Comment by mswphd

I am pointing out a particular cryptographer's abysmal track record in understanding the security of PQ schemes to call into question their current criticisms of PQ schemes. They've always been (in my opinion obviously) fear-mongering in the past. None of this fear-mongering has been right. So I do not put particularly high weight on their current fear-mongering.

This is especially true because they often lie in their fear-mongering. For example, you appear to be a follower of Dan. You seem to think the argument against hybrids is an argument against hybrid KEMs. It's not. That is a lie. Even Dan's recent tirade on the TLS-WG mailing list has been against putting forward an informational RFC on ML-DSA, a (pure lattice) digital signature scheme.

Perhaps you misunderstood this, and Dan accurately described the setting he is fear-mongering over. Perhaps Dan misrepresented things again, as he has been doing for nearly a decade again. I don't particularly care either way. All that matters to me is accurate evaluation of our current options. It is exceedingly frustrating that a high-profile cryptographer seems incapable of doing this, either due to incompetence or malice.