Is Ethereum's Quantum Problem Solvable for Less Than a Dime?

Ethereum could add post-quantum account protection for as little as $0.07 using SPHINCS-, a new EVM-native signature scheme that requires no hard fork or protocol change.

Soumen Datta

June 15, 2026

Ethereum quantum protection could cost as little as $0.07 per account, according to a proposal published on June 14, 2026, by Nicolas Consigny, the Ethereum Foundation's Kohaku project lead. The approach adapts SPHINCS+, a post-quantum signature standard approved by the US National Institute of Standards and Technology (NIST), into a leaner variant called SPHINCS- (read: "SPHINCS minus") that runs natively on Ethereum without needing a hard fork or any protocol-level change.

What is a hard fork? A hard fork is when a blockchain network makes a major rule change that requires every user, wallet, and exchange to upgrade at the same time. It is slow, expensive to coordinate, and politically contentious. SPHINCS- avoids all of that.

What Is SPHINCS- and Why Does It Matter?

Ethereum accounts today rely on something called ECDSA, short for Elliptic Curve Digital Signature Algorithm. Think of it as the digital lock that proves you own your wallet and authorized a transaction. Every time you send ETH or interact with a smart contract, ECDSA is what confirms the instruction came from you and not someone else.

That lock is very strong against today's computers. But quantum computers work differently. A sufficiently powerful quantum machine could work backwards from your public key, the address visible to everyone on-chain, and figure out your private key, which is supposed to be secret. Once someone has your private key, they control your funds. The technique that makes this possible is called Shor's algorithm, a mathematical shortcut that quantum computers can run but normal computers cannot.

The SPHINCS- proposal directly targets that problem. Instead of waiting for the entire Ethereum network to upgrade, it lets individual users add quantum-resistant protection to their own accounts right now, through a smart contract, with no network-wide vote or coordination required.

Here is what makes the cost figure realistic:

  • A working version of SPHINCS- built in Solidity (Ethereum's programming language) can check a quantum-safe signature on-chain using roughly 150,000 gas units. Gas is the fee unit Ethereum uses to measure how much computing work a transaction requires.
  • At current gas prices, 150,000 gas translates to approximately $0.07 per check.
  • The system uses Ethereum's built-in KECCAK256 hashing function — the same one Ethereum already uses internally — rather than an external standard. This means no special additions to Ethereum's core code are needed.
  • The math behind the verifier was formally checked using Lean 4 with Verity, a software tool that proves code is mathematically correct, similar to having an auditor verify every line of logic before it goes live.

The original SPHINCS+ standard, now officially called SLH-DSA under NIST's FIPS 205, was built to handle up to 2^64 signatures per key. That is an astronomically large number: 18 quintillion. A blockchain wallet does not come close to needing that many. 

According to Dune Analytics data cited in the paper, even the most active Ethereum users made around 431 transactions per year after the Merge. SPHINCS- is designed specifically for that real-world range, capping the signature budget at between 2^14 (16,384) and 2^20 (about one million) — more than enough for any wallet, and far cheaper to verify on-chain as a result.

How Does Post-Quantum Cryptography Actually Work?

Post-quantum cryptography means building security systems that quantum computers cannot break. Most encryption today, including what protects your Ethereum wallet, relies on math problems that are very hard for normal computers to solve but that quantum computers can crack using algorithms like Shor's.

Hash-based signatures like SPHINCS+ take a different approach. Instead of relying on hard math problems, they rely on hash functions. A hash function is a one-way street: you can easily run data through it to get an output, but you cannot reverse the process to get the original data back. No quantum algorithm currently known can reverse a strong hash function, which is why hash-based signatures are considered reliable for long-term quantum resistance.

SPHINCS+ builds its security by stacking three components on top of each other:

  • Hash chains — imagine a row of locked boxes where each box can only be opened by the key inside the previous one. Revealing the right key proves you started at the beginning of the chain, without exposing everything else.
  • Merkle trees — a structure that lets you bundle thousands of individual keys into a single short fingerprint. You can prove any one key belongs to the bundle without revealing the others.
  • FORS (Forest of Random Subsets) — a signing method that lets a single key handle a limited number of signatures before it needs to be replaced. Think of it as a key that can only open a door a fixed number of times.

These three pieces are stacked into what the paper calls a hypertree, essentially a tree made of smaller trees. When you sign a transaction, the system picks a specific branch of that tree to use, based on a hash of your message. The person checking your signature then climbs back up that branch, verifying each step with hash calculations. Every one of those calculations costs gas on Ethereum, so the entire engineering goal of SPHINCS- is to reduce the number of steps the checker has to take.

After extensive testing, Consigny's team found the settings that keep verification cheap while maintaining solid security. In plain terms:

  • Using 16-byte hash outputs (called n=16) keeps the signature small while still providing 128-bit security — the accepted minimum for strong cryptography.
  • Stacking just two tree layers (d=2) instead of the standard seven means the checker does far less work on-chain.
  • Setting the chain length to 8 steps (w=8) means each individual check is short and fast, even though there are more of them. The team found that short-and-many beats long-and-few when modeling how Ethereum actually charges for computation.
  • Two compression tricks called WOTS+C and FORS+C shift extra work onto the person creating the signature — your wallet, running on your device — so the on-chain checker does less. The signer does more grinding upfront; the network does less computing later.
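The hash-chain and signer-side grinding ideas in the list above, as an added sketch (not code from the proposal or its Solidity verifier). It is a simplified one-time signature in the style of WOTS+C: the signer searches for a counter that makes the message digits sum to a fixed target, so the verifier needs no checksum chains and always performs the same number of hashes. Assumptions: SHA3-256 truncated to 16 bytes stands in for KECCAK256 (Python's `sha3_256` uses different padding from Ethereum's Keccak-256), and the digit count, target sum and all function names are choices made for this example.

```python
import hashlib
from itertools import count

N, W = 16, 8                  # n=16 bytes, 8 values per digit (w=8), as in the text
L = (8 * N + 2) // 3          # 43 base-8 digits cover a 128-bit digest (example choice)
TARGET = L * (W - 1) // 2     # fixed digit sum the signer grinds for (example choice)

def H(*parts):
    # Stand-in hash (assumption): SHA3-256 truncated to N bytes, not KECCAK256.
    return hashlib.sha3_256(b"".join(parts)).digest()[:N]

def chain(x, start, steps, i):
    # Walk chain i forward from position `start`; each step is one hash call.
    for j in range(start, start + steps):
        x = H(bytes([i, j]), x)
    return x

def digits(msg, ctr):
    # Digest of message plus grinding counter, split into L base-W digits.
    v = int.from_bytes(H(b"msg", msg, ctr.to_bytes(4, "big")), "big")
    return [(v >> (3 * k)) & (W - 1) for k in range(L)]

def keygen(seed):
    sk = [H(b"sk", seed, bytes([i])) for i in range(L)]
    pk = H(*[chain(s, 0, W - 1, i) for i, s in enumerate(sk)])  # hash of chain tops
    return sk, pk

def sign(sk, msg):
    # Signer-side grinding: try counters until the digit sum equals TARGET.
    for ctr in count():
        ds = digits(msg, ctr)
        if sum(ds) == TARGET:
            return ctr, [chain(s, 0, d, i) for i, (s, d) in enumerate(zip(sk, ds))]

def verify(pk, msg, sig):
    ctr, nodes = sig
    ds = digits(msg, ctr)
    # With a fixed sum, any other valid digit vector has some digit that is
    # lower, which would require running a chain backwards (inverting H).
    if len(nodes) != L or sum(ds) != TARGET:
        return False, 0
    tops = [chain(x, d, W - 1 - d, i) for i, (x, d) in enumerate(zip(nodes, ds))]
    return H(*tops) == pk, sum(W - 1 - d for d in ds)  # (valid?, chain hashes used)

if __name__ == "__main__":
    sk, pk = keygen(b"\x01" * 32)       # constructed seed, for illustration only
    sig = sign(sk, b"constructed message")
    print("counter:", sig[0], "verify:", verify(pk, b"constructed message", sig))
```

The verifier's chain-hash count is always `L * (W - 1) - TARGET`, whatever the message, which is the property that makes the on-chain cost predictable; a key pair like this must sign only once.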

Is the Quantum Threat to Ethereum Real Right Now?

No quantum computer exists today that can break the cryptography protecting Ethereum wallets. But the pace of progress is real and measurable.

On April 24, 2026, post-quantum startup Project Eleven awarded its Q-Day Prize, a one-Bitcoin bounty, to researcher Giancarlo Lelli for breaking a 15-bit elliptic curve key on a publicly accessible quantum computer. Project Eleven called it the largest public demonstration to date of the type of attack that could one day threaten Bitcoin, Ethereum, and over $2.5 trillion in assets secured by elliptic-curve cryptography.

Bitcoin's real keys are 256 bits long, far larger than 15 bits, so this was not an immediate danger. But Project Eleven CEO Alex Pruden noted that the resource requirements for this type of attack keep dropping, and that Lelli used only cloud-accessible hardware, with no national lab or specialized chip required.

The bigger near-term concern is a strategy called "harvest now, decrypt later." Here is how it works: a well-resourced attacker — a government agency, for example — could quietly copy and store encrypted blockchain transactions today. They cannot read them yet. But once a powerful enough quantum computer exists, they could go back and decrypt everything they stored. For most encrypted data this would be worrying. 

For public blockchain data, it is a different kind of risk: the transaction data is already visible to everyone, but the private key behind a wallet is not. A quantum computer could eventually work backwards from what is public to expose what is private, draining old wallets years after the original transactions happened.

On the Bitcoin side, Glassnode published an analysis on May 20, 2026, classifying 1.92 million BTC, about 9.6% of total supply, as structurally unsafe under a future quantum attack. Another 4.12 million BTC, or 20.6% of supply, were flagged as operationally unsafe because of how users manage their keys and addresses. Ethereum uses the same underlying cryptographic system, so it faces the same category of exposure.

What Would a $0.07 Quantum Fix Actually Cost at Scale?

Seven cents per account is negligible for an individual user. For a DeFi protocol managing tens of thousands of user addresses, the total bill would be a few thousand dollars at most. For custodians, exchanges, and large holders sitting on multi-million-dollar wallets, paying pocket change for quantum readiness is a straightforward decision.

The design also sidesteps the governance bottleneck that usually slows Ethereum upgrades. Because SPHINCS- works at the individual account level — not the protocol level — any wallet can choose to add it as an optional feature. No network-wide vote, no waiting for other stakeholders, no hard fork required.

That said, this is still a research proposal, not a finished product. An initial security review with an auditing firm called Fable has been completed, but independent formal audits still need to happen before developers would consider it safe to ship in a major wallet.

There is also no formal Ethereum Improvement Proposal (EIP) written yet. An EIP is the official document that kicks off the community review process for any change to Ethereum's ecosystem; without one, nothing moves toward production. Integration into widely used wallets like MetaMask or Ledger would likely take several more months after that process begins.

What Comes After SPHINCS-?

Consigny describes SPHINCS- explicitly as a stepping stone, not the final answer. The longer-term goal is a variant called leanSPHINCS, designed to work inside Ethereum's next generation of zero-knowledge proof systems.

Zero-knowledge proofs (ZK proofs) are a way of proving that something is true without revealing the underlying data. They are increasingly used in Ethereum to make transactions faster and cheaper by letting a single proof cover thousands of operations at once. 

For a signature scheme to work inside a ZK proof system, its internal math needs to be compatible with ZK circuits, the underlying computational structure of ZK proofs. KECCAK256, the hash function SPHINCS- uses, is not naturally ZK-friendly, which means it is expensive to include inside a ZK proof.

A draft EIP called "Frame type for PQ sig and STARK aggregation" describes a future model where post-quantum signatures do not need to be checked individually by every node on the network. Instead, multiple signatures would be bundled off-chain into a single compact proof called a STARK, and only that one proof gets checked on-chain. Under this model, a leanSPHINCS verification would drop from 150,000 gas to roughly 3,000 gas — because the checking cost is shared across many transactions instead of repeated for each one.

The tradeoff is that KECCAK-based signatures like SPHINCS- would need an extra wrapping step done on the user's device before being bundled into the proof. A companion project called JARDIN, expected to be published soon, addresses this specifically for hardware wallets, targeting a signing time of 3 seconds on standard secure chip hardware.

Conclusion

The SPHINCS- proposal shows that post-quantum account protection on Ethereum is a solvable problem at practical cost using tools that already exist. A 150,000-gas on-chain verifier, no hard fork required, and a formal mathematical proof of correctness are concrete milestones. The $0.07 figure comes from a working Solidity implementation tested against real gas prices — not a theoretical estimate. What remains is the path from research to production: audits, an EIP, and wallet integration. The quantum threat is still years away from being critical, but the cost of getting ahead of it just became very hard to argue against.

Resources

  1. Ethresearch – SPHINCS-: EVM-Optimised Post-Quantum Signatures by Nicolas Consigny, June 2026
  2. NIST CSRC – FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA / SPHINCS+)
  3. NIST – NIST Releases First 3 Finalized Post-Quantum Encryption Standards
  4. Project Eleven Blog – Project Eleven Awards 1 BTC Q-Day Prize for Largest Quantum Attack on Elliptic Curve Cryptography to Date
  5. CoinDesk – Researcher Wins 1 Bitcoin Bounty for Largest Quantum Attack on Underlying Tech
  6. Crypto.news – Glassnode: Bitcoin Quantum Risk Covers 1.92M BTC
  7. Bitcoinist – Ethereum Researchers Propose SPHINCS- Signature Scheme for Post-Quantum Wallets
  8. CryptoAdventure – Ethereum Researcher Says Post-Quantum Account Protection Can Start for $0.07

Frequently Asked Questions

What is SPHINCS- and how is it different from SPHINCS+?

SPHINCS+ is a post-quantum signature standard approved by NIST (the US government body that sets security standards). It was built for broad use cases and supports an enormous number of signatures per key. SPHINCS- is a trimmed-down version designed specifically for Ethereum. It swaps out one internal component (SHAKE256) for a hash function Ethereum already uses natively (KECCAK256), which means no changes to Ethereum's base code are needed. It also limits each key to a realistic number of signatures for a wallet — making it far cheaper to verify on-chain, at around $0.07 per check.

Does adding quantum protection require an Ethereum hard fork?

No. SPHINCS- works through a regular smart contract. A user's wallet would simply use a new type of verifier contract instead of the standard signature check. No changes to the Ethereum protocol are needed, and no other users or validators have to do anything. This is the main practical advantage over longer-term quantum migration plans that require network-wide coordination.

When could Ethereum wallets actually support this?

Not immediately. Security audits still need to be completed, and no formal Ethereum Improvement Proposal has been submitted yet. After audits pass and an EIP moves through the community review process, wallet providers like MetaMask or Ledger would need to build and test support for it. Realistically, that process is likely to take at least several months from where things stand in June 2026.

Author

Soumen Datta

Soumen has been a crypto researcher since 2020 and holds a master’s in Physics. His writing and research have been published by publications such as CryptoSlate and DailyCoin, as well as BSCN. His areas of focus include Bitcoin, DeFi, and high-potential altcoins like Ethereum, Solana, XRP, and Chainlink. He combines analytical depth with journalistic clarity to deliver insights for both newcomers and seasoned crypto readers.
