The headline is clickbait. The only reference to not rushing into quantum-proof encryption happens near the end of the article, and the warning is that folks adopt them gradually so that any vulnerabilities are caught.
This is standard practice blown out of proportion.
I don't get that sentiment from the article at all. The article is talking about the difficulty of targeting a problem space 'too early' vs 'too late'. Too early and you solve the wrong problem, too late and, well, the obvious.
Breaking the old RSA requires more quantum computing horsepower than breaking newer ECC schemes. So although ECC is far more resistant to current attacks, it is less resistant to quantum attacks. The NSA is just saying that you're better off staying with strong RSA security than you are investing tons into migrating to Suite B since you'll just have to migrate to whatever NIST has coming that is quantum-proof.
It's a totally different ball game though: this isn't about NIST recommending a shady algorithm with mysterious parameters, this is about a well-known standardization process that accepts submissions from cryptographers all around the world where anyone can review the proposals and make comments.
I don't care what they end up selecting as the winner (and to be honest, I'm so ridiculously paranoid that I don't trust Keccak, for instance), I just think that having a competition where everyone is spending all their energy looking for flaws in the other candidates is a great thing.
Next year China will announce a similar standardization process. Do I trust China? Of course not, but I really welcome this initiative anyways.
How can you be so sure? What if a nation state invents one and treats it as a Manhattan Project style secret?
> Whether post-quantum crypto exists today or not doesn't matter
Unless the first "Quantum computers that can break traditional crypto" are invented and announced tonight... then it matters about the current state of post-quantum crypto.