What changed in NIST FIPS 203 (ML-KEM) and why this will affect you sooner than you think
In August 2024, NIST standardized the world's first post-quantum cryptography algorithm. Out of academic paper, into Chrome, Signal, your bank. The honest guide to what changed, what stays the same, and what you should demand from the services you use.
On August 13, 2024, the United States National Institute of Standards and Technology (NIST) published three final documents: FIPS 203, 204, and 205. They are the world's first official post-quantum cryptography standards. FIPS 203 in particular defines ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism), known by its competition name CRYSTALS-Kyber.
For those who do not follow the subject, the news passed by. For those who do, it was the most important milestone in applied cryptography since the publication of AES in 2001.
This text explains what changed in FIPS 203, what stays the same, and why this decision by an American federal agency will affect what you use every day well before it seems.
Why we need this
The green padlock in the corner of the browser (the "S" of HTTPS) sustains modern digital life. It works because two mathematical problems are absurdly hard on normal computers: factoring large numbers (the basis of RSA) and computing discrete logarithms over elliptic curves (the basis of ECDH).
Normal computers take billions of years to attack these problems at realistic parameters. In 2026, this remains true.
But quantum computers solve both in hours, if they are large enough. Shor's algorithm, published in 1994, describes how. Research into quantum hardware has progressed since then. In 2026, the world's largest quantum computers have about 1,000 stable qubits. To successfully attack RSA-2048, you would need somewhere between 4,000 and 20 million qubits (depending on how many errors it tolerates). Not tomorrow. But also not "never".
The detail that changes everything: the strategy called harvest now, decrypt later. An attacker stores the encrypted traffic you generate today, saves it to disk, waits 15 or 20 years. When the quantum computer reaches critical size, it decrypts retroactively. Everything you encrypted in 2026 with RSA will be legible in 2040.
For data that needs to stay secret for decades (an industrial secret, a medical record, a tax return, a personal identity), today's padlock may stop protecting it before that secrecy stops mattering.
What NIST chose
NIST opened an international competition in 2017 to choose post-quantum algorithms. Five years of public submissions, open cryptanalysis, elimination of fragile proposals. In July 2022, it announced four finalists. In August 2024, it standardized three of them in FIPS 203, 204, and 205.
FIPS 203 (ML-KEM) is the replacement for RSA and ECDH to establish keys. When your browser starts HTTPS with a site, it needs to agree with the server on a shared key without anyone listening in to discover it. ML-KEM does this while resisting quantum computers.
FIPS 204 (ML-DSA) is the replacement for digital signatures. When you install software and the system validates it came from the manufacturer, that is a digital signature. When the Bitcoin blockchain validates that a transaction was made by the holder of the key, that is a digital signature.
FIPS 205 (SLH-DSA) is an alternative digital signature, based on hashes. Slower, simpler, with a longer history of analysis. Technical reserve in case ML-DSA has a problem discovered later.
The focus of this text is FIPS 203, because it is the one that affects web browsing, messengers, password vaults, and everything that involves "establishing a secret key between two parties".
What ML-KEM does differently
ML-KEM is based on module learning with errors over lattices. Rough translation: "learning the pattern under noise in mathematical structures called lattices".
The intuition (simplified beyond the real math):
- Imagine you have a huge set of numbers that appear random.
- They are actually inside a mathematical structure (a lattice).
- Distinguishing "random noise" from "noise with hidden structure" is easy if you know the structure.
- It is very hard to discover the structure from the numbers, even with a quantum computer.
Unlike RSA (based on factoring) and ECDH (based on discrete logarithm), ML-KEM has no known quantum algorithm that breaks it in reasonable time. Shor's algorithm does not apply. Other theoretical quantum algorithms (Grover) reduce brute-force attacks, but not exponentially. To mitigate Grover, ML-KEM uses larger parameters, and that is why the "ML-KEM-1024" version has much larger keys than RSA-2048.
Practical sizes:
| Algorithm | Pubkey | Privkey | Ciphertext |
|---|---|---|---|
| RSA-2048 | 256 B | 256 B | 256 B |
| ECDH P-256 | 32 B | 32 B | 64 B (with share) |
| ML-KEM-512 | 800 B | 1,632 B | 768 B |
| ML-KEM-768 | 1,184 B | 2,400 B | 1,088 B |
| ML-KEM-1024 | 1,568 B | 3,168 B | 1,568 B |
ML-KEM is "fatter" in bytes. But it is faster in CPU than RSA (encapsulation takes microseconds, RSA-2048 takes milliseconds). For web browsing, the increase in key size is absorbed by today's bandwidth without noticeable cost.
The three variants (512, 768, 1024) correspond to NIST security categories 1, 3, and 5. Category 1 is roughly equivalent to AES-128. Category 5 is equivalent to AES-256. For data that should last decades, 1024 is recommended.
What stays the same
Common confusion: "if ML-KEM replaces RSA, does that mean AES, hashes, and everything else also fall with the quantum computer?". No.
AES-256 is fine. The quantum computer reduces effective strength by half via Grover, so AES-128 becomes "equivalent to AES-64" (fragile), but AES-256 becomes "equivalent to AES-128" (still strong). The industry is migrating from 128 to 256 where it had not already. Current recommendation: use AES-256 by default.
SHA-256 and SHA-3 are fine. Same argument: Grover reduces by half. SHA-256 becomes "equivalent to SHA-128", which is weaker but still far from breakable. For long durability, SHA-3 or BLAKE3 are more conservative.
HMAC, KDF based on hashes, key derivation (HKDF, Argon2, scrypt): they are fine. Quantum does not change much.
Hash-based signatures (SLH-DSA, old hash-based signatures): they have been post-quantum from the beginning. They just were not officially standardized. Now they are.
What falls with quantum is exactly the family of operations that depend on factoring or discrete logarithm. To simplify: "establishing key" and "signing with classical asymmetric key" need to migrate. The rest, mainly "encrypting with symmetric key" and "doing hash", remains firm.
The hybrid strategy being adopted now
Despite FIPS 203 being the final standard, nobody in 2026 is using ML-KEM alone in production. The industry adopted a hybrid strategy: combine ML-KEM with a classical algorithm so that an attacker must break both before the combination falls.
Why? Because ML-KEM is new. It has 6 years of public analysis (published in 2017, standardized in 2024). Classical algorithms (RSA, ECDH) have 40+ years. There is no way to be absolutely certain that ML-KEM has no weakness yet to be discovered.
The hybrid strategy is reasonable caution during the transition:
- If ML-KEM falls (new cryptanalysis), the classical component still holds.
- If the classical falls (quantum computer arrives), ML-KEM holds.
- For it to truly fall, both need to be broken.
The concrete standard adopted by Chrome, Cloudflare, Signal, and others in 2024-2025 is X25519MLKEM768. It combines the classical elliptic curve X25519 with ML-KEM-768. The client does a classical and post-quantum handshake in parallel, derives a combined key via HKDF, and that becomes the TLS session key.
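The combination step described above, as an added example that is not code from the original article or from any of the products named: it splits the X25519MLKEM768 key shares using the sizes from the table (ML-KEM-768 first, then the 32-byte X25519 share, as in the TLS draft), concatenates the two shared secrets, and derives one session key with HKDF. The shared-secret values and the salt/label are constructed placeholders, and the single HKDF stage is a simplification of the full TLS 1.3 key schedule.

```python
import hashlib
import hmac

# Sizes from the article's table (FIPS 203) plus the 32-byte X25519 share.
MLKEM768_EK_LEN = 1184   # ML-KEM-768 encapsulation (public) key
MLKEM768_CT_LEN = 1088   # ML-KEM-768 ciphertext
X25519_LEN = 32          # X25519 public share and shared secret
SS_LEN = 32              # ML-KEM shared secret is 32 bytes


def split_client_share(share: bytes) -> tuple[bytes, bytes]:
    """Split the client's X25519MLKEM768 key_share: ML-KEM ek || X25519 pk."""
    if len(share) != MLKEM768_EK_LEN + X25519_LEN:
        raise ValueError(f"bad client share length {len(share)}")
    return share[:MLKEM768_EK_LEN], share[MLKEM768_EK_LEN:]


def split_server_share(share: bytes) -> tuple[bytes, bytes]:
    """Split the server's reply: ML-KEM ciphertext || X25519 pk."""
    if len(share) != MLKEM768_CT_LEN + X25519_LEN:
        raise ValueError(f"bad server share length {len(share)}")
    return share[:MLKEM768_CT_LEN], share[MLKEM768_CT_LEN:]


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step: PRK = HMAC(salt, IKM)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(mlkem_ss: bytes, x25519_ss: bytes, salt: bytes) -> bytes:
    """Combine both shared secrets into one session key.

    Hybrid secret = mlkem_ss || x25519_ss (ML-KEM first for X25519MLKEM768).
    Changing either half changes the key, so both must be broken to recover it.
    Salt and label are constructed; real TLS 1.3 has more key-schedule stages.
    """
    if len(mlkem_ss) != SS_LEN or len(x25519_ss) != X25519_LEN:
        raise ValueError("shared secrets must be 32 bytes each")
    prk = hkdf_extract(salt, mlkem_ss + x25519_ss)
    return hkdf_expand(prk, b"tls13 hybrid demo", 32)
```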
In 2025-2026, Chrome activated X25519MLKEM768 by default in connections to sites that support it. Cloudflare activated it at the edge for all hosted sites. Apple signaled intent to adopt it in iMessage and iCloud.
Your HTTPS navigation today may already be post-quantum without you having done anything. To check, open DevTools in Chrome → Security tab → Connection. The name of the key exchange used appears there. If it says X25519MLKEM768, congratulations, you are using it.
What changes for the average user
Honestly, almost nothing visible.
The green padlock looks the same. The interface does not show "this site uses post-quantum". The connection is slightly slower on first access (a few milliseconds), imperceptible after.
The practical effects come in the form of market maturation:
Next 6-12 months:
- More sites adopting hybrid. Cloud providers accepting it as default.
- Mobile apps starting to flag it ("post-quantum connection" in more advanced banking apps).
- Browsers automatically falling back to hybrid, without you needing to change anything.
Next 1-3 years:
- Enterprise software companies require "FIPS 203 compliance" in American government purchases (already mandatory in some contexts).
- Digital vaults, messengers, and backups adopt ML-KEM in their internal architectures (not just in transport). This is where TAIVA Vault enters.
- Libraries and languages bring ML-KEM built in. You do not even decide; it arrives underneath `npm install` or `pip install`.
Next 5-10 years:
- ML-KEM becomes invisible default. Classical RSA and ECDH become legacy, deprecated in new standards.
- The traffic attackers have been recording starts becoming useless to them. The "harvest now" attack stops working at the boundary of what was encrypted in 2026-2030.
What to demand from services you use
Concretely. How do you know if a service is preparing for this future?
1. Look for mentions of "post-quantum cryptography" or "ML-KEM" or "FIPS 203" in technical documentation. Not in marketing. Look in the whitepaper, security policy, technical blog. If there is no mention, either they have not considered it yet, or they considered it and do not want to commit.
2. In banking or financial apps: ask support if they have a roadmap to adopt hybrid TLS X25519MLKEM768. An answer empty of technical terms is a negative answer.
3. In password vaults, cryptocurrency wallets, encrypted backups: demand ML-KEM in the key wrap, not just in TLS. Post-quantum TLS protects against live interception. Post-quantum wrap protects against retroactive database leak. The two defenses are complementary, not substitutes.
4. In messengers: Signal announced in 2023 that it is integrating post-quantum into the protocol (not just TLS). iMessage announced PQ3 in 2024. WhatsApp still silent on its roadmap.
5. In browsers and operating systems: you already have it or it is coming, without you needing to do anything. Chrome, Edge, Firefox, and Safari are all on the path.
The transition to post-quantum is not a single event. It is a migration process of 5-15 years. FIPS 203 marks the official start. Those who started early (providers that adopted hybrid in 2024-2025) arrive cleaner at the destination.
Why this matters to you today
Back to the beginning. Harvest now, decrypt later is the critical argument. It is not important because of hypothetical threats in 2040. It is important because what you encrypt TODAY can be read IN THE FUTURE, retroactively.
If you are a journalist with confidential sources, encrypt with hybrid now. The source who trusts you today can be exposed in 15 years.
If you are a doctor with patient records, encrypt with hybrid now. The patient who has data in 2026 can have that information linked to your identity in 2040.
If you are a company with industrial secrets, encrypt with hybrid now. The patent filed in 2026 that would still be producing revenue in 2045 may be in a competitor's hands before that.
If you are anyone with extensive digital life (bank password, intimate photo, personal conversation, tax return, health data), use services that have committed to post-quantum. It costs no more, does not limit you. It just avoids a problem that will knock on the door sooner than it seems.
Also read:
- How a vault that never knows your password works: where ML-KEM-1024 enters in practice at TAIVA Vault.
- There is a computer being built that will break every digital bank you have. When does it arrive?: the panorama of the quantum threat in direct language.
- Recovery without losing sovereignty: 3 independent envelopes: another practical example of using advanced cryptography with usability.
TAIVA Vault: personal digital vault with ML-KEM-1024 hybrid (FIPS 203) in the key wrap. Post-quantum today, not in a decade. Create a free account →
TAIVA is a post-quantum password vault hosted in Brazil. Your passwords are encrypted client-side, with your key split between two servers. Free forever, PRO at R$49/mo.