Ethereum post-quantum accounts could be shielded from future cryptographic threats for as little as $0.07 each, according to Nicolas Consigny, project lead of the Ethereum Foundation’s Kohaku initiative. The proposal does not require a hard fork or a new precompile, positioning it as a near-term stopgap while a more comprehensive solution is developed.
SPHINCS- and the $0.07 Bridge
Consigny published a paper on the Ethereum Foundation’s research notes platform describing a scheme called SPHINCS-, adapted from SPHINCS+, the post-quantum signature algorithm that NIST formally standardised as FIPS 205 in August 2024 under the title “Stateless Hash-Based Digital Signature Standard.”
As documented in the FIPS 205 specification, SPHINCS+ is stateless, meaning no state needs to be tracked between signatures. The trade-off is longer signatures compared with ML-DSA (FIPS 204). SPHINCS- is Consigny’s attempt to strip back on-chain verification costs while preserving that stateless property.
The paper, titled “SPHINCs-: Efficient Stateless Post-Quantum Signature Verification on the EVM,” frames the scheme as a bridge toward a further-optimised system called leanSPHINCS, which is intended to reduce costs further through aggregation. SPHINCS- addresses Ethereum’s existing Elliptic Curve Digital Signature Algorithm (ECDSA) exposure without waiting for a dedicated upgrade cycle.
Context from IEEE Xplore’s publication on NIST post-quantum standards notes that SPHINCS+ was originally selected as a backup standardisation candidate, included specifically in case ML-DSA proves vulnerable, before being renamed SLH-DSA and published as FIPS 205. That backstop rationale now translates directly into Ethereum’s deployment calculus: the scheme is hardened against a wider class of failure modes than a single-algorithm approach.
The Case for Ethereum Post-Quantum Accounts Now
The core argument behind the SPHINCS- proposal is that Ethereum post-quantum accounts can be hardened incrementally, without coordination overhead. A soft deployment path, bypassing the precompile and hard-fork processes, makes the $0.07 per-account figure achievable at relatively low protocol risk.
The broader question for Ethereum post-quantum accounts shifts from “whether” to “when” once the cost sits below the price of a typical ERC-20 transfer on most days. The remaining uncertainty is adoption mechanics: whether users will opt in before a cryptographically relevant quantum computer exists, or wait until the threat is more concrete.
Bitcoin’s Quantum Exposure, by the Numbers
The urgency for Ethereum reflects a threat already being stress-tested against Bitcoin’s cryptography. In April, post-quantum startup Project Eleven awarded its Q-Day Prize, worth one Bitcoin, to researcher Giancarlo Lelli for breaking a 15-bit elliptic-curve key on a quantum computer using a variant of Shor’s algorithm.
Bitcoin’s keys are 256 bits, far beyond the 15-bit key Lelli cracked. The practical gap between a proof-of-concept and a production-scale attack on live keys remains wide. But the directional trajectory has prompted on-chain analysis of supply exposure.
According to Glassnode, about 1.92 million Bitcoin, representing nearly 10% of total supply, are considered structurally unsafe in a quantum attack scenario. Another 4.12 million BTC, or 20.6% of supply, are classified as operationally unsafe due to key or address management practices. Glassnode estimates the remaining 69.8% of supply, or 13.99 million Bitcoin, remains unexposed, broadly consistent with Ark Invest’s March estimate that 65% of supply was safe.
Ethereum’s ECDSA shares the same underlying vulnerability class. A quantum adversary capable of deriving private keys from public keys would threaten both chains equally at the signature layer. The SPHINCS- proposal is one of the few concrete attempts to quantify and reduce that attack surface before the threat matures.
The next meaningful milestone is whether the Ethereum research community moves the SPHINCS- paper toward an EIP, or whether leanSPHINCS aggregation research accelerates fast enough to leapfrog the interim step entirely.
