At the Devconnect conference in Buenos Aires, the co-founder of Ethereum issued an unprecedented warning: elliptic curves securing Bitcoin and Ethereum “are destined to die”. With a 20% chance that quantum computers can break current cryptography before 2030, the crypto industry has less than four years to migrate to quantum-resistant systems.

In Brief
- Vitalik Buterin warns that there is a 20% chance that quantum computers will break current crypto security before 2030.
- Ethereum and Bitcoin rely on ECDSA, which becomes vulnerable once public keys are exposed on-chain.
- Post-quantum cryptography already exists, and the industry needs to start migrating now.
20% probability before 2030: Vitalik’s figures
At the end of 2025, Vitalik Buterin did something unusual for a risk usually discussed in science fiction terms: he gave it numbers. Citing forecasts from the Metaculus platform, he estimated that there is about a 20% chance that quantum computers capable of breaking current cryptography arrive before 2030. The median forecast is closer to 2040.
A few months later at Devconnect in Buenos Aires, Buterin toughened his tone: “Elliptic curves are destined to die,” he said, citing research suggesting that quantum attacks on 256-bit elliptic curves could become achievable before the 2028 US presidential election.
These statements are not intended to create panic, but to mobilize action. As Buterin summarized: “Quantum computers will not break cryptocurrency today. But the industry needs to start adopting post-quantum cryptography well before quantum attacks become practical.”
Why ECDSA is vulnerable to quantum computing
The security of Ethereum (like that of Bitcoin) relies on the ECDSA (Elliptic Curve Digital Signature Algorithm) using the secp256k1 curve. The principle is simple: your private key is a large random number, your public key is a point on the curve derived from this private key, and your address is a hash of this public key.
On typical hardware, deriving the public key from the private key is easy, but the reverse is considered computationally infeasible. This asymmetry makes a 256-bit key virtually impossible to guess.
Quantum computing threatens this asymmetry. Shor's algorithm, proposed in 1994, shows that a sufficiently powerful quantum computer could solve the discrete logarithm problem (and the related factorization problem) in polynomial time, which would compromise the RSA, Diffie-Hellman, and ECDSA schemes.
Buterin highlights a crucial subtlety: if you have never spent from an address, only the hash of your public key is visible onchain (which remains quantum resistant). But once you send a transaction, your public key is revealed – providing a future quantum attacker with the raw materials needed to recover your private key.
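The exposure rule above can be turned into a simple inventory check. The following is an added example, not part of the original article: it scans a constructed sample ledger (the addresses, amounts and the `coinbase` marker are all invented for illustration) and flags addresses that have signed a transaction and still hold funds.

```python
from collections import defaultdict

# Constructed sample ledger: (sender, recipient, amount). "coinbase" marks issuance.
SAMPLE_TXS = [
    ("coinbase", "addr_alice", 50),
    ("coinbase", "addr_bob", 30),
    ("addr_alice", "addr_carol", 20),  # alice signs: her public key is now on-chain
    ("addr_carol", "addr_dave", 20),   # carol signs and empties her address
    ("addr_bob", "addr_erin", 30),     # bob signs and empties his address
    ("addr_dave", "addr_bob", 5),      # bob's already-exposed address is reused
]

def audit_exposure(txs):
    """Return {address: (balance, status)} for every address seen in the ledger."""
    balance = defaultdict(int)
    signed = set()  # addresses that have sent a transaction (public key revealed)
    for sender, recipient, amount in txs:
        if sender != "coinbase":
            balance[sender] -= amount
            signed.add(sender)
        balance[recipient] += amount
    report = {}
    for addr, bal in balance.items():
        if addr in signed and bal > 0:
            status = "exposed-funded"   # public key visible and funds still at stake
        elif addr in signed:
            status = "exposed-empty"    # public key visible, nothing left to take
        else:
            status = "hash-only"        # only the hash of the public key is visible
        report[addr] = (bal, status)
    return report

def at_risk_total(report):
    """Sum of balances held by addresses whose public key is already on-chain."""
    return sum(bal for bal, status in report.values() if status == "exposed-funded")

if __name__ == "__main__":
    result = audit_exposure(SAMPLE_TXS)
    for addr, (bal, status) in sorted(result.items()):
        print(f"{addr:12} {bal:4} {status}")
    print("at risk:", at_risk_total(result))
```

The reused address `addr_bob` shows why address reuse matters: funds received after the first spend sit behind a public key that is already visible.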
Google Willow: a signal of acceleration
Buterin's warnings come as technological progress accelerates. In December 2024, Google revealed Willow, its quantum processor with 105 superconducting qubits. The chip completed a calculation in less than five minutes that would take today's supercomputers about 10 septillion (10²⁵) years.
Even more significant: Willow demonstrated quantum error correction “under the threshold”, where increasing the number of qubits reduces the error rate instead of increasing it. This is a major breakthrough that has been sought for nearly 30 years.
However, Hartmut Neven, director of Google Quantum AI, clarified that “the Willow chip is not capable of breaking modern cryptography.” He estimates that breaking RSA would require millions of physical qubits and is at least 10 years away.
Academic analyses converge: breaking 256-bit elliptic curve cryptography in less than an hour would require tens to hundreds of millions of physical qubits, well beyond current capabilities. But IBM and Google's roadmaps aim for fault-tolerant quantum computers by 2029-2030.
Ethereum's Quantum Contingency Plan
Well before these public statements, Buterin had published a post in 2024 on Ethereum Research entitled “How to hard fork to save most user funds in case of quantum emergency”. This plan describes what Ethereum could do if a quantum breakthrough catches the ecosystem off guard:
- Detect the attack and roll back: Ethereum would roll the chain back to the last block before large-scale quantum theft became visible.
- Disable legacy EOA transactions: traditional externally owned accounts (EOAs) using ECDSA would be frozen, cutting off further theft via exposed public keys.
- Switch to smart contract wallets: a new type of transaction would allow users to prove (via a STARK zero-knowledge proof) that they control the original seed, then migrate to a quantum-resistant smart contract wallet.
This plan remains a recovery tool of last resort. Buterin's argument is that the necessary infrastructure – account abstraction, robust ZK systems, standardized post-quantum signature schemes – can and must be built now.
Post-quantum cryptography: existing solutions
The good news: the solutions already exist. In 2024, NIST (National Institute of Standards and Technology) finalized its first three post-quantum cryptography (PQC) standards: ML-KEM for key encapsulation, ML-DSA and SLH-DSA for signatures.
These algorithms, based on lattices or hash functions, are designed to resist attacks by Shor's algorithm. A 2024 NIST/White House report estimates the cost of migrating US federal systems to PQC between 2025 and 2035 at $7.1 billion.
On the blockchain side, several projects are working on this transition. Naoris Protocol develops a decentralized cybersecurity infrastructure natively integrating post-quantum algorithms compliant with NIST standards. In September 2025, the protocol was cited in a submission to the US SEC as a reference model for quantum-resistant blockchain infrastructure.
Naoris' approach relies on a mechanism called dPoSec (Decentralized Proof of Security): each device on the network becomes a validator node that checks the security status of others in real time. Combined with post-quantum cryptography, this decentralized mesh eliminates the single points of failure of traditional architectures.
What needs to change in Ethereum
Several avenues are already converging at the protocol and wallet level. Account Abstraction (ERC-4337) allows EOA users to be migrated to scalable smart contract wallets, facilitating the replacement of signature schemes without emergency hard forks. Some projects are already demonstrating quantum-resistant wallets based on schemes such as Lamport or XMSS on Ethereum.
But elliptic curves aren't just used for user keys. BLS signatures, KZG commitments, and certain rollup proof systems also rely on the difficulty of the discrete logarithm. A serious roadmap towards quantum resistance must provide alternatives for all of these components.
According to data published by Naoris Protocol, its testnet, launched in January 2025, has processed more than 100 million secure post-quantum transactions and has mitigated over 600 million threats in real time. The mainnet is planned for the first quarter of 2026, offering a “Sub-Zero Layer” infrastructure capable of operating under existing blockchains.
Dissenting voices: Back and Szabo call for caution
Not all experts share Buterin's urgency. Adam Back, CEO of Blockstream and pioneer of Bitcoin, believes that the quantum threat is “decades away” and recommends “constant research rather than rushed or disruptive protocol changes.” His fear is that panic-driven updates will introduce bugs more dangerous than the quantum threat itself.
Nick Szabo, cryptographer and pioneer of smart contracts, considers quantum risk as “possibly inevitable” but places more importance on current legal, social and governance threats. He uses the metaphor of a “fly trapped in amber”: the more blocks accumulate around a transaction, the more difficult it is to dislodge it, even against powerful adversaries.
These positions are not incompatible with those of Buterin: they reflect different time horizons. The emerging consensus seems to be that migration must start now, even if the attack is not imminent, precisely because the transition of a decentralized network takes years.
What Crypto Holders Should Remember
For traders, the message is clear: continue normal operations while staying informed of protocol updates. For long-term holders, the priority is to ensure that their chosen platforms and protocols are actively preparing for a post-quantum future.
Some best practices to reduce exposure: prefer wallets and custody solutions that can update their cryptography without forcing a change of addresses, avoid address reuse (fewer public keys exposed onchain), and follow Ethereum's post-quantum signature choices to migrate once robust tools become available.
The 20% probability by 2030 also means that there is an 80% chance that quantum computers do not threaten crypto in this time frame. But in a $3 trillion market, even a 20% risk of catastrophic security failure deserves serious attention.
As Buterin summarizes: quantum risk must be treated the way engineers think about earthquakes or floods. It is unlikely to destroy your house this year, but likely enough over the long term to justify designing the foundation accordingly.
No. Current quantum computers (like Google's 105-qubit Willow) fall far short of the millions of qubits needed to threaten modern cryptography.
A quantum algorithm proposed in 1994 capable of solving the discrete logarithm problem in polynomial time, which would compromise current cryptographic schemes like ECDSA.
Encryption and signature algorithms designed to resist attacks from quantum computers. NIST standardized the first (ML-KEM, ML-DSA, SLH-DSA) in 2024.
Not today. But as soon as a sufficiently powerful quantum computer exists, any address that has already revealed its public key (via a transaction) would theoretically be vulnerable.
