The intersection of quantum computing and blockchain presents a substantial cryptographic challenge. As Ethereum secures hundreds of billions in digital assets, its reliance on classical Elliptic Curve Cryptography (ECC) constitutes a quantifiable risk.
There has recently been much debate, often acrimonious, about this risk.
In this series of three articles I will provide the technical background and examine the threats to Ethereum, Bitcoin and the process of transitioning to a quantum safe blockchain.
In this first article I want to explore the threat that, what are known as Cryptographically Relevant Quantum Computers (CRQCs), pose to the Ethereum ecosystem.
Even if we can transition to Post-Quantum Cryptography (PQC) we will face economic as well as purely cryptographic challenges.
The primary candidate solution, Module-Lattice-Based Digital Signature Algorithm (ML-DSA), entails signature sizes 40 to 60 times larger than current standards.
To move to this would have severe consequences for gas costs and network throughput. Successful migration depends on Account Abstraction (ERC-4337) and the maturation of Layer 2 scaling solutions to manage the associated data overhead.
The Cryptographic Debt of the Decentralised Economy
Ethereum relies on the computational hardness of the discrete logarithm problem to secure Externally Owned Accounts (EOAs) via the secp256k1 curve and in the consensus mechanism via the BLS12-381 curve.
These primitives were selected for efficiency and compact signature sizes. however, the emergence of quantum computing invalidates the assumption that deriving a private key from a public key is computationally infeasible.
Unlike classical computers, quantum algorithms can solve the discrete logarithm problem in polynomial time, if you are unfamiliar with this term, you can think of this as being a feasible amount of time.
For a permissionless blockchain, this point is critical; if the underlying cryptography is compromised, then the ledger loses integrity.
Quantum Mechanics and Cryptographic Vulnerability
Lets have a look at what is possible in quantum computation, the threat to cryptography is affected by algorithmic efficiency and hardware stability, specifically the distinction between physical and logical qubits.
Quantum algorithms : Shor’s algorithm and Grover's algorithm
Shor’s algorithm provides an exponential speedup in solving the hidden subgroup problem. While classical algorithms require exponential time to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP), Shor’s algorithm reduces this to polynomial time.
What this means for blockchains is that a CRQC could effectively break the ECDSA scheme, authorising transactions by deriving a private key from a public key rapidly.
Another quantum algorithm Grover’s algorithm offers only a quadratic speedup for hashing algorithms like Keccak-256.
This reduces 256-bit security to 128-bit security, which remains is still seen as robust robust.
Consequently, the immediate failure point is the signing algorithm, not the hash function.
The 523 Logical Qubit Threshold
A critical metric for forecasting the threat is the number of logical qubits (error-corrected units) required to break secp256k1. Recent research suggests an algorithmic lower bound of 523 logical qubits. Even conservative models estimating 2,500 logical qubits present a concerning timeline when compared against hardware roadmaps projecting systems with over 1,000 logical qubits by the early 2030s.
The Intercept Problem
The urgency arises from the disparity between hardware velocity and migration latency. Quantum development is accelerating, while upgrading a decentralised protocol requires social consensus, standardisation, and user migration. If hardware capabilities outpace the migration timeline, Ethereum faces an "intercept" scenario where the network is vulnerable before defences are fully deployed.
Ethereum’s Unique Attack Surface
Ethereum’s architecture creates specific vulnerabilities across the execution and consensus layers.
Execution Layer: Externally Owned Accounts (EOAs)
An Ethereum address is a hash of the public key. Addresses that have never sent a transaction are quantum-safe because the public key remains unrevealed. However, once a transaction is signed and broadcast, the public key is recorded on the blockchain. A quantum attacker could harvest exposed public keys from the chain's history and derive the corresponding private keys from those.
This specifically threatens high-value targets such as protocol treasuries and early adopters who reuse addresses.
Unlike the UTXO model which encourages address rotation, Ethereum's account-based model encourages identity persistence, increasing the attack surface.
The risk to the consensus layer: BLS Signatures
The Proof-of-Stake mechanism utilises BLS signatures for their aggregation properties, allowing thousands of validator attestations to be verified simultaneously. A quantum breach of the BLS scheme would allow attackers to forge attestations, equivocate without penalty, and compromise finality.
The Mempool: Quantum Front-Running
Migration itself presents a risk. When a user broadcasts a transaction to move funds to a quantum-secure wallet, the public key is revealed in the mempool. A quantum adversary could derive the private key and broadcast a competing transaction with a higher gas fee, effectively stealing the funds before the migration transaction is processed. We will explore this risk further in the final article in the series.
Post-Quantum Cryptographic Alternatives
To mitigate these risks, Ethereum must transition to PQC standards finalised by NIST in 2024, here are some candidate solutions.
Lattice-Based Cryptography: ML-DSA
The primary candidate is ML-DSA (formerly Dilithium). It relies on the 'Module Learning With Errors' problem. While verification is computationally efficient, the data requirements are significant.
An ML-DSA signature is approximately 3,309 bytes, compared to 65 bytes for ECDSA. This represents a substantial increase in data availability costs.
Hash-Based Cryptography: SLH-DSA
SLH-DSA (formerly SPHINCS+) serves as a conservative backup relying solely on hash functions. However, its signature sizes (8KB to 30KB) and slow verification speeds make it impractical for standard transaction throughput.
Zero-Knowledge Proofs (STARKs)
STARKs offer a blockchain native alternative. They allow users to generate a proof of knowledge of a private key. Their primary advantage is recursive aggregation, where thousands of proofs can be compressed into a single proof, potentially resolving the scaling issues inherent in other PQC solutions.
Comparative Analysis of these solutions
| Feature | ECDSA (Current) | ML-DSA | SLH-DSA | STARK Proofs |
|---|---|---|---|---|
| Problem | Discrete Logarithm | Module Lattices | Hash Functions | Hash Functions |
| Quantum Resistance | Broken | Strong | Very Strong | Very Strong |
| Public Key Size | 33 bytes | 1,952 bytes | 32-64 bytes | N/A (Hashed) |
| Signature Size | 65 bytes | 3,309 bytes | ~8KB - 30KB | Tiny (Aggregated) |
| Gas Cost | Low | High | Prohibitive | High Fixed Cost |
The Economics and Feasibility of Transition
The "defensive downgrade" we face highlights that PQC migration increases costs without immediate functional benefits.
Gas and Throughput
Ethereum’s block gas limit constrains computational throughput. The 50-fold increase in signature size required by ML-DSA would drastically raise the base cost of transactions due to calldata pricing.
Without optimisation, this could reduce Layer 1 throughput by 70-80%.
State Bloat and Centralisation
Moving to larger public keys increases the size of the Ethereum state. This necessitates higher hardware requirements for node operators, potentially driving centralisation.
Solutions such as Stateless Clients or Verkle Trees (alreaady part of the Ethereum roadmap) are essential prerequisites to mitigate this bloat.
Account Abstraction
Account Abstraction (ERC-4337) is critical for migration. It decouples the asset-holding address from the signature scheme, allowing Smart Contract Wallets to upgrade their validation logic.
With this we couls have a smooth transition where wallets can rotate from ECDSA to ML-DSA or STARKs without moving funds to a new address.
Emergency Response: The Quantum Hard Fork
In the event of a sudden quantum breakthrough, a "Freeze and Recover" strategy has been proposed.
- Rollback: The chain reverts to a state prior to the attack.
- Freeze: The protocol rejects all EOA transactions.
- Recovery: Users prove ownership via ZK-proofs of their seed phrase (which remains quantum-secure as it is hashed).
This approach carries significant governance risks. The coordination required to execute a hard fork takes time, during which markets could suffer catastrophic disruption. Furthermore, the political decision of when to rollback could undermine trust in the network's immutability. Recall the controversy regarding the DAO hardfork.
Conclusion
The vulnerability of secp256k1 to a quantum computer with approximately 523 logical qubits places the risk horizon potentially within the early 2030s.
While emergency protocols exist, they would entail severe economic disruption.
The sustainable path involves proactive adoption of Account Abstraction and ML-DSA signatures.
This transition will fundamentally alter network economics, necessitating reliance on Layer 2 scaling to absorb the data overhead required for post-quantum security.
Top comments (0)