Two papers came out last week that suggest classical asymmetric cryptography might indeed be broken by quantum computers in just a few years.

That means we need to ship post-quantum crypto now, with the tools we have: ML-KEM and ML-DSA. I didn't think PQ auth was so urgent until recently.

https://words.filippo.io/crqc-timeline/

A Cryptography Engineer’s Perspective on Quantum Computing Timelines

The risk that cryptographically-relevant quantum computers materialize within the next few years is now high enough to be dispositive, unfortunately.

@filippo I am inclined to agree with @djb and to assume the NSA is pulling a DES stunt again [1]. Call me paranoid, but it seems like a safer bet.

In your blog you mention that "hybrid key exchange is reasonably easy" but hybrid authentication is not. I am way out-of-the-loop on this, could you point me to an explanation on why hybrid authentication is hard(er)?

[1]: https://blog.cr.yp.to/20251004-weakened.html

@Curve25519 @filippo Here's the obvious, straightforward hybrid ECC+PQ signature system (from, e.g., https://cr.yp.to/talks.html#2016.02.24): to sign, sign with ECC and with PQ; to verify, verify both signatures. This combiner is even fewer lines of code than typical KEM combiners.

Screwups for encryption and for signatures in some non-TLS protocols motivate _slightly_ more complicated approaches that I recommend for key exchange (Chempat) and for signatures (Mothma). TLS could use these but doesn't need to.
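The combiner @djb describes above (sign with both schemes, accept only if both signatures verify), written out as an added example in Go. This is not code from the thread or from either participant's projects. The classical half is the standard library's Ed25519. The PQ slot is filled with a second, independently keyed Ed25519 instance purely as a stand-in so the block runs with the Go standard library alone; that is an assumption, it provides no post-quantum security, and an ML-DSA implementation exposing the same Sign/Verify/SigLen shape would go there. The Scheme interface, Hybrid type and Demo function are names chosen for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Scheme is the minimal interface the AND-combiner needs from a signature
// scheme. Ed25519 and ML-DSA both have fixed-length signatures, so the
// combined signature can be split by length without extra framing.
type Scheme interface {
	Sign(msg []byte) ([]byte, error)
	Verify(msg, sig []byte) bool
	SigLen() int
}

// ed25519Scheme is the classical (ECC) half, from the Go standard library.
type ed25519Scheme struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newEd25519() (*ed25519Scheme, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ed25519Scheme{pub: pub, priv: priv}, nil
}

func (s *ed25519Scheme) Sign(msg []byte) ([]byte, error) { return ed25519.Sign(s.priv, msg), nil }
func (s *ed25519Scheme) Verify(msg, sig []byte) bool    { return ed25519.Verify(s.pub, msg, sig) }
func (s *ed25519Scheme) SigLen() int                     { return ed25519.SignatureSize }

// Hybrid is the combiner: one classical scheme, one post-quantum scheme.
type Hybrid struct {
	Classical Scheme // e.g. Ed25519
	PQ        Scheme // e.g. ML-DSA (assumed to satisfy Scheme; stand-in used below)
}

// Sign signs the message with both schemes and returns classicalSig || pqSig.
func (h Hybrid) Sign(msg []byte) ([]byte, error) {
	c, err := h.Classical.Sign(msg)
	if err != nil {
		return nil, err
	}
	p, err := h.PQ.Sign(msg)
	if err != nil {
		return nil, err
	}
	if len(c) != h.Classical.SigLen() || len(p) != h.PQ.SigLen() {
		return nil, errors.New("hybrid: component signature has unexpected length")
	}
	out := make([]byte, 0, len(c)+len(p))
	out = append(out, c...)
	return append(out, p...), nil
}

// Verify accepts only if BOTH component signatures verify, so a forger must
// break both schemes. Nothing here is secret, so evaluating both checks
// before combining them is a style choice, not a timing requirement.
func (h Hybrid) Verify(msg, sig []byte) bool {
	n := h.Classical.SigLen()
	if len(sig) != n+h.PQ.SigLen() {
		return false
	}
	okC := h.Classical.Verify(msg, sig[:n])
	okP := h.PQ.Verify(msg, sig[n:])
	return okC && okP
}

// DemoResult records what Demo observed; only Valid should be true.
type DemoResult struct {
	Valid             bool // genuine hybrid signature verifies
	ClassicalTampered bool // accepted after flipping a bit in the ECC half
	PQTampered        bool // accepted after flipping a bit in the PQ half
	ClassicalOnly     bool // accepted with the ECC signature alone
}

// flip returns a copy of sig with one bit flipped at byte index i.
func flip(sig []byte, i int) []byte {
	out := append([]byte(nil), sig...)
	out[i] ^= 0x01
	return out
}

// Demo builds a hybrid signer and exercises the combiner on a constructed
// sample message. ASSUMPTION: the PQ slot holds a second Ed25519 key as a
// stand-in so this runs offline; it is NOT post-quantum. Swap in ML-DSA.
func Demo() (DemoResult, error) {
	var r DemoResult
	classical, err := newEd25519()
	if err != nil {
		return r, err
	}
	standIn, err := newEd25519() // stand-in for an ML-DSA Scheme
	if err != nil {
		return r, err
	}
	h := Hybrid{Classical: classical, PQ: standIn}

	msg := []byte("constructed sample message") // constructed input
	sig, err := h.Sign(msg)
	if err != nil {
		return r, err
	}
	r.Valid = h.Verify(msg, sig)
	r.ClassicalTampered = h.Verify(msg, flip(sig, 0))
	r.PQTampered = h.Verify(msg, flip(sig, len(sig)-1))
	r.ClassicalOnly = h.Verify(msg, sig[:classical.SigLen()])
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The whole combiner is the Sign and Verify methods on Hybrid; the rest is plumbing. This is the plain version from the post and does not include whatever additional measures Mothma adds for the non-TLS protocol issues @djb alludes to.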