2021.07.07 00:22:05 (1412537362941317122) from Daniel J. Bernstein:

Most post-quantum encryption proposals rely on a "T" transform that (1) has seen very little cryptanalysis and (2) _could_ lose ~100 bits of security. My new paper "On the looseness of FO derandomization" (https://cr.yp.to/papers.html#footloose) constructs examples where T _does_ lose security.

2021.07.07 00:25:35 (1412538241975078914) from Daniel J. Bernstein:

These are pre-quantum examples. All available post-quantum (QROM) T proofs allow even larger security losses than the pre-quantum (ROM) T proofs, which makes the combined cryptanalytic gap + proof gap even more worrisome, but QROM analysis is outside the scope of this paper.

2021.07.07 00:32:44 (1412540042795388930) from Daniel J. Bernstein:

Perhaps the unbroken post-quantum proposals using T are secure. Or perhaps the lack of attacks against derandomization in these proposals is simply because people haven't been looking for attacks. This is just one example of how scary the overall post-quantum attack surface is.