by bem94 480 days ago
> I find the suddenness, almost haste to be quite interesting.

> But there is a clear change around 2022, 2023.

I think that's probably because the NIST competition [1] to choose their standard algorithms really started to heat up then.

NIST has a very large gravity well in the academic and industrial cryptographic community, so as soon as it became clear which algorithms NIST would pick (they chose Kyber / ML-KEM and Dilithium / ML-DSA), the (cryptographic) world felt it could start transitioning with much more certainty and haste.

1. https://csrc.nist.gov/projects/post-quantum-cryptography/pos...


Yes, that is one aspect, and when the drafts were published you could see orgs started running (I've got a nice timeline in my slides). But I still find the haste interesting. There is very little time for the transitions compared to the adoption rate of other crypto standards. The NIST algos are imho still quite immature, which is one big motivation for hybrid schemes.

A bit off topic, as a European, with what is happening with DOGE, slashing funding for CISA, TAA etc., I'm seriously worried about NIST. As you say, NIST is very important in many areas. For the USA, with things like the coordinated universal time normal. But also for federal cybersec standards that have led to interop with the rest of the world cryptographically. Will NIST be slashed, and if so will the crypto department be spared? If not, what would remain? New standards, the validation program? Will Falcon become a standard, or for that matter the new lightweight symmetric algo based on Ascon? (For which I'm eagerly waiting for NIST to publish test vectors so that I'm able to verify that my implementation is compliant.)

I think the haste is probably down to a risk calculation. If practical quantum breaks of classical crypto don't materialise in the next 5-10 years, "all" that's happened is we've cycled onto a new cypher suite sooner than we otherwise would have.

The reverse picture, where they do and we haven't, is so colossally damaging that it doesn't matter if the probability of quantum breaks landing is actually quite small. In expected value terms we still come out ahead.

You don't need to assume that someone in an NSA lab has already demonstrated it for this to work out, and you don't need to assume that there is ever a practical quantum computer deployed for this stuff. All you need is for the probability to be above some small threshold (1%? 5%? I could believe something in that range) to make running for the exits the right move today.

What does the calculation look like if the thing we migrate to ends up being broken way more easily than classical algorithms?

Because the current plans aren't to migrate to just hybrid classical+PQC schemes, the plans are to migrate to PQC fully. Discarding both RSA and ECC.

> Because the current plans aren't to migrate to just hybrid classical+PQC schemes, the plans are to migrate to PQC fully. Discarding both RSA and ECC.

This isn't true. NIST has been saying that, but everyone else just laughs and implements hybrid since throwing out RSA/ECC is so obviously stupid.

If you have references to nations, governments that state that transition to hybrid I would love to get references. The EU transition will not be hybrid. The NSA plan is not hybrid. ETSI is not hybrid.

My view is that IETF and commercial entities such as Apple, Google and open source world are the ones going hybrid. In this case I would love to be wrong.
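The hybrid-versus-PQC-only question in the comments above is, at the key-derivation level, a question of what the session key depends on. The following is an added illustration, not code from any commenter or from NIST, IETF or any vendor: a concatenation-style combiner in the spirit of the IETF hybrid TLS designs (an assumption about their general shape, not their exact key schedule), built on HKDF with HMAC-SHA256 from the Python standard library. The shared-secret inputs are constructed placeholders; no real ECDH or ML-KEM is performed.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(*parts: bytes) -> bytes:
    # Two-byte length prefix per component, so two different (classical, pq)
    # pairs can never produce the same KDF input by shifting the boundary.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def hybrid_combine(classical_ss: bytes, pq_ss: bytes, transcript: bytes,
                   length: int = 32) -> bytes:
    """Derive a session key that depends on BOTH shared secrets.

    An attacker who later breaks ECC (quantum) or the PQ KEM (a classical
    cryptanalytic advance) still lacks the other input, so the key survives
    the failure of either component. The handshake transcript is bound in
    via the HKDF info field.
    """
    prk = hkdf_extract(b"", _length_prefixed(classical_ss, pq_ss))
    return hkdf_expand(prk, b"hybrid-session-key" + transcript, length)


def pq_only_combine(pq_ss: bytes, transcript: bytes, length: int = 32) -> bytes:
    """The non-hybrid policy for comparison: the key depends on the PQ KEM alone."""
    prk = hkdf_extract(b"", _length_prefixed(pq_ss))
    return hkdf_expand(prk, b"pq-only-session-key" + transcript, length)


def demo() -> dict:
    """Constructed inputs standing in for real ECDH and KEM outputs."""
    classical_ss = os.urandom(32)   # would come from X25519 or similar
    pq_ss = os.urandom(32)          # would come from an ML-KEM decapsulation
    transcript = b"constructed-handshake-transcript"
    return {
        "hybrid": hybrid_combine(classical_ss, pq_ss, transcript),
        "pq_only": pq_only_combine(pq_ss, transcript),
        # What someone who has recovered only the PQ secret can compute:
        "guess_without_classical": hybrid_combine(bytes(32), pq_ss, transcript),
    }


if __name__ == "__main__":
    keys = demo()
    for name, key in keys.items():
        print(f"{name:24s} {key.hex()}")
    print("guess matches hybrid key:", keys["guess_without_classical"] == keys["hybrid"])
```

The design point is that the hybrid key collapses to the strength of the surviving component rather than to nothing; the `pq_only_combine` path shows what is lost if the classical input is dropped entirely, as the non-hybrid plans discussed above would do.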

> NIST has been saying that, but everyone else just laughs and implements hybrid since throwing out RSA/ECC is so obviously stupid.

The Australian government is also saying this.

That is a very relevant point. Add a bit of scare mongering, herd mentality and downplaying of the technical effects, risks, you get the ones setting policies taking a decision to transition - just like everybody else.
When I have seen time estimates, everyone is referring to Mosca's Theorem. This is the idea that "store now, decrypt later", combined with the estimated time until a working quantum cryptanalysis is feasible, and a finite transition time for existing crypto standards and technologies (think update times for long-living tokens like ID cards with certificates) makes the available delay until a change must start quite short.