[ifwinterco]

It’s also because harvest now decrypt later is the main concern.

This means even if you think viable quantum computers are 20 years away, in contexts where HNDL is an issue that means really you should be thinking about this now.

In contexts where that isn’t an issue you can debate whether we have 5 years, 10 years, 20 years or 50 years but in the case of the SSL key exchange we need to think about it now regardless

[mswphd]

these have always been an issue, and were the motivation for starting the NIST standardization in ~2016. My point is more that recent developments in quantum computing have caused many cryptographers to go from "we should do this so people are secure if progress happens in the decades from now" to "this may be a near-term issue, and we should prioritize transition for user safety issues". You can read some about this in a cloudflare article from 2 months ago, which mentions some recent developments that have people concerned about possible "Q-day" being in ~2029-2030". This is much earlier than what was the consensus 5 years ago.

https://blog.cloudflare.com/post-quantum-roadmap/

Part of this is because of a 3rd reason to transition early, which is the "long tail" of deployments which will switch over (potentially very) slowly. Think embedded/iot devices that are either difficult to patch, or have vendors who are not as security-focused.

[ifwinterco]

Yeah I think once this ball started rolling it was inevitable it would gain momentum from both sides.

More money for quantum research increases the possibility of breakthroughs, while simultaneously more money for PQC research means more practical, reliable post-quantum cryptosystems that can actually be implemented.

End result is fairly quickly you go from "this is a problem for the fairly distant future and ECDHE is fine" to "we should implement PQ key exchange basically right now"