ML-KEM-768 explained: why post-quantum encryption is no longer optional
The problem: "harvest now, decrypt later"
In 1994, Peter Shor published an algorithm that, on a sufficiently large quantum computer, factors large integers in polynomial time. This breaks RSA. The same algorithm solves discrete logarithms, which breaks ECC (the elliptic-curve cryptography WhatsApp, Signal, and HTTPS use).
No such machine exists in 2026. But any nation-state with the budget can record every byte of encrypted traffic flowing through a submarine cable and store it. When quantum arrives — likely 2030-2035 — they decrypt the past.
Things you're writing today to your AI assistant (passwords, medical records, financial details, intimate secrets) hold value for 10+ years. The risk horizon has already reached you.
The solution: lattice-based crypto
NIST launched its post-quantum cryptography competition in 2016. Among the finalists, CRYSTALS-Kyber was selected; it is based on the Module Learning With Errors (M-LWE) problem, a lattice problem believed to remain hard even for quantum computers.
In August 2024, NIST published FIPS 203, standardizing Kyber as ML-KEM (Module-Lattice Key Encapsulation Mechanism). Three security levels:
- ML-KEM-512 — AES-128 level
- ML-KEM-768 — AES-192 level (what MONO uses)
- ML-KEM-1024 — AES-256 level
ML-KEM-768 is the sweet spot: it resists both quantum and classical attacks, with public keys of only about 1.2 KB and ciphertexts of about 1.1 KB. That is three orders of magnitude more efficient than hash-based alternatives like SPHINCS+.
How MONO integrates it
MONO uses a hybrid scheme: ML-KEM-768 for key exchange, AES-256-GCM for symmetric encryption, and HKDF to derive a separate key for every vault entry.
Why hybrid? Because ML-KEM is new. If an attack on it emerges in 5 years, classical AES-256 still protects the data. The worst case is a fallback to pre-quantum security — not total loss.
Every vault entry — every password, every file, every document — is encrypted with its own derived key. If one key leaks, the others stay sealed. Defense in depth.
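The construction just described (encapsulate with ML-KEM-768, derive a per-entry key with HKDF, seal with AES-256-GCM), as an added example that is not MONO's code; it uses only the Go 1.24 standard library (crypto/mlkem, crypto/hkdf, crypto/cipher). Assumed, since the page does not specify them: the entry ID is the HKDF info label and is also bound as GCM associated data, and a stored record is the KEM ciphertext followed by the nonce and GCM ciphertext; the PBKDF2 passphrase step is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/sha256"
)

// EntryAEAD returns AES-256-GCM keyed by HKDF(ML-KEM shared secret, info = entry ID):
// every vault entry has its own key, so one leaked key exposes nothing else. The
// random-nonce GCM variant picks a fresh 12-byte nonce per Seal and prefixes it.
func EntryAEAD(shared []byte, entryID string) (cipher.AEAD, error) {
	key, _ := hkdf.Key(sha256.New, shared, nil, "mono-vault-entry/"+entryID, 32) // label is a constructed example
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256; a nil key (HKDF failure) errors here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithRandomNonce(block)
}

// SealEntry (writer side) encapsulates to the vault's ML-KEM-768 public key and
// seals under the entry key. Record layout: KEM ciphertext || nonce || GCM ciphertext.
func SealEntry(ek *mlkem.EncapsulationKey768, entryID string, pt []byte) ([]byte, error) {
	shared, kemCT := ek.Encapsulate() // 32-byte shared secret, 1088-byte KEM ciphertext
	gcm, err := EntryAEAD(shared, entryID)
	if err != nil {
		return nil, err
	}
	// Entry ID bound as associated data: a record cannot be replayed into another entry.
	return gcm.Seal(kemCT, nil, pt, []byte(entryID)), nil
}

// OpenEntry (vault side) decapsulates with the private key, re-derives the entry key
// and authenticates before decrypting: a wrong key, wrong entry ID, altered or
// truncated record returns an error rather than garbage.
func OpenEntry(dk *mlkem.DecapsulationKey768, entryID string, rec []byte) ([]byte, error) {
	n := mlkem.CiphertextSize768
	shared, err := dk.Decapsulate(rec[:min(n, len(rec))]) // short record: length error; wrong key: different secret
	if err != nil {
		return nil, err
	}
	gcm, err := EntryAEAD(shared, entryID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nil, rec[n:], []byte(entryID)) // nonce is read from the record prefix
}
```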
What others are doing
- Apple iMessage — PQ3 (Kyber-1024) live since iOS 17.4 (Feb 2024).
- Signal — PQXDH (combining X3DH + Kyber-1024) since Sep 2023.
- Chrome / TLS — hybrid X25519+Kyber in the 1-RTT handshake since 2024.
- OpenAI / Anthropic API — no public post-quantum crypto. Every prompt to ChatGPT is vulnerable to harvest-now, decrypt-later.
- WhatsApp (Meta) — classical Signal Protocol still. No announced ML-KEM in 2026.
This is what worries me most about ChatGPT Memory, Claude Projects, and any assistant storing conversations in the cloud: no post-quantum protection. Everything you upload today can be read tomorrow.
What can you do?
- Check your app's security page for ML-KEM or Kyber.
- If it isn't there, assume data uploaded today can be decrypted in 2030.
- Minimize what you upload to systems without PQ crypto. Keep real secrets segregated.
- Demand that your AI assistant provider publish its cryptographic model.
MONO's bet
Every MONO instance runs on its own VPS. Every vault uses ML-KEM-768 + AES-256-GCM. Every key is derived per entry via HKDF, and the passphrase is stretched with PBKDF2-SHA256 (600,000 iterations). No data leaves the server without hybrid encryption. Zero-knowledge isn't a slogan — even we can't read your vault.