Generate a Kyber key pair, then encrypt and decrypt via this form

Kyber Key Pair Generation (Post-Quantum)
Encrypt with Public Key (Hybrid: Kyber + AES)
Decrypt with Private Key
How to Use Kyber (ML-KEM)

1. Generate quantum-resistant key pair → 2. Encrypt text using public key → 3. Decrypt with private key.

Kyber (ML-KEM): NIST-Standardized Post-Quantum KEM

Lattice-based key encapsulation for the quantum era

Introduction

Kyber — now officially standardized as ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) — is a post-quantum cryptographic algorithm selected by NIST in 2022 and formally published in FIPS 203 in August 2024.

Designed to replace classical Diffie-Hellman (ECDH) in a future where quantum computers can break RSA and ECC using Shor's algorithm, Kyber provides secure key exchange based on the hardness of lattice problems — believed to resist both classical and quantum attacks.

NIST PQC Standard: ML-KEM is the only KEM standardized for general encryption in the first round of NIST Post-Quantum Cryptography Standardization.

What is a KEM?

Key Encapsulation Mechanism (KEM) is a modern primitive for secure key exchange:

  1. Receiver generates a public key \( pk \)
  2. Sender uses \( pk \) to encapsulate a random shared secret \( K \)
  3. Receiver uses private key \( sk \) to decapsulate and recover \( K \)
  4. Both parties now share \( K \) for symmetric encryption (e.g., AES-GCM)

Kyber is an IND-CCA2 secure KEM — the gold standard for key exchange.

Mathematical Foundation: Module-LWE

Kyber is based on the Module Learning With Errors (Module-LWE) problem over polynomial rings.

\( A \in \mathbb{Z}_q^{k \times k}[x]/(x^n + 1) \)
\( \mathbf{s}, \mathbf{e} \leftarrow \chi^k \)
\( \mathbf{t} = A \cdot \mathbf{s} + \mathbf{e} \mod q \)

Given \( (A, \mathbf{t}) \), find \( \mathbf{s} \) — this is Module-LWE.

Key Parameters

| Parameter | Kyber-512 | Kyber-768 | Kyber-1024 |
|---|---|---|---|
| Security Level | 128-bit (NIST Level 1) | 192-bit (NIST Level 3) | 256-bit (NIST Level 5) |
| k (module rank) | 2 | 3 | 4 |
| n (degree) | 256 | 256 | 256 |
| q (modulus) | 3329 | 3329 | 3329 |
| η (noise) | 3 | 2 | 2 |

Algorithm Overview

1. Key Generation

Input: security parameter
Output: (pk, sk)

1. A ← random matrix in R_q^{k×k}
2. s ← CBD_η^k        (centered binomial distribution)
3. e ← CBD_η^k
4. t := A·s + e
5. pk := (t, A) encoded
6. sk := s encoded
Return (pk, sk)

2. Encapsulation (Sender)

Input: pk = (t, A)
Output: (c, K)

1. m ← {0,1}^256
2. r, e1 ← CBD_η^k;  e2 ← CBD_η
3. u := A^T · r + e1
4. v := t^T · r + e2 + Decompress(m)
5. c := (u, v) compressed
6. K := H(m || c)
Return (c, K)

3. Decapsulation (Receiver)

Input: sk = s, c = (u, v)
Output: K

1. m' := v - s^T · u
2. m' := Compress/Decompress to recover m
3. K := H(m' || c)
Return K

FO Transform: Kyber uses Fujisaki-Okamoto to achieve IND-CCA2 from weaker IND-CPA security.
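
The three steps above in runnable form, as an added Python example that is not code from this page or from any Kyber library: it uses the page's reduced demo parameters (n=32, q=769) with k=2 and η=2, so it is for study only and offers no security. Assumptions: SHA3-256 stands in for H, `repr` serves as the encoding of (m, c), ciphertext compression is skipped, and the Fujisaki-Okamoto re-encryption check is left out as in the simplified steps above, so this is only the IND-CPA core.

```python
import hashlib
import secrets

# Toy sizes (the page's demo values n=32, q=769); k and eta are assumptions. NOT secure.
N, Q, K, ETA = 32, 769, 2, 2
rng = secrets.SystemRandom()

def cbd():  # one polynomial with centered-binomial (CBD_eta) coefficients in [-ETA, ETA]
    return [sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(ETA)) for _ in range(N)]

def add(a, b):  # coefficient-wise sum mod q
    return [(x + y) % Q for x, y in zip(a, b)]

def mul(a, b):  # schoolbook product in Z_q[x]/(x^N + 1): x^N wraps around as -1
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            sign = -1 if i + j >= N else 1
            out[(i + j) % N] = (out[(i + j) % N] + sign * x * y) % Q
    return out

def dot(u, v):  # inner product of two length-K vectors of polynomials
    acc = [0] * N
    for a, b in zip(u, v):
        acc = add(acc, mul(a, b))
    return acc

def H(m, c):  # K := H(m || c); SHA3-256 over repr() is this example's stand-in encoding
    return hashlib.sha3_256(repr((m, c)).encode()).digest()

def keygen():
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(K)] for _ in range(K)]
    s, e = [cbd() for _ in range(K)], [cbd() for _ in range(K)]
    t = [add(dot(A[i], s), e[i]) for i in range(K)]            # t = A·s + e
    return (t, A), s

def encaps(pk):
    t, A = pk
    m = [rng.getrandbits(1) for _ in range(N)]                 # one message bit per coefficient
    r = [cbd() for _ in range(K)]
    u = [add(dot([row[j] for row in A], r), cbd()) for j in range(K)]    # u = A^T·r + e1
    v = add(add(dot(t, r), cbd()), [bit * ((Q + 1) // 2) for bit in m])  # t^T·r + e2 + m·q/2
    return (u, v), H(m, (u, v))

def decaps(sk, c):
    u, v = c
    noisy = add(v, [-x for x in dot(sk, u)])                   # v - s^T·u = m·q/2 + small noise
    m = [1 if Q // 4 < x < 3 * Q // 4 else 0 for x in noisy]   # round each coefficient to 0 or q/2
    return H(m, c)
```

Decapsulation works because v - s^T·u leaves m·q/2 plus the small term e^T·r + e2 - s^T·e1, which stays well below q/4 at these sizes.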

Parameter Sets (FIPS 203)

| ML-KEM Variant | Kyber Equivalent | Security | pk Size | sk Size | Ciphertext |
|---|---|---|---|---|---|
| ML-KEM-512 | Kyber-512 | 128-bit | 800 B | 1632 B | 768 B |
| ML-KEM-768 | Kyber-768 | 192-bit | 1184 B | 2400 B | 1088 B |
| ML-KEM-1024 | Kyber-1024 | 256-bit | 1568 B | 3168 B | 1568 B |

Recommended: ML-KEM-768 for most applications.

Security Analysis

| Attack | Resistance |
|---|---|
| Shor's Algorithm | Secure (no exponential speedup) |
| Grover's Algorithm | Only quadratic speedup → 256-bit → 128-bit security |
| Lattice Attacks | Best known: ~2^140 for Kyber-512 (2025) |
| Side-Channel | Requires masking in embedded systems |

Conservative Design: Kyber parameters exceed estimated quantum attack costs.

Performance (2025 Benchmarks)

| Operation | ML-KEM-768 (x86-64) | ECDH (X25519) |
|---|---|---|
| KeyGen | ~18,000 cycles | ~14,000 cycles |
| Encaps | ~22,000 cycles | ~15,000 cycles |
| Decaps | ~25,000 cycles | ~15,000 cycles |

~2–3× slower than ECC, but quantum-secure.

Implementation: libpqcrypto / OpenQuantumSafe

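// ML-KEM-768 Example (C)
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include "api.h"   // NIST KEM API header shipped with the implementation

int main(void)
{
    uint8_t pk[CRYPTO_PUBLICKEYBYTES];
    uint8_t sk[CRYPTO_SECRETKEYBYTES];
    uint8_t ct[CRYPTO_CIPHERTEXTBYTES];
    uint8_t key_a[CRYPTO_BYTES], key_b[CRYPTO_BYTES];

    // Receiver: generate the key pair (each call returns 0 on success)
    if (crypto_kem_keypair(pk, sk) != 0) return 1;
    // Sender: encapsulate a fresh shared secret under pk
    if (crypto_kem_enc(ct, key_a, pk) != 0) return 1;
    // Receiver: decapsulate the ciphertext with sk
    if (crypto_kem_dec(key_b, ct, sk) != 0) return 1;

    // Both sides must now hold the same shared secret
    assert(memcmp(key_a, key_b, CRYPTO_BYTES) == 0);
    return 0;
}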

Libraries: OQS, pqcrypto, circl (Go), liboqs

Hybrid Cryptography (Recommended)

Combine classical + post-quantum for future-proofing:

Shared Key = X25519(Kyber-768(m)) || Kyber-768(m)

Used in TLS 1.3, Signal, Cloudflare.

Warning: Demo uses reduced parameters (n=32, q=769) for visualization. Use full ML-KEM in production.

Future: Migration Timeline

  • 2025–2027: Hybrid deployment (ECC + Kyber)
  • 2028–2030: PQC-only in high-security systems
  • 2030+: Full migration

Start migrating now — NIST recommends hybrid mode today.

Conclusion

Kyber (ML-KEM) is the first standardized post-quantum KEM and represents the future of secure key exchange.

Its lattice-based design, efficient performance, and conservative parameters make it the top choice for quantum-resistant cryptography.

Key Takeaways:

  • Use ML-KEM-768 for 192-bit security
  • Deploy in hybrid mode with X25519
  • Use FIPS 203 compliant libraries
  • Begin migration today

References

  1. FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (2024)
  2. CRYSTALS-Kyber Submission to NIST PQC (v3.0)
  3. D. J. Bernstein et al., "Kyber: A CCA-Secure Module-LWE KEM"
  4. pq-crystals.org/kyber
  5. Open Quantum Safe (OQS)