ML-KEM (FIPS 203): CRYSTALS-Kyber Standardized
Deep-dive into ML-KEM's key encapsulation mechanism, parameter sets, and implementation considerations.
What ML-KEM Standardizes
ML-KEM (Module-Lattice-based Key Encapsulation Mechanism), standardized as FIPS 203 in August 2024, is the post-quantum replacement for Diffie-Hellman and RSA key exchange. It encapsulates a symmetric key under a public key, producing a shared secret that both parties can use for symmetric encryption. ML-KEM is derived from CRYSTALS-Kyber with minor modifications for cleaner specification.
ML-KEM Parameter Sets
ML-KEM defines three parameter sets. ML-KEM-512 targets approximately 128-bit classical and 100-bit post-quantum security with a public key of 800 bytes and ciphertext of 768 bytes. ML-KEM-768 targets 192-bit classical security (public key 1184 bytes, ciphertext 1088 bytes). ML-KEM-1024 targets 256-bit classical security (public key 1568 bytes, ciphertext 1568 bytes). NIST recommends ML-KEM-768 for most applications.
All lessons in this course
- The NIST PQC Competition: Process and Criteria
- ML-KEM (FIPS 203): CRYSTALS-Kyber Standardized
- ML-DSA (FIPS 204) and SLH-DSA (FIPS 205)
- Planning Your Migration to Post-Quantum Standards