Why does Vitalik believe that quantum computing may break Ethereum's (ETH) cryptography earlier than expected?


Buterin believes that the probability of quantum computers breaking existing cryptography before 2030 is not negligible, estimated at about 20%, and advocates that Ethereum should start preparing for this possibility.

A key risk involves ECDSA. Once a public key is visible on-chain, future quantum computers could theoretically use it to recover the corresponding private key.

Buterin's quantum emergency plan includes rolling back blocks, freezing EOAs, and migrating funds to quantum-resistant smart contract wallets.

Mitigation paths include smart contract wallets, NIST-standardized post-quantum signatures, and cryptographically agile infrastructure that can switch signature schemes without causing chaos.

At the end of 2025, Ethereum co-founder Vitalik Buterin did something unusual: he put a number on a risk that is usually discussed as science fiction.

Citing the prediction platform Metaculus, Buterin stated that "there is about a 20% chance" of a quantum computer capable of breaking today's cryptography appearing before 2030, with the median prediction closer to 2040.

Months later, he warned at Devconnect in Buenos Aires that elliptic curve cryptography, which underpins Ethereum and Bitcoin, "could be broken before the next U.S. presidential election in 2028." He urged Ethereum to migrate to quantum resistance within about four years.

In his view, the probability of a quantum computer having a practical impact on cryptography in the 2020s is not negligible; if so, this risk should enter Ethereum's research roadmap rather than be seen as a distant future issue.

Did you know? As of 2025, Etherscan data shows that the number of unique Ethereum addresses has exceeded 350 million, highlighting the network's growth, although only a small fraction of those addresses hold meaningful balances or remain active.

The security of Ethereum's user accounts rests on the elliptic curve discrete logarithm problem (ECDLP), the hardness assumption behind the elliptic curve digital signature algorithm (ECDSA). Ethereum uses the secp256k1 curve for these signatures, the same curve Bitcoin uses. In short:

Your private key is a large random number.

Your public key is a curve point derived from that private key.

Your address is the last 20 bytes of the Keccak-256 hash of that public key (the uncompressed 64-byte x||y encoding).

On classical hardware, deriving a public key from a private key is easy (one scalar multiplication on the curve), but going the other way is considered computationally infeasible: the best known classical attacks on a 256-bit curve take on the order of 2^128 operations. This asymmetry is why a 256-bit key is regarded as practically unguessable.

Quantum computing threatens this asymmetry. Shor's algorithm, published in 1994, shows that a sufficiently powerful quantum computer could solve the discrete logarithm problem and integer factorization in polynomial time, breaking schemes such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman, and ECDSA.

The Internet Engineering Task Force (IETF) and the National Institute of Standards and Technology (NIST) both recognize that classical elliptic curve systems will be broken once a cryptographically relevant quantum computer (CRQC) exists.

Buterin's post on the Ethereum research forum about a potential quantum emergency rests on a detail of how Ethereum works: if you have never sent a transaction from an address, only the hash of your public key (the address itself) is visible on-chain, and a hash alone is still considered quantum safe. Ethereum transactions do not carry the public key; nodes recover it from the signature (the v, r, s values) with ecrecover to identify the sender. So the moment you broadcast your first signed transaction, your public key is public, giving a future quantum attacker the input it needs to recover the private key and empty the account. Any other ECDSA signature made with the same key, such as a signed off-chain message, exposes the public key in the same way.

Thus, the core risk is not that quantum computers will break Keccak or Ethereum's data structures; it is that a future machine could target any address that has ever exposed a public key. That covers most active user wallets, and also the owner and admin keys that control many smart contract vaults.

Buterin's recent statements have two main points.

First is the probability estimate. He is not guessing randomly but pointing to Metaculus's prediction: there is about a one in five chance of a quantum computer capable of breaking today's public key cryptography appearing before 2030. The same prediction places the median scenario around 2040. His argument is that even this "tail risk" is high enough for Ethereum to prepare in advance.

Second is the framing around 2028. At Devconnect, he reportedly told the audience, "elliptic curves will die," citing research that suggests quantum attacks on 256-bit elliptic curves could become feasible before the 2028 U.S. presidential election. Some reports condensed this into "Ethereum has only four years left," but his message is more nuanced:

Current quantum computers cannot attack Ethereum or Bitcoin.

Once CRQC exists, ECDSA and related systems will become structurally insecure.

Migrating the global network to post-quantum solutions will take years, so waiting for a clear danger is itself risky.

In other words, his way of thinking is like that of a security engineer. You wouldn't evacuate a city because there is a 20% chance of a major earthquake in the next decade, but you would reinforce bridges while there is still time.

Did you know? IBM's latest roadmap pairs the new quantum chips Nighthawk and Loon, aiming to demonstrate fault-tolerant quantum computing before 2029. It also recently showcased a key quantum error correction algorithm that runs efficiently on conventional AMD hardware.

Long before these public warnings, Buterin had laid out in a 2024 Ethereum research post, "How to hard-fork to save most users' funds in a quantum emergency," what Ethereum could do if a sudden quantum breakthrough caught the ecosystem off guard.

Imagine a public announcement about the launch of large-scale quantum computers, and attackers are already emptying wallets protected by ECDSA. What should be done?

Ethereum would roll back the chain to the last block before large-scale quantum theft became apparent.

Traditional externally owned accounts (EOAs) using ECDSA would be frozen from sending funds, cutting off further theft through exposed public keys.

A new transaction type would let a user prove, with a zero-knowledge STARK, that they know the seed from which the vulnerable address's key was derived (for example, the seed of a Bitcoin Improvement Proposal (BIP) 32 HD wallet). This works because wallets derive private keys from seeds by hashing: a quantum attacker who recovers the private key from the exposed public key still cannot invert the hash to find the seed, so only the legitimate owner can produce the proof.

The proof would also commit to the new verification code of a quantum-resistant smart contract wallet. Once verified, control of the funds would move to that contract, which would from then on require post-quantum signatures.

Because STARK proofs are large, this design is expected to be batched: aggregators submit bundles of proofs, letting many users migrate in one go while each user's seed stays private.

Crucially, this is positioned as a last-resort fund recovery tool rather than a preferred solution. Buterin's argument is that the protocol pipeline needed to support such a fork—including account abstraction, robust ZK proof systems, and standardized quantum-safe signature schemes—can and should be built in advance.

In this sense, preparing for quantum emergencies becomes a design requirement for Ethereum's infrastructure, rather than just an interesting thought experiment.

If Buterin relies on public predictions, what are hardware and cryptography experts actually saying?

In terms of hardware, Google's Willow chip, announced at the end of 2024, is one of the most advanced public quantum processors to date. It has 105 physical qubits, was the first to show logical error rates falling as the error-correcting code was enlarged (error correction "below threshold"), and ran a random circuit sampling benchmark far faster than classical supercomputers.

However, Google's quantum AI director has explicitly stated, "The Willow chip cannot break modern cryptography." He estimates that breaking RSA would require millions of physical qubits and at least a decade.

Academic estimates point in the same direction. A widely cited analysis found that a surface-code-protected quantum computer would need tens of millions to hundreds of millions of physical qubits to solve a 256-bit elliptic curve discrete logarithm within an hour, far beyond anything available today.

In terms of cryptography, NIST and academic groups such as those at MIT have warned for years that once a cryptographically relevant quantum computer exists, Shor's algorithm will break nearly all widely deployed public key systems, including RSA, Diffie-Hellman, elliptic curve Diffie-Hellman, and ECDSA. The damage is retroactive for encryption, through decrypting traffic that was collected earlier, and prospective for signatures, through forging them. For Ethereum the second case is the one that matters: nothing is encrypted on-chain, but every exposed public key becomes a forgeable signing key.

This is why NIST spent nearly a decade running its post-quantum cryptography competition, finalizing its first three PQC standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures.

There is no expert consensus on a precise "Q day." Most estimates fall within a 10 to 20-year window, although some recent work considers optimistic scenarios where fault-tolerant attacks on elliptic curves could become feasible in the late 2020s under radical assumptions.

Policy institutions like the White House and NIST take this risk seriously enough to push for a transition to PQC in federal systems by the mid-2030s, indicating that the possibility of a cryptographic quantum computer emerging within this timeframe is not to be ignored.

From this perspective, Buterin's "20% before 2030" and "possibly before 2028" framing is part of a broader risk assessment, with the real message being uncertainty plus long migration lead times, rather than the idea of a machine secretly going live today that can break codes.

Did you know? A report from the National Institute of Standards and Technology and the White House in 2024 estimated that U.S. federal agencies will spend about $7.1 billion to migrate their systems to post-quantum cryptography between 2025 and 2035, and this is just for one country's government IT stack.

In terms of protocols and wallets, several threads are already converging:

Through ERC-4337-style account abstraction, users are moving from bare EOAs to upgradable smart contract wallets, which makes it possible to change the signature scheme later without an emergency hard fork. Some projects have already demonstrated Lamport-style or extended Merkle signature scheme (XMSS)-style hash-based quantum-resistant wallets on Ethereum.

Ethereum will need to select (and field-test) one or more families of PQC signatures (potentially from NIST's ML-DSA/SLH-DSA or hash-based constructions) and address trade-offs regarding key size, signature size, verification costs, and smart contract integration.

Elliptic curves are not only used for user keys. BLS signatures (used by consensus-layer validators), KZG commitments, and pairing-based rollup proof systems also rely on the hardness of discrete logarithms; STARK-based systems, which depend only on hash functions, are the notable exception. A serious quantum resistance roadmap needs to provide replacements for each of these building blocks.
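As an added illustration of the hash-based signature family mentioned above, and of the key-size and signature-size trade-offs, here is a Lamport one-time signature in Python. This is example code written for this page, not code from the article or from any wallet project. It assumes SHA-256 and a 256-bit digest, and it adds one design element a contract wallet would realistically use: storing a 32-byte commitment to the public key instead of the full 16 KB key. Real XMSS or SPHINCS+ deployments build Merkle trees over many such one-time keys so that a key can sign more than once; this example stops at the one-time scheme and instead shows why reuse is fatal.

```python
import hashlib
import secrets

BITS = 256                      # bits of the message digest that get signed
HASH = hashlib.sha256           # assumption: any preimage-resistant hash works; SHA-256 here


def lamport_keygen():
    """Private key: 256 pairs of 32-byte random secrets. Public key: the hash of each secret."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def pk_commitment(pk):
    """32-byte value a contract wallet could store in place of the 16 KB public key."""
    return HASH(b"".join(h0 + h1 for h0, h1 in pk)).digest()


def _digest_bits(message):
    bits = int.from_bytes(HASH(message).digest(), "big")
    return [(bits >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(sk, message):
    """Reveal one secret from each pair, chosen by the corresponding digest bit."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message, sig):
    """Hash each revealed secret; it must equal the public-key half the digest bit selects."""
    if len(sig) != BITS:
        return False
    return all(HASH(sig[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_digest_bits(message)))


def lamport_verify_committed(commitment, pk, message, sig):
    """On-chain style check: the caller supplies pk as calldata, the contract holds only the commitment."""
    return pk_commitment(pk) == commitment and lamport_verify(pk, message, sig)


def exposed_pairs(sk, sigs):
    """Positions where BOTH secrets are now public. One signature exposes none; each further
    signature with the same key exposes about half of the remaining pairs (hence ONE-time)."""
    revealed = {secret for sig in sigs for secret in sig}
    return sum(1 for a, b in sk if a in revealed and b in revealed)


def forge(pk, sigs, message):
    """Attacker's view: using only past signatures, assemble a signature for a new message
    out of already-revealed secrets. Returns None while any needed secret is still unknown."""
    known = {HASH(secret).digest(): secret for sig in sigs for secret in sig}
    out = []
    for i, bit in enumerate(_digest_bits(message)):
        secret = known.get(pk[i][bit])
        if secret is None:
            return None
        out.append(secret)
    return out


def sizes():
    """Size trade-off against secp256k1 ECDSA as used on Ethereum (64-byte key, 64-byte signature)."""
    return {
        "lamport_pubkey_bytes": BITS * 2 * 32,     # 16384
        "lamport_sig_bytes": BITS * 32,            # 8192
        "lamport_commitment_bytes": 32,
        "ecdsa_pubkey_bytes": 64,
        "ecdsa_sig_bytes": 64,
    }
```

The numbers from `sizes()` are the reason hash-based wallets on Ethereum care about calldata and verification gas: a single signature is 128 times the size of an ECDSA one, and a public key is 256 times larger, which is why the contract keeps only `pk_commitment(pk)` and the signer ships the key with each transaction. `forge` shows the other cost: after a few dozen signatures from one key, an attacker who has only watched the chain can sign anything, so a production scheme must never reuse a leaf key.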

In terms of social and governance aspects, Buterin's quantum emergency fork proposal reminds us of how much coordination any real response would require. Even with perfect cryptographic technology, rolling back blocks, freezing traditional accounts, or enforcing large-scale key migrations would be politically and operationally contentious. This is also part of why he and other researchers advocate for:

Building automatic migration triggers or "quantum canary" mechanisms that activate once a smaller, deliberately vulnerable test asset is demonstrably broken.

Viewing post-quantum migration as a gradual adoption process that users can engage in long before any credible attack, rather than a last-minute rush.

For individuals and institutions, the near-term checklist is simpler:

Prioritize wallets and custody setups that can upgrade their cryptographic technology without forcing migration to entirely new addresses.

Avoid unnecessary address reuse to limit the number of exposed public keys on-chain. On Ethereum's account model reuse is the default, so in practice this means keeping long-term holdings behind keys that sign as rarely as possible, and remembering that every signature from a key, on-chain or off, exposes its public key.

Track Ethereum's eventual post-quantum signature choices and be prepared to migrate when robust tools are available.

Quantum risk should be treated like engineers view floods or earthquakes. The likelihood of it destroying your house this year is low, but the long-term probability is high enough to warrant consideration in the design of foundations.


Original article: “Why Vitalik Believes Quantum Computing Could Break Ethereum's Cryptography Sooner Than Expected”

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and identity to support@aicoin.com and the platform's staff will investigate.
