In the post-quantum world, the security of KEMs must rely on quantum-resistant mathematical problems. Here are the key post-quantum techniques used for designing KEMs: 

Lattice-based cryptography—uses lattices and their associated mathematical properties to provide security. A lattice is a set of points in a multi-dimensional space that form a regular gridlike structure. Lattice-based cryptography is one of the most promising post-quantum techniques because it provides strong security guarantees and relatively efficient operations. It is based on the hardness of problems like Learning with Errors and Short Integer Solution [ 8 ]. Lattice-based KEMs are attractive due to their relatively small key sizes and fast operations, making them suitable for practical implementations [ 9 ].

Code-based cryptography—relies on error-correcting codes to provide security. The security of these    schemes is based on the hardness of decoding certain structured codes, making them resistant to quantum attacks. Code-based cryptography uses the difficulty of decoding random linear codes, particularly generalized Goppa codes. One of the oldest forms of post-quantum cryptography, it offers a high level of security but often comes with larger key sizes [ 10 ]. Hash-based cryptography—built upon cryptographic hash functions. These schemes are based on the hardness of finding collisions in the hash function, offering a potential post-quantum solution. Hashbased cryptography’s fundamental benefit is that it is a commonly used, well-researched technique that ensures great resistance to quantum assaults, making it a candidate for long-term security in the postquantum period (as a long enough key is utilized). While primarily used in signature schemes, hashbased cryptography can also be adapted for KEM. These rely on the difficulty of finding preimages or collisions in cryptographic hash functions.

Multivariate polynormal cryptography—relies on algebraic equations with multivariate polynomials. Although secure, the size of the public and private keys can be large [ 11, 12 ].

Isogeny-based cryptography—based on the mathematics of elliptic curves and isogenies. These schemes rely on constructing mappings between elliptic curves. It offers some of the smallest key sizes of any post-quantum cryptosystem but is relatively slow [ 13–16 ].

During the transition to post-quantum cryptography, hybrid KEMs are being used. These combine classical cryptographic methods (like RSA or ECC) with postquantum methods. For example, a hybrid KEM could simultaneously run both a lattice-based KEM (for postquantum security) and an RSA-based KEM (for classical security), ensuring safety from both quantum and classical attacks [ 17 ].

Implementing post-quantum Key Encapsulation Mechanisms in real-world systems presents several practical challenges.

Many post-quantum KEMs, especially those based on lattice and code-based cryptography, involve much larger key sizes compared to classical systems. For example, codebased KEMs like Classic McEliece have public keys that are several hundred kilobytes in size, which is significantly larger than RSA or ECC public keys. Larger key sizes increase the bandwidth needed for key exchange, which can slow down communication, particularly in low-bandwidth environments such as mobile networks, IoT devices, or satellite communications.

Post-quantum cryptographic schemes often require more computational power than traditional cryptographic algorithms.

For instance, lattice-based schemes like CRYSTALS-KYBER are efficient in terms of security but may still require more CPU cycles compared to classical systems. Implementing these algorithms on resource-constrained devices (e.g., IoT devices) can be difficult, as they may not have the processing power required to handle the increased computational load. The increased computation can introduce latency in key exchange processes. This can be a significant issue for real-time systems (e.g., VoIP, video conferencing), where even small delays in establishing secure connections can degrade user experience [ 17 ].

Many existing security protocols (e.g., TLS, SSH, IPsec) are based on classical cryptographic primitives like RSA and ECC. Implementing post-quantum KEMs requires either significant changes to these protocols or hybrid systems that combine classical and post-quantum techniques. Modifying or extending widely used protocols to support post-quantum KEMs can be complex [ 18 ]. It requires not only software updates but also widespread adoption to ensure that all parties in a communication system can use the new algorithms [ 8 ].

One solution to this challenge is the use of hybrid cryptography, where both classical and post-quantum algorithms are used together in a key exchange process. However, this increases the complexity of the system and can further slow down performance. Hybrid methods can add overhead, as two cryptographic algorithms (classical and post-quantum) are run in parallel, increasing computational and communication costs [ 19 ].

Many post-quantum algorithms, especially those based on lattice cryptography, are vulnerable to side-channel attacks such as timing attacks, power analysis, and fault injection attacks. These attacks exploit the physical characteristics of a system to recover secret keys. Protecting implementations of post-quantum KEMs from side-channel attacks requires additional countermeasures, such as constant-time implementations or masking techniques. These countermeasures can increase the complexity and reduce the performance of the system [ 20 ].

While NIST is in the process of standardizing postquantum algorithms, the field is still evolving. Organizations face uncertainty when selecting which postquantum algorithm to implement, as premature adoption could lead to interoperability issues or the need for future upgrades. Additionally, ensuring interoperability between different implementations of post-quantum KEMs remains a challenge. After careful consideration during the third round of the NIST PQC Standardization Process, NIST has identified a candidate algorithm for standardization. NIST will recommend the primary KEM algorithm to be implemented for most use cases: CRYSTALS-KYBER. The four algorithms selected for this fourth round are BIKE, Classic McEliece, HQC, and SIKE. Many industries rely on cryptographic standards and certifications to ensure security (e.g., FIPS 140-2/3). Post-quantum cryptographic systems will need to go through extensive certification processes to be widely adopted in regulated environments, which can be time-consuming.

While post-quantum KEMs are designed based on problems thought to be hard for quantum computers (e.g., lattice problems, isogenies, etc.), there is still some uncertainty about the long-term security of these algorithms. It is possible that future mathematical breakthroughs or quantum algorithms could weaken these assumptions. Building trust in the security of post-quantum KEMs is essential for their widespread adoption. However, businesses may be reluctant to deploy post-quantum solutions until there is a high level of confidence in their security. There is also resistance to change in the industry. Many organizations have deeply entrenched cryptographic infrastructures that rely on RSA or ECC, and the cost of transitioning to post-quantum cryptography may be prohibitive in the short term.

During the transition to post-quantum cryptography, systems will need to support both classical and quantumsafe algorithms simultaneously. This creates additional complexity in terms of key management, negotiation of algorithms, and ensuring that both parties in a communication can agree on a common cryptographic approach. Implementing dual cryptographic systems can lead to security risks if not done properly, such as potential downgrade attacks where an adversary forces the use of weaker, classical algorithms.

The transition to post-quantum KEMs is necessary to ensure long-term security in the face of quantum computing advancements, but it comes with practical challenges related to efficiency, key sizes, integration, and trust. Overcoming these challenges will require advances in both cryptographic research and engineering, as well as widespread industry adoption of post-quantum standards [ 21 ].

CRYSTALS-Kyber (Cryptographic Suite for Algebraic Lattices) is one of the most prominent lattice-based KEMs and was selected as a NIST finalist due to its efficiency, security, and small key and ciphertext sizes. It is based on the Module Learning With Errors (Module-LWE) problem, a variant of the Learning With Errors (LWE) problem, which is widely regarded as hard for quantum computers to solve [ 25 ].

The construction of Kyber follows a two-stage approach: first introduce an INDCPA-secure public-key encryption scheme encrypting messages of a fixed length of 32 bytes, which is called Kyber.CPAPKE. Then use a slightly tweaked Fujisaki–Okamoto (FO) transform to construct the IND-CCA2-secure KEM, which is called Kyber.CCAKEM.

Kyber defines three parameter sets, which we call Kyber512, Kyber768, and Kyber1024. The parameters are listed in Table 2.

Designation Kyber512 Kyber768 Kyber1024 n is set to 256 because the goal is to encapsulate keys with 256 bits of entropy (i.e., use a plaintext size of 256 bits in Kyber.CPAPKE.Enc). Smaller values of n would require encoding multiple key bits into one polynomial coefficient, which requires lower noise levels and therefore lowers security. Larger values of n would reduce the capability to easily scale security via parameter k.

q as a small prime satisfying n | (q-1); this is required to enable fast NTT-based multiplication. There are two smaller primes for which this property holds, namely 257 and 769. However, for those primes we would not be able to achieve the negligible failure probability required for CCA security, so was chosen the next largest, i.e., q = 3329.

k is selected to fix the lattice dimension as a multiple of n; changing k is the main mechanism in Kyber to scale security (and as a consequence, efficiency) to different levels. Kyber offers a good balance between key/ciphertext size and performance. It is more efficient in both space and speed compared to many other post-quantum candidates.

Public Key Size: Ranges from 736 bytes (Kyber512) to 1,568 bytes (Kyber1024).

Ciphertext Size: Ranges from 800 bytes (Kyber512) to 1,568 bytes (Kyber1024).

Kyber’s computational efficiency makes it suitable for a wide range of applications, including low-power devices such as IoT and mobile devices. Kyber provides a very efficient encapsulation and decapsulation process, particularly when compared to other post-quantum KEMs. 4.2. BIKE BIKE (Bit-Flipping Key Encapsulation) is a code-based cryptographic system that uses Quasi-Cyclic ModerateDensity Parity-Check (QC-MDPC) codes. It’s designed to offer efficient key encapsulation while relying on the hardness of decoding random linear codes, a wellestablished hard problem in cryptography.

BIKE is based on the decoding of QC-MDPC codes, which involves error correction methods. This problem has been studied for decades, and no quantum or classical efficient algorithms are known to solve it. The core cryptographic mechanism is the decoding process for MDPC codes, which involves flipping bits to correct errors in a way that only the legitimate parties can succeed.

BIKE’s first building block is a public key encryption scheme based on a variant of the Niederreiter framework. The plaintext is represented by the sparse vector (e0, e1), and the ciphertext by its syndrome. The decryption is performed with a decoding procedure. Next, this PKE is converted into an IND-CCA KEM with the application of the Fujisaki-Okamoto transformation. For the scheme to be truly IND-CCA, there must be conditions on the decoding failure rate (also called DFR), which is the case here with the chosen decoder [ 26, 27 ].

As defined in the specifications, the parameters should satisfy several constraints. The block length r should be a prime number, and 2 should be primitive modulo r. The parameter w should be such that w = 2d ≈ √n with d being odd. In addition, the error weight should be such that t ≈ √n. Instantiated parameters are present in Table 3. While BIKE offers relatively compact ciphertext sizes, it tends to require larger public keys compared to lattice-based KEMs like Kyber.

Public Key Size: Ranges from 1,254 bytes to 4,140 bytes, depending on the security level.

Ciphertext Size: Approximately 154 bytes to 284 bytes.

BIKE is relatively efficient in the key encapsulation process due to the use of fast bit-flipping decoding algorithms, although it can be slower than some latticebased systems in some use cases. The reliance on errorcorrecting codes is a tried-and-tested approach, giving confidence in its long-term security against both classical and quantum attacks.

Classic McEliece is one of the oldest and most established post-quantum cryptosystems, first proposed in 1978. It relies on the hardness of decoding random Goppa codes, a task that has resisted efficient attacks for over four decades. Classic McEliece has gained attention due to its longstanding security record and robust resistance to quantum attacks [ 28 ].

The original purpose is to encode data and transmit it on a noisy channel, allowing the receiver to remove the errors to get the correct message. If the decoder is kept secret and cannot be deduced from the encoder, it makes encoding with errors a one-way trapdoor function: the sender encodes with the public encoder and adds as many errors as the decoder can remove. The receiver with the decoder is then the only one who can remove the errors and read the message.

The public key size grows substantially from 261120 bytes at NIST level 1 to 1357824 bytes at NIST level 5c. The private key size also sees a significant increment from 6492 bytes at level 1 to 14120 bytes at level 5c. These increases align with the general principle that larger key sizes translate into stronger security, making the system more resilient against cryptographic attacks. The ciphertext size and the session key size also increase as the NIST level progresses, pointing to stronger security and larger communication overheads [ 29 ]. However, the session key size remains consistent at 32 bytes, as its primary role is to ensure confidentiality and integrity during a session, regardless of the NIST level.

Public key, bytes 261120 524160 1044992 1047319 1357824

Private key, bytes 6492 13608 13932 13948 14120

Ciphertext, bytes 96 156 208 194 208

Session key, bytes 32 32 32 32 32 Classic McEliece is known for its very large public key sizes, which are its primary drawback, but it has very small ciphertext sizes and extremely fast decapsulation.

Public Key Size: Up to 1 MB or more for higher security levels.

Ciphertext Size: 208 bytes.

Although the public keys are large, the small ciphertext size and fast decryption process make McEliece suitable for high-performance applications where the size of the public key is not a critical issue. The major disadvantage of McEliece is the size of its public keys, which can be as large as several hundred kilobytes to over a megabyte. This makes it less practical for systems with bandwidth or storage limitations. 4.4. HQC HQC (Hamming Quasi-Cyclic) is another code-based cryptographic system that uses Quasi-Cyclic codes to achieve secure key encapsulation. HQC is based on the hardness of decoding random linear codes but uses a different type of code construction compared to Classic McEliece and BIKE.

HQC is built on the difficulty of decoding random linear codes, which is believed to be a hard problem both for classical and quantum computers.

HQC uses SHAKE256 for multiple purposes e.g., as a PRNG for fixed weight vector generation and random vector generation in Key Generation, as a PRNG for fixed weight vector generation in Encryption, and for hashing in encapsulation and decapsulation. HQC-KEM uses polynomial multiplication in various stages of its operation. In HQC, the fundamental mathematical structure involves cyclic codes, and polynomial operations over finite fields play a crucial role in both the encryption and decryption processes [ 30 ].

Polynomial Multiplication is used in the public key generation stage. The public key involves a codeword that HQC’s key sizes are intermediate between those of McEliece and BIKE, but its ciphertexts are generally larger.

Public Key Size: Ranges from 2,249 bytes to 7,245 bytes.

Ciphertext Size: Approximately 7,245 bytes to 7,870 bytes.

HQC provides security levels aligned with NIST’s requirements, targeting 128-bit and 256-bit classical security levels.

HQC is more efficient in terms of key generation and encapsulation compared to Classic McEliece, while still offering strong security guarantees. As a code-based system, HQC benefits from decades of cryptographic research, giving confidence in its resistance to quantum and classical attacks. Compared to other post-quantum KEMs, HQC produces relatively large ciphertexts, which may be a disadvantage in bandwidth-constrained applications. is derived from the multiplication of two polynomials, one of which is a secret, and another is a random element. The process relies on encoding the secret key, which consists of small random polynomials, and performing multiplication in a finite field to produce part of the public key.

During the encapsulation process, the key encapsulator generates a random message and encodes it using a public codeword. The encoding procedure involves polynomial multiplication between the message (represented as a polynomial) and the public key polynomial. The ciphertext is generated as the sum of a product of polynomials (including the random polynomials and the public key) along with some error terms. These multiplications are done in a ring of polynomials, where coefficients are taken modulo a prime number.

On the receiver’s side, the decryption process also involves polynomial multiplication. The receiver uses their private key to multiply it with part of the ciphertext. By multiplying the ciphertext polynomial by the private key and removing the error components, the original message can be recovered. The structure of the private key, being sparse (i.e., consisting mostly of small entries), ensures that this operation is efficient despite the potential for larger polynomials.

In all cases, these polynomial multiplications are performed in a finite ensuring that the polynomials remain manageable in size and that the modular arithmetic preserves the structure of the quasi-cyclic codes. Polynomial multiplication in HQC is typically implemented using efficient algorithms such as the Number Theoretic Transform (NTT), which is a variant of the Fast Fourier Transform (FFT) for polynomials over finite fields, to speed up the process of large polynomial multiplications. Thus, polynomial multiplication is a critical and recurring operation in the key generation, encryption, and decryption steps of HQC-KEM.

Public key, bytes 2249 4522 7245 4.5. SIKE

Private key, bytes 56 64 72

Ciphertext, bytes 4497 9042 14485

SIKE (Supersingular Isogeny Key Encapsulation) is based on isogeny-based cryptography, a relatively new and promising post-quantum cryptographic approach. SIKE uses the difficulty of finding isogenies (mappings) between elliptic curves. While elliptic curve cryptography (ECC) is vulnerable to quantum attacks, isogeny-based systems remain secure.

SIKE is protected by the computational supersingular isogeny (CSSI) problem and allows for an IND-CCA2 key establishment between two parties [ 31 ].

The underlying hard problem for SIKE, the Computational Supersingular Isogeny problem, involves finding a secret isogeny (a specific type of function between elliptic curves) between two given supersingular elliptic curves. This is believed to be computationally infeasible, even for quantum computers, making it a good foundation for post-quantum security. SIKE provides IND-CCA2 security, which is a strong form of security for encryption schemes. This means that even if an attacker can request decryptions of ciphertexts of their choice, they cannot learn any useful information about the encryption of a different message. This ensures that the key establishment process between two parties is secure even against active attackers who can manipulate and intercept communications.

SIKE primes are carefully chosen to optimize both performance and security in the context of supersingular elliptic curves and the supersingular isogeny problem. SIKE uses a prime number of a particular form to define the finite field Fp over which elliptic curves are constructed. The form of these primes allows efficient isogeny computations and ensures that the curves used are supersingular.

SIKE primes are of the form:

p=2a*3b*f-1 where a and b are large integers.

f is a small cofactor, typically set to 1 in many cases.

The prime is of a size that ensures 128-bit, 192-bit, or 256-bit security levels, depending on the target.

Designation SIKEp434 SIKEp503 SIKEp610 SIKEp751

Public key, bytes 330 378 462 564

Private key, bytes 374 434 524 644 SIKE offers one of the smallest key and ciphertext sizes of any other post-quantum cryptosystem, making it particularly attractive for use in bandwidth-constrained environments. However, it tends to have slower performance compared to other post-quantum KEMs.

Public Key Size: As small as 330 bytes.

Ciphertext Size: Ranges from 346 to 596 bytes.

SIKE’s compact key and ciphertext sizes make it one of the most bandwidth-efficient post-quantum cryptosystems, making it attractive for specific use cases where data size and storage are a concern, despite its slower performance compared to other schemes.