
Putting on my tinfoil hat, I think there’s also an argument to be made that the NSA might want to slow down adoption of post-quantum algorithms, which their stance against hybrids definitely accomplishes. If there’s a single organization that could be 10-20 years ahead of where people think they are on something like a useful quantum computer, it’s the NSA (powered by the US’s absurd defense budget). If they can slow down the adoption of post-quantum algorithms, they can maintain their potential head start for longer and be able to break current cryptosystems and extract actually valuable information.

Outside of the NSA (and its affiliates), most of the cryptographic community seems to have come together in support of hybrids, which would greatly accelerate the adoption of some level of post-quantum defense. With even the most “liberal” cryptographers thinking that more careful cryptanalysis of post-quantum algorithms is needed before widespread adoption as the sole line of cryptographic defense, if the NSA manages to convince sufficient people that hybrids aren’t viable enough for production (and thus stick with classical algorithms) they may be able to maintain the ability to break sensitive communications for longer when and if their quantum computer efforts have a breakthrough.
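The "hybrid" the comment is talking about combines a classical key exchange with a post-quantum KEM so that the session key stays secret as long as either component holds. The following is an added illustration written for this page, not code from the thread or from any standard: the classical half is a deliberately tiny Diffie-Hellman group (2^127 - 1, generator 3, constructed and insecure), the post-quantum half is a stand-in KEM with the keygen/encaps/decaps shape of ML-KEM but built from the same toy DH, and the combiner is HKDF-SHA256 over the concatenated shared secrets with the public keys and ciphertext bound into the info string. The label strings are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: 2^127 - 1 is prime, but this size is hopelessly small.
# A real deployment would use X25519 or P-256 for the classical component.
TOY_P = (1 << 127) - 1
TOY_G = 3
ELEM_LEN = 16  # every group element fits in 16 big-endian bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256; empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def dh_keygen():
    """Classical component: ephemeral key pair in the toy group."""
    sk = secrets.randbelow(TOY_P - 2) + 1
    return sk, pow(TOY_G, sk, TOY_P)


def dh_shared(sk: int, peer_pk: int) -> bytes:
    return pow(peer_pk, sk, TOY_P).to_bytes(ELEM_LEN, "big")


# Stand-in for the post-quantum KEM (assumption of this example): same
# keygen/encaps/decaps interface as ML-KEM, implemented DHKEM-style so the
# whole file runs offline. Only the interface, not the math, models ML-KEM.
def kem_keygen():
    return dh_keygen()


def kem_encaps(pk: int):
    esk, ct = dh_keygen()
    return dh_shared(esk, pk), ct  # (shared secret, ciphertext)


def kem_decaps(sk: int, ct: int) -> bytes:
    return dh_shared(sk, ct)


def encode_transcript(*elements: int) -> bytes:
    """Bind all public values into the KDF so a swapped key or ciphertext changes the output."""
    return b"".join(e.to_bytes(ELEM_LEN, "big") for e in elements)


def hybrid_combine(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive one 32-byte key from both secrets. Knowing only one secret (say the
    classical one, after a quantum break) leaves the HKDF input unknown, so the
    key is protected as long as at least one component is unbroken."""
    prk = hkdf_extract(b"hybrid-kem-example-v1", ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid session key" + transcript, 32)


def hybrid_handshake():
    """Run one exchange between two parties and return both derived keys plus
    the intermediate values so the combiner's properties can be checked."""
    # Responder publishes a key for each component.
    b_dh_sk, b_dh_pk = dh_keygen()
    b_kem_sk, b_kem_pk = kem_keygen()

    # Initiator: ephemeral DH share plus a KEM encapsulation to the responder.
    a_dh_sk, a_dh_pk = dh_keygen()
    ss_pq_a, kem_ct = kem_encaps(b_kem_pk)
    ss_cl_a = dh_shared(a_dh_sk, b_dh_pk)
    transcript = encode_transcript(b_dh_pk, b_kem_pk, a_dh_pk, kem_ct)
    key_a = hybrid_combine(ss_cl_a, ss_pq_a, transcript)

    # Responder recomputes both secrets from what it received.
    ss_cl_b = dh_shared(b_dh_sk, a_dh_pk)
    ss_pq_b = kem_decaps(b_kem_sk, kem_ct)
    key_b = hybrid_combine(ss_cl_b, ss_pq_b, transcript)

    return key_a, key_b, ss_cl_a, ss_pq_a, transcript


if __name__ == "__main__":
    ka, kb, _, _, _ = hybrid_handshake()
    print("keys match:", ka == kb, ka.hex())
```

The point to take from the combiner is the concatenation: the KDF input is `ss_classical || ss_pq`, so an adversary must recover both secrets to recompute the key. Swapping the toy DH and the stand-in KEM for X25519 and ML-KEM changes none of the combiner logic.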



> Putting on my tinfoil hat...

Time to use tinfoil chat! https://github.com/maqp/tfc


Or could it be a bluff? Act like they don't want it, so some players feel they can use more advanced post-quantum algorithms and be secure, while the NSA is decrypting it.


Maybe, but this argument holds less weight given that they’re the ones pushing for inclusion of these algorithms in the NIST standards, and are really only advocating against the hybrid algorithms.

I honestly think the NSA learned their lesson with the whole debacle around Dual_EC_DRBG and skepticism about their elliptic curve seeds - especially given the continued exponential growth in sensitive electronic communications and records, they want the algorithms as secure as possible without a backdoor that could leak and be a foot-gun for US communications as well.

Instead, they’ll just throw more money at making a usable quantum computer than the next country spends on their entire cryptographic infrastructure, and get targeted backdoors into software/hardware implementations of the encryption algorithms so they can focus their attacks more precisely.


I'd be fairly certain they have hardware backdoors into most things...

My guess would be that there are multiple segments to the NSA, some of whom have access to the hardware level backdoors and others that want the software to be easier to compromise.

I would suggest that if you are a target of the NSA, the encryption you are using does not matter one bit; they will find a way to hack you and steal any keys to systems they need, and you probably won't even know about it. I'm not so convinced about the mass surveillance actually being that useful, to be honest; even with current tech there is just too much of it to help.



