Dr. Sarah ChenWhy Ethereum Has a Clearer Post-Quantum Migration Path Than Bitcoin
Ethereum's architecture gives it a structural advantage in post-quantum migration that Bitcoin does not have. Ethereum's account model (as opposed to Bitcoin's UTXO model) and its native programmability mean that signature verification logic can be replaced at the account level without requiring a network-wide consensus change for each new scheme. This is not a solved problem, but it is a more tractable one.
The path runs through account abstraction: the process of turning every Ethereum account into a smart contract that can define its own signature verification logic. By 2026, this migration pathway is partially deployed and actively developed, with several EIPs (Ethereum Improvement Proposals) specifically targeting post-quantum signature integration.
Understanding what is deployed, what is proposed, and what remains speculative is important for ETH holders assessing their timeline relative to Bitcoin holders. The comparison with Ethereum's quantum vulnerability sets the baseline for why migration is needed.
Account Abstraction as the Migration Mechanism
Ethereum currently uses two account types: externally owned accounts (EOAs), controlled by secp256k1 private keys, and contract accounts, controlled by code. All EOAs use the same signature scheme: ECDSA over secp256k1, verified by the ecrecover precompile. There is no protocol-level mechanism for an EOA to use a different signature algorithm.
ERC-4337 (deployed on mainnet in March 2023) introduced account abstraction without protocol changes, using a system of UserOperations and a bundler infrastructure. ERC-4337 wallets are smart contracts that define their own validation logic. A post-quantum signature scheme can be implemented in a validation contract today, for ERC-4337 wallets specifically.
EIP-7702 (included in the Pectra upgrade, deployed in May 2025) extends this further by allowing EOAs to temporarily delegate to a smart contract for a transaction. This enables any existing EOA to behave like a smart contract wallet for specific transactions, including transactions that use custom signature validation.
EIP-7701 (proposed, not yet scheduled) would make account abstraction native at the protocol level, eliminating the distinction between EOAs and contract accounts entirely. Under EIP-7701, every account would have programmable validation logic, making post-quantum signature schemes a standard option selectable per account.
EIP-5106 and ERC-7777: Quantum-Safe Account Recovery
EIP-5106 proposes a standardized recovery mechanism for Ethereum accounts using quantum-resistant keys as backup signers. The design allows an account to pre-register a post-quantum public key (ML-DSA or SLH-DSA) as a recovery credential. If the primary secp256k1 key is compromised (including by quantum attack), the account can be recovered using the post-quantum backup key.
ERC-7777 is a complementary standard for wallet-level post-quantum recovery UX. It specifies how wallets should present quantum recovery options to users and how recovery credentials should be stored and verified. Both proposals remain in draft status as of mid-2026, with active discussion in the Ethereum Magicians forum.
The practical implication of these proposals, if finalized and adopted: Ethereum users could pre-register post-quantum backup keys before any quantum threat is imminent, then use those keys to recover accounts if secp256k1 security is broken. This provides a migration path that does not require users to move all their funds proactively before the threat materializes.
EVM Precompiles for Post-Quantum Signature Verification
Ethereum's EVM includes precompiles: hardcoded contracts at specific addresses that provide efficient implementation of cryptographic primitives. The current ecrecover precompile (address 0x01) verifies secp256k1 ECDSA signatures. Adding post-quantum verification requires new precompiles.
Several EIPs propose precompiles for NIST's standardized post-quantum schemes. A draft EIP for ML-DSA verification proposes adding a precompile that takes a public key, message, and signature as inputs and returns a success flag, analogous to ecrecover. A similar proposal exists for SLH-DSA.
Without precompiles, post-quantum signature verification in EVM contracts is prohibitively expensive. ML-DSA verification implemented in Solidity using existing EVM opcodes would cost approximately 40 to 100 million gas per verification, compared to roughly 3,000 gas for ecrecover. This makes on-chain post-quantum verification economically infeasible without precompile support.
With dedicated precompiles, the gas cost for ML-DSA verification would drop to approximately 50,000 to 200,000 gas per verification, based on comparable precompile implementations. This is 15 to 60 times more expensive than ecrecover but within the range of practical use for high-value transactions and recovery operations.
As of mid-2026, no post-quantum precompile has been included in a scheduled Ethereum hardfork. The proposals are under active review, with inclusion in a future upgrade dependent on finalized specifications and security audits.
The Challenge of Migrating 230 Million Ethereum Addresses
Ethereum has approximately 230 million unique addresses with non-zero ETH or token balances. The vast majority are EOAs using secp256k1 keys. Migrating all of them to post-quantum signature schemes requires either user action (each user moves their funds or upgrades their account) or a protocol-level mechanism that converts all EOAs automatically.
Automatic conversion is not feasible without knowing each account's public key. Unlike Bitcoin P2PK outputs, Ethereum EOA addresses are derived from the keccak-256 hash of the public key. The public key is only revealed when the account sends a transaction. Approximately 30 to 40 million Ethereum addresses have never sent a transaction and have no on-chain public key.
For addresses that have sent at least one transaction, the public key is recoverable from the signature on that transaction. These addresses are quantum-vulnerable in the same way as spent Bitcoin P2PKH addresses: their public keys are on-chain and accessible to an attacker with sufficient quantum capability.
For never-sent addresses, the secp256k1 public key is protected by its keccak-256 hash, similar to Bitcoin P2PKH. These addresses carry only the transaction-broadcast-window quantum risk, not the at-rest risk.
This creates a migration challenge similar to Bitcoin's post-quantum migration problem: users with active addresses need to take action, and users who have lost access to their keys cannot migrate at all. But Ethereum's account abstraction infrastructure provides more migration options than Bitcoin's UTXO model currently offers.
Gas Cost Overhead: Post-Quantum vs ecrecover
The transaction cost implications of post-quantum signatures are significant. A standard Ethereum transfer currently costs 21,000 gas. The ecrecover call for signature verification costs approximately 3,000 gas of that total.
Replacing ecrecover with ML-DSA verification (assuming a future precompile costs 100,000 gas) would increase the verification cost by roughly 32x. For simple transfers, this adds $0.15 to $1.50 in fees at typical gas prices. For complex DeFi operations already costing $5 to $50, the percentage overhead is smaller but still meaningful.
SLH-DSA signatures are larger (8,080 bytes minimum for the fast parameter set) and verification is slower, suggesting precompile costs would be higher than ML-DSA. The compact parameter sets for SLH-DSA use smaller signatures but are slower to verify, creating a different cost tradeoff.
Ethereum researchers have discussed the possibility of a gas schedule reform that adjusts base costs downward to offset post-quantum overhead, but no specific proposal has been finalized. The DeFi-specific implications of post-quantum migration on Ethereum cover how protocol costs affect liquidity and composability in practice.
Timeline Estimates and What ETH Holders Should Do Now
Ethereum Foundation researchers have discussed post-quantum migration as a "Endgame" phase priority, following the completion of the Merge, the Surge (scaling), the Scourge (MEV mitigation), and the Verge (Verkle trees). No specific block number or year target for full post-quantum migration has been announced.
Vitalik Buterin has written that account abstraction provides sufficient flexibility to handle post-quantum migration when it becomes necessary, and that the timeline should be driven by quantum hardware progress rather than fixed schedules. Current estimates from Ethereum Foundation researchers suggest 2030 to 2035 as the plausible window for needing active migration, with the caveat that hardware timelines are uncertain.
For ETH holders with addresses that have sent transactions, the quantum risk profile is similar to Bitcoin P2PKH addresses that have been spent from: public key on-chain, vulnerable once a sufficient quantum computer exists. For addresses that have never sent, the protection is the keccak-256 hash, which holds as long as no quantum algorithm efficiently inverts it (currently considered safe, unlike elliptic curve cryptography).
The practical near-term action for ETH holders is to watch EIP-7702 adoption by major wallets and to consider moving to ERC-4337 smart wallet infrastructure now. These wallets can integrate post-quantum signature support as soon as precompiles are available, without requiring another migration step at that point.
