Post Quantum Cryptography

My thoughts on Post Quantum Cryptography in 2022

Today we rely primarily upon cryptography that is hard for classical computers to crack. The underlying strength relies on trapdoor functions, which are easy to go one way and hard to go the other way. We consider something secure if the cryptography is so hard to crack with current methods that the time taken to intelligently explore all possibilities would surpass the heat death of the universe.
We expect the future will deliver quantum computers that can disrupt classical cryptography and undo the trapdoor functions in use today. We call that future "post-quantum". Post-quantum cryptography (PQC) is cryptography that is resistant to an adversary with a sufficiently advanced quantum computer. PQC is an active field of research and PQC solutions are still being investigated and analyzed.
"Crypto Agile" has been a buzz word in the security space lately. Can I be agile and transition to PQC now?
Only as an experiment! By experimenting you will see where your existing system will break. However, PQC algorithms have not reached approved and recommended status! (2022) The keys and signatures (either or) are absolutely massive. If your system limits how large your key sizes and signatures may be then your system will break because of PQC.
I've heard about doing hybrids, what about that?
Hybrids exist as a transitionary stage in case classical cryptography is broken. But the PQC side may also be broken like SIKE did.
X.509, the technology behind certificates, is an extensible specification for storing cryptographically bound assertions and establishing trust. While the technology is sound, paying money for these certificates is not. NIST and others have not settled on what our future holds. Browsers and other applications will not deploy PQC algorithms outside of limited experiments.
My CISO thinks we should get these in production and he found a vendor ready to sell us some certificates at a discount!
Push back on that. Wait until Lets Encrypt deploys PQC hybrid certificates before hopping on the bandwagon with any certificate authority. History repeats itself as the PKI dot com bubble toots its horns again.
How would I do a crypto agile hybrid algorithm for my application?
That's dangerous! Do you really want to roll your own cryptography? Without knowing these tools or options, you might invent a flexible cryptography engine. With that in place, can you protect yourself from downgrade attacks? Will you have dedicated resources later to migrate away from whatever crypto you invented when it breaks? PQC is an active area of research. Unless you are experimenting, stay far away and do not bring cryptographic experiments into your product.
Oh! So I should buy a product off the shelf instead! They've done the experiments already to know what's good!
Don't waste your business's resources. PQC is still new and being evaluated by experts. Adding PQC to your application is likely premature. You can be crypto agile without PQC, for more see Cryptographic Agility.