Ethereum’s massive fee shock: New post-quantum signatures are 40x larger, threatening to crush network throughput and user costs
Ethereum elevated post-quantum cryptography to a prime strategic precedence this month, forming a devoted PQ staff led by Thomas Coratger and asserting $1 million in prizes to harden hash-based primitives.
The announcement got here someday earlier than a16z crypto revealed a roadmap arguing that quantum threats are incessantly overstated and untimely migrations threat buying and selling identified safety for speculative safety.
Both positions are defensible, and the obvious rigidity reveals the place the true battle lies.
The Ethereum Foundation’s announcement frames PQ security as an inflection point. Multi-client consensus devnets are stay, bi-weekly All Core Devs calls begin subsequent month to coordinate precompiles and account abstraction paths, and a complete roadmap guarantees “zero lack of funds and zero downtime” throughout a multi-year transition.
Coinbase launched an impartial quantum advisory board on Jan. 21, together with Ethereum researcher Justin Drake, signaling cross-industry alignment round long-horizon planning.
Solana ran PQ signature experiments on testnet in December under Project Eleven, explicitly branding the work as “proactive” reasonably than emergency-driven.
Polkadot’s JAM proposal outlines ML-DSA and Falcon deployment alongside SNARK-based migration proofs.
Bitcoin’s conservative BIP-360 proposal for pay-to-quantum-resistant-hash represents an incremental first step constrained by governance realities.
The sample resembles an arms race, however not one pushed by an imminent menace.
This is a contest in institutional readiness, the place the winner preserves fee economics, consensus effectivity, and pockets UX whereas upgrading cryptographic foundations earlier than exterior strain forces rushed coordination.
The harvest paradox
a16z’s core argument hinges on distinguishing harvest-now-decrypt-later threat from signature vulnerability. HNDL assaults matter when adversaries can intercept encrypted knowledge at the moment and decrypt it as soon as quantum computer systems obtain enough scale.
That menace maps cleanly to TLS, VPNs, and data-at-rest encryption. Less so to blockchain signatures, which authenticate transactions in actual time and go away no encrypted payload to retailer for future cracking.
Ethereum’s response implicitly accepts this framing however argues operational urgency stays high as a result of altering signature schemes touches every part: wallets, account codecs, {hardware} signers, custody infrastructure, mempools, fee markets, consensus messages, and L2 settlement proofs.
Migration requires years of lead time, not as a result of quantum computer systems are imminent, however as a result of the engineering floor is huge and failure modes are catastrophic.
NIST finalized its first post-quantum standards in 2024, FIPS 203, 204, and 205, and chosen HQC as a backup key encapsulation mechanism whereas advancing Falcon and FN-DSA towards draft levels.
The EU issued a coordinated PQC transition roadmap in June 2025. These developments scale back “which algorithms?” uncertainty and make migration planning concrete, even when cryptographically related quantum computing stays distant.
Citi’s January 2026 report cites probability ranges for widespread breaking of public key encryption by 2034 and 2044, although many specialists view CRQC within the 2020s as extremely unlikely.
The timeline ambiguity would not get rid of the planning crucial: it amplifies it, as a result of chains that wait till menace indicators are unambiguous will face compressed timelines and coordination chaos.
Signature bloat because the base-layer bottleneck
The instant technical problem is signature dimension.
ECDSA signatures consume roughly 65 bytes, which interprets to roughly 1,040 fuel below Ethereum’s calldata pricing mannequin at 16 fuel per non-zero byte.
ML-DSA candidates produce signatures within the 2-3 KB vary, with Dilithium variants probably to see vast adoption. A 2,420-byte signature consumes roughly 38,720 fuel only for the signature bytes, a 37,680-gas delta versus ECDSA.
That overhead is materials sufficient to have an effect on throughput and charges until chains compress or combination signatures on the protocol stage.
This is the place Ethereum’s guess on hash-based cryptography and the $1 million Poseidon Prize turns into strategic. Hash-based signatures keep away from the algebraic construction that quantum algorithms exploit, and hash features combine naturally with zero-knowledge proof programs.
If Ethereum could make STARK-based signature aggregation sensible, it preserves fee economics whereas upgrading safety assumptions. The problem is that no sensible post-quantum analogue to BLS aggregation exists but, and zk-based aggregation introduce actual efficiency constraints.
Consensus effectivity is determined by this drawback.
Ethereum’s consensus layer depends closely on BLS signature aggregation at the moment. Validators signal attestations and sync committee messages, and the protocol aggregates hundreds of signatures into compact proofs.
Losing that functionality and not using a alternative would power dramatic adjustments to consensus participation economics or liveness assumptions.
EF’s public emphasis on “lean” cryptographic foundations and interop calls coordinating multi-client PQ devnets suggests the group understands aggregation is the hidden cliff.
| Signature scheme | Signature dimension (bytes) | Calldata fuel @ 16 fuel / non-zero byte | Delta vs ECDSA (fuel) | Implication |
|---|---|---|---|---|
| ECDSA (secp256k1, r||s||v) | 65 | 1,040 | 0 | Baseline at the moment |
| ML-DSA-44 | 2,420 | 38,720 | +37,680 | Fee + throughput shock |
| ML-DSA-65 | 3,309 | 52,944 | +51,904 | Aggregation turns into necessary |
| ML-DSA-87 | 4,627 | 74,032 | +72,992 | L1 scaling strain spikes |
Wallet UX because the social layer of cryptography
Protocol assist alone would not full the migration.
Externally owned accounts cannot rotate keys cleanly below Ethereum’s present design. Users want one-click migration flows that do not require deep technical information. Hardware wallets should ship firmware updates. Custodians want a protected bulk migration tooling.
Ethereum researchers have explored key-recovery-friendly proof systems and seed-based migration approaches exactly to scale back coordination threat and UX friction.
a16z warns that untimely migration introduces fragility, together with immature implementations, shifting requirements after deployment, and bugs in new cryptographic libraries.
The group argues that present safety points, reminiscent of governance failures and software program bugs, pose a larger instant threat than quantum computer systems.
This is the crux of the “do not panic” framing: migrating too early trades identified safety for speculative safety, and the price of getting it fallacious is doubtlessly increased than the price of ready for requirements maturity and higher tooling.
Both positions are defensible as a result of they optimize for various failure modes. EF prioritizes avoiding rushed coordination below strain.
a16z prioritizes avoiding self-inflicted wounds from hasty deployment. The divergence reveals the true battleground: chains that thread the needle, constructing migration infrastructure early with out prematurely forcing customers onto immature requirements, will acquire a aggressive benefit.
Three eventualities, completely different winners
The migration timeline is determined by exterior breakthroughs that nobody controls.
In a slow-burn situation the place CRQC would not arrive till the 2040s, migration happens on a regulatory and requirements cadence, prioritizing security over velocity. Chains that invested in crypto agility, with dual-signature durations, hybrid schemes, break-glass playbooks, can adapt with out disruption.
In the bottom case the place materials quantum threats emerge within the mid-2030s, at the moment’s work determines outcomes. If the ecosystem needs clean transitions by 2035, pockets tooling and aggregation analysis have to be production-ready years earlier.
This is the situation EF’s roadmap optimizes for, and the one the place multi-year lead occasions justify present funding.
In a fast-shock situation the place breakthroughs sign credible threat earlier than 2030, the differentiator turns into how rapidly a sequence can freeze publicity, migrate accounts, and preserve liveness. a16z argues this end result is unlikely, however the group’s emphasis on planning suggests even low-probability tail dangers justify preparation.
Triggers to watch embrace credible demonstrations of error-corrected scaling, logical qubit stability, and sustained gate fidelities. NIST or main governments advancing migration deadlines, and main custodians delivery PQ-capable signing in manufacturing.
None are imminent, however all would compress choice timelines.
| Battleground layer | Why it issues | What EF’s push indicators | a16z “don’t panic” counterpoint | KPI to watch |
|---|---|---|---|---|
| Planning & crypto agility | Migration is a multi-year program; the failure mode is rushed coordination below strain | Dedicated PQ staff + governance cadence (PQ ACD) = treating migration as a protocol program, not a analysis thread | Premature shifts can improve threat (immature libs, shifting requirements, new bugs) | Existence of a revealed chain roadmap + clear “break-glass” plan + staged rollout milestones |
| Wallet UX & account migration | Users gained’t migrate until it’s near-frictionless; EOAs are the lengthy tail | Emphasis on account abstraction paths + “zero downtime / zero loss” messaging = UX is central | Avoid forcing customers onto new schemes too early; UX failures turn out to be self-inflicted losses | % of wallets/custodians supporting dual-sign / key rotation flows; time-to-migrate for non-technical customers |
| Aggregation & fee economics | PQ sigs could be giant; with out aggregation you lose throughput and increase charges | LeanVM + hash/zk foundations + devnets suggest the guess is protocol-level compression | Even “appropriate” PQ could be unusable if it breaks economics; don’t commerce usability for theoretical security | Demonstrated signature aggregation efficiency (proof dimension/verification time) and ensuing price per tx/attestation |
| Consensus effectivity & validator overhead | Ethereum’s consensus depends on aggregation at the moment; shedding it threatens liveness/economics | Multi-client PQ consensus devnets + interop calls = treating consensus because the onerous half, not simply wallets | New consensus crypto is high-risk engineering; conservative rollout beats rushed redesign | Measured bandwidth/CPU overhead per validator vs at the moment; attestation inclusion charges below load |
| Interop & requirements maturity | Standards scale back “which algorithm?” uncertainty; ecosystems converge on safer selections | Prizes + workshops + exterior alignment (advisory boards) = ecosystem coordination | Wait for requirements/implementations to mature earlier than forcing mass migration | NIST/EU milestone alignment; delivery PQ assist in main libraries/HW wallets with out important CVEs |
The new standing sport
Post-quantum readiness is changing into an institutional credibility metric, following the identical path L2 maturity took in earlier cycles.
Chains with out credible PQ roadmaps threat being perceived as unprepared for long-term settlement assurance, even when the instant menace is distant.
This dynamic explains why Solana, Polkadot, and Bitcoin all have energetic PQ workstreams regardless of the absence of imminent Q-day consensus.
The arms race is not about who flips PQ first. Instead, it is about who preserves UX, fee economics, and consensus effectivity whereas doing it.
Ethereum’s method bets on hash-based foundations, zk aggregation, and governance coordination.
Solana’s high-throughput structure makes signature overhead significantly acute, forcing design innovation.
Polkadot’s heterogeneous sharding mannequin permits per-chain experimentation.
Bitcoin’s conservatism displays governance constraints and an extended tail of legacy outputs that may’t be migrated with out proprietor cooperation.
If PQ turns into the subsequent L1 arms race, the winner will not be the chain that says essentially the most prizes or devnets. It would be the chain that ships a migration path regular customers really full, preserves throughput regardless of multi-KB signature candidates, and replaces at the moment’s aggregation assumptions with out sacrificing liveness.
The planning layer, pockets UX layer, and aggregation layer are now the true battleground, and the clock began years earlier than most contributors realized the race had begun.
The publish Ethereum’s massive fee shock: New post-quantum signatures are 40x larger, threatening to crush network throughput and user costs appeared first on CryptoSlate.
