It's a race though, and note that it is co-gov funded (=you're paying for your cryptographic secrets to be broken) so if you are a poor soul that is exposed to fiat (you probably are even if you aren't using it), then you also benefit if it succeeds, because then at least you weren't diluted for nothing.

I'm still in the camp of "do it right" rather than "move fast and break things", but since even NIST is focusing right now on transition w/ hybrid solutions, I'm still a fan of staging BIP-360, to at least get taproot at the same level as p2wpkh.

Maybe @Murch has knowledge about what's happening around BIP-360?

We can barely keep modern chips cool now I am expecting a company to solve this physics problem in three years?

To me the huge operational cost to get one of these things running is the saving grace. Such cost will require massive investment, which is ultimately going to require public demonstration and announcements of a working model....its practically not going to happen completely in secret.

This all becomes a huge criminal / legal liability for the lab. Imagine the lawsuits if google just started trying to brute-force crack everyones servers using classical computers....its no different just because they develop QC.

The counter-argument is: But this will be done by governments....yes thats probably true. But it doesn't really change much because instead of legal pushback (although there could certainly be legal fights over this), there would in fact be military response. No different if Country A discovered Country B was hacking its computing infrastructure....theres always nukes.

My point on this is: Everyone keeps assuming that these QC attacks would be cost free, but thats not realistic, there would be massive legal / criminal / military cost to just causally "cracking all public key encryption".