
From researching post-quantum cryptographic schemes, it seems hash-based and lattice-based algorithms are the most promising (MQ-based seem to be covered by patents and have more potential unknowns which could be used to exploit them). Hash-based schemes seem like the most reliable, but lack certain features found in lattice-based algorithms, like the ability to do blind signatures.

For these reasons, I'm curious what the potential issues with lattice-based cryptographic systems are and how likely they are to result in practical issues for implementations (be it key and signature size increases to compensate, or hard-stop issues where you simply can't work around them with lattice-based cryptosystems).

  • What key and signature sizes are expected to be secure currently?
  • What if new algorithms come along as a worst-case scenario? (Assuming 256 bits of security in both cases.)
Rohit Gupta
CoryG

0 Answers