the difficult part is dealing with the 5+ million vulnerable coins (p2pk outputs, outputs sitting in reused addresses, shared xpubs, etc). implementing a post-quantum signature scheme alone doesn't address the fact that 1/3 of the supply is vulnerable to theft. people need to voluntarily move their coins to quantum-safe addresses for the fork to be effective. that could take a few years, based on the adoption rate of segwit.
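Added example, not from any poster in this thread: a small Python classifier that shows what "vulnerable output" means in the post above. It recognises the common scriptPubKey templates, treats P2PK outputs as exposing their public key directly, and treats P2PKH/P2WPKH outputs as exposed only once the same address has been spent from before (address reuse). The UTXO sample, the `address_spent_before` flag (which a real tool would have to derive from a chain index) and the BTC amounts are all constructed for illustration.

```python
"""Classify constructed UTXOs by whether their public key is already visible on chain.

Added example for this thread; the sample data below is constructed, not real chain state.
"""
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


def script_type(script: bytes) -> str:
    """Recognise the standard scriptPubKey templates by their exact byte layout."""
    n = len(script)
    # P2PK: <push 33|65-byte pubkey> OP_CHECKSIG  -> pubkey is in the output itself
    if n in (35, 67) and script[0] == n - 2 and script[1] in (0x02, 0x03, 0x04) \
            and script[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and script[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and script[0] == OP_HASH160 and script[1] == 0x14 and script[-1] == OP_EQUAL:
        return "p2sh"
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and script[0] == 0x00 and script[1] == 0x14:
        return "p2wpkh"
    # P2WSH: OP_0 <32-byte hash>
    if n == 34 and script[0] == 0x00 and script[1] == 0x20:
        return "p2wsh"
    return "unknown"


@dataclass
class Utxo:
    script_hex: str
    value_btc: float
    # Assumption: the caller derives this from a chain index. True if any earlier
    # output paying this same script has already been spent (address reuse).
    address_spent_before: bool = False


def pubkey_exposed(u: Utxo) -> bool:
    """True if the public key guarding this output is already public knowledge."""
    t = script_type(bytes.fromhex(u.script_hex))
    if t == "p2pk":
        return True                       # key is literally in the output
    if t in ("p2pkh", "p2wpkh"):
        return u.address_spent_before     # a prior spend revealed the key in its witness/scriptSig
    return False                          # only a hash is visible until the output is spent


def exposure_summary(utxos) -> dict:
    """Total value sitting behind already-revealed public keys, plus its share of the set."""
    exposed = sum(u.value_btc for u in utxos if pubkey_exposed(u))
    total = sum(u.value_btc for u in utxos)
    return {
        "exposed_btc": exposed,
        "total_btc": total,
        "exposed_fraction": exposed / total if total else 0.0,
    }


# Constructed scripts: the key bytes are filler, not real keys or hashes.
COMPRESSED_PUBKEY = "02" + "11" * 32
UNCOMPRESSED_PUBKEY = "04" + "22" * 64
P2PK_COMPRESSED = "21" + COMPRESSED_PUBKEY + "ac"
P2PK_UNCOMPRESSED = "41" + UNCOMPRESSED_PUBKEY + "ac"
P2PKH = "76a914" + "33" * 20 + "88ac"
P2WPKH = "0014" + "44" * 20
P2SH = "a914" + "55" * 20 + "87"

# Constructed UTXO set: 100 BTC total, 70 BTC behind exposed keys.
SAMPLE_UTXOS = [
    Utxo(P2PK_COMPRESSED, 50.0),                        # early-style P2PK coinbase: exposed
    Utxo(P2PKH, 10.0, address_spent_before=False),      # fresh address: key still hashed
    Utxo(P2PKH, 20.0, address_spent_before=True),       # reused address: key already revealed
    Utxo(P2WPKH, 5.0, address_spent_before=False),      # fresh segwit address: hashed
    Utxo(P2SH, 15.0),                                   # script hash only
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(script_type(bytes.fromhex(u.script_hex)), u.value_btc, "exposed" if pubkey_exposed(u) else "hashed")
    print(exposure_summary(SAMPLE_UTXOS))
```

The point the example makes: a new signature scheme changes nothing for the 50 BTC P2PK output or the 20 BTC in the reused address, because their keys are already on chain; only the owner moving those coins to a new output type removes them from the exposed set.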
Indeed. The question of what to do with the coins that are not moved to quantum-proof addresses is a huge problem.
From my amateurish perspective, it seems to me that if the problem couldn't be solved in time, and it came to a choice between either
(a) burning anything that hasn't been moved, or
(b) leaving them there to be scooped up by a QC
... then I think option (a) is far preferable.
You can't just soft-fork to a situation where some bitcoins are quantum resistant and some aren't.
i agree, (a) is hands down the most reasonable option.
you've just highlighted the crux of the problem:
https://bitcointalk.org/index.php?topic=1469099.0
it's crazy, but most bitcoiners would prefer not to burn QC-vulnerable outputs. they would prefer to let QC wreak havoc on bitcoin's monetary integrity. the consensus is that burning outputs is "stealing" and that we simply shouldn't worry about the QC boogeyman.
if that's what the community plans to do, then everyone should stop repeating that "lost coins are a donation to holders". that's a lie---they aren't a donation because they can be stolen and dumped on the market once ECDSA is compromised.
If it did come down to it I honestly cannot see anybody complaining about a hard fork if it was a simple choice between the end of Bitcoin or it carrying on (but those who did not move their coins before any fork just might have a differing view).
it could even be done with soft forks---one soft fork to implement a post-quantum signature scheme, and another to destroy all ECDSA-secured outputs after date x.