by BoppreH 672 days ago
Excellent post, I've always recommended people to this series.

I'm curious what's the general opinion on the production-readiness of these solutions. Open Quantum Safe, for example, discourages its use in production, and recompiling nginx to use PQC-BoringSSL feels risky since I'm not intimately familiar with both projects ("did I miss a --enable-security flag?").

> the PQ keys are 4 orders of magnitude larger

For McEliece, perhaps, but the algorithms in the tables are "only" 2 orders of magnitude larger.

2 comments

One interesting thing is that if you look at what companies that want to prepare for Store Now Decrypt Later are doing (see links at bottom) they're pretty much all using the non-production ready OQS. If you believe in hybrid encryption this is mostly okay since a failure in the PQC portion should not cause a breakage in the classical portion. Assuming that OQS has implemented the hybrid protocol correctly.

- https://www.microsoft.com/en-us/research/project/post-quantu...
- https://engineering.fb.com/2024/05/22/security/post-quantum-...
- https://blog.cloudflare.com/kemtls-post-quantum-tls-without-...

The field is too young for us to be absolutely sure. That's why most suggest using hybrid cryptography for now.

True, and hybrid cryptography is definitely the way to go.

But there's more to it than just resistance to cryptanalysis: crashes, memory leaks, disabled security features (e.g., ASLR), irregular performance, supply chain attacks...

PQC requires extra code, and every added instruction carries some risk.