diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index b87930817..fca41ab7a 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -87,6 +87,7 @@ CONFIG_ESP_TLS_USING_WOLFSSL
 CONFIG_ESP_WIFI_PASSWORD
 CONFIG_ESP_WIFI_SSID
 CONFIG_ESP_WOLFSSL_ENABLE_KYBER
+CONFIG_ESP_WOLFSSL_ENABLE_MLKEM
 CONFIG_ESP_WOLFSSL_ENABLE_WOLFSSH
 CONFIG_ESP_WOLFSSL_NO_ESP32_CRYPT
 CONFIG_ESP_WOLFSSL_NO_HW_AES
@@ -674,6 +675,7 @@ WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
 WOLFSSL_EMNET
 WOLFSSL_ESPWROOM32
 WOLFSSL_EVP_PRINT
+WOLFSSL_EXPERIMENTAL_SETTINGS
 WOLFSSL_EXPORT_INT
 WOLFSSL_EXPORT_SPC_SZ
 WOLFSSL_EXTRA
@@ -690,6 +692,7 @@ WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
 WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
 WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
 WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
+WOLFSSL_HAVE_MLKEM
 WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
 WOLFSSL_I2D_ECDSA_SIG_ALLOC
 WOLFSSL_IAR_ARM_TIME
@@ -702,6 +705,9 @@ WOLFSSL_IMXRT_DCP
 WOLFSSL_ISOTP
 WOLFSSL_KEIL
 WOLFSSL_KEIL_NET
+WOLFSSL_KYBER1024
+WOLFSSL_KYBER512
+WOLFSSL_KYBER768
 WOLFSSL_KYBER_NO_DECAPSULATE
 WOLFSSL_KYBER_NO_ENCAPSULATE
 WOLFSSL_KYBER_NO_MAKE_KEY
@@ -754,6 +760,9 @@ WOLFSSL_NO_KCAPI_HMAC_SHA256
 WOLFSSL_NO_KCAPI_HMAC_SHA384
 WOLFSSL_NO_KCAPI_HMAC_SHA512
 WOLFSSL_NO_KCAPI_SHA224
+WOLFSSL_NO_ML_KEM_1024
+WOLFSSL_NO_ML_KEM_512
+WOLFSSL_NO_ML_KEM_768
 WOLFSSL_NO_OCSP_DATE_CHECK
 WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
 WOLFSSL_NO_OCSP_OPTIONAL_CERTS
@@ -816,6 +825,8 @@ WOLFSSL_SERVER_EXAMPLE
 WOLFSSL_SETTINGS_FILE
 WOLFSSL_SH224
 WOLFSSL_SHA256_ALT_CH_MAJ
+WOLFSSL_SHAKE128
+WOLFSSL_SHAKE256
 WOLFSSL_SHUTDOWNONCE
 WOLFSSL_SILABS_TRNG
 WOLFSSL_SM4_EBC
@@ -857,6 +868,7 @@ WOLFSSL_USE_FLASHMEM
 WOLFSSL_USE_OPTIONS_H
 WOLFSSL_USE_POPEN_HOST
 WOLFSSL_VALIDATE_DH_KEYGEN
+WOLFSSL_WC_MLKEM
 WOLFSSL_WC_XMSS_NO_SHA256
 WOLFSSL_WC_XMSS_NO_SHAKE256
 WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME
diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig
index 150913190..9a7fcaa07 100644
--- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig
+++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig
@@ -401,24 +401,25 @@ menu "wolfSSL"
                 when performance is critical. See also metrics for counting instances.
 
     endmenu # wolfSSL Hardware Acceleration
+
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
-    menu "wolfSSL Experimental Options"
+    menu "wolfSSL Post Quantum Kyber KEM PQ"
 
-        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
-            bool "Enable wolfSSL Experimental Settings"
+        config ESP_WOLFSSL_ENABLE_MLKEM
+            bool "Enable ML-KEM (Kyber Post Quantum)"
             default n
             help
-                Enables experimental settings for wolfSSL. See documentation.
+                bool "Enable wolfSSL ML-KEM"
 
-        config ESP_WOLFSSL_ENABLE_KYBER
-            bool "Enable wolfSSL Kyber"
+        config WOLFSSL_ENABLE_KYBER
+            bool "Enable Kyber (Round 3)"
             default n
             help
-                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.
+                Enable old compatibility with Kyber Round 3 (enables experimental settings)
 
-    endmenu # wolfSSL Experimental Options
+    endmenu # wolfSSL Post Quantum Kyber KEM PQ
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
@@ -435,6 +436,11 @@ menu "wolfSSL"
             help
                 Enable a loop wrapper for benchmark, http_client, and wolfssl test apps.
 
+        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
+            bool "Enable wolfSSL Experimental Settings"
+            default n
+            help
+                Enables experimental settings for wolfSSL. See documentation.
     endmenu # wolfSSL Debug Options
     # -----------------------------------------------------------------------------------------------------------------
 
diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
index de4daa38d..488182ed6 100644
--- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
@@ -209,18 +209,40 @@
     /* the code is older or does not have application name defined. */
 #endif /* Example wolfSSL Configuration app settings */
 
-/* Experimental Kyber */
-#ifdef CONFIG_WOLFSSL_ENABLE_KYBER
+/* Optional MLKEM (Kyber Post Quantum)               */
+/*  ./configure --enable-mlkem                       */
+/* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */
+#ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM
     /* Kyber typically needs a minimum 10K stack */
-    #define WOLFSSL_EXPERIMENTAL_SETTINGS
     #define WOLFSSL_HAVE_MLKEM
     #define WOLFSSL_WC_MLKEM
-    #define WOLFSSL_SHA3
+    #define WOLFSSL_SHAKE128
+    #define WOLFSSL_SHAKE256
+
+    /* Old code points to keep compatibility with Kyber Round 3. */
+    /*   ./configure --enable-kyber=all --enable-experimental    */
+    #if defined(CONFIG_WOLFSSL_ENABLE_KYBER)
+        #define WOLFSSL_MLKEM_KYBER
+        #define WOLFSSL_EXPERIMENTAL_SETTINGS
+    #endif
+
     #if defined(CONFIG_IDF_TARGET_ESP8266)
         /* With limited RAM, we'll disable some of the Kyber sizes: */
         #define WOLFSSL_NO_KYBER1024
         #define WOLFSSL_NO_KYBER768
+        #define WOLFSSL_NO_ML_KEM_1024
+        #define WOLFSSL_NO_ML_KEM_768
         #define NO_SESSION_CACHE
+    #else
+        /* Only needed for older wolfssl versions, see mlkem.h */
+        #define WOLFSSL_KYBER1024
+        /* optional alternative sizes:    */
+        /* #define WOLFSSL_KYBER768       */
+        /* #define WOLFSSL_KYBER512       */
+        /* -- or disable a specific one:  */
+        /* #define WOLFSSL_NO_ML_KEM_1024 */
+        /* #define WOLFSSL_NO_ML_KEM_768  */
+        /* #define WOLFSSL_NO_ML_KEM_512  */
     #endif
 #endif
 
@@ -532,7 +554,7 @@
 /* Adjust wait-timeout count if you see timeout in RSA HW acceleration.
  * Set to very large number and enable WOLFSSL_HW_METRICS to determine max. */
 #ifndef ESP_RSA_TIMEOUT_CNT
-	#define ESP_RSA_TIMEOUT_CNT 0xFF0000
+    #define ESP_RSA_TIMEOUT_CNT 0xFF0000
 #endif
 
 /* hash limit for test.c */
@@ -560,8 +582,6 @@
     defined(WOLFSSL_SP_RISCV32)
 #endif
 
-#define WOLFSSL_SMALL_STACK
-
 
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */
@@ -936,6 +956,8 @@ Turn on timer debugging (used when CPU cycles not available)
 #define ATCA_WOLFSSL
 */
 
+/* optional SM4 Ciphers. See github.com/wolfSSL/wolfsm */
+
 /***************************** Certificate Macros *****************************
  *
  * The section below defines macros used in typically all of the wolfSSL
@@ -1027,9 +1049,14 @@ Turn on timer debugging (used when CPU cycles not available)
     #define WOLFSSL_BASE16
 #else
     #if defined(USE_CERT_BUFFERS_2048)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_1024
+            #error "USE_CERT_BUFFERS_1024 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_2048
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_2048
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
@@ -1049,9 +1076,14 @@ Turn on timer debugging (used when CPU cycles not available)
         #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
 
     #elif defined(USE_CERT_BUFFERS_1024)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_2048
+            #error "USE_CERT_BUFFERS_2048 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_1024
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_1024
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig
index 150913190..9a7fcaa07 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig
@@ -401,24 +401,25 @@ menu "wolfSSL"
                 when performance is critical. See also metrics for counting instances.
 
     endmenu # wolfSSL Hardware Acceleration
+
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
-    menu "wolfSSL Experimental Options"
+    menu "wolfSSL Post Quantum Kyber KEM PQ"
 
-        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
-            bool "Enable wolfSSL Experimental Settings"
+        config ESP_WOLFSSL_ENABLE_MLKEM
+            bool "Enable ML-KEM (Kyber Post Quantum)"
             default n
             help
-                Enables experimental settings for wolfSSL. See documentation.
+                bool "Enable wolfSSL ML-KEM"
 
-        config ESP_WOLFSSL_ENABLE_KYBER
-            bool "Enable wolfSSL Kyber"
+        config WOLFSSL_ENABLE_KYBER
+            bool "Enable Kyber (Round 3)"
             default n
             help
-                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.
+                Enable old compatibility with Kyber Round 3 (enables experimental settings)
 
-    endmenu # wolfSSL Experimental Options
+    endmenu # wolfSSL Post Quantum Kyber KEM PQ
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
@@ -435,6 +436,11 @@ menu "wolfSSL"
             help
                 Enable a loop wrapper for benchmark, http_client, and wolfssl test apps.
 
+        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
+            bool "Enable wolfSSL Experimental Settings"
+            default n
+            help
+                Enables experimental settings for wolfSSL. See documentation.
     endmenu # wolfSSL Debug Options
     # -----------------------------------------------------------------------------------------------------------------
 
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
index de4daa38d..488182ed6 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
@@ -209,18 +209,40 @@
     /* the code is older or does not have application name defined. */
 #endif /* Example wolfSSL Configuration app settings */
 
-/* Experimental Kyber */
-#ifdef CONFIG_WOLFSSL_ENABLE_KYBER
+/* Optional MLKEM (Kyber Post Quantum)               */
+/*  ./configure --enable-mlkem                       */
+/* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */
+#ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM
     /* Kyber typically needs a minimum 10K stack */
-    #define WOLFSSL_EXPERIMENTAL_SETTINGS
     #define WOLFSSL_HAVE_MLKEM
     #define WOLFSSL_WC_MLKEM
-    #define WOLFSSL_SHA3
+    #define WOLFSSL_SHAKE128
+    #define WOLFSSL_SHAKE256
+
+    /* Old code points to keep compatibility with Kyber Round 3. */
+    /*   ./configure --enable-kyber=all --enable-experimental    */
+    #if defined(CONFIG_WOLFSSL_ENABLE_KYBER)
+        #define WOLFSSL_MLKEM_KYBER
+        #define WOLFSSL_EXPERIMENTAL_SETTINGS
+    #endif
+
     #if defined(CONFIG_IDF_TARGET_ESP8266)
         /* With limited RAM, we'll disable some of the Kyber sizes: */
         #define WOLFSSL_NO_KYBER1024
         #define WOLFSSL_NO_KYBER768
+        #define WOLFSSL_NO_ML_KEM_1024
+        #define WOLFSSL_NO_ML_KEM_768
         #define NO_SESSION_CACHE
+    #else
+        /* Only needed for older wolfssl versions, see mlkem.h */
+        #define WOLFSSL_KYBER1024
+        /* optional alternative sizes:    */
+        /* #define WOLFSSL_KYBER768       */
+        /* #define WOLFSSL_KYBER512       */
+        /* -- or disable a specific one:  */
+        /* #define WOLFSSL_NO_ML_KEM_1024 */
+        /* #define WOLFSSL_NO_ML_KEM_768  */
+        /* #define WOLFSSL_NO_ML_KEM_512  */
     #endif
 #endif
 
@@ -532,7 +554,7 @@
 /* Adjust wait-timeout count if you see timeout in RSA HW acceleration.
  * Set to very large number and enable WOLFSSL_HW_METRICS to determine max. */
 #ifndef ESP_RSA_TIMEOUT_CNT
-	#define ESP_RSA_TIMEOUT_CNT 0xFF0000
+    #define ESP_RSA_TIMEOUT_CNT 0xFF0000
 #endif
 
 /* hash limit for test.c */
@@ -560,8 +582,6 @@
     defined(WOLFSSL_SP_RISCV32)
 #endif
 
-#define WOLFSSL_SMALL_STACK
-
 
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */
@@ -936,6 +956,8 @@ Turn on timer debugging (used when CPU cycles not available)
 #define ATCA_WOLFSSL
 */
 
+/* optional SM4 Ciphers. See github.com/wolfSSL/wolfsm */
+
 /***************************** Certificate Macros *****************************
  *
  * The section below defines macros used in typically all of the wolfSSL
@@ -1027,9 +1049,14 @@ Turn on timer debugging (used when CPU cycles not available)
     #define WOLFSSL_BASE16
 #else
     #if defined(USE_CERT_BUFFERS_2048)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_1024
+            #error "USE_CERT_BUFFERS_1024 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_2048
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_2048
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
@@ -1049,9 +1076,14 @@ Turn on timer debugging (used when CPU cycles not available)
         #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
 
     #elif defined(USE_CERT_BUFFERS_1024)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_2048
+            #error "USE_CERT_BUFFERS_2048 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_1024
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_1024
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig
index 150913190..9a7fcaa07 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig
@@ -401,24 +401,25 @@ menu "wolfSSL"
                 when performance is critical. See also metrics for counting instances.
 
     endmenu # wolfSSL Hardware Acceleration
+
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
-    menu "wolfSSL Experimental Options"
+    menu "wolfSSL Post Quantum Kyber KEM PQ"
 
-        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
-            bool "Enable wolfSSL Experimental Settings"
+        config ESP_WOLFSSL_ENABLE_MLKEM
+            bool "Enable ML-KEM (Kyber Post Quantum)"
             default n
             help
-                Enables experimental settings for wolfSSL. See documentation.
+                bool "Enable wolfSSL ML-KEM"
 
-        config ESP_WOLFSSL_ENABLE_KYBER
-            bool "Enable wolfSSL Kyber"
+        config WOLFSSL_ENABLE_KYBER
+            bool "Enable Kyber (Round 3)"
             default n
             help
-                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.
+                Enable old compatibility with Kyber Round 3 (enables experimental settings)
 
-    endmenu # wolfSSL Experimental Options
+    endmenu # wolfSSL Post Quantum Kyber KEM PQ
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
@@ -435,6 +436,11 @@ menu "wolfSSL"
             help
                 Enable a loop wrapper for benchmark, http_client, and wolfssl test apps.
 
+        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
+            bool "Enable wolfSSL Experimental Settings"
+            default n
+            help
+                Enables experimental settings for wolfSSL. See documentation.
     endmenu # wolfSSL Debug Options
     # -----------------------------------------------------------------------------------------------------------------
 
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
index de4daa38d..488182ed6 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
@@ -209,18 +209,40 @@
     /* the code is older or does not have application name defined. */
 #endif /* Example wolfSSL Configuration app settings */
 
-/* Experimental Kyber */
-#ifdef CONFIG_WOLFSSL_ENABLE_KYBER
+/* Optional MLKEM (Kyber Post Quantum)               */
+/*  ./configure --enable-mlkem                       */
+/* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */
+#ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM
     /* Kyber typically needs a minimum 10K stack */
-    #define WOLFSSL_EXPERIMENTAL_SETTINGS
     #define WOLFSSL_HAVE_MLKEM
     #define WOLFSSL_WC_MLKEM
-    #define WOLFSSL_SHA3
+    #define WOLFSSL_SHAKE128
+    #define WOLFSSL_SHAKE256
+
+    /* Old code points to keep compatibility with Kyber Round 3. */
+    /*   ./configure --enable-kyber=all --enable-experimental    */
+    #if defined(CONFIG_WOLFSSL_ENABLE_KYBER)
+        #define WOLFSSL_MLKEM_KYBER
+        #define WOLFSSL_EXPERIMENTAL_SETTINGS
+    #endif
+
     #if defined(CONFIG_IDF_TARGET_ESP8266)
         /* With limited RAM, we'll disable some of the Kyber sizes: */
         #define WOLFSSL_NO_KYBER1024
         #define WOLFSSL_NO_KYBER768
+        #define WOLFSSL_NO_ML_KEM_1024
+        #define WOLFSSL_NO_ML_KEM_768
         #define NO_SESSION_CACHE
+    #else
+        /* Only needed for older wolfssl versions, see mlkem.h */
+        #define WOLFSSL_KYBER1024
+        /* optional alternative sizes:    */
+        /* #define WOLFSSL_KYBER768       */
+        /* #define WOLFSSL_KYBER512       */
+        /* -- or disable a specific one:  */
+        /* #define WOLFSSL_NO_ML_KEM_1024 */
+        /* #define WOLFSSL_NO_ML_KEM_768  */
+        /* #define WOLFSSL_NO_ML_KEM_512  */
     #endif
 #endif
 
@@ -532,7 +554,7 @@
 /* Adjust wait-timeout count if you see timeout in RSA HW acceleration.
  * Set to very large number and enable WOLFSSL_HW_METRICS to determine max. */
 #ifndef ESP_RSA_TIMEOUT_CNT
-	#define ESP_RSA_TIMEOUT_CNT 0xFF0000
+    #define ESP_RSA_TIMEOUT_CNT 0xFF0000
 #endif
 
 /* hash limit for test.c */
@@ -560,8 +582,6 @@
     defined(WOLFSSL_SP_RISCV32)
 #endif
 
-#define WOLFSSL_SMALL_STACK
-
 
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */
@@ -936,6 +956,8 @@ Turn on timer debugging (used when CPU cycles not available)
 #define ATCA_WOLFSSL
 */
 
+/* optional SM4 Ciphers. See github.com/wolfSSL/wolfsm */
+
 /***************************** Certificate Macros *****************************
  *
  * The section below defines macros used in typically all of the wolfSSL
@@ -1027,9 +1049,14 @@ Turn on timer debugging (used when CPU cycles not available)
     #define WOLFSSL_BASE16
 #else
     #if defined(USE_CERT_BUFFERS_2048)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_1024
+            #error "USE_CERT_BUFFERS_1024 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_2048
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_2048
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
@@ -1049,9 +1076,14 @@ Turn on timer debugging (used when CPU cycles not available)
         #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
 
     #elif defined(USE_CERT_BUFFERS_1024)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_2048
+            #error "USE_CERT_BUFFERS_2048 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_1024
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_1024
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c
index 9a0bdc2ec..d6c887f92 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c
@@ -397,20 +397,47 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args)
         ESP_LOGI(TAG, "tls_smp_client_task heap @ %p = %d",
                       &this_heap, this_heap);
 #endif
+
+#if defined(CONFIG_ESP_WOLFSSL_ENABLE_MLKEM)
+    /* Kconfig ESP_WOLFSSL_ENABLE_MLKEM triggers settings in user_setting.h */
+    ESP_LOGI(TAG, "Espressif CONFIG_ESP_WOLFSSL_ENABLE_MLKEM is defined");
+#endif
 #if defined(WOLFSSL_HAVE_MLKEM)
-    #if defined(WOLFSSL_KYBER1024)
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
-                                        "WOLFSSL_P256_KYBER_LEVEL5");
-        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
-    #elif defined(WOLFSSL_KYBER768)
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
+    ESP_LOGI(TAG, "WOLFSSL_MLKEM_KYBER is defined");
+    #if defined(WOLFSSL_KYBER1024) || !defined(WOLFSSL_NO_ML_KEM_1024)
+        #if defined(WOLFSSL_MLKEM_KYBER)
+            ESP_LOGW(TAG, "WOLFSSL_MLKEM_KYBER is enabled, setting key share: "
+                                        "WOLFSSL_P521_KYBER_LEVEL5");
+            ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
+        #else
+            ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
+                                        "WOLFSSL_ML_KEM_1024");
+            ESP_LOGW(TAG, "Note: Wireshark as of 4.4.6 reports as frodo976aes");
+            ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_1024);
+        #endif
+    #elif defined(WOLFSSL_KYBER768) || !defined(WOLFSSL_NO_ML_KEM_768)
+        #if defined(WOLFSSL_MLKEM_KYBER)
+            ESP_LOGW(TAG, "WOLFSSL_MLKEM_KYBER is enabled, setting key share: "
                                         "WOLFSSL_P256_KYBER_LEVEL3");
-        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL3);
-    #elif defined(WOLFSSL_KYBER512)
+            ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL3);
+        #else
+            ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
+                                        "WOLFSSL_ML_KEM_768");
+            ESP_LOGW(TAG, "Note: Wireshark as of 4.4.6 reports as frodo976aes");
+            ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_768);
+        #endif
+    #elif defined(WOLFSSL_KYBER512) || !defined(WOLFSSL_NO_ML_KEM_512)
         /* This will typically be a low memory situation, such as ESP8266 */
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
+        #if defined(WOLFSSL_MLKEM_KYBER)
+            ESP_LOGW(TAG, "WOLFSSL_MLKEM_KYBER is enabled, setting key share: "
                                         "WOLFSSL_P256_KYBER_LEVEL1");
-        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL1);
+            ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL1);
+        #else
+            ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
+                                        "WOLFSSL_ML_KEM_512");
+            ESP_LOGW(TAG, "Note: Wireshark as of 4.4.6 reports as frodo976aes");
+            ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_512);
+        #endif
     #else
         ESP_LOGW(TAG, "WOLFSSL_HAVE_MLKEM enabled but no key size available.");
         ret_i = ESP_FAIL;
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig
index 150913190..9a7fcaa07 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig
@@ -401,24 +401,25 @@ menu "wolfSSL"
                 when performance is critical. See also metrics for counting instances.
 
     endmenu # wolfSSL Hardware Acceleration
+
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
-    menu "wolfSSL Experimental Options"
+    menu "wolfSSL Post Quantum Kyber KEM PQ"
 
-        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
-            bool "Enable wolfSSL Experimental Settings"
+        config ESP_WOLFSSL_ENABLE_MLKEM
+            bool "Enable ML-KEM (Kyber Post Quantum)"
             default n
             help
-                Enables experimental settings for wolfSSL. See documentation.
+                bool "Enable wolfSSL ML-KEM"
 
-        config ESP_WOLFSSL_ENABLE_KYBER
-            bool "Enable wolfSSL Kyber"
+        config WOLFSSL_ENABLE_KYBER
+            bool "Enable Kyber (Round 3)"
             default n
             help
-                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.
+                Enable old compatibility with Kyber Round 3 (enables experimental settings)
 
-    endmenu # wolfSSL Experimental Options
+    endmenu # wolfSSL Post Quantum Kyber KEM PQ
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
@@ -435,6 +436,11 @@ menu "wolfSSL"
             help
                 Enable a loop wrapper for benchmark, http_client, and wolfssl test apps.
 
+        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
+            bool "Enable wolfSSL Experimental Settings"
+            default n
+            help
+                Enables experimental settings for wolfSSL. See documentation.
     endmenu # wolfSSL Debug Options
     # -----------------------------------------------------------------------------------------------------------------
 
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
index de4daa38d..488182ed6 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
@@ -209,18 +209,40 @@
     /* the code is older or does not have application name defined. */
 #endif /* Example wolfSSL Configuration app settings */
 
-/* Experimental Kyber */
-#ifdef CONFIG_WOLFSSL_ENABLE_KYBER
+/* Optional MLKEM (Kyber Post Quantum)               */
+/*  ./configure --enable-mlkem                       */
+/* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */
+#ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM
     /* Kyber typically needs a minimum 10K stack */
-    #define WOLFSSL_EXPERIMENTAL_SETTINGS
     #define WOLFSSL_HAVE_MLKEM
     #define WOLFSSL_WC_MLKEM
-    #define WOLFSSL_SHA3
+    #define WOLFSSL_SHAKE128
+    #define WOLFSSL_SHAKE256
+
+    /* Old code points to keep compatibility with Kyber Round 3. */
+    /*   ./configure --enable-kyber=all --enable-experimental    */
+    #if defined(CONFIG_WOLFSSL_ENABLE_KYBER)
+        #define WOLFSSL_MLKEM_KYBER
+        #define WOLFSSL_EXPERIMENTAL_SETTINGS
+    #endif
+
     #if defined(CONFIG_IDF_TARGET_ESP8266)
         /* With limited RAM, we'll disable some of the Kyber sizes: */
         #define WOLFSSL_NO_KYBER1024
         #define WOLFSSL_NO_KYBER768
+        #define WOLFSSL_NO_ML_KEM_1024
+        #define WOLFSSL_NO_ML_KEM_768
         #define NO_SESSION_CACHE
+    #else
+        /* Only needed for older wolfssl versions, see mlkem.h */
+        #define WOLFSSL_KYBER1024
+        /* optional alternative sizes:    */
+        /* #define WOLFSSL_KYBER768       */
+        /* #define WOLFSSL_KYBER512       */
+        /* -- or disable a specific one:  */
+        /* #define WOLFSSL_NO_ML_KEM_1024 */
+        /* #define WOLFSSL_NO_ML_KEM_768  */
+        /* #define WOLFSSL_NO_ML_KEM_512  */
     #endif
 #endif
 
@@ -532,7 +554,7 @@
 /* Adjust wait-timeout count if you see timeout in RSA HW acceleration.
  * Set to very large number and enable WOLFSSL_HW_METRICS to determine max. */
 #ifndef ESP_RSA_TIMEOUT_CNT
-	#define ESP_RSA_TIMEOUT_CNT 0xFF0000
+    #define ESP_RSA_TIMEOUT_CNT 0xFF0000
 #endif
 
 /* hash limit for test.c */
@@ -560,8 +582,6 @@
     defined(WOLFSSL_SP_RISCV32)
 #endif
 
-#define WOLFSSL_SMALL_STACK
-
 
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */
@@ -936,6 +956,8 @@ Turn on timer debugging (used when CPU cycles not available)
 #define ATCA_WOLFSSL
 */
 
+/* optional SM4 Ciphers. See github.com/wolfSSL/wolfsm */
+
 /***************************** Certificate Macros *****************************
  *
  * The section below defines macros used in typically all of the wolfSSL
@@ -1027,9 +1049,14 @@ Turn on timer debugging (used when CPU cycles not available)
     #define WOLFSSL_BASE16
 #else
     #if defined(USE_CERT_BUFFERS_2048)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_1024
+            #error "USE_CERT_BUFFERS_1024 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_2048
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_2048
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
@@ -1049,9 +1076,14 @@ Turn on timer debugging (used when CPU cycles not available)
         #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
 
     #elif defined(USE_CERT_BUFFERS_1024)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_2048
+            #error "USE_CERT_BUFFERS_2048 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_1024
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_1024
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
index da8f933c1..b7a8dbf4f 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
@@ -130,6 +130,7 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args)
     int                connd;
     int                shutdown = 0;
     int                ret;
+    int                ret_i; /* interim return values */
     socklen_t          size = sizeof(clientAddr);
     size_t             len;
 #if 0
@@ -329,20 +330,40 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args)
         if ((ssl = wolfSSL_new(ctx)) == NULL) {
             ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL object");
         }
-#if defined(WOLFSSL_HAVE_MLKEM)
         else {
-            /* If success creating CTX and Kyber enabled, set key share: */
-            ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
-            if (ret == SSL_SUCCESS) {
-                ESP_LOGI(TAG, "UseKeyShare WOLFSSL_P521_KYBER_LEVEL5 success");
-            }
-            else {
-                ESP_LOGE(TAG, "UseKeyShare WOLFSSL_P521_KYBER_LEVEL5 failed");
-            }
+#ifdef DEBUG_WOLFSSL
+        ESP_LOGI(TAG, "\nCreated WOLFSSL object:");
+        ShowCiphers(ssl);
+        this_heap = esp_get_free_heap_size();
+        ESP_LOGI(TAG, "tls_smp_client_task heap @ %p = %d",
+                      &this_heap, this_heap);
+#endif
+#if defined(WOLFSSL_HAVE_MLKEM)
+        /* Client sets the keyshare; we at the server only need to enable it. */
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled");
+        ret_i = WOLFSSL_SUCCESS;
+
+    #if defined(WOLFSSL_KYBER1024)
+        ESP_LOGI(TAG, "WOLFSSL_KYBER1024 is enabled");
+    #elif defined(WOLFSSL_KYBER768)
+        ESP_LOGI(TAG, "WOLFSSL_KYBER768 is enabled");
+    #elif defined(WOLFSSL_KYBER512)
+        ESP_LOGI(TAG, "WOLFSSL_KYBER512 is enabled");
+    #else
+        ESP_LOGW(TAG, "WOLFSSL_HAVE_MLKEM enabled but no key size available.");
+        ret_i = ESP_FAIL;
+    #endif
+
+        if (ret_i == WOLFSSL_SUCCESS) {
+            ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM success");
+        }
+        else {
+            ESP_LOGE(TAG, "WOLFSSL_HAVE_MLKEM failed");
         }
 #else
         ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is not enabled, not using PQ.");
 #endif
+        }
         /* show what cipher connected for this WOLFSSL* object */
         ShowCiphers(ssl);
 
@@ -353,6 +374,8 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args)
         ret = wolfSSL_accept(ssl);
         if (ret == SSL_SUCCESS) {
             ShowCiphers(ssl);
+            const char* curve = wolfSSL_get_curve_name(ssl);
+            ESP_LOGI(TAG, "Server negotiated key share group: %s", curve);
         }
         else {
             ESP_LOGE(TAG, "wolfSSL_accept error %d",
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig
index 150913190..9a7fcaa07 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig
@@ -401,24 +401,25 @@ menu "wolfSSL"
                 when performance is critical. See also metrics for counting instances.
 
     endmenu # wolfSSL Hardware Acceleration
+
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
-    menu "wolfSSL Experimental Options"
+    menu "wolfSSL Post Quantum Kyber KEM PQ"
 
-        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
-            bool "Enable wolfSSL Experimental Settings"
+        config ESP_WOLFSSL_ENABLE_MLKEM
+            bool "Enable ML-KEM (Kyber Post Quantum)"
             default n
             help
-                Enables experimental settings for wolfSSL. See documentation.
+                bool "Enable wolfSSL ML-KEM"
 
-        config ESP_WOLFSSL_ENABLE_KYBER
-            bool "Enable wolfSSL Kyber"
+        config WOLFSSL_ENABLE_KYBER
+            bool "Enable Kyber (Round 3)"
             default n
             help
-                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.
+                Enable old compatibility with Kyber Round 3 (enables experimental settings)
 
-    endmenu # wolfSSL Experimental Options
+    endmenu # wolfSSL Post Quantum Kyber KEM PQ
     # -----------------------------------------------------------------------------------------------------------------
 
     # -----------------------------------------------------------------------------------------------------------------
@@ -435,6 +436,11 @@ menu "wolfSSL"
             help
                 Enable a loop wrapper for benchmark, http_client, and wolfssl test apps.
 
+        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
+            bool "Enable wolfSSL Experimental Settings"
+            default n
+            help
+                Enables experimental settings for wolfSSL. See documentation.
     endmenu # wolfSSL Debug Options
     # -----------------------------------------------------------------------------------------------------------------
 
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
index 9679a0841..488182ed6 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
@@ -209,18 +209,40 @@
     /* the code is older or does not have application name defined. */
 #endif /* Example wolfSSL Configuration app settings */
 
-/* Experimental Kyber */
-#ifdef CONFIG_WOLFSSL_ENABLE_KYBER
+/* Optional MLKEM (Kyber Post Quantum)               */
+/*  ./configure --enable-mlkem                       */
+/* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */
+#ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM
     /* Kyber typically needs a minimum 10K stack */
-    #define WOLFSSL_EXPERIMENTAL_SETTINGS
     #define WOLFSSL_HAVE_MLKEM
     #define WOLFSSL_WC_MLKEM
-    #define WOLFSSL_SHA3
+    #define WOLFSSL_SHAKE128
+    #define WOLFSSL_SHAKE256
+
+    /* Old code points to keep compatibility with Kyber Round 3. */
+    /*   ./configure --enable-kyber=all --enable-experimental    */
+    #if defined(CONFIG_WOLFSSL_ENABLE_KYBER)
+        #define WOLFSSL_MLKEM_KYBER
+        #define WOLFSSL_EXPERIMENTAL_SETTINGS
+    #endif
+
     #if defined(CONFIG_IDF_TARGET_ESP8266)
         /* With limited RAM, we'll disable some of the Kyber sizes: */
         #define WOLFSSL_NO_KYBER1024
         #define WOLFSSL_NO_KYBER768
+        #define WOLFSSL_NO_ML_KEM_1024
+        #define WOLFSSL_NO_ML_KEM_768
         #define NO_SESSION_CACHE
+    #else
+        /* Only needed for older wolfssl versions, see mlkem.h */
+        #define WOLFSSL_KYBER1024
+        /* optional alternative sizes:    */
+        /* #define WOLFSSL_KYBER768       */
+        /* #define WOLFSSL_KYBER512       */
+        /* -- or disable a specific one:  */
+        /* #define WOLFSSL_NO_ML_KEM_1024 */
+        /* #define WOLFSSL_NO_ML_KEM_768  */
+        /* #define WOLFSSL_NO_ML_KEM_512  */
     #endif
 #endif
 
@@ -532,7 +554,7 @@
 /* Adjust wait-timeout count if you see timeout in RSA HW acceleration.
  * Set to very large number and enable WOLFSSL_HW_METRICS to determine max. */
 #ifndef ESP_RSA_TIMEOUT_CNT
-	#define ESP_RSA_TIMEOUT_CNT 0xFF0000
+    #define ESP_RSA_TIMEOUT_CNT 0xFF0000
 #endif
 
 /* hash limit for test.c */
@@ -560,6 +582,7 @@
     defined(WOLFSSL_SP_RISCV32)
 #endif
 
+
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */
 
@@ -933,6 +956,8 @@ Turn on timer debugging (used when CPU cycles not available)
 #define ATCA_WOLFSSL
 */
 
+/* optional SM4 Ciphers. See github.com/wolfSSL/wolfsm */
+
 /***************************** Certificate Macros *****************************
  *
  * The section below defines macros used in typically all of the wolfSSL
@@ -1024,9 +1049,14 @@ Turn on timer debugging (used when CPU cycles not available)
     #define WOLFSSL_BASE16
 #else
     #if defined(USE_CERT_BUFFERS_2048)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_1024
+            #error "USE_CERT_BUFFERS_1024 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_2048
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_2048
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
@@ -1046,9 +1076,14 @@ Turn on timer debugging (used when CPU cycles not available)
         #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
 
     #elif defined(USE_CERT_BUFFERS_1024)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_2048
+            #error "USE_CERT_BUFFERS_2048 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_1024
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_1024
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
diff --git a/examples/configs/user_settings_espressif.h b/examples/configs/user_settings_espressif.h
index 8f598aff5..488182ed6 100644
--- a/examples/configs/user_settings_espressif.h
+++ b/examples/configs/user_settings_espressif.h
@@ -110,7 +110,7 @@
     /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
     /* #define USE_WOLFSSL_ESP_SDK_WIFI */
     #define TEST_ESPIDF_ALL_WOLFSSL
-
+    #define HAVE_HKDF
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
     /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
     /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@@ -209,18 +209,40 @@
     /* the code is older or does not have application name defined. */
 #endif /* Example wolfSSL Configuration app settings */
 
-/* Experimental Kyber */
-#ifdef CONFIG_WOLFSSL_ENABLE_KYBER
+/* Optional MLKEM (Kyber Post Quantum)               */
+/*  ./configure --enable-mlkem                       */
+/* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */
+#ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM
     /* Kyber typically needs a minimum 10K stack */
-    #define WOLFSSL_EXPERIMENTAL_SETTINGS
     #define WOLFSSL_HAVE_MLKEM
     #define WOLFSSL_WC_MLKEM
-    #define WOLFSSL_SHA3
+    #define WOLFSSL_SHAKE128
+    #define WOLFSSL_SHAKE256
+
+    /* Old code points to keep compatibility with Kyber Round 3. */
+    /*   ./configure --enable-kyber=all --enable-experimental    */
+    #if defined(CONFIG_WOLFSSL_ENABLE_KYBER)
+        #define WOLFSSL_MLKEM_KYBER
+        #define WOLFSSL_EXPERIMENTAL_SETTINGS
+    #endif
+
     #if defined(CONFIG_IDF_TARGET_ESP8266)
         /* With limited RAM, we'll disable some of the Kyber sizes: */
         #define WOLFSSL_NO_KYBER1024
         #define WOLFSSL_NO_KYBER768
+        #define WOLFSSL_NO_ML_KEM_1024
+        #define WOLFSSL_NO_ML_KEM_768
         #define NO_SESSION_CACHE
+    #else
+        /* Only needed for older wolfssl versions, see mlkem.h */
+        #define WOLFSSL_KYBER1024
+        /* optional alternative sizes:    */
+        /* #define WOLFSSL_KYBER768       */
+        /* #define WOLFSSL_KYBER512       */
+        /* -- or disable a specific one:  */
+        /* #define WOLFSSL_NO_ML_KEM_1024 */
+        /* #define WOLFSSL_NO_ML_KEM_768  */
+        /* #define WOLFSSL_NO_ML_KEM_512  */
     #endif
 #endif
 
@@ -560,8 +582,6 @@
     defined(WOLFSSL_SP_RISCV32)
 #endif
 
-#define WOLFSSL_SMALL_STACK
-
 
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */
@@ -784,6 +804,15 @@
     #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
     /***** END CONFIG_IDF_TARGET_ESP32H2 *****/
 
+#elif defined(CONFIG_IDF_TARGET_ESP32P4)
+    #define WOLFSSL_ESP32
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32P4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP8266)
     #define WOLFSSL_ESP8266
 
@@ -927,6 +956,8 @@ Turn on timer debugging (used when CPU cycles not available)
 #define ATCA_WOLFSSL
 */
 
+/* optional SM4 Ciphers. See github.com/wolfSSL/wolfsm */
+
 /***************************** Certificate Macros *****************************
  *
  * The section below defines macros used in typically all of the wolfSSL
@@ -1018,9 +1049,14 @@ Turn on timer debugging (used when CPU cycles not available)
     #define WOLFSSL_BASE16
 #else
     #if defined(USE_CERT_BUFFERS_2048)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_1024
+            #error "USE_CERT_BUFFERS_1024 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_2048
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_2048
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
@@ -1040,9 +1076,14 @@ Turn on timer debugging (used when CPU cycles not available)
         #define CTX_CLIENT_KEY_TYPE  WOLFSSL_FILETYPE_ASN1
 
     #elif defined(USE_CERT_BUFFERS_1024)
-        #define USE_CERT_BUFFERS_256
+        #ifdef USE_CERT_BUFFERS_2048
+            #error "USE_CERT_BUFFERS_2048 is already defined. Pick one."
+        #endif
+
         /* Be sure to include in app when using example certs: */
-        /* #include <wolfssl/certs_test.h>                     */
+        #include <wolfssl/certs_test.h>
+
+        #define USE_CERT_BUFFERS_256
         #define CTX_CA_CERT          ca_cert_der_1024
         #define CTX_CA_CERT_SIZE     sizeof_ca_cert_der_1024
         #define CTX_CA_CERT_TYPE     WOLFSSL_FILETYPE_ASN1
diff --git a/wolfcrypt/src/wc_mlkem.c b/wolfcrypt/src/wc_mlkem.c
index 842506ee3..461a7c407 100644
--- a/wolfcrypt/src/wc_mlkem.c
+++ b/wolfcrypt/src/wc_mlkem.c
@@ -674,8 +674,8 @@ static int mlkemkey_encapsulate(MlKemKey* key, const byte* m, byte* r, byte* c)
     sword16 y[3 * WC_ML_KEM_MAX_K * MLKEM_N];
 #endif
 #endif
-    sword16* u;
-    sword16* v;
+    sword16* u = 0;
+    sword16* v = 0;
 
     /* Establish parameters based on key type. */
     switch (key->type) {