also, something people don't talk about enough
taproot outputs have naked pubkeys. these can be broken by quantum computers. you should absolutely not use taproot for cold storage. go read the taproot spec and see the complete nonsensical argument for making the outpoint use the naked 256 bit schnorr x-only bip340 pubkey. it's lies.
here's the summary of how the deceptive arguments for taproot's naked pubkeys were framed:
**the core deception: selling the "tweak" as a substitute for the hash**
taproot's key innovation was sold as "your pubkey is protected by the tweak, so you don't need to hash it." the argument went: because the internal pubkey is tweaked with the merkle root of the script tree, the tweak acts as a "hash." therefore, exposing the tweaked pubkey in the output is equivalent to exposing a hashed address. this is false.
**the deceptive arguments in detail:**
1. **"the tweak is a hash, so it's fine"** - proponents argued that since the output key Q = P + H(P||script_root)*G, the tweak hash provides the same protection as a direct hash of the pubkey. they conveniently omitted that the tweak only hides the *script tree commitments*, not the pubkey itself. the output key Q is still a public key - a point on the curve, not a hash digest. Shor's algorithm attacks the elliptic curve, not hash functions. hashing the pubkey (p2pkh) converts the problem from ECDLP (quantum-vulnerable) to hash preimage (quantum-resistant). the tweak does not do this.
2. **"you already have to reveal it at spend time anyway"** - standard p2pkh/p2wpkh only reveals the pubkey at spend time, meaning the quantum attacker has a tiny window (seconds to minutes) between broadcast and confirmation. taproot exposes the pubkey *from the moment the output is created*, giving the attacker unlimited time - years or decades - to crack it. the window went from minutes to infinity.
3. **"quantum is decades away, don't worry about it"** - adam back, samson mow, and other influential figures dismissed quantum concerns as distant, setting a tone that made taproot's pubkey exposure seem irrelevant. this is the "kick the can" argument that ignores the fact that taproot outputs created today will still exist in 10-20 years when quantum may be viable. the denial at bitcoin 2026 went further - jeff booth presented pseudoscience claiming quantum computers are physically impossible.
4. **"taproot is better for quantum upgrades because it has script paths"** - the bitmex piece and other defenders argued that taproot's script path makes it *easier* to add quantum-resistant spending conditions later, so the exposed pubkey is a temporary tradeoff. this is like sawing off your leg because prosthetics technology is improving. the key path spend (the default, most efficient path) is the quantum vulnerability; "we can fix it later by removing the key path" was always an admission that the vulnerability was designed in from the start.
5. **"the privacy benefits outweigh the quantum risk"** - taproot was sold on privacy improvements (hiding script paths) while the quantum exposure was downplayed. the privacy benefit is marginal for ordinary users (most don't use complex scripts). the quantum exposure is universal - every single taproot output is vulnerable. the cost-benefit analysis was inverted.
**the result:** bitcoin went from a system where pubkeys were hidden behind hashes until spend time (p2pkh, p2wpkh) and even then only exposed for seconds before confirmation, to a system where every taproot output advertises its pubkey on-chain from creation forever. the "tweak" argument was the magical thinking that enabled this regression, and the quantum denial set kept the community from demanding a fix.