There is no clear evidence that the risk of "a practical post quantum computer would arrive in the next 5 years" is greater than "post quantum scheme X is broken" for any scheme X. The only way to go is hybridation and it is quite hard from an engineering point apparently.
I think it is pretty direct from my comment that if you use a hybrid approach (done correctly) you can rely on the hardness of dlog based assumption and therefore my comment on potential weakness of PQ assumptions can be ruled out.
In this way we disagree that rushing PQ is the appropriate choice if it rules out dlog based security.
> He's also pointing out that the only scenario in which hybrid is of benefit is one in which crypto related QC remains either relatively ineffective or extremely expensive in the medium term. Since that assumption is looking increasingly suspect it calls into question the point of hybrid to begin with. In the face of cheap QC hybrid adds zero value.
This is exactly what I'm pointing out as extremely dangerous. My take was that the risk of seeing a quantum computer breaking dlog in a near future isn't stronger than breaking PQ assumptions in a near future.
He is assessing that the risk of seeing a quantum computer break dlog cryptography is stronger than the risk of having post quantum assumptions broken, in particular for lattices.
One can always debate but we have seen more post quantum assumptions break during the last 15 years than we have seen concrete progress in practical quantum factorisation (I'm not talking about the theory).
Indeed anti-hybrids arguments are very dangerous takes at best. People are putting a tremendous amount of faith in very understudied assumptions, in particular given the complexity of geometric relations and the structure of current lattice based scheme.
I think people have to be extremely careful with this kind of opinion.
In particular seeing such a push for post-quantum crypto while the current state of the art for quantum factorisation is 15 and 21 and the fact that current assumptions (for KEM in particular) are clearly not as studied as dlog.
It's maybe good to remember that SIDH was broken in polynomial time by a classical computer 3 years ago...
I'm really concerned by the current rush for PQ solutions and what are the real intentions behind it.
On a side note there might even be a world where a powerfully enough quantum computer that break 2048 bigs RSA will never exists (Hooft, Palmer... Recent quantum gravity theory).
The anti-privacy movement in Europe is really concerning.
In particular as general population don't really care about it, we are going toward some major shifts.
I'm wondering though how this radical turn was initiated and if some lobbies are pulling the strings behind the scene...
I think you are mixing the function itself and it's output, if for a given input to the function the output is uniformly random, then this is a way to derive randomness. The fact that the function itself is deterministic tells you nothing about the distribution of it's output.
He is technically not wrong, most signatures can be seen has a public coin interactive proof system where you prove knowledge of a private key.
They are then compiled into an non-interactive proof system via the Fiat-Shamir transform that uses a random oracle concretely instantiated using a hash function (easy to see in Schnorr signature).
So at the end you are using a Hash function to generate your random coin.
Hash functions are used to instantiate a random oracle (which is a theoretical object that can't be instantiated because it would be of infinite size but makes it easy to reason about) because it doesn't seems crazy as an assumption that if finding a collision between 2 hashes is hard it should be hard to predict the output of the so called hash function. However it is well known that there was some contrive counter example for protocols that are secure under the Random Oracle model and unsecure when instanciated with any hash function. The problem with this paper is that the protocol it described isn't so contrive anymore.
Cryptography is a matter of assumptions and what you believe in or not. You might want to not use random oracle but you will therefore have to restrict yourself in what you can concretely build.
And the reason behind the problem outlined in the paper isn't a biased randomness problem but the fact that you can represent the hash function compared to a RO.