Welcome again! In Half 1 we set the scene: a safe handshake rests on two pillars (key trade and authentication), and quantum computer systems threaten each. Now we zoom in on the primary and most pressing one: key trade. Why pressing? Two phrases that ought to genuinely hold you up at evening: harvest now, decrypt later.
Let’s unpack that, then introduce the 2 algorithms that can spend the subsequent few posts going head-to-head. No instructions but; for now, let’s construct the instinct.
Diffie-Hellman: the quiet hero
Diffie-Hellman (DH) is the unsung hero behind almost each safe channel on the web. The concept is genuinely elegant: two events every generate a key pair, swap public keys over an untrusted community, and thru some stunning math they independently arrive on the identical shared secret, with out that secret ever crossing the wire. Neither facet controls the result; each contribute. IKEv2 (the protocol behind IPsec VPNs) has all the time leaned on some taste of DH as its main key trade.
So what’s the issue? DH, in each taste, falls aside towards a sufficiently highly effective quantum pc working Shor’s algorithm. Such a machine may derive the shared secret from the general public keys alone, the precise factor DH was designed to make inconceivable.
Why “sometime” is already an issue immediately
Right here’s the half that journeys individuals up. “Quantum computer systems can’t do that but,” you may say, “so why panic?” Due to the really nasty twist:
An attacker can report your encrypted visitors immediately and easily wait, decrypting it years later, the second quantum {hardware} grows up.
That’s “harvest now, decrypt later.” The risk is delayed. It doesn’t matter that no quantum pc can crack your handshake this afternoon; what issues is whether or not the information you’re sending this afternoon will nonetheless be delicate when one can. Medical information, monetary knowledge, state secrets and techniques, your organization’s crown jewels: loads of it has a shelf life measured in many years.
So the query isn’t “when will quantum computer systems arrive?” It’s “is something I’m transmitting immediately nonetheless going to matter once they do?” If sure, your key trade must be quantum-safe now. For this reason post-quantum key trade is the hearth alarm, not the sluggish rebuild.
Submit-quantum cryptography exists exactly to slam this door shut. On this pillar we’ll use ML-KEM, NIST’s standardised PQC key encapsulation mechanism. And, crucially, we’ll use it alongside classical DH, not as a substitute of it. Why alongside? Maintain that thought; it’s the punchline of Half 3.
Within the classical nook: X25519
Each good showdown wants correct introductions, so let’s meet our fighters.
X25519 is a contemporary, high-performance taste of Diffie-Hellman constructed on Curve25519 (an elliptic curve designed by Daniel Bernstein). You’ll additionally see it known as ECDH (Elliptic Curve Diffie-Hellman), or referred to by its group quantity #31 in IKE. It’s the beneficial classical DH algorithm immediately: sooner and safer than the previous finite-field DH teams (modp2048 and associates) or the older NIST curves (P-256).
It’s a true key trade: each events contribute. Both sides whips up a throwaway key pair, they swap public keys, and every computes the identical shared secret from their very own non-public key plus the opposite get together’s public key. It’s been battle-tested since 2016 (RFC 7748).
The catch? It’s quantum-vulnerable. Shor’s algorithm eats elliptic curves for breakfast. Sigh.
Within the post-quantum nook: ML-KEM
ML-KEM (Module-Lattice-Based mostly Key Encapsulation Mechanism, FIPS 203) is the brand new child on the block: a post-quantum key encapsulation algorithm standardised by NIST in 2024. It is available in three flavors:
| Identify | Safety degree | Public key | Ciphertext |
|---|---|---|---|
| ML-KEM-512 | ~128-bit classical | 800 B | 768 B |
| ML-KEM-768 | ~192-bit classical | 1184 B | 1088 B |
| ML-KEM-1024 | ~256-bit classical | 1568 B | 1568 B |
ML-KEM-768 is the candy spot for many deployments: a snug safety margin with out the additional bandwidth of ML-KEM-1024. (ML-KEM-512 is usually averted; its margin is taken into account a bit skinny for long-term safety.) In order that’s what our lab makes use of.
That “Module-Lattice-Based mostly” within the identify is doing actual work, by the best way: ML-KEM’s safety rests on a lattice math drawback that quantum computer systems haven’t any identified shortcut for. We gained’t dive into that math right here; the essential factor for now’s the headline: no identified quantum assault.
The twist that confuses everybody: KEM ≠ key trade
Right here’s the gotcha that journeys up newcomers, so let’s hit it head-on. ML-KEM is a Key Encapsulation Mechanism, not a symmetric Diffie-Hellman-style trade. The mechanics are genuinely completely different:
- In DH, each sides do the identical factor (generate a pair, swap publics, derive the key). It’s symmetric.
- In a KEM, the work is cut up. One get together generates a key pair and sends its public key. The opposite get together runs an encapsulation algorithm on that public key (which spits out each a ciphertext and a shared secret) and sends again the ciphertext. Solely the unique get together, holding the non-public key, can run decapsulation on that ciphertext to get well the identical shared secret.
So as a substitute of “each side combine their halves,” it’s “I ship you a lockbox, you set a secret in it and lock it, solely I can open it.” Identical vacation spot (a shared secret neither eavesdropper can compute), however a special path to get there. Maintain this imbalance in thoughts: it’ll clarify why, once we seize the packets in Half 4, the public key and the ciphertext are completely different sizes flying in reverse instructions.
The place we’re headed
So now we’ve received our two fighters within the ring:
- X25519: tiny, quick, battle-tested… and quantum-doomed.
- ML-KEM-768: quantum-safe, surprisingly fast… however new, and chunky on the wire.
Neither one clearly wins immediately, which units up the central query of the subsequent publish: if the basic is doomed and the newcomer is unproven, which can we decide? (Trace: it’s a trick query, and the reply is the entire motive this works.)
In Half 3 we’ll put these two facet by facet in a correct head-to-head (measurement on the wire, latency, compute price, safety), after which reveal the elegant answer that lets us cease selecting and use each. See you there!

