Key takeaways
- Buterin sees a nontrivial 20% chance that quantum computers could break current cryptography before 2030, and he argues that Ethereum should begin preparing for that possibility.
- A key risk involves ECDSA. Once a public key is visible onchain, a future quantum computer could, in theory, use it to recover the corresponding private key.
- Buterin’s quantum emergency plan involves rolling back blocks, freezing EOAs and moving funds into quantum-resistant smart contract wallets.
- Mitigation means smart contract wallets, NIST-approved post-quantum signatures and crypto-agile infrastructure that can swap schemes without chaos.
In late 2025, Ethereum co-founder Vitalik Buterin did something unusual. He put numbers on a risk that is usually discussed in sci-fi terms.
Citing forecasting platform Metaculus, Buterin said there is “about a 20% chance” that quantum computers capable of breaking today’s cryptography could arrive before 2030, with the median forecast closer to 2040.
A few months later at Devconnect in Buenos Aires, he warned that elliptic curve cryptography, the backbone of Ethereum and Bitcoin, “could break before the next US presidential election in 2028.” He also urged Ethereum to move onto quantum-resistant foundations within roughly four years.
His position is that there is a nontrivial chance of a cryptographically relevant quantum computer arriving in the 2020s and that, if so, the risk belongs on Ethereum’s research roadmap rather than in a distant-future bucket.
Did you know? As of 2025, Etherscan data shows more than 350 million unique Ethereum addresses, highlighting how widely the network has grown even though only a small share of those addresses hold meaningful balances or remain active.
Why quantum computing is a problem for Ethereum’s cryptography
Most of Ethereum’s security rests on the elliptic curve discrete logarithm problem (ECDLP), which is the basis for the elliptic curve digital signature algorithm (ECDSA). Ethereum uses the secp256k1 elliptic curve for these signatures. In simple terms:
- Your private key is a large random number.
- Your public key is a point on the curve derived from that private key.
- Your address is a hash of that public key.
On classical hardware, going from private key to public key is easy, but going backwards is believed to be computationally infeasible. That asymmetry is why a 256-bit key is treated as effectively unguessable.
Quantum computing threatens that asymmetry. Shor’s algorithm, proposed in 1994, shows that a sufficiently powerful quantum computer could solve the discrete logarithm problem and the related integer factorization problem in polynomial time, which would undermine schemes like Rivest-Shamir-Adleman (RSA), Diffie-Hellman and ECDSA.
The Internet Engineering Task Force and the National Institute of Standards and Technology (NIST) both recognize that classical elliptic curve systems would be vulnerable in the presence of a cryptographically relevant quantum computer (CRQC).
Buterin’s Ethereum Research post on a potential quantum emergency highlights a key subtlety for Ethereum. If you have never spent from an address, only the hash of your public key is visible onchain, and that is still believed to be quantum safe. Once you send a transaction, your public key is revealed, which gives a future quantum attacker the raw material needed to recover your private key and drain the account.
So, the core risk is not that quantum computers break Keccak or Ethereum’s data structures; it is that a future machine could target any address whose public key has ever been exposed, which covers most user wallets and many smart contract treasuries.
What Buterin said and how he frames risk
Buterin’s recent comments have two main pieces.
First is the probability estimate. Instead of guessing himself, he pointed to Metaculus’s forecasts that put the chance of quantum computers capable of breaking today’s public key cryptography at roughly one in five before 2030. The same forecasts place the median scenario around 2040. His argument is that even this kind of tail risk is high enough for Ethereum to prepare in advance.
Second is the 2028 framing. At Devconnect, he reportedly told the audience that “elliptic curves are going to die,” citing research that suggests quantum attacks on 256-bit elliptic curves might become feasible before the 2028 US presidential election. Some coverage compressed this into a headline like “Ethereum has four years,” but his message was more nuanced:
- Current quantum computers cannot attack Ethereum or Bitcoin today.
- Once CRQCs exist, ECDSA and related systems become structurally unsafe.
- Migrating a global network to post-quantum schemes takes years, so waiting for obvious danger is itself risky.
In other words, he is thinking like a safety engineer. You do not evacuate a city because there is a 20% chance of a major earthquake in the next decade, but you do reinforce the bridges while you still have time.
Did…
cointelegraph.com
