So a 1978 cryptosystem just quietly became an international standard, and most of us missed it. On July 15, UK firm Post-Quantum announced that Classic McEliece is now part of ISO/IEC 18033-2, making it the first post-quantum algorithm to clear full ISO standardization. That's the headline, and it's real. Here's the part the press release skips over: this doesn't make McEliece your new TLS default. NIST already picked something else for that (ML-KEM), and McEliece hauls around a public key that can run past a megabyte. We've been tracking the post-quantum shift for a while, and this one is genuinely interesting, just not for the reason the announcement implies. It's a standard built for a specific job, not a drop-in for everything.
The short answer
On July 15, Post-Quantum announced Classic McEliece is now part of ISO/IEC 18033-2, the first post-quantum algorithm to clear full ISO standardization. It’s a real milestone. It is not, however, your new TLS default: NIST already picked ML-KEM for that, and McEliece carries a public key that can pass a megabyte. Think long-lived, static keys, not handshakes.
What actually got standardized
Here’s the plain version. ISO/IEC 18033-2 is the international standard for asymmetric ciphers, and it now includes Classic McEliece. The UK firm Post-Quantum, which drove the algorithm’s design alongside a group of cryptographers, announced it on July 15. They’re right to call it a first: no post-quantum algorithm had reached ISO standardization before this.
Classic McEliece is a KEM, a key-encapsulation mechanism. It’s the machinery two parties use to agree on a shared secret so they can then encrypt traffic with something fast. What makes it unusual is its age. The core idea comes from a 1978 paper by Robert McEliece, and in close to fifty years nobody has found a practical break, quantum or classical. That track record is the entire pitch. Germany’s BSI and the Dutch NCSC have both recommended it for exactly that reason: it’s boring, and boring is what you want in cryptography.
One thing to keep straight, because the coverage kept blurring it. ISO is not NIST. This standardization sits next to, not on top of, NIST’s own post-quantum work. NIST already chose a different KEM as its primary answer, and that choice still stands.
The catch is the key size
This is the honest catch, and it’s a large one. McEliece is secure. It’s also enormous where it hurts.
NIST’s own read on McEliece is a two-liner: smallest ciphertexts, largest public keys. Both halves matter. The smallest McEliece parameter set, mceliece348864, has a public key of 261,120 bytes, roughly 255 KB. Step up to mceliece6688128 and it’s 1,044,992 bytes, over a megabyte. Compare that to ML-KEM-768, NIST’s standard for general use, whose public key is 1,184 bytes. That’s about a thousand-fold difference.
The flip side is real too. McEliece ciphertexts are tiny, on the order of a couple hundred bytes, while ML-KEM-768 sends 1,088 bytes per ciphertext. So the shape of the tradeoff is clear once you see it. McEliece is brutal on the key you publish and gentle on every message after. That’s a terrible profile for a TLS handshake, where the server ships its key on every connection, and a fine one when the key gets installed once and sits there for years.
So who is this actually for
Not your web server. For TLS and everyday key exchange, the answer is still ML-KEM, which NIST standardized as FIPS 203 and which your browser probably negotiated already today without telling you. If you want the signature side of this same story, we wrote up why ML-DSA is the post-quantum signature to ship.
Where McEliece earns its place is the long game. The threat everyone’s actually planning around is “harvest now, decrypt later”: an adversary records your encrypted traffic today and cracks it once a quantum computer exists. For data with a long shelf life (medical records, intellectual property, state secrets), the confidentiality has to survive decades, and a conservative algorithm nobody has dented since 1978 is an easy thing to justify to a risk committee. That’s the pitch for quantum-safe VPNs, stored data, and identity systems built to outlive the hardware they run on.
Post-Quantum also leaned on a concrete demo to answer the “keys are too big” objection. Working with the Czech defense manufacturer STV Group, they showed Classic McEliece running on drones in communication-denied environments, edge hardware where you’d assume a megabyte key would be a non-starter. It ran. That doesn’t make a 1 MB key free, but it does puncture the idea that it’s automatically impractical.
What this means for you
Probably nothing you touch this week. If you run web services, keep letting ML-KEM do its job and treat this as good background news, not a to-do. If you work anywhere data has to stay secret for ten or twenty years, or you build for constrained, long-lived systems, this is worth a real look, because now there’s an international standard behind it and a couple of national agencies pointing the same way.
The one trap to avoid is reading “first ISO post-quantum standard” as “the winner.” It isn’t a ranking. It’s one more tool getting a spec, aimed at a narrow, important slice of the problem. If you want to sanity-check what your own endpoints negotiate today, our SSL Certificate Checker reads back the chain and expiry, and the TLS 1.2 versus TLS 1.3 breakdown covers the handshake all of this eventually has to fit inside.
The honest read
An ISO stamp on a 1978 algorithm is a genuinely nice milestone, and it’s also easy to oversell. McEliece isn’t replacing ML-KEM, and the megabyte public key is a real constraint that a single drone demo doesn’t erase. What the standard does is give the people who need paranoid, long-horizon confidentiality a recognized way to deploy the most conservative option on the board. That’s a smaller story than the headline, and a more useful one. Watch whether TLS-facing libraries and hardware vendors actually pick it up for those niche cases. That’s the signal that this graduates from press release to something you’d deploy.
Sources: Post-Quantum’s announcement via Quantum Computing Report and The Quantum Insider (both July 15, 2026); public key and ciphertext sizes from the Classic McEliece parameter sets; ML-KEM sizes and NIST’s status from FIPS 203 and NIST’s fourth-round report. The BSI and Dutch NCSC recommendations and the STV Group drone demonstration are as reported by Post-Quantum.
Frequently asked questions
What is Classic McEliece?
Classic McEliece is a code-based key-encapsulation mechanism (KEM), a way to agree on a shared secret over an insecure channel. It builds directly on a cryptosystem Robert McEliece published in 1978, which has resisted attack for close to fifty years, including from quantum algorithms. It uses error-correcting codes rather than the lattice math behind ML-KEM. Its defining trait is a very large public key paired with a very small ciphertext.
What does the ISO/IEC 18033-2 standardization actually mean?
It means Classic McEliece now has an internationally recognized specification for how it should be implemented, which helps different vendors interoperate and gives risk-averse buyers (governments, defense, healthcare) a standard to point to. It was standardized under ISO/IEC 18033-2, the standard for asymmetric ciphers, in 2026, and announced on July 15, 2026. It is the first post-quantum algorithm to reach that milestone. ISO standardization is separate from NIST standardization, so this does not override NIST FIPS 203.
Should I switch my TLS certificates or key exchange to Classic McEliece?
Almost certainly not. For TLS and most everyday key exchange, NIST already standardized ML-KEM as FIPS 203, and modern browsers and servers negotiate it already. McEliece public keys are enormous (from about 255 KB up past 1 MB), which is a poor fit for a handshake that ships the key every time. McEliece makes more sense where a public key is distributed once and lives a long time.
Why does Classic McEliece have such large keys?
The security comes from the difficulty of decoding a random-looking linear code, and the public key is essentially a big matrix describing that code. That matrix is what makes the key large: the smallest parameter set, mceliece348864, has a 261,120-byte public key, and mceliece6688128 is 1,044,992 bytes. The upside is that the ciphertext stays tiny, on the order of a couple hundred bytes, which is smaller than ML-KEM.
Is Classic McEliece a NIST-approved standard too?
Not as a primary standard. NIST selected ML-KEM (from CRYSTALS-Kyber) as its main post-quantum KEM in FIPS 203. Classic McEliece was carried into the NIST fourth round as a candidate that NIST rates highly on security but flags for its large public keys. So as of now it is an ISO standard, not a NIST FIPS one, and the two decisions were made by different bodies for different reasons.