up:: The Mandates MOC
ISO IEC 18033
ISO/IEC 18033 is the international standard for encryption algorithms, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, and its Part 2 (asymmetric ciphers) is the vehicle through which post-quantum key-encapsulation gets an international-standards home alongside NIST’s FIPS 203. The distinctive feature is breadth: the amendment standardizes three post-quantum KEMs at once, the structured-lattice ML-KEM, the unstructured-lattice FrodoKEM, and the code-based Classic McEliece, rather than concentrating on a single pick. That three-KEM stance is a deliberate hedge against cryptographic monoculture, keeping algorithms that rest on unrelated hard problems inside one standard so that a break in one math family does not take the whole standard down with it.
ISO/IEC 18033 is a standard, not a regulation, so it binds no organization by itself. Its weight comes from being the international-standards reference that procurement, national bodies, and non-U.S. jurisdictions reach for when they want a globally recognized cryptography standard that is not a single country’s national output. For an organization outside the U.S. federal orbit, ISO/IEC 18033 is often the standard a contract or a national scheme actually names.
The short version:
- ISO/IEC 18033 is the ISO/IEC “Encryption algorithms” standard, split into parts, with Part 2 covering asymmetric (public-key) ciphers and key-encapsulation mechanisms.
- The post-quantum work is an amendment to ISO/IEC 18033-2 that adds three KEMs, ML-KEM, FrodoKEM, and Classic McEliece, covering structured-lattice, unstructured-lattice, and code-based foundations.
- The three-KEM breadth is the notable contrast with NIST, which concentrated its primary encryption standard on the single structured-lattice ML-KEM and added the code-based HQC separately as a backup. ISO puts three unrelated foundations in one place, which is a diversity-first posture against monoculture.
- The standardization ran through ISO/IEC JTC 1/SC 27 (the security-techniques subcommittee), tracked under an ISO project that reached the Draft International Standard ballot stage in early 2025, with Classic McEliece reported as standardized in June 2026.
- ISO/IEC 18033 is an international-standards reference, so it is the citation many non-U.S. buyers, national bodies, and certification schemes name, and it lets a client point at a globally recognized standard that is independent of any single government.
Think of NIST as a national committee that picked one main crop and one backup crop for the whole country, and ISO as an international committee that decided to keep three different crops growing in the same field on purpose. Neither is wrong. NIST optimized for a clean, efficient default with a code-based reserve. ISO optimized for the widest possible spread of unrelated foundations, so that whichever one a given jurisdiction or use case needs, the international standard already covers it.
What is ISO/IEC 18033?
ISO/IEC 18033 is the multi-part international standard titled “Information technology, Security techniques, Encryption algorithms,” developed jointly by ISO and the IEC through their shared technical committee for information technology, JTC 1, and specifically its Subcommittee 27 (SC 27) for information security, cybersecurity, and privacy protection. It is the international-standards counterpart to the U.S. FIPS encryption standards, and it specifies the actual algorithms rather than higher-level policy.
- What it standardizes. The 18033 series names approved encryption algorithms and specifies how they work in enough detail for independent, interoperable implementation. Part 2 is the relevant one for the quantum transition, because it covers asymmetric ciphers and key-encapsulation mechanisms, which is the layer Shor’s algorithm breaks.
- Who writes it. It is developed in ISO/IEC JTC 1/SC 27, the same subcommittee responsible for a large share of the world’s information-security standards, through the consensus process that produces International Standards.
- How it differs from a national standard. A national body like NIST, BSI, or ANSSI speaks for one jurisdiction. ISO/IEC 18033 is an international standard produced by a global committee, so it is the reference that national schemes and cross-border contracts reach for when they want a standard that does not belong to one country.
Source: Classic McEliece team, “ISO,” standardization status page, classic.mceliece.org/iso.html; D. J. Bernstein, “McEliece standardization,” April 23, 2025, blog.cr.yp.to/20250423-mceliece.html. [OPERATOR VERIFY the full official title, the current edition, and the part structure of ISO/IEC 18033 against the primary ISO catalogue page (iso.org) before quoting them verbatim in a client deliverable; the ISO catalogue pages returned an access error at verification time, so the descriptive details here are grounded in the Classic McEliece team’s primary standardization page and Bernstein’s project-tracking post rather than read directly from the ISO catalogue.]
What is the ISO/IEC 18033-2 post-quantum amendment?
The post-quantum work is an amendment to ISO/IEC 18033-2, the asymmetric-ciphers part, that adds three post-quantum key-encapsulation mechanisms to the standard. The defining choice is that it standardizes all three at once, each resting on a different mathematical foundation, rather than concentrating on a single winner.
| KEM added | Foundation | Character |
|---|---|---|
| ML-KEM (formerly Kyber) | Structured lattices | The efficient default, the same algorithm NIST standardized in FIPS 203 |
| FrodoKEM | Unstructured (plain) lattices | The conservative lattice option, larger and slower but resting on a more generic assumption |
| Classic McEliece | Error-correcting codes | Very short ciphertexts and a decades-old security record, at the cost of a very large public key, best for static-key use |
Source: D. J. Bernstein, “McEliece standardization,” April 23, 2025, blog.cr.yp.to/20250423-mceliece.html; Classic McEliece team, “ISO,” classic.mceliece.org/iso.html.
- The three foundations are the point. ML-KEM rests on structured lattices, FrodoKEM on unstructured lattices, and Classic McEliece on the hardness of decoding a random-looking error-correcting code. A single cryptanalytic advance against one of those problems leaves the other two standing, which is exactly the monoculture defense written into an international standard.
- The process. The amendment was developed in ISO/IEC JTC 1/SC 27, tracked under an ISO project that entered the standardization pipeline in 2023 and reached the Draft International Standard ballot stage on February 19, 2025. Classic McEliece is reported as standardized in June 2026.
- The status caution. The amendment is the KEM-standardization vehicle, and the exact amendment number and its final publication date are the load-bearing details to confirm against the primary ISO catalogue before citing them precisely.
Source: D. J. Bernstein, “McEliece standardization,” April 23, 2025, blog.cr.yp.to/20250423-mceliece.html (ISO project stages, DIS ballot February 19, 2025). [OPERATOR VERIFY the exact amendment designation (reported in secondary coverage as ISO/IEC 18033-2:2006/Amd 2) and its precise publication date against the primary ISO catalogue page before quoting an amendment number or date to a client; those specifics were read from secondary reporting, not from the ISO catalogue itself, which returned an access error at verification time.]
Why does ISO standardize three KEMs when NIST picked one?
This is the concentration-risk angle, and it is the most useful thing to understand about ISO/IEC 18033’s post-quantum posture. NIST and ISO reached different answers to the same question, and neither is a mistake. They optimized for different things.
- NIST’s approach: one efficient default plus a code-based reserve. NIST made ML-KEM the single primary encryption standard, chosen for its efficiency, and later added the code-based HQC as a separate backup on unrelated math. The result is a clean default with a diversity reserve held in a second document.
- ISO’s approach: three unrelated foundations in one standard. ISO/IEC 18033-2’s amendment puts structured-lattice, unstructured-lattice, and code-based KEMs into a single standard, so a jurisdiction or use case that wants a specific conservative option finds it already covered internationally.
- The monoculture logic. Cryptographic monoculture is the systemic risk of a whole ecosystem depending on one algorithm or one math family, so a single break compromises everything at once. The historical warnings are concrete: the isogeny scheme SIDH/SIKE fell to an ordinary computer in 2022, and the multivariate scheme Rainbow fell on a laptop the same year, both after years of looking solid. Keeping unrelated foundations alive is the defense, and ISO builds that defense into the standard itself.
- The friction with NIST. NIST raised a concern that concurrent standardization risks creating incompatible standards. The counter-argument, made by cryptographers close to the ISO work, is that NIST and ISO already standardized Kyber in parallel between 2023 and 2024 without a real incompatibility problem, so the diversity is worth more than the coordination cost.
Source: D. J. Bernstein, “McEliece standardization,” April 23, 2025, blog.cr.yp.to/20250423-mceliece.html (NIST’s incompatible-standards concern and the parallel-Kyber counter-argument).
The practical read for a migration plan is that the KEM you can point to as internationally standardized may be broader than the single NIST default. If a conservative use case wants an unstructured-lattice or code-based KEM rather than ML-KEM, ISO/IEC 18033-2 is where that choice sits inside a recognized international standard, with a global reach that a single-country national standard cannot match.
Who does ISO/IEC 18033 reach?
ISO/IEC 18033 is a standard, not a mandate, so it reaches organizations through the contracts, national schemes, and certification frameworks that reference it rather than through direct legal force. The audiences fall into three tiers:
- Non-U.S. and cross-border buyers. The primary reason to track it. Many jurisdictions outside the U.S. federal orbit prefer to name an international ISO/IEC standard in procurement and regulation over a foreign national standard, so ISO/IEC 18033 is frequently the standard a contract or tender actually cites.
- National bodies and certification schemes. ISO/IEC standards are commonly adopted or referenced by national standards bodies and by certification schemes, so ISO/IEC 18033-2 becomes the technical baseline for what counts as an approved encryption algorithm in those contexts.
- Vendors selling internationally. A vendor selling cryptographic products into multiple countries benefits from conforming to the international standard, because it lets one implementation satisfy buyers who name ISO/IEC 18033 rather than a specific national standard.
How does ISO/IEC 18033 relate to the other mandates and standards?
ISO/IEC 18033 is the international-standards node that sits alongside the national algorithm standards, and it mostly complements them while taking a broader stance on KEM diversity.
- NIST FIPS suite. FIPS 203 and ISO/IEC 18033-2 both standardize ML-KEM, so the primary algorithm is shared. The difference is that ISO adds FrodoKEM and Classic McEliece into the same standard, where NIST held HQC as a separate backup.
- BSI and ANSSI. Both national bodies keep conservative KEMs like FrodoKEM and Classic McEliece on their recommended lists, which lines up with ISO’s decision to standardize exactly those alternatives internationally.
- Cryptographic monoculture and code-based cryptography. ISO/IEC 18033-2’s three-KEM breadth is the monoculture defense expressed as a standard, and Classic McEliece is the code-based line it keeps alive on foundations unrelated to lattices.
- Crypto-agility. Standardizing several unrelated KEMs only pays off if systems can actually switch between them, which is why crypto-agility is the architecture that makes an ISO-style diversity posture usable rather than theoretical.
Common misconceptions
- “ISO just adopted NIST’s ML-KEM.” ISO/IEC 18033-2’s amendment standardizes ML-KEM and two more KEMs, FrodoKEM and Classic McEliece, on unrelated foundations, so ISO’s post-quantum encryption stance is broader than NIST’s single default.
- “ISO/IEC 18033 is a regulation with a deadline.” It is an international standard, not a mandate. It binds an organization only where a contract, national scheme, or certification framework references it.
- “Three standardized KEMs means three you must deploy.” No. The three are options resting on different math, so a system picks the one that fits its constraints. The value is having unrelated foundations available inside one recognized standard.
- “NIST and ISO standardizing in parallel creates chaos.” NIST raised an incompatibility concern, but the two bodies already standardized Kyber in parallel without a real interoperability problem, and the diversity gained is widely judged worth the coordination cost.
- “Classic McEliece is exotic, so it does not belong in a real standard.” Its security record runs for decades and its ciphertexts are very short. Its drawback is a very large public key, which makes it a strong fit for static-key scenarios, and both ISO and Germany’s BSI treat it as a serious conservative option.
Questions people ask
What is ISO/IEC 18033? It is the international standard for encryption algorithms, developed by ISO and the IEC in JTC 1/SC 27. Part 2 covers asymmetric ciphers and key-encapsulation mechanisms, which is the layer that needs post-quantum replacement, and the post-quantum amendment adds three KEMs to it.
Which post-quantum algorithms does ISO/IEC 18033 standardize? Three key-encapsulation mechanisms on three different foundations, ML-KEM on structured lattices, FrodoKEM on unstructured lattices, and Classic McEliece on error-correcting codes. That breadth is a deliberate hedge against cryptographic monoculture.
Why does ISO standardize three KEMs when NIST picked one? They optimized differently. NIST chose the efficient ML-KEM as its single default and added the code-based HQC separately as a backup. ISO put three unrelated foundations into one standard so that whichever conservative option a jurisdiction needs is already internationally covered.
Is ISO/IEC 18033 binding? No, not on its own. It is a standard rather than a law. It reaches organizations through procurement, national schemes, and certification frameworks that name it, which is common outside the U.S. federal orbit where an international standard is often preferred to a national one.
Should a migration plan care about ISO/IEC 18033 or just NIST? It depends on where you operate and who you sell to. A U.S. federal system tracks NIST. An organization selling internationally, or subject to a non-U.S. national scheme, may find ISO/IEC 18033 is the standard actually named in its contracts, and ISO’s broader KEM set gives more conservative options a recognized international home.
What is the concentration-risk angle here? Cryptographic monoculture is the risk of everything depending on one algorithm or one math family, so one break takes everything down. ISO/IEC 18033-2 standardizes KEMs on three unrelated foundations to keep that risk low, which is the diversity-first counterpart to NIST’s single-default-plus-reserve approach.
Everything here is the map, given freely. When your team needs to know which encryption standard your contracts and jurisdictions actually name, and whether a conservative KEM belongs in your plan, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.