alt Hacker News> so there's a case to be made for switching to quantum-resistant cryptography (like lattice-based cryptography) sooner rather than later.
This.
People seems to think that because something is end to end encrypted it is secure. They don't seem to grasp that the traffic and communication that is possibly dumped/recorded now in encrypted form could be used against them decades later.
Well. Yes, but currently there are no well tested (ie. recommended by the ITsec community) post-quantum cryptosystems as far as I understand.
https://crypto.stackexchange.com/a/61596
But ... AES is believed to be quantum-safe-ish, so with perfect forwards secrecy this exact threat can be quite well managed.
The currently best known quantum attack on AES requires a serial computation of "half of key length" (Grover's algorithm ... so if they key is 128 bit long then it requires 2^64 sequential steps)
https://www.reddit.com/r/AskNetsec/comments/15i0nzp/aes256_i...