhaps this project could also examine the implementation of quantum effects as a source of randomness, including radioactive decay, rather than relying solely upon the Linux kernel for entropy generation. How to package this in a trustless way (not relying on a 3rd party source for the quantum effects) with every personal computer is another question entirely :)

Example of this would be: https://www.fourmilab.ch/hotbits/

The __ctverify does not run in constant time as Python ignores the second argument to and if the first is False.

Easily verified with

def __ctverify(a,b):
    r = True
    for i in range(len(a)):
        r = r and (a[i] == b[i])
    return r

a = [0]*1000000
b = list(a)
b[0] = 1

import time

start = time.time()
__ctverify(a,b)
print (time.time() - start)

start = time.time()
__ctverify(a,a)
print (time.time() - start)

It seems like you are indexing s as if it is in column major order. Is this really correct?

For example during key generation:

randombytes() can fail on Windows, which will go unnoticed and will lead to an insecure (possibly completely deterministic) key!

Additionally: the code in randombytes.c is not very well written for other reasons. On Linux, the code will simply deadlock if \dev\urandom is not available. And if you ever compile without either WINDOWS or NIX, then it defaults to returning passed instead of failed. But that last point doesn't actually matter, since the return value is not checked anyway...

The PQCrypto-LWEKE library has been tested on s390x architecture with a configuration very similar to PPC. On initial exploration, it looks like the PPC configurations can work efficiently on s390x. The goal is to try out the Power PC configuration on s390x, build and test and make the changes needed to enable it.