# Alice, Bob & Eve: ML-KEM

Alice and Bob are going quantum safe! The previous algorithms (RSA and Diffie-Hellman) are not safe against quantum computers. If we can expect that Eve has access to quantum computer, we have to use something more resillent. And even if Eve does not have access to quantum computer now, she will definitely have access to one in the future. 

Therefore she can do the _harvest now, decrypt later_ attack. The name says it: she can eavesdrop the communication today, even though she is unable to decrypt it immediatelly. But she can store the data and decrypt it later, once she obtains the quantum computer.

We will use the ML-KEM (Module‑Lattice‑based Key‑Encapsulation Mechanism) algorithm, originally known as CRYSTALS-Kyber (Cryptographic Suite for Algebraic Lattices). This is _post-quantum_ algorithm, also called _quantum-safe_ algorithm. It runs on current digital computers, but is safe from attacks made with future quantum computers.

ML-KEM is similar to the Diffie-Hellman algorithm in that it does not support encryption of arbitrary data, but can be used to derive a common shared secret, which can be used as a secret key for symmetric algorithm such as AES, which is not really affected by quantum attacks. Quantum computers will make breaking AES easier in theory, but not useful in practice, it will be still safe enough.

## Hack: Installing the NuGet package 

In regular .NET 10 applications you do not need to install this NuGet package, as everything is part of the runtime itself. However, at time of writing, .NET Interactive (which is used in notebooks) uses version 9.0 and we have to import the package manually:

In [1]:
// Install the Microsoft.Bcl.Cryptography package 
#r "nuget: Microsoft.Bcl.Cryptography"

// Import namespace
using System.Security.Cryptography;

// Show what runtime we're actually on
Console.WriteLine($"Runtime version:  {System.Runtime.InteropServices.RuntimeInformation.FrameworkDescription}");

// Check whether ML-KEM is supported on this platform
Console.WriteLine($"ML-KEM supported: {MLKem.IsSupported}");

Runtime version:  .NET 9.0.11
ML-KEM supported: True


## Alice

Alice will generate her key pair, as usual in case of asymmetric algorithms. The only difference here is that in ML-KEM we use the term _encapsulation key_ instead of _public key_, to emphasize it's used only for encapsulation of data, not traditional encryption.

There are three variants: ML-KEM-512, ML-KEM-768 and ML-KEM 1024. The numbers come from the module dimension used in the underlying lattice construction. All these variants produce 256 bits (32 bytes) of secret, handy for AES-256.

Higher number is "better" in terms of security (and "worse" in terms of performance and data size). The following table shows the three variants and their parameters (security roughly equivalent to AES with given key lenghs and size of various aspects):

| Variant | AES Equivalent | Public Key (bytes) | Public Key (bits) | Private Key (bytes) | Private Key (bits) | Ciphertext (bytes) | Ciphertext (bits) |
|--------|---------------:|--------------------:|-------------------:|---------------------:|--------------------:|--------------------:|-------------------:|
| ML-KEM-512 | 128 | 800 | 6400 | 1632 | 13056 | 768 | 6144 |
| ML-KEM-768 | 192 | 1184 | 9472 | 2400 | 19200 | 1088 | 8704 |
| ML-KEM-1024 | 256 | 1568 | 12544 | 3168 | 25344 | 1568 | 12544 |


In [2]:
// Suppress warnings about experimental APIs for this demo
// (ExportPkcs8PrivateKeyPem method is currently marked as experimental)
#pragma warning disable SYSLIB5006

// Generate Alice's ML-KEM key pair
var alice = MLKem.GenerateKey(MLKemAlgorithm.MLKem768);
var alicePrivateKeyPem = alice.ExportPkcs8PrivateKeyPem();
var aliceEncapsulationKey = alice.ExportEncapsulationKey();

// Display Alice's keys
Console.WriteLine("Alice's Private Key:");
Console.WriteLine(alicePrivateKeyPem);
Console.WriteLine();
Console.WriteLine("Alice's Encapsulation (\"public\") Key:");
Console.WriteLine(Convert.ToBase64String(aliceEncapsulationKey, Base64FormattingOptions.InsertLineBreaks));

Alice's Private Key:
-----BEGIN PRIVATE KEY-----
MFQCAQAwCwYJYIZIAWUDBAQCBEKAQO3rHRAj+Ymb6nP05fkHRmUtCNhgGYqu4j5X
+RWMeGbXBiccQk21TJRzSE8E8Qfx9dubwdV1KiWRuIUN4RRuI8M=
-----END PRIVATE KEY-----

Alice's Encapsulation ("public") Key:
TkqDqiO4HXasCQxrmToVxAVvR4Gcg1yUPHkGfuq9PHVEJNNCdrZt2Dk/VIMyUXcipgVF/lMI0HXO
1YlOlYGMpRa3fhYdeWtdHaE8Ena6GGkJNRm2Fpd/RtysB+mtT4iYhIubP1cterw+LHSO1pzMrnMk
sJwvb+ijAqlEUlpsEZxhP/ezwChIontdaju9cZF8siiE8RVabEjEkbMq+TKXbfGqUJsx77M/yYtG
zfm4D5OAz9uPPHue7xxiCBENCYHExyRnULpNDaOrN4mIafIxtgTBQexNHgMvc4I6nmADGNRJp4dr
sSrCImjAVqEeXkAR1fFGQbKhNTJusBFwICGP24qDoIXGhHylrjY3hIIF7sqUcLEq7Xs3tPIwxDqf
5vVR7onM7phUFnxyIdWwoMGx0iIpxBewGIhl8eqdjXJiXReroQZzJQB6P2SaPyee6MCCSLTA9tAU
UKEgmRFkBOaSevpMWoCiIHjGnnY76Fy+YeE1HRnEEAK/5WGXxAphoetrJok9WcQbFPZhLoOxvgsP
zlVeiRaAusogSGyBbzCpjHvMjreTzHdVzGwzyaJScMkBXsOLf9zIgQo5aEc0eis23lY0ApNMY9xr
pUtDlAgxZ6O7T1OdAnC6T4UJcOJwXceq5lySouc5DuGbwNYcY1CrXuvP7KieHwiqmzoH76DJRSrO
1uS9XTRqXuU0kUPHDMUJRnqvqXVkEZtElKGHbrErPLyrxVMGC3cTUaV+6Za7OgMJEMAqIPjFGWu

## Bob

Bob will take Alice's encapsulation key (public key) and generate both its raw shared secret and its encapsulated (encrypted) version:

In [3]:
// Import Alice's encapsulation key to create ML-KEM instance
var bob = MLKem.ImportEncapsulationKey(MLKemAlgorithm.MLKem768, aliceEncapsulationKey);

// Generate shared secret and encapsulated key
bob.Encapsulate(out var bobCiphertext, out var bobSharedSecret);

// Display Bob's generated keys
Console.WriteLine("Bob's Shared Secret:");
Console.WriteLine(Convert.ToBase64String(bobSharedSecret, Base64FormattingOptions.InsertLineBreaks));
Console.WriteLine();
Console.WriteLine("Bob's Encapsulated (\"encrypted\") Key:");
Console.WriteLine(Convert.ToBase64String(bobCiphertext, Base64FormattingOptions.InsertLineBreaks));

Bob's Shared Secret:
X55nd2WjW4keCRR2f7+mQyewel/69erwC+3RkXQaOrU=

Bob's Encapsulated ("encrypted") Key:
6cOZaxv845OEWGAxG65Gfz/y2Lzy6PKUth01QV4eOBNk0Fje719yVOekEbFiSU5Lqp5ppHKu+ugU
30VUOTM9MGCEwHhhgkm6lXJMHaaqqgQ6EuXA6rQRN+QhLH6ug3OBq55UAECOMXiFO6Bh1/ODTjji
xJOlPQh5ft5NDympVBrOzl4c9i2nkyNwEs454V/g3JQwyAhBIUBdHZR1Kfb+rYG/CdO54/w9CT0x
BRhBYfJKuCo6j/W3nDFb4T7joM88jdeRDtbSx7biqwEqhA9QpvwTv4X4EFPGeMoIb+lH6iuCBLqP
iUsj0LH5BjiUoihj+vLXZdH//m1XMh6MATTXDQA4FnnNLoiqmrEOjT2Dv6fLimWmt/O1yTBWhAOc
jE9BTtZU3Zp/tS+nZa4cVGfTna29FVAyd+tmieJiNewcv5/MovZWmxR77MHaDRBDLahno/ftDwJY
a789V8raTqAiQ/Fq1x95MWvTxXAKnLKGUiZJz8GUEDHrmTzdnJQqTObu5fIe3JHBYi/LcPWUDpom
sPQrSTn7GLDzMtu9RqQiRhRgwB9t9Xhb/c/4g2IrELM4oURnpVKVFcUgVpmbWHBMdrqnb42++FXX
llEElH5aHORHkzNts0Cr0OS7Dgp1J7lIzy6yt+0KX91A8Dt6cAOB4gS/9pUm/ot/MdJWsRvqsdns
7CUkMG08ZvdrJR25fURj6sDwJsNuYfn8oUpei4/GyUNvkYqxH5iNJFeOHYWu/S2jOG2fT3unLsL9
HsiHgs2AvbM1aBFOpArJsUYXDeMYThsKreh3wHS3JOEkhzOIchBMzeEVnfhgeb7RVzLE8YbQ6DqM
LVc9dyaWB+6LyfMUnwrtz9N23WoGRpQzCujg3b+M2kb51kaR

# Alice

Alice will take the encapsulated secret and decapsulate (decrypt) it using her private key:

In [4]:
// Alice decapsulates the ciphertext to obtain the shared secret
var aliceSharedSecret = alice.Decapsulate(bobCiphertext);

// Display Alice's derived shared secret
Console.WriteLine($"Alice's Shared Secret: {Convert.ToBase64String(aliceSharedSecret)} ({aliceSharedSecret.Length * 8} bits)");
Console.WriteLine($"Bob's Shared Secret:   {Convert.ToBase64String(bobSharedSecret)} ({bobSharedSecret.Length * 8} bits) for reference");

Alice's Shared Secret: X55nd2WjW4keCRR2f7+mQyewel/69erwC+3RkXQaOrU= (256 bits)
Bob's Shared Secret:   X55nd2WjW4keCRR2f7+mQyewel/69erwC+3RkXQaOrU= (256 bits) for reference


Now both Alice and Bob have identical shared secrets, which they can use for symmetric encryption.