Filippo Valsorda has reversed his position on hybrid signatures. In a post on the Geomys blog dated 6 April, he argues that classical-plus-PQ composite signatures cost more in time and complexity than they buy in cryptographic insurance, and that deployments should ship pure ML-DSA-44 directly. His position on hybrid key exchange has not changed; that part of the migration remains a sensible hedge.
The shift matters because Filippo’s previous position lined up with current regulatory guidance. Germany’s BSI TR-02102 requires hybrid PQC for both key exchange and signatures. France’s ANSSI takes a similar line. The IETF is several drafts deep into draft-ietf-lamps-pq-composite-sigs, now at revision 16 (8 April 2026), with eighteen composite key types nearing publication. The latest revision’s abstract describes the construction as “tailored to meet regulatory guidelines in certain regions.” That language itself acknowledges the regulatory divergence this post is about. A meaningful part of the standards work to date has assumed hybrid is the default path.
The reasoning for the change is straightforward. Hybrid key exchange is cheap: ephemeral keys, no wire format for composite private keys, minimal protocol surface. Hybrid authentication is expensive: durable keys, type negotiation, certificate format work, and significant collective time spent figuring out how the ecosystem treats composite identities. The benefit of that cost is protection against the case where ML-DSA breaks classically before a CRQC arrives. Two years of deployment experience with lattice-based hybrids in the wild, plus an aggressive timeline for the quantum threat, reweights that tradeoff toward shipping pure PQ now.
The 2029 number
Google’s Heather Adkins and Sophie Schmieg published a migration timeline with a 2029 internal deadline for completing PQ migration. We covered the deployment-team implications when that deadline first appeared. It is the most aggressive credible timeline from a non-vendor source to date, and it is grounded in two recent technical developments. Google’s Babbush et al paper revises down the logical qubit and gate counts required to break 256-bit elliptic curves, putting the attack within minutes on superconducting architectures. A separate paper from Oratomic shows the same attack class in approximately ten thousand physical qubits with non-local connectivity, which neutral-atom platforms appear to offer. Germany’s Quantum Computing Competition is funding the consortia building exactly that hardware.
Both papers put ECC, ahead of RSA, into the immediate threat window, and ECC is exactly where modern ECDSA-and-X25519 stacks are most exposed (see our prior post).
Migration duration remains the binding constraint. Typical enterprise cryptography rollouts take five to ten years. A thirty-three-month window for completion implies that an organization not yet in active migration is already late.
What this means for scanners
Two compliance profiles, both correct, will increasingly disagree. The shape of that disagreement was already visible in the IETF working group, where the hybrid-versus-pure question split implementers along almost identical lines.
A scan against BSI TR-02102 will require hybrid signatures and grade pure ML-DSA-44 as non-compliant for German federal use. A scan against the position now articulated by Geomys, OpenSSH, age, and adjacent open-source maintainers will treat hybrid signatures as a reasonable but unnecessary cost and flag pure ML-DSA-44 as the preferred forward path. The same TLS endpoint will receive different verdicts depending on which standard the scan is run against.
The split reflects different threat models. BSI is reasoning about long-term sovereign cryptographic resilience, where lattice cryptanalysis surprises must be survivable independently. Filippo is reasoning about deployment latency against a thirty-three-month wall. Both reasoning chains are defensible. The two will reconverge as cryptanalytic confidence in lattices accumulates and as the timeline pressure either materializes or eases.
For the scan output that matters today: non-PQ key exchange is the urgent failure. OpenSSH surfaces it as a user-facing warning, on the basis that secrets transmitted over the connection rarely have shelf lives shorter than three years. Filippo’s position is that any non-PQ KEX session in 2026 should be treated as a potential active compromise. The actual share of the internet that has crossed even the hybrid threshold is much smaller than vendor adoption tables suggest (see our earlier posts on the false floor and on Cloudflare’s gap). The hybrid-versus-pure signature debate is secondary.
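To make the two-profile disagreement concrete, here is a toy grader that takes one observed handshake (the negotiated key-exchange group and the server’s signature algorithm) and grades it under both profiles at once, with non-PQ key exchange sorted to the top as the urgent finding. This is an added example written for this post, not pqprobe’s code; the rules encode only what this post attributes to each profile (BSI TR-02102: hybrid required for both key exchange and signatures; the Geomys/OpenSSH posture: any non-PQ key exchange fails, pure ML-DSA is the preferred signature path, a hybrid signature is accepted as an unnecessary cost), and the algorithm name tables are assumptions for illustration, not a registry.

```python
"""Two compliance profiles grading one observed TLS handshake.

Added example for this post, not pqprobe's code. Profile rules follow the
post's summary of each position; the algorithm name tables below are
assumptions (enough to sort common TLS 1.3 code points, not complete).
"""
from dataclasses import dataclass
from enum import Enum


class Kind(str, Enum):
    CLASSICAL = "classical"
    HYBRID = "hybrid"
    PURE_PQ = "pure_pq"


# Assumed name tables.
HYBRID_KEX = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
PURE_PQ_KEX = {"MLKEM512", "MLKEM768", "MLKEM1024"}
HYBRID_SIG = {"MLDSA44-ECDSA-P256-SHA256", "MLDSA65-ECDSA-P384-SHA384"}  # composite names, assumed
PURE_PQ_SIG = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"}


def classify(name: str, hybrid: set, pure: set) -> Kind:
    """Anything not in the PQ tables (x25519, P-256, RSA, Ed25519...) is classical."""
    if name in hybrid:
        return Kind.HYBRID
    if name in pure:
        return Kind.PURE_PQ
    return Kind.CLASSICAL


@dataclass(frozen=True)
class Finding:
    profile: str
    component: str   # "kex" or "sig"
    verdict: str     # "PASS", "WARN" or "FAIL"
    urgent: bool     # secrets on the wire are exposed now; report first
    reason: str


def grade_bsi(kex: str, sig: str) -> list:
    """BSI TR-02102 strict reading: hybrid is the only passing shape for both."""
    k = classify(kex, HYBRID_KEX, PURE_PQ_KEX)
    s = classify(sig, HYBRID_SIG, PURE_PQ_SIG)
    return [
        Finding("BSI TR-02102", "kex", "PASS" if k is Kind.HYBRID else "FAIL",
                k is Kind.CLASSICAL, f"hybrid key exchange required, got {k.value}"),
        Finding("BSI TR-02102", "sig", "PASS" if s is Kind.HYBRID else "FAIL",
                False, f"hybrid signature required, got {s.value}"),
    ]


def grade_geomys(kex: str, sig: str) -> list:
    """Geomys/OpenSSH posture: PQ key exchange now, pure ML-DSA preferred."""
    k = classify(kex, HYBRID_KEX, PURE_PQ_KEX)
    s = classify(sig, HYBRID_SIG, PURE_PQ_SIG)
    kex_finding = Finding(
        "Geomys/OpenSSH", "kex", "FAIL" if k is Kind.CLASSICAL else "PASS",
        k is Kind.CLASSICAL,
        "non-PQ key exchange: treat the session as potentially compromised"
        if k is Kind.CLASSICAL else f"{k.value} key exchange accepted")
    sig_verdict = {Kind.CLASSICAL: "FAIL", Kind.HYBRID: "WARN", Kind.PURE_PQ: "PASS"}[s]
    sig_reason = {Kind.CLASSICAL: "no PQ authentication",
                  Kind.HYBRID: "hybrid signature accepted; unnecessary cost, pure ML-DSA preferred",
                  Kind.PURE_PQ: "pure ML-DSA is the preferred forward path"}[s]
    return [kex_finding, Finding("Geomys/OpenSSH", "sig", sig_verdict, False, sig_reason)]


PROFILES = {"BSI TR-02102": grade_bsi, "Geomys/OpenSSH": grade_geomys}


def scan(kex: str, sig: str) -> dict:
    """Grade one handshake under every profile; urgent findings sort first."""
    order = {"FAIL": 0, "WARN": 1, "PASS": 2}
    return {name: sorted(fn(kex, sig), key=lambda f: (not f.urgent, order[f.verdict]))
            for name, fn in PROFILES.items()}


def overall(findings: list) -> str:
    """Worst verdict in one profile's findings."""
    for v in ("FAIL", "WARN", "PASS"):
        if any(f.verdict == v for f in findings):
            return v
    return "PASS"


if __name__ == "__main__":
    # Constructed observations of three endpoints, not real scan data.
    for kex, sig in [("X25519MLKEM768", "ML-DSA-44"),
                     ("X25519MLKEM768", "MLDSA44-ECDSA-P256-SHA256"),
                     ("x25519", "ecdsa_secp256r1_sha256")]:
        print(f"\n{kex} + {sig}")
        for profile, findings in scan(kex, sig).items():
            print(f"  {profile}: {overall(findings)}")
            for f in findings:
                print(f"    {'!' if f.urgent else ' '} {f.component}: {f.verdict} ({f.reason})")
```

The first constructed endpoint (hybrid KEX, pure ML-DSA-44) is the case the post is about: it passes the Geomys profile and fails BSI on the signature alone. The third (x25519 plus ECDSA) fails both, and in both reports the key-exchange line comes first, because that is the finding an operator should act on today regardless of which signature policy they end up adopting.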
The Grover footnote
One adjacent shift worth noting. Filippo also argues that 256-bit symmetric key requirements driven by Grover concerns are net harmful, on the grounds that a Grover attack on a 128-bit symmetric key under realistic circuit-depth limits requires roughly 2^106 operations with a circuit-depth budget of 2^64 logical gates, well beyond reach. Bundling 256-bit symmetric requirements with PQ asymmetric requirements muddles interoperability targets and slows the rollout of the asymmetric cryptography under near-term threat. The original proof that Grover’s speedup parallelizes poorly (p machines gain only a factor of about √p) backs this up.
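The 2^106 figure can be reconstructed from that parallelization limit. The derivation below is added here and is not from the Geomys post; the symbols k, d, g, p and D are introduced for it, and the only external constant is NIST’s published estimate from the PQC call for proposals that Grover against AES-128 costs about 2^170/MAXDEPTH quantum gates.

$$
\begin{aligned}
&\text{Serial Grover over } 2^{k} \text{ keys, with an oracle of depth } d \text{ and gate count } g:\quad
\text{depth} \approx 2^{k/2} d,\qquad \text{gates} \approx 2^{k/2} g. \\[4pt]
&\text{Under a depth cap } D, \text{ split the key space into } p \text{ parallel searches of } 2^{k}/p \text{ keys;} \\
&\text{each needs } 2^{k/2}/\sqrt{p} \text{ iterations, and Zalka's bound says no scheme does better:} \\
&\qquad \frac{2^{k/2} d}{\sqrt{p}} \le D \;\Rightarrow\; \sqrt{p} = \frac{2^{k/2} d}{D}. \\[4pt]
&\text{Total gates: } G = p \cdot \frac{2^{k/2}}{\sqrt{p}} \cdot g = \sqrt{p}\; 2^{k/2} g = \frac{2^{k} d g}{D}. \\[4pt]
&\text{NIST's AES-128 instantiation is } G = \frac{2^{170}}{D}, \text{ i.e. } d g \approx 2^{42}: \\
&\qquad D = 2^{64} \;\Rightarrow\; G = 2^{106}, \qquad D = 2^{40} \;\Rightarrow\; G = 2^{130}.
\end{aligned}
$$

The point of the last line is that the depth cap does not merely slow the attack, it multiplies the gate count by 2^{k/2} d / D, so halving the tolerated depth doubles the total work. With MAXDEPTH at NIST’s middle value of 2^64 the attack sits at 2^106 gates, and at the more conservative 2^40 it costs more than classical brute force of the same key.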
For scanners and compliance grading: AES-128 is fine. The pressure should be on signatures, not block ciphers.
Now what
The action item for operators is unchanged from six months ago, only more urgent. Inventory cryptographic surface, prioritize key exchange first, size the handshake for ML-DSA’s larger signatures, and start the migration that the timeline now compresses to thirty-three months. The same inventory work surfaces in Microsoft’s Cryptographic Posture Management framework.
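“Size the handshake for ML-DSA’s larger signatures” is concrete enough to compute, and the same arithmetic shows why the post calls hybrid authentication expensive and hybrid key exchange cheap by comparison. The block below estimates the bytes a TLS 1.3 server spends authenticating itself (Certificate chain plus CertificateVerify) for classical, pure ML-DSA and composite chains, and checks the result against a 10-segment initial congestion window. It is an added example for this post, not code from Geomys, pqprobe or the IETF draft. The key and signature sizes for ML-DSA are the FIPS 204 values and the classical ones are the usual encodings; CERT_OVERHEAD, the two-certificate chain shape, the congestion-window figure and the modelling of a composite as the plain sum of its two components are assumptions for illustration.

```python
"""Approximate server-authentication bytes in a TLS 1.3 handshake.

Added example for this post. ML-DSA sizes are from FIPS 204 Table 2;
everything marked 'assumed' is an illustrative model, not measured data.
"""

# (public key bytes, signature bytes)
ALG_SIZES = {
    "ecdsa-p256": (65, 72),      # uncompressed point; DER ECDSA sig is ~70-72
    "ed25519":    (32, 64),
    "rsa-2048":   (270, 256),    # SubjectPublicKeyInfo DER is ~270 bytes
    "ML-DSA-44":  (1312, 2420),  # FIPS 204
    "ML-DSA-65":  (1952, 3309),  # FIPS 204
    "ML-DSA-87":  (2592, 4627),  # FIPS 204
}
CERT_OVERHEAD = 500             # assumed: names, validity, extensions, DER framing
INITCWND_BYTES = 10 * 1460      # assumed: initcwnd of 10 segments at a 1460-byte MSS


def sizes(alg: str) -> tuple:
    """Public key and signature size; a composite 'A+B' is modelled as A plus B."""
    if "+" in alg:
        parts = [sizes(p) for p in alg.split("+")]
        return sum(p[0] for p in parts), sum(p[1] for p in parts)
    return ALG_SIZES[alg]


def handshake_auth_bytes(chain: list) -> int:
    """Bytes the server sends to prove its identity.

    chain: list of (subject_key_alg, issuer_sig_alg) from the leaf upward,
    listing only certificates actually sent (the root is omitted).
    Certificate message = each cert's key + its issuer's signature + overhead;
    CertificateVerify = one signature made with the leaf key.
    """
    total = 0
    for subject_alg, issuer_alg in chain:
        pk, _ = sizes(subject_alg)
        _, sig = sizes(issuer_alg)
        total += CERT_OVERHEAD + pk + sig
    leaf_alg = chain[0][0]
    total += sizes(leaf_alg)[1]
    return total


def fits_initcwnd(chain: list) -> bool:
    """True if the authentication bytes fit in the first congestion window."""
    return handshake_auth_bytes(chain) <= INITCWND_BYTES


def uniform_chain(alg: str) -> list:
    """Leaf signed by an intermediate, intermediate signed by an omitted root,
    every key and signature using the same algorithm (assumed shape)."""
    return [(alg, alg), (alg, alg)]


if __name__ == "__main__":
    for alg in ("ecdsa-p256", "ML-DSA-44", "ML-DSA-44+ecdsa-p256",
                "ML-DSA-65", "ML-DSA-65+ecdsa-p256"):
        n = handshake_auth_bytes(uniform_chain(alg))
        state = "fits" if n <= INITCWND_BYTES else "exceeds"
        print(f"{alg:>22}: {n:6d} bytes, {state} initcwnd")
```

Under these assumptions an all-ECDSA chain costs about 1.3 KB, an all-ML-DSA-44 chain about 10.9 KB, and an all-ML-DSA-65 chain about 14.8 KB, which no longer fits the first congestion window and costs an extra round trip before the client can finish the handshake. Adding a P-256 component to make the chain composite adds only a few hundred bytes on top of that, which is the sizing half of the post’s argument: the wire cost of hybrid signatures is small next to ML-DSA itself, so the expense is in the durable keys, negotiation and certificate-format work rather than in the bytes. The key-exchange share (about 1.1 KB for X25519MLKEM768) is not counted here; it travels in the same first flight.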
The action item for compliance frameworks is harder. BSI, ANSSI, NIST, and the IETF will need to decide whether the cost-benefit math on hybrid signatures still holds when the deadline is 2029 and the lattice cryptanalysis surprise has not arrived in eight years of intense academic scrutiny since NIST round 1. That decision will not be unanimous. Scanners will need to report against multiple profiles for the foreseeable future.
pqprobe’s grading currently follows BSI TR-02102 strictly for the BSI compliance profile. The Geomys/OpenSSH posture will be added as a separate profile in an upcoming release, alongside notes that flag the divergence on individual scan reports. Both verdicts will be available; the operator can choose which one applies to their threat model.