FIPS 203 — ML-KEM (Key Encapsulation)
What It Is in One Sentence
ML-KEM lets two strangers create a shared secret key over an insecure channel — even if a quantum computer is listening.
The Problem
Every time your browser connects to a bank, it uses a key exchange (usually ECDH or RSA) to agree on a secret. Shor's algorithm breaks both. ML-KEM is the replacement.
How It Works (Three Steps)
```
Alice                         Bob
|                             |
|-- KeyGen() --> pk, sk       |
|                             |
|---- public key pk --------->|
|                             |
|             Encapsulate(pk) |
|                  --> ct, ss |
|<---- ciphertext ct ---------|
|                             |
Decapsulate(sk, ct)           |
--> ss                        |
|                             |
[Both now have the same ss]   |
```
| Step | What happens | Who does it |
|---|---|---|
| KeyGen | Creates a key pair | Receiver (Bob) |
| Encapsulate | Creates ciphertext + shared secret | Sender (Alice) |
| Decapsulate | Recovers the same shared secret | Receiver (Bob) |
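
The three steps above, written out as an added example with Go's standard-library `crypto/mlkem` package (Go 1.24 and later); this is not code from the original page, and the `Exchange` type and `RunExchange` function are names chosen for the illustration. It uses ML-KEM-768 and goes one step beyond the table by also decapsulating a ciphertext with one bit flipped, which returns a different secret rather than an error.

```go
package main

import (
	"bytes"
	"crypto/mlkem" // Go standard library, 1.24 and later
	"fmt"
)

// Exchange records what each side holds after one ML-KEM-768 run.
type Exchange struct {
	PublicKey, Ciphertext, SenderSecret, ReceiverSecret, TamperedSecret []byte
}

// RunExchange runs KeyGen, Encapsulate, Decapsulate, then a tampered Decapsulate.
func RunExchange() (*Exchange, error) {
	// KeyGen (receiver): the decapsulation key never leaves the receiver.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	pk := dk.EncapsulationKey().Bytes() // sent over the insecure channel
	// Encapsulate (sender): parsing the received bytes also validates them.
	ek, err := mlkem.NewEncapsulationKey768(pk)
	if err != nil {
		return nil, err
	}
	ssSender, ct := ek.Encapsulate()
	// Decapsulate (receiver): recovers the same shared secret.
	ssReceiver, err := dk.Decapsulate(ct)
	if err != nil {
		return nil, err
	}
	// Tampered ciphertext, correct length: no error, but an unrelated secret (implicit rejection).
	bad := bytes.Clone(ct)
	bad[0] ^= 0x01
	ssBad, err := dk.Decapsulate(bad)
	if err != nil {
		return nil, err
	}
	return &Exchange{pk, ct, ssSender, ssReceiver, ssBad}, nil
}

func main() {
	x, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println(len(x.PublicKey), len(x.Ciphertext), bytes.Equal(x.SenderSecret, x.ReceiverSecret))
}
```

Because a modified ciphertext shows up only as mismatched secrets, the two sides find out when the first authenticated message under the derived key fails to verify.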
The Math in Plain English
ML-KEM is built on lattices — grids of points in high-dimensional space. The security comes from a problem called Learning With Errors (LWE):
Imagine a maze of 1,000,000 dimensions. You're given a bunch of clues, but each clue has random noise. Finding your way out is nearly impossible — even for a quantum computer.
Module-LWE makes this practical by reusing the same structure across many equations (like using the same blueprint for many houses).
Why It's Secure
| Attack type | Can it break ML-KEM? | Why not? |
|---|---|---|
| Classical computer | No | LWE is NP-hard in the worst case |
| Quantum computer (Shor's) | No | Shor's algorithm only works on periodic structures (factorisation, discrete log) |
| Quantum computer (Grover's) | Only halves security | You'd need 2^128 operations for Level 5 — practically impossible |
Quick Reference
| | ML-KEM-512 | ML-KEM-768 | ML-KEM-1024 |
|---|---|---|---|
| Security | ~AES-128 | ~AES-192 | ~AES-256 |
| Public key | 800 B | 1,184 B | 1,568 B |
| Ciphertext | 768 B | 1,088 B | 1,568 B |
| Shared secret | 32 B | 32 B | 32 B |
| Default? | | Yes | High-assurance |
Articles in This Section
- 01 — Why We Need It — The quantum threat to key exchange
- 02 — Lattices Made Simple — What lattices are and why they're hard
- 03 — Learning With Errors — The LWE problem explained
- 04 — The ML-KEM Protocol — KeyGen, Encapsulate, Decapsulate step by step
- 05 — Parameter Sets — Security levels demystified
- 06 — Hybrid Mode — Running alongside classical crypto
- 07 — Performance — Concrete speed and size numbers
- 08 — Deployment Checklist — Practical adoption steps