up:: HQC (Hamming Quasi-Cyclic)

HQC-256

HQC-256 is the largest and most conservative of the three parameter sets of HQC, the code-based key-encapsulation mechanism NIST selected on March 11, 2025 as the fifth post-quantum algorithm and the designated backup to ML-KEM. It targets NIST security category 5, the highest tier, and does the same key-establishment job as ML-KEM on a completely different mathematical foundation: the hardness of decoding a random-looking error-correcting code rather than lattice math. Its artifacts are the largest of the family, a 7,237-byte public key and a 14,421-byte ciphertext, and those bytes are the price of a maximum-assurance margin on a foundation that a lattice break cannot reach. HQC is selected but not yet finalized, so HQC-256 is an algorithm to design for and track, not one to deploy broadly today.

Source: NIST, “NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption,” March 11, 2025; HQC specification, pqc-hqc.org.

The short version:

  • HQC-256 is a key-encapsulation mechanism, so it establishes a shared secret. It is not a signature algorithm.
  • It targets NIST security category 5, the highest of HQC’s three sets, with HQC-128 at category 1 and HQC-192 at category 3.
  • Its public key is 7,237 bytes, its secret key is 7,333 bytes, and its ciphertext is 14,421 bytes. [OPERATOR VERIFY: figures are from the HQC spec; re-verify against the NIST draft/final standard when published.]
  • It rests on code-based math (Quasi-Cyclic Syndrome Decoding), independent of the lattices behind ML-KEM.
  • It is selected, not finalized. A draft standard is expected around 2026 and a final around 2027, so the move is to deploy ML-KEM now and track HQC.

What is HQC-256?

HQC-256 is the category-5 parameter set of HQC, a key-encapsulation mechanism from the code-based family. A KEM lets two parties agree on a shared secret over an untrusted channel: the recipient publishes a public key, the sender encapsulates a fresh secret into a ciphertext, and the recipient decapsulates it to recover the same secret, which then feeds ordinary symmetric encryption. HQC-256 runs that protocol at the strongest parameter tier the specification defines, which is what gives it the widest margin and the largest artifacts of the HQC family.

A naming note matters here. The current HQC specification labels its three parameter sets HQC-1, HQC-3, and HQC-5 for security categories 1, 3, and 5, while earlier NIST-round submissions used the names hqc-128, hqc-192, and hqc-256. HQC-256 and HQC-5 refer to the same category-5 parameter set. The finalized NIST standard may settle the naming and could tune the parameters, so treat the figures below as the current reference rather than final FIPS values. [OPERATOR VERIFY: confirm the parameter-set name the NIST standard adopts (HQC-5 vs HQC-256) when it publishes.]

Source: HQC specification, pqc-hqc.org.

What are HQC-256’s sizes and security category?

These figures are from the HQC specification; NIST’s final standard may adjust them, since parameters are sometimes tuned during standardization.

PropertyValue
NIST security categoryCategory 5
Public key7,237 bytes
Secret key7,333 bytes
Ciphertext14,421 bytes

The number to internalize is the scale. At category 5, an HQC public key runs over seven kilobytes and its ciphertext runs over fourteen, where the comparable category-5 ML-KEM-1024 has a 1,568-byte public key and a 1,568-byte ciphertext. That is roughly four and a half times the key and more than nine times the ciphertext. The compute is not the constraint; the size on the wire is, and it is the direct cost of HQC’s independent, non-lattice foundation at the maximum-assurance tier.

Source: HQC specification, pqc-hqc.org. [OPERATOR VERIFY: re-verify against the NIST HQC draft/final standard once published.]

Is HQC-256 finalized, and where does it fit?

HQC-256 is not finalized. NIST selected HQC on March 11, 2025 as the fifth post-quantum algorithm and the explicit backup to ML-KEM, with a draft standard expected around 2026 and a final one around 2027 after public comment. Until then, HQC-256 is not a FIPS you can point a compliance requirement at, and it should never be a reason to delay migrating to ML-KEM.

Its role is diversity, not first-line deployment. The primary NIST standard for key establishment, ML-KEM, is lattice-based, and HQC exists so that a future break in lattice cryptography would leave the encryption side of the transition with an independent second option. For nearly every program, HQC-256 is a Phase 2 consideration, and at category 5 it is the maximum-assurance version of that diversity hedge: deploy the recommended ML-KEM-768 or the category-5 ML-KEM-1024 now to close the harvest-now-decrypt-later exposure, build crypto-agility so a code-based KEM can slot in later, and follow the standard rather than the draft when adopting HQC.

Source: NIST, March 11, 2025.

Common misconceptions

  1. “HQC-256 is a standard I can require.” It is selected but not finalized. A draft is expected around 2026 and a final standard around 2027, so it is not yet a FIPS to point a requirement at.
  2. “The 256 means a 256-bit key.” It reflects the targeted security category, not a key length. HQC-256 (also named HQC-5) targets category 5, and its public key is 7,237 bytes.
  3. “HQC-256’s big artifacts mean it is less secure.” The larger public key and ciphertext are a deployment cost, not a weakness. They reflect the code-based family’s size profile at the highest tier and buy the independent, non-lattice foundation HQC exists for.
  4. “HQC-256 replaces ML-KEM-1024.” HQC is a backup to ML-KEM for mathematical diversity, not a replacement. ML-KEM is the primary line deployed now; HQC is the second family held in reserve.

Questions people ask

Is HQC-256 finalized? No. NIST selected HQC on March 11, 2025, with a draft standard expected around 2026 and a final around 2027. Until then it is an algorithm to track and design for, not one to deploy broadly.

Is HQC-256 the same as HQC-5? Yes. The current HQC specification names its category-5 set HQC-5, and earlier NIST-round submissions named it hqc-256. They are the same parameter set. [OPERATOR VERIFY: confirm which name the NIST standard adopts.]

How much bigger is HQC-256 than ML-KEM-1024? Its public key is about 7,237 bytes against ML-KEM-1024’s 1,568, and its ciphertext is about 14,421 bytes against 1,568, so roughly four and a half times the key and more than nine times the ciphertext.

Does HQC-256 do signatures? No. It is a key-encapsulation mechanism, so it handles key establishment only. Signatures are the job of ML-DSA, SLH-DSA, and FN-DSA.

Should I wait for HQC-256 before migrating? No. Deploy ML-KEM now, because it is the finalized default that addresses harvest-now-decrypt-later today, and keep HQC on the roadmap as a diversity option to add later.


Everything here is the map, given freely. When your team needs to decide where a code-based backup like HQC-256 belongs in your own protocols and estate, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.