by yanmaani 1664 days ago
PoS is not more quantum-resistant, because of the situation with Shor's algorithm, and because a key compromise would be much more damaging.

It might be, in the future, if you replaced the keys, but it isn't now. Words mean things, and it really is important to use them correctly.

(Also, wouldn't the network respond by just raising the difficulty, miners respond by buying quantum computers, and the world continue to spin as usual?)


PoS is a class of consensus protocol, not any particular blockchain. It's orthogonal to signature algorithms. A blockchain can incorporate any combination of consensus algorithm and signature algorithm. So yes, please use your terms correctly.

If sufficiently powerful quantum computers become readily available to anyone, sure, everybody will upgrade. Given the exotic hardware they typically require, it seems likely that for a while only a few large organizations will have them.

If you're fine with changing algorithms, wouldn't PoW also be able to change to something more quantum-resistant?

Grover's algorithm is pretty general; I don't think there is anything we know about that we could switch to.

Shor's is faster but more specific. It works on factoring and elliptic curves, but not on hashes. The advantage of Shor's is that if you have enough qubits, you can get the answer immediately. Grover's only offers quadratic speedup, effectively halving the number of bits in the hash function.

So for signatures we just need to switch to something like a hash-based signature algorithm, with keys having twice as many bits as we'd want against classical attackers. But we don't have hash functions that keep Grover's from working, so a quantum miner would be way faster than classical miners.
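A minimal Lamport one-time signature, added here to illustrate the hash-based signature route the last comment describes (example code, not from any commenter); the choice of SHA-256 and the 256-bit security parameter are assumptions, picked so that a Grover-halved preimage search still leaves 128 bits.

```python
import hashlib
import secrets

# Security parameter in bits. 128 bits of preimage resistance would do
# against a classical attacker; doubling to 256 compensates for Grover's
# quadratic speedup, as the comment above suggests. (Assumed values.)
N_BITS = 256
N_BYTES = N_BITS // 8


def H(data: bytes) -> bytes:
    """The only primitive the scheme needs: a preimage-resistant hash.
    No factoring or elliptic-curve structure exists for Shor to exploit."""
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key: two random preimages per message bit,
    public key is the hash of each preimage."""
    sk = [[secrets.token_bytes(N_BYTES) for _ in range(2)] for _ in range(N_BITS)]
    pk = [[H(sk[i][0]), H(sk[i][1])] for i in range(N_BITS)]
    return sk, pk


def message_bits(msg: bytes):
    """Sign the hash of the message so exactly N_BITS bits are committed."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    """Reveal one preimage per bit. The key is one-time: a second message
    would reveal preimages for both values of some bit, enabling forgery."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Recompute the bits and check each revealed preimage hashes to the
    corresponding public-key half."""
    if len(sig) != N_BITS:
        return False
    bits = message_bits(msg)
    return all(H(sig[i]) == pk[i][bits[i]] for i in range(N_BITS))


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"transfer 1 coin to bob")  # constructed sample message
    print(verify(pk, b"transfer 1 coin to bob", sig))  # True
    print(verify(pk, b"transfer 9 coin to bob", sig))  # False
```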