Kai Ole Hartwig
6 min read
By

Classic McEliece becomes an ISO standard: a 1978 cryptosystem gets a global norm for post-quantum encryption

15/16 July 2026. ISO has added Classic McEliece — a code-based cryptosystem developed by Robert McEliece in 1978 — to ISO/IEC 18033-2 (Asymmetric Ciphers), with 16 parameter sets across four security levels. The standardization effort was driven by the company Post-Quantum together with cryptographers. What matters more than the headline is the context: at NIST, Classic McEliece remains only a fourth-round post-quantum candidate, not a selected standard — that's still ML-KEM (Kyber). And McEliece's well-known practical trade-off doesn't change with the ISO norm: very large public keys paired with very small ciphertexts, which makes it less suited to classic TLS handshakes than to scenarios with pre-distributed, long-lived keys.

What happened

The International Organization for Standardization (ISO) added Classic McEliece to ISO/IEC 18033-2, the standard for asymmetric ciphers, following successful technical expert voting among its 177 member states; per classic.mceliece.org, publication dates to June 2026, with broader press coverage starting 15 July 2026. The standard covers 16 parameter sets across four security levels (including mceliece460896, mceliece6688128, mceliece6960119, mceliece8192128, each with four variants). Per classic.mceliece.org, the Classic McEliece team itself recommends the mceliece6* sizes for long-term security; the original draft proposed only the 6* and 8* parameter sets, but ISO decided to also include the smaller 4* sets.

Classic McEliece itself is not a new scheme: it builds on Robert McEliece's 1978 cryptosystem, which uses the hardness of decoding general linear codes (specifically Goppa codes) as its security basis — a structurally different security approach from the lattice-based cryptography underlying ML-KEM/Kyber. The current standardization effort was developed and driven by the UK-based company Post-Quantum together with cryptographers; CEO Rikky Hasan is quoted saying ISO standardization makes Classic McEliece “easier and more consistent to implement.”

Assessment

Two caveats matter here, because the coverage — which visibly builds on a press release from the company Post-Quantum — tends to blur rather than emphasize them. First: ISO standardization is not the same as NIST selection. Classic McEliece has run at NIST since the third round as one of several fourth-round candidates for key-establishment mechanisms (KEMs), alongside BIKE and HQC — NIST has not elevated it to a standard so far. The KEM already standardized by NIST and recommended by BSI as the near-term default for broad practice remains ML-KEM (formerly CRYSTALS-Kyber). Second: the claim circulating in press coverage that Classic McEliece is “the most secure PQC algorithm available” and is “recommended by the German BSI” could not be confirmed at that level of specificity when we checked BSI's own post-quantum cryptography pages — BSI lists Classic McEliece there as one of three code-based candidates in NIST's ongoing process, without singling it out as its own recommendation. These statements should therefore be read as the vendor's framing, not as independently confirmed fact.

What remains unchanged is McEliece's well-known practical trade-off: very large public keys (several hundred kilobytes, depending on the parameter set) paired with very small ciphertexts — the opposite profile from ML-KEM/Kyber, which offers compact keys and ciphertexts suited to frequent handshakes. That's exactly why McEliece tends to be discussed in practice for scenarios with once-distributed, long-lived keys (device identities, VPN configurations) rather than for classic, handshake-heavy TLS connection setup on the web.

Significance for mid-market organisations

For most organisations, this news creates no immediate pressure to act. If you're rolling out post-quantum cryptography today — for instance hybrid key agreement with X25519MLKEM768 for TLS — stick with that already NIST-standardized, broadly supported path; the ISO norm for Classic McEliece changes nothing about that. McEliece becomes more relevant for niche cases: where a once-distributed, long-lived public key is already in use — for example device provisioning or VPN configurations with infrequent key rotation — it can be worth taking a look at Classic McEliece once mature, independently audited implementations are available in common toolchains. Until then: crypto-agility (the ability to swap algorithms without major effort) remains more important than committing to a specific PQC algorithm in advance.

Significance for technical development

What's technically interesting is less the individual norm than the diversification effect: with Classic McEliece, a second, structurally entirely different PQC approach (code-based rather than lattice-based) gets broad international standardization. That reduces the risk of a single point of failure in post-quantum cryptography — should an unexpected weakness show up in lattice-based assumptions, a structurally independent replacement candidate exists in code-based schemes. The security assumption tracing back to McEliece's 1978 Goppa-code approach, intensively cryptanalyzed for decades, is seen by many cryptographers as grounds for particular confidence — in contrast to the comparatively younger lattice-based assumptions behind ML-KEM. That ISO chose to also include the smaller mceliece4* parameter sets, in addition to the originally proposed large ones, suggests an attempt to make the scheme practical for more deployment scenarios — though it doesn't change the fundamental key-size characteristics.

Concrete recommendation

First, don't change course because of this news: the path relevant for TLS and most practical cases, already standardized by NIST, remains ML-KEM/Kyber, ideally hybridized with a classical scheme (e.g. X25519MLKEM768). Second, check marketing claims like “most secure PQC algorithm” or blanket references to agency endorsements against primary sources (NIST, BSI) before adopting them in your own communications, rather than repeating press phrasing unchecked. Third, keep Classic McEliece on your watch list if your architecture has scenarios with long-lived, once-distributed public keys (device identities, VPN provisioning) — worth reassessing once mature libraries and implementation audits are available. Fourth, generally work toward crypto-agility in your own platform, so that a later switch or the addition of a second PQC algorithm is a configuration change, not an architecture project.

Sources

The press coverage of the ISO standardization visibly traces back to a press release from the company Post-Quantum (distributed via Businesswire, among others); claims about “comparative security” and “agency endorsement” originate from that source and could not be independently confirmed at that level of specificity — they are framed cautiously above accordingly.

About the author

[Translate to English:] Foto von Kai Ole Hartwig.

Kai Ole Hartwig

Freelance DevSecOps consultant · OnlyOle Consulting

Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.