01 — Why We Need ML-KEM
Today's Key Exchange
When you visit a secure website, your browser and the server perform a key exchange — a mathematical handshake that creates a shared secret key. This key encrypts everything that follows.
The Two Classical Methods
| Method | Used for | How it works (simplified) |
|---|---|---|
| RSA | Key wrapping, legacy TLS | Based on factoring large numbers |
| ECDH | Modern TLS, VPNs, messaging | Based on elliptic curve discrete logarithms |
Both rely on the same assumption: certain math problems are too hard for computers to solve in reasonable time.
Enter the Quantum Computer
In 1994, Peter Shor discovered a quantum algorithm that:
- Factors integers in polynomial time
- Solves discrete logarithms in polynomial time
For RSA-2048 (the size in common use today):
- Classical effort: infeasible; with the best known factoring algorithm the estimates run to trillions of years
- Quantum effort with Shor's: hours to days, once a large enough fault-tolerant quantum computer exists
The Timeline Problem
| Year | Milestone | What it means |
|---|---|---|
| 1994 | Shor's algorithm published | Theoretical threat established |
| 2019 | Google's 53-qubit Sycamore | Proof of concept: quantum advantage on a contrived sampling task, not on factoring |
| 2023 | IBM's 1,121-qubit Condor | Physical qubit counts are scaling; running Shor's algorithm on RSA-2048 needs error-corrected logical qubits at a scale these machines do not yet have |
| ~2030–2035 | Estimated cryptographically-relevant quantum computer | RSA and ECDH become breakable |
| Now | Harvest now, decrypt later | Adversaries are recording encrypted traffic today to decrypt when quantum computers arrive |
"Harvest Now, Decrypt Later"
This is the most immediate threat:
- An adversary (nation-state, criminal group) records encrypted traffic today.
- They cannot break it now — classical computers are too slow.
- In 10–15 years, they use a quantum computer to break the recorded key exchange.
- They now have the session keys and can decrypt all recorded traffic.
Everything with long-term value is at risk:
- Diplomatic communications
- Healthcare records (protected for patient lifetime)
- Financial transactions
- Military secrets
- Trade secrets and intellectual property
The Fix: Post-Quantum Key Exchange
ML-KEM (FIPS 203) replaces the vulnerable key exchange step. It does NOT replace AES (the symmetric cipher that encrypts data after key exchange). The best known quantum attack on symmetric ciphers is Grover's search, which gives at most a quadratic speedup, so AES-256 keeps roughly 128-bit security against a quantum attacker; this is why CNSA 2.0 requires AES-256 rather than AES-128.
What Changes
| Layer | Before | After |
|---|---|---|
| Key exchange | ECDH or RSA | ML-KEM |
| Data encryption | AES-256-GCM | AES-256-GCM (unchanged) |
| Authentication | ECDSA signatures | ML-DSA or SLH-DSA |
The Transition Strategy
Hybrid mode (recommended during transition):
- Perform both ECDH and ML-KEM key exchange.
- Combine both shared secrets into one final key.
- If either algorithm is broken, the other still protects you.
Note that ML-KEM is a key encapsulation mechanism, not a Diffie-Hellman exchange: one side publishes an encapsulation (public) key, the other side encapsulates to it, producing a ciphertext and a shared secret, and the first side decapsulates the ciphertext to recover the same secret. That is why the server's ML-KEM message in the diagram is a ciphertext rather than a second public key.
```text
Client                                        Server
  |                                             |
  |-- ECDH public key ------------------------->|
  |-- ML-KEM public (encapsulation) key ------->|
  |                                             |  encapsulate -> (MLKEM_ss, ciphertext)
  |<-- ECDH public key -------------------------|
  |<-- ML-KEM ciphertext -----------------------|
  |                                             |
  decapsulate(ciphertext) -> MLKEM_ss          |
  |                                             |
  Both: ss = KDF(ECDH_ss || MLKEM_ss)
  Both use ss for AES-256-GCM
```
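The exchange in the diagram, written out as an added example (this is not code from the original page). It uses only the Go standard library: ML-KEM-768 from crypto/mlkem and X25519 from crypto/ecdh (both present since Go 1.24), with the combiner built from HMAC-SHA256 as HKDF-Extract followed by one block of HKDF-Expand. The ClientHello/ServerHello message names, the label "hybrid-example-v1" and the decision to feed the whole transcript into the KDF are this example's own choices, not part of any standard.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Wire messages, mirroring the diagram above (sizes are those of X25519 and ML-KEM-768).
type ClientHello struct{ ECDHPub, MLKEMEk []byte } // 32-byte public key, 1184-byte encapsulation key
type ServerHello struct{ ECDHPub, MLKEMCt []byte } // 32-byte public key, 1088-byte ciphertext

// Client keeps its private halves plus its own hello, which Combine binds into the key.
type Client struct {
	ecdhPriv *ecdh.PrivateKey
	mlkemDk  *mlkem.DecapsulationKey768
	hello    *ClientHello
}

// NewClient generates both key pairs and builds the first message.
func NewClient() (*Client, *ClientHello, error) {
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	hello := &ClientHello{ECDHPub: ecdhPriv.PublicKey().Bytes(), MLKEMEk: dk.EncapsulationKey().Bytes()}
	return &Client{ecdhPriv: ecdhPriv, mlkemDk: dk, hello: hello}, hello, nil
}

// x25519 parses the peer's public key bytes and runs the Diffie-Hellman step.
func x25519(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub) // Go rejects an all-zero result (low-order peer point)
}

// ServerRespond runs the server side (ECDH + ML-KEM encapsulation + combiner) and
// returns the reply together with the server's copy of the traffic key.
func ServerRespond(hello *ClientHello) (*ServerHello, []byte, error) {
	ek, err := mlkem.NewEncapsulationKey768(hello.MLKEMEk) // rejects malformed keys
	if err != nil {
		return nil, nil, err
	}
	ecdhPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecdhSS, err := x25519(ecdhPriv, hello.ECDHPub)
	if err != nil {
		return nil, nil, err
	}
	mlkemSS, ct := ek.Encapsulate() // fresh 32-byte secret plus the ciphertext to send
	reply := &ServerHello{ECDHPub: ecdhPriv.PublicKey().Bytes(), MLKEMCt: ct}
	return reply, Combine(ecdhSS, mlkemSS, hello, reply), nil
}

// Finish runs the client side. Failure mode to know: a tampered ciphertext of the right
// length does not error; ML-KEM's implicit rejection yields an unrelated secret instead,
// so the two sides simply end up with different keys.
func (c *Client) Finish(reply *ServerHello) ([]byte, error) {
	ecdhSS, err := x25519(c.ecdhPriv, reply.ECDHPub)
	if err != nil {
		return nil, err
	}
	mlkemSS, err := c.mlkemDk.Decapsulate(reply.MLKEMCt)
	if err != nil {
		return nil, err
	}
	return Combine(ecdhSS, mlkemSS, c.hello, reply), nil
}

// Combine is ss = KDF(ECDH_ss || MLKEM_ss): HKDF-SHA256 from HMAC primitives, with the full
// transcript as HKDF info so ss is bound to the exact keys and ciphertext exchanged. The
// label and ordering are this example's (hypothetical) choice; real protocols fix their own.
func Combine(ecdhSS, mlkemSS []byte, hello *ClientHello, reply *ServerHello) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // HKDF-Extract with a zero salt
	extract.Write(append(append([]byte{}, ecdhSS...), mlkemSS...))
	expand := hmac.New(sha256.New, extract.Sum(nil)) // HKDF-Expand, block 1 = HMAC(PRK, info || 0x01)
	for _, p := range [][]byte{[]byte("hybrid-example-v1"), hello.ECDHPub, hello.MLKEMEk, reply.ECDHPub, reply.MLKEMCt, {0x01}} {
		expand.Write(p)
	}
	return expand.Sum(nil)
}

// SameKey compares two derived keys in constant time.
func SameKey(a, b []byte) bool { return hmac.Equal(a, b) }

func main() {
	client, hello, err := NewClient()
	if err != nil {
		panic(err)
	}
	reply, serverKey, err := ServerRespond(hello)
	if err != nil {
		panic(err)
	}
	clientKey, err := client.Finish(reply)
	if err != nil {
		panic(err)
	}
	fmt.Println("hybrid keys match:", SameKey(clientKey, serverKey))
}
```

Two things worth noticing when you run it. First, a message from either side is either 32 + 1184 or 32 + 1088 bytes, which is the "larger than ECDH but acceptable" cost from the table below. Second, ML-KEM decapsulation never tells you a ciphertext was tampered with: it returns a pseudorandom key instead (implicit rejection), so the only signal is that the first AEAD record fails to authenticate, exactly as with a corrupted ECDH share. A deployed protocol fixes its own concatenation order and KDF (TLS 1.3 feeds the concatenated secrets straight into its existing key schedule), so treat the combiner here as illustrative.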
Why ML-KEM Specifically?
NIST ran a six-year competition (announced December 2016, first selections July 2022). It received 82 submissions, of which 69 met the requirements and entered the first round. CRYSTALS-Kyber was selected as the KEM to standardize and was published as ML-KEM in FIPS 203 in August 2024, because it:
| Criterion | How ML-KEM scored |
|---|---|
| Security | Well-understood mathematical foundation (Module-LWE, a structured lattice problem) |
| Performance | Key generation, encapsulation and decapsulation are all fast: far faster than RSA and comparable to or faster than ECDH in software |
| Key sizes | ML-KEM-768: 1184-byte public key, 1088-byte ciphertext, 32-byte shared secret (versus 32 bytes each for X25519; larger, but acceptable) |
| Flexibility | Three parameter sets (ML-KEM-512/768/1024) targeting NIST security levels 1/3/5, i.e. AES-128/192/256 |
| Confidence | Extensively analysed by cryptographers worldwide throughout the competition |
Resources
- NIST Post-Quantum Cryptography Standardization: csrc.nist.gov/projects/post-quantum-cryptography
- Shor's original paper (1994): Algorithms for quantum computation: discrete logarithms and factoring (FOCS 1994)
- Harvest Now Decrypt Later analysis: NSA CNSA 2.0 timeline