Quantum computers do not break "all known practically useful cryptography".
For symmetric crypto, some schemes will have to be dropped, and others will require larger keys. But we can (for example) just keep right on using AES 256.
For asymmetric crypto, we'll have to switch to some new schemes, but those exist (though I don't know of any current software using them). For example:
It's true that symmetric crypto isn't entirely broken by quantum computers, although in many cases the key sizes need to be doubled. However, I wrote my original statement with that fully in mind, because symmetric crypto by itself is not really all that useful. All useful applications need at least some asymmetric crypto, even if it's just to distribute keys for more efficient symmetric crypto.
As for the alternatives to asymmetric crypto: I like lattices, I've studied them a lot myself, though not in a crypto context. But have you looked at the required key sizes of those alternative schemes? They're pretty horrible and not at all comparable to what we have today.
Obviously people will continue research on this, and perhaps something close to elliptic curves in terms of efficiency will be found. I certainly hope so, but I'm not holding my breath.
I agree that archived traffic is an issue as well, but personally I'm more worried about the future than the past.
I hadn't previously looked at lattice crypto in much detail, and was not aware the keys were as big as they are; thanks for pointing that out. That said, a big performance hit isn't necessarily the same thing as being practically unusable. It certainly explains why nobody's using it now. I'd be curious to read some concrete performance analyses.
A sibling comment points out one use case for symmetric-only crypto.
I'm also curious what people would actually do if forced to deal with a symmetric-only world.
I think it is more likely that we'd see cumbersome ways of dealing with key distribution than that people would just stop using crypto in all the places we rely on public key schemes today. Think symmetric keys printed on your bank statement (maybe with a QR code?). We'd definitely see it used a lot less than now.
That said, we'd probably have about the same number of people doing end-to-end email encryption; key distribution with an asymmetric scheme is no picnic either :P.
For symmetric crypto, some schemes will have to be dropped, and others will require larger keys. But we can (for example) just keep right on using AES 256.
For asymmetric crypto, we'll have to switch to some new schemes, but those exist (though I don't know of any current software using them). For example:
https://en.m.wikipedia.org/wiki/Lattice-based_cryptography
The bigger worry, I think, is what about all of the existing traffic that has been archived?