>So my recommendation is simple. Use Classic McEliece wherever you can. For situations where you can't, use lattices; that's higher risk, but hopefully holds up. Finally, to limit the damage in case of cryptosystem failures or software failures, make sure to roll out PQ as ECC+PQ.<p>---<p>It looks like NIST is playing shenanigans against Classic McEliece<p><a href="https://mindly.social/@cazabon/114391333897400729" rel="nofollow">https://mindly.social/@cazabon/114391333897400729</a><p>>My $0.02: it sure looks like NIST is backstopping an attempt by the NSA to get everyone to standardize on cryptography #standards that the #NSA knows how to break.<p>>Again.<p>>Yes, they did it before. If you read up on the Dual_EC calamity and its fallout, and how this time it was supposed to be different - open, transparent, secure - then prepare to be disappointed. NIST is playing #Calvinball with their rules for this contest, yanking the rug out from under contenders that appear to be more #secure and better understood, while pushing alternatives that are objectively worse (#weaker encryption, less studied, poorer #performance).<p>>Frankly, I think organizations outside of the #USA would be foolish to trust anything that comes out of #NIST's current work. Well, those inside the USA too, but some of those may be forced by law to use whatever NIST certifies.