Comment by daneel_w

> Tangentially related but regarding RSA and ECC... With RSA can't we just say: "Let's use 16 384 bit keys" and be safe for a long while?

That's correct. The quantum computer needs to be "sufficiently larger" than your RSA key.

> Basically: for RSA and ECC, is there anything preventing us from using keys 10x bigger?

For RSA things get very unwieldy (but not technically infeasible) beyond 8192 bits. For ECC there are different challenges, some of which have nothing to do with the underlying cryptography itself: one good example is how the OpenSSH team still haven't bothered supporting Ed448, because they consider it unnecessary.