You may have heard that Taproot signatures only reveal the spending conditions actually used in the transaction and not any alternative spending conditions the locking script might have.
This is cool, because it means you can have a multisig that has 3 keys, any 2 of which are needed to spend, but when you spend it will look like a 2 of 2. People won't be able to see all the different ways your coins can be spent. You might have any number of scripts that can be used to spend your coins, but people only ever see the spending conditions you actually use when spending. This is called script path spending.
Well, the flip side of Taproot addresses is that they are also simple public key addresses.
"Every Taproot output corresponds to a combination of a single public key condition (the internal key), and zero or more general conditions encoded in scripts organized in a tree." (BIP 341)
So here's the problem: that single public key spending path would be vulnerable to a quantum computer (if quantum computers ever get good enough to threaten Bitcoin in general). This means that if you think quantum computers are a real threat in the future, you might not want to use Taproot addresses...
...unless there was a way to disable the public key spending path. (Note that it's possible to select a public key that is provably unspendable, but you have to do this when you create the wallet, before sending coins to any addresses in it.)
But wouldn't it be great if one of the proposed quantum-resistant upgrades to Bitcoin allowed us to disable all Taproot public key path spends, while retaining the ability to spend from their scripts? (It might not be great if you used Taproot and chose zero script path spending conditions...)
That's what this paper by Tim Ruffing is about.
Specifically, it provides concrete upper bounds on the probability that a quantum adversary making some number of queries to a quantum random oracle can break the binding or hiding property.
I believe what this means is that they were able to demonstrate that Taproot addresses are quantum resistant if they only have script path spending conditions.
It appears to be a common assumption on this list that an attacker can't break script-path spends. But I'm not aware that a convincing justification for this assumption has been presented by anyone before.