I'm not a believer (I'm not qualified to have an opinion but neither is almost anyone else here) in PQC, but to be clear, the logic behind moving forward on PQC is straightforward: everybody acknowledges that there are no known useful QC attacks on cryptography, nor really any on the horizon, but adversaries can easily stockpile terabytes of recorded network conversations today and keep them around to break when QC attacks do work.
If you think QC attacks are 20 years away from real-world demonstrations, then conventional cryptography has a 20-year ceiling, which would be a hair-on-fire analysis in any other context. How long are you willing to bet conventional cryptography will hold out? 50 years is also too short by cryptographic standards. And 50 years is a long time. You willing to bet 100 years? I am, but, like, nobody should listen to me on this.
This is also why KEMs are a priority over signatures for PQC deployment.
A larger number of qubits allows us to do effective quantum error correction. The idea is to group multiple physical qubits into one logical qubit; think of it as redundancy.
So what's the number of logical qubits we have achieved working practically then? Is this scalable, or is it just going to exponentially require physical qubits for each additional logical qubit?
Quantum error correction has been experimentally demonstrated for a single logical qubit, e.g. [0][1]. Even though there might be implementations of multiple such qubits, we're still very much in the "Noisy Intermediate-Scale Quantum" era.
Generally, the number of physical qubits scales linearly with the number of logical qubits.