You can install solar panels over areas that are already developed — rooftops (lol), parking garages, highways, and so on. Some agricultural land even benefits from being covered by solar panels. This has great potential and was first researched in the United States. China is covering water reservoirs with solar panels, which has the additional positive effect of reducing evaporation. And then there is the incredibly large amount of energy that the North Sea, far from any beaches or islands, could provide in consistent wind energy.
I have my doubts about short and medium term feasibility, and much more importantly storage and adapting carbon-based industrial processes.
But yes, if all it took was 5% of landmass (which also doesn’t get permanently unusable nor polluted), I’d say that would be a pretty good deal, yeah. This is significantly less than what’s used for livestock farming, to put it into perspective.
Realistically, I don’t think we’ll solve storage fast enough to be able to afford zero nuclear power in Europe.
And of course, you can combine those things sometimes - I've seen cattle munching on grass under solar panels in Baden-Württemberg (state just west of Bavaria).
IIUC "chip" is just a token that represents money, they are not necessarily "fair", they are not good to be tossed.
I imagine a parallel world where chips are shaped like empty cones, so they can be piled but they are very bad as a D2. (Perhaps a world where chips are shaped like cubes is more realistic, also bad as D2.)
He said "a whole civilization will die tonight, never to be brought back again." To me that sounds more like a threat to destroy a civilization than an announcement that the US will be targeting specific parts of Iranian infrastructure, but maybe you are better at reading between the lines than I am.
> We don’t know which infrastructure he wants to attack
I think you may be living under a rock. He has announced multiple times that he wants to go after oil processing, power plants, desalination plants, and bridges. His threat for today's deadline (made last week) is to destroy every power plant and bridge in the country.
Yes, and? That changes exactly nothing about the argument, he still threatened genocide. If someone threatens to kill you, you give them a cookie and they relent ("for now"), that doesn't magically change the past and make it so they didn't threaten to kill you, but instead asked for a cookie.
You are the only one making fake arguments. The threat was explicitly to destroy 'a civilization', which nobody but yourself considers equivalent to 'infrastructure'. Ply your lame rhetorical fallacies elsewhere.
> Genocide is very clear intent to destroy a people.
"a whole civilization will die tonight, never to be brought back again."
where is the intent ambiguous to you? are you just one of those that says Trump blusters big to force negotiations? otherwise, he's quite clearly said that he wants to eliminate "a whole civilization" which is exactly what genocide is. not really sure how you can be confused on this other than willingly so
He did exactly that and succeeded. Read his book The Art of the Deal, in which he says that is precisely his strategy. Historically this is what he does every single time.
He succeeded in opening a strait that was open a month ago in exchange for higher gas prices, destroying a nuclear program he himself said was already destroyed a year ago, killing an 86-year-old leader who would be dead in a couple of years anyway, no regime change, billions of dollars wasted, and dead American soldiers.
Genocide literally means killing a nation, and that's what Trump is threatening. If he achieves those aims by destroying vital infrastructure, it's just as much genocide as if he does it by any other means.
Article IIc of the Genocide Convention would likely cover that particular case, but I'll note that that's just your reading of it - Trump hasn't actually given specifics.
What he definitely has done, though, is make a clear statement of intent. And, historically, the most difficult part in proving genocide has been with demonstrating intent. Trump's just made that bit easy.
there are no meaningful questions. The only way there are meaningful questions is if you think global cryptographers + governments are part of a cabal to build insecure schemes. The new schemes use
1. cryptography developed across the world,
2. the actual schemes were overwhelmingly by European authors
3. standardized by the US
4. other countries' standardizations have been substantially similar (e.g. the ongoing Korean one, the German BSI's recommendations. China's CACR [had one with substantially similar schemes](https://www.sdxcentral.com/analysis/china-russia-to-adopt-sl...). Note that this is separate from a "standardization", which sounds like it is starting soon).
In particular, given that China + the US ended up with (essentially the same) underlying math, you'd have to have a very weird hypothetical scenario for the conclusion to not be "these seem secure", and instead "there is a global cabal pushing insecure schemes".
There are not in fact meaningful questions about whether the settled-on PQC constructions are secure, in the sense of "within the bounds of our current understanding of QC".
Didn't one of the PQC candidates get found to have a fatal classical vulnerability? Are we confident we won't find any future oopsies like that with the current PQC candidates?
The whole point of the competition is to see if anybody can cryptanalyze the contestants. I think part of what's happening here is that people have put all PQC constructions in a bucket, as if they shared an underlying technology or theory, so that a break in one calls all of them into question. That is in fact not at all the case. PQC is not a "kind" of cryptography. It's a functional attribute of many different kinds of cryptography.
The algorithm everyone tends to be thinking of when they bring this up has literally nothing to do with any cryptography used anywhere ever; it was wildly novel, and it was interesting only because it (1) had really nice ergonomics and (2) failed spectacularly.
SIKE made it all the way to round 3. It failed spectacularly, but it happened rather abruptly. In one sense it wasn't surprising because of its novelty, but the actual attack was somewhat surprising--nobody was predicting it would crumble so thoroughly so quickly. Notably, the approach undergirding it is still thought secure; it was the particular details that caused it to fail.
It's hubris to say there are no questions, especially for key exchange. The general classes of mathematical problems for PQC seem robust, but that's generally not how crypto systems fail. They fail in the details, both algorithmically and in implementation gotchas.
From a security engineering perspective, there's no persuasive reason to avoid general adoption of, e.g., the NIST selections and related approaches. But when people suggest not to use hybrid schemes because the PQC selections are clearly robust on their own, well then reasonable people can disagree. Because, again, the devil is in the details.
The need to proclaim "no questions" feels more like a reaction to lay skepticism and potential FUD, for fear it will slow the adoption of PQC. But that's a social issue, and imbibing that urge may cause security engineers to let their guard down.
What's your point? SIKE has literally nothing to do with MLKEM. There is no relationship between the algorithms. Essentially everybody working on PQC, including Bernstein himself, has converged on lattices, which, again, were a competitor to curves as a successor to RSA --- they are old.
SIKE: not lattices. Literally moon math. Do you understand how SIKE/SIDH works? It's fucking wild.
I'm going to keep saying this: you know the discussion is fully off the rails when people bring SIKE/SIDH into it as evidence against MLKEM.
You may not have any questions about the security of ML-KEM, but many people do. See, for example, DJB's compilation of such doubts from the IETF WG: https://blog.cr.yp.to/20260221-structure.html
These doubts may not be the kind curious onlookers have in mind, but to say there are no doubts among researchers and practitioners is a misrepresentation. In fact, you're flatly contradicting what DJB has said on the matter:
> SIKE is not an isolated example: https://cr.yp.to/papers.html#qrcsp shows that 48% of the 69 round-1 submissions to the NIST competition have been broken by now.
Unqualified assurances are what you hear from a salesman. You're trying to sell people on PQC. There's no reason to believe ML-KEM is a lemon, but you're effectively saying, "it's the last KEX scheme we'll ever need", and that's just not honest from an engineering point of view, even if it's what people need to hear.
I think you just gave away the game. To the extent I believe a CRQC is imminent, I suppose I am "trying to sell people on PQC". But then, so is Daniel Bernstein, your only cryptographically authoritative cite to your concern. Bernstein's problem isn't that we're rushing to PQC. It's that we didn't pick his personal lattice proposal.
And, if we're on the subject of how trustworthy Bernstein's concerns are, I'll note again: in his own writing about the potential frailty of MLKEM, he cites SIKE, because, again, he thinks you're too dumb to understand the difference between a module lattice and a generic lattice.
Finally, I'm going to keep saying this until I don't have to say it anymore: PQC is not a "kind" of cryptography. It doesn't mean anything that N% of the Round 1 submissions to the NIST PQC Contest were cryptanalyzed. Multivariate quadratic equation cryptography, supersingular isogeny cryptography, and F_2^128 code-based cryptography are not related to each other. The point of the contest was for that to happen.
Yeah I get that, what I am really asking is that I know in my field, I can quickly get a vibe as to whether certain new work is good or not so good, and where any bugaboos are likely to be. For those who know PQC like I know economics, do they believe at this point that the algorithms have been analyzed successfully to a level comparable to DH or RSA? Or is this really gonna be a rush job under the gun because we have no choice?
Lattice cryptography was a contender alongside curves as a successor to RSA. It's not new. The specific lattice constructions we looked at during NIST PQC were new iterations on it, but so was Curve25519 when it was introduced. It's extremely not a rush job.
The elephant in the room in these conversations is Daniel Bernstein and the shade he has been casting on MLKEM for the last few years. The things I think you should remember about that particular elephant are (1) that he's cited SIDH as a reason to be suspicious of MLKEM, which indicates that he thinks you're an idiot, and (2) that he himself participated in the NIST PQC KEM contest with a lattice construction.
Bernstein's ego is at a level where he thinks most other people are idiots (not without some justification), that's been clear for decades. What are you hinting at?
I'm not saying anything about his ego or trying to psychoanalyze him. I'm saying: he attempted to get a lattice scheme standardized under the NIST PQC contest, and now fiercely opposes the standard that was chosen instead.
It's the same situation with classical encryption. It's not uncommon for a candidate algorithm [to be discovered ] to be broken during the selection process.
Why don't you go ahead and pick out the attacks in here that you think are relevant to this conversation? It can't be on me to do that, because obviously my subtext is that none of them are.
they're almost assuredly talking about two things (maybe 3 if they really know what they're talking about, but the third is something that people making this argument like to pretend doesn't exist).
1. the main "eye catching" attack was the [attack on SIDH](https://eprint.iacr.org/2022/975.pdf). it was very much a "thought to be entirely secure" to "broken in 5 minutes with a Sage (python variant) implementation" within ~1 week. Degradation from "thought to be (sub-)exp time" to "poly time". very bad.
2. the other main "big break" was the [RAINBOW attack](https://eprint.iacr.org/2022/214.pdf). this was a big attack, but it did not break all parameter sets, e.g. it didn't suddenly reduce a problem from exp-time to poly-time. instead, it was a (large) speedup for existing attacks.
anyway, someone popular among some people in tech (the cryptographer Dan Bernstein) has been trying (successfully) to slow the PQC transition for ~10 years. His strategy throughout has been complaining that a very particular class of scheme ("structured LWE-based schemes") are suspect. He has had several complaints that have shifted throughout the years (galois automorphism structure for a while, then whatever his "spherical models" stuff was lmao). There have been no appreciable better attacks (nothing like the above) on them since then. But he still complains, saying that instead people should use
1. NTRU, a separate structured lattice scheme (that he coincidentally submitted a scheme for standardization with). Incidentally, it had [a very bad attack](https://eprint.iacr.org/2016/127) ~ 2016. Didn't kill PQC, but killed a broad class of other schemes (NTRU-based fully homomorphic encryption, at least using tensor-based multiplication)
2. McEliece, a scheme from the late 70s (that has horrendously large public keys --- people avoid it for a reason). He also submitted a version of this for standardization. It also had a [greatly improved attack recently](https://eprint.iacr.org/2024/1193).
Of course, none of those are relevant to improved attacks on the math behind ML-KEM (algebraically structured variants on ring LWE). there has been some progress on these, but not really. It's really just "shaving bits", e.g. going from 2^140 to 2^135 type things. The rainbow attack (of the first two, the "mild" one) reduced things by a factor ~2^50, which is clearly unacceptable.
Unfortunately, because adherents of Dan Bernstein will pop up, and start saying a bunch of stuff confidently that is much too annoying to refute, as they have no clue what the actual conversation is. So the conversation becomes
1. people who know things, who tend to not bother saying anything (with rare exceptions), and
2. people who parrot Dan's (very wrong at this point honestly, but they've shifted over time, so it's more of 'wrong' and 'unwilling to admit it was wrong') opinions.
the dynamic is similar to how when discussions of vaccines on the internet occur, many medical professionals may not bother engaging, so you'll get a bunch of insane anti-vax conspiracies spread.
In the context of: a green username offering some salacious/conspiratorial things about djb around a topic I'm only a little familiar with... It's worth a lot. It's the difference between me writing it off as (at best) a poorly informed misunderstanding of a complex topic, and me choosing to spend some time learning more. Ty
None of this is really salacious or conspiratorial. I don't know how big a deal the attacks they're citing are. But this is directionally mostly stuff I've heard from lots of cryptography engineers over the last couple years. I know the comment is off comparing attacks on classical NTRU to SNTRUP though!
> anyway, someone popular among some people in tech (the cryptographer Dan Bernstein) has been trying (successfully) to slow the PQC transition for ~10 years
Sounds enough like throwing shade to make me doubt its value, in absence of other signals.
My point was your history of posting knowledgeably about security and cryptography provides the credibility for me to go do more reading about the stuff in mswphd's post.
Oh, Bernstein is a vocal and relentless opponent of MLKEM. Both the industry and research cryptography have settled on MLKEM. That's the subtext. You could word it differently and more charitably, but I wouldn't.