Each could be tackled step by step, he said, with dedicated solutions at each layer of the protocol. “One important thing upstream of this is choosing the hash function,” Buterin wrote. “This may be ‘Ethereum’s last hash function,’ so it’s important to choose wisely.”
The post comes as the Ethereum Foundation elevated post-quantum security to a top priority.
At the consensus layer, Buterin proposed replacing BLS signatures—the cryptographic proofs validators use to approve blocks—with hash-based alternatives, which researchers view as more resistant to quantum attacks. He also suggested using STARKs, a type of zero-knowledge proof, to compress many validator signatures into a single attestation.
For data availability, Buterin said there would be tradeoffs. Ethereum relies on KZG commitments to verify that block data is properly structured and available. STARKs could perform the same function, but they lack a mathematical property called linearity that enables two-dimensional data availability sampling.
“This is okay, but the logistics of this get harder if you want to support distributed blob selection,” Buterin wrote.
User accounts and proof systems face steep cost increases under quantum-resistant cryptography. Verifying today’s ECDSA signature costs about 3,000 gas, while a hash-based quantum-resistant signature would cost roughly 200,000 gas.
The difference is larger for proofs: a ZK-SNARK costs 300,000 to 500,000 gas to verify, compared with about 10 million gas for a quantum-resistant STARK—an expense too high for most privacy and layer-2 applications.
“The solution again is protocol-layer recursive signature and proof aggregation,” Buterin said, pointing to the Ethereum Improvement Proposal 8141.
Buterin said the proving step could occur at the mempool layer rather than during block production, with nodes propagating valid transactions every 500 milliseconds alongside a proof of validity.
“It’s manageable, but there’s a lot of engineering work to do,” he said.
