05 — Parameter Sets
Three Levels, Three Use Cases
ML-KEM comes in three flavours. The number (512, 768, 1024) refers to the ring dimension — the degree of the polynomials used. Higher numbers = more dimensions = harder to break = larger keys and ciphertexts.
| ML-KEM-512 | ML-KEM-768 | ML-KEM-1024 | |
|---|---|---|---|
| NIST Security Level | Level 1 | Level 3 | Level 5 |
| Classical equivalent | AES-128 | AES-192 | AES-256 |
| Ring dimension (n) | 256 | 256 | 256 |
| Module rank (k) | 2 | 3 | 4 |
| Modulus (q) | 3329 | 3329 | 3329 |
| Public key | 800 B | 1,184 B | 1,568 B |
| Ciphertext | 768 B | 1,088 B | 1,568 B |
| Shared secret | 32 B | 32 B | 32 B |
What "Security Level" Means
NIST defines security levels by comparing to AES (symmetric encryption):
| Level | Meaning | Example attack cost |
|---|---|---|
| 1 | At least as hard as breaking AES-128 | ~2128 classical ops, ~264 quantum ops (Grover) |
| 3 | At least as hard as breaking AES-192 | ~2192 classical ops, ~296 quantum ops |
| 5 | At least as hard as breaking AES-256 | ~2256 classical ops, ~2128 quantum ops |
Important: These are minimum guarantees. The actual security margin may be higher.
How the Parameters Affect Security
Module Rank (k)
The rank k determines the size of the matrix A and vectors s, e:
- k=2 (ML-KEM-512): A is a 2×2 matrix of polynomials
- k=3 (ML-KEM-768): A is a 3×3 matrix
- k=4 (ML-KEM-1024): A is a 4×4 matrix
Higher k means:
- More LWE equations to solve
- Larger LWE secret to find
- Exponentially harder (in theory)
Error Distribution (η)
The "small" errors are sampled from a centred binomial distribution:
- For ML-KEM: coefficients in {-2, -1, 0, 1, 2} (mostly)
- The exact distribution is fixed across all parameter sets
The security depends on the ratio of error size to modulus. Since q=3329 is fixed, larger k provides more "noise equations" without increasing error size.
How to Choose
Default: ML-KEM-768
Use this unless you have a specific reason not to.
Why:
- Security Level 3 (≈ AES-192) — strong margin against both classical and quantum attacks
- Key and ciphertext sizes (~1 KB) are acceptable for all modern protocols
- NIST recommends Level 3 as the minimum for general use
Use ML-KEM-512 When
- Extremely constrained bandwidth (IoT, satellite, SMS)
- Short-term secrets (session keys refreshed frequently)
- Performance-critical inner loops where every microsecond matters
Caution: Level 1 provides ~128-bit classical security but only ~64-bit security against Grover's algorithm. For long-term secrets, this may be insufficient.
Use ML-KEM-1024 When
- High-assurance environments (military, critical infrastructure)
- Long-term encryption (archives, legal documents stored for decades)
- Regulatory requirement for highest security level
- Hybrid with classical where you want maximum quantum safety margin
Trade-off: 1.5 KB public key and ciphertext. Still fine for TLS, but noticeable for high-frequency protocols.
Comparison with Classical Key Exchange
| ECDH P-256 | ECDH P-384 | RSA-2048 | ML-KEM-768 | |
|---|---|---|---|---|
| Public key size | 32 B | 48 B | 256 B | 1,184 B |
| Ciphertext/key share | 32 B | 48 B | 256 B | 1,088 B |
| Classical security | ~128 bit | ~192 bit | ~112 bit | ~192 bit |
| Quantum security | 0 (broken by Shor) | 0 | 0 | ~96 bit (Grover) |
| Speed (keygen) | ~50 µs | ~100 µs | ~5 ms | ~80 µs |
| Speed (exchange) | ~100 µs | ~200 µs | ~500 µs | ~100 µs |
ML-KEM is faster than RSA and comparable to ECDH in speed, with the trade-off being larger keys.
Resources
- NIST FIPS 203, Section 4: Parameter Sets
- NIST IR 8547: Transition to Post-Quantum Cryptography
- pq-crystals.org/kyber/ — Parameter rationale