- NIST has chosen a new algorithm for post-quantum encryption called HQC, which will serve as a backup for ML-KEM, the main algorithm for general encryption.
- HQC is based on different math than ML-KEM, which could be important if a weakness were discovered in ML-KEM.
- NIST plans to issue a draft standard incorporating the HQC algorithm in about a year, with a finalized standard expected in 2027.
Last year, NIST standardized a set of encryption algorithms that can keep data secure from a cyberattack by a future quantum computer. Now, NIST has selected a backup algorithm that can provide a second line of defense for the task of general encryption, which safeguards internet traffic and stored data alike.
Encryption protects sensitive electronic information, including internet traffic and medical and financial records, as well as corporate and national security secrets. But a sufficiently powerful quantum computer, if one is ever built, would be able to break that defense. NIST has been working for more than eight years on encryption algorithms that even a quantum computer cannot break.
Last year, NIST published an encryption standard based on a quantum-resistant algorithm called ML-KEM. The new algorithm, called HQC, will serve as a backup defense in case quantum computers are someday able to crack ML-KEM. Both these algorithms are designed to protect stored information as well as data that travels across public networks.
HQC is not intended to take the place of ML-KEM, which will remain the recommended choice for general encryption, said Dustin Moody, a mathematician who heads NIST’s Post-Quantum Cryptography project.
“Organizations should continue to migrate their encryption systems to the standar
garbageman
Given the recent politics-based layoffs at NIST, presumably to install and/or keep loyalists in the department, can we trust this is the best encryption standard?
tux3
The NIST report that explains the decision: https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.8545.pdf#p…
whimsicalism
Given how quickly quantum is potentially coming, I wonder if we should/could find some way of using multiple quantum-resistant algorithms simultaneously as a default, in case a fault is found after the limited time we have to verify that there are no faults.
Also – should we not be switching over to these algorithms starting like… now? Am I wrong that anyone collecting HTTPS traffic now will be able to break it in the future?
throw0101c
Meta: I can understand the math problems behind RSA and DH, and the general concepts of EC, but for all the post-quantum algorithms I have yet to gain an intuitive understanding, even after reading / watching a bunch of videos trying to explain things.
EGreg
What is your favorite post-quantum encryption approach?
I think lattice-based ones will eventually be broken by a quantum algorithm. I am fully on board with Lamport signatures and SPHINCS+.