
There are no particular negative interactions between the hash functions and quantum cryptography.

Bitcoin is designed so that different asymmetric crypto controlling coins can be compatibly introduced, as has been done a couple of times in the past (to introduce revisions to the script system). PQ crypto could be introduced in that way.

Unfortunately, existing PQ signature schemes don't have a great mix of maturity and performance that makes them especially attractive absent a clear and present need.

For years I maintained a private patch set to introduce hash-based signatures on short notice if needed. I haven't for a number of years now, in part because there are now enough contributors that I'm confident that if it were needed it could be done quickly without any special preparatory effort.

Users can change the rules governing their coins just by moving them.



Does this include seamlessly migrating wallet keys to a quantum-resistant scheme without end-user intervention? It seems that users would need to do a kind of transaction using existing keys to a new wallet/key pair?


Yes, users would need to take some action, otherwise how would you know whether your coins were being moved to your new key vs. my new key? :)

We know how to construct kinds of forward compatibility that could allow coins to be spent with a new scheme, but the specific scheme would have to be set in advance so that users could generate the future keys at the same time they generate the current ones. And, as mentioned, the existing choices aren't that great (for this application).

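The two points above (hash-based signatures as the on-short-notice PQ fallback, and forward compatibility that requires the future key to exist when the current key is generated) as a small added example. This is not Bitcoin code and not a Bitcoin proposal: it is a textbook Lamport one-time signature over SHA-256, plus a hypothetical commitment `commit_address` that binds a placeholder "current" public key and a future hash-based key into one identifier. The placeholder current key and the commitment format are assumptions for illustration only.

```python
# Added illustrative example (not Bitcoin's code): a Lamport one-time signature over
# SHA-256, and a hypothetical forward-compatible commitment to a future hash-based key.
import hashlib
import os

N = 256  # bits of the message digest; one preimage pair per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=os.urandom):
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def pk_digest(pk) -> bytes:
    """Compact 32-byte commitment to the full (16 KiB) public key."""
    return H(b"".join(a + b for a, b in pk))


def _bit(digest: int, i: int) -> int:
    # bit i counted from the most significant end of the 256-bit digest
    return (digest >> (N - 1 - i)) & 1


def lamport_sign(sk, msg: bytes):
    """Reveal one preimage per digest bit. The key is ONE-TIME: signing two
    different messages with it leaks enough preimages to enable forgeries."""
    d = int.from_bytes(H(msg), "big")
    return [sk[i][_bit(d, i)] for i in range(N)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(N))


def commit_address(current_pub: bytes, lamport_pk) -> bytes:
    """HYPOTHETICAL forward-compatible identifier (assumption, not a real format):
    it commits to today's key and to a future hash-based key at the same time,
    which is exactly why the fallback scheme must be fixed before keygen."""
    return H(b"commit|" + current_pub + pk_digest(lamport_pk))


def spend_with_future_key(addr: bytes, current_pub: bytes, lamport_pk, msg: bytes, sig) -> bool:
    """Fallback spend path: prove the revealed keys match the commitment, then
    check the hash-based signature over the spend message."""
    return commit_address(current_pub, lamport_pk) == addr and lamport_verify(lamport_pk, msg, sig)


if __name__ == "__main__":
    # Constructed sample: a placeholder 33-byte "current" public key (assumption).
    current_pub = b"\x02" + b"\x11" * 32
    sk, pk = lamport_keygen()
    addr = commit_address(current_pub, pk)
    msg = b"move coins to new key"
    sig = lamport_sign(sk, msg)
    print("fallback spend verifies:", spend_with_future_key(addr, current_pub, pk, msg, sig))
    print("tampered message rejected:", not spend_with_future_key(addr, current_pub, pk, b"move coins to MY key", sig))
```

The point the code makes concrete: the only thing on "chain" before the fallback is ever used is a 32-byte hash, so the fallback key costs nothing until needed, but it cannot be chosen later because the commitment already fixes it. A Lamport key is also strictly one-time (signature size is 8 KiB and the public key 16 KiB), which is the performance and usability gap the comment refers to; stateful or stateless many-time hash-based schemes trade size and signing cost to remove the one-time restriction.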

Is it reasonable to assume that many wallets won't get migrated and could eventually be seized by whoever (eventually) possesses a sufficiently strong QC? If Larry Fink is right, then that could be untold billions, assuming for the sake of argument that BTCUSD goes to $1,000,000 by the time such a QC is feasible.

If Satoshi Nakamoto did lose his keys to those treasure-trove wallets, those will be up for grabs, as will those of anyone else who lost their keys.

Perhaps hoarded encrypted PCAPs aren't the only motivator for quantum opportunists.



