
# ML-KEM / CRYSTALS-Kyber

### ML-KEM / Kyber: Post-Quantum Key Encapsulation Mechanism

#### **Overview**

ML-KEM, formerly known as CRYSTALS-Kyber, is a post-quantum cryptographic algorithm based on module learning-with-errors (MLWE). It is a Key Encapsulation Mechanism (KEM) designed for secure key exchange and symmetric key establishment in systems preparing for the post-quantum era.

* **Full name:** Module-LWE Key Encapsulation Mechanism
* **Also known as:** Kyber / CRYSTALS-Kyber
* **Submitted to:** NIST Post-Quantum Cryptography Standardization Project
* **Selected as:** The sole KEM finalist for standardization in July 2022
* **Standardized as:** ML-KEM by NIST in **FIPS 203** (finalized 2024)

#### **Design Goals**

* **Post-quantum security:** Designed to resist known classical and quantum attack models
* **High efficiency:** Small key sizes, fast computation, and low memory usage
* **Drop-in KEM replacement:** Easily replaces traditional key exchange schemes such as RSA or Diffie-Hellman
* **Simplicity:** Clean structure with three main operations: `KeyGen`, `Encaps`, `Decaps`

#### **Core Operations**

ML-KEM is a **KEM**, not a full public-key encryption scheme. Its role is to securely establish shared keys using encapsulation.

**1. `KeyGen() → (pk, sk)`**

* Generates a public/private keypair
* Public key `pk` is used to encapsulate
* Secret key `sk` is used to decapsulate

**2. `Encaps(pk) → (ct, ss)`**

* Encapsulates a shared secret
* `ct`: Ciphertext sent to the recipient
* `ss`: Shared secret used by the sender

**3. `Decaps(ct, sk) → ss'`**

* Decapsulates ciphertext using the private key
* Returns a shared secret `ss'` that equals the sender’s `ss` when the ciphertext is valid

#### **Parameter Sets**

| Parameter set   | Security level         | Public key |            | Secret key | Shared secret |
| --------------- | ---------------------- | ---------- | ---------- | ---------- | ------------- |
| **ML-KEM-512**  | 128-bit (NIST Level 1) | 800 bytes  | 800 bytes  | 1632 bytes | 32 bytes |
| **ML-KEM-768**  | 192-bit (Level 3)      | 1184 bytes | 1184 bytes | 2400 bytes | 32 bytes |
| **ML-KEM-1024** | 256-bit (Level 5)      | 1568 bytes | 1568 bytes | 3168 bytes | 32 bytes |

Each variant provides a tradeoff between security level and bandwidth.

Cryptic uses ML-KEM-768 as the middle ground between security and performance, supporting post-quantum key establishment across the Cryptic communication stack.

#### **How It Works (Simplified)**

ML-KEM is based on **module learning-with-errors (MLWE)**, a hard lattice problem believed to resist known classical and quantum attacks.

* Public keys are short vectors over a polynomial ring
* Encapsulation involves sampling random secrets and adding small error terms
* Decapsulation uses the secret key to recover the shared secret
* A final hash step derives the session key

#### **Important Concepts**

* **Lattices:** Mathematical structures used in post-quantum cryptography
* **Error terms:** Noise added to preserve security and make recovery difficult without the private key
* **Compression:** Helps keep ciphertext and key sizes practical for real-world use

#### **Security Considerations**

* **Post-quantum security:** Based on MLWE, with no known efficient classical or quantum attacks
* **IND-CCA2 security:** ML-KEM achieves indistinguishability under adaptive chosen ciphertext attack, which is important for secure protocols
* **Error leakage mitigations:** Uses hashing and compression techniques to reduce leakage risks
* **Side-channel resistance:** Implementations must avoid timing attacks; constant-time arithmetic is important
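
The three operations and the noise-plus-hash construction described above, as an added toy example (not Cryptic's code and not ML-KEM itself): a plain-LWE KEM with insecure toy dimensions, using only Python's standard library. It keeps ML-KEM's overall shape (public value `A*S + E`, a re-encryption check in `decaps`, and a rejection key for invalid ciphertexts); the parameters `N` and `L`, the helper `_sample` and the `repr`-based serialization are assumptions made for illustration.

```python
import hashlib, hmac, secrets

Q, N, L = 3329, 16, 256  # Kyber's modulus; toy dimension and message bits (not ML-KEM sizes)

def _sample(seed, rows, cols, small):
    """Expand seed into a rows x cols matrix: noise in {-1,0,1} if small, else values mod Q."""
    raw = hashlib.shake_256(seed).digest(2 * rows * cols)
    vals = [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]
    vals = [v % 3 - 1 if small else v % Q for v in vals]
    return [vals[r * cols:(r + 1) * cols] for r in range(rows)]

def keygen():
    rho, sigma, z = (secrets.token_bytes(32) for _ in range(3))
    A = _sample(rho, N, N, False)
    S, E = _sample(sigma + b"s", N, L, True), _sample(sigma + b"e", N, L, True)
    # Public value T = A*S + E: the error term E is what hides the secret S.
    T = [[(sum(A[i][k] * S[k][j] for k in range(N)) + E[i][j]) % Q
          for j in range(L)] for i in range(N)]
    return (rho, T), (S, (rho, T), z)  # pk, sk (sk keeps pk and a rejection seed z)

def _encrypt(pk, bits, coins):
    A, T = _sample(pk[0], N, N, False), pk[1]
    r, e1, e2 = (_sample(coins + t, 1, n, True)[0]
                 for t, n in ((b"r", N), (b"1", N), (b"2", L)))
    u = [(sum(A[i][j] * r[i] for i in range(N)) + e1[j]) % Q for j in range(N)]
    v = [(sum(T[i][j] * r[i] for i in range(N)) + e2[j] + bits[j] * (Q // 2)) % Q
         for j in range(L)]
    return u, v

def _decrypt(S, ct):
    u, v = ct
    noisy = [(v[j] - sum(S[k][j] * u[k] for k in range(N))) % Q for j in range(L)]
    return [int(Q // 4 < x < 3 * Q // 4) for x in noisy]  # round away the small noise

def _derive(pk, bits):
    g = hashlib.sha3_512(bytes(bits) + hashlib.sha3_256(repr(pk).encode()).digest()).digest()
    return g[:32], g[32:]  # (shared secret, encryption randomness)

def encaps(pk):
    bits = [secrets.randbits(1) for _ in range(L)]
    ss, coins = _derive(pk, bits)
    return _encrypt(pk, bits, coins), ss

def decaps(sk, ct):
    S, pk, z = sk
    bits = _decrypt(S, ct)
    ss, coins = _derive(pk, bits)
    # Re-encrypt and compare: a modified ciphertext yields an unrelated key, not an error.
    valid = hmac.compare_digest(repr(_encrypt(pk, bits, coins)), repr(ct))
    return ss if valid else hashlib.shake_256(z + repr(ct).encode()).digest(32)
```
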

#### **References**

* [NIST FIPS 203 – ML-KEM Standard](https://csrc.nist.gov/publications/detail/fips/203/final)
* [Kyber Submission to NIST](https://pq-crystals.org/kyber/)
* [Original Kyber Paper (Bos, Ducas, et al)](https://eprint.iacr.org/2017/634.pdf)
* [liboqs Documentation](https://openquantumsafe.org/liboqs/)


