Appendix B. Parameter Set Security and Sizes
Cette section conserve le texte RFC pour ML-KEM dans PKIX, y compris algorithm identifiers, SubjectPublicKeyInfo, private key formats, ASN.1 objects, security considerations et examples.
Appendix B. Parameter Set Security and Sizes
Instead of defining the strength of a quantum algorithm in a typical
manner using the imprecise notion of bits of security, NIST has
defined security levels by picking a reference scheme, which is
expected to offer notable levels of resistance to both quantum and
classical attacks. To wit, a KEM algorithm that achieves NIST PQC
security must require computational resources to break IND-CCA
security comparable or greater than that required for key search on
AES-128, AES-192, and AES-256 for Levels 1, 3, and 5, respectively.
Levels 2 and 4 use collision search for SHA-256 and SHA-384 as
reference.
+=======+===============+========+========+============+========+
| Level | Parameter Set | Encap. | Decap. | Ciphertext | Secret |
| | | Key | Key | | |
+=======+===============+========+========+============+========+
| 1 | ML-KEM-512 | 800 | 1632 | 768 | 32 |
+-------+---------------+--------+--------+------------+--------+
| 3 | ML-KEM-768 | 1184 | 2400 | 1088 | 32 |
+-------+---------------+--------+--------+------------+--------+
| 5 | ML-KEM-1024 | 1568 | 3168 | 1568 | 32 |
+-------+---------------+--------+--------+------------+--------+
Table 1: Mapping Between NIST Security Level, ML-KEM
Parameter Sets, and Sizes in Bytes