[ryao]

That seems like a mistake, since PQAs are an objective downgrade from ECC in everything except for immunity to Shor’s algorithm. It is not clear that machines with the tens of millions of qubits needed to run Shor’s algorithm will be constructed since there is no quantum moore’s law that gives us a clear roadmap to making them. If they never are made, then all of these PQAs will have been a waste and we will have missed opportunities for improvements from improved curves. For example, the failure to deploy EdDSA certificates in PKI has been a missed opoortunity. I hope the industry reverses course and deploys them, since they are a clear improvement over the current ECDSA certificates.

I can see using hybrid PQAs for key agreement as a hedge against quantum machines actually being constructed, but with the upcoming 47 day certificates, there really is no need to avoid EdDSA. If we come anywhere near constructing a quantum computer that can crack the public keys, the industry could pivot to ML-DSA with the older EdDSA certificates expiring before there is any risk of them being cracked.

[Retr0id]

If we assume cryptographically-relevant quantum computers will one day exist, you don't just need to worry about certs being cracked before they expire, but also the ECDH-established session keys being cracked. These keys are ephemeral, but if you store the ciphertexts long-term, you can crack them at any point in the future (aka https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).

[ryao]

Perfect forward secrecy means harvest now, decrypt later does not apply to signature algorithms when ephemeral keys are used and TLSv1.3 mandates ephemeral keys. If the ephemeral keys are cracked, that would be the fault of the key agreement algorithm, not the signature algorithm.

> If we assume cryptographically-relevant quantum computers will one day exist

One day could be 10,000 years in the future, so what meaning is there to such an assumption? You need to assume much more than that such machines will be constructed one day to suggest that there is a need for action. The industry is switching to hybrid key agreement algorithms out of an abundance of caution that it is not just one day that such a machine will be made, but one day in our lifetimes. It is not certain that will actually happen, but if it does, having adopted hybrid key exchange algorithms years in advance is enough. There is no need to switch signature algorithms from ECC until the creation of such a machine is imminent. Thus it is fine to proceed with EdDSA adoption in PKI.

[Retr0id]

The Eccfrog512ck2 curve can be used for both signatures and key agreement.