Post-Quantum Cryptography
Post-quantum (PQ) migration for Ethereum is on a forced timeline: NIST 2030 deprecation of ECDSA, 2035 full replacement, with qubit estimates collapsing rapidly — from millions (pre-2024 consensus) → 500K (Google, Sept 2024) → 100K (early 2026 algorithmic improvements). The bottleneck is social coordination, not mathematics. (→ EthCC[9] — Conference Overview)
Timeline Pressure
- Google (Sept 2024): 500K qubits needed to break ECDSA — much lower than prior estimates of millions.
- Early 2026 update: Algorithmic improvements (ETHDenver panel) reduced the estimate further to ~100K qubits — from 20M in 2017 to 500K in 2024 to 100K by early 2026. Each revision accelerates the threat timeline.
- NIST schedule: Deprecate current signatures by 2030, full replacement by 2035.
- Justin Drake (EF): PQ signatures required in Ethereum staking roadmap by ~2027–2029 (LAR fork window).
- Arthur Breitman (Tezos): “Being early has very few downsides; being late causes severe disruption.” STARK-based PQ aggregation is unsolved — only EF is working on it.
- Charles Guillemet (Ledger): 8M+ Ledger devices securing ~20% of crypto market cap. Most current hardware cannot run PQ schemes due to RAM constraints.
Candidate Algorithm Families
| Family | Example | Signature Size | Key Properties | Risk |
|---|---|---|---|---|
| Lattice | Dilithium (ML-DSA), Falcon | Dilithium: 2.5KB; Falcon: 666B | Dilithium: NIST-standardized, stateless; Falcon: smallest sig | Falcon signing relies on floating-point arithmetic — implementation vulnerability risk |
| Hash-based | SPHINCS+, XMSS | Large (SPHINCS+ ~8–50KB) | Most conservative assumptions | XMSS is stateful (problematic for multi-device wallets); SPHINCS+ stateless but huge |
| Isogeny | SQIsign | Competitive | Novel math | Less mature, ongoing cryptanalysis |
| Code-based | Various | Large | Old math, well-studied | Large key sizes |
EF direction: Hash-based (XMSS via SNARK aggregation) for consensus layer. SNARK wrapping solves the native aggregation gap — but requires proof infrastructure. No consensus yet on execution layer.
Critical insight (Alexander / Andrey Ivasko): “Implementation risk can arrive before quantum risk.” Floating-point vulnerabilities in Falcon and algebraic attacks on multivariate schemes are live threats today, before any quantum computer exists.
Account Abstraction as Migration Bridge
Antonio Sanso (EF): Ephemeral key rotation via account abstraction lets users stay on ECDSA now while smoothly migrating:
- EOA address remains stable (hash of public key) but signing key rotates per transaction.
- Non-native AA (ERC-4337): available today.
- Native AA (EIP-8141 “Frame Transactions”): expected ~2029.
- Allows ECDSA use now + hash-based one-time signatures later without UX disruption.
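The rotation mechanism sketched above, as an added worked example in Python (not code from the talk, the EF, or any wallet): a Lamport one-time signature derived from a seed by hashing only, an account whose stable identifier is the hash of its first public key, and per-transaction rotation where each signed transaction commits to the next one-time key. It also shows the statefulness problem the table flags for hash-based schemes: a second device restored from the same seed reuses a one-time key and its transaction is rejected. The seed value and all names are constructed for the demo.

```python
import copy
import hashlib

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()
def keygen(seed: bytes, idx: int):
    # Lamport one-time key number idx, derived from the seed by hashing alone (no ECDSA)
    sk = [[H(seed + idx.to_bytes(4, "big") + bytes([i, bit])) for bit in (0, 1)] for i in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]
def commit(pk) -> bytes:
    # 32-byte commitment to a public key; the first one doubles as the stable address
    return H(b"".join(a + b for a, b in pk))
def bits(msg: bytes):  # the 256 digest bits that select which secret of each pair to reveal
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(bits(msg))]
def verify(pk, msg: bytes, sig) -> bool:
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

class Account:
    # On-chain view: fixed address; the next signer is the key the last accepted tx committed to
    def __init__(self, first_pk):
        self.address = self.next_key = commit(first_pk)
    def apply(self, tx) -> bool:
        pk, sig, payload, nxt = tx
        if commit(pk) != self.next_key or not verify(pk, payload + nxt, sig):
            return False
        self.next_key = nxt
        return True

class Wallet:
    # Device side: key idx signs exactly once, then the wallet advances to idx + 1
    def __init__(self, seed: bytes):
        self.seed, self.idx = seed, 0
    def sign_tx(self, payload: bytes):
        sk, pk = keygen(self.seed, self.idx)
        nxt = commit(keygen(self.seed, self.idx + 1)[1])
        self.idx += 1  # advance state before the signature leaves the device
        return pk, sign(sk, payload + nxt), payload, nxt

def demo():
    seed = b"constructed-demo-seed"  # constructed sample value
    wallet, acct = Wallet(seed), Account(keygen(seed, 0)[1])
    clone = copy.deepcopy(wallet)  # second device restored from the same seed and counter
    ok1 = acct.apply(wallet.sign_tx(b"tx1"))
    ok_clone = acct.apply(clone.sign_tx(b"tx2"))  # key 0 already spent: rejected, and now burned
    ok2 = acct.apply(wallet.sign_tx(b"tx2"))
    return ok1, ok_clone, ok2
```

The clone's rejected transaction is the multi-device failure mode: the chain refuses it, but the one-time key has now signed two different messages, which is what a stateful scheme must never allow.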
Proof-of-Seed for Key Recovery (ZK & TEEs track)
Vitalik’s 2023 proposal: prove ownership of seed phrase (not private key) via ZK, because seed → private key involves hashing (quantum-resistant path). Implementation:
- ZKBoo runs on a 32KB Ledger stack (7.5KB heap) — extreme hardware constraint.
- Two-stage: ZKBoo on secure element → succinct wrapper (Binius or similar).
- Enables key rotation via account abstraction without breaking ECDSA until 2029+.
CAFE Framework (Oleg Lodygensky)
Crypto Agility Framework for Ethereum — iterative discovery → policy → remediation:
- Discovery: Map cryptographic dependencies via blockchain analysis (wallet address types, RPC endpoints, blast radius of each scheme).
- Policy: Define target algorithm + rotation mechanism (EOA rotation, hardware HSM migration timelines).
- Remediation: Execute via partner integrations (Trezor, Ledger new HSMs with PQ support).
Key blocker for Ethereum-wide migration: social consensus on which algorithm + block space impact (bigger signatures/keys) + legacy address migration incentives.
Hardware Constraints
Ledger (Charles Guillemet): Most current Ledger devices have <32KB RAM — eliminates most PQ schemes. Migration path: new HSM hardware + software upgrade for existing devices where possible. Users with old hardware face forced replacement.
World Orb (0xPenryn): Custom silicon for iris biometrics already demonstrates that PQ-ready hardware must be purpose-built, not retrofitted onto general-purpose devices.
Aggregation Is the Hard Problem
Aggregating PQ signatures (e.g., from 500K validators) is computationally expensive. STARK-based aggregation is the proposed path — but as of EthCC[9], only EF is researching this. No working implementation. Without aggregation, PQ sigs explode block size (Dilithium alone is 40× larger than ECDSA).
Connections
- ZK Proving Infrastructure — ZK proofs wrap and compress PQ signatures; SWIRL/multilinear proof systems relevant
- Ethereum Staking Dynamics — Staking strawmap targets PQ migration in validator set by ~2029
- Smart Contract Security (2026 State) — CAFE framework intersects with security shift-left movement
- Stablecoins & RWA Convergence — Institutional custody infrastructure must also migrate
Open Questions
- Which PQ algorithm will EF standardize on for the execution layer?
- Will SNARK-based aggregation of XMSS signatures be production-ready before 2027?
- How do holders of old hardware wallets (pre-PQ) migrate without losing assets?
- Can the social coordination required for Ethereum-wide migration happen in a ~3-year window?
Bitcoin Quantum Risk (ETHDenver 2026 Panel)
Severity: Approximately 6.9M BTC in exposed public keys are at quantum risk today (~33% of circulating supply; the panel cited “~30%” as a round figure).
- 1.7M of those likely belong to Satoshi-era wallets and are probably immobile
- A quantum break could trigger a massive market dump as stolen coins hit exchanges
Timeline update: Recent algorithmic improvements reduced required qubits from 20M (2017 estimate) to 100K (early 2026). Google’s Willow demonstrated scalable error correction below threshold — proving quantum architectures can scale.
BIP 360: Proposes voluntary opt-in quantum hardening for Bitcoin without consensus changes. Problem: old address types (P2PK) cannot be hardened without forking. Some proposals advocate freezing Satoshi’s coins — extreme political and philosophical controversy.
Governance bottleneck: Bitcoin’s immutability constraint on consensus changes means quantum migration requires near-universal agreement. Ethereum’s account abstraction path is faster.
Ethereum’s PQ Advantage (Tomasz Stańczak + Jerome de Tychey, ETHDenver 2026)
Ethereum has a 2-year head start on Bitcoin’s consensus-constrained approach:
- Separate Lean Ethereum research branch for PQ work now merging into core protocol
- EIP-7702 (account abstraction) enables quantum signatures at the execution layer first, before the harder consensus layer migration
- NIST 2030 deadline creates institutional fiduciary pressure; Ethereum moving faster positions it as quantum-safe standard
- Emergency mechanisms: freeze dormant addresses + ZK proof of seed knowledge to unfreeze — bridge for inevitable late adopters
Migration path (revised from EthCC[9] understanding):
- Account abstraction enables optional PQ signatures on execution layer (no fork needed)
- Validator attestation migration (harder; requires STARK aggregation)
- Binary Merkle trees replace Merkle-Patricia (enabling efficient PQ proofs)
- Mandatory PQ signatures enforced
Ledger Hardware Quantum Context (Charles Guillemet, ETHDenver 2026)
Threat nuance:
- Encryption: at risk from harvest-now-decrypt-later (record today, decrypt when quantum computer exists)
- Hash functions: largely safe (Grover gives only a quadratic speedup, so doubling the output size restores the security level)
- Signatures: completely broken by Shor’s algorithm — but ~5–25 years away from cryptographically-relevant quantum computers
Hardware constraint reality: Most current hardware devices (including Ledger) cannot run PQ schemes due to RAM constraints. This is not a software problem — physical devices holding crypto assets need hardware upgrades.
BLS signature aggregation (the consensus layer's signature scheme) is incompatible with most post-quantum schemes. Neither consensus layer nor execution layer has locked an approach as of early 2026.