6 minute read

Post Quantum Cryptography Logo

Post Quantum Cryptography

Introduction

As quantum computing progresses at an accelerating pace, the classical public-key infrastructure based on RSA and Elliptic Curve Cryptography (ECC) faces a critical threat. Algorithms like Shor’s algorithm can, when quantum computers mature, break RSA and ECC in polynomial time.

To protect communications today, we must adopt cryptographic schemes that resist the threat of both present and future adversaries. This is the purpose of Post-Quantum Cryptography (PQC), and among all PQC primitives standardized by NIST in 2024, the ML-KEM (Module-Lattice-based Key Encapsulation Mechanism) formerly known as Kyber is the flagship algorithm for key establishment.

This post provides:

  • A conceptual overview of ML-KEM
  • The high-level architecture of the algorithm
  • Technical use cases and performance considerations
  • Migration and integration best practices
  • A working Python sample using the cryptography module
  • A detailed mathematical appendix

Why We Need ML-KEM

1. Quantum Threat

Quantum computers will undermine today’s cryptographic assumptions:

  • RSA depends on the hardness of integer factorization
  • ECC depends on the hardness of the discrete logarithm problem
  • Both problems become solvable in polynomial time using Shor’s algorithm

In contrast, ML-KEM relies on the hardness of a lattice problem that has no known efficient quantum attack.

2. Harvest-Now, Decrypt-Later

Adversaries can capture encrypted traffic today and decrypt it later when quantum computers become powerful enough. This is especially dangerous for:

  • Government communications
  • Financial systems
  • Healthcare and identity data
  • Long-lived secrets (e.g., firmware, secure channels, negotiation logs)

3. Standardization and Interoperability

ML-KEM is now:

  • Standardized by NIST (FIPS 203)
  • Integrated in major libraries (OpenSSL 3.4+, BoringSSL, libOQS, python cryptography)
  • Adopted by large platforms (Cloudflare, AWS KMS PQC hybrid mode, Tor experiments)

This ensures real-world support and compatibility with existing security stacks.

ML-KEM based key exchange overview

This diagram gives a high level overview of the key echange mechanism.

Overview

Core idea

  • Receiver Side (the party who generates the initial keys)
  • Sender Side (the party who establishes a shared secret using the public key)

(1) Key Generation — Receiver

The process starts with the Receiver:

  • They run the ML-KEM key generation function.
  • This produces two outputs:
    • Public Key — safe to share.
    • Secret Key — must be kept private.

These keys define the cryptographic context for the exchange.

(2) Transmit Public Key

The Receiver sends the Public Key to the Sender.

  • This transmission can happen through any secure or insecure channel.
  • The public key alone does not reveal any information about the secret key.
  • It enables the Sender to initiate the encapsulation step.

This concludes the Receiver’s pre-processing phase.

(3) Encapsulate — Sender

Upon receiving the public key, the Sender performs encapsulation.

This step produces two outputs:

  1. Ciphertext — a compact message that the Receiver will later use to recover the shared secret.
  2. Shared Secret (Sender) — a cryptographically strong random value that both parties will ultimately share.

The shared secret is never transmitted; it is derived independently on both sides.

(4) Transmit Ciphertext

The Sender transmits the Ciphertext to the Receiver.

  • The ciphertext is safe to send over any channel.
  • It contains the information the Receiver needs to reproduce the same shared secret.

This step mirrors how key establishment works in traditional KEM schemes.

(5) Decapsulate — Receiver

Using the previously generated Secret Key, the Receiver runs the decapsulation function on the received ciphertext.

  • This produces Shared Secret (Receiver).
  • This value matches exactly the one generated by the Sender during encapsulation.

At this point, both parties share the same secret, which can be used as input for:

  • AES-GCM
  • ChaCha20-Poly1305
  • HKDF
  • TLS session key derivation
  • or any symmetric encryption process.

The shared secret is never sent over the network, ensuring strong confidentiality.

Result

After completing all five steps:

  • The Sender and Receiver hold the same shared secret.
  • No attacker can compute this shared secret, even with access to both public key and ciphertext.
  • The process is efficient, quantum-safe, and easy to integrate into existing key exchange workflows.

Why Lattices?

ML-KEM uses Module Learning-With-Errors (Module-LWE) and Module-SIS problems. These problems are believed to be hard even for quantum computers.

Technical Use Cases

1. TLS 1.3 Hybrid Key Exchange

ML-KEM is already integrated into:

  • Cloudflare PQC pilot deployments
  • Chrome and Firefox experimental PQTLS
  • OpenSSL 3.4 hybrid key exchange (ECDHE + ML-KEM)

2. Secure Messaging

Used for post-quantum key setup in:

  • Signal PQXDH
  • Matrix PQC experiments
  • VPN key negotiation

3. Firmware and IoT

Firmware often has long lifetimes (10–20 years), making PQC essential for:

  • Secure boot
  • Update signing encapsulation
  • Device-server session keys

4. Government and Banking

Long-term confidentiality requirements mean that:

PQC adoption is mandatory before 2030 (See US NSA CNSA 2.0 timeline and Canada CCCS PQC guidance)

Performance Impact

ML-KEM is vastly faster than RSA and slightly faster than ECC for key establishment.

Performance Summary

Algorithm Public Key Size Ciphertext Size Keygen Encaps Decaps
RSA-2048 256 bytes 256 bytes Very slow Slow Slow
X25519 32 bytes 32 bytes Fast Fast Fast
ML-KEM-768 1184 bytes 1088 bytes Very fast Very fast Very fast

Implementation Impact

Pros:

  • Extremely fast (small polynomial multiplications)
  • Constant-time implementations available
  • Hardware acceleration emerging (RISC-V Vector, ARM PQ extensions)

Cons:

  • Larger public keys
  • Memory-heavy on tiny microcontrollers
  • Requires patched crypto stacks (OpenSSL ≥ 3.4)

Migration & Integration Best Practices

1. Use Hybrid Key Exchange

Combine ML-KEM with classical ECDHE:

$ k = \text{KDF}(\text{ECDHE} \parallel \text{ML-KEM}) $

2. Maintain Crypto Agility

Prepare infrastructure to rotate:

  • PQC parameter sets
  • PQC-hybrid vs PQC-only stacks
  • Keys and certificates

3. Update Dependencies

Minimum recommended versions:

  • OpenSSL 3.4+
  • BoringSSL (2024+)
  • python-cryptography 44+
  • liboqs 0.9+

4. Test in Staging Before Rollout

Common pitfalls:

  • MTU issues due to larger handshake packets
  • Firewall DPI blocking unknown KEM ciphersuites
  • TLS middleboxes failing with PQC extensions

5. Avoid Home-grown PQC Implementations

Always use audited, constant-time libraries.

Python Sample Using oqs ML-KEM

Note that the cryptography module expose PQC through its TLS APIs, but does not give granular low level access to PQC algorithms.

# See https://github.com/open-quantum-safe/liboqs-python
# for oqs setup instructions.
import oqs

# --- Key Generation ---
# Use Kyber768 which corresponds to ML-KEM-768
kem = oqs.KeyEncapsulation("Kyber768")
public_key_bytes = kem.generate_keypair()

# Keys are already in bytes format with OQS
pk_bytes = public_key_bytes
sk_bytes = kem.export_secret_key()  # Export secret key if needed

print("Generated ML-KEM-768 (Kyber768) key pair")
print(f"Public key length: {len(pk_bytes)} bytes")
print(f"Secret key length: {len(sk_bytes)} bytes")

# --- Encapsulation ---
# Create a new KEM instance for the sender
sender_kem = oqs.KeyEncapsulation("Kyber768")
ciphertext, shared_secret_enc = sender_kem.encap_secret(public_key_bytes)

print("Encapsulation complete")
print(f"Ciphertext length: {len(ciphertext)} bytes")
print(f"Shared secret length: {len(shared_secret_enc)} bytes")

# --- Decapsulation ---
# The original KEM instance (receiver) decapsulates with its secret key
shared_secret_dec = kem.decap_secret(ciphertext)

# Verify the shared secrets match
assert shared_secret_enc == shared_secret_dec
print("ML-KEM shared secret established successfully!")
print(f"Shared secret: {shared_secret_enc.hex()[:32]}...")

Mathematical Appendix

1. Underlying Structure

ML-KEM operates over:

  • A polynomial ring $ R_q = \mathbb{Z}_q[x]/(x^n + 1) $ where typically:
    • $n = 256$
    • $q = 3329$
  • A module of rank $k \in {2, 3, 4}$ (ML-KEM-512, ML-KEM-768, ML-KEM-1024)

2. Module-LWE Problem

Given:

$ A \in R_q^{k \times k}, \quad s, e \leftarrow \chi^k $

Produce:

$ t = A s + e \mod q $

The Module-LWE problem is:

Given $(A, t)$, recover $s$.

3. ML-KEM KeyGen

  1. Generate matrix $A$ from a seed
  2. Sample secret $s$ and noise $e$
  3. Compute:

$ t = A s + e $

  1. Public key: $(A, t)$
  2. Secret key: $s$

4. Encapsulation

  1. Sample ephemeral vector $r$
  2. Sample noise $(e_1, e_2)$
  3. Compute:

$ u = A r + e_1 $ $ v = t^T r + e_2 + \text{encode}(m) $

  1. Ciphertext: $(u, v)$
  2. Shared secret = $\text{KDF}(m \parallel \text{hash}(u, v))$

5. Decapsulation

Receiver uses secret $s$:

$ v - u^T s = \text{encode}(m) + \text{noise} $

Conclusion

ML-KEM is not only the flagship of NIST’s post-quantum standardization effort it is now a practical, performant, and essential cryptographic primitive.