Tag: Post Quantum Cryptography

NIST selects HQC as the 5th Post-Quantum Algorithm: What you need to Know?

NIST selects HQC as the 5th Post-Quantum Algorithm: What you need to Know?

The Evolution of Post-Quantum Cryptography: NIST’s Fifth Algorithm Selection and Its Impact

Introduction

Quantum computing is no longer just a theoretical curiosity—it is advancing towards real-world applications. With these advances comes a major challenge: how do we keep our data secure when today’s encryption methods become obsolete?

Recognising this urgent need, the National Institute of Standards and Technology (NIST) has been working to standardise cryptographic algorithms that can withstand quantum threats. On March 11, 2025, NIST made a significant announcement: the selection of Hamming Quasi-Cyclic (HQC) as the fifth standardised post-quantum encryption algorithm. This code-based algorithm serves as a backup to ML-KEM (Module-Lattice Key Encapsulation Mechanism), ensuring that the cryptographic landscape remains diverse and resilient.

Business and Regulatory Implications

Why This Matters for Organisations

For businesses, governments, and security leaders, the post-quantum transition is not just an IT issue—it is a strategic necessity. The ability of quantum computers to break traditional encryption is not a question of if, but when. Organisations that fail to prepare may find themselves vulnerable to security breaches, regulatory non-compliance, and operational disruptions.

Key Deadlines & Compliance Risks

  • By 2030: NIST will deprecate all 112-bit security algorithms, requiring organisations to transition to quantum-resistant encryption.
  • By 2035: Quantum-vulnerable cryptography will be disallowed, meaning organisations must adopt new standards or risk compliance failures.
  • Government Mandates: The Cybersecurity and Infrastructure Security Agency (CISA) has already issued Binding Operational Directive 23-02, requiring federal vendors to begin their post-quantum transition.
  • EU Regulations: The European Union is advocating for algorithm agility, urging businesses to integrate multiple cryptographic methods to future-proof their security.

How Organisations Should Respond

To stay ahead of these changes, organisations should:

  • Implement Hybrid Cryptography: Combining classical and post-quantum encryption ensures a smooth transition without immediate overhauls.
  • Monitor Supply Chain Dependencies: Ensuring Software Bill-of-Materials (SBOM) compliance can help track cryptographic vulnerabilities.
  • Leverage Automated Tooling: NIST-recommended tools like Sigstore can assist in managing cryptographic transitions.
  • Pilot Test Quantum-Resistant Solutions: By 2026, organisations should begin hybrid ML-KEM/HQC deployments to assess performance and scalability.

Technical Breakdown: Understanding HQC and Its Role

Background: The NIST PQC Standardisation Initiative

Since 2016, NIST has been leading the effort to standardise post-quantum cryptography. The urgency stems from the fact that Shor’s algorithm, when executed on a sufficiently powerful quantum computer, can break RSA, ECC, and Diffie-Hellman encryption—the very foundations of today’s secure communications.

How We Got Here: NIST’s Selection Process

  • August 2024: NIST finalised its first three PQC standards:
    • FIPS 203 – ML-KEM (for key exchange)
    • FIPS 204 – ML-DSA (for digital signatures)
    • FIPS 205 – SLH-DSA (for stateless hash-based signatures)
  • March 2025: NIST added HQC as a code-based backup to ML-KEM, ensuring an alternative in case lattice-based approaches face unforeseen vulnerabilities.

What Makes HQC Different?

HQC offers a code-based alternative to lattice cryptography, relying on quasi-cyclic codes and error-correction techniques.

  • Security Strength: HQC is based on the hardness of decoding random quasi-cyclic codes (QCSD problem). Its IND-CCA2 security is proven in the quantum random oracle model.
  • Efficient Performance:
    • HQC offers a key size of ~3,000 bits, significantly smaller than McEliece’s ~1MB keys.
    • It enables fast decryption while maintaining zero decryption failures in rank-metric implementations.
  • A Safety Net for Cryptographic Diversity: By introducing code-based cryptography, HQC provides a backup if lattice-based schemes, such as ML-KEM, prove weaker than expected.

Challenges & Implementation Considerations

Cryptographic Diversity & Risk Mitigation

  • Systemic Risk Reduction: A major breakthrough against lattice-based schemes would not compromise code-based HQC, ensuring resilience.
  • Regulatory Alignment: Many global cybersecurity frameworks now advocate for algorithmic agility, aligning with HQC’s role.

Trade-offs for Enterprises

  • Larger Key Sizes: HQC keys (~3KB) are larger than ML-KEM keys (~1.6KB), requiring more storage and processing power.
  • Legacy Systems: Organisations must modernise their infrastructure to support code-based cryptography.
  • Upskilling & Training: Engineers will need expertise in error-correcting codes, a different domain from lattice cryptography.

Looking Ahead: Preparing for the Post-Quantum Future

Practical Next Steps for Organisations

  • Conduct a Cryptographic Inventory: Use NIST’s PQC Transition Report to assess vulnerabilities in existing encryption methods.
  • Engage with Security Communities: Industry groups like the PKI Consortium and NIST Working Groups provide guidance on best practices.
  • Monitor Additional Algorithm Standardisation: Algorithms such as BIKE and Classic McEliece may be added in future updates.

Final Thoughts

NIST’s selection of HQC is more than just an academic decision—it is a reminder that cybersecurity is evolving, and businesses must evolve with it. The transition to post-quantum cryptography is not a last-minute compliance checkbox but a fundamental shift in how organisations secure their most sensitive data. Preparing now will not only ensure regulatory compliance but also protect against future cyber threats.

References & Further Reading

Why Do We Need Quantum-Resistant Security Standards?

Why Do We Need Quantum-Resistant Security Standards?

In October 2024, we discussed the profound implications of China’s quantum computing advancements and their potential to disrupt internet security. Quantum computers, with their unparalleled processing power, pose a direct threat to current encryption systems that secure global communications. Since then, the National Institute of Standards and Technology (NIST) has made significant strides in shaping the post-quantum cryptography (PQC) landscape. This follow-up delves into NIST’s recent updates, including finalised standards, transition strategies, and their broader impact on global cybersecurity.


NIST’s Finalised Post-Quantum Encryption Standards

On August 13, 2024, NIST announced the release of its first three finalized post-quantum encryption standards. These standards are foundational for safeguarding electronic information in a quantum-enabled future, addressing key areas such as secure email communications, online transactions, and identity verification.

The standards selected are robust against both classical and quantum attacks, offering a proactive defence against the anticipated rise of quantum threats. While these are groundbreaking, NIST has emphasized the need for rapid adoption, encouraging enterprises and governments alike to begin transitioning their systems to quantum-resistant encryption.

Key highlights:

  • Algorithms: CRYSTALS-Kyber (public key encryption) and CRYSTALS-Dilithium (digital signatures) lead the finalized standards.
  • Applications: These standards are particularly suited for critical applications, such as financial systems, healthcare records, and government communications.

NIST’s Draft Transition Strategy and Timeline

In a draft report released on November 14, 2024, NIST outlined a detailed roadmap for migrating to PQC. This document provides clarity on the timeline and steps necessary to shift from current cryptographic protocols to quantum-resistant ones.

Key Aspects of the Draft:

  1. Transition Timeline:
    • Transition to begin immediately, with milestones for algorithm implementation by 2026.
    • Full adoption in federal systems is targeted by 2030, though enterprises are urged to act sooner.
  2. Evaluation and Risk Management:
    • A phased approach to identify and replace quantum-vulnerable systems.
    • Focus on testing and interoperability with existing infrastructure.
  3. Public Review Period:
    • The draft is open for comments until January 10, 2025, ensuring that the strategy incorporates diverse perspectives from industry leaders, academia, and government.

Guidance for Federal Agencies and Enterprises

To aid the transition, NIST has issued specific guidance tailored for federal agencies and private organizations:

  • Quantum Risk Assessments: Organizations must inventory their cryptographic systems and identify components vulnerable to quantum decryption.
  • Pilot Programs: Encouraged for testing quantum-resistant algorithms in controlled environments.
  • Training and Awareness: Enterprises need to upskill their workforce to understand and implement PQC effectively.

This proactive approach aligns with Executive Order 14028 on improving national cybersecurity, which mandates the adoption of innovative security measures across federal systems.


Enterprises Must Act Faster

While NIST has provided a structured timeline, cybersecurity experts warn that enterprises cannot afford to wait until the final deadlines. The development of practical quantum computers may outpace current expectations, leaving vulnerable systems exposed.

Recommendations for Enterprises:

  1. Prioritise Cryptographic Inventories: Develop a clear understanding of where cryptography is used and its quantum vulnerability.
  2. Develop a Migration Plan: Incorporate NIST’s guidance to create a tailored transition strategy.
  3. Collaborate with Vendors: Work with software and hardware providers to ensure seamless updates and integrations of PQC algorithms.

Global Implications and Call to Action

The transition to PQC is not just a technical challenge but a global imperative. With quantum computing breakthroughs occurring across nations, adopting quantum-resistant standards is essential for maintaining the integrity of digital systems. Organizations worldwide must:

  • Collaborate to ensure interoperability of PQC standards across borders.
  • Share best practices and innovations to accelerate the global transition.
  • Support research in next-generation cryptographic techniques to stay ahead of emerging threats.

Conclusion

NIST’s efforts in finalizing post-quantum encryption standards and drafting a comprehensive transition strategy mark a pivotal moment in cybersecurity. However, these initiatives are only as effective as their adoption. Governments, enterprises, and individuals must take urgent steps to align with these standards and safeguard their digital assets against the looming threat of quantum-powered attacks.

For further insights into how quantum computing advancements could reshape internet security, revisit our previous discussion: How Will China’s Quantum Advances Change Internet Security?.


References & Further Reading: 

  1. NIST IR 8547 – https://csrc.nist.gov/pubs/ir/8547/ipd
  2. NIST IR 8413 – https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
  3. Dilithium – https://pq-crystals.org/dilithium/
  4. Falcon – https://falcon-sign.info/
  5. PHINCS+ – https://sphincs.org/ 
  6. Trapdoor for hard Lattices in Cryptographic Constructs – https://eprint.iacr.org/2007/432 (Must read if you’re a programmer and interested in exploring Lattices) 
  7. Lattice-based cryptography – Chris Peikert, Georgia Institute of Tech – https://web.eecs.umich.edu/~cpeikert/pubs/slides-abit4.pdf
  8. Additional Source Codes to Explore – https://github.com/regras/labs  (This project is a Proof of Concept (PoC), about an Attribute-Based Signature scheme using lattices.)
Bitnami