A cryptographer shares their nuanced stance on hybrid post-quantum constructions. They strongly favor hybrid KEMs (such as X-Wing, which combines ML-KEM-768 and X25519) because of the "harvest now, decrypt later" threat model, but explicitly oppose hybrid signatures, since no analogous attack exists for them. The post argues that lattice cryptography is not as new as critics claim (NTRU dates to 1997), that the NIST standardization process was rigorous, and that ML-DSA is actually safer than ECDSA in practice because of its resistance to nonce reuse and fault attacks. The author concludes by preferring ML-DSA-44 over Ed25519 in current projects, while acknowledging that hybrid KEMs serve a psychological safety role that aids adoption.

Table of contents

- Soatok's Stance on Hybrid PQC
- Psychological versus Cryptographic Security
- Closing Thoughts