# CRYSTALS-Kyber: From Submission to ML-KEM Standard

**Source**: https://quantumsequrity.com/blog/crystals-kyber-history
**Category**: PQC Algorithms

---

[← Back to Blog](../../blog.html) PQC Algorithms

# CRYSTALS-Kyber: From Submission to ML-KEM Standard

12 min read

The story of CRYSTALS-Kyber is the story of how nine cryptographers spent seven years moving a research idea through the most rigorous public scrutiny process in cryptographic history, eventually producing the first NIST-standardized post-quantum key encapsulation mechanism. Kyber was submitted to NIST in 2017, selected for standardization in 2022, and finalized as FIPS 203 in August 2024 under the new official name ML-KEM. That arc captures both the speed and the patience of modern cryptographic standardization.

This post walks through that history. The original submission, the iterative tweaks across NIST's three rounds, the selection moment, and the renaming from Kyber to ML-KEM.

## The CRYSTALS Project

CRYSTALS stands for Cryptographic Suite for Algebraic Lattices. The project was a coordinated effort by a team of researchers to develop a complete suite of post-quantum primitives based on the same underlying lattice mathematics. Two main outputs emerged from CRYSTALS: a key encapsulation mechanism (Kyber) and a digital signature scheme (Dilithium).

The CRYSTALS team brought together expertise from European and American research groups. The named authors of the CRYSTALS-Kyber submission to NIST were Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé. Their institutions spanned NXP Semiconductors, CWI Amsterdam, Ruhr-Universität Bochum, IBM Research, ENS Lyon, the Israeli Institute of Technology, the University of Waterloo, Radboud University, and CWI again. This international, multi-institutional team is typical of modern cryptographic research at the highest level.

Kyber's design was published as a research paper around the same time as its NIST submission. The team continued to refine the design throughout the standardization process based on feedback from the cryptographic community.

## The Module-LWE Foundation

Kyber's security rests on the Module Learning With Errors problem, often abbreviated MLWE. This is a structured variant of the Learning With Errors (LWE) problem first introduced by Regev in 2005.

The LWE problem in its basic form asks: given a set of noisy linear equations modulo q, recover the secret coefficients. The noise makes the problem hard to solve in polynomial time, even for quantum computers. Variants like Ring-LWE and Module-LWE add algebraic structure that makes implementations efficient while preserving (under reasonable assumptions) the underlying hardness.

Module-LWE specifically uses a module of polynomial rings rather than a single ring. This module structure provides flexibility in selecting parameter sets that target specific security levels without requiring different fundamental implementations. Kyber-512, Kyber-768, and Kyber-1024 share the same algorithm. Only the module dimension and noise parameters change.

For more on lattice-based cryptography, see [Lattice-Based Cryptography Explained](../lattice-based-cryptography-explained.html).

## NIST PQC Round 1 (2017-2019)

NIST announced its post-quantum cryptography standardization process in February 2016 with a call for submissions. The submission deadline was November 2017. NIST received 69 algorithm submissions, of which 64 were complete and survived initial screening to enter Round 1.

Kyber was among the Round 1 submissions. It joined a crowded field of lattice-based KEMs, including New Hope, Frodo, NTRU-HRSS, NTRU Prime, ThreeBears, Saber, and several others. The lattice-based KEM space was the most competitive of all post-quantum families.

Round 1 ran from December 2017 to January 2019. NIST and the cryptographic community examined each submission for security flaws, performance characteristics, and intellectual property issues. Submissions received public comments and presentations at NIST PQC conferences.

In January 2019, NIST announced 26 schemes advancing to Round 2. Kyber was among them. Several lattice-based competitors did not advance.

## NIST PQC Round 2 (2019-2020)

Round 2 ran for about a year and a half. It involved deeper security analysis and concrete benchmarking. The community examined Kyber's specific parameter choices, the encoding of public keys and ciphertexts, and the underlying security assumptions.

During Round 2, the Kyber team made several refinements. The team published Kyber-90s, an alternative version that used SHA-256 and AES-256 instead of SHAKE-256 to potentially improve hardware performance on platforms with SHA acceleration. They tweaked parameter choices to improve the concrete security margin against the best known attacks.

In July 2020, NIST announced Round 3 finalists and alternates. Kyber was selected as a Round 3 finalist for KEMs. The other finalists were Classic McEliece, NTRU, and SABER. Several Round 2 schemes were either eliminated or moved to alternates.

## NIST PQC Round 3 (2020-2022)

Round 3 was the deciding round. NIST gave each finalist roughly two years for further analysis. The cryptographic community focused intense scrutiny on the four KEM finalists.

During Round 3, Kyber received continued security analysis with no major weaknesses found. Performance benchmarking demonstrated that Kyber was among the fastest of the finalists across diverse platforms. Implementation analysis confirmed that constant-time, side-channel-resistant Kyber implementations were achievable.

NIST also evaluated practical deployment considerations. How easy is each algorithm to integrate into existing protocols? What are the total bandwidth and storage costs? How do the algorithms interact with hybrid schemes during the transition period?

In July 2022, NIST announced selection. CRYSTALS-Kyber was selected as the primary KEM standard. NIST simultaneously announced that Classic McEliece, BIKE, HQC, and SIKE would continue analysis as Round 4 candidates. (SIKE was subsequently broken later in 2022 by an attack from Castryck and Decru, and removed from the candidate list.)

## The 2022 Selection

The July 2022 announcement was a significant moment in cryptographic history. After six years of public analysis, NIST committed to Kyber as the primary post-quantum KEM. This kicked off the formal standardization phase, where Kyber would be transformed into a NIST FIPS standard.

NIST announced its selection alongside selections for digital signatures (CRYSTALS-Dilithium, FALCON, and SPHINCS+). The signature selections also went through similar multi-round processes. For more on Dilithium's history, see [CRYSTALS-Dilithium History](../crystals-dilithium-history.html).

The cryptographic community's reaction to the Kyber selection was largely positive. The choice was widely expected based on Kyber's performance, security analysis depth, and design clarity. Some commentators noted that the lattice-based selection meant the world was committing to a single mathematical foundation for KEMs, which motivated the continued analysis of code-based alternatives that eventually led to HQC's selection in 2025.

For more on HQC, see [HQC Explained](../hqc-explained.html).

## From Kyber to ML-KEM

Between the July 2022 selection and the August 2024 final standard publication, NIST went through its formal standardization process. This involves drafting the FIPS document, soliciting public comments, addressing comments, and approving the final standard.

During this process, NIST renamed CRYSTALS-Kyber to ML-KEM. ML stands for Module-Lattice. The renaming aligned the algorithm name with NIST's naming convention for the post-quantum suite. ML-KEM, ML-DSA, SLH-DSA, and FN-DSA all share consistent naming based on their underlying mathematical foundations.

The renaming was administrative. The algorithm itself was essentially unchanged from the final Kyber Round 3 specification. Implementation libraries that supported Kyber needed only minor updates to align with FIPS 203 specifics.

In August 2024, NIST published FIPS 203 as the final standard. ML-KEM was now an official NIST cryptographic standard alongside FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA).

For more on the FIPS standards, see [NIST FIPS Guide](../nist-fips-guide.html).

## Parameter Sets in FIPS 203

FIPS 203 standardizes three parameter sets for ML-KEM.

ML-KEM-512 targets NIST Category 1, equivalent to AES-128. Public key 800 bytes, ciphertext 768 bytes.

ML-KEM-768 targets Category 3, equivalent to AES-192. Public key 1,184 bytes, ciphertext 1,088 bytes.

ML-KEM-1024 targets Category 5, equivalent to AES-256. Public key 1,568 bytes, ciphertext 1,568 bytes.

These parameter sets correspond to Kyber-512, Kyber-768, and Kyber-1024 from the original submission, with minor encoding adjustments. The mathematical structure and security analysis carried over directly.

## Real-World Deployment

ML-KEM is now deployed in production systems worldwide. Cloud providers integrate ML-KEM into their TLS handshake offerings, often in hybrid combinations with X25519 for defense in depth. Browser vendors are rolling out post-quantum TLS support that uses ML-KEM. Email providers, messaging applications, and VPN services are adding ML-KEM support.

For most deployments, ML-KEM-768 is the default choice. It targets Category 3, which is the typical regulatory minimum for sensitive data. Bandwidth and storage costs are modest. Performance is fast on modern hardware.

ML-KEM-1024 is reserved for high-assurance deployments that specifically require Category 5 security. The size and performance overhead is small enough that most users could pay it, but Category 3 is sufficient for most threat models.

ML-KEM-512 is used for bandwidth-constrained applications where Category 1 security is acceptable. It is also the algorithm QNSQY makes available in its Free tier.

For more on hybrid deployment patterns, see [Hybrid Encryption](../hybrid-encryption.html).

## QNSQY's ML-KEM Implementation

QNSQY exposes ML-KEM at all three parameter sets. Free tier users get ML-KEM-512. Pro tier users get ML-KEM-768 and ML-KEM-1024. Business tier users get the full suite of post-quantum cryptography including ML-KEM and HQC.

QNSQY uses the reference ML-KEM implementation, which has been validated against NIST's published Known Answer Tests for FIPS 203. The implementation is constant-time and resistant to standard side-channel attacks.

The QNSQY CLI accepts ML-KEM-512, ML-KEM-768, or ML-KEM-1024 as KEM algorithm choices on encryption operations. The choice of parameter set determines the security category and the resulting ciphertext size.

For more details on ML-KEM operation, see [ML-KEM Explained](../ml-kem-explained.html).

## Industry Reaction to FIPS 203 Publication

The August 2024 publication of FIPS 203 was a major milestone for the cryptographic industry. Years of preparation by vendors, libraries, and standard bodies came to fruition.

Cloud service providers began rolling out ML-KEM support in their TLS handshake offerings. Cloudflare, Google Cloud, AWS, and Azure all announced ML-KEM hybrid support during 2024. Browser vendors followed with experimental and then production rollouts of post-quantum TLS in Chrome, Firefox, Safari, and Edge.

The IETF working groups updated their hybrid TLS drafts to reference FIPS 203 specifically. The specification of how to combine ML-KEM with X25519 in TLS 1.3 became standardized through these IETF efforts.

Cryptographic library maintainers updated their packages. liboqs (the Open Quantum Safe library), boringssl, OpenSSL providers, and many others added FIPS 203-aligned ML-KEM implementations. Cross-implementation testing using NIST KAT vectors became routine.

For end users, the practical impact is that post-quantum-protected TLS handshakes are increasingly available in production. Most users do not see this directly, but their connections benefit from the additional security.

## Lessons from the Standardization Process

The Kyber-to-ML-KEM journey provides several lessons for the broader cryptographic community.

Public scrutiny over multi-year periods produces better cryptographic standards than closed development. The Kyber team made many refinements based on Round 1 and Round 2 feedback. Without that public process, those refinements would not have happened.

Multiple competing schemes per category strengthen the eventual selection. Even though Kyber was widely expected to win, the existence of strong alternatives like SABER and NTRU ensured that the selection process was rigorous and that the chosen algorithm was genuinely the best.

Naming and administrative details matter for adoption. The renaming from Kyber to ML-KEM aligned naming across the post-quantum suite, which simplifies documentation and communication for vendors and users.

Security analysis and performance benchmarking must both inform selection. Kyber won not just on security but also on practical deployability across diverse hardware platforms.

## FAQ

### Why was Kyber renamed to ML-KEM?

NIST renamed all selected algorithms to align with a consistent naming convention based on mathematical foundations. ML-KEM, ML-DSA, SLH-DSA, and FN-DSA share this convention.

### Are Kyber and ML-KEM cryptographically identical?

The algorithms are essentially the same with minor encoding adjustments specified in FIPS 203. Implementations that supported Kyber Round 3 needed minor updates to align with the FIPS 203 final specification.

### Which lattice problem does ML-KEM rely on?

ML-KEM relies on the Module Learning With Errors problem (MLWE). This problem has been studied since the 2010s and has resisted both classical and quantum cryptanalytic attacks.

### Is ML-KEM IND-CCA secure?

Yes. ML-KEM provides IND-CCA2 security (the strongest standard notion of security for key encapsulation mechanisms). The scheme uses a Fujisaki-Okamoto-like transform to convert an IND-CPA secure primitive into an IND-CCA secure KEM.

### Can I use ML-KEM with TLS today?

Yes, in hybrid mode. The IETF has published draft standards for hybrid post-quantum key exchange in TLS 1.3 that combine ML-KEM with X25519. Major browsers and servers are rolling out support for these hybrid modes.

## Sources

1. [NIST FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf)
2. [NIST PQC Project: ML-KEM Selection Documentation](https://csrc.nist.gov/projects/post-quantum-cryptography)
3. [CRYSTALS-Kyber Round 3 Specification](https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf)
4. [IACR Cryptology ePrint: CRYSTALS-Kyber Algorithm Design](https://eprint.iacr.org/2017/634)
5. [NIST PQC Standardization Process Reports](https://csrc.nist.gov/publications/detail/nistir/8413/final)

## Related Articles

- [ML-KEM Explained](../ml-kem-explained.html)
- [CRYSTALS-Dilithium History](../crystals-dilithium-history.html)
- [Lattice-Based Cryptography Explained](../lattice-based-cryptography-explained.html)
- [NIST FIPS Guide](../nist-fips-guide.html)

---

### Protect Your Data Before Q-Day Arrives

QNSQY's NIST-standardized post-quantum encryption protects files against both current and quantum-era threats.

[Try QNSQY](../../pricing.html)
