Questions: Post-Quantum Cryptography

The transition timeline matters: deploying new cryptographic standards across global infrastructure takes years. If migration starts when quantum computers arrive, the window of vulnerability extends years further. NIST and NSA recommend immediate migration planning, with hybrid deployments (classical + PQC) as the transitional approach.

Cryptographic diversity is a hedge against catastrophic assumption failure. All lattice-based schemes share related mathematical foundations — a breakthrough in lattice cryptanalysis could break them all simultaneously. Hash-based signatures rest on a completely different foundation (the security of hash functions, a much older and more conservative assumption). The tradeoff is performance: SLH-DSA signatures are ~8-50 KB and signing is slower, compared to ML-DSA's ~2.4 KB signatures and faster signing. The diversity premium justifies the performance cost.

Grover's algorithm searches an unstructured space of N items in O(sqrt(N)) quantum operations. For AES-128 with 2^128 keys, this means ~2^64 quantum operations — feasible for a large quantum computer. AES-256 requires ~2^128 quantum operations, which remains secure. The impact on symmetric crypto is quantitative (double key sizes) rather than qualitative (completely broken). This is why the PQC transition focuses on public-key algorithms, which face an existential threat.

Answer: True

Hybrid key exchange derives the shared secret by combining outputs from both algorithms (typically via a key derivation function). If ML-KEM turns out to be broken but ECDH is secure (no quantum computers), the combined key is still secure. If ECDH is broken by a quantum computer but ML-KEM is secure, the combined key is still secure. Only if both are simultaneously broken does the system fail. This belt-and-suspenders approach provides safety during the uncertain transition period where confidence in PQC schemes is still building.

SIDH's break was enabled by known mathematical connections between isogenies and abelian varieties that the cryptographic community had not fully explored. The attack used theta functions and the structure of product isogenies. It was a reminder that the security of a scheme depends on the full depth of mathematical understanding of the underlying problem — and that understanding evolves.