3

If an attacker in possession of a quantum computer can break the ECDLP, they can of course spend every Taproot output using the key path. However, do they also have the ability to construct a valid control block and spend using the script path with a script of their own choosing?

1 Answer

2

This was answered by Pieter Wuille on Delving Bitcoin:

As long as SHA256 remains preimage resistant, script path spends remain secure (obviously only under the assumption the script itself isn’t vulnerable to a DL break).
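Added example, not part of the answer or of the quoted Delving Bitcoin post: a pure-Python version of the BIP341 script-path commitment check, showing that an internal key chosen so that Q = P' + t'·G holds for an arbitrary t' is still rejected, because the verifier derives the tweak from SHA256 over P' and the script tree. The keys, the one-byte placeholder scripts and the `demo` helper are constructed for illustration; scripts are assumed shorter than 253 bytes, and only the commitment is checked (the script is not executed).

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        r, pt, k = (add(r, pt) if k & 1 else r), add(pt, pt), k >> 1
    return r

def lift_x(x):  # BIP340: the curve point with this x and even y, or None
    c = (pow(x, 3, P) + 7) % P
    y = pow(c, (P + 1) // 4, P)
    return (x, y if y % 2 == 0 else P - y) if y * y % P == c else None
G = lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)  # generator (even y)

def tagged(tag, msg):  # BIP340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def output_key(px, root):  # Q = lift_x(P) + H_TapTweak(P || root) * G
    pt = lift_x(int.from_bytes(px, "big"))
    t = int.from_bytes(tagged("TapTweak", px + root), "big")
    return add(pt, mul(t, G)) if pt else None

def verify_script_path(qx, control, script):  # BIP341 commitment check only
    k = tagged("TapLeaf", bytes([control[0] & 0xFE, len(script)]) + script)
    for i in range(33, len(control), 32):  # fold in the Merkle path, if any
        k = tagged("TapBranch", b"".join(sorted([k, control[i:i + 32]])))
    Q = output_key(control[1:33], k)
    return bool(Q) and Q[0].to_bytes(32, "big") == qx and Q[1] % 2 == control[0] & 1

def demo():  # constructed key and placeholder scripts; single-leaf tree
    px = mul(0x1234, G)[0].to_bytes(32, "big")
    Q = output_key(px, tagged("TapLeaf", b"\xc0\x01\x51"))
    qx, head = Q[0].to_bytes(32, "big"), bytes([0xC0 | Q[1] & 1])
    fake = add(Q, mul(N - 0x5678, G))  # P' = Q - t'G, so Q = P' + t'G by construction
    forged = head + fake[0].to_bytes(32, "big")
    return verify_script_path(qx, head + px, b"\x51"), verify_script_path(qx, forged, b"\x52")
```

`demo()` returns the result for the owner's control block followed by the result for the forged one. The forged block fails even though its curve relation was made to hold, which is the sense in which the check rests on the hash and not on the discrete logarithm.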
