
Post-quantum cryptography on Ethereum

How Ethereum is preparing for the post-quantum era, what is vulnerable, and what is being built to protect it.

Quantum computers will eventually be able to break the cryptographic methods that secure Ethereum and most other digital systems today. This page explains what that means, how the network is proactively developing improvements to mitigate this risk, and what you need to know.

Why post-quantum cryptography matters

Ethereum relies on several forms of cryptography to keep the network secure and protect user funds. The most important are:

  • Elliptic curve digital signature algorithm (ECDSA): The cryptography used to sign transactions. Your Ethereum account's security depends on this.
  • BLS signatures: Used by validators to reach consensus on the state of the network.
  • KZG polynomial commitments: Used for data availability in Ethereum's scaling roadmap.
  • ZK-proof systems: Used by rollups and other applications to verify computations offchain.

All of these rely on problems defined over mathematical structures, such as Abelian groups, that are hard for classical computers but can be solved efficiently by a quantum computer using Shor's algorithm.

When will quantum computers threaten Ethereum?

In March 2026, Google Quantum AI published research estimating that breaking 256-bit elliptic curve cryptography (the type Ethereum uses for account signatures) could require roughly 1,200 logical qubits. Previous estimates put this number much higher. Google has set a 2029 internal deadline for migrating its own systems to post-quantum cryptography.

Current quantum hardware is far from this scale, operating with a few thousand noisy physical qubits. Logical qubits (which correct for errors and perform reliable computation) require many physical qubits each. The gap between current hardware and what is needed to break Ethereum's cryptography remains significant, but it is narrowing faster than many expected. Notably, the U.S. National Institute of Standards and Technology (NIST) anticipates deprecating ECDSA by 2030 and disallowing it by 2035.

This is not an imminent threat. But cryptographic transitions take years, and Ethereum's security model is designed to last centuries. Ethereum's response is the Lean Ethereum roadmap, a deliberate, multi-year mission to rebuild Ethereum around primitives that will survive any cryptographic threat.

Four areas vulnerable to quantum attack

In February 2026, Vitalik Buterin published a roadmap identifying four distinct areas of Ethereum's cryptography that need post-quantum upgrades. Each has different challenges and different solution paths.

1. Consensus-layer BLS signatures

What it does: Ethereum's protocol uses BLS signatures to aggregate votes from hundreds of thousands of validators. BLS allows many signatures to be combined into one, keeping the network efficient.

Why it is vulnerable: BLS signatures rely on elliptic curve pairings, which a quantum computer could break.

The approach: The Lean Consensus roadmap includes developing two complementary tools:

  • leanXMSS: Ethereum will replace BLS signatures with leanXMSS, a hash-based signature scheme for validators. Hash-based signatures are considered quantum-safe because they rely only on the security of hash functions, which quantum computers weaken but do not break.
  • leanVM: A minimal zkVM (zero-knowledge virtual machine) for SNARK-based signature aggregation. Because hash-based signatures are significantly larger (roughly 3,000 bytes compared to 96 bytes for BLS), switching to leanXMSS would produce significantly more data per slot. To solve this, leanVM acts as an aggregation engine, compressing the data by 250x. This preserves the efficiency benefits of combining many signatures into one, even after switching to quantum-safe schemes.
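
To make the size trade-off above concrete, here is an added example (not code from leanXMSS or any Ethereum project): a simplified Winternitz one-time signature, the kind of hash-chain building block that XMSS-family schemes combine with a Merkle tree. The parameters (SHA-256, w = 16), the function names and the sample message are assumptions chosen for illustration.

```python
import hashlib
import secrets

N = 32               # hash output size in bytes (SHA-256, an assumption)
W = 16               # Winternitz parameter: one chain per 4-bit digit
LEN1 = 64            # a 256-bit digest is 64 base-16 digits
LEN2 = 3             # checksum <= 64 * 15 = 960, which fits in 3 digits
CHAINS = LEN1 + LEN2

def H(data):
    return hashlib.sha256(data).digest()

def chain(x, start, steps, idx):
    """Hash `steps` times, domain-separated by chain index and position."""
    for pos in range(start, start + steps):
        x = H(bytes([idx, pos]) + x)
    return x

def digits(message):
    """Digest as base-16 digits plus a checksum, so that raising any
    message digit forces some checksum digit down (not computable)."""
    d = [nib for byte in H(message) for nib in (byte >> 4, byte & 0x0F)]
    checksum = sum(W - 1 - v for v in d)
    return d + [(checksum >> shift) & 0x0F for shift in (8, 4, 0)]

def keygen():
    sk = [secrets.token_bytes(N) for _ in range(CHAINS)]
    pk = H(b"".join(chain(s, 0, W - 1, i) for i, s in enumerate(sk)))
    return sk, pk

def sign(sk, message):
    """One-time only: a second signature under the same key reveals
    more chain values and lets an observer forge."""
    return b"".join(chain(s, 0, d, i)
                    for i, (s, d) in enumerate(zip(sk, digits(message))))

def verify(pk, message, sig):
    if len(sig) != CHAINS * N:
        return False
    parts = [sig[i * N:(i + 1) * N] for i in range(CHAINS)]
    ends = [chain(p, d, W - 1 - d, i)
            for i, (p, d) in enumerate(zip(parts, digits(message)))]
    return H(b"".join(ends)) == pk

def demo():
    sk, pk = keygen()
    msg = b"constructed attestation for slot 1"   # constructed sample input
    sig = sign(sk, msg)
    return len(sig), verify(pk, msg, sig), verify(pk, b"other message", sig)

if __name__ == "__main__":
    print(demo())
```

Security here rests only on the hash function, and the signature is 67 chain values of 32 bytes each, which is why hash-based schemes are so much larger than a 96-byte BLS signature and why aggregation is needed.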

2. Data availability: KZG commitments

What it does: KZG polynomial commitments ensure that data (particularly data from rollups) is available on the network without requiring every node to download all of it.

Why it is vulnerable: KZG commitments rely on elliptic curve pairings, the same mathematical structure that quantum computers can attack.

Current mitigation: KZG commitments use a "trusted setup" where many participants contributed randomness. As long as at least one participant was honest and discarded their secret, the setup is secure, even against quantum computers attempting to reverse-engineer it after the fact.

Long-term solution: Replace KZG with a quantum-safe commitment scheme. The two leading candidates are:

  • STARK-based commitments: Rely on hash functions rather than elliptic curves. Already used in some ZK-rollups.
  • Lattice-based commitments: Rely on the hardness of lattice problems, which are believed to be quantum-resistant.

Both approaches are still being researched for efficiency and practicality at Ethereum's scale.

3. Account signatures: ECDSA

What it does: Every standard Ethereum account (externally owned account, or EOA) uses ECDSA on the secp256k1 curve to sign transactions. This is what protects your funds.

Why it is vulnerable: For any account that has sent a transaction, the public key is exposed onchain. A quantum computer could derive the private key from this exposed public key data.

Important nuance: Accounts that have only received ether and never sent a transaction have not exposed their public key. Only the address (a hash of the public key) is visible, which provides some additional protection.

The approach: Rather than a single protocol-wide migration, Ethereum plans to use account abstraction (specifically EIP-8141, being considered for Hegotá in the second half of 2026) to give users signature agility. Individual accounts could switch to a post-quantum signature scheme without waiting for the entire protocol to change.

This is a pragmatic approach. Users and wallets that want post-quantum protection early can adopt it voluntarily, while the broader migration happens over time.

4. Application-layer ZK-proofs

What it does: Zero-knowledge proof systems are used by L2 rollups and other applications to verify computations without revealing underlying data.

Why it is vulnerable: Many popular ZK-proof systems (SNARKs using elliptic curve pairings) rely on quantum-vulnerable assumptions.

The approach: STARKs, which rely on hash functions rather than elliptic curves, are already quantum-resistant and are used by several rollups. Natural ecosystem adoption of STARK-based systems is already providing post-quantum security at the application layer.

NIST standards

In August 2024, the U.S. National Institute of Standards and Technology (NIST) finalized three post-quantum cryptography standards. These matter because they give the entire technology industry, including Ethereum, a shared set of vetted algorithms to build on rather than each project inventing its own.

| Standard | Name | Type | Use case |
|----------|------|------|----------|
| FIPS 203 | ML-KEM | Lattice-based | Key encapsulation (key exchange) |
| FIPS 204 | ML-DSA (Dilithium) | Lattice-based | Digital signatures |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-based | Digital signatures |

These standards provide a foundation for the broader industry's post-quantum transition. Ethereum's work builds on and extends these, with particular focus on the unique challenges of a decentralized network where efficiency and aggregation matter.

The Ethereum Foundation's approach

The Ethereum Foundation formed a dedicated Post-Quantum Security team in January 2026, led by Thomas Coratger. The team's work is tracked publicly at pq.ethereum.org.

Current activity (as of April 2026)

  • Weekly interop devnets: More than 10 client teams participate in regular post-quantum interoperability testing, including Lighthouse, Grandine, Zeam, Ream Labs, and PierTwo.
  • Poseidon Prize: A $1 million research prize targeting improvements in hash-based cryptographic primitives.
  • Open-source implementations: leanXMSS, leanVM, leanSpec (Python), leanSig (Rust), and leanMultisig are all available under the leanEthereum GitHub organization.
  • 2nd Annual PQ Research Retreat: Planned for 9-Oct-2026 to 12-Oct-2026 in Cambridge, UK.
  • NIST Alignment: Ethereum's work builds upon the post-quantum cryptography standards finalized by NIST in August 2024 (such as ML-KEM, ML-DSA, and SLH-DSA).

Migration milestones

The team has outlined a series of protocol upgrades to incrementally introduce post-quantum cryptography into Ethereum. These are planning milestones, not guaranteed commitments. Names and ordering may change.

| Milestone | What it introduces |
|-----------|--------------------|
| I* | PQ key registry. Validators can register post-quantum public keys alongside existing BLS keys. |
| J* | PQ signature verification precompiles. Smart contracts and wallets can verify PQ signatures natively. |
| L* | PQ attestations and real-time consensus-layer proofs via leanVM. Validators begin using PQ signatures for consensus. |
| M* | Full PQ signature aggregation and PQ-safe blob commitments. |

Target: The structured fork milestones target the completion of core post-quantum infrastructure by approximately 2029. Full execution-layer and ecosystem migration extends beyond that.

What do users need to do?

Right now: nothing. Your funds are safe. No quantum computer today can threaten Ethereum's cryptography.

In the future: Once post-quantum signature schemes are widely supported on Ethereum (expected following the Hegotá hard fork and implementation of EIP-8141), you will want to migrate your account to quantum-safe signatures. Wallet software will guide you through this transition.

If your account has never sent a transaction (meaning your public key has not been exposed onchain), it has an additional layer of protection. But all accounts should eventually migrate.

The question of how to handle dormant wallets (accounts whose owners may not be aware of the need to migrate) is an open governance topic. The Ethereum community has not yet reached consensus on this.
