TLDR:
- Researchers say Ethereum users can secure accounts against quantum attacks today for as little as $0.07.
- SPHINCS- verifies post-quantum signatures on-chain at ~150,000 gas using Ethereum’s native KECCAK256 opcode.
- C11 and C12 variants support hardware wallet signing, tested at 390s and 47.5s on a Ledger secure element.
- Future leanSPHINCS variant targets STARK aggregation, cutting per-transaction verification to 3,000 gas.
Researchers say Ethereum users could add quantum-resistant account protection for as little as $0.07, without a hard fork.
A developer known as nicocsgy published SPHINCS-, a family of EVM-optimized post-quantum signature schemes derived from SPHINCS+.
The system verifies post-quantum signatures on-chain at around 150,000 gas using only existing Ethereum infrastructure. Formal proofs via Lean 4 with Verity are included, and additional audits are in progress.
Quantum Threat to Ethereum Accounts Is Closer Than Expected
Quantum computers capable of breaking ECDSA, the signature scheme securing Ethereum and Bitcoin, are no longer a distant concern. Recent resource estimates by Babbush et al. have brought attack timelines closer than previously projected.
This makes post-quantum alternatives at the execution layer increasingly urgent for wallet holders and institutions alike. SPHINCS- addresses that gap by enabling quantum-resistant verification on Ethereum today.
The researcher shared on X: “Ethereum can already start preparing accounts for a post-quantum world, without waiting for a hard fork. Today, it would be just $0.07.”
The core technical insight came from a conversation with Vitalik Buterin. Since SPHINCS+ is built entirely from hash functions, replacing the standard SHAKE256 with Ethereum’s native KECCAK256 opcode makes on-chain verification possible.
This substitution removes any dependency on new precompiles or protocol changes. Users and organizations can therefore deploy quantum-resistant account protection right now.
Parameter tuning drove the bulk of the gas optimization work. Extensive modeling under EIP-7623 and EIP-7976 floor pricing revealed that the Winternitz parameter w=8 produces the lowest real verification cost.
Short hash chains with more iterations proved cheaper than fewer but longer chains. That finding overturned assumptions from earlier calldata-only models.
Four Variants Cover Hardware Wallets to FIPS-Compliant Deployments
Researchers produced four main variants, each targeting a different signer profile and security requirement. The C13 variant uses WOTS+C and FORS+C compression, verifying at 127,000 gas with a 3,704-byte signature.
It suits laptop-class signers and requires around 4.3 million hash calls per signature. Organizations pursuing FIPS compliance can instead use SLH-DSA-SHA2-128-24, a standardized-style alternative.
C11 and C12 were tested on a Ledger Nano S+ ST33K1M5 secure element to assess hardware wallet viability. Signing times came in at 390 seconds and 47.5 seconds respectively, making hardware deployment realistic.
Both variants carry a reduced per-key signature budget compared to the NIST standard’s 2^64 limit. However, on-chain data shows the average active Ethereum address sends roughly 431 transactions per year, making smaller budgets sufficient.
The SLH-DSA Keccak twin cuts on-chain verification costs by around 34% against its FIPS-aligned counterpart. It trades bit-exact NIST compliance for meaningfully cheaper gas, which suits blockchain-native deployments.
Verifier contracts for all variants are publicly available on GitHub for audit and deployment. NIST is also developing smaller SLH-DSA parameter sets with a 2^24 signature budget, narrowing the gap further.
Future research targets ZK-friendly hash functions under the working name “leanSPHINCS.” That variant would support STARK-based aggregation, dropping verification to around 3,000 gas per transaction at the protocol level.
A companion post on JARDIN, expected soon, aims to cut hardware wallet signing time to three seconds. Together, these efforts position hash-based post-quantum signatures as a practical near-term path for Ethereum account security.
