At the time of this writing, QC is a very expensive technology and it is not scalable, i.e. costs grow exponentially by the scale of the system (number of qubits, number of gates and their resistance level to decoherence, ... ). We are not expecting large QCs showing up out of nowhere, breaking sec256k1 keys in few seconds. Rather there will be generations and development phases and it is highly expected that we will have machines that are able to break bitcoin public keys in feasible time but not in a glance or in few minutes.
I agree, and it is mentioned in the article that what is most likely to happen is that we see QCs evolve and get better and better over time. By watching their evolution and planning ahead, we can move to post quantum cryptography before quantum computers even get to the point that they can break ECDLP in feasible time. It is highly unlikely that a QC would show up overnight that can break ECDLP. However, the point of the article is to discuss hashing in the worst case scenario: QCs magically appear and can break ECDLP in feasible time (not minutes, seconds, or at a glance, feasible time is the worst case scenario).
Hashed public keys are safe in such a transient phase and what I absolutely don't understand is why we should include a proposal about public keys being exposed for an eternity waiting for their turn to be destroyed by any innovation or technology that shows up?
There won't be a transient phase. Either we have moved onto PQC by the time QCs can break ECDLP in feasible time, or Bitcoin is doomed.
The reason there is no transient phase and why "feasible time" is the worst case, we need to consider the fact that there are already millions of Bitcoin in outputs with their public keys exposed. They don't need to target new outputs with hashed pubkeys, there are millions of exposed pubkeys already in the blockchain that are with outputs that haven't been touched in years, such as Satoshi's outputs. They could just spend a lot of time cracking those keys, and then at some point in the future after the machine was created, they use all those private keys at once to move a bunch of coins. This would devastate the Bitcoin economy and kill it, unless we move to PQC before that happens (but the attacker would know, and could attack earlier). Either way, hashing did nothing.
If the attacker decides to just slowly steal old outputs that have had their pubkeys exposed, then he's slowly destroying Bitcoin and its value because people's money is being stolen. By the time it's realized, the damage would be done and people would probably panic to get out of Bitcoin before their coins are stolen too. It's extremely probably that the fear that a QC exists that can just steal millions of old coins would kill Bitcoin itself (cause the value to plummet, and people to rightfully no longer trust the cryptography). Either way, Bitcoin is killed.
And of course, in both of these, the attacker has time to just stockpile cracked private keys. During that time, QCs will also improve, so the attacker could get newer and better ones that crack even faster. Or he could just build more of them and crack in parallel. And so long as QCs can break ECDLP in reasonable time, it's only a matter of time before it gets to the point that they can break them very very quickly.
The point of the article is to say that while hashed public keys protects your coins specifically, they do nothing against the millions of already exposed public keys from which an attacker with an ECDLP break can use to wreak havoc and destroy the value of Bitcoin. Yes, your coins will be safe, but they won't have any value, so what's the point?
And all of this was just to say that there won't be a transient phase where hashing matters at all. The attacker will just target the already exposed pubkeys in outputs that haven' been touched in years.
Either we move to PQC before QCs can break ECDLP, and hashing didn't do anything. Or a QC comes along and can break ECDLP, and hashing did nothing because there are millions of available pubkeys with outputs that they can target, and hashing did nothing.
It would be a completely different story if Bitcoin had hashed pubkeys in everything since the beginning (but it did not, pay to pubkey was the expected method of usage) and no one ever reused addresses (so pubkeys were only exposed once and had no value afterwards). If those things were true, then I would say that there is a transient period and hashing does help protect against QCs. But that didn't happen.