# Alice, Bob & Eve: ML-KEM

Alice and Bob are going quantum safe! The previous algorithms (RSA and Diffie-Hellman) are not safe against quantum computers. If we can expect that Eve has access to quantum computer, we have to use something more resillent. And even if Eve does not have access to quantum computer now, she will definitely have access to one in the future. 

Therefore she can do the _harvest now, decrypt later_ attack. The name says it: she can eavesdrop the communication today, even though she is unable to decrypt it immediatelly. But she can store the data and decrypt it later, once she obtains the quantum computer.

We will use the ML-KEM (Module‑Lattice‑based Key‑Encapsulation Mechanism) algorithm, originally known as CRYSTALS-Kyber (Cryptographic Suite for Algebraic Lattices). This is _post-quantum_ algorithm, also called _quantum-safe_ algorithm. It runs on current digital computers, but is safe from attacks made with future quantum computers.

ML-KEM is similar to the Diffie-Hellman algorithm in that it does not support encryption of arbitrary data, but can be used to derive a common shared secret, which can be used as a secret key for symmetric algorithm such as AES, which is not really affected by quantum attacks. Quantum computers will make breaking AES easier in theory, but not useful in practice, it will be still safe enough.

In [5]:
// Install the Microsoft.Bcl.Cryptography package (required for .NET < 10.0)
// #r "nuget: Microsoft.Bcl.Cryptography"

// Import namespace
using System.Security.Cryptography;

// Show what runtime we're actually on
Console.WriteLine($"Runtime version:  {System.Runtime.InteropServices.RuntimeInformation.FrameworkDescription}");

// Check whether ML-KEM is supported on this platform
Console.WriteLine($"ML-KEM supported: {MLKem.IsSupported}");

Runtime version:  .NET 10.0.3
ML-KEM supported: True


## Alice

Alice will generate her key pair, as usual in case of asymmetric algorithms. The only difference here is that in ML-KEM we use the term _encapsulation key_ instead of _public key_, to emphasize it's used only for encapsulation of data, not traditional encryption.

There are three variants: ML-KEM-512, ML-KEM-768 and ML-KEM 1024. The numbers come from the module dimension used in the underlying lattice construction. All these variants produce 256 bits (32 bytes) of secret, handy for AES-256.

Higher number is "better" in terms of security (and "worse" in terms of performance and data size). The following table shows the three variants and their parameters (security roughly equivalent to AES with given key lenghs and size of various aspects):

| Variant | AES Equivalent | Public Key (bytes) | Public Key (bits) | Private Key (bytes) | Private Key (bits) | Ciphertext (bytes) | Ciphertext (bits) |
|--------|---------------:|--------------------:|-------------------:|---------------------:|--------------------:|--------------------:|-------------------:|
| ML-KEM-512 | 128 | 800 | 6400 | 1632 | 13056 | 768 | 6144 |
| ML-KEM-768 | 192 | 1184 | 9472 | 2400 | 19200 | 1088 | 8704 |
| ML-KEM-1024 | 256 | 1568 | 12544 | 3168 | 25344 | 1568 | 12544 |


In [6]:
// Suppress warnings about experimental APIs for this demo
// (ExportPkcs8PrivateKeyPem method is currently marked as experimental)
#pragma warning disable SYSLIB5006

// Generate Alice's ML-KEM key pair
var alice = MLKem.GenerateKey(MLKemAlgorithm.MLKem768);
var alicePrivateKeyPem = alice.ExportPkcs8PrivateKeyPem();
var aliceEncapsulationKey = alice.ExportEncapsulationKey();

// Display Alice's keys
Console.WriteLine("Alice's Private Key:");
Console.WriteLine(alicePrivateKeyPem);
Console.WriteLine();
Console.WriteLine("Alice's Encapsulation (\"public\") Key:");
Console.WriteLine(Convert.ToBase64String(aliceEncapsulationKey, Base64FormattingOptions.InsertLineBreaks));

Alice's Private Key:
-----BEGIN PRIVATE KEY-----
MFQCAQAwCwYJYIZIAWUDBAQCBEKAQJaTO37ZvcXe5YsQLzOmRJjA/Fv1bWfQu0Qd
TMAvaRL1IQQKRLKdXFX+TLAf5Wie929Q0a4zFKn+SuByKjJ5bqQ=
-----END PRIVATE KEY-----

Alice's Encapsulation ("public") Key:
zDtdydR3fPpd6KtOn2lH66Ul/2Y2BOU/gYEAony+Grdx/mN+MDOPg4Ks24Ob+jkrsWG42gcexgRd
31DAaTbKLvhazGajSmZ2zRuPiLcrkKcCEOY3VUkqSSSciLq0Eaq/pcS+QqtTPrNnjFQf1FlS32Nn
JPco6Xh5dRJsc3qP9BO6DAd/FMKrmxFT84wKOAwPJEtpH8mujMpLfcDOhzguspWf39WrFeOA8zWQ
IsCYQNlE7uY7Hzp9pHtBTmstb9F12vW0GptndrcO4RMyF8oAwqpoN/lg6lK9lLQRDqIFSuccACt9
m+eg7kau/WlnEUecA5KbfqoDb6tOpiFidQOG88hleQQs8vOUrQSNC0eF1dywCWJtjaNpv/x4Cqc2
MDSlCHiziykSvoqpSbOkIzFtJpayftAYDMqETuWf3edtQiYeibyCeSuhp3tDKJKLksktlCI/EyqA
LwA+xoWyOCNcyDollAtjBQgsYYCK/taKcNk/2+KMxwTMfStAsTo1ryGrLykAoGO7SEV3qcEdYPaV
BLVM5RBqbWdM6CCjtmlrnPOb/zNcN4JecXSdKdZw7rSPLdES/YEg/CfHZZiSJyym8xwgCYoB+vhQ
iftkgEO2q2VzlkG8MwopUcsWs6enOyrLC2GYdUVugKlkPHYf/IorhFoniBpi1NKt/tOpb2izLdlL
Q6TIT5Q7f3YQFNwv+7cDIKOhZIZY1qYbjoxH6ZlxBgpFLVxijDgu5Oqjw4O1CwkPL8V7tYkHxQc

## Bob

Bob will take Alice's encapsulation key (public key) and generate both its raw shared secret and its encapsulated (encrypted) version:

In [7]:
// Import Alice's encapsulation key to create ML-KEM instance
var bob = MLKem.ImportEncapsulationKey(MLKemAlgorithm.MLKem768, aliceEncapsulationKey);

// Generate shared secret and encapsulated key
bob.Encapsulate(out var bobCiphertext, out var bobSharedSecret);

// Display Bob's generated keys
Console.WriteLine("Bob's Shared Secret:");
Console.WriteLine(Convert.ToBase64String(bobSharedSecret, Base64FormattingOptions.InsertLineBreaks));
Console.WriteLine();
Console.WriteLine("Bob's Encapsulated (\"encrypted\") Key:");
Console.WriteLine(Convert.ToBase64String(bobCiphertext, Base64FormattingOptions.InsertLineBreaks));

Bob's Shared Secret:
Z6XXK4/M4yyJ618DywgA7mIZwBFOIRh1Sejd0iy0qc0=

Bob's Encapsulated ("encrypted") Key:
ntAy6wh08iasLH74mq7l4VQ6P315GvazuXriU5Sunr7XdFeZm6dRJ2WxRHsMJoEMqzk1ybHjR75O
PT4qB79dffwvToJ+ZJMUOK6J/Mhg2nVoKaoqZdR+pZri8lGuei/jETx7uxE9EE0+EZEc1mUVUHTX
LIQQqmWEO7f1ZZBjy+9nNVSnsW97yeGs2aM0/7k3neYL5lHJE8UjBfQnQVIBJQSSxzCDHg9KJPzQ
XN38noqSHKhHKyHQtbq/GpFdc1VVhMekNfWCsRIKDljKwJCKdqxNPsijx517RUFTfzdY4vhLyzLA
8x1NVHyKWcuzpN2Tds/udMGDbMaDsgaP7ybGdr6veZfen/ZuGbxq6m+zwBagdmsI7CYp/JGw7WAo
A0x39aadoAfytGmE5Ivxdqb4V4RO7OCLb2W0cpWFcvtQ8fBTdNJ5wo1dshzEwf2eOLv8w8qzOUnI
MTlJk9esPH8r/3kkdOY8OSB5xhzc7hCV2zFHX3RXvzxGaiYrJW5YYyJK/dT+Jy7vCOC5CkfAaPy/
UWAHZFNOnP7VS8Ch9HsJjtUop9e40aSBPoN8wir9i/vkQTfSQbVW6MqKndFsy8/i1Uj5YRnosxMA
gfxr2ELKIefDiyReHBHbhyUXVFKHQB6nPvGrrQE5651ETbiyx02sSUI6uG7DZ2RYF/ew0MMfBknx
noTLfeTEF2ZZSbXep9qmOEyDby3cbJ5rJsGAVuHFZT8UVIVyOjhB5B/9QMLG+2F9Y58APAQ/Snc/
Tq01tm+IeOiTJVzqTmyVEExXDoS96CRF/nrNCEdPuOHJfCcHu1gyvTEmySwAYE/LH1ATFWbhXQEi
+eiCv9lDweH29n0ixqwQc17zQuzHVH1BcTkqlmMC6ib55VVB

# Alice

Alice will take the encapsulated secret and decapsulate (decrypt) it using her private key:

In [8]:
// Alice decapsulates the ciphertext to obtain the shared secret
var aliceSharedSecret = alice.Decapsulate(bobCiphertext);

// Display Alice's derived shared secret
Console.WriteLine($"Alice's Shared Secret: {Convert.ToBase64String(aliceSharedSecret)} ({aliceSharedSecret.Length * 8} bits)");
Console.WriteLine($"Bob's Shared Secret:   {Convert.ToBase64String(bobSharedSecret)} ({bobSharedSecret.Length * 8} bits) for reference");

Alice's Shared Secret: Z6XXK4/M4yyJ618DywgA7mIZwBFOIRh1Sejd0iy0qc0= (256 bits)
Bob's Shared Secret:   Z6XXK4/M4yyJ618DywgA7mIZwBFOIRh1Sejd0iy0qc0= (256 bits) for reference


Now both Alice and Bob have identical shared secrets, which they can use for symmetric encryption.