Bitcoin and Quantum Computing

Thanks for the great report. Good to see the threat to PoW addressed. The argument that it is (much) further away than breaking the ECDLP is convincing. However, it seems the leap from breaking the ECDLP to breaking PoW could be smaller than going from nothing to breaking the ECDLP? It also appears to be more of an existential threat to Bitcoin (even as a concept, not today’s network specifically).

Some nits I collected as I was reading through.

In the table on page 18 you discuss the resource usage associated with various schemes, but two of them have the same name+date identifier.

On page 30 you discuss the amount of BTC behind revealed public keys:

Did you mean “mid January 2025” instead of “mid January 2015”?

On page 35 you discuss private submission of CRQC-vulnerable transactions to trusted miners:

I think it’s worth mentioning in the footnote that this approach also trusts the attacker wouldn’t reorg the last block(s) to steal the funds. For vulnerable transactions spending large UTxOs in a post-2032-halving world this does not seem unlikely at all.