[jcranmer]

> Also, PFS uses 256-bit ECC, which only requires a 512-qubit quantum computer to break it.

Grover's algorithm is a quadratic, not exponential speedup. It may require 512 qubits, but it still requires 2^128 time.

[Zaak]

ECC is vulnerable to Shor's algorithm, which gives exponential speedup. A rough calculation implies that 256-bit ECC would take on the order of 25k quantum operations to break.