
The recent changes in iMessages and Signal for PQC made me think there may be something imminent going on in this realm


The main thing that changed "recently" is that NIST standardized ML-KEM (aka Kyber) for post-quantum cryptography, which was important for implementors. However, ML-KEM is still quite new, so it is mostly used in hybrid schemes with the "store-now-decrypt-later" threat in mind.

Other than that, I don't think anything fundamentally changed during the last 10-20 years.


PQC is useful because you can capture and hoard data now and decrypt it later when the hardware becomes available.


I know, but I'm thinking about the timing. Just speculating.


The sooner you get it, the less vulnerable data will be captured.


Related: I was under the impression that AES was safe (even AES-128). If it is so, why did Apple go for full PQC and not just the key exchange?

Would it be a good idea for Signal to double the key size?


That's a good question. I thought they were only using PQC for key exchange (which is referred to as Level 2), but they are not.

In the article, Apple explains why they chose to use Level 3:

> At Level 2, the application of post-quantum cryptography is limited to the initial key establishment, providing quantum security only if the conversation key material is never compromised. But today’s sophisticated adversaries already have incentives to compromise encryption keys, because doing so gives them the ability to decrypt messages protected by those keys for as long as the keys don’t change. To best protect end-to-end encrypted messaging, the post-quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single, point-in-time key compromise — both now and with future quantum computers. Therefore, we believe messaging protocols should go even further and attain Level 3 security, where post-quantum cryptography is used to secure both the initial key establishment and the ongoing message exchange, with the ability to rapidly and automatically restore the cryptographic security of a conversation even if a given key becomes compromised.

Article link: https://security.apple.com/blog/imessage-pq3/
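To make the Level 2 versus Level 3 distinction in the quoted passage concrete, here is an added example (not from the article, and not Apple's or Signal's protocol code) that runs a toy symmetric key chain with and without periodic post-quantum re-keying and counts how many message keys a single chain-key compromise exposes. The ECDH and ML-KEM shared secrets and the mid-conversation fresh secrets are constructed stand-ins, and `kdf`, `run_chain`, `attacker_exposure` and `simulate` are hypothetical names chosen for this illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    # HMAC-SHA256 as a one-step KDF; a real protocol would use HKDF.
    return hmac.new(key, label, hashlib.sha256).digest()

def run_chain(initial_secret, fresh_secrets, n_messages, rekey_every):
    """Derive one key per message from a symmetric ratchet.
    fresh_secrets stands in for ML-KEM encapsulations done mid-conversation;
    rekey_every=k mixes one in every k messages (Level 3), None never does
    (Level 2). Returns (message_keys, chain_keys), chain_keys[i] being the
    chain key held just before message i."""
    chain = kdf(initial_secret, b"root")
    msg_keys, chain_keys = [], []
    for i in range(n_messages):
        if rekey_every and i > 0 and i % rekey_every == 0:
            chain = kdf(chain + next(fresh_secrets), b"pq-rekey")
        chain_keys.append(chain)
        msg_keys.append(kdf(chain, b"msg"))
        chain = kdf(chain, b"chain")  # one-way forward step
    return msg_keys, chain_keys

def attacker_exposure(chain_keys, msg_keys, start, n_messages, rekey_every):
    """Adversary learns the chain key held before message `start` but no
    later fresh secret; count the message keys it can still derive."""
    chain, exposed = chain_keys[start], 0
    for i in range(start, n_messages):
        if rekey_every and i > start and i % rekey_every == 0:
            break  # next step mixes in a secret the adversary lacks
        assert kdf(chain, b"msg") == msg_keys[i]  # derivation really works
        exposed += 1
        chain = kdf(chain, b"chain")
    return exposed

def simulate(compromised_index=7, n_messages=40, rekey_every=10):
    # Constructed stand-in secrets; real ones would come from ECDH and ML-KEM.
    ecdh_ss, kem_ss = bytes(range(32)), bytes(range(32, 64))
    initial = kdf(ecdh_ss + kem_ss, b"hybrid")  # hybrid: both feed the KDF
    fresh = (hashlib.sha256(b"fresh-%d" % j).digest() for j in range(10_000))
    result = {}
    for level, k in (("level2", None), ("level3", rekey_every)):
        msg_keys, chain_keys = run_chain(initial, fresh, n_messages, k)
        result[level + "_exposed"] = attacker_exposure(
            chain_keys, msg_keys, compromised_index, n_messages, k)
    return result
```

With the defaults, a compromise at message 7 exposes every remaining message under Level 2 but only the three messages before the next re-key under Level 3, which is the "upper bound" the quoted text refers to.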


The imminent nonsense of fear-mongering and money wasting, mostly. Academic funds spent billions on PQC and academia has been paid to shill nonsense for long enough to convince some of these players to "ah, let's just integrate PQC, whatever". It's nothing more than a waste of money and resources.


Sorry, huh? Who's paying academia to shill? This is conspiracy thinking.

Changing cryptographic algorithms takes a long time - there are a lot of systems with this stuff embedded in them. Taking some modestly low-cost efforts _now_ to be prepared for a potentially "really bad" future event is more like buying insurance than anything else.

Is it a good choice? I dunno; I have no bets on the likelihood of a working crypto-breaking QC emerging in the next 30 years. But it's not really an irrational thing to worry about on a 10-30 year time horizon, and to simultaneously think that some of the computer systems we design and build today will still be running then.



