up:: HQC (Hamming Quasi-Cyclic)
HQC-128
HQC-128 is the smallest of the three parameter sets of HQC, the code-based key-encapsulation mechanism NIST selected on March 11, 2025 as the fifth post-quantum algorithm and the designated backup to ML-KEM. It targets NIST security category 1 and does the same key-establishment job as ML-KEM, agreeing on a shared secret over an open network, but on a completely different mathematical foundation: the hardness of decoding a random-looking error-correcting code rather than lattice math. Its artifacts are large, a 2,241-byte public key and a 4,433-byte ciphertext, several times the size of the comparable ML-KEM set, and those extra bytes are the price of a foundation that a lattice break cannot reach. HQC is selected but not yet finalized, so HQC-128 is an algorithm to design for and track, not one to deploy broadly today.
Source: NIST, “NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption,” March 11, 2025; HQC specification, pqc-hqc.org.
The short version:
- HQC-128 is a key-encapsulation mechanism, so it establishes a shared secret. It is not a signature algorithm.
- It targets NIST security category 1, the smallest of HQC’s three sets, with HQC-192 at category 3 and HQC-256 at category 5.
- Its public key is 2,241 bytes, its secret key is 2,321 bytes, and its ciphertext is 4,433 bytes.
[OPERATOR VERIFY: figures are from the HQC spec; re-verify against the NIST draft/final standard when published.] - It rests on code-based math (Quasi-Cyclic Syndrome Decoding), independent of the lattices behind ML-KEM.
- It is selected, not finalized. A draft standard is expected around 2026 and a final around 2027, so the move is to deploy ML-KEM now and track HQC.
What is HQC-128?
HQC-128 is the category-1 parameter set of HQC, a key-encapsulation mechanism from the code-based family. A KEM lets two parties agree on a shared secret over an untrusted channel: the recipient publishes a public key, the sender encapsulates a fresh secret into a ciphertext, and the recipient decapsulates it to recover the same secret, which then feeds ordinary symmetric encryption. HQC-128 runs that protocol at the smallest of the three parameter tiers, which is why its artifacts are the smallest of the HQC family, though still several times larger than the comparable ML-KEM set.
A naming note matters here. The current HQC specification labels its three parameter sets HQC-1, HQC-3, and HQC-5 for security categories 1, 3, and 5, while earlier NIST-round submissions used the names hqc-128, hqc-192, and hqc-256. HQC-128 and HQC-1 refer to the same category-1 parameter set. The finalized NIST standard may settle the naming and could tune the parameters, so treat the figures below as the current reference rather than final FIPS values. [OPERATOR VERIFY: confirm the parameter-set name the NIST standard adopts (HQC-1 vs HQC-128) when it publishes.]
Source: HQC specification, pqc-hqc.org.
What are HQC-128’s sizes and security category?
These figures are from the HQC specification; NIST’s final standard may adjust them, since parameters are sometimes tuned during standardization.
| Property | Value |
|---|---|
| NIST security category | Category 1 |
| Public key | 2,241 bytes |
| Secret key | 2,321 bytes |
| Ciphertext | 4,433 bytes |
The number to internalize is the scale, not the exact bytes. Even at the lowest security level, an HQC public key runs over two kilobytes and its ciphertext runs over four, where the comparable category-1 ML-KEM-512 has an 800-byte public key and a 768-byte ciphertext. That is roughly three times the key and nearly six times the ciphertext. The compute is not the constraint; the size on the wire is, and it is the direct cost of HQC’s independent, non-lattice foundation.
Source: HQC specification, pqc-hqc.org. [OPERATOR VERIFY: re-verify against the NIST HQC draft/final standard once published.]
Is HQC-128 finalized, and where does it fit?
HQC-128 is not finalized. NIST selected HQC on March 11, 2025 as the fifth post-quantum algorithm and the explicit backup to ML-KEM, with a draft standard expected around 2026 and a final one around 2027 after public comment. Until then, HQC-128 is not a FIPS you can point a compliance requirement at, and it should never be a reason to delay migrating to ML-KEM.
Its role is diversity, not first-line deployment. The primary NIST standard for key establishment, ML-KEM, is lattice-based, and HQC exists so that a future break in lattice cryptography would leave the encryption side of the transition with an independent second option. For nearly every program, HQC-128 is a Phase 2 consideration: deploy ML-KEM-512 or the recommended ML-KEM-768 now to close the harvest-now-decrypt-later exposure, build crypto-agility so a code-based KEM can slot in later, and follow the standard rather than the draft when adopting HQC. Reading “NIST selected it” as “wait for it before starting” gets the sequencing backward.
Source: NIST, March 11, 2025.
Common misconceptions
- “HQC-128 is a standard I can require.” It is selected but not finalized. A draft is expected around 2026 and a final standard around 2027, so it is not yet a FIPS to point a requirement at.
- “The 128 means a 128-bit key.” It reflects the targeted security category, not a key length. HQC-128 (also named HQC-1) targets category 1, and its public key is 2,241 bytes.
- “HQC-128’s big artifacts mean it is less secure.” The larger public key and ciphertext are a deployment cost, not a weakness. They reflect the code-based family’s size profile and buy the independent, non-lattice foundation HQC exists for.
- “HQC-128 replaces ML-KEM-512.” HQC is a backup to ML-KEM for mathematical diversity, not a replacement. ML-KEM is the primary line deployed now; HQC is the second family held in reserve.
Questions people ask
Is HQC-128 finalized? No. NIST selected HQC on March 11, 2025, with a draft standard expected around 2026 and a final around 2027. Until then it is an algorithm to track and design for, not one to deploy broadly.
Is HQC-128 the same as HQC-1? Yes. The current HQC specification names its category-1 set HQC-1, and earlier NIST-round submissions named it hqc-128. They are the same parameter set. [OPERATOR VERIFY: confirm which name the NIST standard adopts.]
How much bigger is HQC-128 than ML-KEM-512? Its public key is about 2,241 bytes against ML-KEM-512’s 800, and its ciphertext is about 4,433 bytes against 768, so roughly three times the key and nearly six times the ciphertext.
Does HQC-128 do signatures? No. It is a key-encapsulation mechanism, so it handles key establishment only. Signatures are the job of ML-DSA, SLH-DSA, and FN-DSA.
Should I wait for HQC-128 before migrating? No. Deploy ML-KEM now, because it is the finalized default that addresses harvest-now-decrypt-later today, and keep HQC on the roadmap as a diversity option to add later.
Everything here is the map, given freely. When your team needs to decide where a code-based backup like HQC-128 belongs in your own protocols and estate, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.