Uncovering the Hidden Security Features of ML-KEM
Praveenaa U
This is a follow up on my earlier article "Post-quantum migration mis-steps". It captures my thoughts after attending the ETSI/IQC Quantum-safe conference (June 2026) where pQCee presented our joint collaboration with IoTex on "Performing Post-Quantum Transactions on IoTeX (an EVM-compatible chain)"
While everyone can agree that applications using classical public key cryptosystems such as RSA are vulnerable to harvest-now-decrypt-later quantum attacks, it is very unlikely that the different groups agree wholeheartedly with one another on how to approach the post-quantum migration process to mitigate the threat. Why is that so?
I believe that is because the threat mental model for each of them is different.
Let's start with the quantum communications researcher. The researcher advocates an information-theoretically safe communication method such as the one-time pad (OTP) since any public key cryptosystem will have to include a mathematical trapdoor (aka private key), and it is a matter of time that quantum algorithms will be able to compute the trapdoor.
The cryptographer, on the other hand, will argue that post-quantum cryptography (PQC) works because while public key cryptosystems are not unconditionally safe, they can be designed to be computationally-secure. This means that it will take a long time (e.g. more than 1000 years) for a hacker with a quantum computer to find the private key. How the cryptographer designs the PQC algorithm is based on the principles of Indistinguishability under Chosen-Plaintext Attack (IND-CPA) and Indistinguishability under Chosen-Ciphertext Attack (IND-CCA) where the adversary, given the opportunity of providing samples of plaintexts or ciphertexts to observe the encryption process, will still not be able to compute the private key.
Next comes the cryptographic engineer who works on applied cryptography (i.e. enabling the business application to use the cryptographic algorithms). To have effective data security, the engineer needs to architect the protocol and management of the keys and algorithms including when, who, how the keys are generated, stored, used, combined, split, derived and deleted across the useful lifetime of the data. The design principles applied are based on the STRIDE threat model which takes into account how an adversary can spoof, tamper, cause repudiation, disclose information, deny the service or elevate the privilege through improper use of the algorithm.
Finally, the cybersecurity specialist approaches the problem from a vulnerability management perspective. The MITRE ATT&CK and the Cyber Kill Chain threat models look at where, when and how adversaries are able to gain a foothold into the protected system in order to launch the compromise, and seek to prevent such attacks by shutting down the vector. In the case of post-quantum migration, the specialist will focus on discovering the vulnerabilities and prioritize removal of weak cryptographic algorithms through remediation actions.
I breakdown the differences in the mental models and their implication in the table below:
| Cybersecurity Specialist | Cryptographic Engineer | Cryptographer | Quantum Communications Researcher | |
| Threat Model | MITRE ATT&CK / Cyber Kill Chain | STRIDE | IND-CPA / IND-CCA | Information security |
| How to approach quantum-safe migration | Discover where all weak cryptography is used and replace them with quantum-safe algorithms | Look at the data under threat and design mitigation measures to remove the threat | Start using PQC algorithms, and build in capability to switch them in the future | Use QKD to generate a random sequence for both communicating parties to scramble the data |
| Typical Quote | You can't protect what you don't know | We have successfully migrated from MD5, DES in the past. We can get PQC done. | PQC is superior to QKD | PQC will eventually be broken |
| Biggest criticism | Doing cryptographic discovery does not solve the quantum threat. Not all classical implementations can be replaced | Cryptographic design is complex and requires experience. Many deployments still have vulnerabilities | PQC algorithms are not efficient and take up too much resources and storage | QKD is expensive, commercially viable and limited in use-cases |
So herein lies the difficulty. I don't think any of these groups are fundamentally wrong in their opinion, but these differing views will only serve to confuse the broader community who need to get their systems protected against the upcoming quantum threat.
Regardless whether you are a regulator setting up the quantum-safe policy for your industry, or a CISO overseeing the post-quantum migration efforts of your organization, or an operations manager tasked to plan an upgrade of your application, you are likely to be speaking to various industry practitioners and vendors. I hope this article will help you get clarity on the mindset of the people you are talking to, and understand where the advice is coming from.
Let me know if this makes sense? I'm available at teikguan@pqcee.com.
Author
Teik Guan is CEO of pQCee.com. He works in the niche area of cryptographic security design and integration, having implemented numerous successful projects for banks, government agencies and enterprises. He holds a BSc and MSc from NUS and a PhD from SUTD.
Don't have an account? We will create one for you.
Enter the OTP send to
in seconds. Check your spam folder if you can't find email from us.
Valid email is required for further communications