Board: Development & Technical Discussion
Re: Quantum Computer vs Bitcoin
by nullius on 24/12/2017, 18:39:37 UTC
haltingprobability, thank you for your informative overview of the situation.

A few nits:

> In fact, this is why Bitcoin uses the public-key hash instead of the public-key itself and recommends against address-reuse; in the event of working, at-scale QC, your coins are still secured behind 128-bit-equivalent security as long as you don't reuse addresses or publish the public-keys for your addresses.

0. Actually, that would be 160-bit equivalent security, yes?

1. As a general point, I will worry about disclosing Bitcoin public keys at the same time I start to worry about disclosing my long-term PGP public key.  (For those in the peanut gallery:  The latter would be entirely useless without public disclosure.)

There are excellent reasons to avoid address reuse; but this is not one of them.  I say this as a paranoid security nut:  The security of publicly disclosed public keys is just fine.  That is why they are called public keys.  The only exception I would here make is if you have coins which you intend to potentially leave in cold storage for decades.  Then, yes, you will want the extra security margin of the key being unpublished.  That’s not only a concern about quantum computers:  Unexpected cryptanalytic techniques could develop over the course of many years.  For cryptography which really needs to stand the test of time, reducing your security requirements to a hash is simply good security hygiene.  (For the same reason, I want to switch from the trust anchoring of my “nullius” nym from Ed25519 to Lamport signatures; I simply need to find or build a readily available, reasonably usable, long-term stable implementation.)