ML-KEM (Module-Lattice Key Encapsulation Mechanism)
What
ML-KEM is the NIST-standardised post-quantum key-encapsulation mechanism defined in FIPS 203 (August 2024). It was submitted and analysed under the name Kyber during the NIST PQC standardisation process. It is module-lattice-based: its security reduces to the hardness of module-LWE. It is designed as the general-purpose post-quantum KEM replacement for classical Diffie-Hellman and ECDH in protocols that need to establish session keys resistant to a cryptographically relevant quantum computer (CRQC). It is the KEM side of the PQC migration, complementing ML-DSA on the signature side.
(Source: sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson)
Parameter sets
NIST standardised three parameter sets trading security against size:
- ML-KEM-512 — NIST security category 1 (~AES-128 classical).
- ML-KEM-768 — NIST security category 3 (~AES-192).
- ML-KEM-1024 — NIST security category 5 (~AES-256).
Meta's stated policy (2026-04-16 migration post):
"In general we suggest teams to consider adopting ML-KEM-768 achieving NIST Security Level 3, although exceptions can be granted for ML-KEM-512 achieving NIST Security Level 1 (as endorsed by NIST PQC FAQ) in case ML-KEM-768 performance is prohibitive for a particular use case."
The Kyber-512 FAQ from NIST explicitly endorses ML-KEM-512 for performance-constrained deployments; Meta treats it as exception-only.
Typical sizes (ML-KEM-768)
- Public key: ~1.2 kB
- Ciphertext: ~1.1 kB
- Shared secret: 32 B
These are much larger than X25519 (32 B / 32 B): carrying both in a hybrid construction inflates the TLS ClientHello to ~1.2 kB and interacts with MTU assumptions.
Canonical deployments
- TLS 1.3 hybrid X25519MLKEM768 — widely deployed by browsers and CDNs since 2024 (initially as X25519Kyber768Draft00). Carries >65 % of human traffic to Cloudflare as of early 2026.
- SSH — Meta and others aim for an ML-KEM-based hybrid SSH KEX replacing Streamlined NTRU Prime once library support matures.
- Meta's internal infrastructure — ML-KEM named as the recommended PQ KEM for Meta's multi-year migration. (Source: sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson)
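A migration inventory can check captured ClientHellos for the hybrid group by reading the key_share extension. The following is an added example, not code from the source post or from any TLS library: the ClientHello bytes are constructed inline with zeroed key material, and it assumes the whole ClientHello sits in a single TLS record. The codepoints used are 0x11EC for X25519MLKEM768 and 0x6399 for the earlier X25519Kyber768Draft00.

```python
import struct

# TLS named-group codepoints; 0x6399 is the pre-standard draft codepoint.
GROUPS = {0x001D: "x25519", 0x11EC: "X25519MLKEM768", 0x6399: "X25519Kyber768Draft00"}
PQ_HYBRID = {0x11EC, 0x6399}

def key_shares(record: bytes):
    """Return [(group_id, share_len)] from the key_share extension of a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]            # skip record header (5) + handshake header (4)
    pos = 2 + 32                 # legacy_version + random
    pos += 1 + body[pos]         # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]         # legacy_compression_methods
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    shares = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0x0033:                  # key_share
            p, stop = pos + 2, pos + ext_len    # skip client_shares length
            while p + 4 <= stop:
                group, klen = struct.unpack_from("!HH", body, p)
                shares.append((group, klen))
                p += 4 + klen
        pos += ext_len
    return shares

def offers_pq_hybrid(record: bytes) -> bool:
    return any(group in PQ_HYBRID for group, _ in key_shares(record))

def build_hello(shares):
    """Constructed sample ClientHello carrying only a key_share extension."""
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    ext = struct.pack("!HHH", 0x0033, len(ks) + 2, len(ks)) + ks
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Hybrid share: 1184-byte ML-KEM-768 encapsulation key + 32-byte X25519 key.
hybrid = build_hello([(0x11EC, bytes(1184 + 32)), (0x001D, bytes(32))])
classical = build_hello([(0x001D, bytes(32))])

if __name__ == "__main__":
    for name, rec in (("hybrid", hybrid), ("classical", classical)):
        shares = [(GROUPS.get(g, hex(g)), n) for g, n in key_shares(rec)]
        print(name, len(rec), "bytes", shares, "PQ hybrid:", offers_pq_hybrid(rec))
```

A ClientHello that spans more than one record or arrives truncated needs reassembly before this parser is applied.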
Diversity hedge: HQC
Meta explicitly notes HQC is important as a non-lattice alternative because it "is developed based on different math than ML-KEM, which is important if weaknesses are discovered in ML-KEM or its modular lattices approach, ensuring that an alternative method for PQC protection can still be deployed to protect organizations from SNDL attacks." This is defence in depth on the algorithm-family axis.
FIPS status
FIPS 203 was approved in August 2024. Library-level FIPS validation is ongoing through 2026. ML-KEM is the FIPS-approved PQ KEM, in contrast with Streamlined NTRU Prime (not FIPS-approved, the reason GitHub's US-region GHEC carved out sntrup761x25519-sha512).
Seen in
- sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson — canonical Meta statement recommending ML-KEM-768 as default, ML-KEM-512 as performance-constrained exception, with HQC as algorithmic-diversity hedge against lattice-specific attacks.
Related
- concepts/post-quantum-cryptography — umbrella concept.
- concepts/hybrid-key-encapsulation — the transition-era deployment shape combining ML-KEM with a classical KEM.
- concepts/harvest-now-decrypt-later — the threat ML-KEM rollout defeats.
- systems/ml-dsa-signature — the signature-side sibling.
- systems/hqc — the non-lattice alternative KEM.