varx/tech@cuchaz There's some truth to that. For instance, the top post-quantum schemes seem to have pretty large keys, which might violate some protocol assumptions.
But they also might just work really differently in ways that don't match either RSA *or* ECC. Think of how ECC relies on key exchange rather than RSA's traditional asymmetric encryption, and doesn't have a notion of unifying encryption and signing. It seems to me there's a not-inconsiderable chance of further fundamental changes in the available primitives. Without being a serious cryptographer (let alone one who is up-to-date and has an eye for trends) it's impossible for me to make that kind of prognostication, though! I think keeping an eye on later versions of the protocol being able to swap out cryptosystems at a lower level makes sense, but I feel like it would be easy to unduly constrain the overall protocol.
(That said, all of the round-4 NIST PQ submissions appear to describe KEMs, making them more similar in shape to public-key ECC than to RSA, if I'm not totally misunderstanding things.)
All GNU social JP content and data are available under the