Hybrid Constructions: The Post-Quantum Safety Blanket

The funny thing about safety blankets is they can double as stage curtains for security theater.

Art: CMYKat

"When will a cryptography relevant quantum computer exist?" is a question many technologists are pondering as they stare into crystal balls or entrails. Two people I admire recently made a public long bet about that question, with a $5000 donation to charity as stakes.

http://soatok.blog/2026/04/13/hybrid-constructions-the-post-quantum-safety-blanket/

Dhole Moments
@soatok The singular other advantage EdDSA has over ML-DSA is signature size. Even more so if you have to send over the public key as well. But the problems where you have such extreme size constraints *and* require signatures over e.g. MACs are pretty rare to begin with, so it's definitely the nichest of advantages. So yeah, ML-DSA all the way ^^

@dequbed I'm excited for SQIsign (or whatever future iteration of it survives NIST)

@soatok Could you elaborate a bit on why 44 and not 87? If it's for non-group DMs and Identities I would expect max security, but I know nothing, hence the question.

@ex_06 There's a trade-off between bandwidth and security and I think 44 is the right parameter set for my purposes.

87 is for CNSA 2.0, but I don't listen to the NSA.

@soatok when I see “ML-DSA” I think of various Marxist factions in US politics lol
@soatok WAT. He linked entrails? I had to click it. I was not disappointed. 
@soatok One argument for hybrids that came up when looking into PQ signatures at work (for firmware updates specifically) is that they offer a way out when you need to store your keys in an HSM for compliance reasons, but also want to start including PQ signatures (which aren't widely supported in HSMs yet) right now - if only to make sure the joints of your implementation stay oiled.
@23n27 That's a threat model- and use case-specific corner case, not the general case.