Insider Brief
- NIST has selected HQC as a backup quantum-resistant encryption algorithm to complement ML-KEM, ensuring a second line of defense against potential quantum threats to data security.
- HQC is based on error-correcting codes, a distinct mathematical approach from ML-KEM’s structured lattices, making it a strategic alternative if ML-KEM is compromised.
- NIST plans to release a draft HQC standard for public comment in 2026, with finalization expected in 2027, while organizations are advised to continue migrating to the 2024 standards.
PRESS RELEASE — Last year, NIST standardized a set of encryption algorithms that can keep data secure from a cyberattack by a future quantum computer. Now, NIST has selected a backup algorithm that can provide a second line of defense for the task of general encryption, which safeguards internet traffic and stored data alike.
Encryption protects sensitive electronic information, including internet traffic and medical and financial records, as well as corporate and national security secrets. But a sufficiently powerful quantum computer, if one is ever built, would be able to break that defense. NIST has been working for more than eight years on encryption algorithms that even a quantum computer cannot break.
Last year, NIST published an encryption standard based on a quantum-resistant algorithm called ML-KEM. The new algorithm, called HQC, will serve as a backup defense in case quantum computers are someday able to crack ML-KEM. Both these algorithms are designed to protect stored information as well as data that travels across public networks.
HQC is not intended to take the place of ML-KEM, which will remain the recommended choice for general encryption, said Dustin Moody, a mathematician who heads NIST’s Post-Quantum Cryptography project.
“Organizations should continue to migrate their encryption systems to the standards we finalized in 2024,” he said. “We are announcing the selection of HQC because we want to have a backup standard that is based on a different math approach than ML-KEM. As we advance our understanding of future quantum computers and adapt to emerging cryptanalysis techniques, it’s essential to have a fallback in case ML-KEM proves to be vulnerable.”
Encryption Based on Two Math Problems
Encryption systems rely on complex math problems that conventional computers find difficult or impossible to solve. A sufficiently capable quantum computer, though, would be able to sift through a vast number of potential solutions to these problems very quickly, thereby defeating current encryption.
While the ML-KEM algorithm is built around a mathematical idea called structured lattices, the HQC algorithm is built around another concept called error-correcting codes, which have been used in information security for decades. Moody said that HQC is a lengthier algorithm than ML-KEM and therefore demands more computing resources. However its clean and secure operation convinced reviewers that it would make a worthy backup choice.
“Organizations should continue to migrate their encryption systems to the standards NIST finalized in 2024. We are announcing the selection of HQC because we want to have a backup standard that is based on a different math approach than ML-KEM.” —Dustin Moody, NIST mathematician and project head
Present and Future Standards
HQC is the latest algorithm chosen by NIST’s Post-Quantum Cryptography project, which has overseen efforts since 2016 to head off potential threats from quantum computers. HQC will take its place alongside the four algorithms NIST selected previously. Three of those algorithms have been incorporated into finished standards, including ML-KEM, which forms the core of the standard called FIPS 203.
The other two finished standards, FIPS 204 and FIPS 205, contain digital signature algorithms, a kind of “electronic fingerprint” that authenticates the identity of a sender, such as when remotely signing documents. The three finished standards are ready for use, and organizations have already started integrating them into their information systems to future-proof them.
A draft of the fourth standard, built around the FALCON algorithm, also concerns digital signatures and will be released shortly as FIPS 206.
HQC is the only algorithm to be standardized from NIST’s fourth round of candidates, which initially included four algorithms meriting further study. NIST has released a report summarizing each of these four candidate algorithms and detailing why HQC was selected.
NIST plans to release a draft standard built around HQC for public comment in about a year. Following a 90-day comment period, NIST will address the comments and finalize the standard for release in 2027.
Draft Guidance for KEM Algorithms
One thing HQC has in common with ML-KEM is that they are both what experts call “key encapsulation mechanisms,” or KEMs. A KEM is used over a public network as a sort of first handshake between two parties that want to exchange confidential information.
NIST has recently published draft guidance for implementing KEM algorithms. This guidance, Recommendations for Key Encapsulation Mechanisms (NIST Special Publication 800-227), describes the basic definitions, properties and applications of KEMs. It also provides recommendations for implementing and using KEMs in a secure manner. NIST hosted a virtual Workshop on Guidance for KEMs in February, and the draft was open for public comment until March 7, 2025.
