Re: Don't miss the point
The data has to be resistant to quantum attack n years before a QC attack is feasible, where n is the time value of the data.
That's a naive threat model. Data has to be resistant to attack by GQC machines until that attack's cost drops below the value of the data - just as with any other attack vector.
Even if the NSA has a unicorn-powered large-scale GQC machine now (vanishingly improbable), it is orders of magnitude less likely that using it to crack a large number of keys is possible, much less cheap enough to be worth doing. Given the vast number of qubits required for QEC for decent-sized problems, even a big-enough-to-be-useful GQC machine will almost certainly be applied to only a handful of extremely valuable problems.
I think research into post-quantum crypto is swell. It's nice that RLWE and similar algorithm families are becoming feasible for everyday use. But the data-lifespan arguments for PQC are mostly based on some highly unlikely assumptions.