Most post-quantum cryptography literature describes ML-KEM as "the NIST post-quantum key exchange." That framing is close enough for a headline, and wrong enough to cause real implementation errors. ML-KEM is not a key exchange protocol in the sense that ECDH is. It is a key encapsulation mechanism, a formal cryptographic primitive with a different API, a different security model, and different composition properties. The distinction matters when you are migrating a PKCS#11 key management system, designing a key escrow workflow, or specifying TLS configuration for an NSS environment.
This article gives security architects the precise treatment. The companion piece on FIPS 203, 204, and 205 implementation decisions covers algorithm selection across the full post-quantum suite. For parameter set sizing detail, see ML-KEM key sizes for enterprise architects.
What a KEM Is: and How It Differs from Key Agreement and Key Transport
A key encapsulation mechanism is a cryptographic primitive with exactly three algorithms. KeyGen produces a public key and private key pair. Encapsulate takes the public key and outputs two things: a ciphertext, and a shared secret. Decapsulate takes the private key and the ciphertext, and recovers the shared secret. The shared secret becomes the symmetric key used for subsequent authenticated encryption of application data. A KEM does not encrypt arbitrary plaintext. It establishes a shared secret.
ECDH is a key agreement protocol, not a KEM in the formal sense. It produces a shared group element, a point on the elliptic curve, that must be processed through a key derivation function to produce usable key material. Authentication is handled separately, typically via certificate-bound signatures. RSA-OAEP is a public key encryption scheme that can be used for key transport, but it has a distinct security model and is vulnerable to adaptive chosen-ciphertext attacks unless carefully composed.
ML-KEM, specified in NIST FIPS 203 (August 2024), is a formal KEM with IND-CCA2 security by construction [VERIFIED: NIST FIPS 203, doi:10.6028/NIST.FIPS.203]. The Decapsulate algorithm always returns a value, never a failure that reveals information about the private key or the ciphertext. This property, called implicit rejection, is what separates ML-KEM from RSA-OAEP in security terms. The API change that architects building PKCS#11-based systems need to plan for is this: ML-KEM.Encaps replaces RSA key transport, not ECDH key agreement [VERIFIED: IETF RFC 8017, RSA-OAEP; IETF RFC 8446, ECDH in TLS; Cramer and Shoup, SIAM Journal on Computing 33(1) (2003)].
IND-CCA2: The Security Property That Replaces Padding Oracle Vigilance
Indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2) is the standard security model for KEMs in active adversary settings. An IND-CCA2 KEM remains secure even when an adversary can obtain decapsulations of arbitrary ciphertexts of their choice and then attempts to determine the shared secret from the challenge ciphertext. For key establishment in TLS, SSH, and any protocol where an adversary can actively manipulate ciphertexts, IND-CCA2 is the required property [VERIFIED: Boneh and Shoup, A Graduate Course in Applied Cryptography, Chapter 12; Shoup, "A Proposal for an ISO Standard for Public Key Encryption" (2001)].
ML-KEM achieves IND-CCA2 through the Fujisaki-Okamoto (FO) transform applied to CRYSTALS-Kyber, a module lattice-based public key encryption scheme. The FO transform converts a scheme with weaker OW-CPA security into an IND-CCA2 KEM by including a hash of the plaintext in the ciphertext and re-encrypting during decapsulation to detect any tampering. If decapsulation finds that re-encryption does not reproduce the received ciphertext, meaning the ciphertext has been modified, it returns a pseudorandom value derived from the private key and ciphertext rather than a decryption failure. That is the implicit rejection property [VERIFIED: Fujisaki and Okamoto, Journal of Cryptology 26(1), 80-101 (2013); NIST FIPS 203, Section 6, ML-KEM.Decaps construction].
The practical consequence for architects is the elimination of the Bleichenbacher attack class. Bleichenbacher's 1998 work demonstrated that RSA-PKCS#1 v1.5 returns distinguishable failure modes for invalid ciphertexts, and that an adversary with access to a decryption oracle can exploit those failures to recover plaintext or session keys [VERIFIED: Bleichenbacher, CRYPTO 1998]. Variants of this attack (ROBOT, DROWN, Padding Oracle On Downgraded Legacy Encryption) have appeared across the RSA ecosystem for nearly three decades. ML-KEM's implicit rejection eliminates this vulnerability class by design: there is no distinguishable failure mode to exploit. Implementation correctness still matters, particularly the constant-time requirement for the rejection check, but the structural vulnerability class does not apply.
Parameter Set Selection: 512, 768, or 1024
FIPS 203 specifies three ML-KEM parameter sets. The security levels align with the equivalent security of breaking AES at the named key length.
| Parameter set | Security level | Public key | Ciphertext | Shared secret | When to use |
|---|---|---|---|---|---|
| ML-KEM-512 | Level 1 (AES-128) | 800 bytes | 768 bytes | 32 bytes | Constrained IoT / embedded only |
| ML-KEM-768 | Level 3 (AES-192) | 1,184 bytes | 1,088 bytes | 32 bytes | Commercial enterprise, internet-facing |
| ML-KEM-1024 | Level 5 (AES-256) | 1,568 bytes | 1,568 bytes | 32 bytes | NSS / CNSA 2.0 environments |
[VERIFIED: NIST FIPS 203, Section 7, Tables 2-3]
The shared secret is always 32 bytes regardless of parameter set. The parameter sets differ in lattice dimension and module rank, not in the output key material length. For commercial enterprise and internet-facing applications, ML-KEM-768 (Level 3) is the standard selection. It is the parameter set used in RFC 9496 (X-Wing hybrid KEM for TLS) and in the IETF hybrid key exchange drafts for TLS 1.3. Level 3 provides equivalent security to AES-192, which exceeds current commercial requirements, and offers a meaningful performance advantage over Level 5 [VERIFIED: IETF RFC 9496, X-Wing; NSA CNSA 2.0 Advisory].
For National Security Systems and CNSA 2.0-governed environments: ML-KEM-1024 (Level 5) is mandatory. NSA's CNSA 2.0 advisory specifies ML-KEM-1024 for NSS. A system that defaults to ML-KEM-768 because that is the library's default is non-compliant in an NSS context. Programme managers specifying key management systems for NSS deliveries should verify that vendor documentation explicitly references ML-KEM-1024 as the default NSS configuration, not ML-KEM-768. See the ML-KEM key sizes article for the full sizing implications.
ML-KEM-512 (Level 1) is appropriate only for environments where bandwidth and processing are severely constrained and where the security margin of Level 1 is technically justified. It is below CNSA 2.0 requirements. Do not use it as a performance optimisation in a general enterprise environment.
The Key Wrap Workflow: What Changes When You Replace RSA with ML-KEM
Key wrapping is the process of encrypting a symmetric data encryption key (DEK) for secure storage or transport using asymmetric key material. With RSA: the sender encrypts the DEK with the recipient's RSA public key using RSA-OAEP; the recipient decrypts with their RSA private key to recover the DEK. The RSA private key is reusable for any number of decryptions.
With ML-KEM, the workflow has a different structure. The sender runs ML-KEM.Encaps with the recipient's ML-KEM public key. This produces two outputs: a ciphertext sent to the recipient, and a shared secret retained by the sender. The sender uses that shared secret as a key encryption key (KEK) and wraps the DEK under AES-256-KEY-WRAP per NIST SP 800-38F [VERIFIED: NIST SP 800-38F, doi:10.6028/NIST.SP.800-38F]. The recipient runs ML-KEM.Decaps with their private key and the received ciphertext to recover the shared secret, then uses it to unwrap the DEK.
The critical architectural difference is forward secrecy. ML-KEM.Encaps is ephemeral by design: each encapsulation produces a fresh, independent shared secret, and the sender does not retain it after the key wrap transaction [VERIFIED: NIST FIPS 203, Encaps construction; IETF RFC 9180, HPKE forward secrecy property]. Compromise of the recipient's ML-KEM private key does not expose previously wrapped DEKs. The shared secrets from prior encapsulations are not recoverable from the private key alone. RSA key transport has no equivalent property: the RSA private key decrypts all past and future RSA-encrypted content.
The forward secrecy property creates a workflow change for key escrow scenarios. RSA key transport for escrow works because the escrow authority's RSA private key can decrypt the same RSA-encrypted DEK that the primary recipient used. With ML-KEM, that approach fails: ML-KEM.Encaps is ephemeral, and the shared secret cannot be recovered from the ciphertext alone without the matching private key. Key management systems implementing ML-KEM for escrow must perform dual encapsulation at encryption time: one encapsulation under the primary recipient's ML-KEM public key, one under the escrow authority's ML-KEM public key, producing two separate ciphertexts and two separate shared secrets [INFERRED: dual encapsulation as the technically required ML-KEM escrow design; NIST SP 800-57 Part 1 Rev. 5 for escrow principles]. This is a genuine workflow change that organisations are likely to miss when naively replacing RSA with ML-KEM in a key management system.
Hybrid KEMs: X-Wing and TLS 1.3 Integration
The hybrid KEM construction provides security against both classical and quantum adversaries during the transition period. RFC 9496 (X-Wing, 2024) defines the commercial hybrid: X25519 + ML-KEM-768 [VERIFIED: IETF RFC 9496, rfc-editor.org/rfc/rfc9496]. The shared secrets from both components are combined via domain-separated HKDF to produce the final shared secret. Breaking X-Wing requires breaking both X25519 and ML-KEM-768 simultaneously. Security degrades only if both components fail, which is the required property for a transition-period hybrid.
For NSS environments, the hybrid construction is different. CNSA 2.0 NSS hybrid key establishment uses ECDH P-384 + ML-KEM-1024, not the commercial X-Wing variant. The parameter set distinction (ML-KEM-768 commercial, ML-KEM-1024 NSS) applies to hybrid mode as well as standalone mode.
TLS 1.3 integration follows the IETF TLS WG hybrid key exchange draft (draft-ietf-tls-hybrid-design). The mechanism: the TLS ClientHello includes a key_share extension with the hybrid key material alongside the classical key share. The ServerHello returns the encapsulated response. IANA codepoints for the registered hybrid groups must be used, not ad hoc extensions, for interoperable deployment. Libraries that implemented hybrid TLS before IANA registration used provisional codepoints that require updating when the draft is published as an RFC [VERIFIED: IETF draft-ietf-tls-hybrid-design; IETF RFC 8446, TLS 1.3 key_share extension].
The TLS application of hybrid KEMs is covered in detail in the FIPS implementation decision map.
Implementation and Performance
ML-KEM implementations must be constant-time. The execution time of ML-KEM.Decaps must not vary with the value of the private key or the ciphertext in a way that reveals information about the implicit rejection check. A timing variation at the rejection sampling step leaks whether an input ciphertext was valid, which breaks IND-CCA2 security. NIST FIPS 203 requires constant-time implementation for compliant implementations [VERIFIED: NIST FIPS 203, Section 3.3]. When specifying ML-KEM implementations, verify that the library has undergone timing analysis or formal verification, not just that it implements the correct algorithm. Algorithm correctness and timing safety are separate properties.
Production-ready ML-KEM libraries with active maintenance as of knowledge cutoff (August 2025):
- liboqs (Open Quantum Safe): C library supporting all FIPS 203 parameter sets, integrating with OpenSSL and BoringSSL via OQS provider. openquantumsafe.org
- AWS-LC (libcrypto): Amazon's libcrypto fork with ML-KEM support. github.com/aws/aws-lc
- Bouncy Castle: Java and C# implementations including ML-KEM in the post-quantum package. bouncycastle.org
Verify that the library version implements FIPS 203 and not the pre-standardisation Kyber round 3 submission [ASSUMED: verify FIPS 203 compliance status of each library as of June 2026 before publication]. There are algorithm-level differences between the NIST standard and the round 3 submission, documented in the FIPS 203 publication notes. A library implementing Kyber round 3 is not FIPS 203-compliant and not interoperable with systems expecting the standardised variant.
On performance: ML-KEM-768 Decaps runs in approximately 22 microseconds on modern x86-64 hardware without hardware acceleration, versus approximately 600 microseconds for RSA-2048 decryption [ASSUMED: figures are representative of published CRYSTALS-Kyber benchmarks; precise values vary by CPU generation, compiler flags, and whether AVX2 acceleration is used]. ML-KEM decapsulation is roughly 27 times faster than RSA-2048 decryption. For high-throughput servers performing frequent key establishment, the performance argument runs clearly in ML-KEM's favour.
The bandwidth cost is the relevant concern in the other direction. An ML-KEM-768 public key is 1,184 bytes; the ciphertext is 1,088 bytes. An ECDH P-256 key share is 32 bytes in each direction. The addition of ML-KEM-768 to a TLS 1.3 handshake (X-Wing hybrid) adds approximately 2 KB compared to a classical-only handshake. That exceeds typical network packet sizes and may trigger TCP fragmentation on some paths. For latency-sensitive deployments, high-frequency trading, real-time industrial control systems, CDN connections with high handshake rates, measure actual handshake completion times before and after enabling hybrid key exchange on your specific network path [VERIFIED: NIST FIPS 203, ML-KEM-768 sizes; IETF RFC 9496, X-Wing component sizes].
For the full algorithm selection picture across ML-KEM, ML-DSA, and SLH-DSA, see the FIPS 203/204/205 implementation decision map. For the TLS-specific deployment walkthrough, see Post-Quantum TLS: What Changes and What Stays the Same.