NIST Picks HQC as New Post-Quantum Encryption Candidate

The U.S. National Institute of Standards and Technology (NIST) today announced the selection of Hamming Quasi-Cyclic (HQC) as a new post-quantum encryption candidate in Round 4 of its Post-Quantum Cryptography (PQC) standardization program. HQC’s advancement is especially interesting because it is the only algorithm from NIST’s fourth round of evaluations to be chosen for standardization. This move will add a fifth algorithm to NIST’s list of quantum-resistant tools, serving as a backup encryption method alongside the four algorithms already selected in earlier rounds. For a more technical analysis of the four previously selected algorithms, see: Inside NIST’s First Post-Quantum Standards: A Technical Exploration of Kyber, Dilithium, and SPHINCS+.
NIST officials highlighted that HQC is being designated as a “backup” encryption standard rather than a replacement for the primary algorithms finalized last year. Dustin Moody, a NIST mathematician leading the PQC project, explained that as organizations migrate to post-quantum cryptography, it’s prudent to have an alternative based on different mathematics in case the main algorithm is ever threatened. “We are announcing the selection of HQC because we want to have a backup standard that is based on a different math approach than [our primary algorithm],” Moody said. In practice, this means HQC will coexist with NIST’s primary encryption standard (known as ML-KEM, derived from the lattice-based CRYSTALS-Kyber algorithm) rather than displace it. The intent is to bolster confidence that even as quantum technology advances, there will be more than one line of defense protecting sensitive data.
HQC’s selection is the result of NIST’s Round 4, an extra phase in the PQC competition dedicated to evaluating additional encryption algorithms for standardization. At the conclusion of the third round in 2022, NIST had already chosen four primary PQC algorithms (one encryption method and three digital signature schemes) to standardize, and it moved four other promising candidates into a fourth round for further study. Those Round 4 candidates included two code-based encryption schemes (HQC and a similar method called BIKE), the classic McEliece code-based system, and an isogeny-based scheme called SIKE. NIST indicated back then that it expected to pick at most one of the two closely related code-based contenders (HQC or BIKE) for standardization, aiming to diversify beyond the lattice-based approach of its first selections. Over the past two years, the field narrowed: SIKE was crippled by a surprise cryptanalytic attack in 2022, and Classic McEliece, while still deemed very secure, was less practical due to its huge public keys. This left HQC and BIKE vying as general-purpose alternatives. NIST’s latest report details how HQC ultimately earned the nod over the others, thanks to its strong security evaluations and acceptable performance trade-offs.
According to NIST’s announcement, a draft standard specifying HQC will be published for public comment in about a year, with the final standard expected in 2027 after feedback is incorporated. This timeline gives industry and government stakeholders time to review HQC’s specifications and plan for its adoption.
What is HQC?
HQC, short for Hamming Quasi-Cyclic, is a code-based cryptographic algorithm designed to protect data against quantum-enabled attacks. In more technical terms, HQC is a type of Key-Encapsulation Mechanism (KEM) – a method for exchanging encryption keys securely – whose security relies on problems from error-correcting code theory.
Traditional encryption schemes like RSA or elliptic-curve cryptography rely on number theory problems (factoring, discrete log) that quantum computers could eventually solve. In contrast, HQC’s hardness comes from the difficulty of decoding a scrambled message that has been mixed with random errors, a problem believed to be resistant to quantum attacks. This approach builds on decades of research in coding theory: error-correcting codes (such as Hamming, Reed-Solomon, or Reed-Muller codes) are normally used to detect and fix errors in data transmissions, but they can also be repurposed to hide data within noise in a way that only someone with the secret key can efficiently decode.
Essentially, HQC generates a public key that anyone can use to encode (encrypt) a message with extra random noise; only the holder of the private key knows how to strip away just enough of that noise to recover the original message. This clever design means an attacker faces a task akin to solving a complex syndrome decoding puzzle – something believed to be mathematically intractable even for quantum computers. The structure is described as “quasi-cyclic” because HQC uses structured codes that repeat in a cyclic pattern, which allows for much smaller key sizes than earlier code-based systems without weakening security. (For context, HQC’s public keys are on the order of a few kilobytes, versus hundreds of kilobytes for the classic McEliece scheme, making HQC considerably more practical for real-world use.)
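The encrypt-with-noise, decrypt-by-stripping-noise mechanism described above can be shown end to end in a short sketch. This is an added example, not code from NIST or the HQC submission: it follows the HQC-style encryption layout (public key h and s = x + h*y, ciphertext u and v) in the ring F2[X]/(X^N - 1), but the parameters are constructed toy values with no security, a simple repetition code stands in for HQC's real error-correcting code, and the KEM wrapper around the encryption step is omitted.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
N = 347           # ring F2[X]/(X^N - 1); a polynomial is stored as an N-bit int
K, REP = 8, 43    # 8 message bits, each repeated 43 times (stand-in code)
W = 3             # Hamming weight of every secret and noise vector
MASK = (1 << N) - 1
BLOCK = (1 << REP) - 1

def rot(a, i):
    """Multiply a by X^i, i.e. rotate the N-bit vector cyclically by i."""
    return ((a << i) | (a >> (N - i))) & MASK

def mul(sparse, dense):
    """Quasi-cyclic product: XOR one rotation of dense per set bit of sparse."""
    out = 0
    for i in range(N):
        if (sparse >> i) & 1:
            out ^= rot(dense, i)
    return out

def sparse_vec(weight):
    """Random vector with exactly `weight` ones."""
    v = 0
    while bin(v).count("1") < weight:
        v |= 1 << secrets.randbelow(N)
    return v

def encode(msg):
    """Repetition code: bit j of msg fills positions j*REP .. j*REP+REP-1."""
    return sum(BLOCK << (j * REP) for j in range(K) if (msg >> j) & 1)

def decode(word):
    """Majority vote per block; tolerates up to REP//2 flipped bits per block."""
    return sum(1 << j for j in range(K)
               if bin((word >> (j * REP)) & BLOCK).count("1") > REP // 2)

def keygen():
    h = secrets.randbits(N)                  # public random ring element
    x, y = sparse_vec(W), sparse_vec(W)      # low-weight secrets
    return (h, x ^ mul(y, h)), y             # public (h, s = x + h*y), private y

def encrypt(pk, msg):
    h, s = pk
    r1, r2, e = sparse_vec(W), sparse_vec(W), sparse_vec(W)
    return r1 ^ mul(r2, h), encode(msg) ^ mul(r2, s) ^ e    # ciphertext (u, v)

def decrypt(y, ct):
    u, v = ct
    # v + u*y = encode(msg) + x*r2 + r1*y + e, so at most 2*W*W + W = 21 bits
    # are flipped, which the 43-fold majority vote always corrects.
    return decode(v ^ mul(y, u))
```

Without y, the term s*r2 in v looks like dense random noise over the codeword; with y, the h*y*r2 contributions cancel and only the low-weight residue remains for the decoder to remove.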
Why did NIST select HQC?
The driving reason is cryptographic diversity. All of the primary encryption finalists that NIST standardized in 2022 rely on lattice mathematics – a family of problems that is very robust, but not immune to future breakthroughs. HQC offers a different mathematical foundation (code-based instead of lattice-based) to guard against the possibility that a single technique could be defeated. By standardizing HQC as a fallback, NIST is hedging against the unknown: if, years down the road, a new algorithm or a more powerful quantum computer manages to weaken lattice-based encryption, organizations could pivot to the code-based HQC algorithm, which would not be affected by lattice-specific attacks.
NIST’s cryptographers were satisfied that HQC met their high bar for security (surviving extensive cryptanalysis during the PQC rounds) and were reassured by its “clean and secure operation,” which “convinced reviewers that it would make a worthy backup choice,” according to Moody. HQC did come with some performance trade-offs – for example, it demands more computational resources and produces larger ciphertexts than lattice-based Kyber – but these were expected for a code-based scheme and deemed an acceptable price for its security benefits. In fact, NIST had weighed HQC against its closest rival, BIKE, which is also code-based; both schemes are built on similar principles, but ultimately only one was needed. HQC’s design and analysis evidently gave it the edge, leading NIST to pick it as the one additional KEM to standardize from the Round 4 candidates. (The other Round 4 contenders have effectively been sidelined: BIKE will not be standardized, and Classic McEliece remains unlikely unless a compelling use-case for its ultra-large-key approach emerges.) Notably, the fourth candidate SIKE – once valued for its tiny keys – was eliminated early after researchers broke its underlying problem in a startling classical cryptanalysis attack, underscoring why NIST insists on thorough vetting and a diversified strategy. In the end, HQC stood out as the resilient choice to fortify the post-quantum encryption suite with a completely different defense mechanism.
Implications for Cybersecurity and Industry
The inclusion of HQC in the standards lineup has important implications for security professionals and the tech industry at large. First, it bolsters confidence that our encrypted data will remain safe in the post-quantum era, even in a worst-case scenario. With HQC in the toolkit, organizations will soon have two independent encryption algorithms (one lattice-based, one code-based) to choose from – or even deploy in tandem for extra safety. This multi-algorithm approach is a cornerstone of crypto agility, the ability to switch or layer cryptographic mechanisms without overhauling systems. Companies working to “quantum-proof” their products have mostly focused on the first NIST PQC standards (such as Kyber for encryption), which were finalized last year. Those primary PQC standards are already being integrated into software, hardware, and networks. NIST has been clear that organizations should continue adopting the Round 3 algorithms as the default – for instance, using the lattice-based ML-KEM (Kyber) to secure web traffic and VPNs – since HQC is envisioned as a backup. In practice, that means near-term procurement and migration plans won’t change overnight with this announcement. However, forward-looking organizations will welcome HQC’s addition as an insurance policy. Security architects can start planning how they might implement HQC in the future if the need arises, and vendors may begin offering support for HQC alongside the main algorithms once the standard is finalized.
On a broader scale, HQC’s selection is a signal to the market that NIST is confident in code-based cryptography as a viable component of our security future. This could spur more investment in optimizing code-based schemes – for example, improving their performance or hardware acceleration – since they now have a clear path to standard use. It also sends a message to global standards bodies and governments that were waiting on NIST’s decisions: they can move forward knowing a second post-quantum encryption algorithm will be available. In the coming years, we may see guidelines recommending a hybrid approach (using both lattice and code-based encryption in different layers or applications) to maximize safety. For critical infrastructure and long-lived data (think healthcare records, state secrets, or infrastructure command systems that must remain confidential for decades), the availability of two distinct quantum-safe encryption standards provides a much-needed assurance against uncertainty. Even if one approach were ever compromised, the other could shield the data, preventing a single point of failure in our cryptographic defenses.
What Round 4 Means & What’s Next
In NIST’s PQC selection process, “Round 4” has been an unusual extra inning. The PQC program began in 2016 and was originally expected to conclude after three rounds of evaluation, which produced the initial standards in 2022. However, given the high stakes and the desire to include more variety, NIST extended the process with a fourth round to scrutinize a few remaining candidates (like HQC) that showed promise but weren’t quite ready to standardize at the time of the third-round decision. The fact that HQC has emerged from this extended review and been approved for standardization indicates that NIST is wrapping up the competition phase of PQC. With encryption algorithms now settled (one primary and one backup) and multiple digital signature algorithms already standardized (lattice-based CRYSTALS-Dilithium and Falcon, plus hash-based SPHINCS+), the focus will shift to implementation and adoption. NIST plans to publish a draft standard for HQC in 2026 and finalize it after public comments by 2027. In parallel, NIST is also working on expanding the roster of quantum-safe digital signatures through a separate call for new signature algorithms (sometimes informally called “Round 5”), seeking non-lattice options to complement Dilithium and Falcon. All these efforts are part of a comprehensive push to ensure that when quantum computers finally arrive, the world’s cryptography will be ready.
For professionals in tech and security, the takeaway is that post-quantum cryptography is entering a deployment phase. The standards are maturing, and HQC’s introduction enriches the options for building secure systems. Enterprises should keep an eye on HQC’s standardization progress; even if it’s a backup, it might become mission-critical should new threats emerge. In the meantime, experts advise continuing to roll out the already-standardized PQC algorithms – many organizations have begun doing so to “future-proof” their systems – and to design systems with flexibility in mind. The crypto landscape is evolving, but with choices like HQC now in hand, the industry can approach the quantum era with greater confidence. As NIST’s latest selection shows, preparation for tomorrow’s threats includes not just one silver bullet, but a quiver of quantum-resistant arrows to keep our data safe for the long haul.