Edwin Török

@edwintorok@discuss.systems
mastodon 4.5.9

#OCaml developer

0 Followers
0 Following
Joined November 18, 2023
Github:
https://github.com/edwintorok
Lobste.rs:
https://lobste.rs/~edwintorok
LinkedIn:
https://www.linkedin.com/in/torokedwin
Codeberg:
https://codeberg.org/edwintorok

Posts

In reply to @edwintorok@discuss.systems
@edwintorok@discuss.systems · Apr 06, 2026
@filippo I still think hybrid is the way to go. PQ crypto algorithms and their implementations are still very new, with undiscovered flaws. If you use hybrid and PQ is broken by a bug or flaw, no problem, you still have the same protection or better than the classical one. Even when quantum computers exist you'd have to break both the classical one (with a quantum computer) and the PQ one (with an implementation flaw, or mathematical breakthrough). If you deploy only PQ and a flaw is found you are *worse* than classical; depending on how bad the flaw is you might not be much better than transmitting in plain text. IOW a PQ crypto algorithm protects against an attack from a machine which doesn't yet exist. Deploying it standalone makes you vulnerable against a bug that doesn't yet exist. *But* we've seen a steady stream of bugs in OpenSSL, and it is very likely that there will be one in the PQ implementation too. I think it is more likely that such a bug is discovered before a quantum computer is built that is capable of a practical attack. For example there could be side channel attacks if you forget to implement protections similar to RSA blinding (constant time CPU instructions are not side-channel free, see latest Hertzbleed attack from 2025 about remote power analysis leaks). And there are probably plenty of other "classical" attacks that will work on PQ algorithms too, since they execute on a classical computer... Of course implementation flaws in a classical+PQ hybrid could be worse off than just classical too (e.g. some C memory bug), but that might be an acceptable risk. I'm not sure what the best ordering for a hybrid would be, but I guess PQ encryption first, then classical? So you always have to break the classical first (which won't be instant, even with quantum computers).
There is of course a performance cost, but AFAICT encryption isn't really the bottleneck in TLS, from some testing with 'curl' and 'stunnel' they achieve much lower speeds than what 'openssl speed' reports, so increasing encryption time may not affect overall time that much.
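The post's argument is that a hybrid scheme keeps the protection of whichever component survives. The usual defender-side way to get that property is to feed both shared secrets through one KDF so that the session key depends on both at once. The following is an added illustration of such a combiner, written for this page; it is not code from the post, from OpenSSL, or from any TLS specification. The two shared secrets are constructed sample bytes standing in for real X25519 / ML-KEM outputs, the transcript value is a placeholder, and the length-prefixing and the `b"hybrid key"` label are this example's own choices.

```python
"""Hybrid (classical + post-quantum) shared-secret combiner.

Added example. Assumes the two key-agreement steps have already produced one
shared secret each (here: constructed sample bytes, not real X25519/ML-KEM
outputs). Both are run through HKDF-SHA256 (RFC 5869) so that the session key
cannot be computed from either secret alone.
"""
import hashlib
import hmac
import secrets

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: OKM = T(1) || T(2) || ... truncated to `length`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def _length_prefixed(secret: bytes) -> bytes:
    """2-byte big-endian length prefix so concatenation is unambiguous."""
    if not 0 < len(secret) < 65536:
        raise ValueError("shared secret must be 1..65535 bytes")
    return len(secret).to_bytes(2, "big") + secret


def hybrid_session_key(ss_pq: bytes, ss_classical: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from both shared secrets.

    The IKM is pq || classical (each length-prefixed) and the handshake
    transcript is the HKDF salt. Changing, dropping or substituting either
    secret changes the output, so an attacker holding only one of them (a PQ
    implementation flaw, or a quantum attack on the classical part) still has
    to recover the other before the session key is exposed.
    """
    ikm = _length_prefixed(ss_pq) + _length_prefixed(ss_classical)
    return hkdf(salt=transcript, ikm=ikm, info=b"hybrid key", length=length)


def pq_break_exposes_key(ss_pq: bytes, ss_classical: bytes, transcript: bytes) -> bool:
    """Model the failure mode in the post: the PQ secret is fully known to the
    attacker, the classical one is not. Returns True only if the attacker's
    best derivation (known PQ secret, guessed classical secret) equals the
    real key, i.e. if the combiner failed to bind the classical secret."""
    real = hybrid_session_key(ss_pq, ss_classical, transcript)
    guessed_classical = secrets.token_bytes(len(ss_classical))  # attacker's guess
    return hybrid_session_key(ss_pq, guessed_classical, transcript) == real


if __name__ == "__main__":
    transcript = b"constructed transcript: client_hello || server_hello"
    ss_pq = secrets.token_bytes(32)         # stands in for an ML-KEM shared secret
    ss_classical = secrets.token_bytes(32)  # stands in for an X25519 shared secret
    print("session key:", hybrid_session_key(ss_pq, ss_classical, transcript).hex())
    print("PQ break alone exposes key:", pq_break_exposes_key(ss_pq, ss_classical, transcript))
```

Because both secrets enter the same KDF, the question of which one is "first" is a matter of encoding convention rather than of security: either secret, on its own, leaves the attacker with a full-entropy unknown in the IKM. The remaining risk the post names, a memory-safety bug in the code that handles the secrets, is not addressed by the combiner and has to be handled by the implementation language and review.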
In reply to @edwintorok@discuss.systems
@edwintorok@discuss.systems · Nov 05, 2025
@jk yeah Win11 looks like it was designed on a Mac...