
Are there any key agreement/exchange/establishment protocols/algorithms which are NOT based around, or are variants of, the Diffie–Hellman protocol or handshakes using public key cryptography? DH seems to form the basis of this single class and I'd rather use something different than this stale, old one.

Update #1: I've found Algebraic Eraser seems to be the one key establishment algorithm that is not based on Diffie–Hellman, but I am finding references to an "AEDH".

Update #2: One answer on this site says that CRYSTALS-Kyber works as a key exchange algorithm like Diffie–Hellman in that it uses contributions from both sides to compute the shared secret, but it turns out to only be a composite design. I discovered Blom's scheme a couple years after making this question; it sort of qualifies.

Melab

1 Answer


I'm assuming here that you're looking at asymmetric algorithms only, which may function as a drop-in replacement for DH. A deeper study into symmetric key establishment is left out.


In NIST's post-quantum cryptography challenge it was found out that the one key exchange that was looked at - SIDH - was broken. SIKE, one of the contenders for the challenge, which is based on SIDH, was therefore ruled out.

What was left as final candidates was a set of KEM algorithms:

  • CRYSTALS-Kyber
  • SABER
  • NTRU

of which CRYSTALS-Kyber won the race and became ML-KEM, where ML stands for Module Lattice(-based scheme).

There was also a set of alternative schemes, to note:

  • BIKE
  • HQC
  • Classic McEliece

None of these algorithms is DH-like.


KEMs rely on a single, possibly ephemeral, key pair instead of two key pairs for DH (assuming two-party communication). Basically a newly generated, random secret is encapsulated by the public key and then decapsulated by the private key. If e.g. the public key of the holder is also included in the key calculation - as it is with Kyber - then the algorithm can be thought of as a key agreement algorithm.

In principle this means that DH can be replaced with a KEM as it doesn't require additional handshake messages, but one should take the following into account:

  • the messages differ because one party does not have to send their public key (or sometimes simply called key share or public component)
  • only the entity that has the private key can be authenticated, assuming that the key pair is static and that the public key is trusted by the receiving party

Ephemeral key pairs allow for forward security as the private key may be destroyed after a single use. Key pair generation should preferably be fast in that case as a new key pair needs to be generated for each session. This kind of rules out RSA-KEM for forward security as key pair generation may take a long time, as finding two large random primes will take many CPU cycles. Finding more than two smaller primes takes less time than finding two large ones, but multi-prime RSA is not well supported.


There is also RSA key transport such as used in the older TLS 1.2 specifications and before. It simply uses RSA encryption with PKCS#1 and it may also work with OAEP as padding primitive. This operates largely in the same way as a KEM. It doesn't provide forward secrecy, which was a major reason to leave RSA_ ciphersuites out of TLS 1.3. As it uses a static key pair with the public key within the leaf certificate it does provide server authentication. It is however vulnerable to a set of (side channel) attacks against the padding schemes, so RSA key wrapping should preferably not be used.


As for the edits to this old question:

  • The Algebraic Eraser problem relies on two key pairs so it is a key exchange protocol. The fact that it seems to have vulnerabilities shows that it doesn't rely on the Discrete Logarithm problem. So yes, it isn't DH and it relies on significantly different math.
  • CRYSTALS-Kyber is a KEM which is not based on DH, so Kyber is a good example. Note though that KEMs could be built on a DH-like system or depend on the Discrete Logarithm Problem (DLP). An example of a DH-like KEM is the post-quantum SIKE algorithm which is based on SIDH (broken!). (EC)IES is an example of using (EC)DH for encryption or wrapping, which is closely related to key encapsulation.
DannyNiu
Maarten Bodewes
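As an added example that is not part of the answer above, the following toy RSA-KEM (in the style of ISO/IEC 18033-2) shows the flow the answer describes: one key pair on the receiving side, a single ciphertext as the sender's only message, and the same key derived on both ends, with the random prime search that makes RSA key pair generation slow for ephemeral use. The 512-bit modulus, plain Python big-int arithmetic and SHA-256 standing in for the spec's KDF are illustrative assumptions, not a secure parameter set.

```python
import hashlib
import secrets
# Added example, not the answer's code: toy RSA-KEM in the style of ISO/IEC 18033-2.

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:  # prime search: the slow step in RSA key pair generation
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):
    """Return ((n, e), (n, d)); a KEM needs only this one key pair."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def kdf(r: int, n: int) -> bytes:  # SHA-256 stands in for the spec's KDF
    return hashlib.sha256(r.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def encapsulate(public_key):
    """Sender: random r < n, raw RSA-encrypt it, derive K. Returns (ciphertext, K)."""
    n, e = public_key
    r = secrets.randbelow(n)
    return pow(r, e, n), kdf(r, n)

def decapsulate(private_key, ciphertext: int) -> bytes:
    """Receiver: recover r with the private key and derive the same K."""
    n, d = private_key
    return kdf(pow(ciphertext, d, n), n)
```

The ciphertext is the only thing the sender transmits, which is the message-flow difference from DH the answer lists; no authentication of the sender is possible from this exchange alone.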