# Alice, Bob & Eve: ML-KEM

Alice and Bob are going quantum safe! The previous algorithms (RSA and Diffie-Hellman) are not safe against quantum computers. If we can expect that Eve has access to quantum computer, we have to use something more resillent. And even if Eve does not have access to quantum computer now, she will definitely have access to one in the future. 

Therefore she can do the _harvest now, decrypt later_ attack. The name says it: she can eavesdrop the communication today, even though she is unable to decrypt it immediatelly. But she can store the data and decrypt it later, once she obtains the quantum computer.

We will use the ML-KEM (Module‑Lattice‑based Key‑Encapsulation Mechanism) algorithm, originally known as CRYSTALS-Kyber (Cryptographic Suite for Algebraic Lattices). This is _post-quantum_ algorithm, also called _quantum-safe_ algorithm. It runs on current digital computers, but is safe from attacks made with future quantum computers.

ML-KEM is similar to the Diffie-Hellman algorithm in that it does not support encryption of arbitrary data, but can be used to derive a common shared secret, which can be used as a secret key for symmetric algorithm such as AES, which is not really affected by quantum attacks. Quantum computers will make breaking AES easier in theory, but not useful in practice, it will be still safe enough.

## Hack: Installing the NuGet package 

In regular .NET 10 applications you do not need to install this NuGet package, as everything is part of the runtime itself. However, at time of writing, .NET Interactive (which is used in notebooks) uses version 9.0 and we have to import the package manually:

In [60]:
// Install the Microsoft.Bcl.Cryptography package 
#r "nuget: Microsoft.Bcl.Cryptography"

// Import namespace
using System.Security.Cryptography;

// Show what runtime we're actually on
Console.WriteLine($"Runtime version:  {System.Runtime.InteropServices.RuntimeInformation.FrameworkDescription}");

// Check whether ML-KEM is supported on this platform
Console.WriteLine($"ML-KEM supported: {MLKem.IsSupported}");

Runtime version:  .NET 9.0.11
ML-KEM supported: True


## Alice

Alice will generate her key pair, as usual in case of asymmetric algorithms. The only difference here is that in ML-KEM we use the term _encapsulation key_ instead of _public key_, to emphasize it's used only for encapsulation of data, not traditional encryption.

There are three variants: ML-KEM-512, ML-KEM-768 and ML-KEM 1024. The numbers come from the module dimension used in the underlying lattice construction. All these variants produce 256 bits (32 bytes) of secret, handy for AES-256.

Higher number is "better" in terms of security (and "worse" in terms of performance and data size). The following table shows the three variants and their parameters (security roughly equivalent to AES with given key lenghs and size of various aspects):

| Variant | AES Equivalent | Public Key (bytes) | Public Key (bits) | Private Key (bytes) | Private Key (bits) | Ciphertext (bytes) | Ciphertext (bits) |
|--------|---------------:|--------------------:|-------------------:|---------------------:|--------------------:|--------------------:|-------------------:|
| ML-KEM-512 | 128 | 800 | 6400 | 1632 | 13056 | 768 | 6144 |
| ML-KEM-768 | 192 | 1184 | 9472 | 2400 | 19200 | 1088 | 8704 |
| ML-KEM-1024 | 256 | 1568 | 12544 | 3168 | 25344 | 1568 | 12544 |


In [61]:
// Suppress warnings about experimental APIs for this demo
// (ExportPkcs8PrivateKeyPem method is currently marked as experimental)
#pragma warning disable SYSLIB5006

// Generate Alice's ML-KEM key pair
var alice = MLKem.GenerateKey(MLKemAlgorithm.MLKem768);
var alicePrivateKeyPem = alice.ExportPkcs8PrivateKeyPem();
var aliceEncapsulationKey = alice.ExportEncapsulationKey();

// Display Alice's keys
Console.WriteLine("Alice's Private Key:");
Console.WriteLine(alicePrivateKeyPem);
Console.WriteLine();
Console.WriteLine("Alice's Encapsulation (\"public\") Key:");
Console.WriteLine(Convert.ToBase64String(aliceEncapsulationKey, Base64FormattingOptions.InsertLineBreaks));

Alice's Private Key:
-----BEGIN PRIVATE KEY-----
MFQCAQAwCwYJYIZIAWUDBAQCBEKAQAIR1w9kKpWcuVHF8JumpHR8ZHS5D7Cs6zPD
6QHx6RqEBQR612rS5QpKDmSg83OtyqY2nEdxlNWi7oZpn92NvK8=
-----END PRIVATE KEY-----

Alice's Encapsulation ("public") Key:
2aIc+7R6EGhDUlJ1CjRZK0zC1VGIndgfmWp4b2yS6BCSdasnlDFEjnuLIWEypzpWQ0Z8sjLE6MA4
9mGm4yBvrhkaYrcQJxbM38CQYCc4tJiygFtBQBCcDaxc5vk6UPhad8XJN6qZOFCEeeMIyEITKvJV
p7SFdqmGL0zOWdCetHsm/GFq9kS9PKIgb3Js2JM6f1Wh1dzLjjAZJFGUKIYNXIMRFxEmDEacLmGr
uDVggiPHP6eXKmHAnciQ9hJTk1SjLbdfbkWrVAeE6DwGH5mGgsBg0+hc8fBCflcX4NxsC7EoFmSC
j0Sf4HDNM8AkqBCMdDoCr9ssb8U1ovVCXYua9nJyt1d0rbAo23nB2mw+w0Nbf2m+weKOAel5eRMp
9UJcSAB2p/pGOWt66Ls+pYO0cGK0DbpH/9qI2qMDPPJn2YFyJOBOQ7ZjSUlGQbS4RbzKnmYmzCRl
UXwsnOqAFdyfksd8DMq3SGuxmqCpv9hDS8DP0fa8W0XKTCJZwaVUWgZa/GJ0eJCpAzlu69Gr98wD
TWYyVsC54GK0MAG5XPZSUMaCwHzNAUp3KzUrdNNTvAwLPzh6SRKyQjevpsOd3OQ0koCkfLPLZjV8
fPOcheeXnNsp8Yt8+LlkLlDHa6LJOeIIWiIAMOqGjyYd9JcThpl1EPOYeNY15ywtKlljnrcyZCEj
QNhLqmxb6yOCIHep4KSGQAYhYoY7jvxSt0ok+1iD8xJET+ACqQktPKJq+NjN/Uuuq6W2LeszSzg

## Bob

Bob will take Alice's encapsulation key (public key) and generate both its raw shared secret and its encapsulated (encrypted) version:

In [64]:
// Import Alice's encapsulation key to create ML-KEM instance
var bob = MLKem.ImportEncapsulationKey(MLKemAlgorithm.MLKem768, aliceEncapsulationKey);

// Generate shared secret and encapsulated key
bob.Encapsulate(out var bobCiphertext, out var bobSharedSecret);

// Display Bob's generated keys
Console.WriteLine("Bob's Shared Secret:");
Console.WriteLine(Convert.ToBase64String(bobSharedSecret, Base64FormattingOptions.InsertLineBreaks));
Console.WriteLine();
Console.WriteLine("Bob's Encapsulated (\"encrypted\") Key:");
Console.WriteLine(Convert.ToBase64String(bobCiphertext, Base64FormattingOptions.InsertLineBreaks));

Bob's Shared Secret:
EPrOZeuq+6AtLWkSPCg7tpZbLITllypLrn45dZiJwZk=

Bob's Encapsulated ("encrypted") Key:
lVSNGtUsnxdKEfHUOGElckO4j1pMR+lKaLDHq/mtNj3SHTQLDqloUZ81sPjAJthQA42vbsxN6n3S
aNq0tM7rdhMqQnafmLAZVKTvTGXbSNQADMPz971JCt9HgnTxm4WyjNjLwvyJiw0JF/OZ/jPXB7Jr
yWZepJXjlTWL7DncztCxl5P+bYOYt4OIIUfauBaUh+detQl5A/tlod1V5bOlpishErdbARSuH+y9
m9++b3yEYEZTX4XA654+4VYJgADXfCGapdvuUEkk/uWDswhbuW3FMLdd1nWDmZWQF6/nKsYntVKa
CXn/EhnBcpmzCc5+dr+X4OwVgT3cU4PxijUOjEKEzy1lqVheXeDb6BjtRqW16fN/fy9pUnfqL7p9
LsijN4SVCtW/3PtNlJCKZy76UDQs29Iu0EFMsAollD4a2FkbA0zdVJF3sNM4tic/b1DgbafXSUhA
r/I5WjRnQVprt4MlIGymOJwJpTo/iEu4yDIGyRM2wo1bi+6kKZhfCF8drmTiWSZ8moQCy8RCFGc2
QjBojzFONj1nxTmq2+Q2mdQbJ/96NT/zMooidktXBl8Mo8SiF6lcazyTsTp9gXQm+MivGjnEH2K7
BncyX8HfQ+IwsicSWXjyxRKwIL5nI4BaCD9G9FSfjV+PA/887RQ0yL/LVMw7YakIgSpUDOj3QrRP
wuA28G4LiAYN287vx3EKWkmXaHUreRby2V8RUPksBaC15U27MSHLx6W0DWEYsnv5RwW2av+NsSy5
LEHQuaiyT3rjparnmRYOw8iNdcUc2glcNJQKpbV5Qw2pyhr4MIt6AGgN56w1Ca3KdKFP7jmQ7GXh
cshVo0LWvXCCAGz9GR/1fm+qJ3X1m4905t6icdLK2/anKAYc

# Alice

Alice will take the encapsulated secret and decapsulate (decrypt) it using her private key:

In [63]:
// Alice decapsulates the ciphertext to obtain the shared secret
var aliceSharedSecret = alice.Decapsulate(bobCiphertext);

// Display Alice's derived shared secret
Console.WriteLine($"Alice's Shared Secret: {Convert.ToBase64String(aliceSharedSecret)} ({aliceSharedSecret.Length * 8} bits)");
Console.WriteLine($"Bob's Shared Secret:   {Convert.ToBase64String(bobSharedSecret)} ({bobSharedSecret.Length * 8} bits) for reference");

Alice's Shared Secret: VMmx55bXC2o9LSlQ2K69jn6gkjub5TN4Ye+aHsziAJo= (256 bits)
Bob's Shared Secret:   VMmx55bXC2o9LSlQ2K69jn6gkjub5TN4Ye+aHsziAJo= (256 bits) for reference


Now both Alice and Bob have identical shared secrets, which they can use for symmetric encryption.