Date Published: August 24, 2023
Comments Due:
Email Questions to:
Planning Note (12/12/2023):
The public comments received have been posted.
Author(s)
National Institute of Standards and Technology
Announcement
NIST requests comments on three draft Federal Information Processing Standards (FIPS):
These proposed standards specify key establishment and digital signature schemes that are designed to resist future attacks by quantum computers, which threaten the security of current standards. The three algorithms specified in these standards are each derived from different submissions to the NIST Post-Quantum Cryptography Standardization Project.
Note to Reviewers
This draft FIPS specifies a key encapsulation mechanism (KEM) called ML-KEM. A KEM is a particular type of key establishment scheme. While NIST has previously published standards for key establishment schemes (see SP-800-56A and SP-800-56B), this will be the first NIST standard for key establishment using a KEM. As a result, NIST will specify both the particulars of the ML-KEM scheme and the general properties of KEMs in FIPS 203 and SP 800-227, respectively.
The scope of FIPS 203 (this document) is limited to specifying only the ML-KEM algorithms (for key generation, encapsulation, and decapsulation) and the associated ML-KEM parameter sets. It aims to provide sufficient information for implementing ML-KEM in a manner that can pass validation through the Cryptographic Module Validation Program (CMVP).
SP 800-227 is forthcoming and will discuss the general properties of KEMs in detail. This will include basic definitions, security properties, and requirements for the use of KEMs in secure applications. These topics will not be discussed in detail in the FIPS 203 draft. NIST welcomes comments from reviewers regarding the planned content of SP 800-227.
A key-encapsulation mechanism (or KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms to perform basic tasks in secure communications, such as encryption and authentication.
This standard specifes a key-encapsulation mechanism called ML-KEM. The security of ML-KEM is related to the computational diffculty of the so-called Module Learning with Errors problem. At present, ML-KEM is believed to be secure even against adversaries who possess a quantum computer.
This standard specifes three parameter sets for ML-KEM. In order of increasing security strength (and decreasing performance), these parameter sets are ML-KEM-512, ML-KEM-768, and ML-KEM-1024.
A key-encapsulation mechanism (or KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms...
See full abstract
A key-encapsulation mechanism (or KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms to perform basic tasks in secure communications, such as encryption and authentication.
This standard specifes a key-encapsulation mechanism called ML-KEM. The security of ML-KEM is related to the computational diffculty of the so-called Module Learning with Errors problem. At present, ML-KEM is believed to be secure even against adversaries who possess a quantum computer.
This standard specifes three parameter sets for ML-KEM. In order of increasing security strength (and decreasing performance), these parameter sets are ML-KEM-512, ML-KEM-768, and ML-KEM-1024.
Hide full abstract
Keywords
computer security; cryptography; encryption; Federal Information Processing Standards; lattice-based cryptography; key-encapsulation; post-quantum; public-key cryptography
Control Families
None selected
