None. Worrying about SHA256 being broken in our lifetimes is a waste of time. Also, if SHA256 gets broken it will mean the entire society of information is done since most of the encryption behind all kind of infrastructures including traditional banking are backed by SHA256 so it would be game over for everyone not only Bitcoin.
It seems like there's a lot of half-informed discussion on this thread. SHA256 isn't the signature algorithm.
This thread was supposed to be about ECDSA, and as far as I know, a good QC weakens ECC in a way that it doesn't do to RSA. Shorena's first post in here correctly points out that public keys aren't directly revealed in a transaction which spends to an address (just the hash of them is), so there's some security there for addresses which haven't been reused.
I guess I'm still wondering about how the UTXO set would be protected in the case where a QC which could break ECC was developed. Clearly some sort of hard-fork, but what would it look like? How could you get all of the bitcoin owners to take notice and do X to protect their transactions? It seems like people with paper wallets and cold-storage might have to take action. How could they be notified? Maybe I'm missing something obvious, but I'd like to hear discussion on that topic because it's definitely not obvious to me what to do.
I think that all the talk of SHA256 and mining and asics is missing the point of this thread.
I dont think everyone will react in time, but I also have problems with the idea that such an attack comes out of nowhere. My hope is that (similar to suggested RSA key sizes) to switch to a different algorithm will be done in advance.
Its a bit late, but this[1] paper by DJB is probably an interesting read.
[1] http://www.pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf
