The National Institute of Standards and Technology (NIST) has selected a fifth algorithm (HQC) to add to its PQC portfolio. It plans to issue a draft HQC standard in early 2026, with the finalized standard expected in 2027.
In a report (PDF) on the fourth round of the NIST post-quantum cryptography standardization process, NIST states, “The only key-establishment algorithm that will be standardized is HQC, and NIST will develop a standard based on HQC to augment its key-establishment portfolio.”
Four other algorithms have already been selected, and three of these have been released as finished standards: FIPS 203 is ML-KEM (CRYSTALS-Kyber), FIPS 204 is ML-DSA (CRYSTALS-Dilithium), and FIPS 205 is SLH-DSA (SPHINCS+). The fourth, built around FALCON, is planned as FIPS 206 (FN-DSA); the draft standard is due to be released shortly.
HQC will serve as a backup for ML-KEM. Both are key encapsulation mechanisms (KEMs). KEMs are used to establish a shared secret key over a public channel. That shared secret key can then be used to encrypt data with a symmetric-key encryption system (such as AES-256).
Symmetric algorithms are considered less vulnerable to quantum decryption when their key lengths are long enough — AES-256 is considered to be quantum resistant and there is, for the moment, no emphasis on replacing such symmetric algorithms.
The DSA epithet in the standards refers to ‘digital signature algorithm’, described by NIST as, “a kind of ‘electronic fingerprint’ that authenticates the identity of a sender, such as when remotely signing documents.”
Just as SPHINCS+ is included as a backup for Dilithium and FALCON, so HQC is included as a backup for ML-KEM. The ‘KEM’ epithet stands for ‘key encapsulation mechanism’. Logically, this fifth standardization is likely to be FIPS 207, xx-KEM.
First choices for both KEMs and DSAs are already standardized, and organizations should not wait for the backups to be available before migrating to PQC.
“Organizations should continue to migrate their encryption systems to the standards NIST finalized in 2024. We are announcing the selection of HQC because we want to have a backup standard that is based on a different math approach than ML-KEM,” explains Dustin Moody, NIST mathematician and project head.
Despite the future option of HQC, ML-KEM remains the recommended first choice for migration to PQC. Its algorithm is built around the mathematics of structured lattices. HQC uses different math, built around error-correcting codes. Its algorithm is lengthier and requires more computing resources than Kyber, but Moody noted, “Its clean and secure operation convinced reviewers that it would make a worthy backup choice.”
Within the DSA category, Dilithium (FIPS 204, ML-DSA) is the primary recommendation. The FALCON algorithm (expected to be FIPS 206, FN-DSA) is recommended for applications that require a smaller signature than can be provided by Dilithium. SPHINCS+ (FIPS 205, SLH-DSA) is larger and slower than the others but is a useful backup since it uses different math based on cryptographic hash functions.
The availability of backups provides options for crypto agility (which could also be called ‘just in case crypto’). NIST urges that migration to PQC should include crypto agility, so that just in case an installed encryption fails or gets broken, an adequate alternative can be swiftly swapped in.
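The swap-in described above, as an added example that is not from NIST or from this article: a key-establishment routine that takes its KEM from a preference list, so disabling the first choice falls through to the backup without touching the calling code. The `ToyDhKem` class, the names `toy-primary` and `toy-backup`, and the `select_kem` and `establish` helpers are assumptions; the toy KEM is classical Diffie-Hellman over constructed parameters, not ML-KEM or HQC, and is not secure.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class ToyDhKem:
    """Toy classical Diffie-Hellman KEM: NOT post-quantum, NOT secure.
    It only stands where a real KEM (ML-KEM, HQC) would plug in."""
    name: str
    p: int          # modulus (constructed toy parameter)
    g: int = 2

    def keygen(self):
        sk = secrets.randbelow(self.p - 3) + 2
        return pow(self.g, sk, self.p), sk             # (public key, private key)

    def encaps(self, pk):
        eph = secrets.randbelow(self.p - 3) + 2
        ct = pow(self.g, eph, self.p)                  # sent over the public channel
        return ct, self._kdf(pow(pk, eph, self.p), ct)

    def decaps(self, sk, ct):
        return self._kdf(pow(ct, sk, self.p), ct)

    def _kdf(self, shared, ct):
        n = (self.p.bit_length() + 7) // 8
        data = self.name.encode() + shared.to_bytes(n, "big") + ct.to_bytes(n, "big")
        return hashlib.sha256(data).digest()           # 32 bytes: AES-256 key size

# Hypothetical registry: a first choice and a backup built on different parameters.
REGISTRY = {k.name: k for k in (ToyDhKem("toy-primary", 2**521 - 1),
                                ToyDhKem("toy-backup", 2**255 - 19))}

def select_kem(preference, disabled=frozenset()):
    """First preferred KEM that is implemented and not administratively disabled."""
    for name in preference:
        if name in REGISTRY and name not in disabled:
            return REGISTRY[name]
    raise LookupError("no acceptable KEM left in the preference list")

def establish(preference, disabled=frozenset()):
    """One key establishment; returns (algorithm, sender key, receiver key)."""
    kem = select_kem(preference, disabled)
    pk, sk = kem.keygen()                # receiver publishes pk
    ct, k_sender = kem.encaps(pk)        # sender derives key, transmits ct
    k_receiver = kem.decaps(sk, ct)      # receiver recovers the same key
    return kem.name, k_sender, k_receiver
```

Because callers only see `keygen`, `encaps` and `decaps`, replacing a broken algorithm is a change to the `disabled` set or the preference list rather than to application code.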
With the coming addition of HQC, NIST now has a complete set of first-choice and backup post-quantum encryption algorithms.