Hi Or,
Thanks for the research.
> The complexity of the attack is ~1/r^2 epochs, where r is the fraction of the block rewards that the quantum miner would have received if they mined honestly. This attack (or variants thereof) provides essentially the same benefits as classical 51% attacks, including double spending, and all the revenue from the block rewards.
Quantum algorithm like Grover's algorithm are well-adapted to solve problems with a hidden structure, e.g where the answer can be easily verified.
This is the case any randomly yielded state from a qubit vector can be fast verified as a PoW on a classical computer architecture.
However, I'm not sure Grover's algorithm works well for dynamic block template construction and corresponding PoW calculations.
Any last-minute high-fee transaction might be selected in the block template, invalidating all the oracle calls performed so far by the run of the Grover's algorithm.
Classical computers do not have this issue that you cannot observe the state until the computation ends, contrary to quantum computers.
Inability to adapt to a fast-dynamic fee market might render this 51% attack unsustainable, in a post-subsidy world.
> The attack isn't relevant for the forthcoming years, requiring an extremely fast, noise-tolerant quantum computer.
Information on what is the qubit format and associated solid-state technology used for the estimation can be valuable. Especially to estimate the real-world energy cost compared to hydro pure ASIC-based mining infrastructure.
Best,
Antoine