CRYSTALS-Kyber
What is CRYSTALS-Kyber?
CRYSTALS-KyberA lattice-based key-encapsulation mechanism standardized by NIST as FIPS 203 (ML-KEM) in August 2024, designed to replace RSA and Diffie-Hellman key exchange in a post-quantum world.
CRYSTALS-Kyber is a key-encapsulation mechanism (KEM) whose security reduces to the Module Learning With Errors (MLWE) problem over structured lattices. NIST selected it as the primary PQC KEM in 2022 and finalized it as FIPS 203 (ML-KEM) in August 2024. The standard defines three parameter sets — ML-KEM-512, ML-KEM-768, and ML-KEM-1024 — targeting NIST security categories 1, 3, and 5, with public keys of roughly 800, 1184, and 1568 bytes and ciphertexts of comparable size. Kyber is already being deployed inside hybrid TLS 1.3 key exchange (for example X25519MLKEM768) by major browsers, CDNs, and VPN vendors.
● Examples
- 01
Used in the X25519MLKEM768 hybrid key exchange that Chrome and Cloudflare enabled for TLS 1.3.
- 02
Selected as the default PQ KEM in the OpenSSH 9.x default key-exchange list.
● Frequently asked questions
What is CRYSTALS-Kyber?
A lattice-based key-encapsulation mechanism standardized by NIST as FIPS 203 (ML-KEM) in August 2024, designed to replace RSA and Diffie-Hellman key exchange in a post-quantum world. It belongs to the Cryptography category of cybersecurity.
What does CRYSTALS-Kyber mean?
A lattice-based key-encapsulation mechanism standardized by NIST as FIPS 203 (ML-KEM) in August 2024, designed to replace RSA and Diffie-Hellman key exchange in a post-quantum world.
How does CRYSTALS-Kyber work?
CRYSTALS-Kyber is a key-encapsulation mechanism (KEM) whose security reduces to the Module Learning With Errors (MLWE) problem over structured lattices. NIST selected it as the primary PQC KEM in 2022 and finalized it as FIPS 203 (ML-KEM) in August 2024. The standard defines three parameter sets — ML-KEM-512, ML-KEM-768, and ML-KEM-1024 — targeting NIST security categories 1, 3, and 5, with public keys of roughly 800, 1184, and 1568 bytes and ciphertexts of comparable size. Kyber is already being deployed inside hybrid TLS 1.3 key exchange (for example X25519MLKEM768) by major browsers, CDNs, and VPN vendors.
How do you defend against CRYSTALS-Kyber?
Defences for CRYSTALS-Kyber typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for CRYSTALS-Kyber?
Common alternative names include: Kyber, ML-KEM, FIPS 203.
● Related terms
- cryptography№ 846
Post-Quantum Cryptography
Classical cryptographic algorithms designed to remain secure against attacks by both classical and large-scale quantum computers.
- cryptography№ 607
Lattice-Based Cryptography
A family of post-quantum cryptographic schemes whose security reduces to the hardness of finding short vectors or solving linear equations with small errors over high-dimensional lattices.
- cryptography№ 732
NIST PQC Standardization
The multi-year NIST process that selects and standardizes post-quantum cryptographic algorithms; its first three standards, FIPS 203, 204, and 205, were published in August 2024.
- cryptography№ 252
CRYSTALS-Dilithium
A lattice-based digital-signature scheme standardized by NIST as FIPS 204 (ML-DSA) in August 2024 and intended as the post-quantum replacement for RSA, DSA, and ECDSA signatures.
- network-security№ 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- cryptography№ 1036
Shor's Algorithm
A quantum algorithm that factors large integers and computes discrete logarithms in polynomial time, breaking RSA, Diffie-Hellman, and elliptic-curve cryptography on a sufficiently large quantum computer.