Post-quantum security & Ethereum's 2026 roadmap

A comprehensive presentation by Tomasz Stańczak at ETHBoulder covering the Ethereum Foundation's progress in 2025, the state of post-quantum security research, and the concrete implementation roadmap for quantum-resistant cryptography across Ethereum's consensus and execution layers.

This transcript is an accessible copy of the original video transcript (opens in a new tab) published by ETHBoulder. It has been lightly edited for readability.

EF progress and the cultural shift (0:12)

Some of you may have come here with the idea that you'd hear about the Ethereum Foundation's vision and direction. I was told before that I'd talk about post-quantum money, so that's what I prepared for, but I quickly prepared slides for the other one too. So maybe we'll rush through both — I think I have 20 to 25 minutes.

This is a summary of 2025 — since I joined around March last year, here's what we've done at the foundation. The comms team has been doing an amazing job on improvements to social media, communication, and storytelling — talking about very technical things, important things about enterprises and institutions, but also finally finding a new voice for talking to the new generation about exciting things. That attracts a lot of fresh new talent to the EF, to the Ethereum ecosystem, and generally creates a vibe that things are cool. If Boulder also contributes to the feeling that the EF is cool again, that would be wonderful.

The institutional aspect of Ethereum was super important in 2025. We knew it would be a very pivotal year for institutions. Then we did a bit of response to people saying Ethereum doesn't care about founders — that founders went to other ecosystems. So we restructured EcoDev and put a lot of effort into founders and applications. James Smith brought a lot of talent, structure, and leadership. We changed the grant strategy — we made it much harder for local events to get funding directly from the foundation, but put much more effort into amplification, promoting events through the new communication strategy and social media.

One very big and important thing was restructuring the protocol cluster at the Ethereum Foundation — connecting more closely the researchers and engineers. We've been told that in the past, researchers and engineers would have to organize special dinners at events to talk to each other. Now they are working on the same teams, mixed together, and they focus on specific tracks — particularly Scale 1, Scale 2, and Improve UX Interop. That's where researchers and engineers are working together on getting the goals delivered.

The Trillion Dollar Security initiative was a big effort — reviewing the ecosystem for the biggest pain points on security aspects. Then we had two forks shipped. Big feedback from the ecosystem was that we didn't ship on time, that sometimes we took one and a half years to deliver a fork. So we showed that we can deliver two forks a year, and maybe this year we'll repeat it — maybe it will be more like every nine months, but it's going in a good direction. Privacy cluster changes are still being structured. We talked about 10 years of Ethereum celebrated around the world. The decentralized AI team was established. We started physical hubs with external teams — in most cases they're either not funded at all or barely funded by the Ethereum Foundation. We push a lot for local teams being able to be self-sufficient with local sponsors, usually VCs or vibrant communities. And zkVMs were really a big topic.

2026 strategy and priorities (4:30)

We announced protocol changes in June. In May we announced the Trillion Dollar Security initiative. This is the dashboard that was just launched recently — more of a result of that work for 2026. Treasury policy was announced in June. I think we'll see more results of this in a week or two — we'll be announcing the DeFi coordination team. We finally made some important hires for that team. I'm super excited about the people who will be supporting DeFi at the foundation. I also just learned that we are in a queue for the validators to push them to mainnet, so the Ethereum Foundation will maintain some validators to stake its own ETH. These are two parts of the treasury policy. The AI team recently announced the very timely ERC-8004 landing on mainnet to support agentic AI.

London, San Francisco, Lagos, Dubai, Rome, Hong Kong — those are the hubs. For 2026, what I would love to see — and I should mention most of you probably know I'm stepping down as the COA of the foundation — but this is mostly the strategy we're setting for 2026. I think with the team, we agree this is the direction. This is also the reason I feel very comfortable and confident that the team knows where to go, that we have the leaders to execute, and they can do that definitely super well without any extra chasing or nudging.

Certifications and credentials for enterprise Ethereum — we want institutions to be really sure who to work with around the world. Post-quantum security — very big announcement, and soon we'll talk about it in detail. OAF becoming the interoperability standard that is fastest to integrate and ship. DevCon Mumbai — super excited about India finally welcoming all the thought leaders and visitors to share the joy of Ethereum, probably with thousands or tens of thousands of people. A unified five-year roadmap, merging Lean Ethereum into the core development process — this should be announced next week. The Agentic Ethereum initiative — we've seen fantastic work from Austin and the communication team talking about agents on Ethereum using ERC-8004. Ethereum with Base mainnet managed to capture the initial attention of building agents on Ethereum, and lots of new founders and builders.

ETHBoulder, ETHDenver — it's a bit of our effort to be here, to send much more people from the EF to come and present and discuss with everyone. New York City welcoming Ethereum on the institutional side — independent from the foundation, EVE Global runs the major conference in New York, planning like 6,000 to 8,000 people. Global policy support team launched last year so we can support policy makers and regulators around the world. The DeFi coordination team launching next week. The platform team is about talking about Ethereum as the best platform for L2s to build on — two weeks ago it was over 70 people, over 20 L2s meeting together to discuss strategy, roadmap, and technology. Issuance roundtable discussion at EFCC coming, and hopefully we'll talk a lot about culture and art on Ethereum through DevCon Mumbai as well.

Why post-quantum matters now (8:30)

This is the topic my team told me I should talk about, which is a bit funny because I don't feel the strongest on this one — I understand the idea, I understand why it's super important for us, and I try to explain why. But technically I felt like, I don't know exactly what we're doing on the EIP levels or how the team delivered. It doesn't mean I'm not prepared — I spent eight hours today preparing this for you and reading all the materials that the team sent me. But you have to forgive me if there are some technical details that I don't explain best, or if I share information that might be a few months old.

So why is post-quantum so important now? Maybe not because the timelines are so bad. The timelines might be suggesting that maybe it's 2030, maybe it's 2035 — some people would say it's 2040 when we have computers that are actually relevant for risks to cryptography on Ethereum. But a big aspect of everyone talking about post-quantum security is that there's already some anxiety among people in the financial industry who are looking at Ethereum and thinking: is this technology for many years? When you're relying on blockchain and you want to deploy systems on public mainnet for many years, you don't want any type of catastrophic risk looming five to ten years away without people telling you they have everything under control.

The majority of our effort now is to show how much work we've put into planning, researching, scheduling, and building roadmaps for post-quantum security. Bitcoin particularly is very worried about post-quantum threats. The biggest worry is that there are around 6 million BTC at risk total — some from Taproot accounts, around 1.9 million BTC from Satoshi accounts and other legacy accounts. Then you have accounts on the fly that can be intercepted when you're signing transactions, but that's less of a threat because you'd have to have quantum computers capable of breaking the cryptography very fast. Those majority of addresses are at risk in Bitcoin even with quantum computers that take weeks to break those addresses. This creates a lot of uncertainty among people who think — what if it comes earlier, especially with AI acceleration now? Lots of new announcements around quantum are coming very fast, and there's also uncertainty about how much we know about quantum computers, as much of that technology might be developed by governments in stealth mode.

Market anxiety and institutional response (12:00)

Massive uncertainty. Some people claim that investors aren't selling BTC because of quantum computers, but we see announcements from large banks and investment funds that say it's exactly why their customers are saying "sell BTC" — or Ethereum. Some problems are "harvest now, decrypt later" — the idea that with quantum computers you'll be able to look at existing encrypted traffic, store it for the future, and then decrypt it. When you think about threats to blockchain — if you're using it for privacy, for encryption, and you hope you'll have forward security — this is a problem. Specifically for chains that rely on privacy like Monero, practically in the future you'll be able to decrypt the entire past of the chain, all the states and transitions.

However, for signatures and ZK proofs, what's important is that everything in the past is actually safe. We're just risking that in the future, when quantum computers are advanced enough, you could generate false signatures or break signatures, and also generate proofs for false statements in the ZK space. But everything before the quantum computers — you can say this was proved in the past and it's not at risk. That's why on blockchains like Ethereum, we're not that worried about past signatures. It's just that when quantum computers appear, you have to either be ready and have transitioned all accounts to post-quantum security, or have emergency solutions.

We see Coinbase announcing an advisory board — Justin Drake from the Ethereum Foundation and a few other well-distinguished people. More and more institutions are trying to announce they're getting ready. The Ethereum Foundation is trying to be very vocal about it to calm everyone down and say yes, Ethereum is credibly secure for many years forward.

Nick Carter mentions that there's a discrepancy between how developers think about post-quantum security and how markets think about it. Markets think in terms of risks; developers usually think about timelines — "when it appears, we can quickly update." They don't think about being ready two to three years before, because otherwise there's this anxiety in the market. The financial markets are one aspect, but the other is the anxiety about deciding to build on that technology in an institution where you have to plan strategically two to five years ahead.

Here is the announcement from Jeff — 10% BTC allocation removed from an Asia portfolio, citing quantum as an existential threat. First major institutional portfolio example, Bloomberg article. Citibank announced the quantum threat and trillion-dollar security race — not only blockchain, they were talking about cryptography used in banks and financial institutions, but they also mentioned risks related to Bitcoin. 25% of bitcoins potentially quantum-exposed, and a large probability that things break by 2034.

NIST standards and Vitalik's walkaway test (16:00)

Here is NIST announcing the post-quantum secure cryptography standards — the signatures that should be used. They say by 2030, people should be ready. Systems should deprecate legacy signature algorithms, and by 2035 those should be banned entirely. It doesn't mean that by that time we'll for sure have post-quantum computers that are threats, but the expectation is that everyone is ready by that time — institutions, government agencies, licensed operators in the US.

Vitalik quotes post-quantum security as a very important requirement for the walkaway test for Ethereum — that we cannot ossify Ethereum unless it's quantum secure, because really everything would break. Over the next few years, a very important set of deliveries is making the entire Ethereum stack quantum secure — all aspects: signatures, data availability, signatures on the execution layer, and signatures on the consensus layer.

Post-quantum signature schemes (17:30)

There is a series of blog posts on the Ethereum Foundation research forum that talk about proposed transaction signature schemes and how to approach post-quantum security from the account abstraction side on Ethereum. First, Falcon is a lattice-based signature scheme — one of the schemes proposed by NIST as a standard. The good thing is it has very well-defined worst-case running time, which is important in the EVM context where you don't want to calculate gas costs based on absolutely worst scenarios. In Ethereum, when you think about scaling, we always look at the worst-case scenario, not the average. It would be nice to think about average performance, but it doesn't matter because the moment you do that, the attacker will flood the network with transactions specifically designed to trigger the worst case. So it's important to know what that worst case is.

The bad thing is that Falcon signatures and many post-quantum signatures are considered very difficult math and cryptography. Because of that, we don't have the comfort of many years of established libraries considered very safe. If you implement these, you have risks of side-channel attacks — not only do you need to implement the cryptography correctly, you also have to implement it in a way that ensures the execution times and effects on hardware are not affected by the actual numbers, operations, or paths you're taking. You have to ensure your library always takes the same paths and uses the same CPU load — otherwise you can observe it through side channels and extract information. Many cryptographers say one thing is to implement it properly; the other is to prevent any optimization that would potentially expose the libraries to side-channel attacks.

There are also problems with aggregation — there are aggregation solutions for Falcon-based signatures, but they decrease efficiency even more. What is really suggested is hash-based multi-signature solutions. Ethereum on the consensus layer is choosing XMSS. The Ethereum research is now proposing solutions around XMSS — that's what was mostly worked on for the Lean Ethereum roadmap. We're integrating Lean Ethereum into the core development protocol roadmap proposal, which means we'll be proposing a post-quantum security roadmap to the All Core Devs for review. We have implementations and we've been tracking goals and metrics on execution speed.

The migration challenge (20:30)

Coming back to the requirements for post-quantum work at Ethereum — knowing exactly what the threats are, what types of attacks can be executed, and having very predictable migration paths for accounts. This is one of the biggest problems with post-quantum security. You have to take all existing accounts on the blockchain and ensure that somehow users execute an action of upgrading to post-quantum signature schemes. If they don't take any action, the accounts are at risk. Even if those accounts are dead — nobody holds the keys because they were lost — it's still a problem because quantum attacks may recover those keys. That may create a general feeling of uncertainty and additional risk around the technology.

There are some solutions on Ethereum — the emergency approach. You assume that if somebody holds keys, they most likely also hold the preimage — the seed phrase. So you can do the emergency approach where people ZK-prove that they hold the seed phrase that generated the public key. Then you can lock those accounts until someone posts the proof. But you're still risking that those who generated keys directly without a seed phrase might never be able to recover their funds.

Performance, formal verification, and implementation progress (23:00)

We want to have a bunch of implementations with formal verification, which is accelerating a lot now. We've had examples of formal verification done very fast thanks to AI. We want to analyze performance changes — the economy of block space changes. How quickly signatures can be verified, and what's the cost of hardware to execute. The good thing is that by scaling L1, we create more space for the new type of signatures. Basic transactions might be 10 to 20 times more expensive than today because of the larger signatures in post-quantum schemes. We generally expect the entire ecosystem to be ready — wallets, validators, operators — everyone switches and is ready to upgrade together. One thing is to do the research and implementations; the other is the entire migration transition. If the first part might be two to three years, then integration will take another two to three years unless people really feel there's an emergency.

What are the misconceptions about the work? The first one I really love pointing out — just because the action might be limited at some point, it doesn't mean there hasn't been a lot of work already done. Researchers might decide to go with simple changes and gradual improvements, but this is a result of three or four years of review of all the details and very good understanding of all the possibilities and attacks. The misunderstanding is that we would do this with a single change — most likely it will be a series of changes and multiple modules being changed over time.

The full roadmap and devnet progress (25:29)

This is a quick review of things we're doing — consensus layer, Lean EVM, Lean Spec. Three things we're working on. There are also precompiles for the new signatures. Here's the roadmap — when it was presented in Bangkok, people said Ethereum is slow and thinking very slowly about roadmaps. But now it shows we're already two years into a lot of preparation for post-quantum, and it's starting to calm people down because they say, "oh, we're already midway and building the solutions." So that roadmap was not that bad in the end — Ethereum shows it's being followed.

We're tracking the performance of the lean signatures — this one is for hash-based XMSS. We're already seeing verification times that look promising. For multi-signatures and aggregation, it's a bit slower, but generally the progress is very promising. We're super happy with the work. These are the devnets launched for interoperability between clients — multiple clients implementing devnets for post-quantum. Post-quantum devnet 2 is active at the moment.

The Lean Ethereum roadmap website is extremely detailed and very well-coordinated for all post-quantum security efforts on Ethereum. Here are some video examples — the post-quantum security link call 2 in February last year, SubSpec in September 2025, and we continue with lots of specifications you can track. Here is the emergency response I mentioned. Here are announcements from Justin Drake from two or three weeks ago — we rushed immediately after we realized that financial markets globally are talking more and more about the threats and feeling very anxious. We said, OK, let's publish — this is really well-prepared, and a lot of work has been done. The All Core Devs post-quantum calls are run by Antonio Sanso every two weeks. Devnets running, workshops being executed — there was a meeting in Cambridge, and we plan another one this year in Cologne and then again in Cambridge in October. Formal verification, and massive funding — million dollars for the post-quantum roadmap bounties. Integration, education, and implementation. Here's a roadmap that Ethereum announced for 10 years. This website is coming with the post-quantum material very soon. And here are all the references. Thank you so much.