[tptacek]

Your theory here is that NSA coordinated an action whereby the PQC standard selected could be broken by anybody in the world with a Python script, based on research disclosed to the public in the 1990s.

I'm guessing this isn't a conversation that's going to take us into Richelot isogenies.

[philodeon]

You obviously know that the Python script wasn’t submitted to NIST along with the draft standard.

Is Dual-EC-DRBG fine because we never saw the FVEY Python exploit that breaks it?

I think my theory here is that NSA coordinated an action whereby they figured no one was reading obscure algebraic geometry papers from 1997. In our low-attention-span world, it’s not the worst plan.

(Hell, folks didn’t realize TAOSSA contained 0day for a long time. Simply putting something in front of the public doesn’t mean they’ll read or comprehend it.)

[tptacek]

It is literally the worst plan, because it leaves every PQC-protected system in the world exposed to everybody in the world. It's a theory that depends on NSA just wanting to watch the world burn.

Dual EC isn't broken by an exploit script. It's broken with a secret key.

[philodeon]

> It is literally the worst plan, because it leaves every PQC-protected system in the world exposed to _everybody in the world_.

No, it leaves every SIKE-protected system in the world exposed to _everybody who reads obscure algebraic geometry papers from 1997._ We got really lucky that the two dorks who do read those papers decided to share their insights.

For all you know, there’s a paper sitting at the Institute For Advanced Study that would let you write a marvelous pq-crystals-shattering Python script, but they’ll never tell you the combination to the safe.

(Again: TAOSSA contained 0day exploits, and few noticed for a decade.)

[tptacek]

You seem to believe the only thing preventing people from exploiting Dual EC is not having read the right cryptography papers. No; the reason why that's not the case is plainly evident from Dual EC's structure (if that were true, the NSA would presumably have no need of Dual EC!). Our premises are too far apart to usefully discuss this.

[vlovich123]

I thought PQC systems were wrapping classical encryption within the PQC protection so even if you broke PQC you'd still be left having to crack classical. Of course some hypothetical future QC could then accomplish this task so the future proofing goal of PQC would be violated.

[zahllos]

The proposal is to do exactly this (hybrid schemes using a pre and a post quantum scheme).

However in this context the debate is just over the PQ scheme (not the overall system). Also, NSA are not planning to mandate a hybrid system for government use. Others may do the same.