Re: Encryption is complicated enough already
I don't think AES is at all safe in a post-quantum world, no matter what keys you choose.
A comment I found from 2013: "The best known theoretical attack is Grover's quantum search algorithm... this allows us to search an unsorted database of n entries in √n operations. As such, AES-256 is medium term secure against a quantum attack, however AES-128 is broken, and AES-192 isn't looking too good. With the advances in computational power (doubling every 18 months, etc.), no set keysize is safe indefinitely."
And that's the worst-case example of just using a QC as nothing more than brute-force on the keys, not even taking advantage of any particular exposed weakness, etc.
A QC will radically change the landscape of encryption forever, because it just works in a very different way. It's not a case of "just increase the keysize" any longer. The solution is IMMEDIATE. The keysize barely matters; it affects only the size of the QC that you need to build, not the time to solution. Once someone starts building decent-sized QCs and joining them together, you won't be able to make the key large enough to be practical for you to use, while impractical for them to build a machine capable of breaking it instantaneously.
AES is dead in such circumstances. As is pretty much every conventional encryption algorithm. That's why post-quantum cryptography is an entire area of research and relies on things which we have but which we DO NOT yet use in the ways we'd need to to make them post-Q safe. Even ECC cannot escape this and requires reinvention to be valid post-Q.
Think about how it works - it's no longer a case of just "making things laborious" in terms of brute-force. That's gone, in a post-Q world. No amount of brute-force can withstand instantaneous calculation. What works is literally: you get billions of possible answers (hashes used on an enormous scale as an integral part of the basic encryption system which they currently aren't), or you have to build a quantum computer so huge that your adversary can't afford it.
The latter is literally just a matter of time and effort again, though.
Post-Q instantly invalidates all currently deployed encryption methods overnight. They all become nothing more than plaintext, in effect. No matter how carefully you chose your keys, how big they were, how well you secured them, or what flaws may exist in the algorithm, etc.
Post-Q cryptography has to be a reinvention from first principles, which is why things like SPHINCS just don't have any resemblance to a current encryption system. Currently we USE encryption to build hashes. Post-Q we'll use hashes to build encryption.
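The comment quoted above leans on Grover's √n search cost. As an added illustration (not code from the poster or from any project mentioned here), the following pure-Python state-vector simulation runs Grover's search over a small unstructured space with one marked entry and shows the success probability peaking after roughly π/4·√N oracle calls, then over-rotating if you keep going. It assumes the textbook single-marked-item formulation and uses a constructed marked index; the key-size helper simply scales that π/4·√N count to a 2^k key space, which is the work-factor estimate the √n figure implies. The simulation is exponential classically, so it is only meant for a handful of bits.

```python
import math


def grover_search_probability(n_bits: int, marked: int, iterations: int) -> float:
    """Classically simulate Grover's search over N = 2**n_bits entries with a
    single marked entry. Returns the probability that a measurement taken
    after `iterations` oracle calls yields the marked index.

    The state vector is stored explicitly, so this is exponential in n_bits
    and intended only for small n_bits (the quantum machine does this on
    n_bits qubits).
    """
    n = 1 << n_bits
    if not 0 <= marked < n:
        raise ValueError("marked index must lie inside the search space")

    # Start in the uniform superposition: every entry has amplitude 1/sqrt(N).
    amp = [1.0 / math.sqrt(n)] * n
    for _ in range(iterations):
        # Oracle: phase-flip the amplitude of the entry that satisfies the predicate.
        amp[marked] = -amp[marked]
        # Diffusion operator: reflect every amplitude about the mean amplitude.
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]
    return amp[marked] ** 2


def optimal_grover_iterations(n_entries: int) -> int:
    """Iteration count at which the marked entry's probability peaks: floor(pi/4 * sqrt(N))."""
    return int(math.floor(math.pi / 4 * math.sqrt(n_entries)))


def classical_expected_trials(n_entries: int) -> float:
    """Expected number of guesses for an unstructured classical search: N/2."""
    return n_entries / 2


def grover_oracle_calls_for_key_bits(key_bits: int) -> float:
    """Approximate oracle calls Grover needs against a k-bit key space (assumption:
    the same pi/4 * sqrt(N) scaling with N = 2**k; each oracle call would itself
    be a full cipher evaluation)."""
    return math.pi / 4 * 2.0 ** (key_bits / 2)


def sweep(n_bits: int, marked: int, max_iterations: int) -> list:
    """Success probability after 0..max_iterations iterations, for plotting or eyeballing."""
    return [grover_search_probability(n_bits, marked, k) for k in range(max_iterations + 1)]


if __name__ == "__main__":
    n_bits, marked = 10, 0b1011001101  # constructed example: N = 1024, one marked entry
    n = 1 << n_bits
    best = optimal_grover_iterations(n)
    print(f"N = {n}: classical expected trials = {classical_expected_trials(n):.0f}, "
          f"Grover optimum = {best} oracle calls")
    for k, p in enumerate(sweep(n_bits, marked, best + 8)):
        flag = "  <- peak" if k == best else ""
        print(f"  iterations={k:3d}  P(marked)={p:.4f}{flag}")
    for bits in (128, 192, 256):
        print(f"{bits}-bit key space: ~{grover_oracle_calls_for_key_bits(bits):.3g} oracle calls")
```

Running it shows the probability climbing from 1/1024 to about 0.9995 at 25 iterations and then falling again, which is why an attacker cannot simply iterate longer; the √N figure is the cost of one full-probability search. The last loop makes the scaling concrete: doubling the key length squares the number of oracle calls, each of which is a cipher evaluation inside the quantum circuit.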