[olliej]

It is literally NIST’s job to define the standards that people are meant to use.

What you’re saying is that NIST not considering a dual system standard is fine because no one would consider relying solely on the standardized PQC algorithms and would obviously implement their own version of a dual system, only with less understanding of potential pitfalls or analysis for weaknesses.

[tptacek]

No. Once again: the NIST PQC competition is a project to standardize post-quantum cryptography constructions. It's not a protocol competition, any more than the AES and SHA-3 competitions were.

This is literally spelled out on the competition page. I'm having trouble how anyone could have any confusion about this. It literally says: do hybrid systems if you want, that's outside the scope of this competition.

How would it even have made sense to pursue hybrid systems in this competition? Like how would that have actually worked?