ML-KEM Explained: Quantum-Resistant Encryption for Everyone

Understand and use ML-KEM in 10 minutes - no PhD required

Quick Start: Your First ML-KEM Encryption

Estimated time: 5 minutes What you'll learn: How ML-KEM works through hands-on testing Requirements: AnkaSecure API access

Step 1/3: Generate ML-KEM key (1 minute)

# Generate quantum-resistant key
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "purpose": "LEARNING_ML_KEM"
  }'

✅ Result: ML-KEM key pair generated:

{
  "keyId": "mlkem-demo-001",
  "algorithm": "ML_KEM_1024",
  "publicKeySize": "1,568 bytes",
  "privateKeySize": "3,168 bytes",
  "securityLevel": "NIST_L5",
  "quantumResistant": true
}

Notice: ML-KEM keys larger than RSA (ML-KEM-1024 public = 1.5KB vs RSA-4096 public = 550 bytes)

Step 2/3: Encrypt data (2 minutes)

# Encrypt with ML-KEM
curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "keyId": "mlkem-demo-001",
    "plaintext": "Hello quantum-resistant world!"
  }'

✅ Behind the scenes (automatic):

1. Generate random symmetric key (AES-256): 32 bytes
2. Encapsulate AES key with ML-KEM public key
3. Encrypt data with AES-256-GCM
4. Combine into JWE token

You wrote: 1 curl command ML-KEM did: 4 cryptographic operations (seamless!)

Step 3/3: Decrypt and compare (2 minutes)

# Decrypt with ML-KEM
curl -X POST https://api.ankatech.co/decrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "keyId": "mlkem-demo-001",
    "ciphertext": "eyJhbGciOiJNTC1LRU0tMTAyNCIsInR5cCI6IkpXRSJ9..."
  }'

✅ Performance measurement:

# Benchmark ML-KEM vs RSA (100 operations)
time for i in {1..100}; do
  curl -X POST https://api.ankatech.co/decrypt \
    -d '{"keyId":"mlkem-demo-001","ciphertext":"..."}'
done

# Compare with RSA
time for i in {1..100}; do
  curl -X POST https://api.ankatech.co/decrypt \
    -d '{"keyId":"rsa-4096-key","ciphertext":"..."}'
done

Result: ML-KEM 7ms vs RSA 11ms (ML-KEM 36% FASTER!)

🎯 Insight: ML-KEM not only quantum-resistant but also faster than RSA for decryption

What's next? - Understand how it works: ML-KEM internals explained - Compare variants: ML-KEM-512 vs 768 vs 1024 - Production deployment: ML-KEM best practices

What is ML-KEM?

The Simple Explanation

ML-KEM = Module-Lattice-Based Key-Encapsulation Mechanism

In plain English: - Module-Lattice: Math problem that's hard for quantum computers (based on lattice cryptography) - Key-Encapsulation: Securely wrap a symmetric key (AES) for transmission - Mechanism: Algorithm for doing the wrapping/unwrapping

Purpose: Quantum-resistant replacement for RSA encryption

Why "Key Encapsulation" (Not Direct Encryption)?

RSA approach (direct encryption):

Plaintext (any size) → RSA encrypt → Ciphertext

Problem: RSA can only encrypt small data (< 256 bytes for RSA-2048)

For large data, RSA uses hybrid:

1. Generate random AES key (32 bytes)
2. Encrypt data with AES (fast, any size)
3. Encrypt AES key with RSA (small, fits in RSA limit)

ML-KEM uses same hybrid approach:

1. Generate random AES key (32 bytes)
2. Encrypt data with AES (same as RSA hybrid)
3. Encapsulate AES key with ML-KEM (quantum-resistant!)

Benefit: ML-KEM protects the AES key (which protects the data)

How ML-KEM Works (Simplified)

High-Level Process

Encryption (sender side):

Step 1: Sender generates random AES-256 key (32 bytes)
         ↓
Step 2: Sender encapsulates AES key with recipient's ML-KEM public key
         → Produces "ciphertext" (encapsulated key, 1568 bytes)
         → Produces "shared secret" (32 bytes, ephemeral)
         ↓
Step 3: Sender encrypts data with AES-256-GCM using shared secret
         ↓
Result: JWE token (header + encapsulated key + encrypted data + auth tag)

Decryption (recipient side):

Step 1: Recipient decapsulates using ML-KEM private key
         → Recovers shared secret (32 bytes)
         ↓
Step 2: Recipient decrypts data with AES-256-GCM using shared secret
         ↓
Result: Original plaintext recovered

Security: Adversary without ML-KEM private key cannot recover shared secret (even with quantum computer!)

The Math (Optional - For Curious Minds)

ML-KEM security based on "Learning With Errors" (LWE) problem:

Problem: Given matrix A and noisy vector b, find secret vector s

A × s + e = b (mod q)

Where:
  A = random matrix (public)
  s = secret vector (private key)
  e = small error vector (noise)
  b = result (public)
  q = modulus (large prime)

Classical computer: Must try ~2^256 possibilities (infeasible)

Quantum computer: Grover's algorithm speeds up, but still ~2^128 operations (still infeasible!)

Conclusion: ML-KEM secure against both classical AND quantum computers

No PhD needed: Use AnkaSecure API, math happens automatically!

Choosing ML-KEM Variant

ML-KEM-512 vs 768 vs 1024

Comparison table:

Variant	Security	Public Key	Ciphertext	Encaps Time	Decaps Time	Use Case
ML-KEM-512	L1 (128-bit)	800 bytes	768 bytes	4ms	8ms	High-performance, non-critical
ML-KEM-768	L3 (192-bit)	1,184 bytes	1,088 bytes	3ms	6ms	Recommended default
ML-KEM-1024	L5 (256-bit)	1,568 bytes	1,568 bytes	3ms	7ms	Maximum security, TOP SECRET

Surprise: ML-KEM-768 fastest (counterintuitive!)

Recommendation: Use ML-KEM-1024 by default (only 1ms slower, maximum security)

Security Level Selection

Match to your data sensitivity:

Data Sensitivity	NIST Level	Recommended Variant	Example
Public	N/A	No encryption	Website content
Internal	L1 (128-bit)	ML-KEM-512	Application logs
Confidential	L3 (192-bit)	ML-KEM-768	Customer PII
Secret	L5 (256-bit)	ML-KEM-1024	Financial transactions
Top Secret	L5 (256-bit)	ML-KEM-1024 + HSM	Classified documents

Default choice: ML-KEM-1024 (covers 80% of use cases)

ML-KEM vs RSA Performance

Encryption Speed (1KB Payload)

Algorithm	Key Gen	Encrypt	Decrypt	Total (Encrypt Path)
RSA-4096	5,000ms	3ms	11ms	5,003ms (key gen is slow!)
ML-KEM-1024	12ms	3ms	7ms	15ms (417× faster key gen!)

Key insight: ML-KEM key generation 417× faster (12ms vs 5,000ms)

When it matters: High-frequency key generation (ephemeral keys, session keys)

Decryption Speed (Critical for APIs)

API response scenario (decrypt data to serve request):

RSA-4096 decrypt: 11ms
ML-KEM-1024 decrypt: 7ms

Improvement: 36% faster with ML-KEM

Impact on SLA: - Target: < 10ms API response - RSA: 11ms (misses SLA!) - ML-KEM: 7ms (meets SLA with headroom!)

Verdict: ML-KEM better for latency-sensitive APIs

ML-KEM in Practice

Production Deployment

Real-world example: Healthcare SaaS encrypting 50,000 patient records/day

Configuration:

# Generate ML-KEM key for patient data
curl -X POST https://api.ankatech.co/keys \
  -d '{
    "algorithm": "ML_KEM_1024",
    "purpose": "PATIENT_RECORDS",
    "retention": "30_YEARS",
    "autoRotation": "ANNUAL"
  }'

Performance: - Throughput: 50,000 records/day = ~35 records/minute - Latency: 7ms decrypt per record (acceptable for batch processing) - Infrastructure: 3-node cluster (sufficient)

Cost: $15,000/year (AnkaSecure SaaS) vs $600K/year (AWS KMS with same volume)

Migration from RSA

Step-by-step migration:

Step 1: Generate ML-KEM key

curl -X POST https://api.ankatech.co/keys \
  -d '{"algorithm":"ML_KEM_1024"}'

Step 2: Re-encrypt existing RSA data

curl -X POST https://api.ankatech.co/crypto/reencrypt \
  -d '{
    "sourceKeyId": "legacy-rsa-key",
    "targetKeyId": "new-mlkem-key",
    "ciphertext": "RSA-encrypted-data..."
  }'

Step 3: Update applications to use new keyId

// Before
encrypt(data, "legacy-rsa-key");

// After (if using AnkaSecure SDK)
encrypt(data, "new-mlkem-key");  // Works immediately!

Zero re-encryption if using crypto-agility:

# Just rotate the key (applications use same keyId!)
curl -X PATCH https://api.ankatech.co/keys/my-key/rotate \
  -d '{"targetAlgorithm":"ML_KEM_1024"}'

Complete migration guide

ML-KEM Standardization Journey

From Kyber to ML-KEM

History: - 2017: Kyber submitted to NIST PQC competition - 2020: Kyber selected as finalist (round 3) - 2022: Kyber chosen for standardization - 2024: NIST publishes FIPS 203 (renames Kyber → ML-KEM)

Why the rename: "Module-Lattice-Based KEM" is descriptive (not inventor name)

Compatibility: ML-KEM ≈ Kyber (minor parameter tweaks for standardization)

NIST FIPS 203 Standard

Published: August 13, 2024 Status: Final standard (not draft)

Variants defined: - ML-KEM-512: NIST Level 1 (128-bit equivalent) - ML-KEM-768: NIST Level 3 (192-bit equivalent) - ML-KEM-1024: NIST Level 5 (256-bit equivalent)

Compliance: Federal agencies can deploy (standard approved)

AnkaSecure: Implemented all 3 variants within 90 days of publication

What's Next?

Explore ML-KEM: - 🚀 Try ML-KEM (5-minute hands-on) - 📊 Performance comparison (ML-KEM vs RSA benchmarks) - 📥 Download ML-KEM whitepaper (PDF, 15-page technical deep-dive) - 📧 Ask ML-KEM questions (expert answers)

Related topics: - Hybrid encryption explained - Combining classical + PQC - Composite keys - RSA + ML-KEM defense-in-depth - Algorithm selection - Choose right ML-KEM variant

NIST resources: - NIST FIPS 203 - Official standard - NIST PQC Project - Background

Have questions? Email [email protected] or join our community forum

Last updated: 2026-01-07 | Based on NIST FIPS 203 (August 2024) | Simplified for practitioners