2022.03.09 01:12:30 (1501350174970445827) from Daniel J. Bernstein, replying to "Nadim Kobeissi (@nadim@symbolic.software) (@kaepora)" = "Nadim Kobeissi (@kaepora)" (1501205947628363776):
Rolling out something post-quantum (on top of ECC, obviously) to _try_ to protect users is compatible with recognizing and mitigating risks (which _isn't_ the stated priority for #NISTPQC). NSA/NIST recommendations seem designed to maximize the amount of data delivered to NSA.
2022.03.08 02:32:43 (1501007974352916484) from Daniel J. Bernstein:
In today's #NISTPQC talk, Moody said (1) NIST will share any concrete post-quantum IP news as soon as it has it; (2) he's "happier" about IP news now than he was months ago; (3) NIST has already made its selection and is reviewing its report. So, um, did something secret happen?
2022.03.08 02:45:04 (1501011085725368320) from Daniel J. Bernstein:
Moody also took the new Rainbow attack from @WardBeullens as an argument "to not put candidates into products until the standard is done", which Moody said would be 2023 but later said maybe 2024. Um, how about we _try_ to protect Internet users against future quantum computers?
2022.03.08 15:39:23 (1501205947628363776) from "Nadim Kobeissi (@nadim@symbolic.software) (@kaepora)" = "Nadim Kobeissi (@kaepora)":
You can't have it both ways, though, right? Either you wait until some standards process chooses the most promising candidate that's likely to stand the test of time, or folks will just choose whichever primitive seems best to them, which could be anything from KYBER to Rainbow.