科技回声 (Tech Echo), a Next.js-based tech news platform mirroring Hacker News. © 2025 科技回声. All rights reserved.

NIST’s Post-Quantum Cryptography Standards

42 points, by stargrave, almost 3 years ago

4 comments

mustache_kimono, almost 3 years ago

Heart of his argument is this, with which I absolutely agree:

> "The moral is the need for cryptographic agility. It's not enough to implement a single standard; it's vital that our systems be able to easily swap in new algorithms when required. We've learned the hard way how algorithms can get so entrenched in systems that it can take many years to update them: in the transition from DES to AES, and the transition from MD4 and MD5 to SHA, SHA-1, and then SHA-3."

Although, personally, I am more supportive of the OpenVPN model (many standards to choose from, including older algos, maybe too much choice) compared to the Wireguard model (one set of well-thought-of defaults, no choice), one has to ask: aren't they both wrong? Isn't the correct model high flexibility, while relentlessly deprecating and *removing* older standards, and, maybe, a clear nudge towards sensible default choices ("X recommends the following algos in 2022...")?

Obviously crypto is super hard. But the 'problem of agility' seems like a software engineering problem, not a hard crypto theoretical or implementation issue.

[Comment #32386936 not loaded]
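The "flexibility plus relentless deprecation plus a nudged default" model the comment above describes is, as it says, mostly a software engineering problem, and it can be shown in a few dozen lines. The following is an added example, not code from the original thread, from Schneier's post, or from any NIST, OpenVPN or WireGuard project. It uses HMAC over hashlib digests only because the standard library has them; the policy table (which algorithms are recommended, merely allowed, deprecated to verify-only, or removed outright) is a hypothetical one chosen for illustration, not anyone's published recommendation. The three mechanisms that matter are: one policy table consulted everywhere, a self-describing envelope so the algorithm identifier travels with the data, and a verify path that still reads deprecated tags but tells the caller to re-tag them with the current default.

```python
"""Algorithm agility as an engineering pattern: a single policy table,
self-describing tags, and negotiation that can only pick what policy allows.
Added example; statuses below are hypothetical, not an official recommendation.
"""
import hmac
from enum import Enum


class Status(Enum):
    RECOMMENDED = "recommended"  # the default for anything newly produced
    ALLOWED = "allowed"          # negotiable, but not the default
    DEPRECATED = "deprecated"    # may be verified/read, never produced
    REMOVED = "removed"          # refuse even to verify


# The one place that answers "what is X's recommended list this year?".
# Hypothetical statuses for illustration only.
HASH_POLICY = {
    "sha3-256": Status.ALLOWED,
    "sha256": Status.RECOMMENDED,
    "sha1": Status.DEPRECATED,
    "md5": Status.REMOVED,
}
# Our preference order when negotiating with a peer.
PREFERENCE = ["sha256", "sha3-256", "sha1"]
# Mapping from our identifiers to hashlib's names.
HASHLIB_NAMES = {"sha3-256": "sha3_256", "sha256": "sha256",
                 "sha1": "sha1", "md5": "md5"}


class AlgorithmRejected(ValueError):
    """Raised when policy forbids producing or verifying with an algorithm."""


def default_alg():
    """The single RECOMMENDED algorithm; the nudge towards a sensible choice."""
    return next(a for a, s in HASH_POLICY.items() if s is Status.RECOMMENDED)


def negotiate(peer_offers):
    """Pick the first of our preferences the peer also offers and that policy
    lets us produce with. A peer offering only deprecated algorithms gets
    refused rather than quietly downgraded."""
    for alg in PREFERENCE:
        if alg in peer_offers and HASH_POLICY.get(alg) in (Status.RECOMMENDED, Status.ALLOWED):
            return alg
    raise AlgorithmRejected("no mutually acceptable algorithm")


def tag(key, msg, alg=None):
    """Produce a self-describing 'alg:hexmac' envelope. Deprecated and removed
    algorithms cannot be used to make new tags, whatever the caller asks for."""
    alg = alg or default_alg()
    status = HASH_POLICY.get(alg)
    if status not in (Status.RECOMMENDED, Status.ALLOWED):
        raise AlgorithmRejected(f"{alg} may not produce new tags (status: {status})")
    mac = hmac.new(key, msg, HASHLIB_NAMES[alg]).hexdigest()
    return f"{alg}:{mac}"


def verify(key, msg, envelope):
    """Return (valid, needs_retag). Deprecated algorithms still verify so old
    data stays readable, but the caller is told to re-tag with the default.
    Removed algorithms are refused outright: that is the 'removing' step."""
    alg, _, mac = envelope.partition(":")
    status = HASH_POLICY.get(alg)
    if status is None or status is Status.REMOVED:
        raise AlgorithmRejected(f"{alg} is removed or unknown; refusing to verify")
    expected = hmac.new(key, msg, HASHLIB_NAMES[alg]).hexdigest()
    return hmac.compare_digest(expected, mac), status is Status.DEPRECATED


def demo():
    """Walk through the lifecycle with constructed inputs; returns the outcomes."""
    key, msg = b"constructed-demo-key", b"constructed message"
    fresh = tag(key, msg)                        # uses the recommended default
    # A legacy tag written before sha1 was deprecated (built directly here,
    # since tag() rightly refuses to produce one now).
    legacy = "sha1:" + hmac.new(key, msg, "sha1").hexdigest()
    results = {
        "fresh_alg": fresh.split(":")[0],
        "fresh_ok": verify(key, msg, fresh),
        "legacy_ok": verify(key, msg, legacy),   # valid, but flagged for re-tag
        "negotiated": negotiate({"sha1", "sha3-256"}),
    }
    try:
        negotiate({"sha1"})                      # peer only speaks deprecated
        results["sha1_only_peer"] = "accepted"
    except AlgorithmRejected:
        results["sha1_only_peer"] = "rejected"
    try:
        verify(key, msg, "md5:" + "0" * 32)      # removed algorithm
        results["md5_verify"] = "accepted"
    except AlgorithmRejected:
        results["md5_verify"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Deprecating an algorithm here is a one-line change to the table, and the verify path surfaces every tag that still uses it, which is the inventory you need before flipping it to REMOVED. The part no table can solve is data at rest that was never re-tagged; that is exactly the entrenchment the quoted paragraph warns about.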
dangerface, almost 3 years ago

> Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible.

We don't know what quantum computers exist in the hands of powerful adversaries like state actors, as they do not openly share this information. Schneier even admits this later on.

> This represents the first time a national intelligence organization has published a cryptanalysis result in the open literature.

Given how much control the NSA has over NIST when defining standards, the NSA and NIST's consistent history of intentionally weakening their standards, and the current secrecy around NIST and NSA collaboration, especially when it comes to the NIST PQ competition, there is very good reason to believe that these cryptographic primitives are all compromised.

[Comment #32388541 not loaded]
zeckalpha, almost 3 years ago

> EDITED TO ADD: One of the four public-key encryption algorithms selected for further research, SIKE, was just broken.

Yikes. I'm sure these first-generation algorithms have pushed things forward, but we need another round of evaluation soon, I suspect.
sitkack, almost 3 years ago

> It's a good process, mostly because NIST is both trusted and trustworthy.

Is it?