# ML-KEM #### Allowed users {% tabs %} {% tab title="User" %} Allowed {% endtab %} {% tab title="Alternative" %} Not allowed {% endtab %} {% tab title="ExtAuth" %} Allowed {% endtab %} {% endtabs %} #### Required access scope {% tabs %} {% tab title="Main" %} `keymgmt:use:` where `` is a Key ID as a 32-character hexadecimal string {% endtab %} {% endtabs %} ## Encapsulation ## Generate a shared secret `POST` `https://my.ence.do/api/crypto/pqc/mlkem/encaps` The encapsulation algorithm ML-KEM accepts an encapsulation key as input, generates randomness internally, and outputs a ciphertext CT and a shared key SS. #### Headers | Name | Type | Description | | ----------------------------------------------- | ------ | ----------------- | | Authorization\* | String | Bearer JWT\_TOKEN | | Content-Type\* | String | application/json | #### Request Body | Name | Type | Description | | --------------------------------------- | ------ | ------------------------------------------------- | | `kid`\* | String | Key ID, 32-character hex string encapsulation key | #### Response status code {% tabs %} {% tab title="200: Operation successful" %} ```javascript { "ct": "4IzdVAZlsNHaUXGNaPMUg139TwnW5QB7WvVKAMEFnHF3JT122JTTnCHuZ1Z6sc2Hvz3WETWJ0ePKUVRJ5HzxDQ==", "ss": "YBby9t5R6aiQ13CE0RJ7Z0jIMOIXGLN+U9Tebo3/CU=", "alg": "MLKEM512" } ``` {% endtab %} {% tab title="400: Bad Request Incorrect argument(s)" %} {% endtab %} {% tab title="401: Unauthorized Missing or invalid JWT\_TOKEN" %} {% endtab %} {% tab title="403: Forbidden Incorrect access scope" %} {% endtab %} {% tab title="406: Not Acceptable Operation failed" %} {% endtab %} {% tab title="409: Conflict Incorrect internal state" %} {% endtab %} {% tab title="418: I'm a Teapot TLS (https) connection required" %} {% endtab %} {% endtabs %} #### Possible `alg` values | Algorithm | Description | | --------- | ----------------------------------- | | MLKEM512 | Regarding FIPS 203, ML-KEM-512 key | | MLKEM768 | Regarding FIPS 203, ML-KEM-768 key | | MLKEM1024 | Regarding FIPS 203, ML-KEM-1024 key | #### Response data for successful operation
NameTypeDescription
algStringML-KEM algorithm type represented by the kid
ctStringBase64 encoded ciphertext
ssStringBase64 encoded shared secret
#### Log entries
EventResultSource
LOG_TYPE_FAILED_SCOPE_CHECKLOG_RESULT_FAILED403
LOG_TYPE_CRYPTO_PQC_MLKEM_ENCAPSLOG_RESULT_ERROR400
LOG_TYPE_CRYPTO_PQC_MLKEM_ENCAPSLOG_RESULT_FAILED406
LOG_TYPE_CRYPTO_PQC_MLKEM_ENCAPSLOG_RESULT_OK200
## Decapsulation ## Extract the shared secret `POST` `https://my.ence.do/api/crypto/pqc/mlkem/decaps` The decapsulation algorithm accepts a decapsulation key and an ML-KEM ciphertext as input, does not use any randomness, and outputs a shared. #### Headers | Name | Type | Description | | ----------------------------------------------- | ------ | ----------------- | | Authorization\* | String | Bearer JWT\_TOKEN | | Content-Type\* | String | application/json | #### Request Body | Name | Type | Description | | --------------------------------------- | ------ | ------------------------------------------------- | | `ct` | String | Base64 encoded ciphertext returned by `encaps` | | `kid`\* | String | Key ID, 32-character hex string decapsulation key | #### Response status code {% tabs %} {% tab title="200: Operation successful" %} ```json { "ss": "YBby9t5R6aiQ13CE0RJ7Z0jIMOIXGLN+U9Tebo3/CU=" } ``` {% endtab %} {% tab title="400: Incorrect argument(s)" %} {% endtab %} {% tab title="401: Missing or invalid JWT\_TOKEN" %} {% endtab %} {% tab title="403: Incorrect access scope" %} {% endtab %} {% tab title="406: Operation failed" %} {% endtab %} {% tab title="409: Incorrect internal state" %} {% endtab %} {% tab title="418: TLS connection required" %} {% endtab %} {% endtabs %} #### Log entries
EventResultSource
LOG_TYPE_FAILED_SCOPE_CHECKLOG_RESULT_FAILED403
LOG_TYPE_CRYPTO_PQC_MLKEM_DECAPSLOG_RESULT_ERROR400
LOG_TYPE_CRYPTO_PQC_MLKEM_DECAPSLOG_RESULT_FAILED406
LOG_TYPE_CRYPTO_PQC_MLKEM_DECAPSLOG_RESULT_OK200