ML-KEM

This section describes two endpoints functional for key-encapsulation PQC operations - ML-KEM, FIPS 203 compliant.

Allowed users

Allowed

Required access scope

keymgmt:use:<KID>

where <KID> is a Key ID as a 32-character hexadecimal string

Encapsulation

Generate a shared secret

POST https://my.ence.do/api/crypto/pqc/mlkem/encaps

The encapsulation algorithm ML-KEM accepts an encapsulation key as input, generates randomness internally, and outputs a ciphertext CT and a shared key SS.

Headers

Name

Type

Description

Authorization*

String

Bearer JWT_TOKEN

Content-Type*

String

application/json

Request Body

Name

Type

Description

kid*

String

Key ID, 32-character hex string encapsulation key

Response status code

{
  "ct": "4IzdVAZlsNHaUXGNaPMUg139TwnW5QB7WvVKAMEFnHF3JT122JTTnCHuZ1Z6sc2Hvz3WETWJ0ePKUVRJ5HzxDQ==",
  "ss": "YBby9t5R6aiQ13CE0RJ7Z0jIMOIXGLN+U9Tebo3/CU=",
  "alg": "MLKEM512"  
}

Possible `alg` values

Algorithm

Description

MLKEM512

Regarding FIPS 203, ML-KEM-512 key

MLKEM768

Regarding FIPS 203, ML-KEM-768 key

MLKEM1024

Regarding FIPS 203, ML-KEM-1024 key

Response data for successful operation

Name

Type

Description

alg

String

ML-KEM algorithm type represented by the kid

ct

String

Base64 encoded ciphertext

ss

String

Base64 encoded shared secret

Log entries

Event

Result

Source

LOG_TYPE_FAILED_SCOPE_CHECK

LOG_RESULT_FAILED

403

LOG_TYPE_CRYPTO_PQC_MLKEM_ENCAPS

LOG_RESULT_ERROR

400

LOG_TYPE_CRYPTO_PQC_MLKEM_ENCAPS

LOG_RESULT_FAILED

406

LOG_TYPE_CRYPTO_PQC_MLKEM_ENCAPS

LOG_RESULT_OK

200

Decapsulation

Extract the shared secret

POST https://my.ence.do/api/crypto/pqc/mlkem/decaps

The decapsulation algorithm accepts a decapsulation key and an ML-KEM ciphertext as input, does not use any randomness, and outputs a shared.

Headers

Name

Type

Description

Authorization*

String

Bearer JWT_TOKEN

Content-Type*

String

application/json

Request Body

Name

Type

Description

ct

String

Base64 encoded ciphertext returned by encaps

kid*

String

Key ID, 32-character hex string decapsulation key

Response status code

{
  "ss": "YBby9t5R6aiQ13CE0RJ7Z0jIMOIXGLN+U9Tebo3/CU="
}

Log entries

Event

Result

Source

LOG_TYPE_FAILED_SCOPE_CHECK

LOG_RESULT_FAILED

403

LOG_TYPE_CRYPTO_PQC_MLKEM_DECAPS

LOG_RESULT_ERROR

400

LOG_TYPE_CRYPTO_PQC_MLKEM_DECAPS

LOG_RESULT_FAILED

406

LOG_TYPE_CRYPTO_PQC_MLKEM_DECAPS

LOG_RESULT_OK

200

PreviousML-DSA NextAudit log

Last updated 6 months ago

hashtagAllowed users

hashtagRequired access scope

hashtagEncapsulation

hashtagGenerate a shared secret

hashtagHeaders

hashtagRequest Body

hashtagResponse status code

hashtagPossible alg values

hashtagResponse data for successful operation

hashtagLog entries

hashtagDecapsulation

hashtagExtract the shared secret

hashtagHeaders

hashtagRequest Body

hashtagResponse status code

hashtagLog entries

Allowed users

Required access scope

Encapsulation

Generate a shared secret

Headers

Request Body

Response status code

Possible `alg` values

Response data for successful operation

Log entries

Decapsulation

Extract the shared secret

Headers

Request Body

Response status code

Log entries