Hacker News

tux3, today at 10:57 AM

> Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go

I want to broadly agree but I still can't resist arguing :)

EC is really cheap on the CPU and I trust that libsodium's X25519 is implemented pretty solidly. After Q day, the $ price to break EC is still not negligible.

Whereas PQ+PQ is really expensive. I'm anti PQ+PQ hybrid just on cost. PQ+EC is practically free and still inflicts $'s on attackers after Q day (attacks do get cheaper and you discard the EC at some point, but practically I don't see EC as instantly worthless).


Replies

loup-vaillant, today at 11:21 AM

I’ve seen arguments that PQ algorithms are easier to implement correctly than ECDH, thus reducing that risk. I’d have to try it myself to really assess that, but for now I believe them. I’d say the real cost is performance.
