[tptacek]

It is literally the worst plan, because it leaves every PQC-protected system in the world exposed to everybody in the world. It's a theory that depends on NSA just wanting to watch the world burn.

Dual EC isn't broken by an exploit script. It's broken with a secret key.

[philodeon]

> It is literally the worst plan, because it leaves every PQC-protected system in the world exposed to _everybody in the world_.

No, it leaves every SIKE-protected system in the world exposed to _everybody who reads obscure algebraic geometry papers from 1997._ We got really lucky that the two dorks who do read those papers decided to share their insights.

For all you know, there’s a paper sitting at the Institute For Advanced Study that would let you write a marvelous pq-crystals-shattering Python script, but they’ll never tell you the combination to the safe.

(Again: TAOSSA contained 0day exploits, and few noticed for a decade.)

[tptacek]

You seem to believe the only thing preventing people from exploiting Dual EC is not having read the right cryptography papers. No; the reason why that's not the case is plainly evident from Dual EC's structure (if that were true, the NSA would presumably have no need of Dual EC!). Our premises are too far apart to usefully discuss this.

[vlovich123]

I thought PQC systems were wrapping classical encryption within the PQC protection so even if you broke PQC you'd still be left having to crack classical. Of course some hypothetical future QC could then accomplish this task so the future proofing goal of PQC would be violated.

[zahllos]

The proposal is to do exactly this (hybrid schemes using a pre and a post quantum scheme).

However in this context the debate is just over the PQ scheme (not the overall system). Also, NSA are not planning to mandate a hybrid system for government use. Others may do the same.