Show HN: – 囲碁エコシステムのためのポスト量子暗号技術 A Secure and Readable Implementation of ML-KEM-768

ML-KEM-768 is a post-quantum key exchange mechanism that is being standardized by NIST and adopted by most of the industry. Filippo Valsorda, a renowned Go developer, has developed a pure-Go implementation of ML-KEM-768 called In this blog post, we will explore the features of this implementation, its design choices, and its implications for the industry.

Implementing ML-KEM-768 in Go is a pure-Go implementation of ML-KEM-768 that has been optimized for correctness, readability, and security. The implementation consists of approximately 500 lines of code, 200 lines of comments, and 650 lines of tests. It has no dependencies except for

One of the unique aspects of this implementation is that it was written from scratch, without closely reading other codebases. This was done intentionally to validate the ML-KEM specification and demonstrate that it is possible to produce an interoperable implementation based solely on the specification.

To ensure high security assurance and ease of review, the implementation closely mirrors the FIPS 203 specification. Function and variable names, as well as operation ordering, were carefully chosen to align with the specification. Additionally, the implementation includes a comprehensive guide on the necessary math background for implementing ML-KEM.

Readability and Reviewability

One of the primary goals of the implementation is readability. The code has been designed to be easily reviewed and understood by both code reviewers and interested researchers. This focus on readability serves as an educational resource for future maintainers and cryptography engineers.

Despite the emphasis on readability, the implementation does not compromise on security. The code has undergone extensive testing, with a test coverage of over 95%. Test vectors have been designed to cover various edge cases and are reusable by other implementations.

Performance and Optimization

While performance is not the primary goal of the implementation, it has been optimized to be fast enough for practical use. The implementation is competitive with assembly-optimized implementations of other cryptographic algorithms, such as P-256 and X25519.

The performance optimizations in the implementation include minimizing heap allocations and using high-performance Go programming patterns. Further optimizations are still possible, such as storing the sampled matrix for key generation and decapsulation, and optimizing the field implementation.

Interoperability and Standardization

ML-KEM-768 is being standardized by NIST, and the implementation aligns with the latest changes in the specification. The implementation supports the experimental protocols defined in terms of Kyber v3 and can be used for the main deployed PQ TLS key exchange.

By following the specification closely, the implementation ensures interoperability with other ML-KEM-768 implementations. It also allows for fingerprinting the implementation as Kyber-on-ML-KEM without compromising security or functionality.


The implementation of ML-KEM-768 is a secure, readable, and performant implementation of this post-quantum key exchange mechanism. It serves as an excellent resource for understanding and implementing ML-KEM-768, while also ensuring interoperability with other implementations.

With its emphasis on readability, thorough testing, and alignment with the specification, sets a high standard for implementing post-quantum cryptographic algorithms. As the industry continues to adopt ML-KEM-768, this implementation will play a