Quantum-safe cryptography could slow Ethereum

Ethereum developers and the Ethereum Foundation are evaluating a move to post-quantum cryptography to protect accounts and validator signatures against future quantum computers. Research and prototype patches have been active for more than a year, but no hard fork to implement a full transition has been scheduled.

The network currently uses secp256k1 elliptic-curve signatures for externally owned accounts and BLS12-381 for validator attestations. Cryptographers warn that a large, fault-tolerant quantum computer running Shor’s algorithm could break these schemes. National standards bodies have selected several quantum-resistant algorithms based on problems such as lattices, including CRYSTALS-Dilithium, which have larger keys and different verification costs.

Post-quantum signatures are typically much larger than today’s elliptic-curve signatures. Where current account signatures are a few dozen bytes, candidate post-quantum schemes often produce signatures measured in hundreds or thousands of bytes. Larger signatures increase calldata per transaction, which raises gas for calldata-priced operations and reduces the number of transactions that fit in a block. Some post-quantum schemes also require more CPU time to verify, which can lengthen node processing, block validation and peer propagation.

The consensus layer faces particular constraints. Ethereum’s proof-of-stake system relies on BLS aggregation to compress many validators’ attestations into a small packet. Most standardized post-quantum signature schemes do not yet offer straightforward, mature aggregation. If aggregation cannot be preserved, aggregate attestation sizes would grow, increasing network bandwidth use and validator processing and complicating block propagation and finality.

Developers are testing technical approaches to limit performance impacts. Options under consideration include hybrid signatures that combine classical and post-quantum algorithms, storing compact commitments or public-key fingerprints on-chain while keeping larger keys or signatures off-chain, and research into signature compression, post-quantum aggregation and threshold schemes. Hardware acceleration for verification and updates to layer-2 systems, client software and wallets are also being explored.

Economic effects could follow. Larger transaction sizes would raise gas costs for calldata-heavy operations and could prompt developers to redesign contracts to use fewer on-chain bytes. Validator and node operators may face higher CPU and bandwidth costs, which could be reflected in fees or slower confirmations for users.

Timing remains uncertain. Standards bodies have set selections for quantum-resistant algorithms and the risk of “store now, decrypt later” attacks has prompted planning. At the same time, large quantum computers capable of breaking current elliptic-curve schemes are not yet available, and community discussion favors careful testing, backward compatibility and gradual or optional deployment approaches rather than an immediate network-wide switch.