Taproot is post-quantum secure when restricted to script-path spends

Jul 23 - Aug 3, 2025

  • The discussion around the quantum security of taproot wallets, as raised by Maxim in his post, highlights a nuanced view of the vulnerabilities that quantum computing would introduce.

He points out that once the public keys in a wallet descriptor are exposed, taproot wallets could be susceptible to quantum attacks even though script-path spends are generally considered secure. This assertion challenges the prevailing assumption that taproot is immune to such future threats. The concern extends further: quantum-capable miners or nodes could maliciously alter transactions, substituting them with different ones, and thereby undermine transactional integrity within the Bitcoin network.

In contrast, a research paper from the Cryptology ePrint Archive, titled "The Post-Quantum Security of Bitcoin's Taproot as a Commitment Scheme," offers a more optimistic view. According to the paper, under the quantum random oracle model (QROM), which assumes SHA256 remains robust against quantum attacks, an attacker cannot manipulate a Taproot output to reveal an unexpected Merkle root. This finding significantly bolsters the argument for Bitcoin's resilience against quantum threats, particularly in its scripting capabilities. The paper advocates a two-phase softfork upgrade to incorporate post-quantum signatures into Bitcoin's scripting language, in line with proposals from Matt Corallo and others. The first phase would introduce these signatures; the second, in anticipation of large-scale quantum computing, would discontinue Schnorr and ECDSA signatures for transaction verification.

The study quantifies the challenge posed to quantum attackers, noting that a minimum of 2^81 SHA256 evaluations would be required to compromise a Taproot output with a 50% success rate. It argues that assembling the requisite quantum computational power is implausible under current technological constraints, which sets a security threshold below the aspirational 2^128 level but still within a range deemed adequate against existing quantum capabilities. With this stance, the research shifts the spotlight back onto classical computing advances as the more immediate threat to Taproot's security. The paper concludes that, absent significant breakthroughs in quantum algorithms, quantum computing does not currently pose a substantial risk to the integrity of script-path spends within the Bitcoin ecosystem. This perspective underscores the importance of ongoing vigilance against classical computational threats that could undermine the secure framework established by Bitcoin's taproot mechanism before quantum computing becomes a viable concern.
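To make the "commitment scheme" framing above concrete, the following added example (not code from the summarized post or the paper) implements the BIP341 script-path commitment in pure Python: a Taproot output key is Q = P + H_TapTweak(P || merkle_root)·G, and a script-path spend must present a control block whose leaf and Merkle path hash back to exactly the root that P was tweaked with. The secp256k1 constants and the TapLeaf/TapBranch/TapTweak tag names are the standard ones from BIP340/BIP341; the demo private key and the two leaf scripts are constructed placeholder values, and all function names are this example's own. The verification checks at the end show the point the paper makes: substituting a different script or a different path element breaks the hash chain to the committed root, so forging a script-path spend reduces to finding a SHA256 second preimage, not to breaking the discrete logarithm.

```python
import hashlib

# secp256k1 curve constants (standard values from BIP340, not page-specific data)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def lift_x(xbytes):
    """BIP340 lift_x: the curve point with this x coordinate and even y, or None."""
    x = int.from_bytes(xbytes, "big")
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)
    if y * y % P != y_sq:
        return None
    return (x, y if y % 2 == 0 else P - y)


def tagged_hash(tag, msg):
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()


def compact_size(n):
    """Bitcoin CompactSize encoding, enough for script lengths up to 0xFFFF."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    raise ValueError("script too long for this example")


def tapleaf_hash(script, leaf_version=0xC0):
    return tagged_hash("TapLeaf", bytes([leaf_version]) + compact_size(len(script)) + script)


def tapbranch_hash(a, b):
    # Children are sorted lexicographically, so the tree is unordered.
    lo, hi = sorted((a, b))
    return tagged_hash("TapBranch", lo + hi)


def taproot_output_key(internal_x, merkle_root):
    """Return (output_x, parity) for Q = P + H_TapTweak(P || root) * G."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_x + merkle_root), "big")
    if t >= N:
        raise ValueError("tweak out of range")
    q = point_add(lift_x(internal_x), point_mul(t, G))
    return q[0].to_bytes(32, "big"), q[1] & 1


def verify_script_path(control, script, output_x):
    """BIP341 script-path check: does control block + script commit to output_x?"""
    if len(control) < 33 or (len(control) - 33) % 32 != 0:
        return False
    leaf_version, parity = control[0] & 0xFE, control[0] & 1
    internal_x = control[1:33]
    k = tapleaf_hash(script, leaf_version)
    for i in range(33, len(control), 32):          # walk the Merkle path to the root
        k = tapbranch_hash(k, control[i:i + 32])
    t = int.from_bytes(tagged_hash("TapTweak", internal_x + k), "big")
    p_point = lift_x(internal_x)
    if t >= N or p_point is None:
        return False
    q = point_add(p_point, point_mul(t, G))
    return q is not None and q[0].to_bytes(32, "big") == output_x and (q[1] & 1) == parity


# Constructed demo data: a placeholder private key and two toy leaf scripts.
DEMO_PRIVKEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
SCRIPT_A = bytes.fromhex("20" + "aa" * 32 + "ac")   # <32-byte key> OP_CHECKSIG (constructed)
SCRIPT_B = bytes.fromhex("51")                       # OP_TRUE


def build_demo():
    """Build a two-leaf tree and return (output_x, control block for leaf A)."""
    internal_x = point_mul(DEMO_PRIVKEY, G)[0].to_bytes(32, "big")
    leaf_a, leaf_b = tapleaf_hash(SCRIPT_A), tapleaf_hash(SCRIPT_B)
    root = tapbranch_hash(leaf_a, leaf_b)
    output_x, parity = taproot_output_key(internal_x, root)
    control_a = bytes([0xC0 | parity]) + internal_x + leaf_b   # path for A is its sibling
    return output_x, control_a


if __name__ == "__main__":
    out_x, ctrl = build_demo()
    print("genuine leaf A spend:", verify_script_path(ctrl, SCRIPT_A, out_x))
    print("swapped script:      ", verify_script_path(ctrl, SCRIPT_B, out_x))
```

The EC arithmetic is only needed to recompute Q; everything that binds the script to the output is the hash chain TapLeaf → TapBranch → TapTweak, which is why the paper's analysis reduces to SHA256's behaviour in the QROM and why the 2^81-evaluation bound is a statement about hashing work rather than about Schnorr.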
