2022.10.31 21:49:20 (1587184970258255872) from Daniel J. Bernstein:
FrodoKEM documentation claims that "the FrodoKEM parameter sets comfortably match their target security levels with a large margin". Warning: That's not true. Send 2^40 ciphertexts to a frodokem640 public key; one of them will be decrypted by a large-scale attack feasible today.
2022.10.31 21:54:38 (1587186307553316865) from Daniel J. Bernstein:
This attack does _not_ rely on a subsequent protocol exposing AES-128 ciphertexts for a common plaintext, a typical way that AES-128 keys are exposed to multi-target attacks. The attack is directly against the FrodoKEM ciphertexts. Randomizing AES modes doesn't help at all here.
2022.10.31 22:09:58 (1587190165272788993) from Daniel J. Bernstein:
NIST discarded FrodoKEM for performance reasons, but praised its security at length. Various other organizations are continuing to consider FrodoKEM because of its reputation as the most conservative lattice system. So it's worrisome to see FrodoKEM making false security claims.