This looks nice. I wonder why they decided on security comparable to RSA 2048? It won't be useful in practical application for a few more years anyways.<p>For sure attacks on a Post-quantum signature schemes would be different in every way than RSA,but if that comparison is meant to compare how long a full key space search would take utilizing existing computational limits,then wouldn't that security be a wee bit on the weak side by the time this gets mainstream acceptance?<p>I would certainly not accept RSA-2048 signatures 5 years from now any more than I would RSA-1024 now.