Post-Quantum Roadmap
Aligning eth2030 with Vitalik's Ethereum quantum resistance roadmap. Covering 4 vulnerable areas, 7 packages, a pluggable architecture for hash function agility, and 26/26 gaps audited & fixed across 3 rounds.
4 Vulnerable Areas
Each area of Ethereum at risk from quantum attacks, and how eth2030 addresses it
CL BLS Signatures
BLS12-381 signatures used for consensus attestations are vulnerable to Shor's algorithm.
STARK-aggregated hash-based signatures. Validators sign with Dilithium3, then a single STARK proves all N signatures are valid.
DA KZG Commitments
KZG polynomial commitments rely on elliptic curve pairings vulnerable to quantum attacks.
Lattice-based blob commitments using Module-LWE (MLWE). Dual-commit (KZG + MLWE) during migration.
EOA ECDSA Signatures
ECDSA signatures on user transactions are vulnerable to Shor's algorithm.
EIP-8141 frame transactions with PQ algorithm registry. Programmable tx validation with Dilithium, Falcon, SPHINCS+, WOTS+/XMSS.
Application-layer Proofs
ZK proofs verified on-chain may use quantum-vulnerable assumptions (elliptic curve pairings).
Recursive STARK mempool aggregation. Every 500ms, nodes create a STARK proving validity of all validated transactions.
Workflow
How post-quantum transactions and proofs flow through eth2030
PQ Transaction Flow
Proof Aggregation Pipeline
Hash Function Pluggability
Coverage Matrix
Mapping Vitalik's roadmap items to eth2030 implementations
| Roadmap Item | Package | Status |
|---|---|---|
| Hash-based sigs (WOTS+/XMSS) | pkg/crypto/pqc/ | complete |
| Pluggable hash functions | pkg/crypto/pqc/hash_backend.go | complete |
| STARK proof aggregation | pkg/proofs/stark_prover.go | complete |
| STARK constraint evaluation | pkg/proofs/stark_prover.go | complete |
| FRI polynomial folding | pkg/proofs/stark_prover.go | complete |
| Merkle auth paths | pkg/proofs/stark_prover.go | complete |
| Recursive STARK composition | pkg/proofs/recursive_prover.go | complete |
| STARK mempool aggregation | pkg/txpool/stark_aggregation.go | complete |
| STARK CL sig aggregation | pkg/consensus/stark_sig_aggregation.go | complete |
| EIP-8141 frame transactions | pkg/core/ (17 files) | complete |
| NTT precompile (EIP-7885) | pkg/core/vm/precompile_ntt.go | complete |
| Lattice sigs (Dilithium/Falcon) | pkg/crypto/pqc/ | complete |
| PQ attestations | pkg/consensus/pq_attestation.go | complete |
| Lattice blob commitments | pkg/crypto/pqc/lattice_blob.go | complete |
| PQ algorithm registry | pkg/crypto/pqc/registry.go | complete |
| PQ gas tables in EVM | pkg/core/vm/gas.go, gas_table.go | complete |
| Per-topic gossip bandwidth | pkg/p2p/gossip_topics.go | complete |
| Finality BLS adapter (PQ fallback) | pkg/consensus/finality_bls_adapter.go | complete |
References
Reference submodules supporting the PQ roadmap
NTT Precompile
EIP-7885 Number Theoretic Transform at address 0x15
| Op | Field | Use Case |
|---|---|---|
| 0x00 | BN254 (254-bit) | ZK-SNARK circuits, Groth16 |
| 0x01 | BN254 (inverse) | Polynomial interpolation |
| 0x02 | Goldilocks (2^64-2^32+1) | STARK proofs, FRI, Plonky2 |
| 0x03 | Goldilocks (inverse) | STARK polynomial recovery |
Gas cost: base(1000) + n × log2(n) × 10
Full report available at docs/PQ_ROADMAP_REPORT.md