2022.07.02 06:00:05 (1543082053805019136) from Daniel J. Bernstein, replying to "Greg Slepak (@firstname.lastname@example.org) (@taoeffect)" (1543078527397810176):
Getting crypto to widespread deployment involves many stages (decades for ECC!). Google already tried rolling out post-quantum crypto 6 years ago and then retreated, for interesting reasons; see https://blog.cr.yp.to/20220129-plagiarism.html. OpenSSH has pq now but much more is waiting for NIST to act.
2022.07.02 02:49:44 (1543034151544049664) from Daniel J. Bernstein:
NIST now says it plans to announce its selections of post-quantum algorithms on "Tuesday, July 5th" (I presume 2022, not 2033). Given the extent to which waiting for NIST has stalled pq deployment, this announcement is an important step forward no matter what the details are.
2022.07.02 02:52:04 (1543034738331435008) from Daniel J. Bernstein:
Regarding details, I _hope_ that whatever NIST picked turns out to be safe, and I _hope_ that their handling of patents turns out to be adequate. If so, great: this announcement will set many more wheels in motion towards deployment of high-security post-quantum cryptography.
2022.07.02 02:54:43 (1543035406194581504) from Daniel J. Bernstein:
But say NIST selects X, and later X turns out to be a disaster. (I question the competence of anyone who ignores this risk.) Are people then going to go back to waiting for NIST? Surely not. The announcement is getting rid of NIST's primary impact here as a deployment bottleneck.
2022.07.02 05:46:04 (1543078527397810176) from "Greg Slepak (@email@example.com) (@taoeffect)":
Can you elaborate on what you mean by “deployment bottleneck”? Isn’t the only real bottleneck the existence of a good cipher?