Key insight
ML-KEM is a key-encapsulation mechanism: three steps — keygen, encapsulate, decapsulate — that let two parties agree a shared secret over an open channel. It resists quantum attack because it’s built on the Learning-With-Errors lattice problem, which has no hidden structure for Shor’s algorithm to exploit. It comes in three security levels: 512, 768, 1024, with 768 the sensible default.
ML-KEM is the quantum-safe way for two strangers to end up holding the same secret without ever sending it in the clear — the direct fix for harvest-now-decrypt-later.
What “key encapsulation” means
You want to share a secret with me, but the only channel between us is public — eavesdroppers can record everything. In the old world, you’d grab my public key, encrypt a secret with it, and send it; only my private key could unwrap it (see the mailbox metaphor). A key-encapsulation mechanism (KEM) is the modern, precise formalisation of exactly this dance. “Encapsulate” is a fancy word for “seal a fresh shared secret into a package only your private key can open.”
The three steps
- KeyGen — Bob generates a key pair and publishes his public key.
- Encapsulate — Alice feeds Bob’s public key in; out come two things: a random shared secret she keeps, and a ciphertext she sends.
- Decapsulate — Bob feeds the ciphertext into his private key; out pops the same shared secret.
Why quantum can’t undo it: lattices
The old RSA/ECDH key exchange fell to Shor because factoring and elliptic curves have hidden periodic structure a quantum computer can find. ML-KEM is built on a completely different hard problem: Learning With Errors (LWE) over module lattices — the “ML” in the name.
512, 768, 1024: what they mean
These aren’t key lengths — they’re security levels. Bigger is more conservative but has larger keys and ciphertexts (which matters inside a network handshake):
| Parameter set | Roughly comparable to | Use when |
|---|---|---|
| ML-KEM-512 | AES-128 strength | Constrained devices; lightest option |
| ML-KEM-768 | AES-192 strength | Recommended default for most systems (TLS uses it today) |
| ML-KEM-1024 | AES-256 strength | Highest assurance (NSA CNSA 2.0) |
For almost everyone, ML-KEM-768 is the sensible middle. It’s what most browsers and servers negotiate today in hybrid TLS.
Why deployments run it “hybrid”
ML-KEM is new. To hedge against an undiscovered flaw, real systems currently run it hybrid: they perform both the classical ECDH exchange and ML-KEM, then combine both shared secrets. An attacker must break both to win. The strength of the hedge is that the two rest on completely unrelated hard problems — elliptic curves versus lattices — so a single undiscovered weakness can’t bring down both at once: quantum threatens the classical half, and any future surprise in the young lattice scheme is still caught by the battle-tested classical half. You get post-quantum protection today without betting everything on a young algorithm — a theme we’ll return to in the migration guidance.
- ML-KEM
- Module-Lattice Key-Encapsulation Mechanism (FIPS 203) — the post-quantum key-exchange standard this article explains.
- KEM (key-encapsulation mechanism)
- A three-step method (keygen / encapsulate / decapsulate) for agreeing a shared secret.
- Learning With Errors (LWE)
- The “noisy equations” hard problem underpinning ML-KEM’s security.
- Module lattice
- The structured mathematical grid ML-KEM works over; the “ML” in ML-KEM.
- Hybrid
- Running classical + post-quantum key exchange together so both must be broken.
- Ciphertext
- The encapsulated package sent across the wire; useless without the private key.
- RSA / ECDH
- The classical key-exchange algorithms ML-KEM replaces: RSA (Rivest–Shamir–Adleman) and ECDH (Elliptic-Curve Diffie–Hellman). ECDH is still run alongside ML-KEM in hybrid mode.
- AES (Advanced Encryption Standard)
- The symmetric cipher that protects the bulk data once ML-KEM has agreed a shared secret; parameter sets map to AES-128/192/256 strength.
- TLS (Transport Layer Security)
- The protocol behind HTTPS; browsers already negotiate hybrid ML-KEM inside it.
- CNSA 2.0
- The NSA’s (National Security Agency) Commercial National Security Algorithm suite, which mandates ML-KEM-1024.
What to carry forward
- ML-KEM = post-quantum key exchange; three steps: keygen, encapsulate, decapsulate.
- The shared secret never crosses the wire — only a ciphertext does.
- Security rests on the Learning-With-Errors lattice problem — no structure for Shor to exploit.
- Three levels: 512 / 768 (default) / 1024. Deployed hybrid with ECDH for now.
Next: ML-DSA & SLH-DSA Explained → — the two signature standards for authenticity.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning ML-KEM (FIPS 203). Quiz me one question at a time, correcting
me gently:
1. What does "key encapsulation" mean, and what are the three steps?
2. In encapsulate/decapsulate, what actually travels across the wire, and
what never does?
3. Why can't Shor's algorithm break ML-KEM the way it breaks RSA? What is
the "noisy equations" (Learning With Errors) intuition?
4. What do ML-KEM-512, 768, and 1024 mean, and which is the usual default?
5. What does it mean to deploy ML-KEM "hybrid," and why do it?
References & further reading
- NIST, FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (Aug 2024). csrc.nist.gov/pubs/fips/203
- NIST, PQC FAQ — lattice hardness and parameter selection. csrc.nist.gov
- IETF, Hybrid key exchange in TLS 1.3 — how ML-KEM is deployed alongside ECDH. datatracker.ietf.org
- D. J. Bernstein & T. Lange, Post-quantum cryptography (overview of lattice problems). pqcrypto.org