We consider FrodoKEM, a lattice-based cryptosystem based on LWE, and propose a new error correction mechanism to improve its performance. Our encoder maps the secret key block-wise into the Gosset lattice $E_8$. We propose two sets of parameters for our modified implementation. Thanks to the improved error correction, the first implementation outperforms FrodoKEM in terms of concrete security by $10$ to $13$ bits by increasing the error variance; the second reduces the bandwidth by $7\%$ by halving the modulus $q$. In both cases, the decryption failure probability is lower than in the original FrodoKEM. Unlike some previous works on error correction for lattice-based protocols, we provide a rigorous error probability bound by decomposing the error matrix into blocks with independent error coefficients.
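The abstract describes encoding key blocks into $E_8$ and relying on its error correction, but gives neither the block mapping nor the decoder. The following added example (not the paper's code, and not FrodoKEM's) shows the standard ingredients: the Conway-Sloane generator basis for $E_8$, a nearest-point decoder that handles $E_8 = D_8 \cup (D_8 + \tfrac{1}{2}\mathbf{1})$ by decoding in both cosets, and a Monte-Carlo estimate of the block decoding-failure rate under Gaussian noise. The mapping of an 8-tuple of integers to the point $mG$, the unscaled lattice (no modulus $q$) and the noise model are all assumptions made for illustration; the guarantee that any error of Euclidean norm below the packing radius $\sqrt{2}/2$ is corrected is the exact property that makes $E_8$ attractive here.

```python
import math
import random

# Generator matrix of the Gosset lattice E8 (standard Conway-Sloane basis).
# Row 0 is 2*e0, rows 1..6 are the D8 difference vectors e_i - e_{i-1}, and
# row 7 is the glue vector h = (1/2, ..., 1/2).
E8_GENERATOR = [
    [2, 0, 0, 0, 0, 0, 0, 0],
    [-1, 1, 0, 0, 0, 0, 0, 0],
    [0, -1, 1, 0, 0, 0, 0, 0],
    [0, 0, -1, 1, 0, 0, 0, 0],
    [0, 0, 0, -1, 1, 0, 0, 0],
    [0, 0, 0, 0, -1, 1, 0, 0],
    [0, 0, 0, 0, 0, -1, 1, 0],
    [0.5] * 8,
]

PACKING_RADIUS = math.sqrt(2) / 2  # half the minimal distance sqrt(2) of E8


def encode(m):
    """Map an 8-tuple of integers (one block of key material; this mapping is
    an assumption for the example, not the paper's encoder) to the point m*G."""
    return [sum(m[i] * E8_GENERATOR[i][j] for i in range(8)) for j in range(8)]


def message_of(v):
    """Invert encode() by back-substitution: v7 = m7/2, v6 = m6 + m7/2,
    v_i = m_i - m_{i+1} + m7/2 for 1 <= i <= 5, v0 = 2*m0 - m1 + m7/2."""
    m = [0] * 8
    m[7] = int(round(2 * v[7]))
    m[6] = int(round(v[6] - v[7]))
    for i in range(5, 0, -1):
        m[i] = int(round(v[i] + m[i + 1] - v[7]))
    m[0] = int(round((v[0] + m[1] - v[7]) / 2))
    return m


def _round(x):
    # Round half up so the rounding error x - r always lies in [-1/2, 1/2).
    return math.floor(x + 0.5)


def closest_d8(x):
    """Nearest point of D8 = {z in Z^8 : sum(z) even} (Conway-Sloane)."""
    r = [_round(xi) for xi in x]
    if sum(r) % 2:
        # Wrong parity: re-round the coordinate with the largest rounding
        # error in the other direction; this costs the least extra distance.
        i = max(range(8), key=lambda k: abs(x[k] - r[k]))
        r[i] += 1 if x[i] > r[i] else -1
    return r


def closest_e8(x):
    """Nearest point of E8 = D8 union (D8 + h): decode in both cosets, keep the closer."""
    a = [float(c) for c in closest_d8(x)]
    b = [c + 0.5 for c in closest_d8([xi - 0.5 for xi in x])]
    da = sum((xi - ai) ** 2 for xi, ai in zip(x, a))
    db = sum((xi - bi) ** 2 for xi, bi in zip(x, b))
    return a if da <= db else b


def is_e8_point(v):
    """Membership test: all-integer or all-half-odd coordinates with even sum."""
    fractional = {vi - math.floor(vi) for vi in v}
    return fractional in ({0.0}, {0.5}) and sum(v) % 2 == 0


def decode_block(y):
    """Recover the message block from y = encode(m) + e. Exact whenever
    the Euclidean norm of e is below PACKING_RADIUS, whatever its direction."""
    return message_of(closest_e8(y))


def failure_rate(sigma, trials=2000, seed=1):
    """Monte-Carlo estimate of the block decoding-failure probability under
    i.i.d. Gaussian noise of standard deviation sigma (constructed experiment,
    not the paper's error distribution or its rigorous bound)."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        m = [rng.randint(-3, 3) for _ in range(8)]
        y = [vi + rng.gauss(0, sigma) for vi in encode(m)]
        failures += decode_block(y) != m
    return failures / trials


if __name__ == "__main__":
    for sigma in (0.15, 0.25, 0.35):
        print(f"sigma={sigma:.2f}  block failure rate ~ {failure_rate(sigma):.4f}")
```

Decoding per coset is what gives $E_8$ its edge over plain coordinate-wise rounding: the point $(0.6, 0, \dots, 0)$ rounds coordinate-wise to $e_1$, which is not in $E_8$, while the lattice decoder returns the origin because the error norm $0.6$ is inside the packing radius. In a real scheme the lattice is scaled against the modulus $q$ and the noise comes from the LWE error distribution, so the failure curve printed above is only illustrative of the shape of the argument, not of the paper's numbers.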