Key encapsulation mechanism (KEM)

A key encapsulation mechanism (KEM) is a public-key primitive for establishing a shared secret. KeyGen produces a key pair, Encaps uses the public key to output a ciphertext together with a fresh shared secret, and Decaps recovers that secret from the ciphertext with the private key. The secret then keys symmetric encryption for the actual data.

Why KEMs replaced Diffie-Hellman

Classical protocols derive session keys from Diffie-Hellman style key exchange, where both sides contribute a public value and compute the same secret. The main post-quantum families offer no efficient drop-in for that non-interactive exchange, but they do yield fast KEMs, so protocol designers rebuilt handshakes around encapsulation. FIPS 203 standardizes ML-KEM as the primary post-quantum KEM, and NIST selected the code-based HQC as a backup in March 2025. Deployed handshakes usually pair a KEM with a classical curve as hybrid cryptography.

Security notion

The standard target is IND-CCA security (indistinguishability under chosen-ciphertext attack): an attacker who can query decapsulation on other ciphertexts still cannot tell the encapsulated secret from random. IND-CCA security is what lets one KEM public key be reused across many encapsulations, as in the HPKE construction of RFC 9180.

Sources

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
  2. RFC 9180: Hybrid Public Key Encryption (IETF, 2022)
  3. NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption (NIST, 2025)
Cite this entry
"Key encapsulation mechanism (KEM)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/kem@misc{pqwiki-kem, title = {Key encapsulation mechanism (KEM)}, howpublished = {\url{https://postquantum.wiki/kem}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }