by Out_of_Characte 483 days ago
What many miss is that updating your encryption algorithm now means decrypting all your previous data and then re-encrypting it with the new algo. This is very expensive, time-consuming and is something that you must do before encryption is broken or before your encrypted data is stored for later decryption.

This move, hopefully, promises to avoid this headache if the algo is actually post-quantum.

I'm not so sure it's expensive (in general at least, not sure about their case). I think the typical approach for encrypting data is: Use asymmetric crypto to protect a master symmetric key. Then use that master key to get per-data (e.g. per file) symmetric keys. Then encrypt all the data with the data symmetric keys.

You can just replace the non-pq asymmetric protection with pq asymmetric protection.

I would agree with you if the risk was only the in-flight asymmetric crypto data. But as I understand it, when you use non-pq asymmetric crypto to roll the symmetric key in, then you would still risk the unbreakable symmetric encryption when the carrier protocol gets broken. Reusing the same key would be an amateur mistake. Now, 'just replace the asymmetric crypto' becomes 'your data is only safe in-flight because everyone knows our shared symmetric key'.

All of this is very low risk, but anyone wishing to have post-quantum encryption probably wouldn't appreciate three-letter agencies having all of the symmetric keys if you ever used the weaker algo versions in a post-quantum world.

>You can just replace the non-pq asymmetric protection with pq asymmetric protection.

Would you really feel safe with that?
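The key hierarchy the thread describes (an asymmetric wrap over a master key, per-file keys derived from it, files encrypted under those), as an added example that is not from the thread: it contrasts "just re-wrap the master under a PQ key" with a full rotation, and checks whether a master key harvested under the old wrap still reads every file. The HMAC-based toy cipher stands in for a real AEAD and the symmetric KEK stands in for the asymmetric layer; both are constructed for illustration.

```python
import hmac, os
from hashlib import sha256

# Toy AEAD standing in for AES-GCM (constructed for this example, not for production use):
# HMAC-SHA256 keystream XORed over the data, plus an HMAC tag over nonce and ciphertext.
def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), sha256).digest()
                    for i in range(length // 32 + 1))

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"tag" + nonce + ct, sha256).digest()
    return nonce + ct + tag

def toy_decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, sha256).digest()):
        return None  # wrong key or tampered ciphertext
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def file_key(master: bytes, file_id: str) -> bytes:
    # Per-file key derived from the master key (simple HMAC-based KDF).
    return hmac.new(master, b"file:" + file_id.encode(), sha256).digest()

class Store:
    """Envelope encryption: master key wrapped under a KEK (stand-in for the classical or
    post-quantum asymmetric layer); each file encrypted under its own derived key."""
    def __init__(self, kek: bytes, files: dict):
        self.master = os.urandom(32)
        self.wrapped_master = toy_encrypt(kek, self.master)
        self.files = {f: toy_encrypt(file_key(self.master, f), d) for f, d in files.items()}

    def rewrap_only(self, new_kek: bytes):
        # "Just replace the asymmetric protection": same master key, new wrapper only.
        self.wrapped_master = toy_encrypt(new_kek, self.master)

    def full_rotation(self, new_kek: bytes):
        # New master key, re-derived per-file keys, every file decrypted and re-encrypted.
        plain = {f: toy_decrypt(file_key(self.master, f), b) for f, b in self.files.items()}
        self.master = os.urandom(32)
        self.wrapped_master = toy_encrypt(new_kek, self.master)
        self.files = {f: toy_encrypt(file_key(self.master, f), d) for f, d in plain.items()}

def harvested_master_reads_all(store: Store, harvested: bytes) -> bool:
    # Attacker model: the old master key is recovered later by breaking its old (non-PQ) wrap.
    return all(toy_decrypt(file_key(harvested, f), b) is not None for f, b in store.files.items())
```

After `rewrap_only` the harvested master still decrypts everything; only `full_rotation` (the expensive re-encryption the first comment describes) closes that exposure.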