Without near 100% use of quantum signatures, short range quantum attacks would mean Bitcoin game theory is over.

By now, it's well-discussed that anyone using an older Bitcoin transaction type which exposes their public key is the most vulnerable to a quantum attack on Bitcoin, if that ever materializes: if your public key is sitting in the open for years, the first Q-swiper can spend months or years focusing engineering effort on that single public key.

It's also been mentioned that any transaction type requiring you to reveal your public key while spending is vulnerable to a short range attack. Suppose that the Q-swipers have cleaned out all the vulnerable address types, and now want to go after a transaction where the public key is hashed. The instant the transaction is posted to the mempool, if the Q-swipers work quickly enough, they can find the private key, repost a different transaction with higher fees and double-spend the UTXO before it gets into the next block.

This sounds bad, and the solution usually offered is to submit the transaction privately to miners. You can trust the miner to whom you have submitted the transaction (they have a reputation). Once it's included, you're safe, right?

No. That's not exactly how Nakamoto Consensus works. Finality is always up to probabilistic assurances, and the probabilistic assurances are only good provided that actors are motivated to follow predictable behaviors. If they don't, the probabilistic assurances are worthless.

It's worse than you think - it immediately unravels and it's gruesome.

Let's look at today's numbers (never mind the dwindling subsidy, which makes this all much worse): blocks pay miners about $250,000. The total value transacted is often 1000 times that. If even 90% of the value transacted in a block is from previously quantum safe UTXOs, the 10% that remains exposed after a block is mined is still on the order of 100x the block reward itself. This means there's 100x the block reward available to be double spent by overwriting a single block.

If quantum attacks can be deployed quickly and cheaply, then immediately after any block, you will see $10M to $100M worth of "Hail Mary" double spend attempts. Naturally, since anyone with quantum can play, there will be auction dynamics, and the miner fees will be astronomical.

Just to reiterate, in full gory detail. A miner mines a block and gets, say, $250,000 in subsidy and fees. A few minutes later, the mempool has $50,000,000 worth of fees sitting there for any miner who writes a competing block. That competing miner is clever, of course, and they aren't going to take all $50M for themselves. They're going to take, say, $40M, and leave the next miner to decide whether they want to take $10,000,000 in fees to consummate the 1-block reorg, or take the $250,000 to build on the original tip and hope that all the other miners are like-minded.

The incentives for any individual miner to take this payout are so asymmetrical that at this point we have to be relying on norms and understandings among the miners themselves.

But Nakamoto consensus works because short range reorgs are very, very difficult to make profitable. They aren't impossible; if a miner with 10% of the hashrate made it their goal to supplant a block, they would on average succeed more than once a day. Just having the attack available to any miner with a small chunk of hashrate means we have to put lots of trust in miners and their norms and gentleman's rules that go beyond the protocol itself.
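To make the incentive argument above concrete, here is a small model that puts the post's round numbers (a $250,000 block reward, roughly 1000x that in transacted value, 90% of it already quantum safe) next to the 1-block reorg odds for a miner with a given hashrate share. This is an added example, not code from the post; the race model it uses (the attacker must find the next two blocks before the rest of the network finds one) is a simplifying assumption, labelled in the comments, and the $40M/$10M fee split is the post's own illustration.

```python
"""Toy model of the short-range reorg incentives discussed above.

Added example, not part of the original post. The block reward, value
multiple and fee split are the post's round figures; the reorg race
model is a simplifying assumption made here.
"""
import random

BLOCKS_PER_DAY = 144  # ~10-minute block interval


def exposed_value_per_block(block_reward, value_multiple, safe_fraction):
    """Return (exposed_value, exposed_value / block_reward).

    block_reward   : subsidy + fees paid to the block's miner
    value_multiple : total value transacted in the block, as a multiple
                     of block_reward
    safe_fraction  : share of that value spent from quantum-safe UTXOs,
                     i.e. not double-spendable by key recovery
    """
    total_value = block_reward * value_multiple
    exposed = total_value * (1.0 - safe_fraction)
    return exposed, exposed / block_reward


def consummating_miner_choice(bounty, first_attacker_take, honest_reward):
    """What the *second* competing miner sees, following the post's story.

    The miner who writes the competing block keeps first_attacker_take of
    the double-spend fee bounty and leaves the remainder for whoever
    builds on top of it and thereby consummates the 1-block reorg. The
    alternative is the ordinary reward for extending the original tip.
    """
    return {
        "extend_reorg_fork": bounty - first_attacker_take,
        "extend_original_tip": honest_reward,
    }


def one_block_reorg_probability(hashrate_share):
    """Chance that a miner with share q replaces the most recent block.

    Assumption (simple race model): once an honest block at height h is
    published, the attacker must find its own block h and then block h+1
    before the rest of the network finds h+1. Each block goes to the
    attacker independently with probability q, so P = q ** 2.
    """
    return hashrate_share ** 2


def expected_reorgs_per_day(hashrate_share, blocks_per_day=BLOCKS_PER_DAY):
    """Expected number of successful 1-block reorgs per day under the model."""
    return blocks_per_day * one_block_reorg_probability(hashrate_share)


def simulate_reorgs_per_day(hashrate_share, days, seed=1):
    """Monte Carlo check of the race model: simulate each block as a race
    in which blocks are found by the attacker with probability q."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(days * BLOCKS_PER_DAY):
        attacker_blocks = 0
        # Race ends when the attacker has 2 blocks or the honest side has 1.
        while True:
            if rng.random() < hashrate_share:
                attacker_blocks += 1
                if attacker_blocks == 2:
                    successes += 1
                    break
            else:
                break
    return successes / days


if __name__ == "__main__":
    exposed, multiple = exposed_value_per_block(250_000, 1000, 0.90)
    print(f"exposed per block: ${exposed:,.0f} (~{multiple:.0f}x block reward)")
    print(consummating_miner_choice(50_000_000, 40_000_000, 250_000))
    q = 0.10
    print(f"P(1-block reorg) at {q:.0%} hashrate: {one_block_reorg_probability(q):.4f}")
    print(f"expected reorgs/day: {expected_reorgs_per_day(q):.2f}")
    print(f"simulated reorgs/day: {simulate_reorgs_per_day(q, days=200):.2f}")
```

With the post's numbers the exposed value comes out to $25M per block, 100x the reward, and a 10% miner succeeds in a 1-block reorg about 1.44 times per day under the race model, which is the "more than once a day" in the text. The point the model makes visible is that the protocol only compares $10M against $250,000 for the consummating miner; nothing in consensus itself resolves that choice.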