On March 11, 2025, the National Institute of Standards and Technology (NIST) announced the selection of HQC as a new Post-Quantum Cryptography (PQC) algorithm for standardization.
HQC serves as an alternative to ML-KEM (FIPS 203) for key encapsulation and encryption. By choosing HQC - based on error-correcting codes - NIST ensures a non-lattice-based option, mitigating potential future vulnerabilities in lattice-based cryptography. However, ML-KEM remains NIST’s primary recommended encryption algorithm and is also part of the CNSA 2.0 suite.
More about HQC – Parameter sets and key sizes compared to ML-KEM
HQC is intended to come in three different parameter sets with the following key sizes:
Parameter | Public Key Size | Private Key Size | Ciphertext Size | Shared Secret Size |
HQC-128 | 2,249 bytes | 2,305 bytes | 4,433 bytes | 64 bytes |
HQC-192 | 4,522 bytes | 4,586 bytes | 8,978 bytes | 64 bytes |
HQC-256 | 7,245 bytes | 7,317 bytes | 14,421 bytes | 64 bytes |
As a reference, these are the parameters and respective key sizes for ML-KEM:
Parameter | Encapsulation Key Size | Decapsulation Key Size | Ciphertext Size | Shared Key Size |
ML-KEM-512 | 800 bytes | 1,632 bytes | 768 bytes | 32 bytes |
ML-KEM-768 | 1,184 bytes | 2,400 bytes | 1,088 bytes | 32 bytes |
ML-KEM-1024 | 1,568 bytes | 3,168 bytes | 1,568 bytes | 32 bytes |
HQC – Standardization Timeline
- 2025: HQC selected for standardization
- 2026: HQC draft standard to be published
- 2027: Final standard for HQC expected
So, organizations planning their PQC migration now will need to wait at least two years for a standardized version of HQC. Meanwhile, ML-KEM is already standardized and ready for use.
The current state of Post Quantum Cryptography
PQC standards published:
- ML-KEM (FIPS 203) for key encapsulation / encryption
- ML-DSA (FIPS 204) for digital signatures
- SLH-DSA (FIPS 205) for digital signatures
Draft PQC standards expected for 2025: FALCON / FN-DSA (FIPS 206) for digital signatures.
Classical algorithms – NIST’s plans for phase-out
In its internal report IR 8547, NIST underscores the urgency of transitioning to PQC by defining clear deadlines for the validity of classical algorithms:
By 2030, the following algorithms will be deprecated:
Elliptic Curve DH and MQV, Finite Field DH and MQV, RSA, ECDSA, EdDSA (112-bit security strength)
By 2035, the following algorithms will be disallowed:
Elliptic Curve DH and MQV, Finite Field DH and MQV, RSA, ECDSA, EdDSA
With these deprecation and disallowance deadlines in mind, organizations should see this as a clear call to action to review their current cryptography and plan for PQC migration.
For further information on NIST’s selection of HQC, visit:
NIST's website
Status Report on the Fourth Round of the NIST Post-Quantum Cryptography Standardization Process
Good to Know
Whether in classical or post-quantum cryptography, one principle remains unchanged: the best way to protect cryptographic keys and applications is by generating, managing, and storing them in a Hardware Security Module (HSM). After all, even the most advanced cryptography is useless if the keys are not secure. Utimaco’s HSMs are designed to be crypto-agile and already support NIST-standardized PQC algorithms today.