ML-KEM-768

FIPS 203 — the post-quantum key encapsulation.

ML-KEM-768 is the NIST-standardized key-encapsulation mechanism UltimaOS uses to establish fresh symmetric session keys. Standardized as FIPS 203 in August 2024, it is the lattice-based successor to ECDH for the post-quantum era.

01 Overview

Why a new key exchange.

ECDH is quantum-broken

Like RSA, ECDH rests on a problem that Shor's algorithm solves in polynomial time on a quantum computer: in ECDH's case, the elliptic-curve discrete logarithm. Any forward-secret conversation negotiated today with ECDH and recorded can be retroactively decrypted once a quantum computer exists.

ML-KEM is the lattice replacement

ML-KEM (formerly Kyber) is the lattice-based key-encapsulation mechanism standardized by NIST as FIPS 203 in August 2024. It is the most studied and most performant of the NIST post-quantum KEM candidates.

Forward secrecy against quantum harvest

When two UltimaOS users start a conversation, ML-KEM-768 encapsulates a fresh 256-bit AES session key. Even if the entire conversation is recorded today, no future quantum computer can derive that session key from the recording.

02 Details

How ML-KEM-768 works in UltimaOS.

Every conversation, file share, or call on UltimaOS begins with an ML-KEM-768 key encapsulation. The encapsulated session key seeds an XChaCha20-Poly1305 symmetric channel that carries the actual content.

Conversation setup

When user A opens a chat with user B, the client requests B's ML-KEM-768 public key from the server. The client encapsulates a fresh 256-bit key against it, sends the ciphertext to B, and both sides derive the same session key.

File encryption

File uploads generate a per-file 256-bit key. The file is encrypted with XChaCha20-Poly1305, and the file key is encapsulated with ML-KEM-768 against each recipient's public key. Recipients decapsulate to recover the file key.

Call key negotiation

Voice and video calls establish a fresh ML-KEM-768 session every 60 seconds, providing cryptographic forward secrecy even within a long call. A passive recorder of one segment cannot decrypt previous or subsequent segments.

Group rekeying

Group chats rekey when membership changes. New members receive the group key encapsulated with their individual ML-KEM-768 public key. Removed members lose access because the new group key is not encapsulated for them.
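
The per-recipient wrapping described under File encryption and Group rekeying, as an added example that is not UltimaOS code. ML-KEM encapsulation outputs its own 32-byte shared secret rather than encrypting a caller-chosen key, so the example assumes that secret keys an AEAD which wraps the file or group key, with the KEM ciphertext bound as associated data. AES-256-GCM from the Go standard library stands in for the wrap cipher as an assumption, and `aeadFor`, `WrapFor` and `Unwrap` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem" // standard library since Go 1.24
	"fmt"
)

// aeadFor keys AES-256-GCM (assumed wrap cipher) with the 32-byte KEM secret.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(shared)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapFor encapsulates to one recipient and wraps key under the fresh secret.
// The secret is single-use, so the all-zero nonce never repeats under one key.
func WrapFor(ek *mlkem.EncapsulationKey768, key []byte) ([]byte, []byte, error) {
	shared, kemCT := ek.Encapsulate()
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, nil, err
	}
	return kemCT, aead.Seal(nil, make([]byte, aead.NonceSize()), key, kemCT), nil
}

// Unwrap recovers the key. A wrong private key does not make Decapsulate fail
// (implicit rejection yields an unrelated secret); the AEAD tag check rejects.
func Unwrap(dk *mlkem.DecapsulationKey768, kemCT, wrapped []byte) ([]byte, error) {
	shared, err := dk.Decapsulate(kemCT) // errors only on a malformed ciphertext
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), wrapped, kemCT)
}

func main() {
	member, _ := mlkem.GenerateKey768()
	kemCT, wrapped, _ := WrapFor(member.EncapsulationKey(), make([]byte, 32)) // constructed all-zero sample key
	got, err := Unwrap(member, kemCT, wrapped)
	fmt.Println(len(kemCT), len(got), err)
}
```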

03 Key points

Practical considerations.

  1. Encapsulation is fast

     ML-KEM-768 encapsulation takes about 0.07 ms. Opening a new conversation completes in under 50 ms including the network round-trip.

  2. Ciphertexts are small

     An ML-KEM-768 ciphertext is 1,088 bytes, small enough to fit in a single TCP segment. For group chats with N recipients, the client sends N ciphertexts in a single batch.

  3. Forward secrecy is automatic

     Every conversation uses a fresh session key. There are no long-term asymmetric keys used directly for symmetric encryption; the post-quantum KEM is always used to derive a one-time key.

  4. Hybrid-ready design

     UltimaOS is structured to combine ML-KEM-768 with classical ECDH in a hybrid construction if NIST ever recommends it. The current single-algorithm deployment is preferred because it removes the downgrade-attack surface.

05 Frequently asked

Questions about ML-KEM-768.

What is ML-KEM-768?

ML-KEM-768 (Module-Lattice-Based Key-Encapsulation Mechanism, parameter set 768) is the NIST-standardized post-quantum key-encapsulation mechanism specified in FIPS 203. It replaces ECDH for the post-quantum era. (FIPS 203 spec)

What does the "768" mean in ML-KEM-768?

The "768" refers to the dimension of the underlying module lattice. ML-KEM-768 targets NIST security level 3, equivalent in classical security terms to breaking AES-192.

Is ML-KEM-768 the same as Kyber?

Yes. ML-KEM-768 is the standardized name; Kyber was the name used during the NIST competition. The mathematical construction is identical; only minor parameter tweaks were made during standardization.

How does ML-KEM-768 protect against quantum computers?

ML-KEM's security is based on the hardness of the Module Learning-with-Errors (M-LWE) problem. No efficient quantum algorithm is known for M-LWE, unlike Shor's algorithm which breaks RSA and ECDH in polynomial time.

Is ML-KEM-768 slower than ECDH?

ML-KEM-768 is slightly slower than ECDH at the cryptographic operation level, but the difference is invisible at the application level — both complete in fractions of a millisecond. The handshake adds a few milliseconds of latency overall.

Does UltimaOS combine ML-KEM with classical ECDH?

No. The current deployment uses pure ML-KEM-768 for key encapsulation. Hybrid KEM+ECDH is structurally supported but not enabled, because single-algorithm deployment eliminates downgrade attacks.

What is FIPS 203?

FIPS 203 is the Federal Information Processing Standard published by NIST in August 2024 that specifies ML-KEM. It is the formal standardization of the scheme.

What happens if ML-KEM-768 is broken?

If a fundamental break is ever found in lattice-based cryptography, UltimaOS would migrate to the next NIST-standardized KEM. The cryptographic stack is designed so individual algorithm replacement is feasible without protocol redesign.