Title: Post-Quantum Threats · Domain · EthSystems

URL Source: https://original.es-internal.pages.dev/domains/post-quantum/

Markdown Content:
---
description: A Cryptographically Relevant Quantum Computer (CRQC) breaks ECDSA, BLS, ECDH, Groth16, PLONK/KZG; Ethereum consensus, execution, and application privacy layers all affected. Harvest Now, Decrypt Later (HNDL) means confidentiality-critical applications face urgency now, even though CRQC is years away. Hash-based and lattice-based primitives provide migration paths; STARKs are already PQ-safe.
title: Post-Quantum Threats · Domain · EthSystems
image: https://original.es-internal.pages.dev/og.png
---

[Skip to content](#main-content) 

## PQ Threat Landscape

Quantum computers threaten cryptography through two algorithms. Shor's algorithm provides exponential speedup against problems based on the structure of algebraic groups (discrete logarithms, integer factorization). Grover's algorithm provides quadratic speedup against unstructured search, effectively halving the security level of symmetric primitives and hash functions.

### Quantum Algorithms

| Algorithm                     | Speedup     | Target                                               | Effect                                                        |
| ----------------------------- | ----------- | ---------------------------------------------------- | ------------------------------------------------------------- |
| **Shor**                      | Exponential | Discrete logarithms, integer factorization           | Fully breaks the underlying hardness assumption               |
| **Grover**                    | Quadratic   | Unstructured search (symmetric keys, hash preimages) | Halves effective security bits (e.g., 256-bit → 128-bit)      |
| **Brassard-Hoyer-Tapp (BHT)** | Moderate    | Collision finding in hash functions                  | Reduces collision resistance (e.g., 256-bit hash → \~170-bit) |

### Broken Hardness Assumptions (via Shor)

All assumptions that derive security from discrete-log or factorization structure are fully broken by Shor's algorithm.

| Hardness Assumption                                   | Quantum Route | Affected Schemes                                    | Ethereum Impact                                                 |
| ----------------------------------------------------- | ------------- | --------------------------------------------------- | --------------------------------------------------------------- |
| Elliptic-Curve Discrete Log Problem (ECDLP)           | Shor (direct) | ECDSA, EdDSA, ECDH, Schnorr                         | Transaction signing (secp256k1), stealth address derivation     |
| Discrete Log over finite fields                       | Shor (direct) | DSA, Diffie-Hellman                                 | Legacy key exchange                                             |
| Computational / Decisional Diffie-Hellman (CDH / DDH) | via ECDLP     | Diffie-Hellman key exchange, ElGamal, Oblivious PRF | TLS, on-chain encryption, viewing keys                          |
| Pairing assumptions (Bilinear DH, q-Strong DH, SXDH)  | via ECDLP     | BLS signatures, Groth16, PLONK/KZG commitments      | Consensus (BLS), zero-knowledge proof systems, blob commitments |
| Integer factorization / Strong RSA                    | Shor (direct) | RSA, RSA accumulators                               | Accumulators, RSA-based Verifiable Delay Functions              |

### Weakened Primitives (via Grover / BHT)

These primitives are not broken but require increased parameter sizes to maintain target security levels.

| Primitive Category                                                                          | Security Property    | Quantum Effect        | Mitigation                                                  | Post-Quantum Security       |
| ------------------------------------------------------------------------------------------- | -------------------- | --------------------- | ----------------------------------------------------------- | --------------------------- |
| Hash functions (SHA-256, Keccak)                                                            | Preimage resistance  | Grover: halves bits   | Use 256-bit hashes for 128-bit PQ security                  | Sufficient at current sizes |
| Hash functions (SHA-256, Keccak)                                                            | Collision resistance | BHT: reduces by \~1/3 | 256-bit hash retains \~170-bit collision security           | Sufficient at current sizes |
| Symmetric encryption (AES)                                                                  | Key security         | Grover: halves bits   | AES-256 for 128-bit PQ security (AES-128 drops to \~64-bit) | Use AES-256                 |
| Message Authentication Codes, Pseudorandom Functions, Key Derivation Functions (HMAC, HKDF) | Key security         | Grover: halves bits   | Double key sizes                                            | Use 256-bit keys            |

### PQ-Safe Foundations

Assumptions and schemes with no known quantum speedup. These form the basis for post-quantum migration.

| Assumption Family     | Hardness Problem                                                   | Representative Schemes             | NIST Status                  | Notes                                                                                       |
| --------------------- | ------------------------------------------------------------------ | ---------------------------------- | ---------------------------- | ------------------------------------------------------------------------------------------- |
| Lattice-based         | Learning With Errors (LWE), Ring-LWE, Short Integer Solution (SIS) | ML-KEM (Kyber), ML-DSA (Dilithium) | Standardized (FIPS 203, 204) | Primary PQ replacement for key exchange and signatures                                      |
| Hash-based signatures | One-time signatures + Merkle trees                                 | XMSS, SPHINCS+ (SLH-DSA)           | Standardized (FIPS 205)      | Stateful (XMSS) or stateless (SPHINCS+); conservative: depends on hash security assumptions |
| Hash + FRI (STARKs)   | Hash collision resistance                                          | STARK proof systems                | N/A                          | Already deployed in Ethereum L2s; PQ-safe by construction                                   |

## Ethereum Layer Analysis

| Layer           | Today (Broken)            | Migration Path                                                                                                                                                                               | Target End State                             |
| --------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- |
| **Consensus**   | BLS (pairings, Dlog)      | Replace fixed BLS with programmable verification; use hash-based sigs or STARK aggregation (see [Lean Ethereum](/patterns/pattern-lean-ethereum/), [Lean Roadmap](https://leanroadmap.org/)) | Validators submit **proofs**, not signatures |
| **Execution**   | ECDSA (secp256k1)         | Account abstraction (EIP-8141-style); modular validation (custom sig / ZK checks)                                                                                                            | Account = **verification logic**             |
| **Application** | Groth16, PLONK, KZG, ECDH | Replace pairings & Dlog: STARKs, hash commitments, PQ KEMs                                                                                                                                   | **Hash/STARK-first stack**                   |

## Application-Layer Breakages

HNDL makes privacy migration more urgent than authentication: harvested ciphertexts can never be re-encrypted, while signature forgery is at least partially remediable through emergency coordination. New designs should use PQ key exchange for any confidentiality surface that persists beyond a single session.

Ethereum inherits PQ transport encryption for some surfaces (Go 1.24 ships hybrid PQ TLS by default for HTTPS/JSON-RPC). What it _cannot_ inherit is application-layer privacy: on-chain ciphertexts, ECDH-based key derivation, stealth address generation, ZK-proven encryption, and access pattern hiding are blockchain-specific problems with no industry equivalent.

### Anonymity and Unlinkability

| Surface           | Broken Primitive            | Solution Path                                                                                                                                                | Status          | Pattern                                                    |
| ----------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | ---------------------------------------------------------- |
| Stealth Addresses | ECDH key exchange           | ML-KEM + OMR sidecar (33x ciphertext bloat; [Module-LWE protocol](https://eprint.iacr.org/2025/112) \~66.8% faster scan)                                     | Active research | [Stealth Addresses](/patterns/pattern-stealth-addresses/)  |
| zkTLS             | MPC/2PC on ECDH handshake   | Co-design MPC with ML-KEM algebraic structure; TLS 1.3 support prerequisite                                                                                  | Unsolved        | [zk-TLS](/patterns/pattern-zk-tls/)                        |
| zkID (export)     | EC-based signatures         | Poseidon-internal hash-based PQ sigs + STARK verification on device                                                                                          | Tractable       | [ZK KYC/ML ID](/patterns/pattern-zk-kyc-ml-id-erc734-735/) |
| zkID (import)     | NIST PQ sig arithmetization | 131x gap vs Groth16; [EIP-8051](https://eips.ethereum.org/EIPS/eip-8051)/[8052](https://eips.ethereum.org/EIPS/eip-8052) precompiles for direct verification | Open research   | [ZK KYC/ML ID](/patterns/pattern-zk-kyc-ml-id-erc734-735/) |

### Confidentiality

| Surface                              | Broken Primitive               | Solution Path                                                                                      | Status    | Pattern                                                                                                        |
| ------------------------------------ | ------------------------------ | -------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------- |
| Note discovery / viewing keys        | EC-based key derivation        | ML-KEM (outside ZK circuit) + OMR                                                                  | Tractable | [Shielding](/patterns/pattern-shielding/), [Noir Private Contracts](/patterns/pattern-noir-private-contracts/) |
| Proven-correct encryption to auditor | ElGamal (EC scalar mul)        | Lattice PKE outside circuit + Poseidon symmetric encryption inside circuit (detect-and-flag model) | Partial   | [Regulatory Disclosure](/patterns/pattern-regulatory-disclosure-keys-proofs/)                                  |
| Protocol-enforced decryptability     | Proving lattice PKE in-circuit | Field mismatch (q=3,329 vs BN254); simpler than full ML-KEM but still expensive                    | Unsolved  | N/A                                                                                                            |

### Dependencies

* **Client-side GPU proving**: PQ privacy requires on-device ZK proofs. NTT-based PQ primitives align well with GPU architecture ([client-side-gpu-everyday-ef-privacy](https://pse.dev/blog/client-side-gpu-everyday-ef-privacy)).
* **STARK migration**: SNARKs (Groth16, PLONK/KZG) broken; STARKs (hash + FRI) survive. See [ZK Proof Systems](/patterns/pattern-zk-proof-systems/).

## Affected Patterns

| Pattern                                                                                   | PQ-Broken Primitive                | HNDL Risk | Mitigation Path                    |
| ----------------------------------------------------------------------------------------- | ---------------------------------- | --------- | ---------------------------------- |
| [Stealth Addresses](/patterns/pattern-stealth-addresses/)                                 | ECDH (shared secret)               | High      | ML-KEM + OMR sidecar               |
| [PSI-DH](/patterns/pattern-private-set-intersection-dh/)                                  | DDH / commutative encryption       | Medium    | Lattice-based PSI                  |
| [MPC Custody](/patterns/pattern-mpc-custody/)                                             | Threshold ECDSA/EdDSA              | Low       | ML-DSA / hash-based threshold      |
| [TEE Key Manager](/patterns/pattern-tee-key-manager/)                                     | ECDSA/BLS signing                  | Low       | PQ signing in TEE                  |
| [Noir Private Contracts](/patterns/pattern-noir-private-contracts/)                       | Barretenberg (PLONK)               | High      | Hash-based commitments / STARKs    |
| [Private Shared State (co-SNARK)](/patterns/pattern-private-shared-state-cosnark/)        | Groth16                            | Medium    | co-STARK alternatives              |
| [TEE+ZK Settlement](/patterns/pattern-tee-zk-settlement/)                                 | Groth16/PLONK                      | Medium    | STARKs                             |
| [co-SNARK](/patterns/pattern-co-snark/)                                                   | co-SNARK (Groth16-based)           | Medium    | co-STARK                           |
| [Threshold Encrypted Mempool](/patterns/pattern-threshold-encrypted-mempool/)             | Pairing-based threshold encryption | Medium    | Lattice-based threshold encryption |
| [Shielding](/patterns/pattern-shielding/)                                                 | ZK proofs (impl-dependent)         | High      | STARK-based shielded pools         |
| [vOPRF Nullifiers](/patterns/pattern-voprf-nullifiers/)                                   | EC-based OPRF (DDH)                | Low       | Lattice-based OPRF                 |
| [Pretrade Privacy](/patterns/pattern-pretrade-privacy-encryption/)                        | Threshold encryption               | Medium    | Lattice-based threshold            |
| [zk-TLS](/patterns/pattern-zk-tls/)                                                       | MPC on ECDH key exchange           | Medium    | MPC/2PC over ML-KEM (unsolved)     |
| [ZK KYC/ML ID](/patterns/pattern-zk-kyc-ml-id-erc734-735/)                                | Underlying proof system            | Medium    | STARK-based proving                |
| [ZK Proof Systems](/patterns/pattern-zk-proof-systems/)                                   | Groth16, PLONK/KZG (pairing/Dlog)  | Medium    | PLONK/IPA, STARKs, folding schemes |
| [Origin-Locked Confidential Ledger](/patterns/pattern-origin-locked-confidential-ledger/) | ElGamal (EC-based)                 | High      | Lattice-based PKE                  |
| [Safe Proof Delegation](/patterns/pattern-safe-proof-delegation/)                         | Recursive ZK (if EC-based)         | Medium    | STARK-based recursion              |
| **PQ-safe patterns** (no mitigation needed):                                              |                                    |           |                                    |

* [Private Shared State (FHE)](/patterns/pattern-private-shared-state-fhe/): lattice-based
* [Private MTP Auth](/patterns/pattern-private-mtp-auth/): Merkle trees, hash-based
* [Plasma Stateless Privacy](/patterns/pattern-plasma-stateless-privacy/): hash-based ZK

## See also

* [Lean Ethereum](/patterns/pattern-lean-ethereum/): consensus-layer PQ migration
* [Native Account Abstraction](/patterns/pattern-native-account-abstraction/): execution-layer PQ auth agility
* [ZK Proof Systems](/patterns/pattern-zk-proof-systems/): STARK vs SNARK PQ comparison
* [Permissionless Spend Auth](/patterns/pattern-permissionless-spend-auth/): application-layer auth agility
* [NIST PQC standards](https://csrc.nist.gov/projects/post-quantum-cryptography)
* [Ethereum PQ tasklist (ethresear.ch)](https://ethresear.ch/t/tasklist-for-post-quantum-eth/21296)
* [How to hard-fork to save most users' funds in a quantum emergency](https://ethresear.ch/t/how-to-hard-fork-to-save-most-users-funds-in-a-quantum-emergency/18901)

## Building blocks for post-quantum threats

[ Delegated Proving (co-SNARKs) hybrid testnet Censorship-resistance: mediumOpen source: yesPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourceyesPPrivacyfullSSecuritymedium ](/patterns/pattern-co-snark/)[ Hybrid TEE + ZK settlement hybrid research Censorship-resistance: mediumOpen source: partialPrivacy: partialSecurity: mediumCRCensorship-resistancemediumOSOpen sourcepartialPPrivacypartialSSecuritymedium ](/patterns/pattern-tee-zk-settlement/)[ Lean Ethereum L1 research Censorship-resistance: highOpen source: yesPrivacy: noneSecurity: mediumCRCensorship-resistancehighOSOpen sourceyesPPrivacynoneSSecuritymedium ](/patterns/pattern-lean-ethereum/)[ MPC Custody and Transaction Control offchain production Censorship-resistance: lowOpen source: partialPrivacy: noneSecurity: mediumCRCensorship-resistancelowOSOpen sourcepartialPPrivacynoneSSecuritymedium ](/patterns/pattern-mpc-custody/)[ Noir Private Contracts L2 production Censorship-resistance: mediumOpen source: yesPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourceyesPPrivacyfullSSecuritymedium ](/patterns/pattern-noir-private-contracts/)[ Origin-Locked Cross-Chain Confidential Ledger hybrid testnet Censorship-resistance: mediumOpen source: partialPrivacy: partialSecurity: highCRCensorship-resistancemediumOSOpen sourcepartialPPrivacypartialSSecurityhigh ](/patterns/pattern-origin-locked-confidential-ledger/)[ Pre-trade Privacy (Encrypted Order Flow) hybrid testnet Censorship-resistance: lowOpen source: partialPrivacy: partialSecurity: lowCRCensorship-resistancelowOSOpen sourcepartialPPrivacypartialSSecuritylow ](/patterns/pattern-pretrade-privacy-encryption/)[ Private Client Authentication for Institutional EOAs hybrid testnet Censorship-resistance: lowOpen source: yesPrivacy: fullSecurity: highCRCensorship-resistancelowOSOpen sourceyesPPrivacyfullSSecurityhigh ](/patterns/pattern-private-mtp-auth/)[ Private Set Intersection (DH-based) offchain testnet Censorship-resistance: highOpen source: yesPrivacy: fullSecurity: highCRCensorship-resistancehighOSOpen sourceyesPPrivacyfullSSecurityhigh ](/patterns/pattern-private-set-intersection-dh/)[ Private Shared State (FHE) hybrid testnet Censorship-resistance: mediumOpen source: partialPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourcepartialPPrivacyfullSSecuritymedium ](/patterns/pattern-private-shared-state-fhe/)[ Private Shared State (MPC + ZK / co-SNARKs) hybrid testnet Censorship-resistance: mediumOpen source: yesPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourceyesPPrivacyfullSSecuritymedium ](/patterns/pattern-private-shared-state-cosnark/)[ Safe Proof Delegation L1 testnet Censorship-resistance: lowOpen source: yesPrivacy: partialSecurity: highCRCensorship-resistancelowOSOpen sourceyesPPrivacypartialSSecurityhigh ](/patterns/pattern-safe-proof-delegation/)[ Selective Disclosure (Viewing Keys + Zero-Knowledge Proofs) hybrid testnet Censorship-resistance: mediumOpen source: partialPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourcepartialPPrivacyfullSSecuritymedium ](/patterns/pattern-regulatory-disclosure-keys-proofs/)[ Shielding hybrid production Censorship-resistance: mediumOpen source: partialPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourcepartialPPrivacyfullSSecuritymedium ](/patterns/pattern-shielding/)[ Stateless Plasma Privacy L2 testnet Censorship-resistance: mediumOpen source: partialPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourcepartialPPrivacyfullSSecuritymedium ](/patterns/pattern-plasma-stateless-privacy/)[ Stealth Addresses L1 production Censorship-resistance: mediumOpen source: yesPrivacy: partialSecurity: highCRCensorship-resistancemediumOSOpen sourceyesPPrivacypartialSSecurityhigh ](/patterns/pattern-stealth-addresses/)[ TEE Key Manager offchain testnet Censorship-resistance: lowOpen source: partialPrivacy: partialSecurity: mediumCRCensorship-resistancelowOSOpen sourcepartialPPrivacypartialSSecuritymedium ](/patterns/pattern-tee-key-manager/)[ Threshold-Encrypted Mempool L1 testnet Censorship-resistance: highOpen source: partialPrivacy: partialSecurity: mediumCRCensorship-resistancehighOSOpen sourcepartialPPrivacypartialSSecuritymedium ](/patterns/pattern-threshold-encrypted-mempool/)[ vOPRF Nullifiers hybrid testnet Censorship-resistance: mediumOpen source: partialPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourcepartialPPrivacyfullSSecuritymedium ](/patterns/pattern-voprf-nullifiers/)[ ZK Proof Systems hybrid concept Censorship-resistance: mediumOpen source: yesPrivacy: fullSecurity: mediumCRCensorship-resistancemediumOSOpen sourceyesPPrivacyfullSSecuritymedium ](/patterns/pattern-zk-proof-systems/)[ zk-KYC/ML + ERC-734/735 identity claims hybrid testnet Censorship-resistance: lowOpen source: partialPrivacy: partialSecurity: mediumCRCensorship-resistancelowOSOpen sourcepartialPPrivacypartialSSecuritymedium ](/patterns/pattern-zk-kyc-ml-id-erc734-735/)[ zk-TLS offchain testnet Censorship-resistance: lowOpen source: partialPrivacy: partialSecurity: mediumCRCensorship-resistancelowOSOpen sourcepartialPPrivacypartialSSecuritymedium ](/patterns/pattern-zk-tls/) 

×

```json
{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://ethsystems.org/#organization","name":"EthSystems","url":"https://ethsystems.org/","logo":"https://ethsystems.org/icon-maskable.png","sameAs":["https://x.com/eth_systems","https://www.linkedin.com/company/ethsystems/","https://github.com/ethsystems"]},{"@type":"WebSite","@id":"https://ethsystems.org/#website","url":"https://ethsystems.org/","name":"EthSystems","publisher":{"@id":"https://ethsystems.org/#organization"}}]}
```
