We need post-quantum key exchanges right now because future quantum computers might break messages encrypted today.

We’d prefer post-quantum signatures be deployed at the moment a quantum computer comes online. We only push for post-quantum signatures sooner because deployment takes ages. Also, there is a good case that quantum annoying signatures suffice for at least some time after a quantum computer comes online. And quantum annoying signatures might help prove a quantum computer exists in secret.

There is a much stronger argument that deployed VDFs need only be quantum annoying at the moment a quantum computer comes online. In essence, we expect that

- the first quantum computers should be too expensive and slow for an attack,
- VDFs are already vulnerable to super-conducting computing, ASICs, better ASICs, etc., which demands more robust usage from deployments.

Both Wesolowski’s and Pietrzak’s VDFs are already quantum annoying, if using the prefered class group instantiation where you hash to p. Also the isogenies VDF is quantum annoying. Among the serious VDF proposals, only the RSA VDF is not quantum annoying.

We should eventually devise a real post-quantum VDF that is compact , but we’re looking pretty good right now.

In this vein, VRFs are like signatures in that quantum annoying suffices for now, but we do want a post-quantum VRF eventually. It’s true hash chaining like RANDAO gives a VRF with singleton domain, except these suck and real VRFs have so many uses in consensus algorithms. I suppose hash-based signatures and zkSTARKs should both provide VRFs but they’re both too large for consensus protocols. It’s dubious if lattice-based techniques can ever yield a compact VRF. Isogenies seem like our best bet for a post-quantum VRF that is both compact and flexible. I’m super happy the construction in @asanso 's paper gives a quantum annoying VRF .