Bitcoin is also in a bind but has the following on its side:
- The greatest damage to bitcoin requires messing with SHA-256 (not secp256k1), which requires Grover's algo, which is way harder to make useful
- For secp256k1 (Shor's algo, lowest hanging quantum fruit) there is some scope to migrate curves
- Only about 30% of secp256k1 public keys are known (if unknown that provides some protection)
Nostr is in a hopeless situation:
- Everything is secp256k1 (where something else like AES-256-CBC is used secp256k1 is still the weakest link in the dependency)
- Virtually all public keys are known, virtually all events are easily retrievable
- There is zero scope to migrate curves (despite some nonsense suggestions to the contrary)
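As an added illustration of the key-exposure point in the post above (this is example code written for this page, not code from the post, from Nostr or from any Bitcoin project): an npub is nothing more than the bech32 encoding of the x-only secp256k1 public key, so every Nostr identifier hands out the exact key that Shor's algorithm would target, whereas an identifier that commits only to a hash of the key reveals nothing about the key until a signature is published. The curve arithmetic and the bech32 coder are written from the public specifications in plain Python; the secret scalar is a constructed toy value, and SHA-256 stands in for Bitcoin's RIPEMD160(SHA256()) hash160 so that the example needs only the standard library (an assumption, marked in the code).

```python
import hashlib

# secp256k1 domain parameters (public constants from the curve specification)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def _ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _ec_add(acc, pt)
        pt = _ec_add(pt, pt)
        k >>= 1
    return acc


def xonly_pubkey(secret):
    """32-byte x-only public key, the form Nostr (and BIP-340) publishes."""
    x, _ = _ec_mul(secret, (GX, GY))
    return x.to_bytes(32, "big")


# bech32 (BIP-173) as used by NIP-19 for npub/nsec identifiers
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        b = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (b >> i) & 1 else 0
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad=True):
    """Regroup a bit stream (8->5 for encoding, 5->8 for decoding)."""
    acc = bits = 0
    out = []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding")
    return out


def bech32_encode(hrp, payload):
    data = _convertbits(payload, 8, 5)
    polymod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def bech32_decode(s):
    """Return (hrp, payload bytes); raises ValueError on a bad checksum."""
    hrp, data = s.rsplit("1", 1)
    values = [CHARSET.index(c) for c in data]
    if _polymod(_hrp_expand(hrp) + values) != 1:
        raise ValueError("bad checksum")
    return hrp, bytes(_convertbits(values[:-6], 5, 8, pad=False))


def npub_from_secret(secret):
    return bech32_encode("npub", xonly_pubkey(secret))


def pubkey_from_npub(npub):
    """The npub decodes straight back to the public key: no secret is needed."""
    hrp, pk = bech32_decode(npub)
    if hrp != "npub" or len(pk) != 32:
        raise ValueError("not an npub")
    return pk


def hashed_identifier(pubkey):
    """Identifier committing only to a hash of the key, in the spirit of a P2PKH
    address. ASSUMPTION: Bitcoin uses RIPEMD160(SHA256(pubkey)); SHA-256 alone is
    used here so the example stays inside hashlib. The key is not derivable
    from this value; it becomes public only when a signature over it is posted."""
    return hashlib.sha256(pubkey).hexdigest()


def exposure(secret):
    """Compare what each identifier style reveals about the same public key."""
    pk = xonly_pubkey(secret)
    npub = npub_from_secret(secret)
    return {
        "npub": npub,
        "npub_yields_pubkey": pubkey_from_npub(npub) == pk,
        "hashed_id": hashed_identifier(pk),
    }


if __name__ == "__main__":
    # Constructed toy secret; a real key is a uniformly random scalar below the curve order.
    for k, v in exposure(2).items():
        print(f"{k}: {v}")
```

Running it shows the npub decoding back to the full public key, while the hashed identifier is a one-way digest of it. That is the asymmetry behind the "30% of public keys are known" remark: a hash-committed address keeps the key private only until it signs a spend, at which point the key appears on chain, whereas on Nostr the key is the identity and every event carries it.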