CECPQ1 results (imperialviolet.org)
61 points by arkadiyt on Nov 29, 2016 | 6 comments



Thank you for doing this experiment!

> [W]e did not find any unexpected impediment to deploying something like NewHope. There were no reported problems caused by enabling it.

It's great to have this data.

Minor question: I assume CECPQ1 stands for something like Concatenated Elliptic Curve w/ Post-Quantum #1, right?

Bigger question: will there be a CECPQ2 experiment? I really hope so! Based on how CECPQ1 was constructed (X25519+NewHope), and how this experiment was executed, I'd love to see Google continue playing an active role in PQ experimentation.


No plans for a CECPQ2 at the moment, although I believe that the general structure of running both an EC and PQ key agreement concurrently is likely a good idea in the future until time gives us better confidence in the PQ half.

I'm hoping that we'll have some consensus in a year or two on a good candidate PQ algorithm that we can get deployed across several implementations. It might be very similar to NewHope, or perhaps Shor et al. will break lattices in general :)

(C in CECPQ1 was "combined".)


Holy shit, this is potentially huge.

Any good "Cryptography Engineering"-style post on this NewHope algorithm explaining what it does and its limitations? Any reason not to get excited about this being done in a practical application?


Watch this video: https://www.youtube.com/watch?v=X6V1N64eEuc

I learned quite a lot. It's from one of NH's inventors (Peter Schwabe aka cryptojedi).



I'm a bit disappointed that Google is finishing this experiment so early.

I think there are good arguments to deploy postquantum-ecc-hybrid schemes today. If quantum computers are only 10-15 years away, which some scientists think, then there is a legitimate interest to protect today's communication against future adversaries.

Therefore I would've liked to see something like CECPQ1 as a preliminary cipher suite that gets used for a couple of years until we have something better.



