At a Glance: The 2029 Quantum Deadline and the Shrinking Window to Move
The Ethereum Foundation has published one of the most comprehensive post-quantum migration roadmaps of any major Layer 1. It covers four quantum-vulnerable cryptographic surfaces across seven protocol upgrades planned through 2029.
Ethereum's quantum vulnerability lies primarily in Externally Owned Accounts (EOAs) that have transacted at least once. The moment an account broadcasts a transaction, its public key is exposed on-chain. From there, a sufficiently powerful quantum computer could reverse-engineer the corresponding private key.
While the hardware required for such an attack does not yet exist, the timeline is shrinking. Google Quantum AI is actively targeting the development of a large-scale, error-corrected quantum computer by 2029.
In December 2024, its Willow processor became the first superconducting chip to achieve quantum error correction below the surface-code threshold. The timeline between today's milestone and that future machine defines the industry's narrow window to migrate.
The institutions exposed are custodians, exchanges, banks, asset managers, foundations, and treasury teams. No layer-1 ecosystem is immune. Bitcoin, Solana, Avalanche, and Cosmos all rely on the same vulnerable elliptic curve cryptography, and each is at a vastly different stage of readiness.
This article covers the threat, Ethereum's response, and what that response asks of the institutions exposed to it.
The Single Point of Failure: What a Quantum Breakthrough Breaks on Ethereum
Ethereum’s architecture relies on three core cryptographic building blocks, and a single class of quantum attack breaks them all:
- ECDSA: Secures the private keys controlling user accounts.
- BLS: Secures the validator signatures that finalize the chain's consensus history.
- KZG Commitments: Secure the data availability proofs powering modern scaling.
Because all three primitives are rooted in elliptic curve mathematics, they share the exact vulnerability targeted by Shor’s algorithm. This is why a single quantum breakthrough dismantles Ethereum's entire cryptographic foundation at once.
Peter Shor's 1994 algorithm is the mathematical foundation that makes this attack possible. On an advanced quantum computer, deriving a private key from an exposed public key shifts from practically impossible to straightforward. This hardware threshold is well-defined. In a landmark March 2026 paper, Google Quantum AI estimated that breaking a standard Ethereum-sized key requires roughly 1,450 logical qubits.
To understand the timeline, it helps to separate the two types of qubits involved, logical qubits and physical qubits. Logical qubits perform the calculations. However, because modern quantum hardware is inherently unstable, each logical qubit requires a protective layer of hundreds to thousands of physical qubits to manage error correction. This means the target threshold of 1,450 logical qubits actually requires fewer than 500,000 physical qubits working together.
Today's leading quantum processors are still orders of magnitude away from this scale. While the threat is real, the hardware is not yet here. That delay provides the buffer needed for a coordinated, network-wide response. Ethereum is already using this window to deploy its post-quantum architecture.
Which Quantum Attack Actually Matters for Ethereum
Two distinct quantum attacks are worth separating. One does not apply to Ethereum, while the other defines the core risk.
The first threat is 'Harvest-Now-Decrypt-Later'. In this scenario, an adversary records encrypted communications today to decrypt them years later once a capable quantum computer exists. This does not threaten Ethereum's chain state because blockchain data is inherently public and unencrypted. There is simply no ciphertext to harvest.
While this attack matters for the encrypted communication channels and private key management systems that institutions run alongside their crypto operations, it remains a separate risk surface from the protocol itself.
In contrast, the 'On-Spend' attack defines the true threat to the ledger. When an EOA broadcasts a transaction, it sits in the public mempool before confirmation, exposing the signer's public key.
A sufficiently fast quantum computer could extract the private key within that brief confirmation window, allowing the attacker to frontrun the user and redirect the funds before the original transaction settles.
Two defenses exist. The first hides the public key until the moment of spend, an approach Bitcoin has partially adopted, since its newer address types store only a fingerprint of the key rather than the key itself. The second replaces the vulnerable signature scheme outright, which is what the Ethereum Foundation has chosen to pursue.
How Ethereum's Multi-Layer Roadmap Compares to Rival Layer 1s
Ethereum's replacement schedule is one of the most comprehensive of any major Layer 1. It spans consensus, accounts, data availability, and the application layer. Vitalik Buterin set out the approach in a widely read public post in February 2026, building on the Foundation's dedicated post-quantum team and protocol research. The roadmap gives each of the four vulnerable components its own engineering track.
Validator and wallet signatures both move to hash-based schemes. The commitments that secure data availability move to quantum-safe proofs, either STARK-based or lattice-based. The proof systems behind Layer 2 networks and privacy tools move to quantum-resistant versions of their own.
Justin Drake and the Foundation's architecture team paired the roadmap with a sequencing plan called the strawmap. It maps the migration into seven network upgrades, with completion targeted around 2029.
Four of those upgrades carry the post-quantum work: a public-key registry, a quantum-resistant data availability layer, validator attestations, and the full user-facing transition. These are placeholder milestones, not fixed dates. The Foundation frames the ordering and timing as planning targets instead of commitments.
Other major Layer 1s are moving at different speeds. Ripple has published a four-phase roadmap to make the XRP Ledger quantum-resistant by 2028. Algorand has gone furthest on deployment. It shipped quantum-safe State Proofs in 2022 and ran its first post-quantum mainnet transaction in November 2025.
Cardano has outlined a post-quantum track of its own. Bitcoin has a proposed standard, BIP-360, for quantum-resistant address formats, plus active research on recovering legacy addresses, but no committed timeline. Solana offers an opt-in quantum-safe vault on mainnet, but no network-wide migration plan.
Avalanche and Cosmos are still largely at the research stage.
What sets Ethereum apart is the breadth of its plan. It runs one coordinated program across all four surfaces, backed by a dedicated team and connected to academic cryptography researchers.
The Irreversible Hash Function Decision
For Ethereum, the most critical architectural decision is selecting the hash function beneath its new signatures. Hash functions are cryptography's most proven building block. The ones in wide use, like SHA-256, have absorbed decades of attacks without breaking, and a signature scheme built on one inherits that track record. Ethereum chose hash-based signatures for consensus on that basis.
The choice is foundational and effectively permanent, so the Foundation is running an open cryptanalysis bounty through December 2026. It invites outside cryptographers to attack the candidate hash functions before anything is locked in, and it has already widened the candidate set when analysis raised concerns. The appendix covers the alternatives, and why lattice-based and multivariate schemes were set aside for the core protocol.
Solving the Prohibitive Gas Cost of Post-Quantum Proofs
The new signatures come at a cost. They are far more expensive to verify. An ECDSA signature verifies for about 3,000 gas, Ethereum's unit of computation. An unaggregated hash-based post-quantum signature runs near 200,000, more than sixty times as much. A standalone quantum-resistant proof reaches roughly 10 million. Left unaddressed, that cost would be prohibitive at network scale.
| Stage | Gas Cost per Signature |
|---|---|
| ECDSA verification today | 3,000 |
| Unaggregated hash-based post-quantum signature | ~200,000 |
| Standalone quantum-resistant STARK proof | ~10,000,000 |
| After recursive aggregation | near today's level |
Gas cost figures via Vitalik Buterin (X, February 26, 2026).
The solution to this overhead is recursive aggregation. Instead of verifying individual signatures one by one, the network bundles thousands of them into a single zero-knowledge proof and verifies that one object.
The computational and data costs are then shared across every transaction in the batch. Executed correctly, this optimization returns the per-signature cost to roughly where it sits today.
Stranded Assets: What Happens to Dead Wallets and Billion-Dollar Lost Keys?
Some supply will never migrate. While the exact aggregate volume cannot be pinned down, the categories of stranded capital are clear and verifiable:
- Permanently lost keys: Most notably, the 250,000 ETH in Rain Lõhmus's 2014 presale wallet that he can no longer access.
- Inactive accounts: Long-term holders who remain inactive past the protocol's migration deadline.
- Immutable code: Ether permanently locked in non-upgradeable legacy smart contracts.
- Delayed migrations: Active users and protocols that simply fail to transition past the point of safety.
It's important to note that not all dormant ETH is exposed. The 513,000 ETH frozen in the Parity multisig bug and the 11,500 ETH locked in Akutars cannot be moved by any signature, because broken contract code blocks extraction.
The 26,800 ETH in burn addresses is safe for a different reason. Those addresses were never created from a private key, so there is no public key for a quantum computer to attack. The real exposure stays with externally owned accounts that have transacted.
Ethereum can amend its own protocol rules through community consensus, which is a real advantage in handling stranded ETH. The Foundation can advance several options at the protocol level: a claim window for owners to come forward, a structured sweep that redirects at-risk funds, a coordinated freeze that locks vulnerable addresses, or some combination.
The supporting cryptography is already in research. Paradigm's Provable Address-Control Timestamps proposal, published for Bitcoin in May 2026, shows the kind of mechanism Ethereum could adapt.
It lets the rightful owner of an inactive wallet prove control through a cryptographic record of past chain state, without moving funds, and it still works after a quantum computer arrives.
Why Your DeFi Capital Demands a Separate Upgrade Path
Accounts are only half the problem. Roughly $50 billion sits in Ethereum DeFi smart contracts. Each one needs its own upgrade, redeployment, or wind-down, and the situation varies by protocol. Aave and Compound are well-placed, because their core contracts can be upgraded through governance.
Uniswap is harder. Its core contracts are immutable by design, so migration means deploying new versions and moving users across to them. The hardest case is the cross-chain bridges secured by ECDSA and EdDSA signatures, which have to migrate across several chains at once.
The Institutional Action Plan: Crucial Questions to Ask Your Custody Vendors Today
The quantum migration is a multi-year program, not an imminent event. Its pace depends on a few things that are not yet settled: when the hash function is chosen, whether recursive aggregation delivers the cost reduction it promises, and when capable quantum hardware actually arrives. The right approach is to track these milestones, not the headlines.
- Watch the hash-function decision, expected across 2026 to 2027. Everything downstream depends on it, so it is the clearest single gauge of whether the timeline is holding.
- Ask custodians and wallet providers two direct questions. Do they have a post-quantum migration plan, and will they support Ethereum's new signature scheme when it ships? The answers separate the prepared vendors from the rest.
- Map exposure across custodied and treasury holdings. Addresses that have already transacted carry exposed public keys and come first for migration. Never-spent addresses and funds in non-upgradeable contracts carry different profiles. That inventory is the starting point for any credible plan.
None of this requires any change to the underlying assets themselves. This is a matter of operational readiness, and it can be fully implemented well before the hardware that makes the threat real ever materializes.
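One way to start the exposure inventory described above, as an added example that is not from the article or any vendor. It assumes each holding has already been looked up with the standard JSON-RPC calls `eth_getTransactionCount` and `eth_getCode`; the labels, balances and the ordering of the two lower-priority classes are assumptions.

```python
from dataclasses import dataclass

# EIP-7702 delegation designator: 0xef0100 followed by a 20-byte address.
# An account carrying this code is still a key-controlled EOA.
EIP7702_PREFIX, EIP7702_HEX_LEN = "0xef0100", 48

@dataclass
class Holding:
    label: str          # internal wallet name (hypothetical)
    nonce: int          # result of eth_getTransactionCount
    code: str           # result of eth_getCode ("0x" when empty)
    balance_eth: float

def classify(h: Holding) -> str:
    code = h.code.lower()
    delegated = code.startswith(EIP7702_PREFIX) and len(code) == EIP7702_HEX_LEN
    if code not in ("", "0x") and not delegated:
        return "contract"          # no account key; needs its own upgrade path
    if h.nonce > 0 or delegated:
        return "eoa-key-exposed"   # it has signed on-chain, so the public key is public
    return "eoa-never-spent"       # only the address (a hash of the key) is visible

# Exposed keys come first, as the article states; the order of the other two
# classes is an assumption made for this example.
PRIORITY = {"eoa-key-exposed": 0, "contract": 1, "eoa-never-spent": 2}

def triage(holdings):
    """Most urgent class first; larger balances first within a class."""
    ranked = sorted(holdings, key=lambda h: (PRIORITY[classify(h)], -h.balance_eth))
    return [(h.label, classify(h)) for h in ranked]

# Constructed sample inventory (not real accounts or balances).
SAMPLE = [
    Holding("cold-reserve", 0, "0x", 5000.0),
    Holding("hot-wallet", 412, "0x", 120.0),
    Holding("legacy-vault-contract", 1, "0x6080604052", 900.0),
    Holding("smart-eoa", 3, "0xef0100" + "11" * 20, 40.0),
    Holding("ops-wallet", 7, "0x", 800.0),
]

if __name__ == "__main__":
    for label, cls in triage(SAMPLE):
        print(f"{cls:16} {label}")
```

A nonce of zero only covers this chain: if the same key has sent transactions on another network or published signed messages off-chain, treat it as exposed.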
The Work the Transition Requires
Few major Layer 1s have pulled together the technical, economic, and governance pieces this transition needs the way Ethereum has. Its program is the clearest sign yet that post-quantum migration is moving from research to roadmap across the industry.
For institutional market participants, the challenge lies in executing this transition with minimal disruption. At Quantum, we solve this friction point through a modular and entirely migration-free post-quantum signing and verification suite that integrates seamlessly into legacy MPC wallets, hardware security modules, and multisig configurations, protecting your assets without tearing down your infrastructure.
Our solutions are engineered to comply with global regulations, anchored in the official NIST post-quantum standards: FIPS 203, FIPS 204, and FIPS 205.