I think this being a reasonable utilitarian point to make is not a point in utilitarianism’s favor.

Instead, you proceed in layers of abstraction. For example

1. the main claim may rest on some set of sub-claims, as well as some local (to teh main claim) work to "patch things together"

2. each of those sub-claims themselves may require other sub-claims + local work, etc

These can be collected into a dependency graph. In lean, this is often called a "blueprint". Here is the blueprint for the formalization of the Polynomial Frieman-Rusza conjecture (now a theorem, by Gowers, Green, Manners, and Tao).

https://teorth.github.io/pfr/blueprint/

This layer of abstractions is (roughly) equivalent a different way to format mathematics. You could remove the Lean component (let alone any AI), and create such a dependency graph for a paper. I would argue this is a clearer way to format mathematics (again, ignoring both the formal verification applications of it, as well as AI).

Any mathematics paper intrinsically has a graph such as this underlying it, and tries to make the various linkages in the graph clear via prose. Prose is only so powerful a way to organize things. I'm sure you're familiar with the way early mathematicians would describe various formula (e.g. the quadratic formula) via prose. It is very hard to understand.

Separately from this dependency-graph perspective, you can do things like

1. add formal verification. Now, each component in the dependency graph is verifiable with high confidence (though harder to write and read). This has some benefits and downsides. Harder to write and read is bad. Being able to have high confidence in the veracity of the result is *very* good. It allows larger collaborations in mathematics. Previously, a large collaboration would require all mathematicians to trust eachother to a large extent. This is (practically) difficult.

2. when each component can now be verified to high accuracy, you can now throw AI at it. I won't extoll the virtue of this. There are parts of it that seem interesting, but many "AI for Math" things currently are stil producing unformalized papers (in prose).

Maybe the main thing I'd say is that this type of "graph structure, with each component trusted" is already implicitly what mathematicians do. You write papers that cite other papers etc. Except now, instead of needing to look for status signals to trust papers (or invest personal effort), you can look for another (honestly fairer) signal to trust papers. So there's a sense in which formalization allows for the democratization of mathematics. I do think there's something beautiful about that.

It is relatively easy to take the proceeds of a massive fraud, buy a relatively small (as a percentage of the fraud) $ amount of mosquito nets, and save more lives than the lives impacted by your massive theft. Is this a correct application of the utilitarian calculus? What sort of data would we need a priori to do this calculation "correctly"? Do you think he had a careful estimate of the suicide rate of victims of ponzi schemes before perpetuating the fraud, or would any suicide rate have made the decision net [pun intended] moral, as any such victim of fraud would lead to >> 1 net purchased (so you would almost always net save lives).

The above is of course snarky. It is also a best-effort way of analyzing a notable utilitarian's actions. I do not think it would be difficult at all to use this type of argument to argue that SBF's actions net raised utility in the world. If only we all would become fraudsters, then we could truly live in Omelas --- a notable utilitarian paradise.

https://www.reddit.com/r/LocalLLM/comments/1ti9w4o/qwen3635b...

Qwen 3.5 was released 3/2/2026. It includes models up to a 397B-A17B model

https://huggingface.co/collections/Qwen/qwen35

A day afterwards, a high-up technical leader working on Qwen was let go

https://techcrunch.com/2026/03/03/alibabas-qwen-tech-lead-st...

The more recent Qwen 3.6 was released on 4/16

https://huggingface.co/collections/Qwen/qwen36

This does not include any particularly large models. But the models it contains (Qwen3.6 27B and Qwen3.6 35B-A3B) are the local models people have been very excited about lately. So they didn't release any larger models, and the models people praise so much are from this most recent release.

There still is a naming collision between |X| (cardinality of a set) and |x| (absolute value of a scalar). Sometimes this happens. It generally is still unambiguous though, as mathematicians tend to use different segments of the alphabet for different purposes, and also additionally tend to capitalize sets, and leave scalars lower case.

1. defense contracting, which can definitely be lucrative, but (hopefully) will dry up quickly after the PQ transition (and especially will if we successfully transition before QCs are advanced enough, which is the goal), and

2. theft, with things like e.g. stealing bitcoins or whatever.

The second is plausibly a large market. It may be difficult to put it on a quarterly report though. So the economic basis industrial QC research may not end up panning out.

This is especially true because they often lie in their fear-mongering. For example, you appear to be a follower of Dan. You seem to think the argument against hybrids is an argument against hybrid KEMs. It's not. That is a lie. Even Dan's recent tirade on the TLS-WG mailing list has been against putting forward an informational RFC on ML-DSA, a (pure lattice) digital signature scheme.

Perhaps you misunderstood this, and Dan accurately described the setting he is fear-mongering over. Perhaps Dan misrepresented things again, as he has been doing for nearly a decade again. I don't particularly care either way. All that matters to me is accurate evaluation of our current options. It is exceedingly frustrating that a high-profile cryptographer seems incapable of doing this, either due to incompetence or malice.

Industry quantum computing has made precipitous progress in the last few years, leading to industry companies (e.g. Cloudflare) to upping their personal targets for transition to 2029. You can read their motivation in the first few paragraphs of the following

https://blog.cloudflare.com/post-quantum-roadmap/

We are currently in a place where it is entirely plausible that nation states will have quantum computers capable of breaking EC crypto (and RSA, although paradoxically it is mildly harder to break quantumly due to larger data sizes) by 2030. This is not guaranteed. But there have been increasingly many warning signs.

Maybe you don't care, and want to bury your head in the sand. That's your prerogative. But cryptographers do care, and so are taking all of the above very seriously.

This doesn't guarantee things will work. In cryptography there are no guarantees. In particular, failing to transition fast enough can also lead to vulnerabilities (by this I mean quantum attacks. Cryptographers are increasingly worried this may happen very soon. I've seen some estimate as soon as 2030). So there is an underlying tension in changing, and also a clear worry about not changing.

This is not a particularly realistic attack model. People typically instead want security against an "active" adversary who does whatever they can (say IND-CCA2 security). You can achieve this information-theoretically, given enough pre-shared randomness, by (roughly) taking some standard Authenticated Encryption with Associated Data (AEAD) construction, and swapping out whatever primitives that are used with information-theoretically secure components. A OTP for the block cipher and a Wegmen-Carter MAC for the MAC should work.

Note that this gives you a scheme with roughly the same practical security as standard ones (unless you think someone can break AES), but it still can be subject to non-trivial attacks that AES cannot. In particular

1. randomness used on both sides MUST never be repeated, and MUST stay in sync throughout, so

2. both sides MUSt stay in sync as to where 1. they are in terms of the randomness they're using, and where 2. the other half of the communication is. Realistically these should be two completely different randomness streams to guard against race conditions where otherwise each side may accidentally reuse a block of randomness

3. having to stay in sync adds several difficulties. In particular, network issues become much more annoying to deal with. This is true for e.g. environmental network disruptions, but also (plausibly) an adversary can disrupt the network temporarily. If this causes you to lose synchronization, then best case this temporary network disruption becomes a permanent network disruption. Worst case it manages to get randomness re-used on one side, which then breaks everything.

The above is likely not an exhaustive list of the problems you have to deal with. But still, you can see how it quickly becomes unclear if things are easy to implement.

https://blog.cloudflare.com/post-quantum-roadmap/

Part of this is because of a 3rd reason to transition early, which is the "long tail" of deployments which will switch over (potentially very) slowly. Think embedded/iot devices that are either difficult to patch, or have vendors who are not as security-focused.

Second, hybridization can add weaknesses in several ways

1. Hybridization may preserve some, but not all, security properties of the constituent parts. This is the case for hybrid signatures. In particular, ML-DSA signatures have a better than SUF-CMA type of security typically called "BUFF" security. Known hybridization techniques lose this security.

2. Hybridization is also more code (and more complex code) to write. Historically, the vast majority of cryptographic issues come from implementation issues, not fundamental weaknesses in the underlying hard problems. So suggesting to obtain security by doing more complex things may not always achieve the desired goal.

why believe this about PQ schemes vs about pre-existing schemes? Or any other schemes?

It's also worth mentioning that it appears that other countries (in particular China) will adopt fundamentally similar schemes. The NSA loves vulnerabilities, but generally only vulnerabilities of a certain type. These are generally referred to as "NOBUS"

https://en.wikipedia.org/wiki/NOBUS

It includes things like backdoors (say DUAL_EC_DRBG), as well as historically things like reducing the key size of DES, where the US thought they'd be able to brute force it (but other countries would lack the compute). Historically the NSA has actually assisted in removing non-NOBUS vulnerabilities (at least they did this with the SBOX design of DES, which was vulnerable to differential/linear cryptanalysis --- I forget which).

The NSA hasn't publicly assisted/disclosed any vulnerabilities with currently suggested schemes, though a close US ally (Isreal, through an IDF group known by Matzov) has. If America was hoarding vulnerabilities, one might imagine America would have pressured Isreal to keep this secret.

A final point is that it's not clear where the NSA would source the vulnerabilities. By a peculiar chain of coincidences, nearly all of the most successful lattice cryptanalysts are European. None have "gone dark" in a way that would be concerning (say how Don Coppersmith did, when he moved to a NSA affiliate in the mid 2000s). This isn't to say that it would be impossible for the NSA to have better-than-public vulnerabilities, but more to say that they can't just take some of the most successful people who have publicly attacked the problem, and throw more money at them. Their "talent-pipeline" for this particular problem is not as available (and many cryptographers soured on working with them post-Snowden anyway).

The Chinese Academy of Science made their own professional recommendation to the Chinese government a few years ago to use fundamentally similar schemes. The Chinese government this year is planning to start on their own standardization. Again, it is expected they will use fundamentally similar schemes.

The German BSD has suggested their own schemes as well, which are fundamentally similar (they suggested unstructured lattices, which is mildly different. They've also made some incompetent suggestions regarding quantum networking though iirc, so it might be a BSD-specific quirk).

Cryptographers are paranoid by default. It's really the only reasonable way to evaluate things competently. Even among the paranoid though, there's been no plausible argument suggested that something bad is happening with the PQ transition. People will point various fingers, for example

1. a backdoor! Except we can typically detect the possible presence of a backdoor, and nobody has suggested anything despite the designs being fundamentally fixed over the last 15 years (again, except the "one obvious" possible backdoor of standardizing a ML-KEM lattice, which was decided against for this reason), or

2. lattice-based problems are classically weak! There is no publicly visible reason to suspect this. One might then conjecture that they're weak in only a way a nation-state can detect/exploit. Then it would be very weird that it appears that both the US and China will both adopt lattice-based schemes.

It takes more to be a competent cryptographer to be blindly paranoid. There has been zero credible reasons presented though, and the cryptographic community has been looking into these problems and constructions for well over a decade now.