
    Vitalik Buterin Discusses Quantum Computing and the Security of Ethereum

    By Ethan Carter, December 3, 2025 (9 min read)

    Key takeaways

    • Buterin estimates a significant 20% chance that quantum computers may compromise existing cryptography before 2030, urging Ethereum to proactively prepare.

    • A primary risk relates to ECDSA. When a public key becomes visible onchain, a future quantum computer could, theoretically, retrieve the associated private key.

    • Buterin’s plan for a quantum emergency includes rolling back blocks, freezing EOAs, and transitioning funds to quantum-resistant smart contract wallets.

    • Mitigation involves using smart contract wallets, NIST-approved post-quantum signatures, and crypto-agile infrastructure to switch schemes without disruption.

    In late 2025, Ethereum co-founder Vitalik Buterin made an unusual move by quantifying a risk often depicted in science fiction terms.

    Referencing Metaculus, Buterin mentioned a “20% chance” that quantum computers capable of breaking today’s cryptography could emerge before 2030, with a median projection leaning toward 2040.

    Months later at Devconnect in Buenos Aires, he warned that elliptic curve cryptography, central to Ethereum and Bitcoin, “might break before the 2028 US presidential election.” He urged Ethereum to transition to quantum-resistant foundations within approximately four years.

    He believes there’s a legitimate chance of a cryptographically relevant quantum computer arriving within the 2020s; if that occurs, Ethereum’s research roadmap should prioritize this risk rather than consider it a distant concern.

    Did you know? As of 2025, Etherscan data shows over 350 million unique Ethereum addresses, illustrating the network’s extensive growth despite a small fraction holding significant balances or remaining active.

    Why quantum computing is a problem for Ethereum’s cryptography

    The security of Ethereum accounts primarily relies on the hardness of the elliptic curve discrete logarithm problem (ECDLP), the foundation of the elliptic curve digital signature algorithm (ECDSA). Ethereum employs the secp256k1 elliptic curve for these signatures. In simpler terms:

    • Your private key is a large random number.

    • Your public key is a point on the curve derived from that private key.

    • Your address is a hash of that public key.

    On classical systems, deriving the public key from the private key is straightforward, but the reverse process is considered computationally infeasible. This asymmetry is why a 256-bit key is deemed effectively unguessable.

    Quantum computing poses a threat to this asymmetry. Shor’s algorithm, introduced in 1994, demonstrates that a sufficiently powerful quantum computer could efficiently solve the discrete log and related factorization problems, jeopardizing systems like Rivest-Shamir-Adleman (RSA), Diffie-Hellman, and ECDSA.

    Both the Internet Engineering Task Force and the National Institute of Standards and Technology (NIST) acknowledge that classical elliptic curve systems would be susceptible if a cryptographically relevant quantum computer (CRQC) appears.

    Buterin’s post on potential quantum emergencies highlights a crucial aspect for Ethereum. If you have never transacted from an address, only the hash of your public key is visible onchain and is assumed quantum-safe. Once a transaction is made, your public key is disclosed, providing future quantum attackers the means to obtain your private key and drain your funds.

    Thus, the main risk is not that quantum computers will break Keccak or Ethereum’s data structures; it’s that a future machine could target any address whose public key has ever been made public, affecting most user wallets and various smart contract treasuries.

    What Buterin said and how he frames risk

    Buterin’s recent remarks encompass two primary aspects.

    Firstly, the probability estimate. Instead of relying on his own intuition, he referred to Metaculus’s forecasts that suggest a roughly one in five chance of quantum computers capable of breaking current public key cryptography emerging before 2030. The same forecasts indicate a median timeline around 2040. His assertion is that even this kind of tail risk warrants advance preparations for Ethereum.

    Secondly, the framing around 2028. At Devconnect, he reportedly informed the audience that “elliptic curves are going to die,” referencing studies indicating that quantum attacks on 256-bit elliptic curves might become feasible before the 2028 US presidential election. Some interpretations condensed this into a tidbit suggesting “Ethereum has four years,” but his message is more intricate:

    • Current quantum computers cannot attack Ethereum or Bitcoin at this time.

    • Once CRQCs manifest, ECDSA and related systems become inherently unsafe.

    • Transitioning a global network to post-quantum frameworks takes years, making complacency amid looming threats inherently risky.

    In essence, he approaches the situation as a safety engineer would. You don’t evacuate a city due to a 20% chance of a major earthquake in the next decade, but you do fortify the bridges while there’s still time.

    Did you know? IBM’s latest roadmap pairs new quantum chips, Nighthawk and Loon, aiming for fault-tolerant quantum computing by 2029. It also demonstrated that a significant quantum error correction algorithm can efficiently run on conventional AMD hardware.

    Inside the “quantum emergency” hard-fork plan

    Prior to these recent public alerts, Buterin published a 2024 Ethereum Research post titled “How to hard-fork to save most users’ funds in a quantum emergency.” It details potential actions Ethereum could take if an unforeseen quantum breakthrough disrupts the ecosystem.

    Imagine a public declaration about large-scale quantum computers coming online, followed by attackers swiftly draining ECDSA-secured wallets. What would be the response?

    Detect the attack and roll back

    Ethereum would revert the chain to the last block before the large-scale quantum theft was evident.

    Disable legacy EOA transactions

    Traditional externally owned accounts (EOAs) utilizing ECDSA would be frozen from sending funds, halting further theft through exposed public keys.

    Route everything through smart-contract wallets

    A new transaction type would allow users to demonstrate, via a zero-knowledge STARK, that they control the original seed or derivation path — for example, a Bitcoin Improvement Proposal (BIP) 32 HD wallet preimage for a vulnerable address.

    The proof would also detail new validation code for a quantum-resistant smart contract wallet. Once confirmed, control of the funds transfers to that contract, which can enforce post-quantum signatures from then on.

    Batch proofs for gas efficiency

    Since STARK proofs are substantial, the design plans for batching. Aggregators would submit proof bundles, facilitating multiple users to move simultaneously while maintaining individual users’ secret preimages confidential.

    Importantly, this is envisioned as a last-resort recovery tool, not a primary strategy. Buterin argues that much of the protocol framework required for such a fork, including account abstraction, robust ZK-proof systems, and standardized quantum-safe signature methods, should be developed proactively.

    In this way, readiness for a quantum emergency evolves into a design necessity for Ethereum’s infrastructure, rather than merely an intriguing thought experiment.

    What the experts say about timelines

    If Buterin relies on public forecasts, what do hardware and cryptography specialists say?

    Regarding the hardware landscape, Google’s Willow chip, introduced in late 2024, stands as one of the most advanced publicly available quantum processors, featuring 105 physical qubits and error-corrected logical qubits capable of outperforming classical supercomputers on specific benchmarks.

    Yet, Google’s quantum AI director has clearly stated that “the Willow chip is not capable of breaking modern cryptography.” He estimates that breaking RSA would necessitate millions of physical qubits and is still at least 10 years away.

    Academic studies support a similar conclusion. A widely referenced analysis indicates that breaking 256-bit elliptic curve cryptography in under an hour using surface code-protected qubits would require tens to hundreds of millions of physical qubits, far exceeding current capacities.

    On the cryptography front, NIST and academic institutions like the Massachusetts Institute of Technology have been voicing concerns for years that, once cryptographically relevant quantum computers materialize, they will dismantle nearly all commonly utilized public key systems, including RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, and ECDSA, via Shor’s algorithm. This applies both retrospectively, by decrypting captured traffic, and going forward, by forging signatures.

    This urgency is part of why NIST has committed nearly a decade to its Post Quantum Cryptography competition and, in 2024, finalized its first three PQC standards: ML-KEM for key encapsulation, along with ML-DSA and SLH-DSA for signatures.

    There remains no consensus among experts on a specific “Q-Day.” Most evaluations reside within a 10-to-20-year timeframe, although some recent analyses propose optimistic scenarios where fault-tolerant attacks on elliptic curves may be viable in the late 2020s under aggressive assumptions.

    Agencies like the US White House and NIST regard the risk seriously enough to advocate for the transition to PQC in federal systems by the mid-2030s, implying a significant chance that cryptographically relevant quantum computers could emerge within that timeframe.

    In that context, Buterin’s “20% by 2030” and “potentially before 2028” remarks reflect a broader spectrum of risk evaluations, where the essential message is uncertainty coupled with lengthy migration timelines, rather than suggesting a code-breaking machine is secretly operational today.

    Did you know? A 2024 report from the National Institute of Standards and Technology and the White House estimates that US federal agencies will require about $7.1 billion to transition their systems to post-quantum cryptography between 2025 and 2035, reflecting only one country’s government IT infrastructure.

    What needs to change in Ethereum if quantum progress accelerates

    On both protocol and wallet aspects, several threads are converging:

    Account abstraction and smart-contract wallets

    Transitioning users from basic EOAs to upgradeable smart contract wallets through ERC-4337-style account abstraction makes it simpler to swap signature schemes later without emergency hard forks. Some ongoing projects already demonstrate Lamport-style or eXtended Merkle Signature Scheme (XMSS)-style quantum-resistant wallets on Ethereum today.

    Post-quantum signature schemes

    Ethereum will need to select—and rigorously test—one or more PQC signature families (likely from NIST’s ML-DSA/SLH-DSA or hash-based constructions) and assess trade-offs in key size, signature size, validation costs, and smart contract integration.
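
To make the key-size and signature-size trade-off concrete, here is a minimal Lamport one-time signature in Python, the hash-based construction behind the Lamport-style wallets mentioned above. It is an added example, not code from Buterin or any Ethereum project; SHA-256, the seed-based key derivation and the sample message are assumptions chosen for illustration.

```python
import hashlib

N = 256  # one pair of secrets per bit of the SHA-256 message digest

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen(seed: bytes):
    """Derive (sk, pk) from a 32-byte seed (derivation scheme is an assumption).
    sk[i][b] is the secret for digest bit i having value b; pk[i][b] = H(sk[i][b])."""
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)]
          for i in range(N)]
    pk = [[H(secret) for secret in pair] for pair in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def sign(sk, msg: bytes):
    # Reveal exactly one secret per digest bit.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    # Verification uses only the hash function; no discrete-log assumption.
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))

def sizes(pk, sig):
    return {"public_key_bytes": sum(len(h) for pair in pk for h in pair),
            "signature_bytes": sum(len(s) for s in sig)}

def revealed_secrets(msgs):
    """Count the distinct secrets (out of 2*N) exposed by signing every msg.
    Each extra signature leaks more secrets, which is why a key is one-time."""
    return len({(i, b) for m in msgs for i, b in enumerate(digest_bits(m))})

if __name__ == "__main__":
    import secrets
    sk, pk = keygen(secrets.token_bytes(32))
    msg = b"constructed sample: move funds to new wallet"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered:", verify(pk, msg + b"!", sig))
    print(sizes(pk, sig))  # compare with Ethereum's 65-byte ECDSA signature
    print("secrets exposed after 1 and 2 signatures:",
          revealed_secrets([msg]), revealed_secrets([msg, msg + b"!"]))
```

A wallet built on a one-time scheme like this has to rotate to a fresh key after every signature, which is part of the validation cost and integration trade-off to weigh.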

    Crypto agility for the rest of the stack

    Elliptic curves aren’t exclusively utilized for user keys. BLS signatures, KZG commitments, and certain rollup proving systems also depend on discrete log hardness. A robust quantum-resilient roadmap necessitates alternatives for those foundational elements as well.

    From a social and governance perspective, Buterin’s quantum emergency fork proposal emphasizes the extensive coordination required for any genuine response. Even with optimal cryptography, reverting blocks, freezing legacy accounts, or facilitating mass key migrations would be politically and operationally contentious. This is why he and other researchers advocate for:

    • Establishing kill switch or quantum canary mechanisms that can automatically trigger migration protocols once a minor, intentionally vulnerable asset is demonstrably compromised.

    • Approaching post-quantum migration as a gradual opt-in process that users can adopt long before any credible threat arises, instead of a last-minute scramble.

    For individuals and institutions, the immediate checklist is more straightforward:

    • Opt for wallets and custody setups capable of upgrading their cryptography without necessitating a complete address overhaul.

    • Minimize unneeded address reuse to reduce the exposure of public keys onchain.

    • Stay informed about Ethereum’s eventual post-quantum signature selections and be prepared to migrate once robust tools become available.

    Quantum risk should be treated similarly to how engineers consider floods or earthquakes. While it may not jeopardize your home this year, the risk over a prolonged period necessitates designing the foundations with that potential in mind.
