Why is ECDSA so vulnerable to quantum computers?
ECDSA's security comes from the computational hardness of the Elliptic Curve Discrete Logarithm Problem: deriving a private key from a public key would take longer than the age of the universe on classical hardware. Shor's algorithm changes that premise — it can solve this class of discrete logarithm problem efficiently on a quantum computer. In theory, once a large enough and stable enough quantum computer exists, any account whose public key is on-chain could have its private key derived, and its funds stolen. This is exactly why 'spent addresses' (public key already on-chain) are more dangerous than addresses that only expose a hash.
What's the core breakthrough of SPHINCS-minus, and where does the $0.07 come from?
The single most important move is substituting Keccak256 — natively cheap in the EVM — for the SHAKE256 hash function in the SPHINCS+ standard. This lets post-quantum signature verification run entirely on-chain without any new low-level support or network upgrade. According to the paper's parameter benchmarks, the optimized SPHINCS-minus variant (SLH-DSA-Keccak-128-24) costs about 94,000 gas to verify on-chain; another variant optimized for laptop-side signing (C13) runs about 127,000 gas — approximately $0.07 at current gas prices. That figure will fluctuate with ETH price and network congestion, but the order of magnitude is firmly in 'near-free' territory.
How far are quantum computers from actually cracking an Ethereum account?
Still very far — but closing faster than expected. The April 15-bit break is 2^241 times easier than the 256-bit problem Ethereum uses; no known quantum hardware even approaches that. Google estimated a full break would need under 500,000 physical qubits, with optimistic research putting it as low as 10,000 in a neutral-atom architecture. Today's best machines have thousands to tens of thousands of qubits with error rates and stability far below what's needed. Mainstream estimates put a meaningful threat no earlier than the early 2030s. But because migration takes years, 'the best time to start is now' is the industry consensus. More importantly, theoretical resource estimates dropped sharply within months — which is precisely why Consigny frames SPHINCS-minus as a 'bridge' rather than the long-term answer.
Does Bitcoin have similar plans, and how is the broader crypto community viewing the threat?
Bitcoin has BIP-360, a proposal to introduce post-quantum address formats, but discussion is slower and more contentious — partly because Bitcoin culture is extremely conservative about protocol changes. Developer Adam Back has noted that a post-quantum migration could inadvertently reveal the location of Satoshi's holdings, since early address formats differ and may have exposed public keys. Tron, StarkWare, Ripple, and others also have their own post-quantum migration efforts. Ethereum is more agile: its upgrade roadmap, including account abstraction, can facilitate post-quantum migration, and proposals like SPHINCS-minus allow interim deployment before a formal protocol-layer solution. The broader shift is industry-wide — from 'quantum threat is a distant hypothesis' to 'seriously planning migration timelines.' The $0.07 figure signals not just a cost, but a shift in urgency.
The crypto community recently got rattled by a number: seven cents. That's what Ethereum Foundation researcher Nicolas Consigny claims it would cost to upgrade a single Ethereum account to resist quantum attacks — without touching the protocol, without waiting for a hard fork. The proposal comes from a technical paper he published on ethresear.ch on June 12, 2026, and it's tied to a threat that's accelerating: quantum computers will eventually break ECDSA, the elliptic-curve digital signature algorithm that currently protects Ethereum (and Bitcoin) accounts.
Every Ethereum wallet and every transaction relies on ECDSA to prove "I own this account." That algorithm's security rests on the premise that deriving a private key from a public key is computationally infeasible — on classical computers, it genuinely is. But for a quantum computer running Shor's algorithm, this problem becomes solvable, which would instantly invalidate ECDSA. In April 2026, independent researcher Giancarlo Lelli broke a 15-bit elliptic curve key on publicly accessible quantum hardware, winning Project Eleven's 1 BTC Q-Day Prize — the largest public quantum attack demonstration on record.
The distance between 15 bits and the 256-bit security Ethereum uses represents roughly 2 to the power of 241 in computational difficulty; today's quantum hardware is nowhere near there. But the trajectory is alarming: from a 6-bit break in September 2025 to a 15-bit break in April 2026 is a 512-fold jump in six months. Google's April 2026 whitepaper estimated that a full 256-bit break might require fewer than 500,000 physical qubits; a separate Caltech/Oratomic paper put the figure as low as 10,000 under a neutral-atom architecture.
Consigny leads the Ethereum Foundation's Kohaku project. In his paper he introduces "SPHINCS-" (pronounced Sphincs Minus) — a derivative of SPHINCS+, the hash-based post-quantum signature scheme NIST standardized as SLH-DSA. The key move is swapping the standard's SHAKE256 hash function for Keccak256, which is natively cheap in the EVM, allowing the verifier to run entirely on-chain with no new precompile, no protocol change, and no hard fork required. With the optimized parameter set, on-chain verification costs roughly 94,000 to 127,000 gas — approximately $0.07 at current gas prices. Consigny describes SPHINCS-minus as a bridge toward a future, more complete post-quantum system called "leanSPHINCS," which would layer in ZK aggregation to reduce costs further. The paper received acknowledgements from Vitalik Buterin, Justin Drake, and others, signaling it is part of Ethereum's broader post-quantum roadmap.
On-chain analytics firm Glassnode estimates roughly 1.92 million BTC — nearly 10% of total supply — as "structurally unsafe," with another 4.12 million BTC (about 20.6% of supply) classified as "operationally unsafe." These are addresses whose public keys are already visible on-chain and would be directly vulnerable if a sufficiently capable quantum computer appears. Ethereum faces analogous exposure, since it uses the same elliptic-curve cryptography as Bitcoin.
SPHINCS-minus remains a research proposal; actual deployment is some distance away, and it is non-standard (replacing SHAKE256 with Keccak256 breaks FIPS compliance). But it signals something important: the Ethereum community is seriously exploring how existing accounts could add a layer of quantum protection at near-zero cost while waiting for a formal protocol upgrade. The quantum threat's actual timeline remains contested — pessimists put meaningful risk in the early 2030s, conservatives see a decade or more of runway. Whichever estimate is right, a $0.07 per-account protection cost eliminates the cost barrier almost entirely.
This article is for information only and does not constitute investment or financial advice. Figures cited are estimates at time of publication; quantum computing developments move quickly — follow primary research sources for updates.