At a Glance: Ethereum’s 2029 Post-Quantum Target and the Shrinking Window to Prepare
The Ethereum Foundation and Ethereum researchers have published one of the most comprehensive post-quantum migration roadmaps of any major Layer 1. It covers four quantum-vulnerable cryptographic surfaces across a staged upgrade plan whose post-quantum milestones currently point toward the late 2020s.
The urgency comes from a simple mechanic. Ethereum's account-level quantum vulnerability lies primarily in Externally Owned Accounts (EOAs) that have transacted at least once. The moment an account broadcasts a transaction, its public key is exposed on-chain. From there, a sufficiently large, fault-tolerant quantum computer could derive the corresponding private key.
That hardware does not exist yet, but the timeline is narrowing. Google Quantum AI has introduced a 2029 migration timeline for moving its own systems to post-quantum cryptography, and its March 2026 research lowered the estimated resources needed to break 256-bit elliptic-curve cryptography.
Google's hardware progress is just as concrete. In December 2024, its Willow processor became the first superconducting chip to achieve quantum error correction below the surface-code threshold. The gap between that milestone and a future cryptographically relevant quantum computer defines the industry’s preparation window.
The institutions exposed are custodians, exchanges, banks, asset managers, foundations, and treasury teams, and the problem extends well beyond Ethereum. Most major Layer 1 ecosystems still rely on quantum-vulnerable public-key cryptography in parts of their stack. Bitcoin, Solana, Avalanche, and Cosmos each face different migration challenges, and each is at a different stage of readiness.
This article covers the threat, Ethereum's response, and what that response asks of the institutions exposed to it.
The Shared Vulnerability: What a Quantum Breakthrough Threatens on Ethereum
Ethereum’s most quantum-sensitive public-key primitives sit across three major areas: user accounts, validator signatures, and data availability commitments.
- ECDSA: Secures the private keys controlling user accounts.
- BLS: Secures the validator signatures that finalize the chain's consensus history.
- KZG Commitments: Secure the data availability proofs powering modern scaling.
All three primitives are rooted in elliptic-curve mathematics or pairing-based assumptions, which means they share the vulnerability targeted by Shor’s algorithm. A cryptographically relevant quantum computer would therefore force Ethereum to replace several core public-key assumptions at once, rather than patching a single account type or application.
Peter Shor's 1994 algorithm is the mathematical foundation of the attack. On a sufficiently large, fault-tolerant quantum computer, deriving a private key from an exposed elliptic-curve public key becomes computationally feasible. The open question has always been how large that computer needs to be, and recent resource estimates are now more concrete, though still assumption-dependent. In its March 2026 paper, Google Quantum AI estimated two attack circuits for ECDLP-256: one using fewer than 1,200 logical qubits and 90 million Toffoli gates, and another using fewer than 1,450 logical qubits and 70 million Toffoli gates.
Those figures only make sense once you separate the two types of qubits involved, logical qubits and physical qubits. Logical qubits perform the calculations. Modern quantum hardware is inherently unstable, though, so each logical qubit requires a protective layer of hundreds to thousands of physical qubits to manage error correction. Under Google’s stated superconducting-architecture assumptions, the target threshold could require fewer than 500,000 physical qubits working together.
Today's leading quantum processors are still orders of magnitude away from that scale. The threat is real, and the machine that delivers it has not been built. That gap provides the buffer necessary for a coordinated, network-wide response, and Ethereum is already using it to develop its post-quantum architecture.
Which Quantum Attack Actually Matters for Ethereum
Two quantum attack models matter here, and they affect Ethereum in very different ways.
The first is Harvest-Now-Decrypt-Later. In its classic form, an adversary records encrypted communications today and decrypts them years later, once a capable quantum computer exists. That scenario does not apply to Ethereum's chain state. The data on a blockchain is already public, so there is no ciphertext to steal and decrypt later.
Classic Harvest-Now-Decrypt-Later still matters for the encrypted communication channels and private key management systems that institutions run alongside their crypto operations. The protocol-level account risk works differently.
Ethereum accounts face the quantum threat in two ways, depending on whether they have ever transacted. An externally owned account that has already sent a transaction has its public key visible on-chain. A capable quantum computer could derive its private key at any time, with no new spend required.
An account that has never spent is in a different position. Only the hash of its public key is on-chain, so the key stays hidden until the first transaction is broadcast. That broadcast opens the on-spend window. For the few seconds a transaction sits in the mempool, a fast enough attacker could derive the key and push a competing transaction ahead of it.
Two broad defenses exist. The first hides the public key until the moment of spend. Bitcoin has historically reduced some exposure this way, through address formats that commit to a hash of a public key until spend time. But that protection is uneven across output types, spent outputs remain exposed, and BIP-360 is only a proposal rather than a committed network-wide migration. The second defense replaces the vulnerable signature scheme outright. That is the path Ethereum’s roadmap is designed to explore.
How Ethereum's Multi-Layer Roadmap Compares to Rival Layer 1s
Ethereum's replacement schedule spans consensus, accounts, data availability, and the application layer, which makes it one of the most comprehensive of any major Layer 1. Vitalik Buterin set out the approach in a widely read public post in February 2026, building on Ethereum’s dedicated post-quantum research effort and protocol work. The roadmap gives each of the four vulnerable components its own engineering track.
Validator signatures currently point toward hash-based schemes such as leanXMSS, paired with leanVM for aggregation. User-account migration runs as a separate execution-layer track, with the final account abstraction and signature path still subject to research and governance. The commitments that secure data availability move to quantum-safe proofs, either STARK-based or lattice-based. And the proof systems behind Layer 2 networks and privacy tools move to quantum-resistant versions of their own.
Justin Drake and Ethereum researchers paired the roadmap with a sequencing plan called the strawmap, which maps the migration into a sequence of network upgrades with core post-quantum infrastructure targeted around 2029. Four of those upgrades carry the post-quantum work: a public-key registry, a quantum-resistant data availability layer, validator attestations, and the full user-facing transition. These are placeholder milestones rather than fixed dates; Ethereum researchers frame the ordering and timing as planning targets instead of commitments.
Other major Layer 1s are moving at different speeds. Ripple has published a four-phase roadmap to make the XRP Ledger quantum-resistant by 2028. Algorand has gone furthest on deployment, shipping quantum-safe State Proofs in 2022 and running its first post-quantum mainnet transaction in November 2025.
Cardano has outlined a post-quantum track of its own. Bitcoin has a proposed standard, BIP-360, for quantum-resistant address formats, plus active research on legacy-address recovery, but no committed timeline. Solana offers an opt-in quantum-safe vault on mainnet without a network-wide migration plan. Avalanche and Cosmos are still largely at the research stage.
What sets Ethereum apart is the breadth of its plan. It runs one coordinated program across all four surfaces, backed by a dedicated research effort and connected to academic cryptography researchers.
The Irreversible Hash Function Decision
For Ethereum, one of the most critical architectural decisions is selecting the hash function beneath its new consensus signatures. Hash functions are cryptography's most proven building block. The ones in wide use, like SHA-256, have absorbed decades of attacks without breaking, and a signature scheme built on one inherits that track record. That track record is why Ethereum’s current consensus roadmap points toward hash-based signatures.
The choice is foundational and difficult to reverse, so Ethereum researchers are stress-testing it in public. An open cryptanalysis bounty running through December 2026 invites outside cryptographers to attack the candidate hash functions before anything is locked in.
Solving the Prohibitive Gas Cost of Post-Quantum Proofs
Security is only half the engineering problem. The new signatures are far more expensive to verify. An ECDSA signature verifies for about 3,000 gas, Ethereum's unit of computation. An unaggregated hash-based post-quantum signature runs near 200,000, more than sixty times as much. A standalone quantum-resistant proof reaches roughly 10 million. Left unaddressed, that cost would be prohibitive at network scale.
| Stage | Gas Cost per Signature |
|---|---|
| ECDSA verification today | 3,000 |
| Unaggregated hash-based post-quantum signature | ~200,000 |
| Standalone quantum-resistant STARK proof | ~10,000,000 |
| After recursive aggregation | Target: amortized cost closer to today’s economics; final production cost still under research |
Gas cost figures via Vitalik Buterin (X, February 26, 2026).
The proposed answer is recursive aggregation. Instead of verifying individual signatures one by one, the network bundles thousands of them into a single zero-knowledge proof and verifies that single object. The computational and data costs are then shared across every transaction in the batch. If it works at production scale, recursive aggregation could amortize verification costs enough to make post-quantum signatures economically viable for Ethereum users.
Stranded Assets: What Happens to Dead Wallets and Billion-Dollar Lost Keys?
Some supply will never migrate. The exact aggregate volume cannot be pinned down, but the categories of stranded capital are clear and verifiable:
- Permanently lost keys: Most notably, the 250,000 ETH in Rain Lõhmus's 2014 presale wallet that he can no longer access.
- Inactive accounts: Long-term holders who remain inactive past the protocol’s migration window.
- Immutable code: Ether permanently locked in non-upgradeable legacy smart contracts.
- Delayed migrations: Active users and protocols that simply fail to transition past the point of safety.
Not all dormant ETH is exposed, though. The 513,000 ETH frozen in the Parity multisig bug and the 11,500 ETH locked in Akutars cannot be moved by any signature, because broken contract code blocks extraction.
The 26,800 ETH in burn addresses is safe for a different reason. Those addresses were never created from a private key, so there is no public key for a quantum computer to attack. The real exposure stays with externally owned accounts that have transacted.
So what can be done about the rest? Ethereum can amend its own protocol rules through community consensus, which gives it a real governance path for handling stranded ETH. Options the community could evaluate at the protocol level include voluntary claim windows, migration deadlines, freezing rules for vulnerable account types, recovery frameworks, or some combination. None has community consensus today.
The supporting cryptography is already in research. Paradigm's Provable Address-Control Timestamps proposal, published for Bitcoin in May 2026, shows the kind of mechanism Ethereum could adapt. It lets the rightful owner of an inactive wallet prove control through a cryptographic record of past chain state, without moving funds, and it still works after a quantum computer arrives.
Why Your DeFi Capital Demands a Separate Upgrade Path
Accounts are only half the problem. Tens of billions of dollars sit in Ethereum DeFi smart contracts, and each one needs its own upgrade, redeployment, or wind-down. The situation varies by protocol. Aave and Compound are well-placed, because their core contracts can be upgraded through governance.
Uniswap is harder. Its core contracts are immutable by design, so migration means deploying new versions and moving users across to them. The hardest case is the cross-chain bridges secured by ECDSA and EdDSA signatures, which have to migrate across several chains at once.
The Institutional Action Plan: Crucial Questions to Ask Your Custody Vendors Today
The quantum migration is a multi-year program rather than an imminent event. Its pace depends on a few things that are not yet settled: when the hash function is chosen, whether recursive aggregation delivers the cost reduction it promises, and when capable quantum hardware actually arrives. The right approach is to track those milestones rather than the headlines.
- Watch the hash-function decision, expected across 2026 to 2027. Everything downstream depends on it, so it is the clearest single gauge of whether the timeline is holding.
- Ask custodians and wallet providers two direct questions. Do they have a post-quantum migration plan, and will they support Ethereum's new signature scheme when it ships? The answers separate the prepared vendors from the rest.
- Map exposure across custodied and treasury holdings. Addresses that have already transacted carry exposed public keys and come first for migration. Never-spent addresses and funds in non-upgradeable contracts carry different profiles. That inventory is the starting point for any credible plan.
None of this requires any change to the underlying assets themselves. It is a matter of operational readiness, and it can be fully implemented well before the hardware that makes the threat real ever materializes.
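One way to start the exposure inventory described above, as an added example rather than tooling from the article or from Ethereum: it sorts holdings into the article's profiles from each account's nonce and bytecode. The sample records, chain names and the `upgradeable` flag are constructed assumptions, and the 23-byte `0xef0100` code check for EIP-7702 delegated accounts goes beyond what the article covers.

```python
from dataclasses import dataclass

EIP7702_PREFIX = bytes.fromhex("ef0100")   # delegation designator: still an EOA

@dataclass
class Holding:
    label: str
    nonces: dict                # chain -> nonce (eth_getTransactionCount per chain)
    code: bytes = b""           # eth_getCode result on the chain holding the funds
    upgradeable: bool = False   # analyst-supplied after reviewing the contract

def is_contract(h):
    delegated = len(h.code) == 23 and h.code.startswith(EIP7702_PREFIX)
    return bool(h.code) and not delegated

def profile(h):
    if is_contract(h):
        return "contract-upgradeable" if h.upgradeable else "contract-immutable"
    # The same key controls this address on every EVM chain, so one spend on
    # any chain in scope has already published the public key.
    if any(n > 0 for n in h.nonces.values()):
        return "eoa-exposed"
    return "eoa-never-spent"

def inventory(holdings):
    """Group labels by profile; exposed EOAs are listed first for migration."""
    order = ["eoa-exposed", "eoa-never-spent",
             "contract-upgradeable", "contract-immutable"]
    groups = {name: [] for name in order}
    for h in holdings:
        groups[profile(h)].append(h.label)
    return groups

# Constructed sample inventory (labels and values are illustrative only).
SAMPLE = [
    Holding("hot-wallet", {"mainnet": 412, "l2-a": 37}),
    Holding("cold-reserve", {"mainnet": 0, "l2-a": 0}),
    Holding("cold-reserve-2", {"mainnet": 0, "l2-a": 3}),   # spent on an L2 only
    Holding("delegated-eoa", {"mainnet": 9}, code=EIP7702_PREFIX + bytes(20)),
    Holding("lending-position", {}, code=b"\x60\x80", upgradeable=True),
    Holding("legacy-vault", {}, code=b"\x60\x80"),
]

if __name__ == "__main__":
    for name, labels in inventory(SAMPLE).items():
        print(f"{name:22} {labels}")
```

A zero nonce on every chain is necessary but not sufficient for the never-spent profile: a signed message that someone else relayed on-chain, such as a token permit, also reveals the key.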
The Work the Transition Requires
Few major Layer 1s have pulled together the technical, economic, and governance pieces this transition needs the way Ethereum has. Its program is the clearest sign yet that post-quantum migration is moving from research to roadmap across the industry.
For institutions, the practical requirement is cryptographic agility: the ability to add post-quantum signing and verification without tearing out existing custody, MPC, HSM, or multisig infrastructure. At Quantum, our approach is modular and migration-free, designed to deploy alongside legacy signing systems while aligning with the official NIST post-quantum standards: FIPS 203, FIPS 204, and FIPS 205.