The problems arise when data is intercepted now. Sure, some encrypted information won’t be useful/sensitive once the advent of cryptographically significant quantum computers comes but if any packets are simply stored now and saved for the future, that encryption will be rendered broken and the information leaked once there’s a practical Shor’s/Grover’s implementation.
Store those packets long enough and even ordinary, non-quantum computers will become fast enough to factor the requisite large numbers within a reasonable period of time to unlock the comparatively primitive encryption which had been in use back when the packets were captured.
We're really just saying that quantum computers could theoretically decrypt those old stored packets sooner than the non-quantum computers will be able to do it.
But the non-quantum computers will definitely be able to do it someday. Those stored packets are not staying encrypted forever, regardless of whether or not quantum computing is eventually made to work effectively and efficiently and economically.
That’s true, but the absolute values of the timeframes involved are quite different. Classical computing is speeding up, for sure, but breaking RSA-4096 (as an example) will take significantly longer to be feasible than the 10-20 year estimate for quantum computers. That’s assuming that classical computers are still roughly following Moore’s Law. For quantum computers, the difference between RSA-2048 and RSA-4096 is pretty negligible (it’s linear) while it’s exponentially more difficult for classical computers.
10-20 years a short enough timeframe that all sorts of PII could remain useful. Some people haven’t changed their passwords in a decade or two. If you extend those timeframes out over 100+ years then the sensitivity of PII begins to decline pretty significantly, though admittedly not to zero.
Unfortunately that’s a problem regardless of quantum computing because the computational power of classical computing continues to even without the threat of QC on the horizon.
PFS is not magic, it depends on exactly the same type of trapdoor algorithm as other asymmetric cryptography but using randomly chosen keys which are then forgotten. Forgetting the keys + Breaking them being too hard = Forward Secrecy. If someone finds out the key later, they can decrypt the messages, just as if they'd been told it at the time.
A Quantum Computer that breaks say, 2048-bit RSA also breaks the PFS-enabled Diffie-Hellman style key exchanges, it's almost exactly the same trick, a variant of the Discrete Logarithm Problem.
That's only really useful in key exchange scenarios (DH/ECDH). A lot of implementations use RSA or similar to directly encrypt packets of information, though it's generally not recommended for reasons such as this.
