1. Not all Bitcoin on legacy addresses is vulnerable; only addresses whose public key is publicly known are at risk.
2. A quantum computer can brute-force a private key from a public key far faster, but not instantly. The actual owner can move their Bitcoin to a quantum-resistant address with high fees.
2. So how is this different from brute-forcing from just an address?
The existence of a quantum computer, and whether the public key of an address is known or not.
1. Not all Bitcoin on legacy addresses is vulnerable; only addresses whose public key is publicly known are at risk.
I didn't say all legacy addresses were vulnerable, but we already know that many millions of coins currently are. Consider this:
https://twitter.com/pwuille/status/1108085284862713856
My answer is (c) 5M-10M BTC. This includes all outputs with P2PK/raw multisig outputs, plus P2PKH outputs with known pubkeys, and P2SH/P2WSH with known scripts.
2. A quantum computer can brute-force a private key from a public key far faster, but not instantly. The actual owner can move their Bitcoin to a quantum-resistant address with high fees.
I think it would be reckless to make that assumption. It underestimates the potential power of the adversary's hypothetical machine. We may be talking about the same situation as a race attack. If the adversary forces a holder to spend all their coins as mining fees, the end result is the same: he loses his coins and they are recirculated into the supply.
It's also very unlikely that all holders of vulnerable outputs would be in a position to race the adversary. We're talking about a window of minutes or even seconds.
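The distinction the thread keeps circling (pubkey already public vs. only a hash public, and the moment a spend turns the second into the first) is easy to pin down in code. The following is an added example, not code from any poster or from the linked tweet: it classifies a constructed UTXO sample the way Wuille's categories do (P2PK/raw multisig, hash-based outputs whose pubkey or script was revealed by an earlier spend), and goes one step further by treating Taproot (P2TR) outputs as exposed too, since their scriptPubKey carries a tweaked public key directly. The txids, hashes and "already revealed" sets are made up for illustration; amounts are integer satoshis.

```python
"""Which outputs could a Shor-capable adversary actually target?

Added example for this thread (not a poster's code). Shor's algorithm
recovers a private key from a *public key*, not from a hash of one, so an
output is "exposed" only when the pubkey (or the script holding pubkeys)
is already visible on-chain. All data below is constructed, not real
chain data.
"""

from dataclasses import dataclass

SAT = 100_000_000  # satoshis per BTC


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    script_type: str   # p2pk | multisig | p2pkh | p2wpkh | p2sh | p2wsh | p2tr
    locker: str        # pubkey(s) for p2pk/multisig/p2tr, otherwise the hash in the scriptPubKey
    amount_sat: int


# Constructed: pubkey hashes and script hashes whose preimage already appeared
# in a spending input somewhere on the chain (the "known pubkey/script" case).
REVEALED_PUBKEY_HASHES = {"pkh_reused"}
REVEALED_SCRIPT_HASHES = {"sh_known"}

# Constructed sample UTXO set (hypothetical txids and lockers).
SAMPLE_UTXOS = [
    Utxo("tx_coinbase_2009", 0, "p2pk", "04ab...", 50 * SAT),       # early coinbase: pubkey sits in the script
    Utxo("tx_reuse", 1, "p2pkh", "pkh_reused", 10 * SAT),           # address spent from before, then refilled
    Utxo("tx_fresh", 0, "p2pkh", "pkh_fresh", 3 * SAT),             # never spent from: only the hash is public
    Utxo("tx_sh", 0, "p2sh", "sh_known", 2 * SAT),                  # redeem script already revealed
    Utxo("tx_wsh", 0, "p2wsh", "wsh_fresh", 7 * SAT),               # witness script still secret
    Utxo("tx_bare_ms", 0, "multisig", "02aa...,03bb...", 1 * SAT),  # bare 1-of-2: pubkeys in the script
    Utxo("tx_tr", 0, "p2tr", "x_only_tweaked_key", 4 * SAT),        # taproot: the output key is a pubkey
]


def pubkey_exposed(u: Utxo, revealed_pkh: set, revealed_sh: set) -> bool:
    """True if the key behind this output can be attacked from public data alone."""
    if u.script_type in ("p2pk", "multisig", "p2tr"):
        return True                      # pubkey(s) are literally in the scriptPubKey
    if u.script_type in ("p2pkh", "p2wpkh"):
        return u.locker in revealed_pkh  # hash only, unless an earlier spend showed the pubkey
    if u.script_type in ("p2sh", "p2wsh"):
        return u.locker in revealed_sh   # hash only, unless an earlier spend showed the script
    raise ValueError(f"unknown script type {u.script_type!r}")


def reveal_on_spend(u: Utxo, revealed_pkh: set, revealed_sh: set) -> None:
    """Spending a hash-locked output puts its pubkey/script into the input.

    From that broadcast onward any coin still locked to the same hash is
    exposed; this is the short window the race-attack discussion is about.
    """
    if u.script_type in ("p2pkh", "p2wpkh"):
        revealed_pkh.add(u.locker)
    elif u.script_type in ("p2sh", "p2wsh"):
        revealed_sh.add(u.locker)


def exposure_report(utxos, revealed_pkh: set, revealed_sh: set) -> dict:
    """Split a UTXO set into exposed vs. hash-only value."""
    exposed = [u for u in utxos if pubkey_exposed(u, revealed_pkh, revealed_sh)]
    exposed_sat = sum(u.amount_sat for u in exposed)
    total_sat = sum(u.amount_sat for u in utxos)
    return {
        "total_sat": total_sat,
        "exposed_sat": exposed_sat,
        "hashed_only_sat": total_sat - exposed_sat,
        "exposed_outpoints": [f"{u.txid}:{u.vout}" for u in exposed],
    }


if __name__ == "__main__":
    r = exposure_report(SAMPLE_UTXOS, REVEALED_PUBKEY_HASHES, REVEALED_SCRIPT_HASHES)
    print(f"exposed {r['exposed_sat'] / SAT} BTC of {r['total_sat'] / SAT} BTC")
    for op in r["exposed_outpoints"]:
        print("  at risk:", op)
```

On the constructed sample, 67 of 77 BTC is exposed and only the two never-spent-from hash outputs (10 BTC) are not. `reveal_on_spend` shows why "just move it" is a race rather than a fix: the moment the fresh P2PKH output is spent, its pubkey is in the mempool and the same classifier flips it to exposed.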
Good point, but you forget that the race can start when a quantum-resistant address is available for use. If it's deployed before a quantum computer with sufficient qubits exists (some sources mention 1500 qubits for 256-bit ECC), then the owner has a big head start.
Fees are only problematic when the owner decides to move when the network is busy, or after such a quantum computer exists.