If an attacker in possession of a quantum computer can break the ECDLP, they can of course spend every Taproot output using the key path. However, do they also have the ability to construct a valid control block and spend using the script path with a script of their own choosing?
1 Answer
This was answered by Pieter Wuille on Delving Bitcoin:
As long as SHA256 remains preimage resistant, script path spends remain secure (obviously only under the assumption the script itself isn’t vulnerable to a DL break).