Ethereum pushed post-quantum cryptography to a top strategic priority this month, forming a dedicated PQ team led by Thomas Collager and announcing a $1 million prize to power its hash-based primitives.
The announcement came a day before A16Z Crypto unveiled its roadmap, arguing that quantum threats are often overstated and that premature transitions risk trading known security for speculative protection.
Both positions are defensible, and the obvious tension reveals where the real fight lies.
The Ethereum Foundation’s announcement positions PQ Security as an inflection point. Multi-client consensus development net goes live every two weeks. An all-core developer meeting to coordinate precompilation and account abstraction passes begins next month. A comprehensive roadmap promises “zero money loss and zero downtime” during the multi-year transition.
On January 21, Coinbase launched an independent quantum advisory board that includes Ethereum researcher Justin Drake, signaling industry collaboration around long-term planning.
Solana conducted a PQ signing experiment on the testnet in December under Project Eleven, explicitly branding the work as “proactive” rather than emergency response.
Polkadot’s JAM proposal outlines the implementation of ML-DSA and Falcon, along with SNARK-based migration proofs.
The conservative BIP-360 proposal for payments to quantum-resistant hashes of Bitcoin represents an incremental first step constrained by governance realities.
This pattern is similar to an arms race, but it is not driven by an immediate threat.
This is a competition for organizational readiness, with winners upgrading their crypto infrastructure while maintaining fee economics, consensus efficiency, and wallet UX before external pressures force adjustments.
harvest paradox
A16z’s central argument revolves around distinguishing between “harvest-now-de-encrypt-later” risks and signature vulnerabilities. HNDL attacks become important if an attacker can intercept currently encrypted data and decrypt it once quantum computers reach sufficient scale.
This threat clearly maps to TLS, VPN, and data-at-rest encryption. Blockchain signatures authenticate transactions in real-time and leave no encrypted payload to store for future cracking.
Ethereum’s response tacitly accepts this framework, but argues that operational urgency remains high, as changes to signature schemes affect everything from wallets, account formats, hardware signers, custody infrastructure, menpools, fee markets, consensus messages, and L2 proof of payment.
The transition requires years of lead time, not because quantum computing is imminent, but because the engineering scope is vast and the failure modes are catastrophic.
NIST completed its first post-quantum standards, FIPS 203, 204, and 205, in 2024 and selected HQC as the backup key encapsulation mechanism while advancing Falcon and FN-DSA to draft stage.
The EU published a harmonized PQC transition roadmap in June 2025. These developments reduce the question, “Which algorithm should I use?” Eliminate uncertainty and make your transition plan concrete, even if cryptography-related quantum computing is still a long way off.
Although Citi’s January 2026 report cited a range of possible widespread breaches of public-key cryptography by 2034 to 2044, many experts see a very low chance of CRQC occurring in the 2020s.
Timeline ambiguity does not eliminate the obligation to plan, but it amplifies it because chains that wait until threat signals are clear will face timeline compression and coordination disruption.
Characteristic expansion as a base layer bottleneck
The immediate technical challenge is the size of the signature.
ECDSA signatures consume approximately 65 bytes. This equates to approximately 1,040 gas at 16 gas per non-zero byte in Ethereum’s call data pricing model.
ML-DSA candidates generate signatures in the 2-3 KB range, and the dilithium variant is likely to be widely adopted. A 2,420-byte signature consumes approximately 38,720 gas just for signature bytes. Compared to ECDSA, Delta is 37,680 gas.
This overhead is significant enough to impact throughput and pricing unless the chain compresses or aggregates signatures at the protocol level.
This is where Ethereum’s bet on hash-based cryptography and the $1 million Poseidon Prize becomes strategic. Hash-based signatures avoid the algebraic structures utilized by quantum algorithms, and hash functions integrate naturally with zero-knowledge proof systems.
If Ethereum can operationalize STARK-based signature aggregation, it could maintain fee economics while upgrading its security assumptions. The challenge is that a practical post-quantum analog to BLS aggregation does not yet exist, and zk-based aggregation introduces real performance constraints.
Consensus efficiency depends on this issue.
Currently, Ethereum’s consensus layer relies heavily on BLS signature aggregation. Validators sign certificates and synchronize committee messages, and the protocol aggregates thousands of signatures into compact proofs.
Losing that ability without a replacement would force a dramatic change in the economics and vitality assumptions of consensus participation.
EF’s public emphasis on interop calls to orchestrate a “lean” crypto foundation and multi-client PQ Devnet suggests that the organization understands that aggregation is a hidden cliff.
| signature scheme | Signature size (bytes) | Calldata gas @ 16 gases / non-zero bytes | Delta vs ECDSA (Gas) | implication |
|---|---|---|---|---|
| ECDSA (secp256k1, r||s||v) | 65 | 1,040 | 0 | today’s baseline |
| ML-DSA-44 | 2,420 | 38,720 | +37,680 | Price + throughput shock |
| ML-DSA-65 | 3,309 | 52,944 | +51,904 | Aggregation becomes necessary |
| ML-DSA-87 | 4,627 | 74,032 | +72,992 | L1 scaling pressure spike |
Wallet UX as the social layer of cryptography
Protocol support alone is not enough to complete a migration.
Ethereum’s current design does not allow externally owned accounts to cleanly rotate keys. Users require a one-click migration flow that doesn’t require deep technical knowledge. Hardware wallets need to distribute firmware updates. Administrators need secure bulk migration tools.
Ethereum researchers have been exploring proof systems and seed-based migration approaches suitable for key recovery to precisely reduce reconciliation risk and UX friction.
a16z warns that premature migration will result in vulnerabilities such as immature implementations, changes in standards after deployment, and bugs in new cryptographic libraries.
The organization argues that current security issues such as governance failures and software bugs pose greater immediate risks than quantum computers.
This is the core of the “Don’t Panic” framework. Moving too soon trades known security for speculative security, and the cost of getting it wrong can be higher than the cost of waiting for standards to mature and better tools.
Both positions are defensible because they are optimized for different failure modes. EF prioritizes avoiding hasty adjustments under pressure.
a16z prioritizes avoiding self-harm through hasty deployment. This difference reveals the real battlefield. Chains that thread the needle by building migration infrastructure early, without prematurely imposing immature standards on users, gain a competitive advantage.
3 scenarios, different winners
The timeline for the transition depends on external breakthroughs that no one can control.
In a slow-burn scenario, where CRQC does not reach until the 2040s, the transition occurs at the pace of regulations and standards, prioritizing safety over speed. Chains invested in the agility of cryptocurrencies with dual signature periods, hybrid schemes, and extremely difficult strategies can adapt without interruption.
In the base case of a material quantum threat emerging in the mid-2030s, our efforts today will determine the outcome. If the ecosystem wants a smooth transition by 2035, wallet tools and aggregation research will need to be production-ready years in advance.
This is the scenario that EF’s roadmap optimizes for, and where a multi-year lead time justifies the current investment.
In rapid shock scenarios where breakthroughs suggest a credible risk before 2030, the differentiator will be how quickly chains can freeze exposures, migrate accounts, and maintain viability. Although a16z maintains that this outcome is unlikely to occur, the organization’s emphasis on planning suggests that preparation is justified even for low-probability tail risks.
Notable triggers include reliable demonstration of error-corrected scaling, logic qubit stability, and sustained gate fidelity. NIST or a major government has accelerated the transition deadline and major administrators are shipping PQ-ready signatures into production.
None of these are urgent, but they all compress the decision-making timeline.
| battlefield layer | why is it important | What are push signals in EF? | a16z “Don’t panic” counterpoint | KPIs to watch |
|---|---|---|---|---|
| Planning and encryption agility | The transition is a multi-year program. Failure mode is hasty adjustment under pressure | Dedicated PQ Team + Governance Cadence (PQ ACD) = Treat migration as a protocol program rather than a research thread | Premature shifts increase Risks (immature libraries, changing standards, new bugs) | existence of published Chain roadmap + clear “break the glass” plan + gradual deployment milestones |
| Wallet UX and account migration | Users will not migrate unless there is little friction. EOA is a long tail | Account Abstraction Path + “Zero Downtime/Zero Loss” Messaging Focus = UX Focus | Avoid forcing new schemes on users too early. UX failure is a self-inflicted loss | Percentage of supported wallets/custodians Dual sign/key rotation It flows. Migration time for non-technical users |
| Aggregation and fee economics | PQ sig can be large. Without aggregation, throughput decreases and prices increase | LeanVM + hash/ZK foundation + devnet is a bet implied. Protocol level compression | Even the “correct” PQ may become unusable if it makes it uneconomical. Don’t trade ease of use for theoretical safety | proven Signature aggregation Performance (proof size/verification time) and resulting cost per transmission/proof |
| Consensus efficiency and validator overhead | Currently, Ethereum consensus relies on aggregation. Losing it threatens lives and the economy. | Multi-client PQ consensus devnet + interop calls = not just wallets, but treat consensus as the hard part | New consensus cryptography is high-risk engineering. Conservative deployment trumps hasty redesign | measured Bandwidth/CPU overhead per validator Against today. Certificate inclusion rate under load |
| Interoperability and standards maturity | Standards alleviate the question, “Which algorithm?” Uncertainty. Ecosystem converges on safer choices | Prizes + Workshops + External Collaboration (Advisory Board) = Ecosystem Alignment | Wait until standards/implementations mature before forcing large-scale migrations | NIST/EU Milestone Coordination. Ships PQ support in major libraries/HW wallets without significant CVEs |
new status game
Post-quantum readiness is following the same path that L2 maturity followed in previous cycles, becoming an indicator of institutional trustworthiness.
Chains without a reliable PQ roadmap risk being deemed unprepared for long-term settlement guarantees, even if the immediate threat is far away.
This dynamic explains why Solana, Polkadot, and Bitcoin all have active PQ workstreams despite the lack of an imminent Q-day consensus.
The arms race is not about who returns the PQ first. Instead, it’s about who maintains UX, fee economics, and consensus efficiency in doing so.
Ethereum’s approach bets on hash-based infrastructure, ZK aggregation, and governance alignment.
Solana’s high-throughput architecture makes signature overhead particularly acute and requires design innovation.
Polkadot’s heterogeneous sharding model enables chain-by-chain experimentation.
Bitcoin’s conservatism reflects governance constraints and a long tail of legacy outputs that cannot be migrated without the cooperation of owners.
If PQ becomes the next L1 arms race, the winner will not be the chain that announces the most prizes or development nets. This provides a migration path for regular users to actually complete, maintains throughput despite multi-KB signature candidates, and becomes a chain that replaces today’s aggregation assumptions without sacrificing uptime.
The planning layer, the wallet UX layer, and the aggregation layer are now the real battlegrounds, and the clock started years before most participants realized the race had begun.