by olliej 1406 days ago
Quantum-safe crypto isn’t FUD. NIST’s steadfast refusal to specify a dual system, especially given their historical laundering of NSA back doors, is super questionable, but there exist (at least one that I know of) crypto systems that have no exploitable bias. The problem is the impractically large key sizes. AFAICT a lot of PQC work is trying to reduce the key sizes to something reasonable.

Horseshit. It's literally not NIST's job to design a "dual system"; the project was to standardize PQC constructions, not whole protocols. Everybody that deploys PQC anywhere is going to deploy "dual systems". This complaint is like claiming NIST is corrupt because they didn't standardize an authenticated key exchange along with SHA-3.
It is literally NIST’s job to define the standards that people are meant to use.

What you’re saying is that NIST not considering a dual system standard is fine because no one would consider relying solely on the standardized PQC algorithms and would obviously implement their own version of a dual system, only with less understanding of potential pitfalls or analysis for weaknesses.

No. Once again: the NIST PQC competition is a project to standardize post-quantum cryptography constructions. It's not a protocol competition, any more than the AES and SHA-3 competitions were.

This is literally spelled out on the competition page. I'm having trouble seeing how anyone could have any confusion about this. It literally says: do hybrid systems if you want, that's outside the scope of this competition.

How would it even have made sense to pursue hybrid systems in this competition? Like how would that have actually worked?

NIST/FIPS allows HMAC(salt, key) where salt can be anything, so a dual system is trivial: HMAC(PQ secret, conventional secret).