ISO Standardizes Classic McEliece for Quantum-Resistant Encryption

Insider Brief
- Post-Quantum’s Classic McEliece algorithm has been included in the ISO/IEC 18033-2 standard for asymmetric ciphers, supporting broader adoption of the post-quantum cryptography scheme.
- The code-based cryptographic algorithm, originally developed by Post-Quantum and cryptographers, is designed to protect communications and sensitive data against future quantum computer attacks.
- The ISO standardization follows demonstrations of Classic McEliece in applications including quantum-safe communications, connected devices, and airborne drone systems.
Press release – It’s proven that today’s encryption is vulnerable to attack by a sufficiently mature quantum computer running Shor’s algorithm – a catastrophic event commonly known as Q-Day. Even before such a cryptographically relevant quantum computer emerges it is known that adversaries are stealing encrypted data now, which can be decrypted later – also known as Harvest Now, Decrypt Later (HNDL).
Google’s recent use of Artificial Intelligence (AI) to optimise Shor’s algorithm reduces the number of physical qubits required to break today’s encryption, therefore shortening the timeline to Q-Day. This has led prominent experts to estimate today’s encryption may be broken as-soon-as the next three years.
It’s against this backdrop that the International Organisation for Standardisation (ISO) has included the Classic McEliece algorithm as part of its standard for Asymmetric Ciphers (ISO/IEC 18033-2). Organisations from ISO’s 177 member states can now upgrade to Classic McEliece using an international standard that supports interoperability and robust implementation.
Available on an open source basis, Classic McEliece* was pioneered by the team at UK cyber security company Post-Quantum in collaboration with prominent cryptographers. The algorithm uses error correcting codes to build on Professor Robert McEliece’s cryptosystem, originally invented in 1978, providing an ultra-secure code-based option to protect communications in the quantum era.
Recommended by nation states, including Germany’s BSI and its Dutch counterpart and recognised by the crypto community as the most secure PQC algorithm available, Classic McEliece has a wide range of applications, including:
- Forming the backbone of quantum-safe Virtual Private Networks to secure communications between users and infrastructure, like data centres
- Protecting data-in-transit with a long shelf life, such as healthcare data, intellectual property or government secrets
- Securing mobile messaging applications to prevent interception
- Securing connected devices (e.g. drones) to prevent interception
- Securing identity systems to ensure credentials like passwords or biometric identifiers cannot be intercepted and compromised.
Through its partnership with Czech defence manufacturer STV Group, Post-Quantum recently demonstrated the first airborne deployment of Classic McEliece. The programme resulted in the world’s first battlefield-ready quantum-safe drones operating in the most challenging DDIL (Denied, Degraded, Intermittent, or Limited) environments. The drones were successfully tested at STV’s weapons facility – dispelling the myth that the algorithm’s large keysize is impractical for real-world deployment.
Rikky Hasan, CEO at Post-Quantum, commented: “Every major organisation should now have progressed beyond planning to active implementation of quantum-safe encryption. ISO standardisation means Classic McEliece can be implemented more easily and consistently by governments and enterprises across the world. The cryptographic community has attacked the McEliece system without success since the 1970’s and Classic McEliece offers the highest security assurance of any post quantum algorithm available today. Our own work for NATO and STV demonstrates the algorithm’s viability for a wide range of use cases.”
ISO’s decision to standardise Classic McEliece required a successful vote of independent technical experts drawn from ISO’s member states.
Hasan added: “ISO’s standardisation demonstrates the technical community’s belief in Classic McEliece and its suitability for securing communications from attack by quantum computers.”
Founded in 2009, Post-Quantum was the first company with the sole focus to develop and promote post-quantum cryptography (PQC). Specialists in high-grade cybersecurity and encryption innovation, the company works for various secure areas of banks, defence organisations, and governments. The company’s quantum-safe VPN has been successfully tested by NATO and its technology is licensed by defence group STV to secure communications between drones and their operators.
