
> Worth spending a little time doing some long tail strategizing I’d say.

Yup, like Bitcoin going to zero.



I'm a little more in my wheelhouse here -- without an algo change, Grover's algorithm would privilege quantum miners significantly, but not any more than the industry has seen in the last 13 years (C code on CPU -> GPU -> Large Geometry ASIC -> Small Geometry ASIC are similarly large shifts in economics for miners probably).

As to faking signatures and, e.g. stealing Satoshi's coins or just fucking up the network with fake transactions that verify, there is some concern and there are some attack vectors that work well if you have a large, fast quantum computer and want to ninja in. Essentially you need something that can crack a 256-bit ECDSA key before a block that includes a recently released public key can be inverted. That's definitely out of the reach of anyone right now, much less persistent threat actors, much less hacker hobbyists.

But it won't always be. The current state of the art plan would be to transition to a quantum-resistant UTXO format, and I would imagine, knowing how Bitcoin has managed itself so far, that will be a well-considered, very safe, multi-year process, and it will happen with plenty of time.
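The point above about a public key being "recently released" is worth making concrete, because it splits Bitcoin outputs into two very different risk classes. Below is an added example (not from this thread and not Bitcoin's own code) that triages a constructed set of outputs by whether an attacker with a fast discrete-log solver could work on them at leisure (the EC point is already on-chain: pay-to-pubkey outputs, Taproot outputs, or a hash-locked address whose key was exposed by an earlier spend, i.e. address reuse) or only inside the confirmation window after a spend reveals the key. The `h160` helper is a labelled stand-in for Bitcoin's HASH160, and every key, outpoint and value is constructed.

```python
"""Which coins are exposed to a quantum discrete-log attack before vs only after spend."""
import hashlib
from dataclasses import dataclass


def h160(pubkey: bytes) -> bytes:
    """Stand-in for Bitcoin's HASH160 = RIPEMD160(SHA256(pubkey)).

    RIPEMD-160 is not guaranteed to be present in hashlib, so this example
    (an assumption, not Bitcoin's real function) truncates one SHA-256 to 20 bytes.
    """
    return hashlib.sha256(pubkey).digest()[:20]


@dataclass(frozen=True)
class Utxo:
    outpoint: str       # "txid:vout", constructed label
    script_type: str    # "p2pk" | "p2pkh" | "p2wpkh" | "p2tr"
    payload: bytes      # pubkey for p2pk/p2tr, 20-byte key hash for p2pkh/p2wpkh
    value_btc: float


@dataclass(frozen=True)
class SpentInput:
    outpoint: str
    pubkey: bytes       # key revealed in scriptSig/witness when a hash-locked output is spent


KEY_ON_CHAIN = {"p2pk", "p2tr"}      # the output script itself carries an EC point
HASH_ON_CHAIN = {"p2pkh", "p2wpkh"}  # the output carries only a hash of the key


def triage(utxos, history):
    """Split UTXOs into 'long_range' (key already public; attacker can work offline)
    and 'short_range' (key revealed only at spend; attacker must beat confirmation)."""
    reused = {h160(inp.pubkey) for inp in history}
    long_range, short_range = [], []
    for u in utxos:
        if u.script_type in KEY_ON_CHAIN:
            long_range.append(u)
        elif u.script_type in HASH_ON_CHAIN:
            (long_range if u.payload in reused else short_range).append(u)
        else:
            raise ValueError(f"unknown script type {u.script_type}")
    return long_range, short_range


def exposed_value(utxos, history):
    """Total value an attacker could target without racing a confirmation."""
    long_range, _ = triage(utxos, history)
    return round(sum(u.value_btc for u in long_range), 8)


# Constructed sample data: not real keys or transactions.
K_A = b"\x02" + b"\x11" * 32   # constructed 33-byte compressed keys
K_B = b"\x03" + b"\x22" * 32
K_C = b"\x02" + b"\x33" * 32
K_T = b"\x44" * 32             # constructed 32-byte x-only Taproot output key

SAMPLE_UTXOS = [
    Utxo("aa:0", "p2pk",   K_A,       50.0),  # early coinbase style: raw key in script
    Utxo("bb:1", "p2pkh",  h160(K_B), 1.5),   # hash only, but K_B was reused (see history)
    Utxo("cc:0", "p2wpkh", h160(K_C), 0.25),  # hash only, never spent from
    Utxo("dd:0", "p2tr",   K_T,       2.0),   # Taproot output is itself an EC point
]
SAMPLE_HISTORY = [SpentInput("bb:0", K_B)]   # an earlier spend already revealed K_B

if __name__ == "__main__":
    lr, sr = triage(SAMPLE_UTXOS, SAMPLE_HISTORY)
    print("attackable offline :", [u.outpoint for u in lr])
    print("attackable at spend:", [u.outpoint for u in sr])
    print("exposed BTC:", exposed_value(SAMPLE_UTXOS, SAMPLE_HISTORY))
```

The practical reading: coins behind a never-reused hash-locked address only become a target for the few minutes between broadcast and confirmation, which is the race the comment describes, while pay-to-pubkey coins, reused addresses and Taproot outputs can be attacked at any time, so those are the ones a migration plan has to move first.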


You fool! And I say that affectionately. Another fool says: the security of Bitcoin relies on the inability to (among other things) derive a private key from a public key. This is just basic cryptography, like Turing vs Enigma. This machine can "calculate" solutions to problems in time frames that break the whole way that cryptocurrency works. You better believe that what we hear about is old. These types of systems, and there must be non-public versions, could solve a private key from a public key, in easily less than O(fu) time.

EDIT: it's like rainbow hashes, but every possible variation is a color, not granular like binary, but all and any are included.


I think you’re going to need about 10,000,000 qubits to divert a transaction, but that’s still within foreseeable scale. I think it’s extremely likely that the foundation will have finished their quantum resistance planning before we get to 10MM coherent qubits, but still, it’s a potential scenario.

More likely that other critical infrastructure failures will happen within trad-finance, much larger vulnerability footprint, and being able to trivially reverse engineer every logged SSL session is likely to be a much more impactful turn of events. I’d venture that there are significant ear-on-the-wire efforts going on right now in anticipation of a reasonable bulk SSL de-cloaking solution. Right now we think it doesn’t matter who can see our “secure” traffic. I think that is going to change, retroactively, in a big way.


I agree that the scary scenario is stored SSL frames from 20 years of banking. That's nuclear meltdown scenarios.


To do what? Replay? Just curious on an attack vector.


Hopefully replay attacks will not be useful, but confidential information will be abundant. There will be actionable information mixed in there, and it will be a lot of data. Just imagine if everything whispered suddenly became shouted.


It could be true. But pearls are rare and storage is expensive.


It is, and I don’t see a way to avoid it.


> Yup, like Bitcoin going to zero.

If the encryption on Bitcoin is broken, say goodbye to the banking system.


[pedantic hat on] Bitcoin doesn't use encryption.

You mean digital signatures - and yes, we use signatures everywhere in public key cryptography.


Not really. Banking systems have firewalls and access controls. Quantum computations would be useless.


Those don't really mean anything when an attacker can eavesdrop on customer and employee comms and possibly redirect transactions (MITM).


Banking communications and transactions will all be protected by quantum-resistant protocols and ciphers well before that will become a problem. Most of these already exist, and some of them can even be deployed.


Bitcoin will just fork to a quantum proof encryption scheme and there will be something called "bitcoin classic" that is the old protocol (which few would care about)


Last time they did that, people stuck with bitcoin classic instead of the larger block size variant of bitcoin, which today is known as bitcoin-cash.


Eh, they will add a quantum-resistant signature scheme (already a well-understood thing), then people can transfer their funds to the new addresses before it is viable to crack the existing addresses.
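The comment calls a quantum-resistant signature scheme a well-understood thing. As an added illustration (not from this thread, not any Bitcoin project's code, and not a claim about which scheme Bitcoin would deploy), here is a Lamport one-time signature over SHA-256, the simplest hash-based scheme: its security rests only on preimage resistance of the hash, which Grover's algorithm weakens by a square root rather than breaking outright, unlike ECDSA under Shor. The example also shows the scheme's sharp edge, that a key may sign exactly once: a second signature leaks the other half of the secret key, and `forge` checks what an observer of both signatures could then sign. All messages are constructed.

```python
"""Lamport one-time signatures over SHA-256, and why 'one-time' matters."""
import hashlib
import secrets

N = 32          # digest length in bytes
BITS = 8 * N    # message digest bits; one secret pair per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant bit of each byte first."""
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(BITS)]


def keygen():
    """sk: 256 pairs of random 32-byte preimages; pk: their SHA-256 images."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Each revealed preimage must hash to the public-key entry chosen by the bit."""
    if len(sig) != BITS:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


def learn(observed):
    """What an observer learns from (msg, sig) pairs made with ONE key:
    a list mapping position -> {bit: preimage}. Every signature exposes
    one of the two preimages at each of the 256 positions."""
    known = [dict() for _ in range(BITS)]
    for msg, sig in observed:
        for i, b in enumerate(msg_bits(msg)):
            known[i][b] = sig[i]
    return known


def forge(known, target: bytes):
    """Return a valid signature on target if every needed preimage has been
    observed, else None. With one honest signature this only reproduces it;
    with two, roughly half the positions are fully exposed."""
    sig = []
    for i, b in enumerate(msg_bits(target)):
        if b not in known[i]:
            return None
        sig.append(known[i][b])
    return sig


def demo():
    sk, pk = keygen()
    m1 = b"send 1 BTC to addr X"          # constructed messages
    m2 = b"send 1 BTC to addr Y"
    s1, s2 = sign(sk, m1), sign(sk, m2)   # signing twice with one key is the mistake
    known = learn([(m1, s1), (m2, s2)])
    forged = forge(known, m2)
    return {
        "valid": verify(pk, m1, s1),
        "tampered": verify(pk, b"send 9 BTC to addr X", s1),
        "fully_exposed_positions": sum(len(k) == 2 for k in known),
        "forge_seen": forged is not None and verify(pk, m2, forged),
        "forge_fresh": forge(known, b"send 1 BTC to addr Z") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Two things this makes visible that the comment glosses over. First, the cost: the public key here is 2 × 256 × 32 bytes and a signature is 256 × 32 bytes, which is why practical hash-based designs build a Merkle tree over many one-time keys (XMSS, SPHINCS+) and why "just add a quantum-resistant scheme" has real block-space consequences. Second, the failure mode: after two signatures about half the positions are fully exposed, so the attacker can re-sign any message already seen and, with a few more reuses, almost anything.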


So the first company that can break bitcoin addresses using quantum computers gets a prize of how many billion(?) dollars by stealing all the non-migrated addresses.

Is that a crime? Lots of forgotten keys in there.


A very interesting philosophical and moral can of worms you just opened there. Bitcoin is governed by the protocol, so if the protocol permits anyone who can sign a valid transaction involving a given UTXO to another address, then it technically isn't a "crime". Morally I'm not sure I'd be able to sleep well at night if I unilaterally took what I didn't exchange value for.

As for the forgotten key case, I think the only way to prove you had the key at some point would need to involve the sender vouching for you and cryptographically proving they were the sender.


Morally, there is no quandary: it's obviously morally wrong to take someone else's things, and knowing their private key changes nothing.

Legally, the situation is the same: legal ownership is not in any way tied to the mechanism of how some system or another keeps track of ownership. Your BTC is yours via a contract, not because the BTC network says so. Of course, proving to a judge that someone else stole your BTC may be extremely hard, if not impossible.

Saying "if the protocol permits anyone who can sign a valid transaction involving a given UTXO to another address, then it technically isn't a "crime"" is like saying "traditional banking is governed by a banker checking your identity, so if someone can convince the banker they are you, then it technically isn't a "crime"".

The only thing that wouldn't be considered a crime, in both cases, is the system allowing the transaction to happen. That is, it's not a crime for the bank teller to give your money to someone else if they were legitimately fooled; and it's not a crime for the Bitcoin miners to give your money to someone else if that someone else impersonated your private key. But the person who fooled the bank teller / the miners is definitely committing a crime.


Traditional banking is governed by men with guns who depend on votes (for appearances). They always have recourse and motivation to intervene with private transactions. Not so much the case with bitcoin, which is extralegal for the most part and doesn't depend on them.



