by hannob 1001 days ago
I've heard physicists raise opinions like yours (i.e. QC will never be built for practical reasons), but I also hear ones that say the opposite. I'd err on the side of caution.

As for your conspiracy: The conclusion of that would be to continue using hybrid constructions.

Though, and I know crypto better than physics, I'd consider it highly unlikely. Creating backdoors that others won't find is next to impossible. Why do I say that? Because we have some historic evidence of how "NSA wants to plant a backdoor into an algorithm" works. Usually they've been discovered quickly. They can still be successful, because as we have seen with Dual EC DRBG, it was discovered quickly, yet nobody really cared and industry still used the algorithm.

But something like that won't happen in a transparent process. You can be sure that every expert in the field has had a look at CRYSTALS-Kyber. If anything about it was suspicious, we would know.

It's perhaps telling that NSA has been rather aggressively against the use of hybrid systems, even though they have almost no marginal cost (an extra 56 bytes on top of 1.2 kB of PQ exchange) and are the obvious move, especially while the PQ systems are very new.
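As an added illustration of what a hybrid construction actually looks like (this is example code written for this page, not code from the thread or from any project named in it): the classical half is a real X25519 exchange (RFC 7748) in pure Python so the block runs offline, and the post-quantum shared secret and ciphertext are constructed stand-in bytes for what a Kyber encapsulation would return, since a Kyber implementation is out of scope here. The combiner follows the concatenation approach used in the TLS hybrid key-exchange drafts: both shared secrets go into one KDF, and both ciphertexts are bound into the KDF context. The label string and all function names are this example's own choices.

```python
import hashlib
import hmac

# --- Classical component: X25519 scalar multiplication, RFC 7748 ---
P = 2**255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31


def _cswap(swap: int, a: int, b: int):
    # Conditional swap driven by a mask rather than a branch.
    mask = (0 - swap) & ((1 << 256) - 1)
    d = (a ^ b) & mask
    return a ^ d, b ^ d


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clamp, as RFC 7748 section 5 requires
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # ignore the unused top bit of the u-coordinate
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder computing k*u; returns the 32-byte u-coordinate."""
    k = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_keypair(seed: bytes):
    return seed, x25519(seed, BASEPOINT)


# --- KDF: HKDF-SHA256 (RFC 5869) ---
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


# --- Hybrid combiner ---
def hybrid_combine(ss_classical: bytes, ss_pq: bytes,
                   ct_classical: bytes, ct_pq: bytes,
                   label: bytes = b"hybrid-kem-demo") -> bytes:
    """Concatenation combiner: the derived key depends on BOTH shared secrets,
    so an attacker must break both components to recover it. Both ciphertexts
    are bound into the salt so a swapped or replayed component changes the key."""
    salt = hashlib.sha256(ct_classical + ct_pq).digest()
    prk = hkdf_extract(salt, ss_classical + ss_pq)
    return hkdf_expand(prk, label, 32)


def demo_hybrid_exchange(alice_seed: bytes, bob_seed: bytes,
                         pq_ss: bytes, pq_ct: bytes):
    """Both parties run X25519, then feed their DH secret plus the (stand-in)
    PQ secret through the combiner. Bob's ephemeral public key plays the role
    of the classical 'ciphertext'. Returns (dh secret, Alice key, Bob key)."""
    a_priv, a_pub = x25519_keypair(alice_seed)
    b_priv, b_pub = x25519_keypair(bob_seed)
    ss_a = x25519(a_priv, b_pub)
    ss_b = x25519(b_priv, a_pub)
    k_a = hybrid_combine(ss_a, pq_ss, b_pub, pq_ct)
    k_b = hybrid_combine(ss_b, pq_ss, b_pub, pq_ct)
    return ss_a, k_a, k_b


if __name__ == "__main__":
    # RFC 7748 section 6.1 test keys for the classical half; the PQ values are
    # constructed placeholders, not output of any real KEM.
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    ss, ka, kb = demo_hybrid_exchange(alice, bob, b"\x42" * 32, b"\x17" * 1088)
    print("dh secret:", ss.hex())
    print("keys match:", ka == kb, "key:", ka.hex())
```

The practical point of the combiner is in `hybrid_combine`: if the lattice half were broken (or backdoored) tomorrow, the attacker still faces X25519, and vice versa; swapping in a real Kyber encapsulation only changes where `pq_ss` and `pq_ct` come from.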
The transparency of the process depends in an essential way on the number of people who can understand what is being proposed. From the outside, lattice-based cryptography seems significantly more complex. The question is, would anyone notice, and how far-reaching are the proofs made about their security? On what basis can one prove that a computer with a novel algorithm could not break it?

> As for your conspiracy: The conclusion of that would be to continue using hybrid constructions.

As long as ordinary crypto does not get deprecated.

Anyway, the number of responses made me curious about this new CRYSTALS-Kyber. Do you have any recommendations on the best introductory text that explains it from a bird's-eye view?

> As long as ordinary crypto does not get deprecated.

On that note, just this month Tutanota emailed customers that their Secure Connect product is being turned off at the end of next month in order to focus developers on quantum-secure encryption solutions.

This occurs at a time when there appear to be precious few hosted E2EE webform-submission options that don't involve either a) big tech or b) fly-by-night operations. Tutanota was a happy medium, and is getting out of that market, apparently.

It can make one wonder what kind of pressure might exist to turn off a quite good, working solution to an actual problem. If one didn't know better, it could seem that blaming the need for quantum is just a distraction.

The GP is not the first to make the observation in a natural line of inquiry. HN guidelines ask to assume good faith, and surely we know to try to.

Honestly, that sounds more like an excuse to get out of the market. Probably facing a lot of competition from SecureDrop for the paranoid, and the non-paranoid don't care about security at all.
Why create backdoors if you can convince everyone to use less effective cryptography?