Thoughts about Cloudflare's "State of the post-quantum internet in 2025"


Max Heiser

Dec 8, 2025, 7:33:40 AM
to pqc-...@list.nist.gov
Dear PQC forum,

I've recently come across Cloudflare's Bas Westerbaan post [1] about the post-quantum migration and especially the (candidate) general-purpose signature schemes for future use (SNOVA / MAYO / SQISign / HAWK out of the 14 schemes in round 2).
What especially caught my eye are the multiple recent attacks on multivariate schemes, particularly Lars Ran's Wedges attack on UOV [2], which hits both MAYO and SNOVA significantly; this is alarming. In addition, it seems like SQISign has real issues with obtaining a constant-time implementation, which is worrisome as well.

With all other general-purpose candidates in round 2 having their own caveats (as well as Falcon / FN-DSA), do we have a strategy to provide a backup?

Sincerely,
Max Heiser

John Mattsson

Dec 9, 2025, 2:38:22 AM
to Max Heiser, pqc-...@list.nist.gov
>With all other general-purpose candidates in round 2 having their own caveats (as well as Falcon / FN-DSA), do we have a strategy to provide a backup?

ML-DSA is the default choice. If you want to meet the 2030–2035 timelines recommended/required by governments, the only safe options are ML-DSA, SLH-DSA, XMSS, and LMS. The various ramp-on signature proposals should be viewed as future optimisations. The backup is simply to continue using ML-DSA and SLH-DSA. This aligns with Bas's statement: "We use ML-DSA-44 as the baseline, as that's the scheme that's going to see the most widespread use initially."

For non-constrained environments such as the Web, ML-DSA and SLH-DSA are viable, though their size and performance may cause issues. The situation becomes much more challenging in very constrained IoT radio systems, where today's (ephemeral-ephemeral, ephemeral-static, and static-static) ECDHE and ECDSA work well, but ML-KEM and ML-DSA are simply too large to be used at all. Disallowing ECC without standardizing viable replacements will likely lead to the use of more symmetric group keys.

Cheers,
John Preuß Mattsson

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/LAtwWsXO4-Z6Yzw9AzA-tkkEVnIsCXzaFPl7dU6mU_zEr6zut5IeEsRynWYxOubfUqZnPjAHvBNTojrxK7AFV8KtKyDgxVmJucOxnZyxqYY%3D%40protonmail.com.

Bas Westerbaan

Dec 11, 2025, 6:37:35 AM
to Max Heiser, pqc-...@list.nist.gov
On Mon, Dec 8, 2025 at 1:33 PM 'Max Heiser' via pqc-forum <pqc-...@list.nist.gov> wrote:
> Dear PQC forum,
>
> I've recently come across Cloudflare's Bas Westerbaan post [1] about the post-quantum migration and especially the (candidate) general-purpose signature schemes for future use (SNOVA / MAYO / SQISign / HAWK out of the 14 schemes in round 2).
> What especially caught my eye are the multiple recent attacks on multivariate schemes, particularly Lars Ran's Wedges attack on UOV [2], which hits both MAYO and SNOVA significantly; this is alarming.

It'd be alarming to me if we'd (want to) have them deployed in production (soon). At this point though, I'd say it's actually a good sign. Of course, ideally no new attacks are found against a scheme. But these attacks show that there have been new people thinking about these schemes and coming up with new ideas without catastrophic results. This is the process working as intended. Clearly, we are in the early stages and we need time for more cryptanalysis.

> With all other general-purpose candidates in round 2 having their own caveats (as well as Falcon / FN-DSA), do we have a strategy to provide a backup?

If you can bear its size and performance, SLH-DSA is a very conservative choice.

--