> This is the thing I don't understand about (a superficial interpretation of) anarchists
I think most superficial interpretations of anarchists are based on edgy LARPers rather than real political ideology.
Fun fact: Anarchy means "without rulers", not "without laws" or "without social order". There's a wide diversity of political thought under this umbrella, but the key underlying common denominator is (on some level, at least) a rejection of hierarchy (and often a rejection of capital).
Though it's fun to imagine what the philosophical and political beliefs that underpin a colloquial understanding of the word might look like, the answer is usually simply: Teenagers.
Maybe don't be so dismissive of that which you lack a thorough understanding.
Recommend reading "Against the State" by James Stout, wherein he describes the history of various Anarchist societies, including Barcelona during Spanish fascism, Myanmar where they are very successfully fighting the junta which wrested control from their civilian government, and Rojava where he personally visited and gives a firsthand account.
Understood, I apologize for my misconception of your assertion. Mass media, of course, is only too happy to cultivate such misconceptions on the part of the public.
They can't address it because nobody knows the answer yet. That's why their plans https://letsencrypt.org/2026/06/03/pq-certs#our-plans are to work with experts to solve the engineering challenges in the coming years, rather than announce a gift-wrapped solution today.
If this fear of yours is particularly poignant, I invite you to share it with the forum so they have it in writing. It makes it easier for them to consider it as they work on a solution.
There is nothing answered in there. Just "It'll be fine" and vague pointing at unrelated ECC vulnerabilities in some libs. It totally lacks any rational arguments.
the rational argument is that this time is not particularly worse than prior transitions, and arguably is one we are doing much more clear-eyed (think about all the ECC vulnerabilities during their first few years of deployment due to not knowing how to "pick safe curves". The analogous issue for standardized NIST PQ schemes is understood very well). So the hysteria around the transition, from an expert's perspective, is misplaced.
This doesn't guarantee things will work. In cryptography there are no guarantees. In particular, failing to transition fast enough can also lead to vulnerabilities (by this I mean quantum attacks. Cryptographers are increasingly worried this may happen very soon. I've seen some estimate as soon as 2030). So there is an underlying tension in changing, and also a clear worry about not changing.
nsa & eu pushing for something to change proven algorithms makes me personally automatically distrustful as both are highly rotten bad actors. i have no knowledge, nor time to eval. (and probably few people do)
all i am saying is there is no good reason to deprecate proven algs, especially not because those two institutions said so.
> nsa & eu pushing for something to change proven algorithms makes me personally automatically distrustful as both are highly rotten bad actors.
Who do you trust, then?
> i have no knowledge, nor time to eval. (and probably few people do)
If you do not have the expertise nor time to evaluate technical claims, how do you hope to arrive at correct technical conclusions?
Surely, you'd trust experts in that case? Like the experts that were involved in a multi-year international standardization effort? Like the one that produced ML-KEM and ML-DSA?
Or do you just balk at experts and "trust no one" even to your own detriment?
> If you do not have the expertise nor time to evaluate technical claims, how do you hope to arrive at correct technical conclusions?
>
> Surely, you'd trust experts in that case? Like the experts that were involved in a multi-year international standardization effort? Like the one that produced ML-KEM and ML-DSA?
>
> Or do you just balk at experts and "trust no one" even to your own detriment?
what detriment? there is no quantum threat, it is made up. at least not in the discussed timelines.
besides, experts are cheap and compromisable, especially for the nation state level bodies like nsa and eu.
it's not just those two institutions. South Korea is running their own standardization currently, and fundamentally similar algorithms are expected to win (some more modern insights might be incorporated, due to starting >=5 years after the NIST standardization did, but still).
The Chinese Academy of Science made their own professional recommendation to the Chinese government a few years ago to use fundamentally similar schemes. The Chinese government this year is planning to start on their own standardization. Again, it is expected they will use fundamentally similar schemes.
The German BSI has suggested their own schemes as well, which are fundamentally similar (they suggested unstructured lattices, which is mildly different. They've also made some incompetent suggestions regarding quantum networking though iirc, so it might be a BSI-specific quirk).
Cryptographers are paranoid by default. It's really the only reasonable way to evaluate things competently. Even among the paranoid though, there's been no plausible argument suggested that something bad is happening with the PQ transition. People will point various fingers, for example
1. a backdoor! Except we can typically detect the possible presence of a backdoor, and nobody has suggested anything despite the designs being fundamentally fixed over the last 15 years (again, except the "one obvious" possible backdoor of standardizing an ML-KEM lattice, which was decided against for this reason), or
2. lattice-based problems are classically weak! There is no publicly visible reason to suspect this. One might then conjecture that they're weak in only a way a nation-state can detect/exploit. Then it would be very weird that it appears that both the US and China will both adopt lattice-based schemes.
It takes more to be a competent cryptographer than to be blindly paranoid. There have been zero credible reasons presented though, and the cryptographic community has been looking into these problems and constructions for well over a decade now.
That's not what you said. You said that the algorithms were "very likely backdoored", despite the fact that neither NSA nor the EU had any hand in actually designing them.
I'm not here to defend the NSA as it's treaded on liberties and rights countless times so far.
But understand this:
YES they have a vested interest in harvesting all of your private data for surveillance.
That doesn't mean they DON'T have a vested interest in safeguarding their own data and that of other gov't agencies.
They need the co-operation of the academic community and top cryptography experts to accomplish this. They cannot safeguard their own data or other agencies' data without publishing reports on what works and what doesn't.
So either they risk leaking the encryption algorithms that work for them by hiding them and only sharing the backdoored ones with the public, which is a violation of [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle) and a massive risk.
Or they simply cooperate with experts and publish algorithms that work for both them and everyone else.
> Refreshing! Not wanting to be the "told you so" guy,
> This is a problem that I have met so many times talking with people: they parrot the "Harvest-Now-Decrypt-Later is the only urgent problem, signatures can wait" mantra, and this piece of misinformation has spread so much that even AI repeats it (because it has been trained on open data, where the overwhelming sentiment has been following this trend), thereby reinforcing the problem. Ask Claude/ChatGPT/Gemini about the problem, and they will invariably tell you that signatures are less urgent because they are not subject to retroactive compromise.
I can't speak to public sentiment, but the stance I've held for years was roughly:
HNDL is more urgent because people are already encrypting messages today that could be decrypted in the future if a quantum computer is ever built in the foreseeable future, and that harms their privacy for the entirety of human history until PQC is rolled out.
That's not the same as "authentication doesn't matter at all". It was, if you must pick a problem to solve today, this one will stop the bleeding sooner.
But they were always both important to solve. The question was whether we could delay PQ auth until better signature algorithms were deployed. The Google/Cloudflare 2029 decision signaled to the rest of us: "No, we need to start the migration now."
Yes, totally agreed, but the problem is that most people tend to simplify this as "let's just bother with PQ encryption, forget about signatures". I know experts can handle the nuance, but execs and most industry folks can't. Or, at least, this is the trend that I have personally observed countless times; maybe I was just unlucky with my data points, but I have seen this in "technical" settings as well (case in point: GnuPG prioritized inclusion of PQ hybrid encryption, to the point of rushing the standard against OpenPGP, the well-known "GnuPG schism", but I'm not aware of concrete plans for PQ signature adoption there).
I agree. If we're going to rally the industry to do the work, it should be the whole work in one shot. Any given project/infrastructure that implements both encryption and signing should adopt ML-DSA/SLH-DSA at the same time as ML-KEM, or at least in immediate succession.
My concern is that PQC is having a bit of a Y2K moment, and undercapitalizing on that sense of urgency may risk letting PQ signatures drag on for ages like IPv6. "We need $X engineering budget for PQC" is easy to understand, but "we need $X for PQ encryption now and $Y for PQ signing at some undefined future time" is murkier and may require getting into the weeds on cryptographic concepts and speculative CRQC timelines with non-expert stakeholders.
One of the biggest challenges with the signatures currently standardized is the signature + public key sizes. Demanding we hybridize both just maximizes the pain, and there's no real incentive for this.
Use ML-DSA-44. Don't combine it with other crap. It's good enough.
For KEMs, X-Wing (mlkem768x25519) is great, but ML-KEM-768 and ML-KEM-1024 are also fine on their own. Hybrids are the path of least resistance here, so I prefer them, but have no concerns over ML-KEM's security.
I wasn't implying that the two should be hybridized. I think both are great options to have in our toolkit. For example, in Cyph I chose ML-DSA for end user signing keys + certificates and SLH-DSA for code signing.
No worries, thanks for sharing that post anyway! Another post of yours[1] turned out to be a useful resource for me not too long ago, and the artwork is pretty entertaining.