by wstuartcl 1204 days ago
I have not been following this closely but I thought most all of the quantum safe algorithms that had been proposed so far had been found lacking for traditional attacks very soon after they were held up as a standard contender. Has this changed?
3 comments

I believe three of the four contenders for round 4 of the NIST competition are still showing secure:

https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography...

Rosenpass author here;

nope, that is not correct. NIST has elected Kyber as one of the algorithms to standardize and we are using that.

As other commenters mentioned (very good info there, thank you all!) the other algorithm we use – Classic McEliece – is one of the oldest algorithms and has been well studied. There is no known efficient attack against it.

Have you seen https://isd.mceliece.org/1347.html ? DJB agrees with you.
DJB says the parameters designed for long-term use, mceliece6960119 and mceliece6688128, are fine against an attack billions or trillions of times stronger.
One of the KEMs they've elected to (McEliece) has been around since the '70s, and has arguably been studied more than the others. If you're not quite sure about lattices, I've heard it called the "conservative choice" for a PQ KEM.