Board: Beginners & Help
Re: Can quantum technology crack the secret key in the future?
by figmentofmyass on 19/01/2021, 20:27:41 UTC
but at the same time, the amount of bitcoins stolen from legacy addresses could have a catastrophic inflationary effect on the market.

since moving one's coins into quantum-resistant addresses is voluntary, millions of coins would likely remain unmoved. those would be stolen and circulated back into the economy.
Quote
1. Not all Bitcoin on legacy addresses is vulnerable; only addresses whose public key is publicly known are at risk.

i didn't say all legacy addresses were vulnerable, but we already know that many millions of coins currently are. consider this: https://twitter.com/pwuille/status/1108085284862713856

Quote
My answer is (c) 5M-10M BTC. This includes all outputs with P2PK/raw multisig outputs, plus P2PKH outputs with known pubkeys, and P2SH/P2WSH with known scripts.

granted, as the threat nears, a lot of those coins will be moved to quantum-resistant outputs. but if any of the estimates about the # of lost coins are remotely correct and we account for user ignorance/inaction, we could still be talking 3, 4, 5+ million vulnerable coins.

Quote
2. A quantum computer can brute-force the private key from the public key far faster, but not instantly. The actual owner can move their Bitcoin to a quantum-resistant address with high fees.

i think it would be reckless to make that assumption. it underestimates the potential power of the adversary's hypothetical machine. we may be talking about the same situation as a race attack. if the adversary forces a holder to spend all their coins as mining fees, the end result is the same---he loses his coins and they are recirculated into the supply.

it's also very unlikely that all holders of vulnerable outputs would be in a position to race the adversary. we're talking about a window of minutes or even seconds.
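The exposure categories in the quoted estimate (P2PK and bare multisig expose keys in the output itself; P2PKH/P2SH/P2WSH only once the address has been spent from) can be turned into an audit over a UTXO set. Added example, not code from the original post; the sample outputs and amounts are constructed dummy values.

```python
# Added example (not from the original post): classify scriptPubKeys by
# whether the key needed to spend them is already visible on-chain.
OP_0, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0xA9, 0xAC, 0xAE

def classify(spk: bytes) -> str:
    """Return the output type of a raw scriptPubKey (or 'unknown')."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -> the key sits in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"
    # bare multisig: OP_m <keys...> OP_n OP_CHECKMULTISIG -> keys in output
    if n > 3 and spk[-1] == OP_CHECKMULTISIG and 0x51 <= spk[0] <= 0x60 \
            and 0x51 <= spk[-2] <= 0x60:
        return "bare multisig"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH"
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "P2SH"
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "P2WPKH"
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return "P2WSH"
    return "unknown"

ALWAYS_EXPOSED = {"P2PK", "bare multisig"}    # key/script is in the output
HASHED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}  # only a hash until first spend

def pubkey_exposed(spk: bytes, spent_from_before: bool) -> bool:
    """True if the key needed to spend this output is already public.
    Hash-based outputs reveal their key/script the first time the address
    is spent from, so address reuse moves them into the exposed set."""
    kind = classify(spk)
    return kind in ALWAYS_EXPOSED or (kind in HASHED and spent_from_before)

def exposed_total(utxos) -> int:
    """Sum satoshis over UTXOs whose spending key is already public.
    utxos: iterable of (scriptPubKey bytes, value_sats, spent_from_before)."""
    return sum(v for spk, v, reused in utxos if pubkey_exposed(spk, reused))

# Constructed sample UTXO set (dummy key/hash bytes, not real outputs)
P2PKH_PREFIX, P2PKH_SUFFIX = bytes([OP_DUP, OP_HASH160, 20]), bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE = [
    (bytes([33, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]), 50_00000000, False),  # P2PK
    (P2PKH_PREFIX + b"\x22" * 20 + P2PKH_SUFFIX, 3_00000000, False),  # fresh P2PKH
    (P2PKH_PREFIX + b"\x33" * 20 + P2PKH_SUFFIX, 2_00000000, True),   # reused P2PKH
    (bytes([OP_0, 20]) + b"\x44" * 20, 1_00000000, False),            # P2WPKH
]
```

Running `exposed_total(SAMPLE)` counts the P2PK output and the reused P2PKH output (52 BTC of the 56 BTC sample) as already exposed.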