When the world's most authoritative body for encryption standards builds a backup plan, it's worth paying attention. In March 2025, the National Institute of Standards and Technology (NIST) announced the selection of HQC (Hamming Quasi-Cyclic) as the fifth algorithm to be standardized for post-quantum encryption — and the reasoning behind that choice tells us a great deal about how seriously the quantum threat is being taken.
NIST finalized its first three post-quantum cryptography (PQC) standards in August 2024. The primary algorithm for general encryption is ML-KEM (formerly CRYSTALS-Kyber), which is built on a branch of mathematics called structured lattices. ML-KEM is fast, efficient, and already being adopted by major cloud providers and operating systems.
So why add another one? Because in cryptography, diversity of mathematical foundations is a safety net. If a fundamental weakness were ever discovered in ML-KEM's lattice-based approach — whether through a mathematical breakthrough or an unforeseen vulnerability — the entire world's encrypted communications could be exposed simultaneously.
"We want to have a backup standard that is based on a different math approach than ML-KEM. As we advance our understanding of future quantum computers and adapt to emerging cryptanalysis techniques, it's essential to have a fallback in case ML-KEM proves to be vulnerable."
— NIST statement on HQC selection, March 2025
HQC is built on error-correcting codes — a mathematical concept that has been studied for decades in information theory, long before quantum computing was a practical concern. This long track record gives cryptographers greater confidence in its security assumptions: there are no known quantum or classical attacks that break error-correcting-code-based cryptography.
The trade-off is performance. HQC requires more computing resources than ML-KEM, producing larger key sizes and slower operations. This makes it less suitable as a primary standard for everyday use, but perfectly adequate as a fallback — deployed only if ML-KEM is ever compromised.
HQC's selection is a signal, not a solution. NIST is not saying ML-KEM is broken — far from it. But the agency is explicitly acknowledging that no single algorithm should be trusted indefinitely, and that cryptographic agility — the ability to swap algorithms quickly when needed — is a core principle of modern security architecture.
For organizations preparing for Q-Day, this has practical implications. Systems that migrate to ML-KEM today should be designed with the assumption that the algorithm underneath may one day need to change. Hardcoded cryptographic choices are a liability; modular, algorithm-agnostic architectures are the goal.
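A minimal sketch of what algorithm-agnostic can mean in code, added here as an illustration and not taken from NIST or any library. The names `AgileKem`, `REGISTRY` and the envelope layout are assumptions, and the two registered KEMs are placeholders with no security that only mimic the keygen/encapsulate/decapsulate shape a real ML-KEM or HQC binding would have.

```python
import hashlib
import os
from dataclasses import dataclass, field

def _stand_in_kem(label: bytes):
    """Placeholder KEM (assumption, NOT secure): same call shape as a real one."""
    def keygen():
        sk = os.urandom(32)
        return hashlib.sha256(label + sk).digest(), sk       # (pk, sk)
    def encaps(pk):
        ct = os.urandom(32)
        return ct, hashlib.sha256(pk + ct).digest()          # (ct, shared secret)
    def decaps(sk, ct):
        pk = hashlib.sha256(label + sk).digest()
        return hashlib.sha256(pk + ct).digest()
    return keygen, encaps, decaps

# A real deployment would register actual ML-KEM and HQC bindings under these ids.
REGISTRY = {"ML-KEM": _stand_in_kem(b"ml-kem"), "HQC": _stand_in_kem(b"hqc")}

@dataclass
class AgileKem:
    preferred: list                       # policy: algorithm ids, most preferred first
    keys: dict = field(default_factory=dict)

    def __post_init__(self):
        self.preferred = list(self.preferred)
        for alg in self.preferred:        # one key pair per permitted algorithm
            self.keys[alg] = REGISTRY[alg][0]()

    def encapsulate(self):
        alg = self.preferred[0]
        ct, ss = REGISTRY[alg][1](self.keys[alg][0])
        # Envelope: 1-byte id length, algorithm id, then the KEM ciphertext.
        return bytes([len(alg)]) + alg.encode() + ct, ss

    def decapsulate(self, envelope: bytes):
        if not envelope:
            raise ValueError("empty envelope")
        n = envelope[0]
        alg, ct = envelope[1:1 + n].decode("ascii", "replace"), envelope[1 + n:]
        if alg not in self.preferred:     # retired or unknown algorithm: refuse
            raise ValueError(f"algorithm {alg!r} not permitted by policy")
        return REGISTRY[alg][2](self.keys[alg][1], ct)

    def retire(self, alg: str):
        """Policy change only: callers of encapsulate/decapsulate are untouched."""
        if self.preferred == [alg]:
            raise ValueError("cannot retire the last permitted algorithm")
        self.preferred.remove(alg)
        self.keys.pop(alg)
```

Because every ciphertext carries its algorithm id and callers never name an algorithm, moving from the primary to the fallback is a single `retire("ML-KEM")` call, after which envelopes produced under the retired algorithm are rejected.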
NIST plans to publish a draft HQC standard for public comment approximately one year after the March 2025 announcement, with a finalized standard expected in 2027. Until then, ML-KEM remains the recommended algorithm for organizations actively migrating today.
The bottom line: the quantum threat is real enough that NIST isn't just building one wall — it's building two, made of completely different materials. That's how seriously the agency is taking the possibility that Q-Day arrives on schedule.