2024.03.12 20:19:44 (Mastodon 112084568257483595, Twitter 1767646697784774932) from Daniel J. Bernstein:
I clicked on "Google's Threat model for Post-Quantum Cryptography". 2MB page; below web average. I was hoping it would explain how Google sees Kyber-768 as such low risk as to not move up to Kyber-1024 (384 bytes larger key, 480 bytes larger ciphertext): https://bughunters.google.com/blog/5108747984306176/google-s-threat-model-for-post-quantum-cryptography