
Here is Antoine Poinsot's take on responding to quantum threats. I like that he takes a zero-tolerance stance on confiscation but also doesn't ignore how bitcoin would be affected by widespread theft of coins:

most people expect to be safer storing value in Bitcoin than in any of the competing alternatives. I believe this expectation largely matches reality, but the way Bitcoin approaches the CRQC threat could drastically change this.
Two possible responses to this risk could undermine trust in Bitcoin so severely as to make it indistinguishable from an altcoin. The first one is that a large portion of the userbase gets their coins stolen, as that would be a fatal blow to network effects. The other one is that the vast majority of the economy coordinates to pre-emptively freeze other people’s coins, deemed to pose a systemic risk if a CRQC materializes, as that would directly undermine Bitcoin’s value proposition. It is important to stress that the latter is not merely an ideological position: confiscation being impractical is the whole reason why users trust Bitcoin to have value in the first place. Break this trust, and you’ll eventually lose the network effects.
the goal of a PQ migration should be to allow Bitcoin as we know it to survive a break of the discrete logarithm assumption. Transforming Bitcoin into yet another altcoin by permitting widespread theft, or by enabling confiscation, is not an interesting goal. The major challenge is that each individual Bitcoin user would strongly benefit from everyone else migrating, while migration itself is individually costly and would need to begin long before we can be reasonably certain whether the CRQC threat will materialize. The P2TRv2 strategy addresses this issue by shifting the migration costs from individual users opting into using the new output type in the short term, to ~all Bitcoin users coordinating to update consensus rules in the medium to long term. And P2TRv2 variants that allow users to avoid revealing their public key onchain before spending make, in my view, the wrong set of tradeoffs.

Poinsot seems to think that P2TRv2 (first proposed by @TheBlueMatt here) is the best quantum-resistant proposal we have to date.

Here is how Corallo described the idea:

Because taproot script-path spends are strongly-bound (the taproot script-path hash t includes the internal key in its hash), a future QC could determine the associated private key and script-path merkle root, but it cannot forge an alternative script-path merkle-root.

This provides a compelling hook for post-QC security - with the simple addition of an OP_SPHINCS (or equivalent post-QC non-one-time-use (i.e. not Lamport/Winternitz) signature verification opcode, functioning in much the same way OP_CHECKSIG works today), wallets simply need to construct their taproot outputs to always contain a script-path alternative spending condition. When QCs are becoming a reality, key-path taproot spends could be disabled via soft-fork, forcing spends to be done using the QC-secure path.

This seems like a pretty good way to provide opt-in escape hatches, as Poinsot points out:

P2TRv2, which prescribes introducing a Taproot clone with a PQ signature scheme available in leaf scripts, so users can attach a PQ escape hatch to their coins at no cost, to later complete the migration by disabling EC operations in this output type if/when the CRQC threat materializes. Because it is no more expensive to use, wallets would start defaulting to this output type and progressively migrate the long tail of users over the next ~decade. As time passes, more information about the progress of CRQCs can guide the next steps.
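
To make Corallo's "strongly-bound" point and Poinsot's escape-hatch mechanism concrete, here is an added example (not code from the post, from Corallo or from Poinsot): a small pure-Python model of the BIP341 Taproot commitment. It computes the output key Q = P + H_TapTweak(x(P) || merkle_root)·G from an internal key and a two-leaf script tree, then shows that a script-path spend only verifies when the claimed internal key and leaf reproduce exactly that Q, so a different leaf cannot be substituted without inverting the hash. The `validate_spend` function models the soft fork that disables key-path spends while leaving the script path usable. The private key, scripts and the "PQ escape hatch" leaf are constructed placeholders (the PQ signature opcode itself is not modelled); `build_sample`, `validate_spend` and the other names are this example's own, not Bitcoin Core's.

```python
"""Model of Taproot (BIP341) commitment binding and a key-path-disabling soft fork.

Added example; curve constants are the standard secp256k1 parameters, everything
else (keys, scripts, function names) is constructed for illustration.
"""
import hashlib

# secp256k1 field prime and generator (standard constants)
P_FIELD = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    y3 = (lam * (x1 - x3) - y1) % P_FIELD
    return (x3, y3)


def point_mul(k: int, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def lift_x(x: int):
    """Recover the curve point with even y for an x-only key (BIP340 lift_x)."""
    y_sq = (pow(x, 3, P_FIELD) + 7) % P_FIELD
    y = pow(y_sq, (P_FIELD + 1) // 4, P_FIELD)
    if y * y % P_FIELD != y_sq:
        raise ValueError("x is not on the curve")
    return (x, y if y % 2 == 0 else P_FIELD - y)


def leaf_hash(script: bytes, version: int = 0xC0) -> bytes:
    """TapLeaf hash; sample scripts are short, so the compact size is one byte."""
    return tagged_hash("TapLeaf", bytes([version, len(script)]) + script)


def branch_hash(a: bytes, b: bytes) -> bytes:
    """TapBranch hash over the lexicographically sorted children."""
    return tagged_hash("TapBranch", b"".join(sorted([a, b])))


def taproot_output(internal_x: int, merkle_root: bytes):
    """Q = P + H_TapTweak(x(P) || root) * G; returns (x(Q), parity of y(Q))."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_x.to_bytes(32, "big") + merkle_root), "big")
    q = point_add(lift_x(internal_x), point_mul(t, G))
    return q[0], q[1] & 1


def verify_script_path(output_x, parity, internal_x, merkle_path, script) -> bool:
    """Recompute the commitment from control-block data and compare with the output key."""
    k = leaf_hash(script)
    for sibling in merkle_path:
        k = branch_hash(k, sibling)
    return taproot_output(internal_x, k) == (output_x, parity)


def validate_spend(output, spend, key_path_enabled: bool = True) -> bool:
    """Consensus model: key path only while enabled; script path always re-checks the commitment.
    The PQ signature inside the leaf would be checked by the leaf's opcode and is not modelled."""
    if spend["path"] == "key":
        return key_path_enabled
    return verify_script_path(output[0], output[1], spend["internal_x"],
                              spend["merkle_path"], spend["script"])


def build_sample():
    """Constructed sample: one internal key, an EC leaf and a placeholder PQ escape-hatch leaf."""
    internal_priv = 0x1234  # constructed, not a real key
    internal_x = point_mul(internal_priv, G)[0]
    ec_leaf = b"\x20" + b"\x11" * 32 + b"\xac"   # <32-byte key> OP_CHECKSIG, placeholder key
    pq_leaf = b"PQ-ESCAPE-HATCH-PLACEHOLDER"     # stands in for <pq_key> <PQ sig opcode>
    path_for_pq = [leaf_hash(ec_leaf)]           # control-block merkle path for the PQ leaf
    root = branch_hash(leaf_hash(pq_leaf), leaf_hash(ec_leaf))
    return internal_x, taproot_output(internal_x, root), pq_leaf, path_for_pq


if __name__ == "__main__":
    ix, out, pq_leaf, path = build_sample()
    print("genuine PQ leaf verifies:", verify_script_path(out[0], out[1], ix, path, pq_leaf))
    print("substituted leaf verifies:", verify_script_path(out[0], out[1], ix, path, b"OTHER"))
    print("key path after soft fork:", validate_spend(out, {"path": "key"}, key_path_enabled=False))
```

The point the example makes is the one Corallo relies on: learning the discrete log of Q does not let anyone present a different (internal key, merkle root) pair that hashes to the same tweak, so once key-path spends are switched off only the leaves committed at output-creation time remain spendable. Whether the PQ leaf is actually secure then depends on the PQ opcode and on wallets having included such a leaf ahead of time, which is the opt-in cost Poinsot describes.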

One thing I do wonder about is that such a scheme might encourage everyone to use Taproot addresses, which currently have exposed public keys, so I think this scheme would be committing to some hasty soft fork disabling the keypath spend in taproot addresses in the event of a quantum computer that can break elliptic curve cryptography.

But I like opt-in schemes and I don't think bitcoiners should be too hasty to commit to a specific quantum resistant cryptography scheme -- so something like P2TRv2 might fit the bill.