by cevi 1612 days ago
Why would SHA-256 be vulnerable to quantum computing? Grover's algorithm only gives a square-root speedup for reversing hash functions, and that's in the best-case scenario where there are no engineering issues (e.g. the need for error correction) which could create polynomial overhead. That still leaves you with 128 bits of security.

Quantum computing could certainly break elliptic curve cryptography, but my understanding is that this only becomes an issue if you publish your public keys (e.g. if you use your key to digitally sign a message) instead of just publishing their hash, which is not standard practice in Bitcoin (for exactly this reason).

2 comments

When you sign something with your private key you expose your public key. This means 1) if you receive money to an address and move that money elsewhere, subsequent money sent to that address is going to an address whose public key is public; and 2) if you publish a transaction to the blockchain, someone else can see it before it commits, get your public key, and attempt to race you to having a transaction included in a block.
These are both good points!
Public keys are published; that's the basis of any asymmetric encryption algorithm. On Ethereum and Bitcoin you are publishing a signed message, which means you are also emitting your public key; otherwise how can one verify that you signed the tx? Regarding quantum computing, I wouldn't be so sure, knowing that we can see a quantum computer with 1500 qubits starting from 2028; this will be sufficient to crack any Bitcoin wallet in less than 10 minutes. As you mentioned, the current hurdles are the huge error rate, but don't be fooled that it's going to be that way; even modern computing used to have this kind of errors (not the same nature, but still errors) in the beginning...
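The key-exposure point made in the two comments above (receiving to a pay-to-pubkey-hash address publishes only the hash; spending puts the public key itself on-chain, so later payments to that address land on an exposed key), as an added toy model in Python that is not from the thread or from Bitcoin's code. The hash function, the transaction shapes and the sample keys are assumptions; the check at the end flags outputs paid to an address whose key is already public.

```python
import hashlib
from dataclasses import dataclass, field

def pubkey_hash(pubkey: bytes) -> bytes:
    """Address = hash of the public key. Bitcoin uses RIPEMD160(SHA256(pk));
    a truncated double SHA-256 stands in here (assumption) so the example
    runs where hashlib has no ripemd160 provider."""
    return hashlib.sha256(hashlib.sha256(pubkey).digest()).digest()[:20]

@dataclass
class TxIn:
    prev_txid: str
    prev_index: int
    pubkey: bytes      # spending a P2PKH output puts the full pubkey on-chain
    signature: bytes   # constructed placeholder, not a real ECDSA signature

@dataclass
class TxOut:
    addr: bytes        # pubkey hash: the only thing a receiver publishes
    value: int

@dataclass
class Tx:
    txid: str
    vin: list = field(default_factory=list)
    vout: list = field(default_factory=list)

def exposed_addresses(chain):
    """Addresses whose public key has been revealed by a spend."""
    return {pubkey_hash(i.pubkey) for tx in chain for i in tx.vin}

def reused_outputs(chain):
    """Outputs paid to an address whose pubkey is already exposed, including
    change sent back to the spending address in the same transaction."""
    seen, flagged = set(), []
    for tx in chain:   # assumes chain is in confirmation order
        seen |= {pubkey_hash(i.pubkey) for i in tx.vin}
        for n, out in enumerate(tx.vout):
            if out.addr in seen:
                flagged.append((tx.txid, n, out.value))
    return flagged

# Constructed sample: PK_A / PK_B are made-up 33-byte compressed-key stand-ins.
PK_A = b"\x02" + b"\x11" * 32
PK_B = b"\x03" + b"\x22" * 32
ADDR_A, ADDR_B = pubkey_hash(PK_A), pubkey_hash(PK_B)
CHAIN = [
    Tx("tx1", [], [TxOut(ADDR_A, 50)]),                               # pay to A: only the hash is published
    Tx("tx2", [TxIn("tx1", 0, PK_A, b"sig")], [TxOut(ADDR_B, 49)]),   # A spends: PK_A is now public
    Tx("tx3", [], [TxOut(ADDR_A, 10)]),                               # A reused after exposure
]
```

Running `reused_outputs(CHAIN)` returns only the tx3 output; B's key never appears in an input, so its address is not flagged.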