Close Menu
    DeFi

    Vitalik Buterin Discusses Quantum Computing and Its Impact on Ethereum Security

    Ethan CarterBy No Comments9 Mins Read
    1764729985

    Key takeaways

    • Buterin estimates a significant 20% chance that quantum computers may disrupt current cryptography by 2030, advocating for Ethereum to start preparations.

    • A major risk is associated with ECDSA. Once a public key is exposed onchain, a future quantum computer could theoretically utilize it to retrieve the corresponding private key.

    • Buterin’s quantum emergency strategy includes rolling back blocks, freezing EOAs, and transitioning funds into quantum-resistant smart contract wallets.

    • Mitigation involves smart contract wallets, NIST-approved post-quantum signatures, and crypto-agile infrastructure that allows for seamless scheme transitions.

    In late 2025, Ethereum co-founder Vitalik Buterin made an unusual move by quantifying a risk typically viewed through a sci-fi lens.

    Referring to the forecasting platform Metaculus, Buterin noted a “approximately 20% chance” that quantum computers could break existing cryptography before 2030, with median forecasts leaning toward 2040.

    Months later, during Devconnect in Buenos Aires, he cautioned that elliptic curve cryptography, essential for Ethereum and Bitcoin, “might fail before the next US presidential election in 2028.” He urged Ethereum to transition to quantum-resistant foundations within four years.

    019ada9e b87a 7507 be63 ccfeba9ca4fc

    He highlighted a credible likelihood of encountering a cryptographically relevant quantum computer in the 2020s; thus, this risk should be prioritized in Ethereum’s research agenda rather than relegated to a distant future scenario.

    Did you know? As of 2025, Etherscan data indicates over 350 million unique Ethereum addresses, showcasing the network’s expansive growth, despite a limited percentage of addresses holding meaningful balances or remaining active.

    Why quantum computing is a problem for Ethereum’s cryptography

    The majority of Ethereum’s security relies on the elliptic curve discrete logarithm (ECDLP) equation, forming the basis of the elliptic curve digital signature algorithm (ECDSA). Ethereum employs the secp256k1 elliptic curve for these signatures. To summarize:

    • Your private key is a substantial random number.

    • Your public key is a point on the curve derived from that private key.

    • Your address is a hash of that public key.

    On traditional hardware, transitioning from private key to public key is straightforward, but the reverse process is believed to be computationally unfeasible. This asymmetry is why a 256-bit key is considered practically impossible to guess.

    019adaa0 6a32 7e72 8c69 ca35b07afeea

    Quantum computing jeopardizes that asymmetry. Shor’s algorithm, introduced in 1994, illustrates that a sufficiently advanced quantum computer could solve the discrete log equation and related factorization equations in polynomial time, undermining systems like Rivest-Shamir-Adleman (RSA), Diffie-Hellman, and ECDSA.

    Organizations like the Internet Engineering Task Force and the National Institute of Standards and Technology (NIST) acknowledge that classical elliptic curve systems would be compromised in the presence of a cryptographically relevant quantum computer (CRQC).

    Buterin’s post on a potential quantum emergency underscores a crucial nuance for Ethereum. If an address has never been utilized, only the hash of your public key is exposed onchain, and that is still considered quantum safe. However, once you initiate a transaction, your public key becomes visible, giving a potential quantum attacker the raw data to recover your private key and deplete the account.

    Hence, the primary risk lies not in quantum computers compromising Keccak or Ethereum’s data structures; rather, it is that a future machine could target any address whose public key has been previously exposed, affecting a majority of user wallets and numerous smart contract treasuries.

    What Buterin said and how he frames risk

    Buterin’s recent statements encompass two essential components.

    Firstly is the probability estimate. Instead of speculating on his own, he referenced Metaculus’s forecasts suggesting a 20% chance that quantum computers might disrupt existing public key cryptography prior to 2030. The same forecasts indicate a median timeline around 2040. His point is that even this kind of tail risk warrants advance preparation for Ethereum.

    Secondly, there’s the 2028 framing. During Devconnect, he reportedly told the attendees that “elliptic curves are going to cease to function,” referencing research suggesting that quantum attacks on 256-bit elliptic curves could become plausible by the 2028 US presidential election. Some reports condensed this into a headline like “Ethereum has four years,” but his message conveyed more complexity:

    • Current quantum computers cannot pose a threat to Ethereum or Bitcoin today.

    • Once CRQCs are established, ECDSA and similar systems will become inherently unsafe.

    • Transitioning a global network to post-quantum schemes is a time-consuming process, making procrastination in the face of recognizable danger itself hazardous.

    In essence, he approaches the situation like a safety engineer. You wouldn’t evacuate a city merely due to a 20% chance of a significant earthquake occurring in the next decade, but you would reinforce bridges while you still can.

    Did you know? IBM’s recent roadmap pairs new quantum chips, Nighthawk and Loon, aiming for a demonstration of fault-tolerant quantum computing by 2029. They have also recently proven that an essential quantum error correction algorithm can operate effectively on conventional AMD hardware.

    Inside the “quantum emergency” hard-fork plan

    Prior to these recent public warnings, Buterin outlined a 2024 Ethereum Research article titled “How to hard-fork to preserve most users’ funds in a quantum crisis.” It describes potential actions Ethereum could take if an unexpected quantum breakthrough surprises the community.

    Envision a public announcement regarding the launch of large-scale quantum computers, alongside ongoing attacks draining ECDSA-secured wallets. What should be done?

    Detect the attack and roll back

    Ethereum would revert the chain to the last block before large-scale quantum theft became obvious.

    Disable legacy EOA transactions

    Traditional externally owned accounts (EOAs) utilizing ECDSA would be restricted from sending funds, halting further theft through exposed public keys.

    Route everything through smart-contract wallets

    A new transaction type would allow users to prove, through a zero-knowledge STARK, that they control the original seed or derivation path — e.g., a Bitcoin Improvement Proposal (BIP) 32 HD wallet preimage, for a compromised address.

    The proof would also outline new validation code for a quantum-safe smart contract wallet. Upon verification, control of the funds would transfer to that contract, capable of enforcing post-quantum signatures henceforth.

    Batch proofs for gas efficiency

    Given that STARK proofs are substantial, the design anticipates aggregation. Aggregators submit batches of proofs, enabling numerous users to transact simultaneously while maintaining the confidentiality of each user’s secret preimage.

    Importantly, this is perceived as a last-resort recovery strategy, not the initial plan. Buterin contends that much of the protocol infrastructure necessary for such a fork, including account abstraction, robust ZK-proof systems, and standardized quantum-resistant signature frameworks, can and should be created now.

    In this light, quantum emergency preparedness evolves into a design criterion for Ethereum infrastructure, rather than just an intriguing thought experiment.

    What the experts say about timelines

    If Buterin is relying on public forecasts, what are hardware and cryptography specialists actually expressing?

    From the hardware perspective, Google’s Willow chip, introduced in late 2024, stands as one of the most sophisticated public quantum processors to date, featuring 105 physical qubits and error-corrected logical qubits capable of outpacing classical supercomputers on select benchmarks.

    However, Google’s quantum AI director has been clear that “the Willow chip cannot break contemporary cryptography.” He estimates that breaking RSA would necessitate millions of physical qubits and remains at least a decade away.

    Academic research supports similar conclusions. A widely referenced analysis indicates that defeating 256-bit elliptic curve cryptography in under an hour using surface code-protected qubits would require tens to hundreds of millions of physical qubits, which is far beyond current capabilities.

    In the cryptography domain, both NIST and academic groups at institutions like the Massachusetts Institute of Technology have warned for years that when cryptographically relevant quantum computers emerge, they will undermine essentially all widely used public key systems, including RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, and ECDSA, via Shor’s algorithm. This risk applies retrospectively, allowing for decryption of previously harvested traffic, and prospectively, enabling signature forgery.

    That is why NIST has dedicated nearly a decade to conducting its Post Quantum Cryptography competition, and in 2024, finalized its initial three PQC standards: ML-KEM for key encapsulation and ML-DSA and SLH-DSA for signatures.

    There is no consensus among experts regarding a specific “Q-Day.” Most estimates fall within a 10-to-20-year timeframe, while some recent analysis explores optimistic scenarios where fault-tolerant assaults on elliptic curves might be feasible in the late 2020s under aggressive assumptions.

    Policy entities such as the US White House and NIST regard the risk seriously enough to encourage federal systems to shift toward PQC by the mid-2030s, suggesting a nontrivial chance that cryptographically relevant quantum computers could manifest within that timeframe.

    When viewed through this lens, Buterin’s “20% by 2030” and “possibly before 2028” perspectives reflect a broader spectrum of risk evaluations, where the essential message is uncertainty paired with extended migration timelines—rather than the implication that a code-breaking machine is covertly operational at present.

    Did you know? A 2024 report from the National Institute of Standards and Technology and the White House estimates a migration cost of around $7.1 billion for US federal agencies transitioning to post-quantum cryptography between 2025 and 2035, representing just one country’s government IT framework.

    What needs to change in Ethereum if quantum progress accelerates

    On both the protocol and wallet fronts, several themes are already converging:

    Account abstraction and smart-contract wallets

    Transitioning users from basic EOAs to upgradeable smart contract wallets via ERC-4337-style account abstraction simplifies future signature scheme changes without necessitating emergency hard forks. Several projects are already showcasing Lamport-style or eXtended Merkle Signature Scheme (XMSS)-style quantum-safe wallets on Ethereum.

    Post-quantum signature schemes

    Ethereum will need to select (and rigorously test) one or more PQC signature families (likely sourced from NIST’s ML-DSA/SLH-DSA or hash-based schemes) and address trade-offs related to key and signature size, verification complexity, and smart contract integration.

    Crypto agility for the entire stack

    Elliptic curves extend beyond just user keys. BLS signatures, KZG commitments, and certain rollup proving systems are also dependent on discrete log hardness. A coherent, quantum-resilient roadmap must encompass alternatives for these foundational components.

    On the social and governance front, Buterin’s quantum emergency fork proposal underscores the extensive coordination required for any viable response. Even with optimal cryptography, actions such as rolling back blocks, freezing legacy accounts, or imposing mass key migrations would be politically and operationally contentious. This is why he and fellow researchers advocate for:

    • Developing kill switch or quantum canary mechanisms capable of automatically activating migration protocols once a smaller, deliberately vulnerable test asset is definitively compromised.

    • Considering post-quantum migration as a gradual opt-in process that users may adopt well before any plausible attack, rather than as a last-minute scramble.

    For individuals and institutions, the immediate checklist is more straightforward:

    • Favor wallets and custody arrangements capable of upgrading their cryptography without necessitating a shift to entirely new addresses.

    • Avoid unnecessary address reuse to limit the exposure of public keys onchain.

    • Monitor Ethereum’s eventual selection of post-quantum signatures and prepare to migrate once reliable tools are accessible.

    Quantum risk should be approached in the same manner as engineers handle potential floods or earthquakes. While it may be improbable to devastate your home this year, the risk is sufficiently tangible over the long term to justify building the foundations with this consideration in mind.

    Share.
    Avatar photo

    Ethan is a seasoned cryptocurrency writer with extensive experience contributing to leading U.S.-based blockchain and fintech publications. His work blends in-depth market analysis with accessible explanations, making complex crypto topics understandable for a broad audience. Over the years, he has covered Bitcoin, Ethereum, DeFi, NFTs, and emerging blockchain trends, always with a focus on accuracy and insight. Ethan's articles have appeared on major crypto portals, where his expertise in market trends and investment strategies has earned him a loyal readership.

    Related Posts