Tools

ML-KEM (FIPS 203)

Key encapsulation demo with AES-GCM encryption derived from a shared secret.

Educational demo - don't copy/paste into production

All cryptography runs locally in your browser. Keys and plaintext never leave your device, but this is still a simplified demo.

Recipient keypair

Formerly CRYSTALS-Kyber

ML-KEM is a KEM. It encapsulates a shared secret. The demo derives an AES key from that secret for message encryption.

Parameter set

Higher parameter sets improve security margins but increase key and ciphertext sizes.

Public key

Size: -

Secret key

Size: -

Sender: encapsulate to recipient

The sender encapsulates to the recipient public key, producing ciphertext + shared secret.

Ciphertext

Size: -

Shared secret

Keep this secret. It becomes the input to HKDF for AES keys.

AES-GCM message encryption

A shared secret is derived into a 256-bit AES key with HKDF-SHA-256. The ciphertext below is AES-GCM, not ML-KEM.

Message to encrypt

Size:

AES-GCM ciphertext

HKDF salt

AES-GCM IV

Decrypted message

Sizes & timings

Sizes

Public key: -
Secret key: -
KEM ciphertext: -
Shared secret: -
AES-GCM ciphertext: -

Timings

Key generation: -
Encapsulate: -
Decapsulate: -
AES encrypt: -
AES decrypt: -

Security model (30 seconds)

ML-KEM encapsulates a shared secret locally. The browser derives an AES-256-GCM key with HKDF and encrypts the message. No private keys or plaintext leave your device, and the server never sees the shared secret. No server-side secrets and no user tracking are used.