there is every chance an update will be made to counter any threat before it arises
The problems here are (a) achieving sufficient consensus on a QC-proof update to avoid a damaging chain-split and, more importantly, (b) deciding what to do with any coins that remain vulnerable to QCs after the upgrade.
If a QC-proof upgrade of bitcoin is implemented, the coins are not safe until they are moved to QC-proof addresses. Some coins have not been moved in years, and early coins are particularly vulnerable. There is the highly contentious issue of how to resolve this impasse for coins that are not moved in time, or that can no longer be accessed classically. Should they be burned to prevent theft by a QC? Or should they be left alone to be stolen? What constitutes theft anyway? It's been discussed at length and quite some time ago.
Yes, sooner or later a QC will be developed that can run Shor to break public key cryptography. ECDSA is utterly insecure. Private keys can be derived from public keys. A solution is obviously needed in advance of such a QC becoming available. The problem here is that all coins will have to be moved to quantum-proof addresses. What happens to those coins that (for whatever reason) aren't moved? Do we leave them to be stolen by a QC, wreaking havoc and potentially destroying all of crypto? This is not hyperbole; it's a genuine threat. Or do we burn them before they can be stolen? It's a hugely contentious issue that goes right to the heart of bitcoin, cryptocurrencies, and decentralisation.
Theymos, ahead of the (elliptic) curve, posted about this back in 2016 (quote below). The thread that this triggered on bitcointalk was full of misunderstanding and outrage, and is perhaps indicative of the scale of opposition that such a move to QC-safe cryptography will face.
I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!
Edit: To be absolutely clear: I am not proposing (and would never propose) a policy that would have the goal of depriving anyone of his bitcoins. Satoshi's bitcoins (which number far below 1M, I think) rightfully belong to him, and he can do whatever he wants with them. Even if I wanted to destroy Satoshi's bitcoins in particular, it's not possible to identify which bitcoins are Satoshi's. I am talking about destroying presumably-lost coins that are going to be stolen, ideally just moments before the theft would occur.
This issue has been discussed for several years. I think that the very-rough consensus is that old coins should be destroyed before they are stolen to prevent disastrous monetary inflation. People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation. Allowing lost coins to be recovered violates this assumption, and is a systemic security issue.
So if we somehow learn that people will be able to start breaking ECDSA-protected addresses in 5 years (for example), two softforks should be rolled out now:
One softfork, which would activate ASAP, would assign an OP_NOP to OP_LAMPORT (or whatever QC-resistant crypto will be used). Everyone would be urged to send all of their bitcoins to new OP_LAMPORT-protected addresses.
One softfork set to trigger in 5 years would convert OP_CHECKSIG to OP_RETURN, destroying all coins protected by OP_CHECKSIG. People would have until then to move their BTC to secure addresses. Anyone who fails to do so would almost certainly have lost their money due to the ECDSA failure anyway -- the number of people who lose additional BTC would be very low. (There might be a whitelist of UTXOs protected by one-time-use addresses, which would remain secure for a long time.)
https://www.reddit.com/r/Bitcoin/comments/4isxjr/petition_to_protect_satoshis_coins/d30we6f/

There's a later discussion here:
I've been looking for later news on the web, but not found much. Presumably (hopefully) the discussion has moved on considerably since 2016. If anyone is familiar with the latest discussions on this topic, please respond in this thread!
I'm unsure if it counts as a considerable move, but my imagination has stopped there.
https://bitcointalk.org/index.php?topic=5191219.msg52769870#msg52769870
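A Lamport one-time signature of the kind theymos's OP_LAMPORT sketch above refers to, written out as an added example. This is my own Python, not code from this thread, from Bitcoin Core, or from any actual proposal; the choice of SHA-256, the key layout, and the sample messages are assumptions. The second half shows the property that makes such keys strictly single-use: every signature reveals half of the secret preimages, and after a handful of signatures under one key an attacker can sign a message the owner never signed.

```python
import hashlib
import secrets

# Added example: Lamport one-time signature over a 256-bit SHA-256 digest.
# Assumptions (not from the thread): SHA-256 as the hash, 32-byte preimages,
# message digest bits read most-significant first.
N_BITS = 256


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    # Secret key: for each bit position, two random preimages (one per bit value).
    # Public key: the hash of each preimage. 2 * 256 * 32 bytes = 16 KiB.
    sk = [(rng(32), rng(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def message_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    # Reveal, for each digest bit, the preimage matching that bit (8 KiB).
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    # Hash each revealed preimage and compare with the committed value for that bit.
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(message_bits(msg)))


def leaked_preimages(observed):
    # Collect every preimage exposed by the observed (message, signature) pairs.
    leaked = [dict() for _ in range(N_BITS)]
    for msg, sig in observed:
        for i, bit in enumerate(message_bits(msg)):
            leaked[i][bit] = sig[i]
    return leaked


def forge_after_reuse(pk, observed, candidates):
    # Key-reuse attack: a candidate message is forgeable when, at every bit
    # position, the preimage its digest needs has already been leaked.
    # With one observed signature only the signed digest itself is covered;
    # with ~12 signatures almost every position has both preimages exposed.
    leaked = leaked_preimages(observed)
    for target in candidates:
        bits = message_bits(target)
        if all(bits[i] in leaked[i] for i in range(N_BITS)):
            sig = [leaked[i][bits[i]] for i in range(N_BITS)]
            if verify(pk, target, sig):
                return target, sig
    return None


if __name__ == "__main__":
    sk, pk = keygen()
    # Constructed sample messages, not transactions from the chain.
    signed = [(b"tx %d" % i, sign(sk, b"tx %d" % i)) for i in range(12)]
    attempt = forge_after_reuse(pk, signed, [b"attacker tx %d" % i for i in range(64)])
    print("forged after 12 signatures:", attempt is not None)
```

Sizes are the first practical problem (16 KiB public key, 8 KiB signature with SHA-256), and the one-time constraint is the second: `forge_after_reuse` returns nothing when only a single signature has been seen, but succeeds almost immediately once a key has signed a dozen messages, because the leaked preimages then cover nearly every bit position. A consensus-level hash-based scheme has to address both, which this example does not attempt.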