possible complete break of post quantum key exchange? eprint.iacr.org/2022/975

Interesting

endogenic: Yeah, it's been everywhere. It's solely SIDH and there's already workarounds and discussions on it.

The workaround is a trusted setup. While that wouldn't be secure, of course, it's possible for Alice to generate the curve ad hoc. By having one of the trusted participants do the trusted setup, there's no extension of trust.

There's still a reduction in security even with a trusted setup however, so it unfortunately seems like we'll be moving on from SIDH. It wasn't a NIST selection though and there's still plenty of other schemes.

Rainbow was also nuked a while ago.

Funny that some of these things fall long before we have any working quantum computers. Progress :)

All current discussions around PQ deployment are combined with classical deployment due to the difficulties with PQ

I'd personally want a Ristretto + Kyber + NTRU key exchange 👀 It'd at least be as secure as the standard Ed25519 key exchange, yet also have two quantum offerings. Probably just Kyber would work but NTRU has benefits.

If the final round has a pre commit, it shouldn't be possible to allow one algorithm to bias the overall seed either, which is a known attack on reseedable RNGs (albeit one with a variety of preconditions).

IIRC NTRU is patended up the wazoo.