QNSP
Start building free
Why QNSP
The Quantum ImperativeWhy QNSPPQC Migration GuideCompetitive AnalysisVet PQC Vendors
Platform
Platform ArchitectureCapabilitiesUse Cases by IndustryKnowledge BaseBlogResearch
Trust
Trust HubCompliance MappingNIST ACVP ConformancePerformance BenchmarksEntropy ChainAlgorithm CatalogSystem Status
Developers
Developer HubUse CasesAI Assistants (MCP)
PricingContactStart building free

Key Encapsulation

FrodoKEM

Frodo Key Encapsulation Mechanism

non-FIPSlattice-based3 parameter setsQNSP tier: maximum+provider: liboqsalso called: Frodo
Plain Learning With Errors (LWE) KEM — same lattice family as ML-KEM but without the additional ring or module structure. Larger keys and ciphertexts but built on the most conservative lattice assumption.

Mechanism

How it works

FrodoKEM operates on plain LWE (no ring / module structure), avoiding any potential structural cryptanalysis advances against ring-LWE / module-LWE. The trade-off is significantly larger parameters. Two hash function variants (AES, SHAKE) × three security categories.

Parameter Sets

3 variants shipped

Each variant trades security category against key, ciphertext, or signature size. QNSP exposes all variants via the @cuilabs/liboqs-native binding; tenant crypto-policy determines which are allowed.

VariantNIST LevelPublic KeySecret KeyCiphertextNote
FrodoKEM-640-AES / SHAKEL19,616 B19,888 B9,720 B
FrodoKEM-976-AES / SHAKEL315,632 B31,296 B15,744 B
FrodoKEM-1344-AES / SHAKEL521,520 B43,088 B21,632 B

NIST ACVP

Conformance evidence

QNSP runs the official NIST ACVP test vectors against every shipped algorithm. Live evidence + SHA-3-256 tamper digest at /verify/conformance.

@noble/post-quantum
non-addressable
Pure-JavaScript reference; cross-verification secondary on Maximum + Government tiers.
@cuilabs/liboqs-native
non-addressable
Native-C primary production engine. Runs across every QNSP backend service.
View live ACVP evidence →

Use Cases

When to use it

  • Customers requiring plain-LWE assumption (no module structure)
  • Conservative lattice-based fallback under defence-in-depth policies

Trade-offs

What you give up, what you get

  • ~10x larger keys and ciphertexts than ML-KEM at equivalent security levels
  • Most conservative lattice assumption available

FAQ

FrodoKEM — frequently asked questions

Concise, source-of-truth answers to the questions buyers and engineers ask most about this algorithm.

What is FrodoKEM?

FrodoKEM (Frodo Key Encapsulation Mechanism) is a lattice based post-quantum key encapsulation mechanism. It is designed to resist attacks from both classical and quantum computers, and QNSP ships 3 of its parameter sets. It is also known as Frodo.

Is FrodoKEM NIST-standardized?

FrodoKEM is not a finalized NIST FIPS standard. QNSP ships it as a non-FIPS post-quantum option, typically to add an independent cryptographic assumption (lattice based) alongside the FIPS-standardized ML-KEM and ML-DSA for defence-in-depth.

What is FrodoKEM used for?

On QNSP, FrodoKEM is used for Customers requiring plain-LWE assumption (no module structure); Conservative lattice-based fallback under defence-in-depth policies. It is available from the maximum crypto-policy tier upward via the liboqs provider.

References

Primary sources