ML-KEM
- Algorithm type: Key encapsulation mechanism.
- Main cryptographic assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1).
- Principal submitters: Peter Schwabe.
- Auxiliary submitters: Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, Damien Stehlé.
- Authors’ website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
- Specification version: ML-KEM.
- Primary Source:
- Source: https://github.com/pq-crystals/kyber/commit/10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd with copy_from_upstream patches
- Implementation license (SPDX-Identifier): CC0-1.0 or Apache-2.0
Parameter set summary
| Parameter set | Parameter set alias | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
|---|---|---|---|---|---|---|---|
| ML-KEM-512 | NA | IND-CCA2 | 1 | 800 | 1632 | 768 | 32 |
| ML-KEM-768 | NA | IND-CCA2 | 3 | 1184 | 2400 | 1088 | 32 |
| ML-KEM-1024 | NA | IND-CCA2 | 5 | 1568 | 3168 | 1568 | 32 |
ML-KEM-512 implementation characteristics
| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
|---|---|---|---|---|---|---|---|
| Primary Source | ref | All | All | None | True | True | False |
| Primary Source | avx2 | x86_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
‡For an explanation of what this denotes, consult the Explanation of Terms section at the end of this file.
ML-KEM-768 implementation characteristics
| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
|---|---|---|---|---|---|---|---|
| Primary Source | ref | All | All | None | True | True | False |
| Primary Source | avx2 | x86_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
ML-KEM-1024 implementation characteristics
| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
|---|---|---|---|---|---|---|---|
| Primary Source | ref | All | All | None | True | True | False |
| Primary Source | avx2 | x86_64 | Linux,Darwin | AVX2,BMI2,POPCNT | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
Explanation of Terms
- Large Stack Usage: Implementations identified as having such may cause failures when running in threads or in constrained environments.