The NIST post-quantum cryptography competition evaluated 82 candidate algorithms over eight years. The finalists and alternatives represent fundamentally different mathematical approaches to quantum-resistant security. Understanding the trade-offs between these approaches is essential for informed algorithm selection.
This article compares the two most widely deployed approaches for key encapsulation: CRYSTALS-Kyber (now standardised as ML-KEM in FIPS 203) — the lattice-based approach — and McEliece (Classic McEliece, a NIST alternate candidate) — the code-based approach. I'll also briefly cover NTRU (now FALCON/FN-DSA) and BIKE (code-based).
ML-KEM is built on the Module Learning With Errors (MLWE) problem over polynomial rings. It is NIST's selected standard for key encapsulation and is fast, with compact keys and ciphertexts.
Classic McEliece is built on the hardness of decoding random linear codes, specifically variants of the syndrome decoding problem. Robert McEliece proposed code-based public-key encryption in 1978, making it one of the oldest public-key cryptographic systems. Classic McEliece is a NIST alternate for key encapsulation (selected for standardisation but not the primary recommendation due to large key sizes).
Robert McEliece's 1978 scheme uses Goppa codes — a class of algebraic codes with efficient decoding algorithms. The public key is a disguised generator matrix of a Goppa code; decryption uses the trapdoor knowledge of the code's structure.
The syndrome decoding problem: Given a parity check matrix H and a syndrome s = Hv mod 2, find a low-weight vector v such that Hv = s. This is NP-hard in general and believed to be hard even for quantum computers.
Classic McEliece's security relies on:
Nearly 50 years of cryptanalysis have produced no practical attacks. The best known quantum attack (using Grover search to speed up information set decoding) reduces security from O(2^n) to O(2^(n/2)), but the parameter choices in Classic McEliece (code length 6960 or 8192) maintain strong security even under this quadratic speedup.
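The syndrome decoding problem described above, worked on a toy instance (an added example, not code from the original article). The [7,4] Hamming parity-check matrix and the function names are constructed for illustration; `candidates_log2` counts naive enumeration candidates only and is not a security estimate, since information set decoding is far cheaper than enumeration.

```python
from itertools import combinations
from math import comb

# Constructed toy input: parity-check matrix of the [7,4] Hamming code.
# Column j (1-based) is the binary expansion of j, so every nonzero
# syndrome is matched by exactly one weight-1 vector.
H = [
    [0, 0, 0, 1, 1, 1, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0, 1],
]

def syndrome(H, v):
    """Return s = Hv mod 2 as a tuple of bits."""
    return tuple(sum(h * x for h, x in zip(row, v)) % 2 for row in H)

def decode_by_enumeration(H, s, max_weight):
    """Try every vector of weight <= max_weight, lightest first.

    Returns the first v with Hv = s, or None. This is the generic search
    left to someone without the trapdoor; its cost grows with the number
    of candidate supports, the sum of C(n, w) over the weights tried.
    """
    n = len(H[0])
    for w in range(max_weight + 1):
        for support in combinations(range(n), w):
            v = [1 if i in support else 0 for i in range(n)]
            if syndrome(H, v) == tuple(s):
                return v
    return None

def candidates_log2(n, t):
    """floor(log2) of the number of weight-t vectors of length n."""
    return comb(n, t).bit_length() - 1

if __name__ == "__main__":
    e = [0, 0, 0, 0, 1, 0, 0]            # constructed weight-1 error
    s = syndrome(H, e)
    print(s, decode_by_enumeration(H, s, 1))
    # n = 6960 and t = 119 are the parameters encoded in the variant
    # name 6960119; the count covers naive enumeration only.
    print(candidates_log2(6960, 119))
```

A weight-2 input such as `[1, 1, 0, 0, 0, 0, 0]` decodes to a different, lighter vector, which shows why the error weight must stay within what the code can correct.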
Classic McEliece's Achilles heel is its key sizes:
| Variant | Public Key | Secret Key | Ciphertext |
|---|---|---|---|
| Classic McEliece 348864 | 261,120 B (255 KB) | 6,492 B | 128 B |
| Classic McEliece 460896 | 524,160 B (512 KB) | 13,608 B | 188 B |
| Classic McEliece 6960119 | 1,047,319 B (1 MB) | 13,908 B | 226 B |
| Classic McEliece 8192128 | 1,357,824 B (1.3 MB) | 14,120 B | 240 B |
Compare these to ML-KEM-768:
The public key size of 512 KB–1.3 MB makes Classic McEliece impractical for TLS certificate distribution, PKI, and any use case where the public key must be transmitted frequently. However, the tiny ciphertext makes McEliece interesting for constrained environments where the public key can be pre-distributed.
| Metric | ML-KEM-768 | Classic McEliece 6960119 |
|---|---|---|
| Public key | 1,184 B | 1,047,319 B |
| Secret key | 2,400 B | 13,908 B |
| Ciphertext | 1,088 B | 226 B |
| Keygen time (Intel i7) | ~67 μs | ~2,800 μs |
| Encaps time | ~82 μs | ~8 μs |
| Decaps time | ~80 μs | ~380 μs |
| Security level | Level 3 (AES-192 eq.) | Level 5 (AES-256 eq.) |
NIST selected ML-KEM as the primary standard for several reasons:
FALCON (Fast Fourier Lattice-based Compact Signatures over NTRU), being standardised as FIPS 206 / FN-DSA, represents the NTRU approach applied to digital signatures.
| Metric | FALCON-512 | ML-DSA-65 |
|---|---|---|
| Public key | 897 B | 1,952 B |
| Secret key | 1,281 B | 4,032 B |
| Signature | **666 B** | **3,293 B** |
| Signing time | ~450 μs | ~190 μs |
| Verification time | ~55 μs | ~125 μs |
| Security level | Level 1 | Level 3 |
FALCON's primary advantage is dramatically smaller signatures (666 bytes vs 3,293 bytes). This makes FALCON compelling for:
FALCON's disadvantage: implementation complexity. The discrete Gaussian sampling over NTRU lattices required for signing must use floating-point arithmetic with specific precision, creating potential for implementation errors and side-channel vulnerabilities. NIST recommends ML-DSA as the primary signature standard and FALCON for applications where signature size is critical.
BIKE (Bit Flipping Key Encapsulation) and HQC (Hamming Quasi-Cyclic) are two additional code-based candidates under consideration for NIST standardisation (as potential alternates).
BIKE is based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes. It offers much smaller key sizes than Classic McEliece:
| Variant | Public Key | Ciphertext |
|---|---|---|
| BIKE-L1 | 1,541 B | 1,573 B |
| BIKE-L3 | 3,083 B | 3,115 B |
| BIKE-L5 | 5,122 B | 5,154 B |
BIKE's decapsulation uses a probabilistic bit-flipping decoder that has a small (but non-negligible) decapsulation failure probability (~2^-128). This decapsulation failure can create vulnerabilities if not properly handled in higher-level protocol design.
Based on quasi-cyclic codes with simpler decoding than BIKE, HQC achieves reliable decapsulation (failure probability negligible) at the cost of larger ciphertexts:
| Variant | Public Key | Ciphertext |
|---|---|---|
| HQC-128 | 2,249 B | 4,497 B |
| HQC-192 | 4,522 B | 9,042 B |
| HQC-256 | 7,245 B | 14,469 B |
Most Irish businesses should default to ML-KEM-768 + ML-DSA-65, accessed through:
NIST and ENISA both recommend cryptographic diversity: don't rely solely on one mathematical hard problem. The principle is:
If lattice problems are broken by an unexpected mathematical advance, all of ML-KEM, ML-DSA, and FALCON fail simultaneously. Diversifying with a code-based (Classic McEliece, HQC) or hash-based (SLH-DSA) scheme for critical applications provides insurance.
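One way to apply the diversity principle to key establishment is to derive the session key from two KEMs at once, one lattice-based and one code-based (an added example, not code from the original article and not any standard's combiner). The function names, the `context` label and the byte strings are constructed; in a deployment the shared secrets and ciphertexts would come from real ML-KEM and Classic McEliece or HQC implementations.

```python
import hashlib
import hmac

def length_prefixed(b: bytes) -> bytes:
    """Prefix a field with its length so field boundaries cannot shift."""
    return len(b).to_bytes(4, "big") + b

def combine_kem_secrets(ss_lattice, ct_lattice, ss_code, ct_code,
                        context=b"example-hybrid-kem-v1", length=32):
    """Derive one session key from two independent KEM outputs.

    HKDF (RFC 5869) with HMAC-SHA-256. Both shared secrets are keying
    material for the extract step and both ciphertexts are bound into
    the expand step, so recovering only one shared secret does not
    reveal the derived key.
    """
    if not ss_lattice or not ss_code:
        raise ValueError("both shared secrets are required")
    if not 0 < length <= 255 * 32:
        raise ValueError("length out of range for HKDF-SHA-256")
    ikm = length_prefixed(ss_lattice) + length_prefixed(ss_code)
    info = (length_prefixed(context) + length_prefixed(ct_lattice)
            + length_prefixed(ct_code))
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

if __name__ == "__main__":
    # Constructed placeholders sized like the article's table entries:
    # 1,088 B ML-KEM-768 ciphertext, 226 B Classic McEliece ciphertext.
    ss1, ct1 = bytes(range(32)), b"\xaa" * 1088
    ss2, ct2 = bytes(range(32, 64)), b"\xbb" * 226
    print(combine_kem_secrets(ss1, ct1, ss2, ct2).hex())
```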
For most organisations, pure ML-KEM + ML-DSA is sufficient. But for:
...dual-signing with ML-DSA + SLH-DSA (hash-based, different mathematical assumptions) provides cryptographic diversity.
For Irish and EU businesses beginning post-quantum migration, the choice is clear:
Classic McEliece's extreme key sizes make it impractical for most deployments, but its near-50-year track record makes it worth considering for ultra-high-security root keys. The important thing is to start: pick ML-KEM and ML-DSA, deploy them in hybrid mode, and learn from the process.
Michael English is Co-Founder & CTO of IMPT.io. He evaluates post-quantum algorithms for blockchain and EU carbon market infrastructure. Based in Clonmel, Co. Tipperary, Ireland.