ML-KEM is a key encapsulation method (KEM) defined in the [FIPS203]. It is designed to withstand
    cryptanalytic attacks from quantum computers.
    
    This document introduces two new supported groups for hybrid post-quantum key agreements in TLS 1.3:
    X25519MLKEM768 and SecP256r1MLKEM768. Both combine ML-KEM-768 with ECDH in the manner of [hybrid].
    
    The first one uses X25519 [rfc7748] and is an update to X25519Kyber768Draft00 [xyber], the most widely
    deployed PQ/T hybrid combiner for TLS v1.3 deployed in 2024.
    
    The second one uses secp256r1 (NIST P-256) [ECDSA] [DSS]. The goal of this group is to support a use
    case that requires both shared secrets to be generated by FIPS-approved mechanisms.
    
    Both constructions aim to provide a FIPS-approved key-establishment scheme (as per [SP56C]).