Ethereum co-founder Vitalik Buterin has outlined a comprehensive plan to protect the network from future quantum computing threats. He identified four cryptographic components currently vulnerable, proposing replacements with quantum-resistant systems like hash-based signatures and STARKs. A core challenge involves managing significantly higher transaction costs, which Buterin suggests addressing through recursive aggregation mechanisms outlined in Ethereum Improvement Proposal 8141.
Ethereum co-founder Vitalik Buterin has called for a broad overhaul of the network’s cryptographic foundations, warning that advances in quantum computing could break core parts of the protocol. In a post, he laid out a multi-stage plan to replace vulnerable systems.
Buterin identified four vulnerable areas: consensus-layer BLS signatures, data availability KZG commitments, the ECDSA signature scheme, and zero-knowledge proof systems. He stated each could be tackled step by step with dedicated solutions at each protocol layer.
“One important thing upstream of this is choosing the hash function,” Buterin wrote. “This may be ‘Ethereum’s last hash function,’ so it’s important to choose wisely.” The post comes as the Ethereum Foundation elevated post-quantum security to a top priority, launching a dedicated team and releasing a seven-fork upgrade plan.
At the consensus layer, Buterin proposed replacing BLS signatures with hash-based alternatives and using STARKs to compress validator signatures. For data availability, he noted that STARKs could replace KZG commitments, but they lack a property, which complicates distributed blob selection.
User accounts and proof systems face steep cost increases under quantum-resistant cryptography. Verifying a hash-based signature would cost roughly 200,000 gas compared to 3,000 gas for today’s ECDSA.
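To show where the extra verification work comes from, here is an added example (not from Buterin's post or any Ethereum code) of a Lamport one-time signature, a textbook hash-based scheme chosen only for illustration, which reports the signature size and hash calls per verification. SHA-256 and all function names are assumptions; the article does not say which scheme or hash function Ethereum will adopt.

```python
import hashlib
import secrets

N = 32  # bytes per hash output; SHA-256 is an assumption, not Ethereum's choice

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """One-time key pair: 256 pairs of random secrets and their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(message: bytes):
    """The 256 bits of H(message), most significant bit first."""
    d = int.from_bytes(H(message), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, message: bytes):
    """Reveal one secret per digest bit. A key must sign only one message."""
    return [sk[i][b] for i, b in enumerate(bits(message))]

def verify(pk, message: bytes, sig) -> bool:
    """Hash each revealed secret and compare it with the public key entry."""
    if len(sig) != 256:
        return False
    ok = True
    for i, b in enumerate(bits(message)):
        ok &= secrets.compare_digest(H(sig[i]), pk[i][b])
    return ok

def verification_cost(sig):
    """Signature size in bytes and the number of hash calls verify() makes."""
    return sum(len(s) for s in sig), 1 + len(sig)

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample transaction"  # constructed input
    sig = sign(sk, msg)
    size, hashes = verification_cost(sig)
    print(verify(pk, msg, sig), verify(pk, b"tampered", sig))
    print(f"{size} signature bytes, {hashes} hash calls (ECDSA signature: 65 bytes)")
```

Production hash-based schemes trade signature size against hashing differently, but the pattern of many hash evaluations over kilobytes of signature data is what makes verification expensive.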
Buterin pointed to EIP-8141 for a solution using protocol-layer recursive signature and proof aggregation. Under this proposal, validation frames in a block could be aggregated into a single proof to keep the on-chain footprint small.
He said the proving step could occur at the mempool layer, with nodes propagating valid transactions every 500 milliseconds alongside a proof of validity. “It’s manageable, but there’s a lot of engineering work to do,” Buterin concluded.

