Unfortunately, in Post Quantum land, the same truth doesn’t hold, as primitives like hash chains/trees and noisy lattices don’t inherit the mathematical symmetry and structure that EC groups give us.
One implication of this is that there isn’t any one post-quantum cryptosystem that can give us everything we need in terms of functionality. As a result, it’s likely the case that we’ll end up shipping not one, not two, but likely three different cryptosystems to just achieve even the baseline functionality that we have today with ECC (ML-KEM for transport, ML-DSA for off-chain signatures, and SLH-DSA for on-chain signatures).
Seems like Bitcoin cryptography has been on easy mode.
Also, there is this about combining post quantum cryptography with classical:
Instead of switching over wholesale to PQC, we can actually hedge a bit instead. Hybrid Post Quantum cryptography combines classical and post quantum cryptography in a way that if either of the schemes is secure the final scheme is still secure. After all, maybe the PQ schemes are the ones that are broken in the future. Alternatively perhaps the classical schemes fall not due to a quantum computer, but some other cryptanalysis innovation.
As we’ll see below, other than for onion routing, the other areas can be hybridized in a gradual manner with new TLVs or existing version extension fields. We could add these hybrid keys as optional TLVs today, validate them as normal, then only in the future would we reject messages that didn’t include the PQ capsules/signatures.
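As an added example (not code from the quoted post or from any Lightning implementation), here is what the "optional TLV today, mandatory later" policy and a concatenation combiner for the classical and PQ shared secrets could look like. The TLV encoding, the type numbers, and the ECDH/ML-KEM stand-in functions are constructed for illustration only.

```python
import hashlib
import hmac
import struct

# Constructed TLV type numbers for this example, not BOLT assignments.
TLV_CLASSICAL_KEY = 1  # EC public key: required today
TLV_PQ_CAPSULE = 2     # PQ KEM ciphertext: optional now, mandatory later

def encode_tlv(t: int, value: bytes) -> bytes:
    # Simplified TLV record (constructed encoding): u8 type, u16 BE length, value.
    return bytes([t]) + struct.pack(">H", len(value)) + value

def parse_tlvs(data: bytes) -> dict:
    """Strict TLV parse: reject truncated records and duplicate types."""
    out, i = {}, 0
    while i < len(data):
        if i + 3 > len(data):
            raise ValueError("truncated TLV header")
        t, ln = data[i], struct.unpack(">H", data[i + 1:i + 3])[0]
        i += 3
        if i + ln > len(data):
            raise ValueError("truncated TLV value")
        if t in out:
            raise ValueError(f"duplicate TLV type {t}")
        out[t] = data[i:i + ln]
        i += ln
    return out

def combine_secrets(ss_classical: bytes, ss_pq, transcript: bytes) -> bytes:
    """Concatenation combiner: HMAC over ss_classical || ss_pq, keyed by a mode label plus the
    full message, so both secrets are needed and classical-only keys never collide with hybrid ones."""
    label = b"hybrid-v1" if ss_pq is not None else b"classical-v1"
    return hmac.new(label + transcript, ss_classical + (ss_pq or b""), hashlib.sha256).digest()

def derive_session_key(msg: bytes, pq_required: bool, classical_dh, pq_decaps):
    """Migration policy: accept a missing PQ capsule only while pq_required is False."""
    tlvs = parse_tlvs(msg)
    if TLV_CLASSICAL_KEY not in tlvs:
        raise ValueError("missing classical key TLV")
    ss_c = classical_dh(tlvs[TLV_CLASSICAL_KEY])
    capsule = tlvs.get(TLV_PQ_CAPSULE)
    if capsule is None:
        if pq_required:
            raise ValueError("peer omitted PQ capsule but policy requires it")
        return "classical", combine_secrets(ss_c, None, msg)
    return "hybrid", combine_secrets(ss_c, pq_decaps(capsule), msg)

# Constructed stand-ins for ECDH and ML-KEM decapsulation; real code calls the libraries.
def fake_dh(peer_pub: bytes) -> bytes:
    return hashlib.sha256(b"ecdh:" + peer_pub).digest()
def fake_decaps(capsule: bytes) -> bytes:
    return hashlib.sha256(b"mlkem:" + capsule).digest()
```

Flipping `pq_required` to True is the point at which a node starts rejecting peers that still send only the classical key.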