Using a sealed_box type construct (eg. tool like age[1]) with non-hybrid ECC.
Payload is encrypted to some recipient ECC public key.
In this scenario, the recipient public key remains secret.
Having nothing but the encrypted payload, can a cryptographically relevant quantum computer (CRQC) crack the ECC to obtain the symmetric key?
Would using the public key itself as an additional input to the KDF (which determines the symmetric key) help?
Can a CRQC crack ECC without a public key?
Actually, that depends on how ECC is being used.
The most obvious example is ECDSA; even if you don't give the adversary that public key, he can with the signature and the message recover the public key (within a few possibilities); and then use his fancy CRQC to break that.
On the other hand, if you're doing ECIES, that is, the message is $rG, \text{Enc}( \text{KDF}( rH ), \text{message} )$, he can't really - he could recover $r$, but without knowing $H$ (which is the public key), $rH$ could be any curve point, and so that's effectively symmetric crypto, which CRQC's are not good against.
Given that age doesn't document (at least from what I can find, and I'm not about to go about code spelunking) what it does internally, I wouldn't say which way it is. On the other hand, this reasoning works only if the recipient's public key is completely unknown - if the adversary has (say) 1000 public keys, and the recipient's public key is somewhere on this list, this reasoning doesn't work.
