At what point do we seriously start evaluating the use of post-quantum crypto for normal applications, such as TLS?

Now that we know there are certain government agencies that plan on storing encrypted data for future cryptanalysis [1], I'm starting to think there should be some thought put into this. AES is secure (at least AES256), but not RSA/EC. At least in theory, doesn't that mean TLS in its current state, as well as various other applications relying on the same concepts, is effectively useless?

[1] http://www.guardian.co.uk/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document
There are two widespread misconceptions about quantum attacks on cryptography. The first, which you avoid, is that it's devastating to <i>all</i> cryptography; quantum attacks make some brute force searches faster, which would be a reason to consider AES256 rather than AES128, but do not directly threaten typical block cipher cores.

The second misconception is that quantum attacks ruin all public-key encryption. But that's also not true. What's actually true is that the most widespread public-key algorithms are mathematically <i>very</i> straightforward and are thus maximally exposed to quantum algorithmic advances. That implicates RSA, the classical DLP algorithms like DH, ElGamal, and DSA, and most probably their EC variants.

But there are many public-key algorithms that are not as mathematically straightforward as RSA or DH. McEliece is an example of a public-key system that uses binary error correction codes as a trapdoor function; lattice crypto uses the closest vector problem instead. These systems are all pq-crypto candidates.

It's likely that if the day comes where, say, quantum IFP solutions can start addressing numbers larger than 21, we could swap RSA out of TLS for a pq public key system.

In the meantime, moving aggressively to pq public key is silly. We have a hard time just getting sites to use TLS at all, let alone TLS with forward secrecy. The post-quantum candidates we have now are significantly slower than RSA. A push for pq crypto today would harm security more than help it.
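The reply above says RSA is "mathematically very straightforward" to attack with a quantum computer, and mentions 21 as the largest number quantum factoring demos have handled. The following is an added example, not code from the thread or from any of the commenters, that makes the point concrete: it runs the classical half of Shor's algorithm, which reduces factoring N to finding the multiplicative order r of a random a mod N and then reads the factors off gcd(a^(r/2) ± 1, N). The one step a quantum computer speeds up, `find_order`, is done here by brute force, so the code only works for toy moduli such as 15 or 21; the function names and the seeded random driver are this example's own choices, not from any real implementation.

```python
"""Classical skeleton of Shor's algorithm: factoring reduced to order-finding.

Added example (not from the thread). Everything here is classical; the one
step a quantum computer accelerates is find_order(), which is brute forced
below and therefore only practical for toy moduli like 15 or 21. For a
2048-bit RSA modulus that brute force is exponential, which is exactly what
keeps RSA safe against classical attackers today.
"""
from math import gcd
from random import Random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), found by brute force.

    This is the step Shor's quantum period-finding replaces; classically it
    costs up to ~n steps, i.e. exponential in the bit length of n.
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n for the order to exist")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int):
    """Given the order r of a mod n, try to split n.

    Succeeds when r is even and a**(r/2) != -1 (mod n); for a random a this
    holds with probability at least 1/2 when n has two distinct odd prime
    factors. Returns a sorted (p, q) pair or None when this a is unlucky.
    """
    if r % 2:                 # odd order: a**(r/2) is not an integer power
        return None
    y = pow(a, r // 2, n)     # y**2 == 1 mod n, so (y-1)(y+1) == 0 mod n
    if y == n - 1:            # trivial square root of 1: no information
        return None
    for candidate in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < candidate < n:
            return tuple(sorted((candidate, n // candidate)))
    return None


def shor_classical(n: int, seed: int = 1, max_tries: int = 50):
    """Randomized driver: pick a, take a lucky gcd if any, else use the order.

    The seed makes the run reproducible; any seed works for toy moduli.
    """
    rng = Random(seed)
    if n % 2 == 0:
        return (2, n // 2)
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:             # lucky pick: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        split = factor_from_order(a, find_order(a, n), n)
        if split:
            return split
    return None               # only reachable for prime powers or bad luck


if __name__ == "__main__":
    # Constructed demo inputs: the two moduli quantum factoring demos have
    # actually handled, plus one unlucky base showing the failure mode.
    print("21 ->", shor_classical(21))
    print("15 ->", shor_classical(15))
    print("order of 2 mod 21 =", find_order(2, 21))
    print("a=20 mod 21 gives", factor_from_order(20, find_order(20, 21), 21))
```

Note that nothing in `factor_from_order` is hard: once r is known the split is two gcds. That is the sense in which RSA is "straightforward" for a quantum adversary, and it is also why the commenter's benchmark of "numbers larger than 21" matters: the quantum part is the only part that does not scale today.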