Ethereum elevated post-quantum cryptography to a high strategic precedence this month, forming a devoted PQ group led by Thomas Coratger and asserting $1 million in prizes to harden hash-based primitives.
The announcement got here in the future earlier than a16z crypto revealed a roadmap arguing that quantum threats are ceaselessly overstated and untimely migrations danger buying and selling recognized safety for speculative safety.
Each positions are defensible, and the obvious pressure reveals the place the actual battle lies.
The Ethereum Basis’s announcement frames PQ safety as an inflection level. Multi-client consensus devnets are dwell, bi-weekly All Core Devs calls begin subsequent month to coordinate precompiles and account abstraction paths, and a complete roadmap guarantees “zero lack of funds and nil downtime” throughout a multi-year transition.
Coinbase launched an unbiased quantum advisory board on Jan. 21, together with Ethereum researcher Justin Drake, signaling cross-industry alignment round long-horizon planning.
Solana ran PQ signature experiments on testnet in December underneath Mission Eleven, explicitly branding the work as “proactive” slightly than emergency-driven.
Polkadot’s JAM proposal outlines ML-DSA and Falcon deployment alongside SNARK-based migration proofs.
Bitcoin’s conservative BIP-360 proposal for pay-to-quantum-resistant-hash represents an incremental first step constrained by governance realities.
The sample resembles an arms race, however not one pushed by an imminent risk.
This can be a competitors in institutional readiness, the place the winner preserves price economics, consensus effectivity, and pockets UX whereas upgrading cryptographic foundations earlier than exterior strain forces rushed coordination.
The harvest paradox
a16z’s core argument hinges on distinguishing harvest-now-decrypt-later danger from signature vulnerability. HNDL assaults matter when adversaries can intercept encrypted information at present and decrypt it as soon as quantum computer systems obtain enough scale.
That risk maps cleanly to TLS, VPNs, and data-at-rest encryption. Much less so to blockchain signatures, which authenticate transactions in actual time and depart no encrypted payload to retailer for future cracking.
Ethereum’s response implicitly accepts this framing however argues operational urgency stays excessive as a result of altering signature schemes touches all the things: wallets, account codecs, {hardware} signers, custody infrastructure, mempools, price markets, consensus messages, and L2 settlement proofs.
Migration requires years of lead time, not as a result of quantum computer systems are imminent, however as a result of the engineering floor is huge and failure modes are catastrophic.
NIST finalized its first post-quantum requirements in 2024, FIPS 203, 204, and 205, and chosen HQC as a backup key encapsulation mechanism whereas advancing Falcon and FN-DSA towards draft phases.
The EU issued a coordinated PQC transition roadmap in June 2025. These developments cut back “which algorithms?” uncertainty and make migration planning concrete, even when cryptographically related quantum computing stays distant.
Citi’s January 2026 report cites chance ranges for widespread breaking of public key encryption by 2034 and 2044, although many specialists view CRQC within the 2020s as extremely unlikely.
The timeline ambiguity does not remove the planning crucial: it amplifies it, as a result of chains that wait till risk indicators are unambiguous will face compressed timelines and coordination chaos.
Signature bloat because the base-layer bottleneck
The quick technical problem is signature measurement.
ECDSA signatures devour roughly 65 bytes, which interprets to roughly 1,040 gasoline underneath Ethereum’s calldata pricing mannequin at 16 gasoline per non-zero byte.
ML-DSA candidates produce signatures within the 2-3 KB vary, with Dilithium variants more likely to see extensive adoption. A 2,420-byte signature consumes roughly 38,720 gasoline only for the signature bytes, a 37,680-gas delta versus ECDSA.
That overhead is materials sufficient to have an effect on throughput and costs until chains compress or combination signatures on the protocol degree.
That is the place Ethereum’s wager on hash-based cryptography and the $1 million Poseidon Prize turns into strategic. Hash-based signatures keep away from the algebraic construction that quantum algorithms exploit, and hash features combine naturally with zero-knowledge proof programs.
If Ethereum could make STARK-based signature aggregation sensible, it preserves price economics whereas upgrading safety assumptions. The problem is that no sensible post-quantum analogue to BLS aggregation exists but, and zk-based aggregation introduce actual efficiency constraints.
Consensus effectivity is determined by this drawback.
Ethereum’s consensus layer depends closely on BLS signature aggregation at present. Validators signal attestations and sync committee messages, and the protocol aggregates 1000’s of signatures into compact proofs.
Dropping that functionality and not using a alternative would power dramatic modifications to consensus participation economics or liveness assumptions.
EF’s public emphasis on “lean” cryptographic foundations and interop calls coordinating multi-client PQ devnets suggests the group understands aggregation is the hidden cliff.
| Signature scheme | Signature measurement (bytes) | Calldata gasoline @ 16 gasoline / non-zero byte | Delta vs ECDSA (gasoline) | Implication |
|---|---|---|---|---|
| ECDSA (secp256k1, r||s||v) | 65 | 1,040 | 0 | Baseline at present |
| ML-DSA-44 | 2,420 | 38,720 | +37,680 | Payment + throughput shock |
| ML-DSA-65 | 3,309 | 52,944 | +51,904 | Aggregation turns into obligatory |
| ML-DSA-87 | 4,627 | 74,032 | +72,992 | L1 scaling strain spikes |
Pockets UX because the social layer of cryptography
Protocol help alone does not full the migration.
Externally owned accounts cannot rotate keys cleanly underneath Ethereum’s present design. Customers want one-click migration flows that do not require deep technical data. {Hardware} wallets should ship firmware updates. Custodians want a secure bulk migration tooling.
Ethereum researchers have explored key-recovery-friendly proof programs and seed-based migration approaches exactly to scale back coordination danger and UX friction.
a16z warns that untimely migration introduces fragility, together with immature implementations, shifting requirements after deployment, and bugs in new cryptographic libraries.
The group argues that present safety points, corresponding to governance failures and software program bugs, pose a higher quick danger than quantum computer systems.
That is the crux of the “do not panic” framing: migrating too early trades recognized safety for speculative safety, and the price of getting it improper is doubtlessly larger than the price of ready for requirements maturity and higher tooling.
Each positions are defensible as a result of they optimize for various failure modes. EF prioritizes avoiding rushed coordination underneath strain.
a16z prioritizes avoiding self-inflicted wounds from hasty deployment. The divergence reveals the actual battleground: chains that thread the needle, constructing migration infrastructure early with out prematurely forcing customers onto immature requirements, will acquire a aggressive benefit.
Three situations, completely different winners
The migration timeline is determined by exterior breakthroughs that nobody controls.
In a slow-burn situation the place CRQC does not arrive till the 2040s, migration happens on a regulatory and requirements cadence, prioritizing security over pace. Chains that invested in crypto agility, with dual-signature durations, hybrid schemes, break-glass playbooks, can adapt with out disruption.
Within the base case the place materials quantum threats emerge within the mid-2030s, at present’s work determines outcomes. If the ecosystem needs easy transitions by 2035, pockets tooling and aggregation analysis have to be production-ready years earlier.
That is the situation EF’s roadmap optimizes for, and the one the place multi-year lead occasions justify present funding.
In a fast-shock situation the place breakthroughs sign credible danger earlier than 2030, the differentiator turns into how shortly a series can freeze publicity, migrate accounts, and keep liveness. a16z argues this end result is unlikely, however the group’s emphasis on planning suggests even low-probability tail dangers justify preparation.
Triggers to look at embrace credible demonstrations of error-corrected scaling, logical qubit stability, and sustained gate fidelities. NIST or main governments advancing migration deadlines, and main custodians transport PQ-capable signing in manufacturing.
None are imminent, however all would compress choice timelines.
| Battleground layer | Why it issues | What EF’s push indicators | a16z “don’t panic” counterpoint | KPI to look at |
|---|---|---|---|---|
| Planning & crypto agility | Migration is a multi-year program; the failure mode is rushed coordination underneath strain | Devoted PQ group + governance cadence (PQ ACD) = treating migration as a protocol program, not a analysis thread | Untimely shifts can enhance danger (immature libs, shifting requirements, new bugs) | Existence of a revealed chain roadmap + clear “break-glass” plan + staged rollout milestones |
| Pockets UX & account migration | Customers gained’t migrate until it’s near-frictionless; EOAs are the lengthy tail | Emphasis on account abstraction paths + “zero downtime / zero loss” messaging = UX is… |
