Classic McEliece Secures ISO/IEC 18033-2 for Quantum-Safe Encryption

Classic McEliece has been incorporated into the ISO/IEC 18033-2 standard through its 2026 amendment, establishing the first global ISO approval for a post-quantum cryptography algorithm. This step allows organizations in ISO member states to reference a common specification for code-based encryption that addresses quantum computing risks to long-shelf-life data.
The announcement dated July 15, 2026, integrates specific parameter sets into the asymmetric ciphers section of the standard. It builds on prior national endorsements and supports consistent implementation for sectors handling sensitive records over extended periods.
ISO Standardization Milestone
The inclusion of Classic McEliece in the ISO/IEC 18033-2 amendment marks a key interoperability milestone for post-quantum cryptography. Organizations can now reference an international standard when implementing code-based encryption to protect data against quantum threats over long periods.
The amendment adds the algorithm to the asymmetric ciphers category, with the Classic McEliece team site providing confirmation of the parameter sets as of June 2026. The July 15 announcement from Post-Quantum brought wider attention to this development across the industry.
Criteria for using this standard involve situations where global consistency is required, such as in international supply chains or multi-jurisdictional data storage. It is particularly relevant for entities that need to demonstrate adherence to recognized international specifications.
A limitation is the requirement to purchase the full ISO document for complete details, as public pages only confirm the amendment's existence and included parameters. Typical mistakes include assuming that the standard replaces all other PQC approaches or that it is the only algorithm added in the amendment.
In a conditional example, a company managing intellectual property across 177 ISO member states might adopt the standardized parameters to facilitate secure data exchange with partners in different countries. This ensures that encryption methods are compatible without custom adaptations.
Verification of dates is important because the team documentation lists June 2026 while the public announcement is July 2026, and overlooking this can lead to inaccurate project planning.
The standardization enables broader adoption by providing a verified baseline that can be referenced in contracts and regulatory discussions across borders. This reduces the potential for disputes over the acceptability of specific encryption methods in international contexts.
Algorithm Background and Mechanism
Classic McEliece is based on the 1978 Goppa code-based cryptosystem, which provides a conservative security foundation rooted in established coding theory. The mechanism involves generating public keys from Goppa codes and inserting random errors during the encryption process to obscure the original message.
This approach results in ciphertexts that remain under 208 bytes in size, while allowing the public key to be reused across multiple encryptions. Public key sizes, however, range from hundreds of kilobytes to more than one megabyte depending on the selected parameters.
Choice criteria include scenarios where small ciphertext sizes are critical for transmission efficiency and where key reusability simplifies protocol design. The algorithm suits applications that prioritize long-term security based on the difficulty of decoding random linear codes.
Limitations encompass the larger public key sizes that may strain storage and distribution in environments with limited resources. A typical mistake is underestimating the computational requirements for key generation and decryption on certain hardware platforms.
In a conditional example, a research institution archiving scientific data might select this algorithm for its small ciphertext advantage when sending encrypted files over networks with bandwidth constraints. The reusable keys reduce the need for frequent key exchanges in such setups.
Another error to avoid is selecting parameters without matching them to the required security level, which could compromise the intended protection duration.
The conservative nature of the code-based method means it relies on decades of research into error-correcting codes rather than newer mathematical assumptions. This history contributes to its inclusion in national recommendations for high-value data protection.
Standardized Parameter Sets

The ISO standard includes four main Classic McEliece parameter sets along with their variants: mceliece460896, mceliece6688128, mceliece6960119, and mceliece8192128. These sets specify different code parameters that determine the security level and performance characteristics.
The team recommends the mceliece6* sizes for applications demanding long-term security guarantees. Each set offers a different balance between key size, ciphertext size, and the number of errors the code can correct.
Criteria for selection involve matching the parameter set to the expected threat model and the duration for which data must remain protected. Organizations should review the security levels associated with each set before implementation.
Limitations include the need to test performance on target hardware, as larger parameters increase computational demands during operations. A common mistake is using smaller parameter sets for high-security needs, leading to insufficient protection against advanced attacks.
In a conditional example, an organization protecting healthcare records for 50 years or more could choose mceliece6960119 to achieve the recommended security margin. This selection would be based on the team's guidance for extended confidentiality periods.
Failure to consult the primary documentation for the exact variants included in the standard can result in using non-standardized configurations that lack official approval.
Implementers must also consider how each parameter set interacts with existing hardware accelerators for code-based operations to avoid unexpected bottlenecks in processing speed.
National Body Recommendations
Germany’s BSI recommends Classic McEliece with parameters such as mceliece460896 and larger for long-term confidentiality protection, often in hybrid configurations with classical algorithms. This endorsement appears in the BSI TR-02102-1 guidelines for cryptographic procedures.
The Dutch NCSC has also endorsed the algorithm for protecting data with long retention requirements, including healthcare records and intellectual property. These recommendations predate the ISO announcement and focus on hybrid use during the transition to post-quantum methods.
Criteria for following these recommendations include the presence of data that requires protection against both current and future quantum threats. Organizations in these jurisdictions should prioritize hybrid modes to maintain security.
Limitations involve the fact that these are national guidelines rather than mandatory standards, and they may be updated as new information emerges. A typical mistake is implementing the algorithm without the hybrid component, which could expose systems during the migration phase.
In a conditional example, a European healthcare provider might follow the BSI guidelines when updating their archival encryption to include Classic McEliece alongside existing methods. This would help safeguard patient data against potential quantum decryption in the future.
Overlooking the date of the guidelines, which is January 2026 for the BSI document, might lead to using outdated parameter advice if newer versions become available.
Organizations outside these countries can still reference the endorsements as examples of rigorous national evaluation when building their own risk assessments for long-shelf-life data.
Context Within Broader PQC Standardization
FrodoKEM is also included in the same ISO/IEC 18033-2:2006/Amd 2:2026 amendment, providing a lattice-based option alongside the code-based Classic McEliece. This means the standard offers two distinct post-quantum algorithms rather than a single choice.
The ISO process operates independently from NIST efforts, which have standardized other algorithms such as ML-KEM. The code-based approach offers different performance trade-offs compared to lattice-based methods in terms of key and ciphertext sizes.
Criteria for considering this context include the need to evaluate multiple algorithms for specific use cases within an organization. National bodies continue to assess various options for different applications.
Limitations arise from the fact that the ISO inclusion does not supersede national recommendations or NIST standards. A common mistake is assuming that ISO standardization eliminates the need to monitor other standardization bodies for complementary or alternative algorithms.
In a conditional example, a technology firm developing global products might evaluate both Classic McEliece and FrodoKEM from the same amendment to select the best fit for different components of their system. This dual availability supports more flexible security architectures.
Ignoring the parallel standardization can lead to incomplete assessments of available quantum-safe options in the international framework.
Continued monitoring of updates from both ISO and national bodies remains necessary because standardization efforts evolve based on new cryptanalysis and implementation feedback.
Implications for Adoption

The global ISO status facilitates interoperability for organizations operating across the 177 member states by providing a common reference for code-based encryption. This is particularly beneficial for sectors like healthcare and intellectual property that require long-term data protection.
Adoption can occur through hybrid deployments that combine the algorithm with classical methods to ensure security during the transition period. The small ciphertext size supports efficient data transmission even when public keys are larger.
Criteria for adoption include the presence of long-shelf-life data and the need for international consistency in security practices. Organizations should assess their infrastructure compatibility before proceeding.
Limitations include the larger public key sizes that may require additional storage and distribution planning. A typical mistake is expecting immediate widespread vendor support without verifying implementation availability in commercial products.
In a conditional example, an international research consortium could reference the ISO standard when establishing shared encrypted databases to protect sensitive findings for decades. This approach would promote consistent security across participating institutions.
Another error is neglecting to plan for key management challenges associated with the larger public keys in distributed systems.
The status also supports procurement processes by offering a recognized benchmark that vendors can reference when certifying their solutions for quantum resistance.
Technical Trade-offs and Considerations
Classic McEliece provides small ciphertexts under 208 bytes and supports reusable public keys, which are advantages in bandwidth-sensitive and protocol-simple scenarios. However, the public keys are significantly larger than those of many lattice-based alternatives, affecting storage and initial distribution.
The conservative security profile based on Goppa codes offers a different risk profile compared to newer constructions. Performance during encryption and decryption depends on the chosen parameter set and the hardware environment.
Criteria for weighing these trade-offs involve prioritizing ciphertext size and key reusability over public key compactness. Organizations with limited bandwidth but ample storage may find the algorithm suitable.
Limitations include the need for thorough testing on target platforms to ensure acceptable performance levels. A common mistake is selecting the algorithm solely based on its ISO status without evaluating the specific size and speed implications for the use case.
In a conditional example, a logistics company transmitting encrypted tracking data over constrained networks might benefit from the small ciphertexts while managing the larger keys through centralized key servers. This balances the trade-offs in their operational environment.
Failure to account for the key size in system design can result in unexpected increases in memory usage or transmission overhead during key exchange phases.
Hardware acceleration options for code-based operations should be evaluated early because they can mitigate some performance drawbacks associated with larger parameters.
Practical Next Steps
Organizations should begin by obtaining the amendment details from authorized ISO channels and cross-referencing them with national guidelines such as the BSI technical report. Parameter selection should follow the team's recommendation for mceliece6* sets when long-term security is the priority.
Initial implementations can start with pilot projects that use hybrid configurations combining Classic McEliece with established classical algorithms. This approach allows for gradual integration while maintaining current security levels.
Criteria for progressing include having identified data sets with extended retention needs and confirming infrastructure readiness for the key sizes involved. Regular monitoring of updates from primary sources is essential.
Limitations involve the evolving nature of post-quantum recommendations, which may require adjustments as more implementation experience is gained. A typical mistake is rushing to full deployment without adequate pilot testing and performance validation.
In a conditional example, a government agency could initiate a small-scale pilot in one department to test the standardized parameters before expanding to agency-wide systems protecting archival records. This step-by-step method reduces risks associated with large-scale changes.
Continued review of the Classic McEliece team site and relevant national body publications ensures that implementations remain aligned with the latest verified information.
Final validation should include compatibility checks with existing key management systems to prevent integration issues during the rollout phase.
Subscribe to our newsletter
Get the latest Web3, AI, and crypto news delivered straight to your inbox.