2022.08.07 06:06:11 (1556129553466081285) from Daniel J. Bernstein, replying to "Peter Todd (@peterktodd)" (1556125621469827073):
Keeping the ECC layer is critical for trustworthy protection today. But the objective of rolling out post-quantum crypto is to _also_ protect user data against future quantum computers. The ECC layer will then be broken by Shor's algorithm, and we need to get the pq layer right.
2022.08.07 05:29:31 (1556120326005592064) from Daniel J. Bernstein:
It's great to see the progress on rolling out post-quantum crypto, assuming big quantum computers are coming. The _risks_ of Kyber problems (patents, attacks) aren't a reason to incur the _definite failure_ of doing nothing. But the bleeding-edge Kyber-512 option is a bad idea. https://twitter.com/grittygrease/status/1555201358357270528
2022.08.07 05:34:37 (1556121607118000129) from Daniel J. Bernstein:
If there's a Kyber-512 attack that scales as well as the recent SIKE attack, then, sure, Kyber-1024 is dead too. But if there's an attack that scales like core RSA attacks (NFS for integer factorization), then moving from Kyber-512 and Kyber-768 to Kyber-1024 could save the day.
2022.08.07 05:46:57 (1556124713960689667) from Daniel J. Bernstein:
Some people say "We'll move to larger key sizes if an attack is published"; does this mean we don't care about tons of user data we're feeding into attacker databases _before_ the attack is published? Once we've sent a ciphertext, we can't retroactively add stronger protections.
2022.08.07 05:50:34 (1556125621469827073) from "Peter Todd (@peterktodd)":
“We are not using Kyber on its own though, but are using hybrids. That means we are doing both an X25519 and Kyber key agreement such that the connection is still classically secure if either is broken.” Seems that in this case, you're still protected if the test fails.