Key encapsulation mechanism (KEM)
A key encapsulation mechanism (KEM) is a public-key primitive for establishing a shared secret. KeyGen produces a key pair, Encaps uses the public key to output a ciphertext together with a fresh shared secret, and Decaps recovers that secret from the ciphertext with the private key. The secret then keys symmetric encryption for the actual data.
Why KEMs replaced Diffie-Hellman
Classical protocols derive session keys from Diffie-Hellman style key exchange, where both sides contribute a public value and compute the same secret. The main post-quantum families offer no efficient drop-in for that non-interactive exchange, but they do yield fast KEMs, so protocol designers rebuilt handshakes around encapsulation. FIPS 203 standardizes ML-KEM as the primary post-quantum KEM, and NIST selected the code-based HQC as a backup in March 2025. Deployed handshakes usually pair a KEM with a classical curve as hybrid cryptography.
Security notion
The standard target is IND-CCA security (indistinguishability under chosen-ciphertext attack): an attacker who can query decapsulation on other ciphertexts still cannot tell the encapsulated secret from random. IND-CCA security is what lets one KEM public key be reused across many encapsulations, as in the HPKE construction of RFC 9180.
Sources
Cite this entry
"Key encapsulation mechanism (KEM)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/kem@misc{pqwiki-kem,
title = {Key encapsulation mechanism (KEM)},
howpublished = {\url{https://postquantum.wiki/kem}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}