ML-KEM (FIPS 203)
What is ML-KEM (FIPS 203)?
ML-KEM (FIPS 203)NIST's standardized post-quantum key encapsulation mechanism, based on the CRYSTALS-Kyber design and published as FIPS 203 in August 2024 — now the default PQ KEM for TLS, IPsec, and hybrid key exchange.
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), standardized as FIPS 203 on 13 August 2024, is the first post-quantum KEM officially standardized by NIST. It is derived from CRYSTALS-Kyber, the winning lattice-based KEM from the NIST PQC competition. The standard defines three parameter sets — ML-KEM-512, ML-KEM-768, and ML-KEM-1024 — targeting AES-128, AES-192, and AES-256-equivalent classical security with quantum resistance under reasonable lattice assumptions. ML-KEM produces encapsulated shared secrets suitable for use with HKDF, allowing it to slot into existing protocols. Hybrid key exchange — combining ML-KEM with classical X25519 via concatenated shared secrets fed into HKDF — was deployed by Apple iMessage (PQ3), Signal (PQXDH), Cloudflare and Google for TLS, and AWS KMS through 2023–2025. Pure ML-KEM (no classical hybrid) is also acceptable per FIPS 203 but most deployments hybridize until lattice cryptography has more years of broad scrutiny. Naming pitfall: the FIPS document uses ML-KEM, but most existing code still says Kyber; treat them as the same family with slight encoding differences between the draft Kyber-768 and final ML-KEM-768.
● Examples
- 01
TLS 1.3 deployments add the `X25519MLKEM768` hybrid group, sending both classical X25519 and ML-KEM-768 shares in the ClientHello.
- 02
Signal's PQXDH protocol mixes ML-KEM-768 output into the existing X3DH key agreement to provide post-quantum forward secrecy.
● Frequently asked questions
What is ML-KEM (FIPS 203)?
NIST's standardized post-quantum key encapsulation mechanism, based on the CRYSTALS-Kyber design and published as FIPS 203 in August 2024 — now the default PQ KEM for TLS, IPsec, and hybrid key exchange. It belongs to the Cryptography category of cybersecurity.
What does ML-KEM (FIPS 203) mean?
NIST's standardized post-quantum key encapsulation mechanism, based on the CRYSTALS-Kyber design and published as FIPS 203 in August 2024 — now the default PQ KEM for TLS, IPsec, and hybrid key exchange.
How does ML-KEM (FIPS 203) work?
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), standardized as FIPS 203 on 13 August 2024, is the first post-quantum KEM officially standardized by NIST. It is derived from CRYSTALS-Kyber, the winning lattice-based KEM from the NIST PQC competition. The standard defines three parameter sets — ML-KEM-512, ML-KEM-768, and ML-KEM-1024 — targeting AES-128, AES-192, and AES-256-equivalent classical security with quantum resistance under reasonable lattice assumptions. ML-KEM produces encapsulated shared secrets suitable for use with HKDF, allowing it to slot into existing protocols. Hybrid key exchange — combining ML-KEM with classical X25519 via concatenated shared secrets fed into HKDF — was deployed by Apple iMessage (PQ3), Signal (PQXDH), Cloudflare and Google for TLS, and AWS KMS through 2023–2025. Pure ML-KEM (no classical hybrid) is also acceptable per FIPS 203 but most deployments hybridize until lattice cryptography has more years of broad scrutiny. Naming pitfall: the FIPS document uses ML-KEM, but most existing code still says Kyber; treat them as the same family with slight encoding differences between the draft Kyber-768 and final ML-KEM-768.
How do you defend against ML-KEM (FIPS 203)?
Defences for ML-KEM (FIPS 203) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ML-KEM (FIPS 203)?
Common alternative names include: FIPS 203, Kyber (standardized), Module-Lattice KEM.
● Related terms
- cryptography№ 279
CRYSTALS-Kyber
A lattice-based key-encapsulation mechanism standardized by NIST as FIPS 203 (ML-KEM) in August 2024, designed to replace RSA and Diffie-Hellman key exchange in a post-quantum world.
- cryptography№ 947
Post-Quantum Cryptography
Classical cryptographic algorithms designed to remain secure against attacks by both classical and large-scale quantum computers.
- cryptography№ 678
Lattice-Based Cryptography
A family of post-quantum cryptographic schemes whose security reduces to the hardness of finding short vectors or solving linear equations with small errors over high-dimensional lattices.
- cryptography№ 767
ML-DSA (FIPS 204)
NIST's standardized post-quantum digital signature algorithm, derived from CRYSTALS-Dilithium and published as FIPS 204 in August 2024 — the default lattice-based PQ signature for code signing, X.509, and DNSSEC over time.
- cryptography№ 820
NIST PQC Standardization
The multi-year NIST process that selects and standardizes post-quantum cryptographic algorithms; its first three standards, FIPS 203, 204, and 205, were published in August 2024.
- cryptography№ 518
Harvest Now, Decrypt Later
An attack strategy where adversaries record encrypted traffic today to decrypt it once cryptographically relevant quantum computers become available.
● See also
- № 1166SLH-DSA (FIPS 205)