On March 11, 2025, the National Institute for Standards and Technology (NIST) announced the selection of HQC as a new Post-Quantum Cryptography (PQC) algorithm for standardization.
HQC serves as an alternative to ML-KEM (FIPS 203) for key encapsulation and encryption. By choosing HQC - based on error-correcting codes - NIST ensures a non-lattice-based option, mitigating potential future vulnerabilities in lattice-based cryptography. However, ML-KEM remains NIST’s primary recommended encryption algorithm and is also part of the CNSA 2.0 suite.
Read more about different PQC algorithms types
More about HQC – Parameter sets and key sizes compared to ML-KEM
HQC is intended to come in three different parameter sets with the following key sizes:
Parameter | Public Key Size | Private Key Size | Ciphertext size | Shared secret size |
HQC-128 | 2,249 bytes | 2,305 bytes | 4,433 bytes | 64 bytes |
HQC-192 | 4,522 bytes | 4,586 bytes | 8,978 bytes | 64 bytes |
HQC-256 | 7,245 bytes | 7,317 bytes | 14,421bytes | 64 bytes |
As a reference, these are the parameters and respective key sizes for ML-KEM:
Parameter | Encapsulation Key Size | Decapsulation Key Size | Ciphertext Size | Shared Key Size |
ML-KEM-512 | 800 bytes | 1,632 bytes | 768 bytes | 32 bytes |
ML-KEM-768 | 1,184 bytes | 2,400 bytes | 1,088 bytes | 32 bytes |
ML-KEM-1024 | 1,568 bytes | 3,168 bytes | 1,568 bytes | 32 bytes |
HQC – Standardization Timeline
- 2025: HQC selected for standardization
- 2026: HQC draft standard to be published
- 2027: Final standard for HQC expected
So, organizations planning their PQC migration now will need to wait at least two years for a standardized version of HQC. Meanwhile, ML-KEM is already standardized and ready for use.
The current state of Post Quantum Cryptography
PQC standards published:
- ML-KEM (FIPS 203) for key encapsulation / encryption
- ML-DSA (FIPS 204) for digital signatures
- SLH-DSA (FIPS 205) for digital signatures
Draft PQC standards expected for 2025: FALCON / FN-DSA (FIPS 206) for digital signatures.
Classical algorithms – NIST’s plans for phase-out
In their internal report IR 8547, NIST is pushing the urgency of transitioning to PQC by defining clear deadlines for validity of classical algorithms:
By 2030, the following algorithms will be deprecated:
Elliptic Curve DH, MQC, Finite Field DH, MQV, RSA, ECDSA, EdDSA (112-bit security strength)
By 2035, the following algorithms will be disallowed:
Elliptic Curve DH, MQC, Finite Field DH, MQV, RSA, ECDSA, EdDSA
With these depreciation and disallowance deadlines in mind, organizations should see this as a clear call to action to review their current cryptography and plan for PQC migration.
For further information on NIST’s selection of HQC, visit:
NIST's website
Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process
Good to Know
Whether in classical or post-quantum cryptography, one principle remains unchanged: the best way to protect cryptographic keys and applications is by generating, managing, and storing them in a Hardware Security Module (HSM). After all, even the most advanced cryptography is useless if the keys are not secure. Utimaco’s HSM are designed crypto agile and already support NIST-standardized PQC algorithms today.
