My introduction to threat modeling was from this post: https://www.privacyguides.org/en/basics/threat-modeling/
It's a bit shorter and focused for people interested in privacy.
> Hybrid PQ+ECDH is a hedged bet against an algorithm break before Q-Day, but is utterly fucking useless over Pure PQ once Q-Day occurs.
there is also the likelihood that Q-Day never arrives, either because something we don't know prevents the construction of sufficiently large quantum computers (e.g. quantum gravity) or because the entire field was a scam. in that scenario abandoning ECC would have been pretty stupid.
> there is also the likelihood that Q-Day never arrives, either because something we don't know prevents the construction of sufficiently large quantum computers (e.g. quantum gravity)
That is possible, but given the recent 2029 timelines from large Internet providers, I think it's prudent to prepare for Q-Day even if it never arrives.
> or because the entire field was a scam.
The field is like... a magnet for scams, sure. But it, itself, isn't one.
And, like, the Quantum Village at DEFCON has really failed to establish credibility in my eyes.
https://soatok.blog/2022/08/18/burning-trust-at-the-quantum-...
https://soatok.blog/2023/08/20/defcon-quantum-village-2-elec...
> in that scenario abandoning ECC would have been pretty stupid.
Not really, no. See https://blog.trailofbits.com/2024/07/01/quantum-is-unimporta... for a counter-point.
> That is possible, but given the recent 2029 timelines from large Internet providers, I think it's prudent to prepare for Q-Day even if it never arrives.
no one argues we shouldn't. you made the argument that we should abandon ECC by not doing hybrid, in my opinion it's an extremely weak argument because it assumes Q-Day will arrive. don't change goalposts.
the article you linked supports my position.
> the fear of the quantum doomsayers is based on a completely valid observation: the internet has put nearly all of its cryptographic eggs into the single basket of the hidden subgroup problem.
> By the time the next phase of standardization is over, we can expect to have algorithms based on at least three or four different mathematical problems. If one of the selected problems were to fall to advances in quantum or classical algorithms, there are readily-available replacements that are highly unlikely to be affected by attacks on the fallen cryptosystems.
in fact, it makes the argument (if not directly) for a concatenation of multiple schemes. I'm all for it, hybrid++.
Where did I ever make that argument? In both TFA and my previous blog post, I've made it abundantly clear that I'm pro-hybrid.
My argument is simply:
1. The claimed benefits of ECDH hybridization evaporate immediately the moment Q-Day happens. No one disputes this.
2. Harvest Now, Decrypt Later (HNDL) is the primary threat we face today during the uncertain times where we don't know if Q-Day will ever happen.
Advocating for PQ+ECC hybrids over PQ is fine. But fear-mongering about PQ in this threat model is self-defeating: Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go (and PQ+PQ+EC if you really want EC). The blog post you're commenting on says this explicitly.
I'm not anti-hybrid. I'm anti "this is an NSA ploy" bullshit. And the IETF mailing list thread I'm mentioning is stuffed with this kind of irritating conspiracy theory rhetoric. I even link to, and quote, two examples of this.
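The two comments above argue about what a hybrid actually buys you, which comes down to how the component shared secrets are combined. The following is an added illustration, not code from either commenter or from any of the linked posts: a concatenation-style combiner that feeds every component's shared secret and ciphertext into one HKDF (RFC 5869) so the derived key depends on all of them, and a helper that checks that property. The component KEMs themselves are stand-ins (random byte strings, labelled as constructed), and the names `combine_shared_secrets` and `key_depends_on_every_component` are this example's own; the point it demonstrates is that the derived key is unaffected by how many components are broken as long as at least one remains secret, which holds for PQ+EC, PQ+PQ, or PQ+PQ+EC alike.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _length_prefixed(parts) -> bytes:
    # Unambiguous encoding so that (a, b) and (a', b') with the same
    # concatenation cannot collide on the KDF input.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def combine_shared_secrets(shared_secrets, ciphertexts, label: bytes) -> bytes:
    """Hybrid combiner (this example's own construction, not a standard API).

    shared_secrets[i] and ciphertexts[i] come from the i-th component KEM.
    All secrets go into the IKM; all ciphertexts plus a protocol label go into
    the HKDF info so the key is bound to the transcript and the component order.
    """
    if len(shared_secrets) != len(ciphertexts) or not shared_secrets:
        raise ValueError("need one shared secret per ciphertext, at least one pair")
    ikm = _length_prefixed(shared_secrets)
    info = _length_prefixed([label] + list(ciphertexts))
    prk = hkdf_extract(b"\x00" * HASH().digest_size, ikm)
    return hkdf_expand(prk, info, 32)


def key_depends_on_every_component(shared_secrets, ciphertexts, label: bytes) -> bool:
    """Return True if replacing any single component secret changes the key.

    This models the hybrid guarantee: an adversary who has recovered all but
    one component secret (for instance the EC share after Q-Day) still lacks
    the input that determines the key.
    """
    reference = combine_shared_secrets(shared_secrets, ciphertexts, label)
    for i in range(len(shared_secrets)):
        altered = list(shared_secrets)
        altered[i] = secrets.token_bytes(len(shared_secrets[i]))  # stand-in for a wrong guess
        if combine_shared_secrets(altered, ciphertexts, label) == reference:
            return False
    return True


if __name__ == "__main__":
    # Constructed stand-ins: real deployments take these from the component KEMs.
    ss_pq, ct_pq = secrets.token_bytes(32), b"constructed-pq-ciphertext"
    ss_ec, ct_ec = secrets.token_bytes(32), b"constructed-ec-ciphertext"
    k = combine_shared_secrets([ss_pq, ss_ec], [ct_pq, ct_ec], b"example-hybrid-v1")
    print("derived key:", k.hex())
    print("every component matters:",
          key_depends_on_every_component([ss_pq, ss_ec], [ct_pq, ct_ec], b"example-hybrid-v1"))
```

Adding a third component (PQ+PQ+EC) is just a longer list; nothing in the combiner changes. The label and ciphertext binding in `info` is the part people tend to skip, and it is what keeps a key derived under one component set from being confused with a key derived under another.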
it wouldn't even occur to me that someone would take time addressing it without being one of those anti-hybrid people.