ML-KEM (Module-Lattice Key Encapsulation Mechanism)
What
ML-KEM is the NIST-standardised post-quantum key-encapsulation mechanism defined in FIPS 203 (August 2024). It was submitted to and analysed in the NIST PQC standardisation process as Kyber (CRYSTALS-Kyber). It is module-lattice-based: its security reduces to the hardness of module-LWE. It is designed as the general-purpose PQ KEM replacement for classical Diffie-Hellman and ECDH in protocols that must establish session keys resistant to a CRQC (cryptographically relevant quantum computer) — the KEM side of the PQC migration, complementing ML-DSA on the signature side.
(Source: sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson)
Parameter sets
NIST standardised three parameter sets trading security against size:
- ML-KEM-512 — NIST security category 1 (~AES-128 classical).
- ML-KEM-768 — NIST security category 3 (~AES-192).
- ML-KEM-1024 — NIST security category 5 (~AES-256).
Meta's stated policy (2026-04-16 migration post):
In general we suggest teams to consider adopting ML-KEM-768 achieving NIST Security Level 3, although exceptions can be granted for ML-KEM-512 achieving NIST Security Level 1 (as endorsed by NIST PQC FAQ) in case ML-KEM-768 performance is prohibitive for a particular use case.
The Kyber-512 FAQ from NIST explicitly endorses ML-KEM-512 for performance-constrained deployments; Meta treats it as exception-only.
Typical sizes (ML-KEM-768)
- Public key: ~1.2 kB
- Ciphertext: ~1.1 kB
- Shared secret: 32 B
Much larger than X25519 (32 B per key share in each direction) — carrying both in a hybrid construction inflates the TLS ClientHello to ~1.2 kB and interacts with MTU assumptions.
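The sizes above follow directly from the FIPS 203 encoding parameters, and the ~1.2 kB figure is the ML-KEM-768 encapsulation key plus the X25519 point in one key share. As an added worked example (not code from the page's sources), the block below derives the sizes for all three parameter sets, computes the X25519MLKEM768 client and server share lengths, parses a constructed client share into its two components, and checks how much room is left in one TCP segment at the IPv6 minimum MTU; the header-overhead figure is an assumption for illustration.

```python
"""Byte sizes of FIPS 203 ML-KEM objects and of X25519MLKEM768 hybrid TLS key shares.

Formulas follow FIPS 203 (ek = 384k + 32, dk = 768k + 96, ct = 32(d_u*k + d_v) bytes);
the hybrid share layout (ML-KEM part first, then the 32-byte X25519 point) follows
draft-ietf-tls-ecdhe-mlkem. Header overhead in segment_headroom is an assumption.
"""

# FIPS 203 parameters that fix the encoding sizes: (k, d_u, d_v)
MLKEM_PARAMS = {
    "ML-KEM-512": (2, 10, 4),
    "ML-KEM-768": (3, 10, 4),
    "ML-KEM-1024": (4, 11, 5),
}
X25519_LEN = 32  # X25519 public value and shared secret are both 32 bytes


def mlkem_sizes(name):
    """Return (ek, dk, ct, ss) sizes in bytes for a parameter set."""
    k, du, dv = MLKEM_PARAMS[name]
    ek = 384 * k + 32          # k polynomials at 12 bits/coefficient + 32-byte seed rho
    dk = 768 * k + 96          # secret vector (384k) + ek (384k+32) + H(ek) (32) + z (32)
    ct = 32 * (du * k + dv)    # compressed vector u (d_u bits/coeff) + compressed v (d_v)
    return ek, dk, ct, 32      # shared secret K is always 32 bytes


def hybrid_share_sizes():
    """Wire lengths of the X25519MLKEM768 client/server shares and the combined secret."""
    ek, _, ct, ss = mlkem_sizes("ML-KEM-768")
    return {"client": ek + X25519_LEN, "server": ct + X25519_LEN, "secret": ss + X25519_LEN}


def split_client_share(share):
    """Parse a client X25519MLKEM768 key_share into (mlkem_ek, x25519_pk)."""
    ek_len = mlkem_sizes("ML-KEM-768")[0]
    if len(share) != ek_len + X25519_LEN:
        raise ValueError(f"client share must be {ek_len + X25519_LEN} bytes, got {len(share)}")
    return share[:ek_len], share[ek_len:]


def segment_headroom(share_len, mtu=1280, ip_tcp_headers=60):
    """Bytes left for the rest of the ClientHello in one segment at the given path MTU.

    Assumes IPv6 (40 B) + TCP (20 B) headers without options; 1280 is the IPv6 minimum MTU.
    """
    return mtu - ip_tcp_headers - share_len


if __name__ == "__main__":
    for name in MLKEM_PARAMS:
        print(name, dict(zip(("ek", "dk", "ct", "ss"), mlkem_sizes(name))))
    sizes = hybrid_share_sizes()
    print("X25519MLKEM768:", sizes, "headroom at MTU 1280:", segment_headroom(sizes["client"]))
    # constructed sample: 1184 zero bytes for the ML-KEM ek, 32 bytes of 0x01 for X25519
    ek, xpk = split_client_share(b"\x00" * 1184 + b"\x01" * 32)
    print("parsed lengths:", len(ek), len(xpk))
```

With only 4 bytes of headroom after the key share alone, the rest of the ClientHello (random, cipher suites, SNI, other extensions) cannot fit, so the hello spans several TCP segments on minimum-MTU paths.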
Canonical deployments
- TLS 1.3 hybrid X25519MLKEM768 — widely deployed by browsers and CDNs since 2024 (initially as X25519Kyber768Draft00). Carries >65 % of human traffic to Cloudflare as of early 2026.
- IPsec / IKEv2 hybrid per draft-ietf-ipsecme-ikev2-mlkem (late 2025 draft). Generally available in Cloudflare IPsec as of 2026-04-30 — classical Diffie-Hellman runs first, its derived key encrypts a second exchange running ML-KEM, and both outputs mix into the session keys securing ESP data-plane traffic. Branch-connector interoperability verified with Cisco 8000 Series Secure Routers 26.1.1+ and Fortinet FortiOS 7.6.6+; reference implementation via strongswan. (Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)
- SSH — Meta and others aim for an ML-KEM-based hybrid SSH KEX replacing Streamlined NTRU Prime once library support matures.
- Meta's internal infrastructure — ML-KEM named as the recommended PQ KEM for Meta's multi-year migration. (Source: sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson)
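The two-stage handshake shape in the IPsec item above (and restated under Seen in) is the RFC 9370 multiple-key-exchange pattern that draft-ietf-ipsecme-ikev2-mlkem builds on: IKE_SA_INIT derives keys from classical DH, those keys protect an IKE_INTERMEDIATE exchange carrying ML-KEM, and the ML-KEM secret is folded into a fresh SKEYSEED. The block below is an added example, not Cloudflare's, strongSwan's or the draft's code; it assumes HMAC-SHA256 as prf, 32-byte keys, and constructed placeholder secrets, nonces and SPIs in place of real X25519 and ML-KEM operations.

```python
"""Key mixing for a hybrid IKEv2 handshake (RFC 9370 framework; prf = HMAC-SHA256).

Stage 0: SKEYSEED = prf(Ni|Nr, g^ir) from IKE_SA_INIT (classical DH).
Stage 1: SKEYSEED(1) = prf(SK_d(0), SK(1)|Ni|Nr) after IKE_INTERMEDIATE (ML-KEM secret SK(1)).
All inputs in __main__ are constructed placeholders, not real key-exchange outputs.
"""
import hashlib
import hmac

KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
KEY_LEN = 32  # illustrative; real lengths depend on the negotiated transforms


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """RFC 7296 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n), output T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_sk(skeyseed, ni, nr, spi_i, spi_r):
    """{SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEY_LEN * len(KEY_NAMES))
    return {k: material[i * KEY_LEN:(i + 1) * KEY_LEN] for i, k in enumerate(KEY_NAMES)}


def hybrid_ike_keys(dh_secret, mlkem_secret, ni, nr, spi_i, spi_r):
    """Return (stage-0 keys, stage-1 keys) of a DH-then-ML-KEM IKEv2 handshake."""
    # stage 0: classical DH only; SK_e*/SK_a* here protect the IKE_INTERMEDIATE message
    keys0 = derive_sk(prf(ni + nr, dh_secret), ni, nr, spi_i, spi_r)
    # stage 1: chain the ML-KEM secret through SK_d(0), so both exchanges feed every key
    keys1 = derive_sk(prf(keys0["SK_d"], mlkem_secret + ni + nr), ni, nr, spi_i, spi_r)
    return keys0, keys1


if __name__ == "__main__":
    dh, kem = b"\x11" * 32, b"\x22" * 32                      # constructed secrets
    ni, nr, spi_i, spi_r = b"N" * 32, b"M" * 32, b"\x01" * 8, b"\x02" * 8
    k0, k1 = hybrid_ike_keys(dh, kem, ni, nr, spi_i, spi_r)
    print("SK_ei after DH only :", k0["SK_ei"].hex())
    print("SK_ei after ML-KEM  :", k1["SK_ei"].hex())
```

Recovering the DH secret alone (the quantum-break scenario) yields the stage-0 keys but not SK(1), so the stage-1 keys that actually protect ESP traffic stay out of reach.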
Diversity hedge: HQC
Meta explicitly notes HQC is important as a non-lattice alternative because it "is developed based on different math than ML-KEM, which is important if weaknesses are discovered in ML-KEM or its modular lattices approach, ensuring that an alternative method for PQC protection can still be deployed to protect organizations from SNDL attacks." Defence in depth on the algorithm-family axis.
FIPS status
FIPS 203 approved August 2024. Library-level FIPS validation ongoing through 2026. ML-KEM is the FIPS-approved PQ KEM — contrast with Streamlined NTRU Prime (not FIPS-approved, the reason GitHub's US-region GHEC carved out sntrup761x25519-sha512).
Seen in
- sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga — canonical IPsec / IKEv2 instance. Cloudflare's 2026-04-30 GA of hybrid ML-KEM for Cloudflare IPsec per draft-ietf-ipsecme-ikev2-mlkem. The classical-DH-first-then-ML-KEM-second handshake shape produces the post-quantum-secure session keys for Encapsulating Security Payload (ESP) IPsec tunnel traffic. Named specifically as the NIST FIPS 203 primitive ("Cloudflare IPsec now uses post-quantum encryption with hybrid ML-KEM (FIPS 203) to stop harvest-now-decrypt-later attacks"). Interoperability verified with Cisco 8000 Series Secure Routers 26.1.1+ / Fortinet FortiOS 7.6.6+ branch connectors and with strongswan as the reference implementation. Canonical wiki instance of ML-KEM in site-to-site networking context, complementing the earlier TLS instance.
- sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson — canonical Meta statement recommending ML-KEM-768 as default, ML-KEM-512 as performance-constrained exception, with HQC as algorithmic-diversity hedge against lattice-specific attacks.
Related
- concepts/post-quantum-cryptography — umbrella concept.
- concepts/hybrid-key-encapsulation — the transition-era deployment shape combining ML-KEM with a classical KEM.
- concepts/harvest-now-decrypt-later — the threat ML-KEM rollout defeats.
- systems/ml-dsa-signature — the signature-side sibling.
- systems/hqc — the non-lattice alternative KEM.
- systems/ikev2-protocol — the key-exchange protocol carrying ML-KEM in Cloudflare's IPsec PQ rollout.
- systems/cloudflare-magic-wan-ipsec — canonical production deployment for ML-KEM in IPsec.
- systems/strongswan — reference open-source IPsec implementation supporting ML-KEM hybrid.
- systems/cisco-8000-series-secure-routers — enterprise hardware shipping ML-KEM IPsec.
- systems/fortinet-fortios — enterprise hardware shipping ML-KEM IPsec.