NIST chooses HQC, which is based on different mathematics than ML-KEM.
Last year, the National Institute of Standards and Technology (NIST), one of the U.S.’s oldest physical science labs, standardized a set of encryption algorithms that can keep data secure from a cyberattack by a future quantum computer. Now, NIST has selected a backup algorithm as an additional security measure for general encryption, which protects internet traffic and stored data alike.
Encryption protects sensitive electronic information, including internet traffic and medical and financial records, as well as corporate and national security information. However, a sufficiently powerful quantum computer, should one be successfully developed, could compromise that security. NIST has been working for more than eight years on encryption algorithms that even a quantum computer cannot break.
Last year, NIST published an encryption standard based on a quantum-resistant algorithm called ML-KEM. The new algorithm, called HQC, will serve as a backup defense in case quantum computers are someday able to crack ML-KEM. These algorithms are designed to protect stored information as well as data that travels across public networks.
HQC is not intended to take the place of ML-KEM, which will remain the recommended choice for general encryption, said Dustin Moody, a mathematician who heads NIST’s Post-Quantum Cryptography project.
“Organizations should continue to migrate their encryption systems to the standards we finalized in 2024,” he said. “We are announcing the selection of HQC because we want to have a backup standard that is based on a different math approach than ML-KEM. As we advance our understanding of future quantum computers and adapt to emerging cryptanalysis techniques, it’s essential to have a fallback in case ML-KEM proves to be vulnerable.”
Encryption based on two math problems
Encryption systems rely on complex math problems that conventional computers require significant time and resources to solve. However, a sufficiently capable quantum computer could rapidly evaluate numerous possible solutions, potentially rendering current encryption methods ineffective.
While the ML-KEM algorithm is based on structured lattices, the HQC algorithm uses error-correcting codes, which are commonly applied in information security. Moody said that HQC is a longer algorithm than ML-KEM and requires more computing resources. However, its security and reliability led reviewers to select it as a backup choice.
Present and future standards
HQC is the latest algorithm chosen by NIST’s Post-Quantum Cryptography project, which has led the effort since 2016 to address security risks posed by quantum computers. HQC joins the four algorithms NIST selected previously. Three of those algorithms have been incorporated into finished standards, including ML-KEM, which is central to the standard called FIPS 203.
The other two finished standards, FIPS 204 and FIPS 205, contain digital signature algorithms that authenticate the identity of a sender, such as when remotely signing documents. The three finished standards are now available, and organizations have already started integrating them into their information systems to enhance security and longevity.
A draft of the fourth standard, based on the FALCON algorithm, also addresses digital signatures and will be released shortly as FIPS 206.
HQC is the only algorithm to be standardized from NIST’s fourth round of candidates, which initially included four algorithms under further evaluation. NIST has released a report summarizing each of these four algorithms and explaining why HQC was selected.
NIST plans to release a draft standard for HQC for public comment in about a year. After a 90-day comment period, NIST will address the comments and finalize the standard for release in 2027.
Edited by Puja Mitra, WTWH Media, for Control Engineering, from a National Institute of Standards and Technology news release.