QNSP
Start building free
Why QNSP
The Quantum ImperativeWhy QNSPPQC Migration GuideCompetitive AnalysisVet PQC Vendors
Platform
Platform ArchitectureCapabilitiesUse Cases by IndustryKnowledge BaseBlogResearch
Trust
Trust HubCompliance MappingNIST ACVP ConformancePerformance BenchmarksEntropy ChainAlgorithm CatalogSystem Status
Developers
Developer HubUse CasesAI Assistants (MCP)
PricingContactStart building free

Key Encapsulation

ML-KEM

Module-Lattice-based Key Encapsulation Mechanism · FIPS 203

FIPS-finalisedlattice-based3 parameter setsQNSP tier: default+provider: nobleprovider: liboqsalso called: Kyber, CRYSTALS-Kyber, Module-LWE KEM
NIST's primary post-quantum key encapsulation standard, finalised August 2024 as FIPS 203. ML-KEM is QNSP's default KEM in every tier and powers PQC TLS key agreement, KMS-wrapped data keys, and vault secret encryption.

Mechanism

How it works

ML-KEM is built on the hardness of the Module Learning With Errors (Module-LWE) problem over polynomial rings. Encapsulation generates a 32-byte shared secret and a ciphertext that can be decapsulated only by the holder of the corresponding secret key. Parameter sets ML-KEM-512 / 768 / 1024 trade key size against security category (NIST levels 1 / 3 / 5). FIPS 203 §6.2 specifies a deterministic seed-driven Encaps_internal(ek, m) and Decaps_internal(dk, c) pair, which is exactly what NIST ACVP test vectors exercise.

Parameter Sets

3 variants shipped

Each variant trades security category against key, ciphertext, or signature size. QNSP exposes all variants via the @cuilabs/liboqs-native binding; tenant crypto-policy determines which are allowed.

VariantNIST LevelPublic KeySecret KeyCiphertextNote
ML-KEM-512L1800 B1,632 B768 BDevelopment / testing tier. Smallest key footprint.
ML-KEM-768L31,184 B2,400 B1,088 BProduction default across QNSP backend services. Recommended for hybrid PQC TLS (X25519+ML-KEM-768).
ML-KEM-1024L51,568 B3,168 B1,568 BMaximum + Government crypto policy default. Required for `government` tier.

NIST ACVP

Conformance evidence

QNSP runs the official NIST ACVP test vectors against every shipped algorithm. Live evidence + SHA-3-256 tamper digest at /verify/conformance.

@noble/post-quantum
passing
Pure-JavaScript reference; cross-verification secondary on Maximum + Government tiers.
@cuilabs/liboqs-native
passing
Native-C primary production engine. Runs across every QNSP backend service.
Both providers pass all 240 ML-KEM ACVP tests (keyGen 75 + encapsulation AFT 75 + decapsulation VAL 30 + §7.2/§7.3 key-validation 60). liboqs driven via OQS_KEM_keypair_derand + OQS_KEM_encaps_derand bindings shipped in @cuilabs/liboqs-native 0.15.1.
View live ACVP evidence →

Use Cases

When to use it

  • PQC TLS key agreement (hybrid with X25519 for production)
  • KMS-wrapped data keys (envelope encryption)
  • Vault secret-key derivation
  • PQC-encrypted object storage (SSE-X)
  • Encrypted vector search index keys

Trade-offs

What you give up, what you get

  • Smallest combined key + ciphertext footprint of the FIPS-finalised KEMs
  • Highest performance — sub-millisecond keygen / encaps / decaps on modern CPUs
  • Module-LWE security assumption is well-studied but newer than RSA / ECDH classical assumptions

FAQ

ML-KEM — frequently asked questions

Concise, source-of-truth answers to the questions buyers and engineers ask most about this algorithm.

What is ML-KEM?

ML-KEM (Module-Lattice-based Key Encapsulation Mechanism) is a lattice based post-quantum key encapsulation mechanism. It is designed to resist attacks from both classical and quantum computers, and QNSP ships 3 of its parameter sets. It is also known as Kyber, CRYSTALS-Kyber, Module-LWE KEM.

Is ML-KEM NIST-standardized?

Yes. ML-KEM is a NIST-standardized algorithm, finalized as FIPS 203. QNSP runs the official NIST ACVP test vectors against it on every release, with the live evidence and a SHA-3-256 tamper digest published at /verify/conformance.

What is ML-KEM used for?

On QNSP, ML-KEM is used for PQC TLS key agreement (hybrid with X25519 for production); KMS-wrapped data keys (envelope encryption). It is available from the default crypto-policy tier upward via the noble and liboqs providers.

References

Primary sources