Key Takeaways
- •Vitalik Buterin, citing Metaculus forecasts, puts the chance that quantum computers break current public key cryptography before 2030 at roughly 20%, and urges Ethereum to prepare now.
- •A significant risk involves ECDSA, where a visible public key on-chain could theoretically be used by a quantum computer to recover the private key.
- •Buterin's proposed quantum emergency plan includes rolling back blocks, freezing externally owned accounts (EOAs), and migrating funds to quantum-resistant smart contract wallets.
- •Mitigation strategies involve adopting smart contract wallets, NIST-approved post-quantum signatures, and crypto-agile infrastructure for seamless transitions.
In late 2025, Ethereum co-founder Vitalik Buterin took an unusual step by quantifying a risk often relegated to science fiction. Citing the forecasting platform Metaculus, Buterin stated there is "about a 20% chance" that quantum computers capable of breaking today's cryptography could emerge before 2030, with the median forecast placing that milestone closer to 2040.
A few months later, at Devconnect in Buenos Aires, he issued a stark warning: elliptic curve cryptography, which underpins both Ethereum and Bitcoin, "could break before the next US presidential election in 2028." He also advocated for Ethereum to transition to quantum-resistant foundations within approximately four years.
According to Buterin, there is a nontrivial probability of a cryptographically relevant quantum computer appearing in the 2020s. If this occurs, the associated risk must be integrated into Ethereum's research roadmap and not dismissed as a future concern.
As of 2025, Etherscan data indicates over 350 million unique Ethereum addresses. This highlights the network's significant growth, although only a small fraction of these addresses hold substantial balances or remain actively used.
Why Quantum Computing Poses a Threat to Ethereum's Cryptography
The security of Ethereum accounts rests on the hardness of the elliptic curve discrete logarithm problem (ECDLP), which underpins the Elliptic Curve Digital Signature Algorithm (ECDSA). Ethereum uses the secp256k1 curve for these signatures, the same curve as Bitcoin.
- •Your private key is a large, randomly generated number (a 256-bit scalar).
- •Your public key is a point on the curve, obtained by multiplying the curve's generator point by your private key.
- •Your address is the last 20 bytes of the Keccak-256 hash of that public key.
On classical hardware, deriving the public key from the private key is cheap, but the reverse (solving the ECDLP) is computationally infeasible: the best known classical attacks on a 256-bit curve need on the order of 2^128 group operations. This asymmetry is why a 256-bit key is treated as virtually unguessable.
Quantum computing fundamentally challenges this asymmetry. Shor's algorithm, introduced in 1994, demonstrates that a sufficiently powerful quantum computer could solve the discrete logarithm problem and related factorization problems in polynomial time. This capability would undermine cryptographic systems such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman, and ECDSA.
Both the Internet Engineering Task Force and the National Institute of Standards and Technology (NIST) acknowledge that current elliptic curve systems would be vulnerable in the presence of a cryptographically relevant quantum computer (CRQC).
Buterin's Ethereum Research post on a potential quantum emergency highlights a nuance specific to Ethereum. If an address has never sent a transaction, only the hash of its public key is visible on the blockchain, and inverting a hash is not something Shor's algorithm helps with (Grover's algorithm offers only a quadratic speedup against a 256-bit hash). However, once the account signs a transaction, the public key can be recovered from that signature; this is exactly how Ethereum validates transactions, via ecrecover. From then on the key is effectively public, and a future quantum attacker has everything needed to recover the private key and drain the account.
Therefore, the primary threat is not that quantum computers will break Keccak or Ethereum's data structures themselves. The danger is that a future quantum machine could target any address whose public key has ever been exposed, a category that includes most user wallets that have ever transacted and the EOAs that control many smart contract treasuries.
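The key exposure described above, as an added example that is not from the article or from any Ethereum client: a minimal secp256k1 ECDSA implementation in pure Python that signs a constructed message and then recovers the public key from nothing but the signature and the message hash, which is what ecrecover does during transaction validation. SHA-256 is used in place of Keccak-256 (not in Python's standard library), so the address function is a stand-in, and the key, nonce and message are constructed. The arithmetic is not constant-time; it is for illustration only.

```python
"""secp256k1 ECDSA in pure Python: a signature leaks the public key.
Added example; not code from the article or from any Ethereum client.
SHA-256 stands in for Keccak-256 (assumption), so address() is a stand-in."""
import hashlib

# secp256k1 domain parameters (the curve Ethereum uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def pubkey(d):
    """Public key = d * G; cheap one way, infeasible to invert classically."""
    return ec_mul(d, G)


def address(q):
    """Stand-in address: last 20 bytes of a hash of the 64-byte public key.
    Ethereum uses Keccak-256 here; SHA-256 is an assumption of this demo."""
    raw = q[0].to_bytes(32, "big") + q[1].to_bytes(32, "big")
    return hashlib.sha256(raw).digest()[-20:]


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, z, k):
    """ECDSA with caller-supplied nonce k. Returns (r, s, v); v is the parity
    of R.y, the recovery id Ethereum carries in a transaction (minus offset)."""
    rx, ry = ec_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * d) % N
    v = ry & 1
    if s > N // 2:  # low-s normalisation, as EIP-2 requires
        s, v = N - s, v ^ 1
    return r, s, v


def recover(z, r, s, v):
    """Recover Q from (z, r, s, v): Q = r^-1 * (s*R - z*G).
    This is what ecrecover computes, so every signed transaction publishes Q."""
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)  # sqrt, since P = 3 mod 4
    if (y & 1) != v:
        y = P - y
    zg = ec_mul(z, G)
    neg_zg = (zg[0], (-zg[1]) % P)
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, (r, y)), neg_zg))


def verify(q, z, r, s):
    """Standard ECDSA verification against a known public key."""
    w = pow(s, -1, N)
    x = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, q))
    return x is not None and x[0] % N == r


def demo():
    # constructed key, nonce and message, derived deterministically
    d = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    k = int.from_bytes(hashlib.sha256(b"constructed demo nonce").digest(), "big") % N
    q = pubkey(d)
    z = msg_hash(b"constructed transaction payload")
    r, s, v = sign(d, z, k)
    q_rec = recover(z, r, s, v)  # observer knows only z, r, s, v
    return {"addr": address(q), "sig_ok": verify(q, z, r, s),
            "recovered_matches": q_rec == q,
            "recovered_addr_matches": address(q_rec) == address(q)}


if __name__ == "__main__":
    print(demo())
```

Before the first spend, a chain observer holds only `address(q)`; after it, `recover` hands them `q` itself, which is the value a CRQC running Shor's algorithm would take as input.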
Buterin's Risk Assessment and Framing
Buterin's recent statements encompass two main points. First, the probability estimate. Rather than providing his own figures, he referenced Metaculus's forecasts, which suggest a roughly one-in-five chance of quantum computers capable of breaking current public key cryptography emerging before 2030. These same forecasts place the median scenario around 2040. Buterin's core argument is that even this "tail risk" is significant enough to warrant proactive preparation by Ethereum.
Second, the 2028 timeline framing. At Devconnect, he reportedly told the audience that "elliptic curves are going to die," citing research indicating that quantum attacks on 256-bit elliptic curves might become feasible before the 2028 US presidential election. Some media coverage simplified this into headlines like "Ethereum has four years," but his message was more nuanced:
- •Current quantum computers are not capable of attacking Ethereum or Bitcoin today.
- •Once CRQCs become available, ECDSA and related systems will become structurally insecure.
- •Migrating a global network to post-quantum schemes is a multi-year undertaking, so waiting until the danger is obvious before reacting is inherently risky.
In essence, Buterin is adopting the perspective of a safety engineer. While one would not evacuate a city based on a 20% chance of a major earthquake in the next decade, reinforcing critical infrastructure like bridges during periods of calm is a prudent measure.
IBM's latest roadmap outlines new quantum chips, Nighthawk and Loon, with a goal of demonstrating fault-tolerant quantum computing by 2029. The company has also recently shown that a key quantum error correction algorithm can be efficiently executed on conventional AMD hardware.
The "Quantum Emergency" Hard-Fork Plan
Long before these recent public pronouncements, Buterin outlined a potential strategy in a 2024 Ethereum Research post titled "How to hard-fork to save most users’ funds in a quantum emergency." This proposal details how Ethereum could respond if a sudden quantum breakthrough were to disrupt the ecosystem.
Consider a scenario where there is a public announcement of large-scale quantum computers becoming operational, and attackers are already exploiting ECDSA-secured wallets. What would the response entail?
Detect the Attack and Roll Back
Ethereum would revert the blockchain to the last block preceding the widespread emergence of quantum theft.
Disable Legacy EOA Transactions
Traditional externally owned accounts (EOAs) secured by ECDSA would be prevented from sending funds. This measure would halt further theft via exposed public keys.
Route Everything Through Smart Contract Wallets
A new transaction type would allow users to prove, using a zero-knowledge STARK, that they control the original seed or derivation path for a vulnerable address. This proof would also specify new validation code for a quantum-resistant smart contract wallet. Once this proof is verified, control of the funds would be transferred to the smart contract wallet, which would then enforce post-quantum signatures moving forward.
Batch Proofs for Gas Efficiency
Given the significant size of STARK proofs, the design anticipates batching. Aggregators would submit bundles of proofs, enabling multiple users to migrate simultaneously while preserving the confidentiality of each user's secret preimage.
Crucially, this plan is positioned as a last-resort recovery mechanism, not a primary strategy. Buterin's argument is that much of the necessary protocol infrastructure for such a fork—including account abstraction, robust ZK-proof systems, and standardized quantum-safe signature schemes—can and should be developed proactively. In this context, preparing for a quantum emergency becomes a fundamental design requirement for Ethereum's infrastructure, rather than a purely theoretical exercise.
Expert Perspectives on Timelines
While Buterin refers to public forecasts, what are hardware and cryptography specialists actually saying?
From a hardware perspective, Google's Willow chip, unveiled in late 2024, is among the most advanced publicly disclosed quantum processors, featuring 105 physical qubits and error-corrected logical qubits capable of outperforming classical supercomputers on specific benchmarks. However, Google's quantum AI director has clarified that "the Willow chip is not capable of breaking modern cryptography." He estimates that breaking RSA would require millions of physical qubits and is at least a decade away.
Academic resources offer a similar outlook. One frequently cited analysis suggests that breaking 256-bit elliptic curve cryptography within an hour, using surface code-protected qubits, would require tens to hundreds of millions of physical qubits—a scale far beyond current capabilities.
On the cryptography front, NIST and academic institutions like the Massachusetts Institute of Technology have consistently warned for years that once cryptographically relevant quantum computers exist, they will compromise nearly all widely deployed public key systems, including RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, and ECDSA, through Shor's algorithm. This threat applies both retrospectively, by decrypting harvested encrypted data, and prospectively, by enabling signature forgery.
This concern has driven NIST's decade-long Post-Quantum Cryptography competition. In August 2024, NIST finalized its first three PQC standards: ML-KEM (FIPS 203) for key encapsulation, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for digital signatures.
There is no definitive expert consensus on a precise "Q-Day." Most estimates fall within a 10-to-20-year window, although some recent research explores optimistic scenarios where fault-tolerant attacks on elliptic curves could become feasible in the late 2020s, assuming aggressive advancements.
Policy bodies such as the US White House and NIST acknowledge the risk sufficiently to mandate the migration of federal systems to PQC by the mid-2030s. This implies a nontrivial probability of cryptographically relevant quantum computers emerging within that timeframe.
Viewed in this context, Buterin's "20% by 2030" and "possibly before 2028" framing is part of a broader spectrum of risk assessments. The underlying message emphasizes uncertainty coupled with extended migration lead times, rather than an assertion that a code-breaking machine is currently operational and hidden.
A 2024 report by the National Institute of Standards and Technology and the White House estimates that US federal agencies will incur approximately $7.1 billion in costs to migrate their systems to post-quantum cryptography between 2025 and 2035. This figure represents only the IT infrastructure costs for one country's government.
Necessary Changes in Ethereum for Accelerated Quantum Progress
On the protocol and wallet levels, several developments are already converging:
Account Abstraction and Smart Contract Wallets
Migrating users from basic EOAs to upgradeable smart contract wallets, facilitated by ERC-4337-style account abstraction, simplifies swapping signature schemes later without an emergency hard fork. Some projects are already demonstrating quantum-resistant wallets on Ethereum today, using hash-based schemes such as Lamport one-time signatures or the eXtended Merkle Signature Scheme (XMSS). Both are stateful: a Lamport key may sign only once and an XMSS leaf may never be reused, so the wallet must track state reliably or security collapses.
Post-Quantum Signature Schemes
Ethereum will need to select and rigorously test one or more PQC signature families, likely from NIST's ML-DSA/SLH-DSA or hash-based constructions. This means weighing key size, signature size, verification cost, and integration within smart contracts; for reference, an ML-DSA-44 signature is 2,420 bytes and its public key 1,312 bytes, against 65 and 33 bytes for a secp256k1 ECDSA signature and compressed public key.
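To make the hash-based family concrete (the Lamport scheme mentioned under Account Abstraction above and the "hash-based constructions" here), the following is an added example, not code from the article or from any wallet project: a Lamport one-time signature over SHA-256, a size report for the trade-off discussion, a reuse guard of the kind a wallet must enforce, and a function that counts how many secret preimages an observer learns from published signatures. The messages and the `OneTimeSigner` class are constructed for illustration.

```python
"""Lamport one-time signatures over SHA-256.
Added example; not code from the article or from any Ethereum wallet project.
Shows the hash-based family, its size trade-off, and why keys are one-time."""
import hashlib
import os

BITS = 256  # one secret pair per bit of the SHA-256 message digest


def H(data):
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    """sk: 256 pairs of random 32-byte preimages; pk: their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(sk, msg):
    """Reveal, for each digest bit, the preimage that bit selects."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg, sig):
    """Hash each revealed preimage and compare with the selected public hash."""
    if len(sig) != BITS:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))


def leaked_preimages(msgs_and_sigs):
    """Count distinct secrets (of 512) an observer learns from signatures.
    One signature exposes exactly 256; a second, different message exposes
    more, letting a forger sign any digest whose bits are all covered."""
    seen = set()
    for msg, _sig in msgs_and_sigs:
        for i, bit in enumerate(digest_bits(msg)):
            seen.add((i, bit))
    return len(seen)


class OneTimeSigner:
    """Constructed wallet-style guard: refuses a second signature per key."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("Lamport key already used; rotate to a fresh key")
        self.used = True
        return sign(self.sk, msg)


def sizes():
    """Byte sizes, to compare with ECDSA's 65-byte signature and 33-byte key."""
    sk, pk = keygen()
    sig = sign(sk, b"constructed size probe")
    return {"pk": sum(len(a) + len(b) for a, b in pk),
            "sk": sum(len(a) + len(b) for a, b in sk),
            "sig": sum(len(s) for s in sig)}


if __name__ == "__main__":
    w = OneTimeSigner()
    sig = w.sign(b"constructed message")
    print(verify(w.pk, b"constructed message", sig), sizes())
```

The 8 KiB signature and 16 KiB public key are the cost of relying only on a hash function; XMSS and SLH-DSA reduce the key-management burden by hashing many such one-time keys into a Merkle tree, but the per-signature size and the statefulness (for XMSS) remain the trade-offs a wallet design has to budget for.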
Crypto Agility for the Broader Stack
Elliptic curves are not used solely for user keys. BLS signatures (used by validators), KZG commitments (used for blob data), and certain rollup proving systems also depend on the hardness of the discrete logarithm problem; STARK-based provers, which rely only on hash functions, are the notable exception. A comprehensive quantum-resilient roadmap requires alternatives for these foundational components as well.
On the social and governance fronts, Buterin's quantum emergency fork proposal underscores the extensive coordination required for any genuine response. Even with perfect cryptography, actions such as rolling back blocks, freezing legacy accounts, or enforcing mass key migrations would be politically and operationally contentious. This is precisely why he and other researchers advocate for:
- •Developing kill switch or quantum canary mechanisms that can automatically trigger migration rules once a smaller, deliberately vulnerable test asset is provably compromised.
- •Treating post-quantum migration as a gradual, opt-in process that users can adopt well in advance of any credible threat, rather than a last-minute scramble.
For individuals and institutions, the near-term checklist is more straightforward:
- •Prioritize wallets and custody solutions that can upgrade their cryptography without necessitating a move to entirely new addresses.
- •Minimize unnecessary address reuse to reduce the on-chain exposure of public keys. On Ethereum's account model this is harder than on Bitcoin: any EOA that has ever sent a transaction has already revealed its key, so the practical step is to park long-term holdings at a fresh address or a smart contract wallet rather than keep spending from an exposed one.
- •Stay informed about Ethereum's eventual post-quantum signature choices and prepare to migrate once robust tooling becomes available.
Quantum risk should be approached similarly to how engineers consider risks like floods or earthquakes. While the immediate threat may seem low, the long-term probability is significant enough to warrant designing foundational systems with such eventualities in mind.

