Vitalik Buterin published a staged “strawmap” that lays out a multi-year plan to replace four cryptographic primitives used across Ethereum. The proposal is framed as an execution roadmap, backed by a dedicated $2 million Quantum Defense Team, to deliver phased forks through 2029. The intent is to move post-quantum security from “research topic” to an engineered program with milestones.
Buterin’s argument is that quantum risk is no longer abstract, and he quantifies it in operational terms. He described an estimated 20% quantum risk by 2030 and highlighted “harvest now, decrypt later” as a compounding threat model that increases urgency. If sufficiently capable quantum computers emerge, the failure modes are severe: private-key recovery, validator forgery, and large-scale fund exfiltration.
Now, the quantum resistance roadmap.
Today, four things in Ethereum are quantum-vulnerable:
* consensus-layer BLS signatures
* data availability (KZG commitments+proofs)
* EOA signatures (ECDSA)
* Application-layer ZK proofs (KZG or groth16)We can tackle these step by step:…
— vitalik.eth (@VitalikButerin) February 26, 2026
The four primitives Ethereum wants to replace
At the consensus layer, Buterin singled out BLS signatures used for validator attestations as a primary vulnerability. The strawmap prioritizes replacing BLS with quantum-safe, hash-based schemes to reduce exposure to Shor-style private-key recovery and signature forgery. The risk framing is explicit: if validator signatures can be forged, finality and censorship resistance become fragile, and the network’s safety assumptions degrade quickly.
On data availability, the focus is KZG commitments that underpin EIP-4844 and Danksharding sampling. The plan calls for shifting toward STARK-style, hash-based commitments to remove elliptic-curve pairings from the data-availability stack while preserving verifiability under quantum threat. This is positioned as a foundational change because data availability is core to rollup-centric scaling, not a niche feature.
For users and institutions, wallet signatures are the most visible pressure point because ECDSA remains dominant for account keys. Buterin backed EIP-8141 as a flexible validation framework that lets accounts migrate by swapping validation logic rather than forcing an immediate, network-wide key rotation. The strawmap explicitly contemplates quantum-resistant options such as lattice and hash-based approaches, with the operating goal of reducing single-point exposure during migration.
Zero-knowledge proofs are treated with more nuance, separating proof systems by their cryptographic dependencies. The roadmap distinguishes STARKs as generally quantum-resistant while treating many SNARK designs as higher-risk when they rely on pairing-based assumptions. The recommendation is to lean on STARKs for long-term resilience, while acknowledging that verification cost must be managed to keep the system usable.
Keeping costs sane with protocol-level aggregation
Buterin does not downplay the economic friction of quantum-safe cryptography, and he quantifies the gap directly. His note contrasts roughly 200,000 gas for a hash-based signature versus about 3,000 gas for ECDSA, which would make “business as usual” transactions materially more expensive. That cost delta is why the strawmap emphasizes protocol-level aggregation as a gating capability rather than a nice-to-have optimization.
The plan’s cost strategy centers on protocol-layer recursive aggregation so thousands of sub-validations can be checked via a single compact STARK proof. The thesis is that aggregation is the only realistic path to make quantum-safe signatures economically viable for wallets, Layer 2 systems, and privacy applications at scale. Without compact aggregation, the security upgrade could become self-defeating by pricing routine usage out of reach.
The Ethereum Foundation is positioning post-quantum security as a top strategic priority and is funding the $2 million Quantum Defense Team to drive research and engineering. The strawmap sketches a staged rollout: near-term replacement of consensus BLS, mid-term work on data availability and EIP-8141, and longer-term deployment of recursive aggregation to normalize on-chain costs. That sequencing is designed to harden the highest-risk surfaces first while preserving an upgrade path that teams can actually deliver.
Buterin’s framing is deliberately pragmatic and operational rather than apocalyptic. The objective is for Ethereum to “keep chugging along” even if quantum capability arrives earlier than widely expected, instead of scrambling under emergency conditions. The roadmap effectively treats quantum resilience as a long-duration change-management program that must be executed under live-network constraints.
The strawmap’s emphasis on flexible validation and staged migration changes the risk posture. A controlled migration path reduces the chance that one forced cutover becomes a single point of failure for key compromise across the ecosystem. For product teams, the dependency is clear: aggregation must land in a form that restores acceptable gas economics, or adoption will stall due to cost and user friction.
The “harvest now, decrypt later” vector also raises urgency for institutions holding long-tail encrypted records that could become vulnerable if historical public keys are later breakable. The text suggests that operational readiness will increasingly include migration plans and proof-of-reserves narratives that account for quantum exposure.
The Quantum Defense Team is expected to publish technical milestones and audit reports as work progresses, and the strawmap points to EIP-8141 adoption as a key adoption signal. Security teams that want to stay ahead of exposure should track those milestones and the pace of validation migration to keep risk models current. The roadmap’s real test will be whether Ethereum can deliver stronger primitives without breaking cost, usability, or ecosystem coordination.