name: ML-KEM
type: kem
principal-submitters:
- Peter Schwabe
auxiliary-submitters:
- Roberto Avanzi
- Joppe Bos
- Léo Ducas
- Eike Kiltz
- Tancrède Lepoint
- Vadim Lyubashevsky
- John M. Schanck
- Gregor Seiler
- Damien Stehlé
crypto-assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1)
website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
nist-round: FIPS203
spec-version: ML-KEM
primary-upstream:
  source: https://github.com/pq-code-package/mlkem-native/commit/048fc2a7a7b4ba0ad4c989c1ac82491aa94d5bfa
  spdx-license-identifier: MIT or Apache-2.0 or ISC
optimized-upstreams:
  cupqc-cuda:
    source: https://github.com/open-quantum-safe/liboqs-cupqc-meta/commit/b026f4e5475cd9c20c2082c7d9bad80e5b0ba89e
    spdx-license-identifier: Apache-2.0
  icicle-icicle_cuda:
    source: https://github.com/ingonyama-zk/icicle-liboqs/commit/8f215fd845928abfc2bb7d5ca15db76b839bee5c
    spdx-license-identifier: MIT
parameter-sets:
- name: ML-KEM-512
  claimed-nist-level: 1
  claimed-security: IND-CCA2
  length-public-key: 800
  length-ciphertext: 768
  length-secret-key: 1632
  length-shared-secret: 32
  length-keypair-seed: 64
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: x86_64
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: cupqc-cuda
    upstream-id: cuda
    supported-platforms:
    - architecture: CUDA
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: false
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
- name: ML-KEM-768
  claimed-nist-level: 3
  claimed-security: IND-CCA2
  length-public-key: 1184
  length-ciphertext: 1088
  length-secret-key: 2400
  length-shared-secret: 32
  length-keypair-seed: 64
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: x86_64
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: cupqc-cuda
    upstream-id: cuda
    supported-platforms:
    - architecture: CUDA
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: false
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
- name: ML-KEM-1024
  claimed-nist-level: 5
  claimed-security: IND-CCA2
  length-public-key: 1568
  length-ciphertext: 1568
  length-secret-key: 3168
  length-shared-secret: 32
  length-keypair-seed: 64
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: x86_64
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: cupqc-cuda
    upstream-id: cuda
    supported-platforms:
    - architecture: CUDA
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: false
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false