by tptacek 1406 days ago
Horseshit. It's literally not NIST's job to design a "dual system"; the project was to standardize PQC constructions, not whole protocols. Everybody that deploys PQC anywhere is going to deploy "dual systems". This complaint is like claiming NIST is corrupt because they didn't standardize an authenticated key exchange along with SHA-3.

It is literally NIST’s job to define the standards that people are meant to use.

What you’re saying is that NIST not considering a dual system standard is fine because no one would consider relying solely on the standardized PQC algorithms and would obviously implement their own version of a dual system, only with less understanding of potential pitfalls or analysis for weaknesses.

No. Once again: the NIST PQC competition is a project to standardize post-quantum cryptography constructions. It's not a protocol competition, any more than the AES and SHA-3 competitions were.

This is literally spelled out on the competition page. I'm having trouble seeing how anyone could have any confusion about this. It literally says: do hybrid systems if you want, that's outside the scope of this competition.

How would it even have made sense to pursue hybrid systems in this competition? Like how would that have actually worked?
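The thread talks past the mechanics of what a "dual" or hybrid system actually is at the key-exchange layer. The following is an added illustration, not code from this thread or from NIST: a hybrid KEM combiner in the concatenate-then-KDF style, where the classical and post-quantum shared secrets are fed together into HKDF-SHA256 and the derived key is bound to both ciphertexts. The KEMs themselves are stood in for by constructed random byte strings, since the point is the combiner, not any particular KEM; the label string, the length-prefixing, and the helper names are this example's own choices. The `depends_on_both` check is the property a deployer wants from such a combiner: the output key changes if either component secret changes, so an attacker who later breaks one of the two primitives still learns nothing about the derived key.

```python
import hmac
import hashlib
import os

HASH = hashlib.sha256
LABEL = b"example-hybrid-kem-combiner"  # constructed domain-separation label


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(data: bytes) -> bytes:
    """Length-prefix a field so concatenated variable-length inputs are unambiguous."""
    return len(data).to_bytes(2, "big") + data


def hybrid_combine(ss_classical: bytes, ss_pq: bytes,
                   ct_classical: bytes, ct_pq: bytes, length: int = 32) -> bytes:
    """Derive one session key from two KEM shared secrets.

    Both secrets go into the IKM; both ciphertexts go into the info string so the
    key is bound to the transcript. Breaking only one KEM leaves the other
    secret unknown, and the HKDF output stays unpredictable.
    """
    ikm = _lp(ss_classical) + _lp(ss_pq)
    info = LABEL + _lp(ct_classical) + _lp(ct_pq)
    prk = hkdf_extract(b"", ikm)
    return hkdf_expand(prk, info, length)


def depends_on_both(ss_classical: bytes, ss_pq: bytes,
                    ct_classical: bytes, ct_pq: bytes) -> bool:
    """Check that flipping a bit in either shared secret changes the derived key."""
    base = hybrid_combine(ss_classical, ss_pq, ct_classical, ct_pq)
    flip = lambda b: bytes([b[0] ^ 0x01]) + b[1:]
    alt_classical = hybrid_combine(flip(ss_classical), ss_pq, ct_classical, ct_pq)
    alt_pq = hybrid_combine(ss_classical, flip(ss_pq), ct_classical, ct_pq)
    return base != alt_classical and base != alt_pq


if __name__ == "__main__":
    # Constructed stand-ins for the two KEMs' outputs; a real deployment would
    # get these from e.g. an ECDH exchange and a lattice KEM decapsulation.
    ss_c, ss_q = os.urandom(32), os.urandom(32)
    ct_c, ct_q = os.urandom(32), os.urandom(1088)
    key = hybrid_combine(ss_c, ss_q, ct_c, ct_q)
    print("derived key:", key.hex())
    print("depends on both secrets:", depends_on_both(ss_c, ss_q, ct_c, ct_q))
```

The design choice worth noting is the `info` binding: including both ciphertexts means a transcript where one ciphertext was swapped yields a different key, which is what lets the combined exchange inherit the stronger of the two components' guarantees rather than the weaker.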