NIST selects HQC as backup algorithm for post-quantum encryption

Last year, NIST standardized a set of encryption algorithms that can keep data secure from a cyberattack by a future quantum computer. Now, NIST has selected a backup algorithm that can provide a second line of defense for the task of general encryption, which safeguards internet traffic and stored data alike.

Encryption protects sensitive electronic information, including internet traffic and medical and financial records, as well as corporate and national security secrets. But a sufficiently powerful quantum computer, if one is ever built, would be able to break that defense. NIST has been working for more than eight years on encryption algorithms that even a quantum computer cannot break.

ML-KEM remains the recommended choice for general encryption

Last year, NIST published an encryption standard based on a quantum-resistant algorithm called ML-KEM. The new algorithm, called HQC, will serve as a backup defense in case quantum computers are someday able to crack ML-KEM. Both these algorithms are designed to protect stored information as well as data that travels across public networks.

HQC is not intended to take the place of ML-KEM, which will remain the recommended choice for general encryption, said Dustin Moody, a mathematician who heads NIST’s Post-Quantum Cryptography project.

“Organizations should continue to migrate their encryption systems to the standards we finalized in 2024,” he said. “We are announcing the selection of HQC because we want to have a backup standard that is based on a different math approach than ML-KEM. As we advance our understanding of future quantum computers and adapt to emerging cryptanalysis techniques, it’s essential to have a fallback in case ML-KEM proves to be vulnerable.”

Encryption systems rely on complex math problems that conventional computers find difficult or impossible to solve. A sufficiently capable quantum computer, though, would be able to sift through a vast number of potential solutions to these problems very quickly, thereby defeating current encryption.

While the ML-KEM algorithm is built around a mathematical idea called structured lattices, the HQC algorithm is built around another concept called error-correcting codes, which have been used in information security for decades. Moody said that HQC is a lengthier algorithm than ML-KEM and therefore demands more computing resources. However its clean and secure operation convinced reviewers that it would make a worthy backup choice.

HQC becomes part of NIST’s post-quantum strategy

HQC is the latest algorithm chosen by NIST’s Post-Quantum Cryptography project, which has overseen efforts since 2016 to head off potential threats from quantum computers. HQC will take its place alongside the four algorithms NIST selected previously. Three of those algorithms have been incorporated into finished standards, including ML-KEM, which forms the core of the standard called FIPS 203.

The other two finished standards, FIPS 204 and FIPS 205, contain digital signature algorithms, a kind of “electronic fingerprint” that authenticates the identity of a sender, such as when remotely signing documents. The three finished standards are ready for use, and organizations have already started integrating them into their information systems to future-proof them.

A draft of the fourth standard, built around the FALCON algorithm, also concerns digital signatures and will be released shortly as FIPS 206.

HQC is the only algorithm to be standardized from NIST’s fourth round of candidates, which initially included four algorithms meriting further study. NIST has released a report summarizing each of these four candidate algorithms and detailing why HQC was selected.

NIST plans to release a draft standard built around HQC for public comment in about a year. Following a 90-day comment period, NIST will address the comments and finalize the standard for release in 2027.