> I'm really concerned by the current rush for PQ solutions and what are the real intentions behind it.
You had written. As long as we're in agreement that rushing PQ appears to be the appropriate choice. The only question is the precise form it should take, with the author arguing that hybrid would be unacceptably slow to roll out due to various social and bureaucratic reasons.
He's also pointing out that the only scenario in which hybrid is of benefit is one in which crypto related QC remains either relatively ineffective or extremely expensive in the medium term. Since that assumption is looking increasingly suspect it calls into question the point of hybrid to begin with. In the face of cheap QC hybrid adds zero value.
I think it is pretty direct from my comment that if you use a hybrid approach (done correctly) you can rely on the hardness of dlog based assumption and therefore my comment on potential weakness of PQ assumptions can be ruled out.
In this way we disagree that rushing PQ is the appropriate choice if it rules out dlog based security.
> He's also pointing out that the only scenario in which hybrid is of benefit is one in which crypto related QC remains either relatively ineffective or extremely expensive in the medium term. Since that assumption is looking increasingly suspect it calls into question the point of hybrid to begin with. In the face of cheap QC hybrid adds zero value.
This is exactly what I'm pointing out as extremely dangerous. My take was that the risk of seeing a quantum computer breaking dlog in a near future isn't stronger than breaking PQ assumptions in a near future.
You seem to just be rehashing what we already clearly agree on. Obviously if you view classically breaking PQ algorithms as higher likelihood than QC breaking classical then you are going to disagree with the premise.
Can you actually back up your prediction that crypto related QC will remain either relatively ineffective or extremely expensive in the medium term?
The requirement for favoring hybrid isn't that "you view classically breaking PQ algorithms as higher likelihood than QC breaking classical", but you think that the likelihood than QC breaking classical is less than a billion times more than the likelyhood of classically breaking PQ.
Hybrid has essentially no cost, so we should favor it as long as it has a greater than negligible chance of providing protection. IMO the likelihood of CRQCs breaking ECC is pretty high (>50% by 2040) and the odds of classically breaking lattices is low (<1% by 2050), but creating a 0.5% chance of breaking cryptography for the entire world seems way to high when we have a free mitigation right here.
Not so. One of the core premises of the article that we're discussing here is that hybrid is proving to be quite difficult for entirely nontechnical reasons.
I agree that my previous wording was sloppy to the point of error. The point I was trying to communicate was that we already had agreement that an elevated assessment of the chance of a classical attack against a given PQ algorithm would lead to one disagreeing with the aforementioned premise that we should switch to a PQ only scheme making use of said algorithm. Rehashing that is just stating the obvious.
What wasn't presented was any reasoning to back an elevated risk assessment for any particular PQ algorithm, of which there are several. So at that point the "argument" amounts to little more than "nuh-uh, that risk assessment is wrong" which isn't exactly convincing or insightful.
You had written. As long as we're in agreement that rushing PQ appears to be the appropriate choice. The only question is the precise form it should take, with the author arguing that hybrid would be unacceptably slow to roll out due to various social and bureaucratic reasons.
He's also pointing out that the only scenario in which hybrid is of benefit is one in which crypto related QC remains either relatively ineffective or extremely expensive in the medium term. Since that assumption is looking increasingly suspect it calls into question the point of hybrid to begin with. In the face of cheap QC hybrid adds zero value.