Kyber (ML-KEM): How Post-Quantum Encryption Works
Kyber768 — officially ML-KEM-768 under FIPS 203 — is the world's first NIST-standardized post-quantum encryption mechanism. It replaces RSA and ECDH for key exchange, protecting data against both classical and quantum attacks.
This article explains how Kyber works, why it is quantum-safe, and how to use it through the Qpher API. You will leave with a genuine understanding of lattice cryptography — not just the ability to call an API, but an intuition for why the math behind it resists quantum computers.
Why RSA and ECDH Break
RSA encryption relies on the difficulty of factoring large integers. ECDH key exchange relies on the elliptic curve discrete logarithm problem. Both problems are computationally intractable for classical computers — the best known algorithms take exponential time.
Shor's algorithm, running on a sufficiently powerful quantum computer, solves both problems in polynomial time. Not faster by a constant factor. Fundamentally, categorically faster — from infeasible to trivial.
We need key exchange based on a different hard problem. A problem that is hard for both classical and quantum computers. Lattice cryptography provides one.
RSA vs. Kyber768: Key Exchange Comparison
RSA-2048 Legacy | ECDH P-256 Legacy | Kyber768 FIPS 203 | |
|---|---|---|---|
| Public key size | 256 bytes | 64 bytes | 1,184 bytes |
| Ciphertext / exchange | 256 bytes | 64 bytes | 1,088 bytes |
| Shared secret | Variable | 32 bytes | 32 bytes |
| Quantum-safe | No | No | ✓ Yes |
| NIST standard | Legacy | Legacy | ✓ FIPS 203 |
| Hard problem | Integer factoring | Discrete logarithm | Module-LWE (lattice) |
The key sizes are larger. That is the tradeoff for quantum resistance. But 1,184 bytes is a negligible cost for API payloads — far smaller than a typical JSON response.
Lattice Cryptography — The Intuition
Kyber is built on lattice-based cryptography. You do not need to understand the formal mathematics to use it, but understanding the intuition helps you trust why it is considered quantum-safe — and why it survived eight years of NIST scrutiny.
What Is a Lattice?
A lattice is a regular grid of points in space. In two dimensions, think of graph paper — dots at every integer coordinate. In three dimensions, think of atoms in a crystal. Kyber operates in hundreds of dimensions, but the core idea is the same: a regular, repeating grid of points extending infinitely.
The Hard Problem: Finding the Closest Point
Imagine a massive warehouse filled with identical-looking boxes arranged on an invisible grid that extends in hundreds of directions. Someone gives you a set of coordinates that are slightly off — close to a real box, but not exactly on one. Your task: find the nearest real box.
In two or three dimensions, this is trivial. You can look around and see nearby boxes. But in 256 dimensions, the space is so vast and unintuitive that no efficient algorithm — classical or quantum — can reliably find the nearest grid point. This is the Closest Vector Problem (CVP), and its close relative the Shortest Vector Problem (SVP).
Learning With Errors (LWE)
Kyber specifically relies on a variant called Module Learning With Errors (Module-LWE). The setup is:
- Start with a system of linear equations (easy to solve classically).
- Add small, random noise (errors) to each equation.
- The noisy system becomes computationally intractable to solve.
The noise is the critical ingredient. Without it, Gaussian elimination solves the system instantly. With it, the problem maps to finding a close vector in a high-dimensional lattice — which neither classical nor quantum algorithms can do efficiently.
Why No Quantum Algorithm Helps
Shor's algorithm exploits the periodic structure of modular arithmetic — the mathematical patterns that underpin RSA and ECDH. Lattice problems have no such periodic structure. Grover's algorithm offers at most a quadratic speedup, which can be compensated by increasing the lattice dimension slightly.
After decades of research, no quantum algorithm has been found that significantly outperforms classical algorithms on LWE-based problems. This does not constitute a mathematical proof of security (no cryptographic system has one), but it represents the strongest evidence available — the same kind of evidence we relied on for RSA for 40 years.
You do not need to understand lattice mathematics to use Kyber through the Qpher API. But understanding that the hard problem is fundamentally different from RSA's — and specifically resistant to quantum attack — helps you make informed security decisions.
How KEM Works — Encapsulate / Decapsulate
KEM (Key Encapsulation Mechanism) is not the same as encryption. KEM produces a shared secret — a fixed-size random value that both parties derive independently. That shared secret is then used as the key for symmetric encryption (like AES-256).
Step 1 — Key Generation: Alice generates a Kyber768 key pair. The public key (1,184 bytes) can be shared freely. The private key (2,400 bytes) is kept secret.
Step 2 — Encapsulate: Bob takes Alice's public key and runs the encapsulation algorithm. This produces two outputs: a ciphertext (1,088 bytes) that he sends to Alice, and a shared secret (32 bytes) that he keeps.
Step 3 — Decapsulate: Alice takes her private key and Bob's ciphertext, and runs the decapsulation algorithm. She recovers the same 32-byte shared secret.
Both parties now have an identical 32-byte key, established quantum-safely. This key is then used for AES-256-GCM to encrypt actual data. The KEM-DEM Hybrid Encryption article explains this full pipeline.
The key distinction from RSA: KEM does not directly encrypt arbitrary data. It produces a shared secret of fixed size. To encrypt a 1MB file, you use KEM to establish the key, then AES to encrypt the file. This is the same pattern TLS has always used — the post-quantum part replaces only the key exchange step.
Kyber768 Specifics
Kyber768 uses these parameters:
- Module dimension: k = 3 (three polynomial vectors)
- Polynomial degree: n = 256
- Modulus: q = 3,329
- Security level: NIST Level 3 (roughly AES-192 equivalent)
| Property | Kyber768 | Dilithium3 |
|---|---|---|
| NIST Name | ML-KEM-768 | ML-DSA-65 |
| NIST Standard | FIPS 203 | FIPS 204 |
| Operation | Key Encapsulation (Encrypt/Decrypt) | Digital Signatures (Sign/Verify) |
| Security Level | NIST Level 3 (~AES-192) | NIST Level 3 (~AES-192) |
| Public Key Size | 1,184 bytes | 1,952 bytes |
| Private Key Size | 2,400 bytes | 4,000 bytes |
| Ciphertext Size | 1,088 bytes | 3,293 bytes |
| Shared Secret Size | 32 bytes | N/A |
| Latency Target | < 15ms (p95) | < 30ms (p95) |
Performance at Qpher: KEM operations complete in under 15ms at the 95th percentile, including network latency, authentication, and the cryptographic operation itself.
Using Kyber768 with Qpher
Generate a KEM Key Pair
from qpher import Qpher
client = Qpher(api_key="qph_your_api_key")
result = client.keys.generate(algorithm="Kyber768")
print(f"Key version: {result.key_version}")
print(f"Algorithm: {result.algorithm}")
print(f"Status: {result.status}")Encrypt Data
import base64
plaintext = b"Sensitive data to protect"
plaintext_b64 = base64.b64encode(plaintext).decode()
result = client.kem.encrypt(
plaintext=plaintext_b64,
key_version=1,
)
print(f"Ciphertext: {result.ciphertext[:40]}...")
print(f"Key version used: {result.key_version}")Decrypt Data
decrypted = client.kem.decrypt(
ciphertext=result.ciphertext,
key_version=1,
)
plaintext = base64.b64decode(decrypted.plaintext)
print(f"Decrypted: {plaintext.decode()}")Always store the key_version alongside your ciphertext. You will need it for decryption. When you rotate keys, old ciphertexts still need to reference the key version they were encrypted with.
Common Questions
Can I encrypt large files? Yes. Qpher uses a KEM-DEM hybrid scheme internally: Kyber768 establishes the key, then AES-256-GCM encrypts your data. There is no practical size limit. The KEM-DEM Hybrid article explains the architecture.
What is the ciphertext overhead? Approximately 1,116 bytes per encryption (1,088 bytes KEM ciphertext + 12 bytes IV + 16 bytes auth tag). For a 1KB file, that is 112% overhead. For a 1MB file, it is 0.1%.
Is Kyber768 compatible with TLS? Kyber768 is being integrated into TLS by browser vendors and TLS library maintainers. Qpher is an API service for encrypting your application data, not a TLS library. Your TLS connection to Qpher's API can independently use hybrid PQC key exchange as browser and library support matures.
Next Steps
Kyber handles encryption — establishing shared secrets quantum-safely. The next article covers the other half of public-key cryptography: Dilithium3 (ML-DSA-65), the NIST-standardized algorithm for quantum-safe digital signatures.
Try encrypting data yourself using the Encrypt Data guide, or explore the KEM API Reference for full endpoint documentation.
Want to experiment without writing code? Try the Qpher Playground to encrypt and decrypt data interactively.