Not reusing addresses is not a solution

This is not correct. The transaction you send includes your public key, because the public key is needed to verify the signature. As soon as you send your transaction from your device, your public key is exposed on the internet.

The distinction between local and global quantum security is also important. Even before a QC can derive a private key from a public key in under 10 minutes, many wallets already have exposed public keys (such as Satoshi's). If Satoshi's coins are stolen and the market price crashes, your "safe" BTC will still be worth less, because the network as a whole will not be sufficiently quantum-resistant to retain confidence.

There are 3 distinct stages that a transaction passes through on its journey to confirmation:

  • On its way over the internet from your device to the node(s), where it is vulnerable to MITM attacks. At this point in time, interception of such a transmission poses no threat: there is no incentive to attempt it, because the exposed public key in your transaction is useless to an attacker. But as soon as a quantum computer can derive a private key from a public key, these transactions in transit will become gold for attackers.
  • When it is received by the nodes, your transaction waits in the "mempool" for a miner to add it to a to-be-mined block. The time it waits here depends on the network capacity, the fee associated with the transaction, and the number of other transactions that are also waiting to be added to a block (pending). When the network / mempool is overloaded, a transaction can be stuck for a bit (or for quite some time) until it is selected to be added to a block.
  • Once your transaction is added to a block and the miner starts hashing, the block time begins. That is 10 minutes, on average.

During this entire process after tx submission, the public key is published and can be obtained. A hijack can be carried out during all 3 periods, given a QC of sufficient power. A hijack during the last part, the block time, is explained in this paper. For hijacks during the block time, there is a 10-minute limit (the block time) within which a transaction is vulnerable. According to the paper, quantum computers could be powerful enough to do this as early as 2027. But MITM attackers, in general, have a much bigger window of time when you consider that some transactions spend hours "pending" in the mempool, especially when the BTC network is congested / operating at max capacity. This, together with the reality of already-exposed public keys, creates a significant risk even before 2027.

A transaction from a never-used address looks the same as one from a reused address: both carry the public key, and both can be hijacked during the stages described above.

"Okay, but if you don’t reuse your address, you don’t have to worry until there is a sufficiently powerful quantum computer that can derive the private key from the public key within the 10 minute blocktime."

There are many addresses (see the "address reuse" chart) out there that already have an exposed public key. These addresses do not have the 10-minute time limit protecting them. Even if it takes a quantum computer half a year to break such an address, there could be negative effects on the BTC price once the theft is detected.

This is especially true if Satoshi's 1M BTC are the subject of such an attack. Before 2012, block rewards were paid to an ECC public key, whereas today they are paid to the hash of a public key. This means that any coins generated by early miners (including Satoshi) which remain unmoved are vulnerable, even if the wallet in question has never sent a transaction.
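As an added example (not code from the original post), here is a small Python audit that makes the two exposure points concrete: it pulls public keys out of a spending scriptSig, which is what the three transaction stages above broadcast, and distinguishes pre-2012-style P2PK outputs, where the key is on-chain from the moment of funding, from P2PKH outputs, which reveal only a hash until the coins move. The script layouts are the standard Bitcoin ones; the sample key, signature and hash bytes are constructed.

```python
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def parse_script(script: bytes) -> list:
    """Split a script into opcodes (int) and pushed data (bytes). Direct pushes only."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:                 # OP_PUSHBYTES_n: the next n bytes are data
            items.append(script[i:i + op])
            i += op
        elif op in (0x4C, 0x4D, 0x4E):      # OP_PUSHDATA1/2/4 never occur in the scripts audited here
            raise ValueError("OP_PUSHDATA not supported by this parser")
        else:                               # any other opcode (OP_DUP, OP_CHECKSIG, ...)
            items.append(op)
    return items

def is_pubkey(item) -> bool:
    """Compressed (33 B, prefix 02/03) or uncompressed (65 B, prefix 04) secp256k1 key."""
    return isinstance(item, bytes) and (
        (len(item) == 33 and item[0] in (2, 3)) or (len(item) == 65 and item[0] == 4))

def classify_output(script_pubkey: bytes) -> tuple:
    """Return (script type, pubkey hex if the output itself exposes one, else None)."""
    items = parse_script(script_pubkey)
    if len(items) == 2 and is_pubkey(items[0]) and items[1] == OP_CHECKSIG:
        return "p2pk", items[0].hex()       # key is public the moment the output is funded
    if (len(items) == 5 and items[:2] == [OP_DUP, OP_HASH160] and isinstance(items[2], bytes)
            and len(items[2]) == 20 and items[3:] == [OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", None                # only HASH160(pubkey) is public until the coins move
    return "other", None

def keys_revealed_by_input(script_sig: bytes) -> list:
    """Public keys a spending scriptSig broadcasts (a P2PKH spend pushes <sig> <pubkey>)."""
    return [it.hex() for it in parse_script(script_sig) if is_pubkey(it)]

def audit_tx(script_sigs: list, script_pubkeys: list) -> dict:
    """Inventory the public keys a transaction exposes; scripts are given as hex strings."""
    outs = [classify_output(bytes.fromhex(s)) for s in script_pubkeys]
    revealed = [k for s in script_sigs for k in keys_revealed_by_input(bytes.fromhex(s))]
    revealed += [k for _, k in outs if k]
    return {"revealed_pubkeys": sorted(set(revealed)), "outputs": [t for t, _ in outs]}

# Constructed sample data: the secp256k1 generator point stands in for a user's key and the
# signature and hash bytes are dummy filler; nothing here is a real transaction.
SAMPLE_PUBKEY = "0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
SAMPLE_SIG = "30440220" + "aa" * 32 + "0220" + "bb" * 32 + "01"   # 71-byte DER-shaped sig + SIGHASH_ALL
SAMPLE_SCRIPT_SIG = "47" + SAMPLE_SIG + "21" + SAMPLE_PUBKEY      # push(71) <sig> push(33) <pubkey>
SAMPLE_P2PKH = "76a914" + "cc" * 20 + "88ac"                      # OP_DUP OP_HASH160 <20 B> OP_EQUALVERIFY OP_CHECKSIG
SAMPLE_P2PK = "21" + SAMPLE_PUBKEY + "ac"                         # <pubkey> OP_CHECKSIG (pre-2012 coinbase style)
```

Running `audit_tx([SAMPLE_SCRIPT_SIG], [SAMPLE_P2PKH, SAMPLE_P2PK])` reports the key revealed by the spend once and flags the P2PK output as exposing it again at funding time, while the P2PKH output exposes nothing until it is spent.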