[tromp]

I think that "having no known quantum attack" is a reasonable interpretation of "quantum resistant". If there were no possible "quantum attack" (under appropriate complexity assumptions, such as EC-DLP not being in P), then we could call it "quantum proof" instead of quantum resistant.

[DoctorOetker]

I understand what you mean, but I think such a concept or definition would be highly misleading: "having no known quantum attack" means every novel encryption method would be automatically "quantum resistant" for having had 0 adversarial attempts to find quantum or even classical weaknesses!

There should be some measure of competence-level-adjusted man-hours of cryptographers and mathematicians trying to swing their favorite hammers at the problem; in order to estimate this "quantum resilience".

[defrost]

In minutes, on a single computer, for example, is the lowest bar.

* https://mathematical-research-institute.sydney.edu.au/quantu...

* https://magma.maths.usyd.edu.au/magma/

Props to John Cannon, George Havas, Charles Leedham-Green, et al.