Are Taproot addresses quantum vulnerable?
Yes — more exposed than P2PKH. Taproot outputs publish a 32-byte x-only public key directly in the scriptPubKey, so the key is on-chain the moment the address receives, not only after spending.
P2PKH and P2WPKH addresses commit only to a HASH160 of the public key in their output script. The public key itself is not revealed until the owner spends — which is what makes never-spent legacy addresses quantum-safe in the strict cryptographic sense.
Taproot is different. A bech32m P2TR output script is OP_1 <32-byte x-only pubkey>. The pubkey is in the clear from the first confirmation. A cryptographically relevant quantum computer running Shor's algorithm could in principle derive the private key from that pubkey without waiting for the owner to spend.
The practical risk today is still zero — no machine exists with the ~2,000-4,000 logical qubits Shor needs against secp256k1. But the threat model differs from P2PKH: with Taproot, the harvest-now-decrypt-later window opens at receive, not at first spend.
Related questions
Should I avoid Taproot today because of quantum risk?
For most users the practical answer is no — Taproot's signature aggregation, MAST, and Schnorr benefits are real and concrete, while a cryptographically relevant quantum computer is still many years away. For multi-decade cold storage, holding in a never-spent P2WPKH or P2PKH address gives a strictly stronger quantum posture, at the cost of larger transactions when you eventually spend.
Is the difference between Taproot and legacy addresses overstated?
The cryptographic difference is real, but the magnitude depends on timeline. If usable quantum capability arrives in 10+ years, every reused or spent address — Taproot or not — is exposed by then. The distinction matters most for long-dormant funds: never-spent P2PKH/P2WPKH outputs would still be safe in that scenario, while never-spent P2TR would not.