# CRYSTALS-Kyber

### ML-KEM / Kyber: Post-Quantum Key Encapsulation Mechanism <a href="#ml-kem-kyber-post-quantum-key-encapsulation-mechanism" id="ml-kem-kyber-post-quantum-key-encapsulation-mechanism"></a>

#### Overview <a href="#overview" id="overview"></a>

ML-KEM (Kyber) is a post-quantum cryptographic algorithm based on module learning-with-errors (MLWE). It is a Key Encapsulation Mechanism (KEM) designed for secure key exchange and symmetric key establishment resistant to attacks by quantum computers.

* **Full name:** Module-LWE Key Encapsulation Mechanism
* **Also known as:** Kyber (CRYSTALS-Kyber)
* **Submitted to:** NIST Post-Quantum Cryptography Standardization Project
* **Selected as:** The *sole* KEM finalist for standardization in July 2022
* **Standardized as:** ML-KEM by NIST in **FIPS 203** (finalized 2024)

#### Design Goals <a href="#design-goals" id="design-goals"></a>

* **Post-quantum security:** Resistant to attacks from quantum computers; no known efficient quantum algorithms exist for MLWE-based problems.
* **High efficiency:** Small key sizes, fast computation, and low memory usage
* **Drop-in KEM replacement:** Easily replaces traditional schemes like RSA or Diffie-Hellman
* **Simplicity:** Clean structure with only three main operations: `KeyGen`, `Encaps`, `Decaps`

#### Core Operations <a href="#core-operations" id="core-operations"></a>

ML-KEM is a **KEM**, not a full public-key encryption scheme, so its job is to securely establish shared keys using encapsulation.

**1. `KeyGen() → (pk, sk)`**

* Generates a public/private keypair
* Public key `pk` is used to encrypt (encapsulate)
* Secret key `sk` is used to decrypt (decapsulate)

**2. `Encaps(pk) → (ct, ss)`**

* Encrypts a shared secret
* `ct`: Ciphertext (to be sent to recipient)
* `ss`: Shared secret (for the sender to use)

**3. `Decaps(ct, sk) → ss'`**

* Decrypts ciphertext using the private key
* Returns the same shared secret `ss'` (which should equal the sender’s `ss` if the ciphertext is valid)

#### Parameter Sets <a href="#parameter-sets" id="parameter-sets"></a>

|                 |                        |            |            |            |          |
| --------------- | ---------------------- | ---------- | ---------- | ---------- | -------- |
| **ML-KEM-512**  | 128-bit (NIST Level 1) | 800 bytes  | 800 bytes  | 1632 bytes | 32 bytes |
| **ML-KEM-768**  | 192-bit (Level 3)      | 1184 bytes | 1184 bytes | 2400 bytes | 32 bytes |
| **ML-KEM-1024** | 256-bit (Level 5)      | 1568 bytes | 1568 bytes | 3168 bytes | 32 bytes |

Each variant trades off security level against bandwidth. In Cryptic we use ML-KEM-768 as the perfect middle ground between security and performance, and we will be releasing an NPM package that lets mobile developers implement Kyber 768, as we did for Cypher.

#### How It Works (Simplified) <a href="#how-it-works-simplified" id="how-it-works-simplified"></a>

ML-KEM is based on **module learning-with-errors (MLWE)**, a hard lattice problem that even quantum computers cannot solve efficiently.

* Public keys are short vectors over a polynomial ring.
* Encapsulation involves sampling random secrets and adding small error terms (noise).
* Decapsulation uses the secret key to reverse the operation and recover the shared secret.
* A final hash step derives the session key.

**Important Concepts:**

* **Lattices:** Mathematical structures resistant to quantum attacks.
* **Error terms (noise):** Critical for security; ensures hardness of recovering the plaintext.
* **Rejection sampling and compression:** Keeps ciphertext sizes small and leakage low.
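
An added example, not code from Cryptic or from the ML-KEM specification: a toy rank-1 version of the steps above in Python, using ML-KEM's n = 256 and q = 3329 but schoolbook multiplication, no compression and no CCA transform. All function and constant names are chosen here for illustration; the point is to show that the noise terms stay small enough for both sides to recover and hash the same message bits.

```python
import hashlib
import secrets

# Toy parameters: ring Z_Q[x]/(x^N + 1) with ML-KEM's n and q, but rank 1,
# no compression and no CCA transform. For illustration only.
N, Q = 256, 3329
HALF_Q = (Q + 1) // 2  # encodes a 1 bit as far from 0 as possible

def poly_mul(a, b):
    """Schoolbook product modulo x^N + 1 and Q (x^N wraps around as -1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] = (out[k] + sign * ai * bj) % Q
    return out

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def small():
    """Secret or noise polynomial with coefficients in {-1, 0, 1}."""
    return [secrets.randbelow(3) - 1 for _ in range(N)]

def kdf(bits):
    """Final hash step: derive the 32-byte shared secret from the message bits."""
    return hashlib.sha3_256(bytes(bits)).digest()

def keygen():
    a = [secrets.randbelow(Q) for _ in range(N)]
    s, e = small(), small()
    return (a, add(poly_mul(a, s), e)), s          # pk = (a, a*s + e), sk = s

def encaps(pk):
    a, b = pk
    m = [secrets.randbelow(2) for _ in range(N)]   # random 256-bit message
    r, e1, e2 = small(), small(), small()
    u = add(poly_mul(a, r), e1)
    v = add(add(poly_mul(b, r), e2), [bit * HALF_Q for bit in m])
    return (u, v), kdf(m)

def decaps(ct, sk):
    u, v = ct
    noisy = sub(v, poly_mul(sk, u))   # m*HALF_Q + (e*r + e2 - s*e1), noise <= 513
    m = [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in noisy]
    return kdf(m)
```

In this toy, a modified ciphertext simply decapsulates to a different key with no error raised. ML-KEM's decapsulation additionally re-encrypts the recovered message and, on a mismatch, returns a pseudorandom key derived from a secret value (implicit rejection), which is what the chosen-ciphertext security claim relies on.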

#### Security Considerations <a href="#security-considerations" id="security-considerations"></a>

* **Quantum security**: Based on MLWE, with no known polynomial-time classical or quantum attacks
* **IND-CCA2**: ML-KEM achieves **indistinguishability under adaptive chosen ciphertext attack** (IND-CCA2), critical for TLS and other secure protocols.
* **Error leakage mitigations**: Uses hashing and compression techniques to mitigate side channels.
* **Side-channel resistance**: Implementations must avoid timing attacks; constant-time arithmetic is crucial.

#### References <a href="#references" id="references"></a>

* [NIST FIPS 203 – ML-KEM Standard](https://csrc.nist.gov/publications/detail/fips/203/final)
* [Kyber Submission to NIST](https://pq-crystals.org/kyber/)
* [Original Kyber Paper (Bos, Ducas, et al)](https://eprint.iacr.org/2017/634.pdf)
* [liboqs Documentation](https://openquantumsafe.org/liboqs/)

