Ethereum pushed post-quantum cryptography to a high strategic precedence this month, forming a devoted PQ group led by Thomas Collager and saying a $1 million prize to energy its hash-based primitives.
The announcement got here a day earlier than A16Z Crypto unveiled its roadmap, arguing that quantum threats are sometimes overstated and that untimely transitions threat buying and selling recognized safety for speculative safety.
Each positions are defensible, and the apparent pressure reveals the place the actual combat lies.
The Ethereum Basis’s announcement positions PQ Safety as an inflection level. Multi-client consensus growth web goes reside each two weeks. An all-core developer assembly to coordinate precompilation and account abstraction passes begins subsequent month. A complete roadmap guarantees “zero cash loss and 0 downtime” through the multi-year transition.
On January 21, Coinbase launched an unbiased quantum advisory board that features Ethereum researcher Justin Drake, signaling business collaboration round long-term planning.
Solana carried out a PQ signing experiment on the testnet in December beneath Challenge Eleven, explicitly branding the work as “proactive” relatively than emergency response.
Polkadot’s JAM proposal outlines the implementation of ML-DSA and Falcon, together with SNARK-based migration proofs.
The conservative BIP-360 proposal for funds to quantum-resistant hashes of Bitcoin represents an incremental first step constrained by governance realities.
This sample is much like an arms race, however it’s not pushed by a direct menace.
This can be a competitors for organizational readiness, with winners upgrading their crypto infrastructure whereas sustaining charge economics, consensus effectivity, and pockets UX earlier than exterior pressures drive changes.
harvest paradox
A16z’s central argument revolves round distinguishing between “harvest-now-de-encrypt-later” dangers and signature vulnerabilities. HNDL assaults turn out to be necessary if an attacker can intercept presently encrypted knowledge and decrypt it as soon as quantum computer systems attain enough scale.
This menace clearly maps to TLS, VPN, and data-at-rest encryption. Blockchain signatures authenticate transactions in real-time and depart no encrypted payload to retailer for future cracking.
Ethereum’s response tacitly accepts this framework, however argues that operational urgency stays excessive, as adjustments to signature schemes have an effect on all the pieces from wallets, account codecs, {hardware} signers, custody infrastructure, menpools, charge markets, consensus messages, and L2 proof of cost.
The transition requires years of lead time, not as a result of quantum computing is imminent, however as a result of the engineering scope is huge and the failure modes are catastrophic.
NIST accomplished its first post-quantum requirements, FIPS 203, 204, and 205, in 2024 and chosen HQC because the backup key encapsulation mechanism whereas advancing Falcon and FN-DSA to draft stage.
The EU printed a harmonized PQC transition roadmap in June 2025. These developments cut back the query, “Which algorithm ought to I exploit?” Remove uncertainty and make your transition plan concrete, even when cryptography-related quantum computing remains to be a great distance off.
Though Citi’s January 2026 report cited a spread of potential widespread breaches of public-key cryptography by 2034 to 2044, many consultants see a really low probability of CRQC occurring within the 2020s.
Timeline ambiguity doesn’t eradicate the duty to plan, nevertheless it amplifies it as a result of chains that wait till menace indicators are clear will face timeline compression and coordination disruption.
Attribute enlargement as a base layer bottleneck
The rapid technical problem is the dimensions of the signature.
ECDSA signatures eat roughly 65 bytes. This equates to roughly 1,040 fuel at 16 fuel per non-zero byte in Ethereum’s name knowledge pricing mannequin.
ML-DSA candidates generate signatures within the 2-3 KB vary, and the dilithium variant is prone to be broadly adopted. A 2,420-byte signature consumes roughly 38,720 fuel only for signature bytes. In comparison with ECDSA, Delta is 37,680 fuel.
This overhead is critical sufficient to impression throughput and pricing except the chain compresses or aggregates signatures on the protocol stage.
That is the place Ethereum’s wager on hash-based cryptography and the $1 million Poseidon Prize turns into strategic. Hash-based signatures keep away from the algebraic constructions utilized by quantum algorithms, and hash capabilities combine naturally with zero-knowledge proof programs.
If Ethereum can operationalize STARK-based signature aggregation, it may preserve charge economics whereas upgrading its safety assumptions. The problem is {that a} sensible post-quantum analog to BLS aggregation doesn’t but exist, and zk-based aggregation introduces actual efficiency constraints.
Consensus effectivity is dependent upon this subject.
At the moment, Ethereum’s consensus layer depends closely on BLS signature aggregation. Validators signal certificates and synchronize committee messages, and the protocol aggregates 1000’s of signatures into compact proofs.
Dropping that capacity with no alternative would drive a dramatic change within the economics and vitality assumptions of consensus participation.
EF’s public emphasis on interop calls to orchestrate a “lean” crypto basis and multi-client PQ Devnet means that the group understands that aggregation is a hidden cliff.
| signature scheme | Signature dimension (bytes) | Calldata fuel @ 16 gases / non-zero bytes | Delta vs ECDSA (Fuel) | implication |
|---|---|---|---|---|
| ECDSA (secp256k1, r||s||v) | 65 | 1,040 | 0 | at the moment’s baseline |
| ML-DSA-44 | 2,420 | 38,720 | +37,680 | Value + throughput shock |
| ML-DSA-65 | 3,309 | 52,944 | +51,904 | Aggregation turns into crucial |
| ML-DSA-87 | 4,627 | 74,032 | +72,992 | L1 scaling stress spike |
Pockets UX because the social layer of cryptography
Protocol assist alone is just not sufficient to finish a migration.
Ethereum’s present design doesn’t permit externally owned accounts to cleanly rotate keys. Customers require a one-click migration move that does not require deep technical data. {Hardware} wallets must distribute firmware updates. Directors want safe bulk migration instruments.
Ethereum researchers have been exploring proof programs and seed-based migration approaches appropriate for key restoration to exactly cut back reconciliation threat and UX friction.
a16z warns that untimely migration will end in vulnerabilities corresponding to immature implementations, adjustments in requirements after deployment, and bugs in new cryptographic libraries.
The group argues that present safety points corresponding to governance failures and software program bugs pose better rapid dangers than quantum computer systems.
That is the core of the “Do not Panic” framework. Shifting too quickly trades recognized safety for speculative safety, and the price of getting it mistaken might be greater than the price of ready for requirements to mature and higher instruments.
Each positions are defensible as a result of they’re optimized for various failure modes. EF prioritizes avoiding hasty changes beneath stress.
a16z prioritizes avoiding self-harm by means of hasty deployment. This distinction reveals the actual battlefield. Chains that thread the needle by constructing migration infrastructure early, with out prematurely imposing immature requirements on customers, achieve a aggressive benefit.
3 situations, totally different winners
The timeline for the transition is dependent upon exterior breakthroughs that nobody can management.
In a slow-burn situation, the place CRQC doesn’t attain till the 2040s, the transition happens on the tempo of rules and requirements, prioritizing security over velocity. Chains invested within the agility of cryptocurrencies with twin signature intervals, hybrid schemes, and very tough methods can adapt with out interruption.
Within the base case of a cloth quantum menace rising within the mid-2030s, our efforts at the moment will decide the end result. If the ecosystem needs a clean transition by 2035, pockets instruments and aggregation analysis will should be production-ready years upfront.
That is the situation that EF’s roadmap optimizes for, and the place a multi-year lead time justifies the present funding.
In fast shock situations the place breakthroughs counsel a reputable threat earlier than 2030, the differentiator will likely be how rapidly chains can freeze exposures, migrate accounts, and preserve viability. Though a16z maintains that this consequence is unlikely to happen, the group’s emphasis on planning means that preparation is justified even for low-probability tail dangers.
Notable triggers embrace dependable demonstration of error-corrected scaling, logic qubit stability, and sustained gate constancy. NIST or a significant authorities has accelerated the transition deadline and main directors are transport PQ-ready signatures into manufacturing.
None of those are pressing, however all of them compress the decision-making timeline.
| battlefield layer | why is it necessary | What are push indicators in EF? | a16z “Don’t panic” counterpoint | KPIs to observe |
|---|---|---|---|---|
| Planning and encryption agility | The transition is a multi-year program. Failure mode is hasty adjustment beneath stress | Devoted PQ Crew + Governance Cadence (PQ ACD) = Deal with migration as a protocol program relatively than a analysis thread | Untimely shifts enhance Dangers (immature libraries, altering requirements, new bugs) | existence of printed Chain roadmap + clear “break the glass” plan + gradual deployment milestones |
| Pockets UX and account migration | Customers won’t migrate except there’s little friction. EOA is a protracted tail | Account Abstraction Path + “Zero Downtime/Zero Loss” Messaging Focus = UX Focus | Keep away from forcing new schemes on customers too early. UX failure is a self-inflicted loss | Share of supported wallets/custodians Twin signal/key rotation It flows. Migration time for non-technical customers |
| Aggregation and charge economics | PQ sig might be giant. With out aggregation, throughput decreases and costs enhance | LeanVM + hash/ZK basis + devnet is a wager implied. Protocol stage compression | Even the “right” PQ might turn out to be unusable if it makes it uneconomical. Do not commerce ease of use for theoretical security | confirmed Signature aggregation Efficiency (proof dimension/verification time) and ensuing value per transmission/proof |
| Consensus effectivity and validator overhead | At the moment, Ethereum consensus depends on aggregation. Dropping it threatens lives and the financial system. | Multi-client PQ consensus devnet + interop calls = not simply wallets, however deal with consensus because the exhausting half | New consensus cryptography is high-risk engineering. Conservative deployment trumps hasty redesign | measured Bandwidth/CPU overhead per validator Towards at the moment. Certificates inclusion price beneath load |
| Interoperability and requirements maturity | Requirements alleviate the query, “Which algorithm?” Uncertainty. Ecosystem converges on safer selections | Prizes + Workshops + Exterior Collaboration (Advisory Board) = Ecosystem Alignment | Wait till requirements/implementations mature earlier than forcing large-scale migrations | NIST/EU Milestone Coordination. Ships PQ assist in main libraries/HW wallets with out important CVEs |
new standing sport
Submit-quantum readiness is following the identical path that L2 maturity adopted in earlier cycles, changing into an indicator of institutional trustworthiness.
Chains with no dependable PQ roadmap threat being deemed unprepared for long-term settlement ensures, even when the rapid menace is way away.
This dynamic explains why Solana, Polkadot, and Bitcoin all have energetic PQ workstreams regardless of the shortage of an imminent Q-day consensus.
The arms race is just not about who returns the PQ first. As an alternative, it is about who maintains UX, charge economics, and consensus effectivity in doing so.
Ethereum’s method bets on hash-based infrastructure, ZK aggregation, and governance alignment.
Solana’s high-throughput structure makes signature overhead notably acute and requires design innovation.
Polkadot’s heterogeneous sharding mannequin permits chain-by-chain experimentation.
Bitcoin’s conservatism displays governance constraints and a protracted tail of legacy outputs that can not be migrated with out the cooperation of householders.
If PQ turns into the subsequent L1 arms race, the winner won’t be the chain that says essentially the most prizes or growth nets. This gives a migration path for normal customers to really full, maintains throughput regardless of multi-KB signature candidates, and turns into a sequence that replaces at the moment’s aggregation assumptions with out sacrificing uptime.
The planning layer, the pockets UX layer, and the aggregation layer at the moment are the actual battlegrounds, and the clock began years earlier than most members realized the race had begun.
