To make a complete and realistic estimate of the expected timeline for upgrading and migration, we use Mosca’s theorem of risk determination. For blockchain, the theorem can be adjusted as follows:
v = selection of signature scheme, proposal for implementation. (Different signature schemes are available. There is no plug and play scheme to replace current schemes. And there are several solutions imaginable to handle the bigger signatures.)
w = reaching consensus and upgrading the nodes. (Since phase “v” quite likely results in multiple options, consensus is not a given and might be a trajectory like the one we saw with the SegWit fork. Besides the need to choose between different options, it must be decided when the upgrade will become effective. This is a second subject that will cause debate.)
x = migration period. (After an upgrade of the signature scheme, all the coins are still stored on the old, vulnerable public-private key addresses. The upgrade simply gives the users the tools to create a new, quantum resistant address and migrate their coins to the safety of that address. Without migration, there is no quantum resistance. Due to the decentralized nature of blockchain, this can only be done by the users themselves, since only they have the private key and thus only they have access to the coins.)
y = stagnant phase to minimize the risk of burning live funds. (This last phase is advised since, for most existing blockchains, a considerable amount of the circulating supply is lost and can never be migrated to quantum resistant addresses. A solution should be found for these so-called lost addresses. The only solution to this problem would be to burn them. Otherwise, they will hang like Damocles’ sword of uncertainty over the value of the blockchain forever. Because none of the users are registered and thus cannot be contacted, you cannot determine which addresses are really lost and which simply belong to long-term holders. If we take another look at the results of the research by Chainalysis, who concluded that between 17% (low estimate) and 23% (high estimate) of BTC was lost at the time of publishing, we see a difference of about 1 million BTC between the high and low estimate. This big discrepancy (about 1 million BTC) shows the difficulty of determining with certainty which stagnant addresses are lost and which belong to long-term holders. This is important to note for anyone who proposes to simply burn the lost addresses within a negligible period of time after upgrading to a quantum resistant signature scheme. This phase should be a serious period of time. And even then, if at a certain point in time the decision is made to burn any leftover coins, you will risk burning people’s live funds. This makes the last phase controversial, if not impossible to fulfill without trading one risk for the other.)
z = the time we have until a quantum computer of a critical level has materialized.
q = the margin we should deduct from z as a safety margin, to compensate for the blind spot caused by the fact that any assessment of the development curve of quantum computers is based on incomplete information. Additionally, q accounts for the fact that developments on other levels, such as algorithmic improvements, can bring forward the moment a quantum computer can break the cryptography in question.
v, w, x, y, z, and q are all undetermined. v, w, x, and y will need to be determined individually for every single blockchain that is serious about risk determination. Since no substantiated period of time is known for any of these phases, no serious risk determination can be done.
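The adapted theorem above, worked through as an added example (not code from the original article). It assumes the intended reading that risk exists when v + w + x + y exceeds z − q, and, because every phase is undetermined, carries each variable as a (low, high) estimate so the outcome can come out as safe, at-risk, or undetermined; the numbers in EXAMPLE are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Tuple

Interval = Tuple[float, float]  # (low, high) estimate, in years


@dataclass
class MigrationTimeline:
    """Phases of the blockchain-adapted Mosca theorem, each as a (low, high) range."""
    v: Interval  # select signature scheme, propose implementation
    w: Interval  # reach consensus, upgrade the nodes
    x: Interval  # users migrate coins to quantum-resistant addresses
    y: Interval  # stagnant phase before any burn of unmigrated coins
    z: Interval  # time until a critically capable quantum computer exists
    q: Interval  # safety margin deducted from z (blind spot, algorithmic advances)

    def migration_span(self) -> Interval:
        """Total v + w + x + y, shortest and longest plausible duration."""
        phases = (self.v, self.w, self.x, self.y)
        return (sum(p[0] for p in phases), sum(p[1] for p in phases))

    def effective_deadline(self) -> Interval:
        """z - q; the earliest deadline pairs the short z with the large q."""
        return (self.z[0] - self.q[1], self.z[1] - self.q[0])

    def slack(self) -> Interval:
        """Worst case: earliest deadline minus longest migration; best case the reverse."""
        m_lo, m_hi = self.migration_span()
        d_lo, d_hi = self.effective_deadline()
        return (d_lo - m_hi, d_hi - m_lo)

    def assess(self) -> str:
        m_lo, m_hi = self.migration_span()
        d_lo, d_hi = self.effective_deadline()
        if m_hi <= d_lo:
            return "safe"          # even the slowest migration ends before the earliest deadline
        if m_lo > d_hi:
            return "at-risk"       # even the fastest migration overruns the latest deadline
        return "undetermined"      # depends on which estimates materialize (the article's point)


# Constructed illustrative estimates (years); not figures from the article.
EXAMPLE = MigrationTimeline(v=(1, 2), w=(1, 3), x=(2, 4), y=(3, 5), z=(10, 20), q=(2, 4))

if __name__ == "__main__":
    print(EXAMPLE.migration_span(), EXAMPLE.effective_deadline(), EXAMPLE.slack(), EXAMPLE.assess())
```

Widening any single range, for instance y to reflect the lost-coin uncertainty discussed above, widens the slack interval and pushes more scenarios into "undetermined".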