TLDR
- Ethereum identifies four quantum-vulnerable components.
-
BLS and ECDSA signatures face planned replacement.
-
KZG commitments may transition toward STARK systems.
-
Recursive STARK aggregation was proposed to cut gas costs.
Ethereum co-founder Vitalik Buterin has outlined a structured roadmap to prepare the network for quantum computing risks. He identified four areas that are currently vulnerable, including consensus layer signatures, data availability systems, externally owned account signatures, and certain zero-knowledge proofs.
The proposal focuses on gradual upgrades rather than a single overhaul. The plan introduces hash-based signatures, recursive STARK aggregation, and adjustments to Ethereum’s validation model to reduce long term cryptographic exposure.
Vitalik Buterin’s Four Quantum Vulnerabilities
Vitalik Buterin stated that consensus layer BLS signatures, KZG commitments used in data availability, ECDSA account signatures, and application layer ZK proofs remain quantum vulnerable. These components rely on cryptographic primitives that quantum computers could potentially weaken in the future.
Now, the quantum resistance roadmap.
Today, four things in Ethereum are quantum-vulnerable:
* consensus-layer BLS signatures
* data availability (KZG commitments+proofs)
* EOA signatures (ECDSA)
* Application-layer ZK proofs (KZG or groth16)We can tackle these step by step:…
— vitalik.eth (@VitalikButerin) February 26, 2026
Consensus layer upgrades would replace BLS signatures with hash based signatures such as Winternitz variants. Aggregation would rely on STARK proofs to maintain efficiency. Before full implementation, a lean available chain could operate with fewer signatures per slot.
Hash function selection remains a key upstream decision. Options discussed include Poseidon2 with extra rounds, Poseidon1 for greater security, or conventional hashes such as BLAKE3.
Data Availability and KZG Replacement Challenges
Ethereum currently relies on KZG commitments for erasure coding and blob verification. Buterin explained that STARK systems could replace KZG, though engineering complexity remains high.
Two primary challenges exist. Current two-dimensional data availability sampling depends on KZG linearity, which STARKs lack. Ethereum may instead rely on one-dimensional sampling through PeerDAS.
Another challenge involves proof size. STARK proofs are larger than blobs, which requires recursive constructions to remain efficient. Buterin noted that the transition is manageable but involves extensive engineering coordination.
Native Account Abstraction and Signature Upgrades
Externally owned accounts currently use ECDSA signatures that cost around 3000 gas to verify. Quantum-resistant signatures are larger and heavier to validate.
Buterin proposed native account abstraction through EIP 8141, enabling accounts to use alternative signature algorithms. Hash-based signatures may cost around 200,000 gas, while lattice-based signatures require mathematical optimizations.
Vectorized math precompiles are under research to reduce lattice verification costs. Long term protocol layer recursive aggregation could reduce signature verification overhead to near zero.
Recursive STARK Aggregation at the Mempool Layer
Zero knowledge proofs currently cost hundreds of thousands of gas, while quantum resistant STARK proofs may cost around 10 million gas. This level is unsuitable for privacy protocols and Layer 2 systems.
The roadmap introduces recursive STARK aggregation within validation frames. Transactions would include validation frames that could later be replaced by aggregated proofs verifying correctness.
Buterin described a mempool level aggregation model. Nodes would generate recursive STARK proofs every 500 milliseconds that verify all valid objects they hold. This approach limits bandwidth overhead to one proof per tick rather than per transaction.
Each object would be broadcast without its heavy proof data. Nodes would combine direct proofs and recursive proofs into unified attestations. Builders could merge multiple recursive proofs when assembling blocks.
According to Buterin, the total overhead becomes predictable and constant. The approach maintains scalability while preparing Ethereum for a post quantum environment.