Classic McEliece: What the ISO Adoption Means for Post-Quantum Cryptography

A 47-year-old encryption scheme originally published in 1978 by Robert McEliece has just been adopted as an international standard by the ISO, marking a significant milestone in the global transition to quantum-resistant cryptography. Classic McEliece, a code-based cryptosystem, is now poised to protect data against future quantum computer attacks alongside standards from NIST and other bodies .

But how does this decades-old algorithm work, what makes it different from the RSA that secures much of today's internet, and which governments are already requiring its use?

The ISO Adoption of Classic McEliece

The International Organization for Standardization (ISO) has selected Classic McEliece as a new international standard for high-security cryptography, according to the Okinawa Institute of Science and Technology (OIST), whose Professor Carlos Cid contributed to the algorithm . The standard is being incorporated into ISO/IEC 18033-2 alongside other post-quantum key encapsulation mechanisms (KEMs) such as FrodoKEM and ML-KEM .

This ISO standardization is notable because NIST, in its 2025 selection of HQC over Classic McEliece as an additional code-based KEM, explicitly noted that it did not want to risk creating incompatible standards by standardizing alongside ISO. NIST stated it "may consider developing a standard for Classic McEliece based on the ISO standard" once the ISO process completes .

Code-Based Cryptography vs. RSA: The Core Difference

The fundamental difference between Classic McEliece and RSA lies in the mathematical problem each relies on for security. RSA and its contemporaries (Diffie-Hellman, elliptic-curve cryptography) are based on number-theoretic problems like integer factorization and discrete logarithms — precisely the kind of problems that Shor's algorithm running on a sufficiently large quantum computer could efficiently solve .

Classic McEliece belongs to a different family: code-based cryptography. Its security rests on the hardness of decoding a general linear code, a problem that has been studied for decades and remains hard even for quantum computers . The algorithm works as follows:

• The public key specifies a random binary Goppa code, a special class of error-correcting code .
• To encrypt, the sender encodes the plaintext as a codeword and intentionally adds random errors .
• The private key, which includes knowledge of the code's structure, allows efficient decoding — that is, identifying and removing the errors to recover the original message .

Key Tradeoffs at a Glance

Aspect	Classic McEliece (Code-Based)	RSA (Number-Theoretic)
Hard problem	Decoding a general linear code (NP-hard)	Integer factorization
Core mechanism	Encoding plaintext as codewords from Goppa codes with added errors	Modular exponentiation with public/private exponents
Quantum vulnerability	Not vulnerable to Shor's algorithm; studied as post-quantum approach	Vulnerable; targeted by post-quantum migration efforts
Public key size	Very large: roughly 260 KB to 1 MB for NIST parameter sets	Much smaller (typically 2048-4096 bits in current use)
Ciphertext size	Small — one of its noted advantages	Tied to RSA modulus size
Performance	Fast encapsulation/decapsulation, slow key generation	Widely deployed, but no direct comparison in sources

A Security Track Record Unmatched by RSA

While both algorithms date from the late 1970s, their security track records could not be more different. The McEliece system's design rationale notes that "RSA has suffered dramatic security losses, while the McEliece system has maintained a spectacular security track record unmatched by any other proposals for post-quantum encryption" . Classic McEliece is described as "the paramount conservative code-based encryption scheme" relying on a "minimal, well-studied security assumption" .

Government and Industry Backing

German Federal Office for Information Security (BSI)

The BSI has been recommending Classic McEliece since March 2020 as part of its Technical Guideline TR-02102-1, deeming the algorithm "cryptographically suitable for long-term confidentiality protection" when used with appropriate security parameters . The BSI's 2026 recommendation includes specific parameter sets such as mceliece460896, mceliece6688128, and mceliece8192128 . The BSI has also described Classic McEliece as one of the "most conservative choices from the BSI's point of view" .

Industry sources also confirm BSI's endorsement: the Botan cryptography library documents that "Classic McEliece is endorsed by the German Federal Office for Information Security (BSI) for its conservative security assumptions" .

NIST's Position (Caution)

NIST considered Classic McEliece as a Round 4 candidate in its Post-Quantum Cryptography project . However, in March 2025, NIST selected HQC instead as the additional code-based KEM for standardization . NIST's stated reasons: "Although it is widely regarded as secure, NIST does not yet anticipate it being widely used because of its large public key size" and cited "limited interest" .

Nevertheless, NIST materials acknowledge Classic McEliece's strengths, noting that it offers "small ciphertext sizes, fast encapsulation/decapsulation" and that one NIST presenter described it as "the best option for protecting various other keys" .

Industry Deployment

The Classic McEliece home page notes that the algorithm has "already seen significant deployment" . BSI's approach requires hybrid solutions (PQC plus classical) for post-quantum applications, a model that may influence how Classic McEliece gets deployed in practice .

What This Means for the Post-Quantum Transition

Classic McEliece's ISO adoption creates a second international standard path alongside NIST's PQC standards. While NIST selected HQC for its code-based KEM portfolio, the ISO path means Classic McEliece will have formal international recognition that could drive adoption in jurisdictions that follow ISO standards, particularly in Europe where BSI has been recommending it since 2020.

The key practical barrier remains public key size — roughly 260 KB to 1 MB depending on the security level . That is orders of magnitude larger than RSA keys typically used today, making Classic McEliece impractical for many common use cases. However, its small ciphertexts and fast encapsulation/decapsulation performance make it attractive for applications where public key size is less constrained .

The Bottom Line

Classic McEliece is now an ISO standard, backed by the BSI and respected by NIST. Its code-based architecture offers a fundamentally different — and arguably more conservative — security model than RSA, at the cost of very large public keys. For organizations planning a post-quantum migration, Classic McEliece represents a high-security option, particularly for long-term data protection where key size is not the primary constraint.