in python3/frodokem.py [0:0]
def genSHAKE128(self, seedA):
"""Generate matrix A using SHAKE-128 (FrodoKEM specification, Algorithm 8)"""
A = [[None for j in range(self.n)] for i in range(self.n)]
# 1. for i = 0; i < n; i += 1
for i in range(self.n):
# 2. b = i || seedA in {0,1}^{16 + len_seedA}, where i is encoded as a 16-bit integer in little-endian byte order
tmp = bytearray(2)
struct.pack_into('<H', tmp, 0, i)
b = tmp + seedA
# 3. c_{i,0} || c_{i,1} || ... || c_{i,n-1} = SHAKE128(b, 16n) (length in bits) where each c_{i,j} is parsed as a 16-bit integer in little-endian byte order format
tmp = FrodoKEM.__shake128(b, int(16 * self.n / 8))
c_i = [struct.unpack_from('<H', tmp, 2 * j)[0] for j in range(self.n)]
# 4. for j = 0; j < n; j +=1
for j in range(self.n):
# 5. A[i][j] = c[i][j] mod q
A[i][j] = c_i[j] % self.q
return A