Key insight

ML-KEM is a key-encapsulation mechanism: three steps — keygen, encapsulate, decapsulate — that let two parties agree a shared secret over an open channel. It resists quantum attack because it’s built on the Learning-With-Errors lattice problem, which has no hidden structure for Shor’s algorithm to exploit. It comes in three security levels: 512, 768, 1024, with 768 the sensible default.

In one sentence

ML-KEM is the quantum-safe way for two strangers to end up holding the same secret without ever sending it in the clear — the direct fix for harvest-now-decrypt-later.

What “key encapsulation” means

You want to share a secret with me, but the only channel between us is public — eavesdroppers can record everything. In the old world, you’d grab my public key, encrypt a secret with it, and send it; only my private key could unwrap it (see the mailbox metaphor). A key-encapsulation mechanism (KEM) is the modern, precise formalisation of exactly this dance. “Encapsulate” is a fancy word for “seal a fresh shared secret into a package only your private key can open.”

The three steps

ML-KEM in three steps Keygen publishes a public key; encapsulate produces a shared secret and a ciphertext; decapsulate recovers the same shared secret from the ciphertext using the private key. Bob (receiver) Alice (sender) 1 · KeyGenmakes public + private key public key → 2 · Encapsulateout: shared secret (keep)+ ciphertext (send) ← ciphertext 3 · Decapsulateprivate key + ciphertext→ same shared secret both now hold the identical secret
The shared secret never crosses the wire — only the ciphertext does. Fast symmetric encryption (AES) then protects the real data.
  1. KeyGen — Bob generates a key pair and publishes his public key.
  2. Encapsulate — Alice feeds Bob’s public key in; out come two things: a random shared secret she keeps, and a ciphertext she sends.
  3. Decapsulate — Bob feeds the ciphertext into his private key; out pops the same shared secret.

Why quantum can’t undo it: lattices

The old RSA/ECDH key exchange fell to Shor because factoring and elliptic curves have hidden periodic structure a quantum computer can find. ML-KEM is built on a completely different hard problem: Learning With Errors (LWE) over module lattices — the “ML” in the name.

Toy intuition: noisy equations Imagine a set of linear equations that school algebra would solve in seconds — except a small, random amount of noise is added to every equation. That noise turns an easy problem into one that looks astronomically hard, even for a quantum computer, because there’s no clean pattern to exploit. Shor’s algorithm was built for the structure in factoring; lattice noise offers it nothing to grip. The reason is specific: Shor’s speed-up comes entirely from finding a hidden repeating pattern (a periodicity) in the maths — and LWE’s added noise means there simply isn’t one. Classical methods can’t brute-force it either, because the noise leaves a huge space of near-solutions with no exact structure to lock onto.

512, 768, 1024: what they mean

These aren’t key lengths — they’re security levels. Bigger is more conservative but has larger keys and ciphertexts (which matters inside a network handshake):

Parameter setRoughly comparable toUse when
ML-KEM-512AES-128 strengthConstrained devices; lightest option
ML-KEM-768AES-192 strengthRecommended default for most systems (TLS uses it today)
ML-KEM-1024AES-256 strengthHighest assurance (NSA CNSA 2.0)

For almost everyone, ML-KEM-768 is the sensible middle. It’s what most browsers and servers negotiate today in hybrid TLS.

Why deployments run it “hybrid”

ML-KEM is new. To hedge against an undiscovered flaw, real systems currently run it hybrid: they perform both the classical ECDH exchange and ML-KEM, then combine both shared secrets. An attacker must break both to win. The strength of the hedge is that the two rest on completely unrelated hard problems — elliptic curves versus lattices — so a single undiscovered weakness can’t bring down both at once: quantum threatens the classical half, and any future surprise in the young lattice scheme is still caught by the battle-tested classical half. You get post-quantum protection today without betting everything on a young algorithm — a theme we’ll return to in the migration guidance.

ML-KEM
Module-Lattice Key-Encapsulation Mechanism (FIPS 203) — the post-quantum key-exchange standard this article explains.
KEM (key-encapsulation mechanism)
A three-step method (keygen / encapsulate / decapsulate) for agreeing a shared secret.
Learning With Errors (LWE)
The “noisy equations” hard problem underpinning ML-KEM’s security.
Module lattice
The structured mathematical grid ML-KEM works over; the “ML” in ML-KEM.
Hybrid
Running classical + post-quantum key exchange together so both must be broken.
Ciphertext
The encapsulated package sent across the wire; useless without the private key.
RSA / ECDH
The classical key-exchange algorithms ML-KEM replaces: RSA (Rivest–Shamir–Adleman) and ECDH (Elliptic-Curve Diffie–Hellman). ECDH is still run alongside ML-KEM in hybrid mode.
AES (Advanced Encryption Standard)
The symmetric cipher that protects the bulk data once ML-KEM has agreed a shared secret; parameter sets map to AES-128/192/256 strength.
TLS (Transport Layer Security)
The protocol behind HTTPS; browsers already negotiate hybrid ML-KEM inside it.
CNSA 2.0
The NSA’s (National Security Agency) Commercial National Security Algorithm suite, which mandates ML-KEM-1024.

What to carry forward

Next: ML-DSA & SLH-DSA Explained → — the two signature standards for authenticity.

Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning ML-KEM (FIPS 203). Quiz me one question at a time, correcting
me gently:

1. What does "key encapsulation" mean, and what are the three steps?
2. In encapsulate/decapsulate, what actually travels across the wire, and
   what never does?
3. Why can't Shor's algorithm break ML-KEM the way it breaks RSA? What is
   the "noisy equations" (Learning With Errors) intuition?
4. What do ML-KEM-512, 768, and 1024 mean, and which is the usual default?
5. What does it mean to deploy ML-KEM "hybrid," and why do it?

References & further reading

  1. NIST, FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (Aug 2024). csrc.nist.gov/pubs/fips/203
  2. NIST, PQC FAQ — lattice hardness and parameter selection. csrc.nist.gov
  3. IETF, Hybrid key exchange in TLS 1.3 — how ML-KEM is deployed alongside ECDH. datatracker.ietf.org
  4. D. J. Bernstein & T. Lange, Post-quantum cryptography (overview of lattice problems). pqcrypto.org