Hacker News
by jongjong 1405 days ago
That's why I like simple hash-based cryptographic algorithms such as Lamport OTP for digital signatures. Hash-based algorithms are broadly believed to be quantum-resistant and this makes sense intuitively because hashing destroys information.

The statefulness of Lamport OTP adds some implementation and usability hurdles but IMO, the simplicity and intuitiveness of the algorithm makes it worthwhile.

Source: I worked on a quantum-resistant blockchain which is based on Lamport OTP and Merkle Signature Trees (for key reuse) - https://capitalisk.com/

1 comments
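The scheme the comment above describes (usually called the Lamport one-time signature, OTS, rather than "OTP") is short enough to show in full, together with the statefulness hazard it mentions. The following is an added example, not code from the post or from the capitalisk project: it uses SHA-256 for both the key-commitment hash and the message digest, a `OneTimeSigner` wrapper (a name chosen here) that refuses to sign twice, and a `revealed_preimages`/`forge` pair that shows what an observer learns if a key is reused anyway. The 16-bit digest used in the forgery demo is a toy parameter so the search finishes in milliseconds; the Merkle-tree layer the post uses for key reuse is not implemented.

```python
"""Lamport one-time signature over SHA-256, with a demonstration of why a key
must never sign twice.  Added example; not the original post's or the project's code."""
import hashlib
import secrets

N_BITS = 256  # digest length; each digest bit selects one of two secret halves


def H(data):
    return hashlib.sha256(data).digest()


def digest_bits(msg, n_bits=N_BITS):
    """Bits of the SHA-256 digest of msg, MSB first, truncated to n_bits (toy sizes only)."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(n_bits)]


def keygen(n_bits=N_BITS):
    """Secret key: n pairs of random 32-byte preimages.  Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n_bits)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg):
    """Reveal, for each digest bit, the secret half that bit selects."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg, len(sk)))]


def verify(pk, msg, sig):
    """Hash every revealed half and compare with the committed public value."""
    n = len(pk)
    if len(sig) != n:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg, n)))


class OneTimeSigner:
    """Stateful wrapper: the one piece of state a Lamport signer cannot do without."""

    def __init__(self, n_bits=N_BITS):
        self.sk, self.pk = keygen(n_bits)
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("Lamport key already used; a second signature leaks secret halves")
        self.used = True
        return sign(self.sk, msg)


def revealed_preimages(msgs_and_sigs, n_bits=N_BITS):
    """What an observer learns from all signatures under one key: position -> {bit: preimage}.
    One signature reveals exactly one half per position; a second reveals the other half
    at every position where the two digests differ."""
    known = {}
    for msg, sig in msgs_and_sigs:
        for i, b in enumerate(digest_bits(msg, n_bits)):
            known.setdefault(i, {})[b] = sig[i]
    return known


def forge(pk, known, n_bits=N_BITS, max_tries=1_000_000):
    """Search for a fresh message whose digest bits are all covered by revealed halves.
    Returns (message, signature) or None.  At n_bits=256 with two signatures this needs
    ~2^128 tries and fails; at 16 bits it succeeds after a few hundred."""
    for t in range(max_tries):
        msg = b"forged-%d" % t  # constructed candidate messages
        bits = digest_bits(msg, n_bits)
        if all(b in known.get(i, {}) for i, b in enumerate(bits)):
            sig = [known[i][b] for i, b in enumerate(bits)]
            assert verify(pk, msg, sig)
            return msg, sig
    return None


if __name__ == "__main__":
    signer = OneTimeSigner()
    sig = signer.sign(b"pay alice 1")
    print("valid:", verify(signer.pk, b"pay alice 1", sig))
    sk16, pk16 = keygen(16)  # toy size to make reuse visibly fatal
    m1, m2 = b"pay alice 1", b"pay bob 2"
    known = revealed_preimages([(m1, sign(sk16, m1)), (m2, sign(sk16, m2))], 16)
    print("forged after key reuse:", forge(pk16, known, 16))
```

The hash truncation is only there to make the reuse failure observable; with a full 256-bit digest the second signature still reveals roughly 384 of the 512 secret halves, and the scheme's security then rests entirely on the signer's state. That is the hurdle the post refers to, and why hash-based signature designs wrap Lamport keys in a Merkle tree and track which leaves have been spent.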

We're discussing key exchange mechanisms, not signatures. The distinction is important: KEMs are what we need now if QC is a real threat, because they're what enable us to protect traffic from retroactive decryption.
The encryption side of things does appear to be a lot more challenging. I like solutions which allow complexity to be side-stepped somehow but I'm not aware of anything like that for encryption.