Vitalik Buterin Maps Quantum Upgrade to Ethereum to Replace Core Cryptography

In brief

• Buterin pointed out four Ethereum components that rely on cryptography vulnerable to quantum attacks.
• The plan replaces BLS, KZG, and ECDSA with hash-based, lattice-based, or STARK-based systems.
• Recursive aggregation aims to reduce high gas costs from quantum-safe signatures and proofs.

Ethereum co-founder Vitalik Buterin on Thursday called for a broad overhaul of the network’s cryptographic foundations, warning that advances in quantum computing could break core parts of the protocol, while laying out a multi-stage plan to replace them. In a post on X, Buterin identified four vulnerable areas: consensus-layer BLS signatures, data availability tools known as KZG commitments, the ECDSA signature scheme used by standard user accounts, and zero-knowledge proof systems used by applications and layer-2 networks. Each could be tackled step by step, he said, with dedicated solutions at each layer of the protocol. “One important thing upstream of this is choosing the hash function,” Buterin wrote. “This may be ‘Ethereum’s last hash function,’ so it’s important to choose wisely.” The post comes as the Ethereum Foundation elevated post-quantum security to a top priority.

 Quantum computers threaten Ethereum, Bitcoin, and the broader crypto industry because they could eventually break the public-key cryptography that secures wallets and signs transactions, allowing attackers to derive private keys from exposed public keys and move funds. To face this issue head-on, the Ethereum Foundation launched a dedicated Post-Quantum team in January and earlier this month released a seven-fork upgrade plan, dubbed the “Strawmap,” that would integrate quantum-resistant signatures and STARK-friendly cryptography into the network’s consensus design through 2029. At the consensus layer, Buterin proposed replacing BLS signatures—the cryptographic proofs validators use to approve blocks—with hash-based alternatives, which researchers view as more resistant to quantum attacks. He also suggested using STARKs, a type of zero-knowledge proof, to compress many validator signatures into a single attestation.

For data availability, Buterin said there would be tradeoffs. Ethereum relies on KZG commitments to verify that block data is properly structured and available. STARKs could perform the same function, but they lack a mathematical property called linearity that enables two-dimensional data availability sampling. “This is okay, but the logistics of this get harder if you want to support distributed blob selection,” Buterin wrote. User accounts and proof systems face steep cost increases under quantum-resistant cryptography. Verifying today’s ECDSA signature costs about 3,000 gas, while a hash-based quantum-resistant signature would cost roughly 200,000 gas. The difference is larger for proofs: a ZK-SNARK costs 300,000 to 500,000 gas to verify, compared with about 10 million gas for a quantum-resistant STARK—an expense too high for most privacy and layer-2 applications. “The solution again is protocol-layer recursive signature and proof aggregation,” Buterin said, pointing to the Ethereum Improvement Proposal 8141. Under EIP-8141, each transaction would include a “validation frame” that can be replaced by a STARK verifying it executed correctly. All validation frames in a block could then be aggregated into a single proof, keeping the on-chain footprint small even as individual signatures grow larger. Buterin said the proving step could occur at the mempool layer rather than during block production, with nodes propagating valid transactions every 500 milliseconds alongside a proof of validity. “It’s manageable, but there’s a lot of engineering work to do,” he said.