Talk Abstract
Even before the NIST PQ standards came out, Google, Cloudflare, Apple, and the Signal Foundation turned on Kyber PQ key exchange in products used by billions of users. We appear to have solved PQ confidentiality and the harvest-now-decrypt-later (HNDL) threat: you just add Kyber. The glaring omission is that everyone is postponing PQ authentication. Why does this seem so difficult? In this talk, I will go over why PQ authentication is something we cannot afford to stop thinking about. Even though it does not seem as urgent, since it is not sensitive to HNDL attacks, PQ authentication is much harder and much more expensive to achieve. Along the way, I will discuss the NIST call for additional PQ signature algorithms (and why it is probably not worth waiting for its results). Finally, we will briefly go beyond “boring” cryptography and see that even after the NIST competition, we are nowhere near able to solve all problems by “just replacing the algorithms”.