SandboxAQ quantum-resistant encryption algorithm approved by NIST

Company has developed 2 of 5 chosen PQC algorithms

Palo Alto, California-based SandboxAQ has achieved a significant milestone with the National Institute of Standards and Technology (NIST) having officially selected its Hamming Quasi-Cyclic (HQC) algorithm as the fifth algorithm in its suite of post-quantum cryptographic (PQC) standards.

Out of these five algorithms, three will be used for digital signatures, while HQC and ML-KEM will serve as the NIST-approved solutions for ensuring the confidentiality of communications across the internet, cellular networks, payment systems, and other critical infrastructure. ML-KEM has been standardized by NIST as a post-quantum secure key encapsulation mechanism (KEM) that can be used for key establishment between two parties.

The HQC algorithm is a code-based post-quantum encryption scheme that is designed to withstand quantum computing attacks. It is structured around error-correcting codes, particularly leveraging quasi-cyclic codes, to provide secure encryption mechanisms that are resistant to quantum threats.

The selection of HQC represents SandboxAQ’s second major contribution to NIST’s post-quantum standardization effort, and a critical step in the global transition toward quantum-safe encryption, providing robust protection against emerging threats posed by quantum computing advancements.

HQC’s inclusion in NIST’s suite reinforces the necessity of transitioning away from traditional encryption methods such as RSA and elliptic-curve cryptography, which will be rendered obsolete by sufficiently powerful quantum computers.

HQC is a key encapsulation mechanism designed to secure the exchange of encryption keys in a quantum-resistant manner. Unlike conventional public-key encryption systems, HQC is built on the mathematical foundation of error-correcting codes, which are resistant to quantum attacks.

In its final selection report, NIST highlighted HQC’s robust security and its ability to balance computational efficiency with key size, making it a viable option for large-scale deployments. This achievement follows multiple rounds of rigorous cryptanalysis and peer review.

Prior to HQC’s selection, SandboxAQ played a critical role in the development of SPHINCS+, one of the digital signature algorithms included in NIST’s initial set of PQC standards in 2022. With HQC now added to the standardization process, SandboxAQ has contributed to two of the five essential PQC standards, solidifying its leadership in quantum-resistant cybersecurity solutions.

Taher Elgamal, a senior advisor at SandboxAQ and a partner at Evolution Equity Partners, emphasized the significance of HQC’s selection, noting that its foundation in coding theory offers strong theoretical and practical protections against quantum decryption methods. Additionally, HQC’s efficient performance profile makes it suitable for widespread adoption.

“HQC has foundations in coding theory that offer strong theoretical and practical protection against known quantum decryption methods, while its efficient performance profile makes it well-suited to real-world adoption,” said Elgamal, a partner at Evolution Equity Partners and senior advisor at SandboxAQ.

“This is not just a milestone for SandboxAQ, it’s a win for global security in the face of future quantum disruption,” he adds.

Carlos Aguilar Melchor, chief cybersecurity scientist at SandboxAQ, said the development of HQC dates to the 2000s, with critical breakthroughs in the 2010s addressing long-standing challenges in code-based key exchanges. Melchor said HQC is now one of only two protocols securing the confidentiality of global communications, an achievement that speaks to SandboxAQ’s ongoing commitment to shaping the future of cryptography.

“Today, HQC stands as one of only two protocols securing the confidentiality of nearly all global communications,” Melchor said, adding that “we’ve long championed the importance of standardization, and contributing to two of the five NIST PQC standards reflects our commitment to shaping the future of cryptography.”

NIST’s decision to standardize HQC reflects the broader global effort to prepare for the eventual emergence of large-scale quantum computers. Quantum computing poses a fundamental threat to existing encryption methods by enabling adversaries to break widely used cryptographic protocols. NIST has been leading the charge in developing quantum-resistant encryption standards to ensure that sensitive data – including internet traffic, financial transactions, and national security communications – remain secure in a post-quantum world.

Last year, NIST finalized ML-KEM as the primary quantum-resistant encryption standard. HQC now serves as a backup mechanism, ensuring an alternative approach is available should ML-KEM face unforeseen vulnerabilities in the future.

Dustin Moody, head of NIST’s Post-Quantum Cryptography project, reaffirmed the importance of diversifying cryptographic solutions to mitigate emerging threats, emphasizing that organizations should continue migrating to the already established PQC standards while preparing for the eventual deployment of HQC.

Encryption systems rely on complex mathematical problems that are infeasible for conventional computers to solve within a reasonable timeframe. However, quantum computers could rapidly solve these problems using Shor’s algorithm, undermining the security of current encryption methods. ML-KEM and HQC provide quantum-resistant alternatives by leveraging different mathematical principles — ML-KEM is based on structured lattices, whereas HQC relies on error-correcting codes. This diversity in cryptographic approaches is critical for ensuring long-term security in an era of advancing quantum technologies.

HQC’s standardization follows a rigorous selection process conducted by NIST’s Post-Quantum Cryptography project, which has been evaluating quantum-resistant cryptographic solutions since 2016. Alongside HQC, NIST previously selected four other algorithms: ML-KEM for general encryption and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.

ML-KEM is the foundation of FIPS 203, while CRYSTALS-Dilithium and SPHINCS+ are incorporated into FIPS 204 and FIPS 205. A forthcoming standard, FIPS 206, will feature the FALCON digital signature algorithm, rounding out the suite of approved post-quantum cryptographic solutions.

Incorporating HQC into the NIST PQC standards ensures an additional layer of security, addressing potential future cryptanalysis breakthroughs that could weaken existing encryption mechanisms. NIST plans to release a draft standard for HQC in about a year, followed by a 90-day public comment period. The finalized HQC standard is expected to be released in 2027.

HQC, like ML-KEM, operates as a key encapsulation mechanism, facilitating the secure exchange of encryption keys over public networks. NIST has issued draft guidelines for implementing KEMs, detailed in Special Publication 800-227, which outlines best practices for deploying key encapsulation mechanisms in secure environments.

The U.S. Department of Commerce has also emphasized the importance of quantum-resistant encryption in maintaining national and economic security. Deputy Secretary of Commerce Don Graves said the role of quantum technology is shaping the future of cybersecurity, and reaffirmed NIST’s commitment to safeguarding confidential digital information.

Laurie E. Locascio, who left the role of under secretary of commerce for standards and technology and NIST director in January, said proactive measures are essential to mitigate the risks posed by quantum computing advancements.

The finalization of post-quantum encryption standards marks a critical juncture in the evolution of cybersecurity. The threat posed by quantum computing is no longer theoretical; it is an impending reality that requires immediate action. NIST’s selection of HQC, alongside ML-KEM and other PQC standards, provides a strong foundation for securing sensitive data against future threats. NIST has said that organizations need to begin prioritizing the integration of quantum-resistant encryption protocols to ensure long-term data security.
