
What Is ML-KEM (FIPS 203)? 

ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is the post-quantum key establishment algorithm standardized by NIST in FIPS 203 in August 2024, based on the CRYSTALS-Kyber algorithm.

ML-KEM is a key encapsulation mechanism designed to be secure against quantum computers. It lets two parties establish a shared secret key over an insecure channel, replacing quantum-vulnerable methods like RSA and Diffie-Hellman key exchange. NIST published it as FIPS 203 in August 2024 with three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024.

Key Takeaways

  • ML-KEM is NIST’s primary post-quantum standard for key establishment, published as FIPS 203 in August 2024.
  • It is based on CRYSTALS-Kyber and relies on the hardness of the Module Learning With Errors (MLWE) problem.
  • Three parameter sets (ML-KEM-512/768/1024) give roughly 128, 192, and 256-bit classical security.
  • ML-KEM replaces RSA and ECDH key exchange, which quantum computers can break with Shor’s algorithm.
  • It is often deployed in hybrid mode alongside a classical algorithm during migration.

What is ML-KEM?

ML-KEM is a post-quantum algorithm for key establishment. A key encapsulation mechanism (KEM) lets two parties agree on a shared secret key over an insecure channel, which is the job that RSA key transport and Diffie-Hellman key exchange do today. NIST standardized ML-KEM in FIPS 203 in August 2024, alongside ML-DSA (FIPS 204) and SLH-DSA (FIPS 205).

Why ML-KEM Matters

Today’s key exchange relies on the hardness of factoring or the discrete logarithm problem. A large quantum computer running Shor’s algorithm could solve both, breaking RSA and elliptic-curve key exchange. ML-KEM is built on a different mathematical problem (Module Learning With Errors) that has no known efficient quantum attack. Combined with the harvest-now, decrypt-later threat, this is why migrating key establishment to ML-KEM is a priority.

How ML-KEM Works

ML-KEM uses three operations to establish a shared secret:

  • Key generation: the receiver creates a public and private key pair and publishes the public key.
  • Encapsulation: the sender uses the receiver’s public key to generate a shared secret and a ciphertext, and sends the ciphertext.
  • Decapsulation: the receiver uses the private key to recover the same shared secret from the ciphertext.

Both sides now hold the same secret, which is used to key a fast symmetric algorithm such as AES for the actual data.
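
The three operations above as a runnable sketch, added here as an example and not taken from FIPS 203 or from Encryption Consulting's material. It uses Go's standard crypto/mlkem package (Go 1.24 or later) with ML-KEM-768; the Exchange type and RunExchange function are names made up for this example. It goes one step beyond the list by decapsulating a modified ciphertext, which shows that ML-KEM returns an unrelated secret rather than an error.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// Exchange records what each side holds after one ML-KEM-768 run (example type).
type Exchange struct {
	PublicKey, Ciphertext        []byte
	SenderSecret, ReceiverSecret []byte
	TamperedSecret               []byte // receiver output for a modified ciphertext
}

// RunExchange does key generation, encapsulation, decapsulation, then tampering.
func RunExchange() (x Exchange, err error) {
	// Key generation (receiver): private decapsulation key, public encapsulation key.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return x, err
	}
	x.PublicKey = dk.EncapsulationKey().Bytes() // the bytes the receiver publishes

	// Encapsulation (sender): parse the public key, get shared secret and ciphertext.
	ek, err := mlkem.NewEncapsulationKey768(x.PublicKey)
	if err != nil {
		return x, err // a malformed public key is rejected here
	}
	x.SenderSecret, x.Ciphertext = ek.Encapsulate()

	// Decapsulation (receiver): recover the same secret from the ciphertext.
	if x.ReceiverSecret, err = dk.Decapsulate(x.Ciphertext); err != nil {
		return x, err // returned for a ciphertext of the wrong length
	}

	// Implicit rejection: a tampered ciphertext yields an unrelated secret, no error.
	bad := bytes.Clone(x.Ciphertext)
	bad[0] ^= 0x01
	x.TamperedSecret, err = dk.Decapsulate(bad)
	return x, err
}

func main() {
	x, err := RunExchange()
	fmt.Printf("err=%v pk=%dB ct=%dB secret=%dB agree=%v tampered-agree=%v\n", err, len(x.PublicKey),
		len(x.Ciphertext), len(x.SenderSecret), bytes.Equal(x.SenderSecret, x.ReceiverSecret),
		bytes.Equal(x.SenderSecret, x.TamperedSecret))
}
```

Because a tampered ciphertext fails silently, the mismatch only surfaces when the symmetric layer keyed with the secret fails to authenticate, so the derived key should always feed an authenticated cipher or key-confirmation step.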

ML-KEM Parameter Sets

FIPS 203 defines three parameter sets that trade security strength against size and performance.

| Parameter set | Approx. classical security | Typical use |
|---|---|---|
| ML-KEM-512 | 128-bit | Lightest; constrained environments. |
| ML-KEM-768 | 192-bit | Recommended default for general use. |
| ML-KEM-1024 | 256-bit | Highest security requirements. |

All three produce a 32-byte shared secret. Public keys and ciphertexts range from roughly 800 to about 1,568 bytes depending on the parameter set. That is larger than classical keys, which is one of the practical considerations when adopting ML-KEM.

ML-KEM vs ML-DSA

ML-KEM and ML-DSA are complementary, not alternatives. ML-KEM establishes keys; ML-DSA produces digital signatures. A typical secure connection in a post-quantum world uses ML-KEM for the key exchange and ML-DSA for authenticating the parties, mirroring how RSA or ECDH and a signature algorithm work together today.

Deploying ML-KEM

The common deployment pattern during migration is hybrid: ML-KEM is combined with a proven classical algorithm such as X25519, so the connection stays secure even if one algorithm has an unexpected weakness. ML-KEM is already in major TLS libraries and browsers, and hardware security modules are adding support. Encryption Consulting’s HSM-as-a-Service and PQC Advisory help organizations adopt it safely.
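
One way the hybrid pattern can look in code, as an added example rather than the construction any particular protocol or product uses. It assumes Go 1.24 or later; Combine, HybridHandshake, and the HKDF label are hypothetical names and choices made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must keeps the example short; real code should handle each error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Combine derives one 32-byte session key from both secrets, so computing it
// requires both inputs. The HKDF label and input order are choices made for
// this example, not a standardized combiner.
func Combine(kemSecret, dhSecret []byte) []byte {
	ikm := append(bytes.Clone(kemSecret), dhSecret...)
	return must(hkdf.Key(sha256.New, ikm, nil, "example x25519+mlkem768 hybrid", 32))
}

// HybridHandshake runs X25519 and ML-KEM-768 side by side and returns the
// session key computed by the client and by the server.
func HybridHandshake() (client, server []byte) {
	// Server publishes a classical and a post-quantum public key.
	srvX := must(ecdh.X25519().GenerateKey(rand.Reader))
	srvKEM := must(mlkem.GenerateKey768())
	// Client: ephemeral X25519 share plus an ML-KEM encapsulation.
	cliX := must(ecdh.X25519().GenerateKey(rand.Reader))
	cliDH := must(cliX.ECDH(srvX.PublicKey()))
	cliKEM, ct := srvKEM.EncapsulationKey().Encapsulate()

	// Server: recompute both secrets from the client's public share and ciphertext.
	srvDH := must(srvX.ECDH(cliX.PublicKey()))
	srvKEMSecret := must(srvKEM.Decapsulate(ct))
	return Combine(cliKEM, cliDH), Combine(srvKEMSecret, srvDH)
}

func main() {
	c, s := HybridHandshake()
	fmt.Println("session keys agree:", bytes.Equal(c, s), "length:", len(c))
}
```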

How Encryption Consulting Helps

Encryption Consulting’s PQC Advisory helps you plan and execute ML-KEM adoption as part of a broader post-quantum roadmap, from cryptographic inventory through hybrid deployment and testing. Our HSM-as-a-Service provides FIPS-validated hardware that supports post-quantum algorithms, all backed by ISO/IEC 27001:2022 and SOC 2 certified practices.

Frequently Asked Questions

Is ML-KEM the same as Kyber?

ML-KEM is the standardized version of CRYSTALS-Kyber. Kyber was the algorithm selected in the NIST post-quantum competition, and NIST standardized it as ML-KEM in FIPS 203 in August 2024 with some refinements. In practice, when people say Kyber today they usually mean ML-KEM, but ML-KEM is the official, standardized name to use.

What is the difference between ML-KEM and ML-DSA?

They solve different problems. ML-KEM (FIPS 203) is a key encapsulation mechanism used to establish a shared secret key, replacing RSA and Diffie-Hellman key exchange. ML-DSA (FIPS 204) is a digital signature algorithm used to sign and verify, replacing RSA and ECDSA signatures. Most systems will need both: ML-KEM for key exchange and ML-DSA for authentication.

Which ML-KEM parameter set should I use?

ML-KEM-768 is the common default, offering roughly 192-bit classical security with a good balance of size and performance, and it is widely recommended for general use. ML-KEM-1024 suits the highest-security needs, while ML-KEM-512 is the lightest. The right choice depends on your security requirements and performance constraints; many guidelines point to ML-KEM-768 as the baseline.

Is ML-KEM quantum-safe?

ML-KEM is designed to resist attacks from both classical and quantum computers. Its security rests on the hardness of the Module Learning With Errors (MLWE) problem, which has no known efficient quantum algorithm, unlike the factoring and discrete-log problems that Shor’s algorithm breaks. NIST standardized ML-KEM in FIPS 203 precisely because it is believed to be quantum-resistant.

Where can I use ML-KEM today?

ML-KEM is already supported in major TLS libraries and browsers, often in a hybrid mode that combines it with a classical algorithm such as X25519. It is being adopted in protocols like TLS 1.3 and SSH, and hardware security modules are adding support. The practical path is hybrid deployment now, moving to ML-KEM alone as support matures.
