I’m very surprised that folks are still building critical security software like this while making elementary mistakes like not using constant time operations. This is a class of vulnerability almost as old as I can remember.
There was a post a few days ago about how the NSA is wrong in not recommending hybrid quantum+classical cryptography algorithms [0].<p>And here is Mullvad, using two quantum algorithms together, presumably on top of classical cryptography.<p>> We use two quantum-secure key encapsulation mechanisms (Kyber and Classic McEliece) and mix the secrets from both. This means that both algorithms must have exploitable vulnerabilities before the security of the VPN tunnel can become affected.<p>[0] <a href="https://news.ycombinator.com/item?id=38844117">https://news.ycombinator.com/item?id=38844117</a>