> you made the argument that we should abandon ECC by not doing hybrid,
Where did I ever make that argument? In both TFA and my previous blog post, I've made it abundantly clear that I'm pro-hybrid.
My argument is simply:
1. The claimed benefits of ECDH hybridization evaporate immediately the moment Q-Day happens. No one disputes this.
2. Harvest Now, Decrypt Later (HNDL) is the primary threat we face today during the uncertain times where we don't know if Q-Day will ever happen.
Advocating for PQ+ECC hybrids over PQ is fine. But fear-mongering about PQ in this threat model is self-defeating: Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go (and PQ+PQ+EC if you really want EC). The blog post you're commenting on says this explicitly.
I'm not anti-hybrid. I'm anti "this is an NSA ploy" bullshit. And the IETF mailing list thread I'm mentioning is stuffed with this kind of irritating conspiracy theory rhetoric. I even link to, and quote, two examples of this.
> Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go
I want to broadly agree but I still can't resist arguing :)
EC is really cheap on the CPU and I trust that libsodium's X25519 is implemented pretty solidly. After Q day, the $ price to break EC is still not negligible.
Whereas PQ+PQ is really expensive. I'm anti PQ+PQ hybrid just on cost. PQ+EC is practically free and still inflicts $'s on attackers after Q day (attacks do get cheaper and you discard the EC at some point, but practically I don't see EC as instantly worthless).
I’m a passive observer on the same list and have been for at least several years. I don’t plan to comment on the WGLC currently going on… but I will be so extremely happy once the subject is done with.
It’s like watching a cybersecurity version of Dawson’s Creek or The Young and the Restless or… Jerry Springer?! Insane
In that case, my mistake. I always assumed that the "NSA ploy" was strategic bullshit, the sort of thing you say to get support from NSA haters.
It wouldn't even occur to me that someone would take time addressing it without being one of those anti-hybrid people.
In your PQ safety blanket article https://soatok.blog/2026/04/13/hybrid-constructions-the-post... you make it pretty clear the reason you support hybrid is tactical, not cryptographic.
Your wording ("Once Q-Day happens") strongly suggests Q-Day will happen, like, it’s so certain you don’t even need to state it explicitly, you can just assume it will. And your references to the PQ timeline give the impression that you think it will likely happen soon.
It’s pretty clear from there that you think ECDH is now technically useless, and the only real justification for hybrid schemes (as opposed to pure PQ), is to reassure the people still unsure about the likes of ML-KEM. Sure you still do recommend going hybrid, but from what I can tell, you would have preferred a world where we go pure PQ right away.
And so would I to be honest (if ECC is a bust): one algorithm is simpler and faster than two.