I just want to note you only need an algorithm that protects against 2^80 quantum operations for short-term keys. Regardless, I doubt anyone is going to be spending a billion dollars to crack data sent over a single Tor connection.