[kickopotomus]

It seems that your primary concern is that the government (or some bad actor) will be able to install a backdoor into PQC algorithms. Is that right? Why would PQC be more exposed to this type of subversion than existing public-key cryptography?

To your point about PQC being used exclusively, post-quantum encryption methods are designed to be resistant to both quantum and classical attacks. That is one of the key stated goals of the NIST post-quantum cryptography program.

[adgjlsfhk1]

it's less about a backdoor and more about just being a lot less robust in general. classical crypto is based on ~100 years of math on finite fields and ~50 years of heavy scrutiny by cryptographers. the post quantum algorithms are much newer and built on much less well studied math. (and empirically, a large number of them have been found to be completely broken). we're at least 20 years from PQC that can be widely trusted. there really just isn't an alternative to having a generation of grad students studying an algorithm that's as old as they are

[coppsilgold]

For signatures, hash based signatures are quantum computer resistant and are also more secure than any other signature scheme. No reliance on a math problem if you don't count the cryptographic permutation to be one, but then everything relies on it regardless of what scheme is used.

The McEliece cryptosystem[1] is one of finalists in the PQC competition and it's also quite old - developed in 1978. It didn't face as much scrutiny as RSA or ECC due to its large key sizes which resulted in nonexistent adoption.

My understanding is that all the other PQC candidates including Kyber are much newer and far less studied.

[1] https://en.wikipedia.org/wiki/McEliece_cryptosystem