
So, is there some alternative quantum-resistant cipher ready (i.e. with open source implementation, say on github) that we can use today to encrypt our long-term secrets?



AES-256 is believed to be quantum-resistant. The only known quantum attack on AES-256 is utilizing Grover's algorithm, which is a universal approach.

As for asymmetric crypto, the ones we have now are susceptible to quantum attacks. There are a bunch of proposals for quantum-proof algorithms but nothing officially standardized yet. There is a NIST competition going on right now that is trying to find a new suite of asymmetric cryptographic algorithms [1]. You can find an awesome talk on the topic here [2].

If quantum computers are possible, we should switch to quantum proof algorithms now rather than later, because then we'd reduce the traffic that can be decrypted at a later point in time. It's quite dangerous right now considering that basically everything is protected by quantum-non-resistant ciphers.

[1]: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography

[2]: https://www.youtube.com/watch?v=ZCmnQR3_qWg


A one-time pass is still uncrackable.

Take your secret. Write it on a piece of grid paper. Fill EVERY FIELD on another piece of grid paper with random data. Transform every character on the first piece of paper based on the corresponding characters on the second piece of paper and write the result on a third piece of grid paper. Then burn the first piece of paper.

It's not possible to read the 3rd piece of paper without the 2nd now. You also obscure the length by filling the second piece of paper with data.


One-time pads are extremely impractical and error-prone. You need:

1. A secret key as long as the plaintext.

2. A consistent source of true randomness and a way of sampling it such that your secret key is truly random.

3. To never reuse a key once it's been used once.

Imagine the ramifications of retrofitting servers to use one-time pads for TLS. Moreover, essentially everything we take for granted in cryptography relies on constructions which use pseudorandom permutations and generators. Even if we resolved all these problems and forged ahead in a brave new world using stream cipher-like constructions based on one-time pads, we'd still have to rethink all of public-key cryptography.

This impracticality is one of the major reasons we moved on from information theoretic security to complexity theoretic security by the mid 20th century.
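The paper-grid procedure in the one-time-pad comment above, and the three requirements listed in the reply, as an added worked example (not code from either commenter): the pad comes from the OS CSPRNG and is as long as the fixed grid, the message is framed with a length prefix so the grid hides the true length, and `recover_from_reuse` shows why requirement 3 is not optional, since two ciphertexts under the same pad XOR to the XOR of their plaintexts and one known message then exposes the other. Function names and the 64-byte grid size are assumptions chosen for the illustration.

```python
import os


def generate_pad(length: int) -> bytes:
    # Requirement 2: pad bytes must be unpredictable. os.urandom is the OS
    # CSPRNG, the practical stand-in for "fill every field with random data".
    return os.urandom(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # The "transform every character" step: XOR is its own inverse, so the
    # same operation both encrypts and decrypts.
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def frame(msg: bytes, grid: int) -> bytes:
    # Fill the whole grid: 2-byte length prefix, the message, then zero fill.
    # Every ciphertext is exactly `grid` bytes, so the message length is hidden.
    if len(msg) > grid - 2:
        raise ValueError("message does not fit on the grid")
    return len(msg).to_bytes(2, "big") + msg + bytes(grid - 2 - len(msg))


def unframe(framed: bytes) -> bytes:
    # Read the length prefix and discard the fill.
    n = int.from_bytes(framed[:2], "big")
    return framed[2:2 + n]


def otp_encrypt(msg: bytes, pad: bytes, grid: int) -> bytes:
    # Requirement 1: the pad must cover the entire grid being encrypted.
    if len(pad) != grid:
        raise ValueError("pad must be exactly one grid long")
    return xor_bytes(frame(msg, grid), pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return unframe(xor_bytes(ciphertext, pad))


def recover_from_reuse(ct1: bytes, ct2: bytes, known_msg1: bytes) -> bytes:
    # Requirement 3 violated: both ciphertexts used the same pad, so
    # ct1 XOR ct2 == frame1 XOR frame2 (the pad cancels). Anyone who knows
    # one message (or can guess it) reads the other. This is the classic
    # two-time-pad failure, shown here so the rule is understood, not memorised.
    grid = len(ct1)
    diff = xor_bytes(ct1, ct2)
    return unframe(xor_bytes(diff, frame(known_msg1, grid)))


if __name__ == "__main__":
    # Constructed sample messages for the demonstration.
    pad = generate_pad(64)
    ct = otp_encrypt(b"meet at dawn", pad, 64)
    print(len(ct), otp_decrypt(ct, pad))           # 64 b'meet at dawn'
    ct_reused = otp_encrypt(b"abort mission", pad, 64)
    print(recover_from_reuse(ct, ct_reused, b"meet at dawn"))  # b'abort mission'
```

The round trip works for any message that fits the grid, and every ciphertext is the same 64 bytes regardless of content, which is the length-hiding property the comment describes. The reuse function is the part worth internalising: the pad itself never leaks, yet reusing it turns information-theoretic security into a simple known-plaintext problem, which is why practical systems keep pad material single-use or move to stream ciphers with per-message nonces.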


For what it's worth, quantum computers might give a provably correct source of 2 (random numbers).

The version I saw (requires 2 quantum devices): http://www.henryyuen.net/fall2018/scribe2.pdf

New paper that claims to do it with only one quantum device: https://arxiv.org/pdf/1804.00640.pdf


Sure, of course it's incomprehensibly impractical.


There is a variety of post-quantum public-key cryptography. These cryptosystems are based on a few different intractability assumptions: multivariate polynomials, lattices, error-correcting codes and supersingular isogenies.

Code is available for most of these proposals because NIST is currently running a PQCrypto Standardization CFP[1]. However I strongly recommend against deploying your own post-quantum cryptosystem for a few reasons:

1. As I've cited elsewhere in this thread, this paper notwithstanding, most leading researchers in the field are frankly bearish about the prospects of 2048-bit RSA being broken in the next 20 years or so.[2] This can obviously change, which leads me to the next few points of consideration.

2. Most of the post-quantum cryptosystems are not well-studied, relatively speaking. They are fundamentally unproven compared to classical systems - we just haven't had enough academic scrutiny yet. It's still premature to say which post-quantum cryptosystems will remain secure under academic scrutiny over the next few years. Many were dropped from consideration after Round 1 of the NIST standardization review.

3. Most (perhaps all) of the implementations are immature and not well-supported. The majority of them are proofs of concept for NIST, not production-ready code. Authors themselves will caution you against using them. We don't have a libnacl for post-quantum public-key cryptography right now, which means that you'd be substantially rolling your own interfaces to underlying primitive implementations. It's hard enough maintaining secure cryptography in production when everything has been done to keep you from footgunning yourself - you won't have such guardrails for post-quantum cryptosystems.

4. Unfortunately, all post-quantum cryptosystems are grievously inefficient in either time or spatial performance compared to classical cryptosystems. As a general rule of thumb, lattice and error-correcting code based cryptography tends to be on the faster side with very large key requirements, and isogeny-based cryptography tends to be on the slower side with lower key size requirements. But all are noticeably slower than classical systems across both dimensions.

You should wait until these cryptosystems have been proven out by academic and industrial research. Google[3] began implementing lattice-based cryptography for TLS in Google Chrome in 2016. Adam Langley has a nice writeup[4] which also includes a few performance concerns. He's also written a blog post to talk about the next round of implementations they'll start experimenting with[5].

_______________________

1. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Pos...

2. https://www.nap.edu/catalog/25196/quantum-computing-progress...

3. https://security.googleblog.com/2016/07/experimenting-with-p...

4. https://www.imperialviolet.org/2018/04/11/pqconftls.html

5. https://www.imperialviolet.org/2018/12/12/cecpq2.html



