|
|
|
|
|
|
by adgjlsfhk1
69 days ago
|
|
|
The requirement for favoring hybrid isn't that "you view classically breaking PQ algorithms as higher likelihood than QC breaking classical", but you think that the likelihood than QC breaking classical is less than a billion times more than the likelyhood of classically breaking PQ. Hybrid has essentially no cost, so we should favor it as long as it has a greater than negligible chance of providing protection. IMO the likelihood of CRQCs breaking ECC is pretty high (>50% by 2040) and the odds of classically breaking lattices is low (<1% by 2050), but creating a 0.5% chance of breaking cryptography for the entire world seems way to high when we have a free mitigation right here. |
|
|
I agree that my previous wording was sloppy to the point of error. The point I was trying to communicate was that we already had agreement that an elevated assessment of the chance of a classical attack against a given PQ algorithm would lead to one disagreeing with the aforementioned premise that we should switch to a PQ only scheme making use of said algorithm. Rehashing that is just stating the obvious.
What wasn't presented was any reasoning to back an elevated risk assessment for any particular PQ algorithm, of which there are several. So at that point the "argument" amounts to little more than "nuh-uh, that risk assessment is wrong" which isn't exactly convincing or insightful.