up:: HQC (Hamming Quasi-Cyclic)
HQC-256
HQC-256 is the largest and most conservative of the three parameter sets of HQC, the code-based key-encapsulation mechanism NIST selected on March 11, 2025 as the fifth post-quantum algorithm and the designated backup to ML-KEM. It targets NIST security category 5, the highest tier, and does the same key-establishment job as ML-KEM on a completely different mathematical foundation: the hardness of decoding a random-looking error-correcting code rather than lattice math. Its artifacts are the largest of the family, a 7,237-byte public key and a 14,421-byte ciphertext, and those bytes are the price of a maximum-assurance margin on a foundation that a lattice break cannot reach. HQC is selected but not yet finalized, so HQC-256 is an algorithm to design for and track, not one to deploy broadly today.
Source: NIST, “NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption,” March 11, 2025; HQC specification, pqc-hqc.org.
The short version:
- HQC-256 is a key-encapsulation mechanism, so it establishes a shared secret. It is not a signature algorithm.
- It targets NIST security category 5, the highest of HQC’s three sets, with HQC-128 at category 1 and HQC-192 at category 3.
- Its public key is 7,237 bytes, its secret key is 7,333 bytes, and its ciphertext is 14,421 bytes.
[OPERATOR VERIFY: figures are from the HQC spec; re-verify against the NIST draft/final standard when published.] - It rests on code-based math (Quasi-Cyclic Syndrome Decoding), independent of the lattices behind ML-KEM.
- It is selected, not finalized. A draft standard is expected around 2026 and a final around 2027, so the move is to deploy ML-KEM now and track HQC.
What is HQC-256?
HQC-256 is the category-5 parameter set of HQC, a key-encapsulation mechanism from the code-based family. A KEM lets two parties agree on a shared secret over an untrusted channel: the recipient publishes a public key, the sender encapsulates a fresh secret into a ciphertext, and the recipient decapsulates it to recover the same secret, which then feeds ordinary symmetric encryption. HQC-256 runs that protocol at the strongest parameter tier the specification defines, which is what gives it the widest margin and the largest artifacts of the HQC family.
A naming note matters here. The current HQC specification labels its three parameter sets HQC-1, HQC-3, and HQC-5 for security categories 1, 3, and 5, while earlier NIST-round submissions used the names hqc-128, hqc-192, and hqc-256. HQC-256 and HQC-5 refer to the same category-5 parameter set. The finalized NIST standard may settle the naming and could tune the parameters, so treat the figures below as the current reference rather than final FIPS values. [OPERATOR VERIFY: confirm the parameter-set name the NIST standard adopts (HQC-5 vs HQC-256) when it publishes.]
Source: HQC specification, pqc-hqc.org.
What are HQC-256’s sizes and security category?
These figures are from the HQC specification; NIST’s final standard may adjust them, since parameters are sometimes tuned during standardization.
| Property | Value |
|---|---|
| NIST security category | Category 5 |
| Public key | 7,237 bytes |
| Secret key | 7,333 bytes |
| Ciphertext | 14,421 bytes |
The number to internalize is the scale. At category 5, an HQC public key runs over seven kilobytes and its ciphertext runs over fourteen, where the comparable category-5 ML-KEM-1024 has a 1,568-byte public key and a 1,568-byte ciphertext. That is roughly four and a half times the key and more than nine times the ciphertext. The compute is not the constraint; the size on the wire is, and it is the direct cost of HQC’s independent, non-lattice foundation at the maximum-assurance tier.
Source: HQC specification, pqc-hqc.org. [OPERATOR VERIFY: re-verify against the NIST HQC draft/final standard once published.]
Is HQC-256 finalized, and where does it fit?
HQC-256 is not finalized. NIST selected HQC on March 11, 2025 as the fifth post-quantum algorithm and the explicit backup to ML-KEM, with a draft standard expected around 2026 and a final one around 2027 after public comment. Until then, HQC-256 is not a FIPS you can point a compliance requirement at, and it should never be a reason to delay migrating to ML-KEM.
Its role is diversity, not first-line deployment. The primary NIST standard for key establishment, ML-KEM, is lattice-based, and HQC exists so that a future break in lattice cryptography would leave the encryption side of the transition with an independent second option. For nearly every program, HQC-256 is a Phase 2 consideration, and at category 5 it is the maximum-assurance version of that diversity hedge: deploy the recommended ML-KEM-768 or the category-5 ML-KEM-1024 now to close the harvest-now-decrypt-later exposure, build crypto-agility so a code-based KEM can slot in later, and follow the standard rather than the draft when adopting HQC.
Source: NIST, March 11, 2025.
Common misconceptions
- “HQC-256 is a standard I can require.” It is selected but not finalized. A draft is expected around 2026 and a final standard around 2027, so it is not yet a FIPS to point a requirement at.
- “The 256 means a 256-bit key.” It reflects the targeted security category, not a key length. HQC-256 (also named HQC-5) targets category 5, and its public key is 7,237 bytes.
- “HQC-256’s big artifacts mean it is less secure.” The larger public key and ciphertext are a deployment cost, not a weakness. They reflect the code-based family’s size profile at the highest tier and buy the independent, non-lattice foundation HQC exists for.
- “HQC-256 replaces ML-KEM-1024.” HQC is a backup to ML-KEM for mathematical diversity, not a replacement. ML-KEM is the primary line deployed now; HQC is the second family held in reserve.
Questions people ask
Is HQC-256 finalized? No. NIST selected HQC on March 11, 2025, with a draft standard expected around 2026 and a final around 2027. Until then it is an algorithm to track and design for, not one to deploy broadly.
Is HQC-256 the same as HQC-5? Yes. The current HQC specification names its category-5 set HQC-5, and earlier NIST-round submissions named it hqc-256. They are the same parameter set. [OPERATOR VERIFY: confirm which name the NIST standard adopts.]
How much bigger is HQC-256 than ML-KEM-1024? Its public key is about 7,237 bytes against ML-KEM-1024’s 1,568, and its ciphertext is about 14,421 bytes against 1,568, so roughly four and a half times the key and more than nine times the ciphertext.
Does HQC-256 do signatures? No. It is a key-encapsulation mechanism, so it handles key establishment only. Signatures are the job of ML-DSA, SLH-DSA, and FN-DSA.
Should I wait for HQC-256 before migrating? No. Deploy ML-KEM now, because it is the finalized default that addresses harvest-now-decrypt-later today, and keep HQC on the roadmap as a diversity option to add later.
Everything here is the map, given freely. When your team needs to decide where a code-based backup like HQC-256 belongs in your own protocols and estate, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.