August 14, 2024: a turning point for cryptography

On August 14, 2024, the National Institute of Standards and Technology (NIST) published three cryptographic standards designed to resist attacks from future quantum computers. FIPS 203 defines ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), a key encapsulation mechanism derived from CRYSTALS-Kyber. FIPS 204 standardizes ML-DSA (Module-Lattice-Based Digital Signature Algorithm), a digital signature algorithm derived from CRYSTALS-Dilithium. FIPS 205 introduces SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), a hash-based signature scheme derived from SPHINCS+ whose security depends only on the underlying hash function. These three publications mark the culmination of a selection process launched with NIST's call for proposals in December 2016 and are the first finalized standards a product can be certified against in response to the quantum threat.

What is ML-KEM?

ML-KEM is a key encapsulation mechanism derived from CRYSTALS-Kyber, the KEM selected at the end of the third round of NIST's post-quantum standardization process. A KEM consists of three algorithms. Key generation produces an encapsulation key (public) and a decapsulation key (private). Encapsulation takes the public key and outputs two things at once: a ciphertext to transmit and a 32-byte shared secret that is never itself sent over the network. Decapsulation takes the private key and the ciphertext and recovers the same shared secret. Note that the sender does not pick a secret and encrypt it, as with RSA key transport; both sides derive the secret from fresh randomness that the ciphertext commits to. ML-KEM obtains IND-CCA2 security through a Fujisaki-Okamoto transform with implicit rejection, which has a practical consequence: decapsulating a malformed or tampered ciphertext of the correct length does not return an error but a pseudorandom key, so a mismatch only surfaces when the key is first used, typically as an AEAD authentication failure. The shared secret is then fed to a key derivation function to produce the symmetric keys that protect the session.

The MLWE problem: mathematical security

ML-KEM's security rests on the MLWE (Module Learning With Errors) problem, a structured variant of LWE (Learning With Errors). Informally, the public key is a pair (A, t) where A is a uniformly random k×k matrix over the polynomial ring Z_q[X]/(X^256 + 1) with q = 3329, and t = A·s + e, where the secret s and the error e have small coefficients; ML-KEM-512, -768 and -1024 use k = 2, 3 and 4 respectively. Recovering s from (A, t), or even distinguishing t from a uniformly random vector, is believed to be computationally hard, including for a quantum computer. Unlike integer factorization (RSA) or discrete logarithms on elliptic curves (ECDH), no known quantum algorithm solves MLWE substantially faster than the best classical lattice-reduction attacks. Lattice problems have been studied as a cryptographic foundation since the 1990s and LWE since Regev introduced it in 2005, so ML-KEM rests on close to two decades of focused cryptanalysis.

Three security levels

ML-KEM comes in three parameter sets corresponding to increasing security levels. ML-KEM-512 targets NIST security category 1 (comparable to brute-forcing AES-128), with 800-byte encapsulation keys, 1,632-byte decapsulation keys and 768-byte ciphertexts. ML-KEM-768 targets category 3 (AES-192), with 1,184-byte encapsulation keys, 2,400-byte decapsulation keys and 1,088-byte ciphertexts. ML-KEM-1024 targets category 5 (AES-256), with 1,568-byte encapsulation keys, 3,168-byte decapsulation keys and 1,568-byte ciphertexts. In all three, the shared secret is 32 bytes, and an implementation may store only the 64-byte seed from which the decapsulation key is re-derived. For comparison, an X25519 public key is 32 bytes, so a hybrid TLS handshake grows by roughly one kilobyte in each direction (encapsulation key one way, ciphertext the other). That remains a modest cost on modern networks, and far below the hundreds of kilobytes of a Classic McEliece public key.

Why replace RSA and ECDH?

RSA and ECDH key exchanges, which currently protect virtually all digital communications, rely respectively on the difficulty of factoring large integers and of computing discrete logarithms on elliptic curves. In 1994, Peter Shor showed that a sufficiently large quantum computer could solve both problems in polynomial time, which would render these algorithms useless. The "harvest now, decrypt later" threat means an adversary can record encrypted traffic today and decrypt it once such a machine exists, so data whose confidentiality must last a decade or more is already at risk. ML-KEM is not affected by Shor's algorithm because that algorithm exploits the periodic structure of factoring and discrete logarithms (instances of the abelian hidden subgroup problem), a structure that MLWE does not have; no comparable quantum speed-up is known for lattice problems. Migrating key exchange to ML-KEM is therefore a necessary precaution now, well before an operational cryptographically relevant quantum computer.

Advantages over other PQC candidates

Throughout the NIST selection process, ML-KEM stood out for its balance between key size, speed, and maturity of security analysis. The code-based alternatives kept in NIST's fourth round present different trade-offs. BIKE and HQC, based on error-correcting codes, have public keys and ciphertexts of a few kilobytes at security category 1, roughly two to six times larger than ML-KEM-512's, and slower encapsulation and decapsulation. Classic McEliece, based on binary Goppa codes, builds on a construction that has resisted structural attacks since 1978 and produces very small ciphertexts (around 100 to 200 bytes), but its public keys run from roughly 260 KB to 1.3 MB, making it impractical wherever the public key must be sent per connection. ML-KEM represents the best available trade-off between performance, compactness, and cryptographic confidence, which explains its selection as the primary standard.

ANSSI and BSI recommendations

The French National Cybersecurity Agency (ANSSI) and the German Federal Office for Information Security (BSI) have published a joint position on the post-quantum transition. Their recommendation is that deployments use ML-KEM-768 at minimum, and ML-KEM-1024 for the most sensitive data. During the transition period, hybrid mode is required. This means running a classical key exchange (typically X25519 or ECDH P-384) alongside an ML-KEM exchange and deriving the session key from both shared secrets through a key derivation function, so that the session key stays unpredictable as long as either mechanism remains unbroken: the classical component covers the risk of an undiscovered flaw in the young lattice scheme or its implementations, the post-quantum component covers the quantum threat. This cautious approach provides post-quantum protection without giving up the confidence built over decades in the classical algorithms.
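The KEM flow described under "What is ML-KEM?" and the hybrid construction recommended here, as an added example that is not part of the original article or of any Cryptosphere product: a Go program that runs an X25519 + ML-KEM-768 exchange with Go's standard library (crypto/mlkem and crypto/hkdf, both available from Go 1.24) and combines the two shared secrets with HKDF-SHA256. The struct names, the combiner layout and the label string are this example's own choices, not taken from any standard; a production protocol should follow a specified combiner such as the IETF TLS hybrid key exchange design. It also exercises the implicit-rejection behaviour by flipping one byte of the ML-KEM ciphertext in transit.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ResponderPublic is what the responder publishes: an X25519 public key (32 bytes)
// and an ML-KEM-768 encapsulation key (1184 bytes).
type ResponderPublic struct{ X25519, MLKEM []byte }

// ResponderPrivate holds both secret keys; it never leaves the responder.
type ResponderPrivate struct {
	x25519 *ecdh.PrivateKey
	mlkem  *mlkem.DecapsulationKey768
}

// Ciphertext is the single message the initiator sends: an ephemeral X25519 public
// key (32 bytes) and an ML-KEM-768 ciphertext (1088 bytes). No shared secret is on the wire.
type Ciphertext struct{ X25519, MLKEM []byte }

// GenerateResponder creates the responder's key pair for both components.
func GenerateResponder() (*ResponderPrivate, ResponderPublic, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, ResponderPublic{}, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, ResponderPublic{}, err
	}
	pub := ResponderPublic{X25519: xk.PublicKey().Bytes(), MLKEM: dk.EncapsulationKey().Bytes()}
	return &ResponderPrivate{x25519: xk, mlkem: dk}, pub, nil
}

// combine derives one 32-byte session key from both component secrets. Both secrets form
// HKDF's input keying material, so the output stays unpredictable while either is unknown
// to the attacker; public keys and ciphertexts go into the salt so the key is bound to this
// exact transcript. The label is an illustrative string chosen for this example.
func combine(ssX, ssPQ []byte, pub ResponderPublic, ct Ciphertext) ([]byte, error) {
	transcript := bytes.Join([][]byte{pub.X25519, pub.MLKEM, ct.X25519, ct.MLKEM}, nil)
	ikm := append(append([]byte{}, ssX...), ssPQ...)
	return hkdf.Key(sha256.New, ikm, transcript, "example-hybrid-x25519-mlkem768-v1", 32)
}

// Encapsulate is the initiator's step: derive the session key from the responder's
// public keys and build the ciphertext to send.
func Encapsulate(pub ResponderPublic) ([]byte, Ciphertext, error) {
	remote, err := ecdh.X25519().NewPublicKey(pub.X25519)
	if err != nil {
		return nil, Ciphertext{}, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Ciphertext{}, err
	}
	ssX, err := eph.ECDH(remote) // errors on low-order points that would give an all-zero secret
	if err != nil {
		return nil, Ciphertext{}, err
	}
	ek, err := mlkem.NewEncapsulationKey768(pub.MLKEM)
	if err != nil {
		return nil, Ciphertext{}, err
	}
	ssPQ, ctPQ := ek.Encapsulate() // 32-byte secret and 1088-byte ciphertext, derived together
	ct := Ciphertext{X25519: eph.PublicKey().Bytes(), MLKEM: ctPQ}
	key, err := combine(ssX, ssPQ, pub, ct)
	return key, ct, err
}

// Decapsulate is the responder's step. ML-KEM uses implicit rejection: a tampered
// ciphertext of the correct length yields no error, only a different pseudorandom key,
// so the mismatch surfaces later (for example as an AEAD tag failure).
func (r *ResponderPrivate) Decapsulate(ct Ciphertext) ([]byte, error) {
	remote, err := ecdh.X25519().NewPublicKey(ct.X25519)
	if err != nil {
		return nil, err
	}
	ssX, err := r.x25519.ECDH(remote)
	if err != nil {
		return nil, err
	}
	ssPQ, err := r.mlkem.Decapsulate(ct.MLKEM)
	if err != nil {
		return nil, err
	}
	pub := ResponderPublic{X25519: r.x25519.PublicKey().Bytes(), MLKEM: r.mlkem.EncapsulationKey().Bytes()}
	return combine(ssX, ssPQ, pub, ct)
}

// Run performs one handshake and reports whether both sides derived the same key. With
// tamper set, one byte of the ML-KEM ciphertext is flipped in transit: decapsulation still
// succeeds, but the responder's key no longer matches the initiator's.
func Run(tamper bool) (keysMatch bool, ct Ciphertext, err error) {
	priv, pub, err := GenerateResponder()
	if err != nil {
		return false, Ciphertext{}, err
	}
	kI, ct, err := Encapsulate(pub)
	if err != nil {
		return false, Ciphertext{}, err
	}
	if tamper {
		ct.MLKEM[0] ^= 0x01
	}
	kR, err := priv.Decapsulate(ct)
	if err != nil {
		return false, ct, err
	}
	return bytes.Equal(kI, kR), ct, nil
}

func main() {
	ok, ct, err := Run(false)
	fmt.Printf("honest exchange: keys match=%v, ML-KEM ciphertext %d bytes, err=%v\n", ok, len(ct.MLKEM), err)
	ok, _, err = Run(true)
	fmt.Printf("tampered ML-KEM ciphertext: keys match=%v, err=%v\n", ok, err)
}
```

The tampered run is the part worth internalizing: Decapsulate returns no error for a modified ML-KEM ciphertext, only a different key, so a protocol built on ML-KEM must include key confirmation or an authenticated-encryption check and must not treat "decapsulation did not fail" as evidence that the peer holds the same key. Wrong-length ciphertexts and low-order X25519 points, by contrast, do surface as errors.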

European roadmap

The European Union has integrated the post-quantum transition into its cybersecurity strategy. The recommendation is that all new key exchanges protecting sensitive data use NIST-approved PQC algorithms by 2030. For critical infrastructure covered by the NIS2 directive and the DORA regulation, this deadline may be brought forward. Operators of vital importance (OIV) and operators of essential services (OSE) should already be inventorying where public-key cryptography is used, assessing their exposure to the "harvest now, decrypt later" risk, and planning the migration of their cryptographic protocols. This aligns with the American position: the NSA's CNSA 2.0 suite specifies ML-KEM-1024 for key establishment and sets a phased schedule for National Security Systems, with quantum-resistant algorithms becoming the exclusive choice for most system categories between 2030 and 2033.

Cryptosphere integration: ML-KEM-1024 in FPGA

Cryptosphere encryptors integrate ML-KEM-1024 directly into the FPGA, in hybrid mode with X25519, which matches the ANSSI/BSI guidance to pair the post-quantum KEM with a classical exchange during the transition. The key exchange executes entirely within the hardware security domain: neither shared secret nor any derived key transits through the host CPU or its memory. The hardware implementation delivers deterministic performance compatible with line-rate encryption at 800 Gbps, without the timing variability of software implementations exposed to scheduling and cache effects. The combination of a post-quantum KEM at the highest NIST security category, a proven classical exchange, and hardware isolation of all key material is a defence-in-depth answer to the quantum threat. The FPGA's crypto-agility is designed so that a future successor to ML-KEM can be deployed through a firmware update, without hardware replacement.