Ethereum developers are preparing for a future in which quantum computers could break today's cryptography. Researchers at the Ethereum Foundation such as Justin Drake are putting forward a vision called "Lean Ethereum": a collaborative effort to simplify Ethereum's technical architecture while strengthening its quantum security.
The initiative is both a response to the threat of quantum computing and a critique of Ethereum's own complexity. In practice it means rethinking everything from smart-contract execution to block validation to ensure the network's future quantum safety. Backed by leaders including co-founder Vitalik Buterin, "Lean Ethereum" reflects a shift in thinking across the industry: defending against quantum attacks is no longer merely prudent; it has become necessary.
In this article we break down why quantum security has become a priority on the blockchain agenda and what Ethereum is doing about it. We explain the limits of today's cryptography (such as the elliptic-curve signatures that protect Bitcoin and Ether) and how future quantum computers could undermine those algorithms. We then introduce post-quantum cryptography, the new generation of algorithms designed to withstand quantum attacks, and the effort by the U.S. National Institute of Standards and Technology (NIST) to standardize them. After that we look in depth at the key technologies in the "Lean Ethereum" proposal: zero-knowledge-proof-powered virtual machines, data availability sampling, and rebuilding parts of Ethereum on a simplified RISC-V architecture. We introduce the key people behind these ideas, such as Drake, Buterin and cryptographer XinXin Fan, and compare Ethereum's road to quantum safety with Bitcoin's and other blockchains'. Finally, we weigh the benefits, trade-offs and risks of implementing quantum-resistant upgrades, and what these changes mean in the long run for users, developers, validators and the crypto industry as a whole.
Throughout, the explanations are kept in plain language: no advanced physics degree required, but without sacrificing technical accuracy. The quantum era may not be imminent, but Ethereum's example shows that now is the time to prepare. What follows is the story of how, and why, one of the world's largest blockchain ecosystems is hardening itself for the quantum age.
The Coming Quantum Threat
Quantum computing promises to solve certain problems exponentially faster than classical computers can, and that worries blockchain developers. Unlike a classical bit, which is either 0 or 1, a quantum bit (qubit) can exist in several states at once (superposition), and qubits can be entangled so that they influence one another, enabling parallel computation. Several tech giants are racing ahead: in 2023 Google unveiled a 433-qubit quantum processor and claimed "quantum supremacy" on specific tasks, while IBM plans a system of more than 4,000 qubits by 2027. Research teams estimate that breaking the cryptography used by cryptocurrencies such as Bitcoin may require millions of qubits, far beyond today's prototypes. But the trend is clear: a 2024 report from the Global Risk Institute put the probability that a quantum computer capable of breaking mainstream cryptography (such as RSA-2048 or 256-bit elliptic curves) appears by 2032 at 50%, rising to 90% by 2040. In other words, the quantum threat to blockchain security is no longer a question of "if" but of "when".
Classical Cryptography in Crisis
Many of the cryptographic primitives that blockchains rely on today face disruption from quantum computing. Cryptocurrencies generally use public-key cryptography to authorize transactions; for example, Bitcoin and Ethereum addresses are protected by the Elliptic Curve Digital Signature Algorithm (ECDSA). On classical computers ECDSA is extremely hard to break: recovering a private key from a public key is practically impossible. A sufficiently advanced quantum computer, however, could do exactly that using Shor's algorithm. Shor's algorithm factors large numbers and solves the discrete logarithm problem (the mathematical foundation of RSA and elliptic curves) in polynomial time, so a computation that would take millions of years classically might take hours or days on a quantum computer. For blockchains this is bad news: an attacker who obtains a private key can forge transactions, drain funds, and even impersonate legitimate signers to rewrite block data. The fundamental trust model, that only the holder of the private key can move the assets, would be broken.
The problem doesn't stop there. In normal blockchain operation, public keys are revealed in ordinary transactions. When you spend from an address, that address's public key is exposed in the signature. A quantum attacker could wait for a high-value address to transact, capture the public key, derive the private key, and steal the remaining balance before the transaction even confirms. Even long-dormant addresses, such as some early Bitcoin addresses or smart-contract treasuries, are at risk once their public keys are exposed. According to a Deloitte analysis, roughly 25% of all bitcoin, worth hundreds of billions of dollars, sits in addresses whose public keys are already public, making them easy quantum targets as the technology matures.
Beyond stealing private keys, quantum computing also threatens blockchain consensus. In proof-of-work (PoW), quantum algorithms could greatly speed up the hash computations, so an attacker with perhaps 26% of the hash power might mount a 51%-style attack and rewrite history (previously thought to require a majority). In proof-of-stake (PoS), the threat remains mostly one of signature security: forged signatures could cause consensus confusion, conflicting records, or hijacked validator slots. Every layer of the blockchain stack, from wallets to mining to validation, has its cryptographic foundations in quantum computing's crosshairs.
Why the Urgency
It's true that large, fully functional quantum computers are still in development, and estimates of when they will reach a threatening level vary widely. Some experts say such machines are a decade or more away; others warn that limited but sufficient prototypes could break weak cryptosystems within a few years. The uncertainty itself is the problem. The crypto industry has learned that upgrading a blockchain is a slow process requiring extensive deliberation, often taking years. Bitcoin, for example, has wrangled for years over details like OP_RETURN, and Ethereum's move from proof-of-work to proof-of-stake (the Merge) took more than five years to plan, test and implement. If routine upgrades take that long, a full migration to quantum resistance is even harder to estimate.
Blockchain governance isn't well suited to fast-moving threats. "The BIP and EIP decision processes are careful and democratic, but they are slow to respond to urgent threats," warns Colton Dillion, founder of a quantum-security startup. By the time the broader community realizes the quantum threat is imminent, malicious actors may already be quietly exploiting it. Unlike today's headline-grabbing hacks, a quantum attack is more likely to be a silent drain of funds. "A real quantum attack may not be loud; it's whales quietly moving funds out, and by the time the community reacts it's already too late," Dillion says. Assets drain away and anomalous movements occur, and only afterwards does anyone discover that the cryptography has been broken.
The threat has moved from theory to an issue the industry is actively addressing. The point is preparation, not panic. Quantum safety has become a prerequisite for blockchain planning, because a sudden collapse of the trust mechanism with no preparation would be catastrophic. And although solutions are emerging, rolling them out broadly across a decentralized network remains an enormous challenge.
The Limits of Today's Cryptography
Before turning to solutions, it helps to understand why today's cryptographic tools can't withstand quantum attacks. ECDSA and RSA are the pillars of current cryptography (ECDSA for Bitcoin/Ethereum signatures, RSA widely used in secure communications), and their security rests on mathematical problems that are hard for classical computers. These are one-way functions: multiplying two large primes is easy, but factoring the product back into those primes is extremely hard (RSA); multiplying a base point on an elliptic curve by a secret scalar is easy, but recovering the scalar from the result (the discrete logarithm) is extremely hard (ECDSA). These hard problems are what keep your private key secret.
But quantum computing shatters this asymmetry. With Shor's algorithm a quantum computer can efficiently factor integers and compute discrete logarithms, which means the protective barrier of the past … In essence, quantum computing is like a master key that can pick the locks of RSA and ECDSA given enough qubits and stable operation. Estimates vary on how many logical qubits (error-corrected, reliable qubits) are needed to break, say, Bitcoin’s 256-bit elliptic curve. One analysis from the Ethereum Foundation’s research team suggests around 6,600 logical qubits might threaten the secp256k1 curve (used in Bitcoin/Ethereum), and ~20,000 logical qubits could completely compromise it. Due to error-correction overhead, that corresponds to millions of physical qubits – a bar quantum hardware may reach in 15–20 years if progress continues. It’s a moving target, but clearly today’s cryptography has an expiration date if no changes are made.
Another limitation of current methods is key and signature exposure. As mentioned, address reuse is dangerous in a quantum context – yet many users, out of convenience, send multiple transactions from the same address, leaving their public key exposed on-chain after the first spend. This was historically common in Bitcoin’s early days (pay-to-public-key addresses that directly exposed keys), and even after best practices improved, an estimated 2.5 million BTC (over $130 billion) remain in older address types that are particularly vulnerable to a future quantum break. Ethereum, by design, exposes public keys only after they are used, but active Ethereum accounts do reuse keys regularly. In short, the longer our networks run on non-quantum-safe crypto, the more “quantum debt” accumulates – i.e., more assets sit in forms that a quantum computer could pilfer once it’s powerful enough.
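The "quantum debt" described above is measurable. The following is an added example, not code from the article or from any project it mentions: a toy UTXO ledger in which a public key becomes visible either because an output is pay-to-pubkey (the key sits in the locking script) or because the owner has already spent from the address (the key appears in the spending signature). The audit sums the unspent value whose controlling key is already on-chain and flags addresses that were reused after a spend. Hashing is simplified to a single SHA-256 (an assumption; Bitcoin's pay-to-pubkey-hash uses SHA-256 followed by RIPEMD-160), and all keys, values and transaction ids are constructed.

```python
"""Audit which unspent outputs already have their public key exposed on-chain."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for secp256k1 public keys (not real keys).
PK_A = b"\x02" + b"A" * 32
PK_B = b"\x02" + b"B" * 32
PK_C = b"\x03" + b"C" * 32


def pubkey_hash(pubkey: bytes) -> str:
    """Address-style identifier: a hash of the key, not the key itself (assumed SHA-256 only)."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass(frozen=True)
class Output:
    txid: str
    index: int
    value: int      # constructed units
    kind: str       # "p2pk": raw pubkey in script; "p2pkh": only its hash
    locker: str     # hex pubkey for p2pk, pubkey hash for p2pkh


@dataclass
class Tx:
    txid: str
    inputs: list                              # (prev_txid, prev_index, spender_pubkey)
    outputs: list = field(default_factory=list)


def exposed_keys(chain):
    """Every pubkey hash whose public key is visible somewhere on the chain."""
    seen = set()
    for tx in chain:
        for (_, _, spender_pubkey) in tx.inputs:
            seen.add(pubkey_hash(spender_pubkey))      # revealed by the spend
        for out in tx.outputs:
            if out.kind == "p2pk":
                seen.add(pubkey_hash(bytes.fromhex(out.locker)))  # revealed by the script
    return seen


def unspent_outputs(chain):
    spent = {(p_txid, p_idx) for tx in chain for (p_txid, p_idx, _) in tx.inputs}
    return [o for tx in chain for o in tx.outputs if (o.txid, o.index) not in spent]


def _controlling_hash(out: Output) -> str:
    return pubkey_hash(bytes.fromhex(out.locker)) if out.kind == "p2pk" else out.locker


def quantum_exposure(chain):
    """Return (value controlled by already-exposed keys, total unspent value)."""
    revealed = exposed_keys(chain)
    exposed = total = 0
    for out in unspent_outputs(chain):
        total += out.value
        if _controlling_hash(out) in revealed:
            exposed += out.value
    return exposed, total


def reused_addresses(chain):
    """Addresses that spent once and still hold funds: exposed by reuse, not by design."""
    spenders = {pubkey_hash(pk) for tx in chain for (_, _, pk) in tx.inputs}
    return {_controlling_hash(o) for o in unspent_outputs(chain)
            if o.kind == "p2pkh" and _controlling_hash(o) in spenders}


def build_sample_chain():
    """Constructed two-transaction ledger: a coinbase and one spend with change reuse."""
    coinbase = Tx("tx0", inputs=[], outputs=[
        Output("tx0", 0, 50, "p2pk", PK_A.hex()),          # key exposed from day one
        Output("tx0", 1, 30, "p2pkh", pubkey_hash(PK_B)),
        Output("tx0", 2, 20, "p2pkh", pubkey_hash(PK_C)),
    ])
    spend = Tx("tx1", inputs=[("tx0", 1, PK_B)], outputs=[
        Output("tx1", 0, 10, "p2pkh", pubkey_hash(PK_B)),  # change sent back to the same address
        Output("tx1", 1, 20, "p2pkh", pubkey_hash(PK_C)),
    ])
    return [coinbase, spend]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("exposed/total:", quantum_exposure(chain))      # (60, 100)
    print("reused:", reused_addresses(chain))
```

On the sample ledger 60 of 100 units are controlled by keys already visible on-chain: the pay-to-pubkey output plus the change that went back to an address that had already signed. The same walk over a real chain is how the figures quoted from Deloitte and BitMEX Research are produced; for a wallet, the defensive takeaway is to send change to a fresh address so that a spend exposes only the key it must.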
Finally, current cryptography wasn’t built with agility in mind. Protocols like Bitcoin’s are hard-coded to ECDSA and specific hash functions. Swapping them out for new algorithms isn’t simple; it requires community consensus on a hard fork or a clever soft-fork hack. Ethereum is somewhat more flexible (it’s gone through multiple upgrades and has conceptually embraced the idea of account abstraction, which could allow different signature schemes to be used on the same network), but still, upgrading crypto primitives at scale is uncharted territory. The limitations of today’s methods thus extend beyond just math – they’re also baked into governance and technical debt.
The good news is the cryptography community has seen this coming and has been developing alternatives. So, what does the next generation of quantum-resistant cryptography look like, and can it plug into blockchains?
Post-Quantum Cryptography and NIST Standards
Post-quantum cryptography (PQC) refers to encryption and signature algorithms designed to be secure against quantum attacks. Importantly, these are mostly based on mathematical problems believed to be hard for both quantum and classical computers (unlike factoring or discrete log). Throughout the late 2010s and early 2020s, researchers worldwide proposed and analyzed dozens of candidate algorithms. In 2016, the U.S. National Institute of Standards and Technology (NIST) launched a formal process to evaluate these and select new cryptographic standards for the post-quantum era. After several rounds of scrutiny (and some dramatic defeats, like one algorithm being cracked by classical means during the competition), NIST announced its first set of winners in 2022.
For digital signatures, NIST’s primary recommendation is CRYSTALS-Dilithium, a lattice-based signature scheme, with FALCON (also lattice-based) as an option for use-cases needing smaller signatures, and SPHINCS+ (a hash-based signature scheme) as another alternative for those wanting a completely different security basis. For key encapsulation / key exchange, the top pick is CRYSTALS-Kyber (lattice-based), with some others like Classic McEliece (code-based) and BIKE/HQC (also code-based or structured lattices) as alternate choices. These algorithms are expected to be formally standardized by around 2024–2025 as the new FIPS standards.
What makes these algorithms “quantum-safe”? In the case of lattice-based cryptography (the foundation of Dilithium and Kyber), security comes from problems like the Shortest Vector Problem (SVP) or Learning With Errors (LWE) in a high-dimensional lattice. Intuitively, it’s like finding a needle in a multi-dimensional haystack – even quantum computers don’t have known efficient methods to solve these problems. Lattice schemes are quite efficient on classical computers and have reasonably sized keys and signatures (kilobytes rather than bytes, which is larger than ECDSA but manageable). For instance, a Dilithium signature might be a few kilobytes and verify quickly, and Kyber can perform key agreement with keys ~1.5 KB in size, with speeds comparable to RSA/ECDSA encryption today. This combination of speed and small size is why NIST gravitated to lattice algorithms for general use.
Other approaches include hash-based signatures (like SPHINCS+ or the stateful XMSS). These rely only on the security of hash functions, which are one of the most quantum-resistant primitives we have (Grover’s algorithm can brute-force hash preimages with a quadratic speedup, but that’s far less devastating than Shor’s polynomial speedup for factoring). Hash-based signatures are extremely secure in theory; however, they come with downsides: signatures can be huge (tens of kilobytes), and some types allow only a limited number of uses per key (stateful schemes require you to track usage of one-time keys). This makes them less practical for frequent transactions or bandwidth-limited environments. Still, they could be useful in certain blockchain contexts, perhaps for high-security multisig or as a stopgap measure.
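To make the two properties of hash-based signatures concrete (security resting only on the hash function, and a key that must never sign twice), here is an added example that is not code from the article or from any scheme it names: Lamport's one-time signature over SHA-256, the simplest member of the family that XMSS and SPHINCS+ build on, plus a small key-ring that enforces the single-use rule by advancing its state before releasing a signature. The KeyRing class and its message strings are constructed for illustration.

```python
"""Lamport one-time signatures with enforced single use (toy, SHA-256 based)."""
import hashlib
import secrets

BITS = 256  # one secret pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """Secret key: 256 pairs of random 32-byte preimages; public key: their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (BITS - 1 - i)) & 1


def sign(sk, msg: bytes):
    """Reveal one preimage per digest bit: left secret for 0, right secret for 1."""
    d = int.from_bytes(H(msg), "big")
    return [sk[i][_bit(d, i)] for i in range(BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    """Valid iff every revealed preimage hashes to the published value for that bit."""
    if len(sig) != BITS:
        return False
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(BITS))


def signature_size(sig) -> int:
    return sum(len(s) for s in sig)   # 256 * 32 = 8192 bytes, versus ~64 for ECDSA


class KeyRing:
    """Pool of one-time keys; refuses to reuse a key, as stateful schemes must."""

    def __init__(self, count: int):
        self.keys = [keygen() for _ in range(count)]
        self.next_unused = 0

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def remaining(self) -> int:
        return len(self.keys) - self.next_unused

    def sign(self, msg: bytes):
        if self.next_unused >= len(self.keys):
            raise RuntimeError("all one-time keys consumed; provision a new ring")
        idx = self.next_unused
        self.next_unused += 1          # commit the state change before signing
        sk, _ = self.keys[idx]
        return idx, sign(sk, msg)


if __name__ == "__main__":
    ring = KeyRing(2)
    idx, sig = ring.sign(b"constructed tx 1")
    print(idx, verify(ring.public_keys()[idx], b"constructed tx 1", sig), signature_size(sig))
```

Why the state must advance before the signature is handed out: each signature discloses half of the key's preimages, so a second signature with the same key on a different message discloses more of them and lets anyone assemble signatures on further messages. That is the failure the article attributes to stateful schemes, and the reason production deployments persist the counter durably (and why a backup restored to an old counter is dangerous). The 8 KB signature also illustrates the bandwidth cost the article mentions; XMSS and SPHINCS+ trade structure for smaller outputs but keep the hash-only security basis.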
There are also code-based cryptosystems (like McEliece, which has gigantic public keys but has withstood cryptanalysis since the 1970s) and multivariate quadratic schemes. These offer diversity – different hardness assumptions in case lattices or hashes have unforeseen weaknesses – but they tend to have large key sizes or slower performance, making them less attractive for blockchain use right now. Security experts often recommend a diverse portfolio of algorithms to hedge bets, but most likely, blockchains will favor lattice-based solutions and perhaps some hash-based techniques for specific purposes.
NIST Standards and Blockchain Adoption
The standardization by NIST is a big deal because it provides an agreed-upon set of algorithms that many industries (not just blockchain) will start adopting. By late 2025, we expect formal standards documentation for Dilithium, Kyber, etc., to be published. Many blockchain developers have been tracking this process closely. Ethereum researchers, for example, have already been experimenting with lattice-based signature schemes (like Dilithium) to see how they’d perform in practice on a blockchain. The goal is that once standards are finalized, the transition can begin with confidence that the algorithms have been vetted.
However, adopting these in a live blockchain isn’t plug-and-play. As we’ll discuss, PQC algorithms usually mean larger transaction sizes and perhaps heavier computation. But fundamentally, post-quantum cryptography gives blockchain communities a toolbox to defend themselves. It turns a seemingly insurmountable threat into a solvable (if difficult) engineering problem: update the cryptography before the bad guys have quantum weapons. The Ethereum community’s proactive stance – pushing for research and early integration of PQC – exemplifies how to use that toolbox. And indeed, Ethereum’s “Lean Ethereum” initiative is all about weaving quantum resistance into the fabric of the blockchain, alongside other simplifications.
Lean Ethereum: Simplifying for Quantum Resilience
In mid-2025, Ethereum Foundation researcher Justin Drake put forward a proposal dubbed “Lean Ethereum.” Its aim is straightforward to state but ambitious to execute: make Ethereum’s base layer as simple and robust as possible, while ensuring it can withstand future quantum-based attacks. This vision comes from a realization that Ethereum’s protocol, after years of rapid development, has grown quite complex. Unlike Bitcoin – which intentionally moves slowly and keeps things simple – Ethereum has added layer upon layer of new features (from state-rich smart contracts to various VM upgrades and layer-2 constructions). That complexity can breed bugs, raise the barrier for new developers, and even introduce security risks if obscure parts of the system hide vulnerabilities. Drake and others argue that now is the time to streamline Ethereum’s design, and that doing so goes hand-in-hand with preparing for quantum threats. A leaner Ethereum could be easier to upgrade with new cryptography and easier for nodes to secure and verify.
So, what does Lean Ethereum entail? The proposal targets Ethereum’s three main pillars – the execution layer (where smart contracts run), the data layer (how blockchain data is stored and accessed), and the consensus layer (how blocks are finalized) – and suggests reforms in each:
Zero-Knowledge-Powered Virtual Machines
For the execution layer, Drake proposes leveraging zero-knowledge proofs (ZK-proofs) to create “zero-knowledge powered virtual machines.” In simple terms, a ZK-powered VM would allow Ethereum to prove the correctness of computations on-chain without revealing all the underlying data. Instead of every node re-executing every smart contract instruction (as it happens now), a node could execute a batch of transactions and then produce a succinct proof that “these transactions were processed correctly.” Other nodes would just verify the proof, which is much faster than redoing all the work. This idea is already in the air thanks to zkRollups on Ethereum’s layer 2, but Drake’s vision is to bring it into layer 1 execution.
Crucially for quantum security, certain types of zero-knowledge proofs (especially those based on cryptographic hashes or other quantum-resistant assumptions) can make the execution layer quantum-resistant by default. If sensitive data and public keys are not exposed on-chain and ZK proofs are used for verification instead, the attack surface available to a quantum computer has already been narrowed. Even a quantum computer that wanted to forge a transaction would also have to forge the validity proof, and if the proof system is quantum-resistant (for example STARKs, which rely mainly on hashing and information-theoretic security), the attacker gains little advantage. In other words, a ZK VM can "shield" the execution layer. Drake's proposal fits a broader industry trend: zk-SNARKs and zk-STARKs have been combined for scaling and privacy, and now the same technology can serve as a security layer.
The concept may sound highly technical, but the idea is fairly intuitive: in future each Ethereum node does far less execution work, the chain becomes leaner, and security is raised by mathematical proofs that even a quantum computer would struggle to forge. This is a long-term research direction, turning the Ethereum Virtual Machine (EVM) or a next-generation VM into a ZK-friendly form, and work on it is beginning. Projects already exist that aim to build ZK-proving VMs (for example RISC Zero and others built on the RISC-V architecture, which we come to later). The Lean Ethereum plan would accelerate and coordinate such efforts and fold them into Ethereum's core development roadmap.
Data Availability Sampling
Another major pillar of Lean Ethereum is reducing the data-availability burden on nodes. Like every blockchain, Ethereum accumulates more transaction and block data over time. If every node must download and store every byte of every block to validate it, the hardware requirements for running a node keep rising; in the long run only those who can afford large storage and bandwidth can keep running nodes, which threatens decentralization. Data availability sampling (DAS) is a clever way to address this. Instead of requiring a full node to download all of a block's data, a node randomly samples small pieces of each block to verify that the block's data is complete and available.
How does it work? Think of erasure codes, or Reed-Solomon coding: a block's data is encoded redundantly, so that if you randomly check, say, 1% of the pieces and all of them check out, there is a 99.9999% or higher probability that the entire block's data is available. If some data is missing or corrupted, random sampling will catch it with very high probability. This lets nodes stay light yet secure: everyone knows that if block data goes missing, some node will notice, so security rests on a statistical guarantee. Ethereum's later sharding upgrades were already planned to use DAS to verify shard blocks. In proposing Lean Ethereum, Drake argues for extending the technique to the whole base layer: even the main chain would use DAS, and not every node would have to keep all the data forever.
DAS greatly simplifies node operation. Nodes no longer have to worry about unbounded data growth or about pruning old data (let alone trusting others to keep the data they pruned); sampling alone suffices for verification. It's like an audit: rather than checking every record, you check a representative sample, and the mathematics guarantees it is reliable enough. The chain's integrity is preserved without overloading nodes. That benefits decentralization in the long run (more people can run nodes) and makes the network more resilient to future challenges. It indirectly helps quantum security too: when nodes are easy to run and numerous, any attack, quantum or otherwise, is harder to pull off.
In short, data availability sampling streamlines verification. It's the blockchain equivalent of "you don't have to eat the whole cake to know how it tastes": a small slice is statistically sufficient. In Ethereum's implementation, block data is chopped into erasure-coded pieces and nodes randomly check a few of them. If any piece turns out to be unavailable, the whole block is treated as invalid (since someone may be deliberately withholding data). This idea is central to Ethereum's future Danksharding and fits Lean Ethereum's minimalism well.
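The sampling argument above rests on one property of the erasure code: once a block of N chunks is extended to 2N, any N chunks recover it, so an attacker who wants to make the block unrecoverable has to withhold more than half of the extended chunks, and every random sample then catches the withholding with probability at least 1/2. The following is an added example, not the article's or any Ethereum client's code: a systematic Reed-Solomon extension over the prime field GF(65537) (16-bit chunks, a size chosen here to keep the arithmetic small), recovery from any N chunks, a light-client sampler, and the (1/2)^k bound on a withheld block slipping past k samples. The sample data and seed are constructed.

```python
"""Data availability sampling over a Reed-Solomon-extended block (toy)."""
import random

P = 65537  # prime field; every 16-bit chunk value is a field element


def _lagrange_at(points, x):
    """Evaluate the unique polynomial through `points` at x, mod P."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def extend(data):
    """Systematic encoding: chunks 0..N-1 are the data, N..2N-1 are parity."""
    n = len(data)
    points = list(enumerate(data))
    return list(data) + [_lagrange_at(points, x) for x in range(n, 2 * n)]


def recover(available, n):
    """Rebuild the N data chunks from any N (index, value) pairs; None if too few."""
    if len(available) < n:
        return None
    points = sorted(available.items())[:n]
    return [_lagrange_at(points, x) for x in range(n)]


def sample(available, total_chunks, k, seed=0):
    """Light-client check: k distinct random positions must all be served."""
    rng = random.Random(seed)
    return all(idx in available for idx in rng.sample(range(total_chunks), k))


def miss_probability_bound(k):
    """A block is unrecoverable only if more than half of 2N chunks are withheld,
    so each independent sample exposes the withholding with probability >= 1/2."""
    return 0.5 ** k


if __name__ == "__main__":
    block = [1, 2, 3, 4, 65000]                 # constructed 5-chunk block
    ext = extend(block)
    parity_only = {i: ext[i] for i in range(5, 10)}
    print(recover(parity_only, 5) == block)      # True: any 5 of 10 suffice
    withheld = {i: ext[i] for i in range(4)}     # 6 of 10 chunks withheld
    print(recover(withheld, 5), sample(withheld, 10, 8, seed=7))  # None False
```

Two caveats the toy makes visible. First, the bound only holds if samples are drawn from the full extended range, parity included; sampling data chunks alone lets an adversary serve the data and hide the parity, or the reverse. Second, presence is not correctness: a real deployment binds each chunk to a commitment (Merkle or KZG) so that a served chunk with the wrong content is rejected, which this example does not model.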
Embracing RISC-V for Secure Consensus
The third focus of Lean Ethereum is the consensus layer: the part that decides which blocks are accepted and, under PoS, how forks are chosen, what validators are responsible for, and how the finality gadget operates. This layer is directly tied to how nodes process network messages and execute low-level code (signature verification, hashing and so on). Drake's suggestion is to adopt the RISC-V architecture as the computational foundation for consensus. RISC-V is an open-source reduced-instruction-set computer architecture; put simply, it offers a very lean, easily understood set of machine instructions that is smaller and more consistent than typical instruction sets. Why does that matter for a blockchain? Simplicity and security. A smaller, widely understood instruction set is easier to analyze, and harder to hide bugs or backdoors in. If Ethereum's consensus rules and any consensus-level logic or VM were described in (or compiled to) RISC-V, both verification and execution would become more trustworthy.
In practice this means Ethereum client software could in future execute critical consensus logic on a RISC-V VM rather than in high-level languages, reducing complexity. Some even envision turning Ethereum's state transition function into a very low-level, fully deterministic design. RISC-V's greatest advantages are its leanness and verifiability. It is unencumbered by patents (unlike x86, which is complex and closed), and its modular design lets you add only the features you need. Proponents argue this reduces the attack surface: fewer components mean fewer bugs and security holes.
How does RISC-V help with quantum resistance? It isn't a quantum-resistant algorithm itself, but it makes Ethereum leaner and more flexible. Swapping cryptographic algorithms (for example, moving to a post-quantum signature scheme) is simpler on a clean, unified architecture. Moreover, some quantum-resistant algorithms may benefit from dedicated hardware, and with RISC-V you can add custom accelerators or instructions without breaking compatibility, because it is an extensible standard. Vitalik Buterin has also strongly backed experimenting with RISC-V in Ethereum; in fact, in April 2025 Buterin published a four-step plan for Ethereum to gradually transition to a RISC-V architecture to improve the network's speed and security.
Moving to RISC-V won't happen overnight; the blockchain won't switch all at once. The ideal is a phased rollout over the next few years, for example by first shipping an alternative client built on RISC-V, or by using it for certain internal computations before gradually folding it into the core architecture. The direction reflects Ethereum's wish to draw on Bitcoin's conservatism without giving up innovation. Buterin greatly admires Bitcoin's simple architecture (its opcode design, for instance) and wants Ethereum to "be as simple as Bitcoin" within five years. Embracing the minimalist RISC-V architecture is part of that thinking.
Community Support and Developer Insights
Justin Drake's Lean Ethereum didn't come out of nowhere. A growing share of the Ethereum developer community feels that protocol complexity must be reined in for the sake of security and sustainability. Ethereum's greatest strengths have always been flexibility and fast evolution, but these have also brought "excessive development spending, a range of security risks, and an overly insular R&D circle, often without delivering real benefits," as Vitalik Buterin recently put it. In mid-2025 Buterin publicly stated that he too wants Ethereum to move toward simplicity, saying he hopes the technology stack will converge toward Bitcoin's straightforward (if limited) design within five years. Coming from a co-founder, this amounts to a green light for Lean Ethereum's "declutter and focus on engineering quality" effort.
Vitalik also supports strengthening quantum resistance. He has repeatedly cited account abstraction and cryptographic agility as priorities on Ethereum's long-term roadmap. The great advantage of account abstraction is that an account can use a variety of signature algorithms, even several at once. For example, your wallet could hold both a traditional ECDSA key and a post-quantum public key, and the protocol could accept either (or require both) as valid. That allows a smooth migration to quantum-safe keys without forcing the whole network to switch at once. Buterin and other experts suggest letting users opt in at first. As for the "Endgame" (Ethereum's final state), quantum-resistant cryptography is now on the roadmap, to follow once the sharding and rollup layers have shipped.
Beyond the Ethereum Foundation, the developer community is also weighing other quantum-safety proposals. One of the better known comes from Dr. XinXin Fan, head of cryptography at IoTeX (a blockchain project focused on the Internet of Things). In 2024 Dr. Fan co-authored a paper … migrating Ethereum to post-quantum security and won a “Best Paper” award for it. His proposal centers on using hash-based zero-knowledge proofs to secure Ethereum transactions. In an interview, Dr. Fan explained that you could append a tiny zero-knowledge proof to each transaction proving that the signature (ECDSA) is valid without revealing the signature itself. The trick is to design that proof in a quantum-resistant way (using hash-based techniques, like zk-STARKs). The result: even if ECDSA becomes vulnerable, an attacker can’t forge the proof without breaking the hash-based scheme, and users wouldn’t even need to change their wallets immediately. In simpler terms, Fan’s method adds an extra layer of quantum-safe validation to transactions, invisibly to the user. “The way we are implementing this allows the user to use their current wallet, but we attach each transaction with a zero-knowledge proof that is quantum-safe,” he said. This approach emphasizes usability – it’s aiming for a seamless transition where users don’t have to manage new keys or addresses, at least initially.
Such ideas show that the developer community isn’t solely relying on one strategy. Ethereum’s core devs are simplifying and building upgrade pathways, while researchers in academia and other projects are inventing clever patches and additions that could enhance quantum resilience. It’s a “defense in depth” mindset: if one approach proves too slow or insufficient, another might cover the gap.
The collective effort is also formalizing in collaborative groups. For instance, an industry coalition called the Cryptocurrency Quantum Resistance Alliance (CQRA) has been formed, bringing together teams from over a dozen blockchain projects to coordinate on standards and research. Their goal is to avoid a fractured outcome where different chains implement completely different quantum solutions that don’t interoperate. Ethereum is a part of these conversations, as are developers from Bitcoin and various altcoins.
In summary, Ethereum’s push for a lean, quantum-secure design is supported by both its leadership and the community at large. Drake may have coined “Lean Ethereum,” but its themes resonate widely. Ethereum’s culture is often at the forefront of technical innovation in crypto, and here again it seems to be taking a proactive stance: better to start the hard work of quantum-proofing now, than to scramble under duress later. Next, we’ll compare how Ethereum’s stance compares to that of Bitcoin and other networks, to see who else is stepping up – and who might be lagging behind – in the race for quantum safety.
Ethereum vs. Bitcoin (and Others) on Quantum Readiness
How does Ethereum’s roadmap for quantum security stack up against Bitcoin’s, or against other blockchain projects? The contrast is striking. Bitcoin, true to form, has been extremely cautious and slow-moving in this arena. As of 2025, there is no official Bitcoin Improvement Proposal (BIP) approved or implemented for post-quantum cryptography. The topic of quantum resistance is discussed in Bitcoin circles, but largely in theoretical terms. Part of the reason is cultural: Bitcoin’s core developers prioritize stability and minimal changes, especially to fundamental components like the signature scheme. Another reason is that any switch would likely require a hard fork – a coordinated network-wide change – which the Bitcoin community is generally loath to do unless absolutely necessary.
Some proposals have been floated in Bitcoin forums. For example, developer Agustin Cruz introduced an idea called QRAMP (Quantum-Ready Address Migration Proposal) which envisions a hard fork to migrate all bitcoins to quantum-safe addresses. Essentially, it suggests giving every BTC holder a window to move their coins to new addresses secured by a post-quantum signature (perhaps something like XMSS or Dilithium), and eventually rendering the old ECDSA-based addresses invalid. It’s a dramatic plan, but one that guarantees no coins get left in vulnerable form. However, QRAMP is far from being implemented; it’s more of a thought experiment at this stage, precisely because it would break backward compatibility and needs overwhelming consensus. More modest suggestions for Bitcoin include introducing new address types that are quantum-resistant (so users could opt in to safety) or using cross-chain swaps to move to a quantum-safe sidechain. None of these have advanced beyond discussion or early research.
The reality is, if quantum computing became an imminent threat, Bitcoin would face a tough dilemma: how to do a once-in-a-generation upgrade quickly without splitting the network. A gradual transition with dual-signature support (accepting transactions that have both an ECDSA signature and a post-quantum signature during a long transition phase) is one idea. Another is an emergency hard fork, essentially a do-or-die event if a quantum hack is detected. But until there’s clear danger, Bitcoin’s inertia is likely to continue. The lesson from the Taproot upgrade – which was a relatively minor improvement taking years of debate and coordination to activate in 2021 – is that a quantum-driven change would be even more contentious and complex. And indeed, Taproot, while improving privacy and flexibility, did nothing to address quantum vulnerabilities in Bitcoin’s cryptography.
One very concrete measure of Bitcoin’s exposure comes from BitMEX Research, which pointed out that about 2.5 million BTC are held in addresses known as Pay-to-Pubkey (P2PK) where the public key is directly on the blockchain (an artifact of early Bitcoin transactions, including Satoshi’s coins). These coins, worth tens of billions, could be immediately stolen by a quantum computer that can do ECDSA breaking – no waiting for the owner to transact, since the public keys are already out there. There’s an informal understanding that if a quantum threat became urgent, Bitcoin developers might sound the alarm and try something drastic to secure those, possibly via a rapid hard fork that “locks down” old outputs. But that scenario veers into territory that Bitcoiners avoid contemplating: violating some of the sacrosanct rules of the ledger to save it. It underscores the governance challenge: Bitcoin’s greatest strength (decentralized, conservative governance) could be a weakness in reacting swiftly to quantum threats.
Ethereum, by contrast, has shown it can evolve when needed. The transition from proof-of-work to proof-of-stake in 2022–2023 (the Merge) is a prime example of a major, coordinated technical overhaul that succeeded. Ethereum’s culture is more open to upgrading and iterating. That said, Ethereum also requires consensus for big changes and faces the danger of splits (recall Ethereum itself split into ETH and Ethereum Classic in 2016 over the DAO incident). The approach Ethereum is taking toward quantum readiness is to bake it into the roadmap early. Vitalik Buterin has indicated that after the current slate of scaling improvements (sharding, rollups, etc.), the “Endgame” upgrades would likely include switching out cryptography for quantum-resistant alternatives. Work is already being done in testnets and research to gauge the performance hit. For instance, experiments show that replacing Ethereum’s ECDSA with Dilithium (post-quantum signatures) would bloat transaction sizes by about 2.3 KB and increase gas costs roughly 40–60% for a basic transfer. That’s a noticeable overhead, but not a deal-breaker given Ethereum’s other scaling plans (like Proto-Danksharding, which massively increases data throughput). The Ethereum community could potentially absorb such costs, especially if quantum security was on the line.
Ethereum’s notion of cryptographic agility – the ability to change cryptographic algorithms with minimal disruption – is likely to be key. This could involve contract-level changes (like new precompiled contracts or opcodes for verifying PQ signatures) and client-level support for multiple algorithms in parallel. In fact, one could imagine an Ethereum hard fork where for a period, every transaction needs two signatures: one from the old scheme and one from the new. That way, even if one is broken, the other stands as a safety net. Such hybrid approaches are discussed in Ethereum research circles and would mirror what some security experts recommend (for example, the U.S. NSA has advocated for “crypto agility” in protocols for years, anticipating transitions like this).
What about other blockchains beyond Bitcoin and Ethereum? There’s a spectrum of approaches:
-
A few smaller projects have been quantum-resistant from day one. The most notable is the Quantum Resistant Ledger (QRL), launched in 2018 specifically to address the quantum threat. QRL uses a hash-based signature scheme (XMSS – eXtended Merkle Signature Scheme) for all transactions. This means its addresses and signatures are quantum-safe by design. The project has demonstrated that such a blockchain can function, though not without trade-offs. QRL’s signatures are about 2.5 KB each on average (compared to Bitcoin’s ~72 bytes), which makes transactions bigger and the blockchain grow faster in size. Indeed, QRL’s chain grows roughly 3.5 times faster per transaction than Bitcoin’s because of this overhead. So far, QRL has produced millions of blocks with no security issues, showcasing that hash-based cryptography is viable in practice. But its relatively large resource needs and niche status mean it hasn’t been widely adopted outside its community.
-
少數細規模專案一出世已經全量子抗性。最著名就係Quantum Resistant Ledger(QRL),2018年為咗解決量子威脅而成立。QRL所有交易都用哈希基礎簽名(XMSS,即eXtended Merkle Signature Scheme),設計上地址、簽名全部係量子安全。佢證明左咁做的確可行,但有明顯trade-off。QRL平均每個簽名要2.5KB(比特幣只係~72bytes),使得交易肥咗、區塊鏈增長比比特幣快好多。真係計算,QRL區鏈增速大約係比特幣每交易3.5倍。不過到目前,QRL已經生產咗幾百萬個區塊,未有出現明顯安全問題,證明哈希加密確實實務可行。但因為資源需求幾大又偏門,係圈外未算受歡迎。
-
Other established networks have dabbled in quantum security. IOTA, for example, early on touted quantum-resistant signatures (it used a variant of Winternitz One-Time Signatures). However, that introduced complexity – users couldn’t re-use addresses safely, which led to a lot of confusion and even vulnerabilities when users did accidentally reuse them. IOTA later switched back to classical Ed25519 signatures in an upgrade (Chrysalis) to improve performance and UX, essentially postponing the quantum issue. They have plans to reintroduce PQC (likely following NIST standards) in a future Coordicide upgrade once it’s more mature. IOTA’s journey is instructive: it shows the tension between security idealism and practical usability.
Some newer platforms make quantum resistance a selling point. QANplatform, for example, claims to have integrated lattice-based algorithms (Kyber and Dilithium, the ones NIST selected) into its smart-contract platform. It uses a hybrid mode in which classical and PQ algorithms coexist, which may make the migration easier. These projects are small for now, but they can serve as test beds for how PQC behaves in a blockchain environment. Encouragingly, QANplatform reports that its lattice-based transaction verification takes about 1.2 seconds, roughly on par with ordinary blockchains. In other words, there is a real performance gap, but it is one today's technology can already handle.
It is worth noting that even some "traditional" blockchains have begun acknowledging the issue in official documents and filings. BlackRock, the world's largest asset manager, explicitly listed quantum computing as a potential risk to Bitcoin in its SEC filing for a Bitcoin ETF. When institutions managing trillions start warning about quantum risk, the issue is no longer merely academic; it has entered the financial mainstream.
In summary, Ethereum has been comparatively proactive on quantum security, writing it into its roadmap early and actively rallying developers around it. Bitcoin is aware of the problem but remains more passive: absent pressure it may not move, and there is some hoping that "it will be a while yet". Smaller projects have already put quantum-safe cryptography into practice, testing the technology and exposing its challenges, though at nowhere near the scale of Bitcoin or Ethereum. Many other blockchains have not formally confronted the topic at all, which could become a blind spot as the 2030s arrive. Ethereum's approach, and Lean Ethereum's emphasis on simplification and preparing ahead of time in particular, could become a model if it succeeds: hardening the network gradually and on an opt-in basis rather than scrambling at the last minute. Overcoming the obstacles will not be easy, however, and we turn next to what to watch for when weighing the benefits against the risks.
Benefits, Costs and Risks of Quantum-Resistant Upgrades
Making a blockchain quantum-resistant is no simple matter: there are clear benefits, but also non-trivial costs. Taking Ethereum's plan as the example, we break down the pros and cons of moving to quantum-safe cryptography, together with the potential risks.
Benefits of Becoming Quantum-Safe Early
The most direct benefit is long-term security. It lays the foundation for resisting quantum attacks in the future, ensuring that assets and transactions stay safe even as quantum computing advances. This matters: holders of BTC or ETH should not have to worry that a quantum hacker will drain their wallets overnight. Because the system survives on trust, preserving its security guarantees is preserving its reason to exist. Economically, the first major blockchain to become securely quantum-resistant has the potential to build a reputation as the most valuable store of value of the 2030s, attracting capital that fears quantum risk.
Another advantage is that the upgrade is an opportunity to optimise and tidy up the protocol at the same time. Ethereum's Lean initiative is an example: while addressing quantum security it also simplifies the architecture, lightens node requirements and improves scalability, refactoring a system that has grown too complex. Introducing new cryptography can also unlock new features. Some lattice-based algorithms have convenient properties: they can make aggregate signatures (many signatures combined into one) easier, and some even support zero-knowledge proofs natively. Quantum-resistant cryptography could therefore upgrade blockchain privacy and smart-contract capabilities, enabling things ECDSA cannot. In essence, responding to a new threat can also drive innovation and ultimately leave the network stronger and more versatile.
There are coordination benefits too. Acting early, rather than waiting for an incident, allows the migration mechanism to be designed carefully, lets stakeholders (exchanges, wallets, custodians) take part, and gives users time to learn and prepare, which is far better than a chaotic emergency response later. Some in the community point out that doing nothing until disaster strikes is the worst case, since confidence can collapse overnight. So even though the upgrade has costs (discussed below), its value lies mainly in preventing much larger costs later.
Trade-offs and Costs
The biggest trade-offs in switching to post-quantum algorithms centre on performance, efficiency and complexity. Today's PQC algorithms are heavier than existing ones in every respect:
- Larger keys and signatures: a signature on Bitcoin or Ethereum today is roughly 64 bytes. A PQ signature such as Dilithium's can run to several kilobytes, so transactions immediately get bigger. Unless blocks are enlarged or the gas limit raised, a block holds fewer transactions (and larger blocks bring propagation and storage pressure of their own). If Ethereum adopted a 2.3 KB signature, roughly 30–50 times larger, blocks would have to grow or carry fewer transactions each, directly affecting block space and fees: users pay more for the extra bytes, or the network raises its capacity and increases the load on nodes. Public keys may grow too (although for some schemes, such as Dilithium, the public key is not far from ECDSA's 33 bytes; it depends on the scheme).
- Heavier computation: PQC generally needs more computation. Verifying a lattice-based signature, for instance, involves many matrix operations and sampling steps; hash-based signatures require a great many hash evaluations. This can be optimised (academic work on acceleration is under way), but at present a full node verifying several hundred ECDSA signatures per second is easy, whereas verifying the same number of PQC signatures may already push the hardware to its limits. Ethereum research suggests that with optimisation the cost of verifying lattice signatures can be brought to within 2–3 times that of ECDSA, acceptable but still an increase: nodes do more work, and block producers need stronger hardware to keep up. Chains that prioritise high TPS have more to worry about, since heavier cryptography raises the risk of a bottleneck.
- Storage and bandwidth: with bigger data, full nodes need more storage and more bandwidth to download blocks, and over time the chain grows faster. Years on, without remedies such as pruning or state expiry, fewer and fewer people would be willing to run a full node. Some mitigations exist, such as signature aggregation (combining many signatures into one), which helps limit the bloat. Ethereum already uses BLS signature aggregation at the consensus layer and could apply a suitable scheme to transactions in future. Another idea is to move signature verification to layer 2 or off-chain and post only a proof on the main chain (a rollup handles the heavy cryptography and submits just the proof to layer 1).
- Usability considerations: some PQ schemes are stateful (such as XMSS or Merkle signatures), meaning a key cannot be reused many times, which is a headache for users and developers alike; IOTA ran into exactly this early on. The trade-off is more complex wallet management. Fortunately the schemes NIST selected (Dilithium, Falcon, ...) are stateless and can be used like today's ECDSA without worrying about reuse. But a blockchain that chooses XMSS for its very high practical resistance would have to live with one-time keys and the user friction they bring.
- Economic incentives and coordination: a less tangible trade-off is that not everyone sees an immediate benefit from upgrading, while higher fees and slower speeds are felt straight away, which makes coordination hard. If Ethereum offered an optional "quantum-safe address", some users would find it too big and expensive and keep putting off the switch, leaving parts of the network secure and parts not, a split in effect: security pulling against efficiency. Large holders and exchanges might adopt quantum-safe addresses early (perhaps with rewards or fee discounts as encouragement) while smaller users stay on the old model until forced. In the meantime legacy addresses become the weak point that quantum attackers can focus on. The end result is uneven security, some ultra-secure and some paper-thin, and if one subset of users is hit, confidence suffers across the board.
Risks and Challenges
Upgrading to quantum-safe cryptography carries several risks:
- Governance and community risk: pushing through a major change can split a community. Blockchain communities have fractured before (the block-size debate, the smart-contract rollback, ...). A contentious quantum upgrade could in theory trigger a fork, with one side insisting on upgrading and another refusing to abandon the classic crypto. If that happened, it would be chaotic – which chain is “real” Bitcoin or Ethereum? Does the upgraded one win out or does value split? Attackers could even exploit the confusion. Avoiding this requires near-unanimous agreement or very careful planning and communication. Ethereum’s advantage is its community is generally tech-forward and likely to coalesce around a sensible upgrade if the need is clear. Bitcoin’s risk of a split might be higher because there’s a strong “don’t change what isn’t broken” sentiment until absolutely necessary.
- New Tech Bugs: Introducing new cryptography and protocols invites the possibility of implementation bugs. The cryptographic algorithms themselves may be secure, but the way they’re integrated could have flaws. We’ve seen this historically: early implementations of new crypto (even post-quantum candidates) sometimes had side-channel leaks or memory bugs. In a blockchain, a bug in signature validation or address parsing could be disastrous (imagine if someone found a way to fake a PQ signature due to a software bug – it could lead to theft or chain consensus issues). Rigorous testing, audits, and maybe phased rollouts (starting in testnets, then optional on mainnet, etc.) are crucial to mitigate this.
- Algorithmic Uncertainty: While the PQC algorithms chosen by NIST underwent a lot of scrutiny, it’s not impossible that some weakness is found in the future. The history of cryptography is full of algorithms that were trusted for a while then got broken (for instance, certain lattice schemes or multivariate schemes fell to advanced math or even brute force improvements). If the blockchain bets on one algorithm and it turns out sub-par, you’d have to pivot again. This is why experts advise cryptographic diversity – not putting all eggs in one algorithm basket. Ethereum’s notion of agility and supporting multiple algorithms can hedge this risk. But doing multiple algorithms also means more code and complexity, which is itself a risk. It’s a tricky balance.
- Partial Measures vs. Comprehensive Fixes: Some interim solutions (like the “quantum vaults” or wrapping keys in quantum-safe layers) might give a false sense of security if people assume the problem is solved when it’s not system-wide. For instance, a custodian might secure its large cold wallet with a quantum-safe scheme, but the network as a whole is still on old crypto. This is fine – it protects that custodian – but if observers think “oh, Bitcoin is handling quantum now,” it could delay necessary broader action. Also, those user-level solutions can create haves and have-nots in security, as mentioned. It risks leaving the smaller players exposed, which ethically and practically is a problem.
- Timing and Complacency: Perhaps the biggest risk is timing. Move too early, and you incur costs and complexity perhaps unnecessarily (if large-scale quantum computers take 20+ years, there was more time to let tech improve). But move too late, and obviously you’re in trouble. There’s also the scenario of a stealth advance in quantum tech – what if a government or a corporation achieves a breakthrough in secret? The crypto community might not know until suddenly addresses start getting drained. This is the nightmare scenario because the response time would be near zero. It’s unlikely (most believe quantum progress will be visible via academic and industry milestones), but not impossible. This uncertainty leads some to advocate sooner-rather-than-later for upgrades. But it’s a hard sell to the public when the threat still seems abstract to many. One could say there’s a communication challenge: how to convey the urgency of quantum risk without causing unwarranted fear or pushing people away from crypto? It must be framed as a solvable, active engineering problem – which is exactly how Ethereum is treating it.
In weighing all this, it’s clear there are no simple answers, but Ethereum’s strategy attempts to maximize benefits and minimize risks by doing things gradually and in a technically open way. They’re not betting on a single silver bullet, but a combination (simplify the system, add PQC, use ZK proofs, etc.). This multi-pronged approach might dilute some trade-offs (for example, if ZK-proofs lighten the load, they can offset heavier signatures). It’s also spreading the transition out over years, which could reduce shock. In contrast, if a crisis hit, Bitcoin might have to do a rapid, heavy trade-off (like “everyone move in the next 6 months or your coins are burned”) – effective if it works, but socially and technically extreme.
Now, assuming these upgrades do happen successfully, what then? Let’s look at what a quantum-resistant Ethereum (and crypto industry) means for the various participants and the ecosystem as a whole.
Long-Term Implications for Users, Developers, and the Crypto Industry
If Ethereum and other blockchains execute a quantum-secure transition well, the long-term outlook for the crypto ecosystem remains strong – arguably stronger than before. Here are some key implications for different stakeholders:
For Everyday Users and Holders
The ideal outcome is that users experience the quantum upgrade as a non-event in their day-to-day usage. They might notice some changes – perhaps new address formats or slightly higher transaction fees due to bigger transactions – but otherwise continue transacting as normal. Achieving that seamless feel will take work: wallet software will need to handle new cryptography under the hood without making users do complicated steps. In Ethereum’s case, account abstraction could allow a wallet to manage multiple key types so the user doesn’t have to think about whether they’re using an ECDSA key or a Dilithium key – it “just works.” Users may eventually be prompted to migrate funds to a new address (as a one-time security upgrade), but with clear instructions and perhaps tools that automate most of it, the process can be user-friendly. Think of it like when HTTPS became the norm on websites – under the hood a big crypto change happened (symmetric keys got longer, certs got stronger), but users just saw a lock icon in their browser and perhaps had to update some software.
One piece of advice that’s already emerging for crypto holders is to practice good “key hygiene” even before quantum hits. This includes things like avoiding address reuse – don’t keep using the same address for thousands of transactions; generate new ones periodically so your public key isn’t constantly exposed. Also, key rotation – moving funds to fresh addresses every so often (which implicitly means new keys) – could mitigate some risk, because an old address that hasn’t been used in years with an exposed key is more vulnerable than one that’s new. Multisignature wallets are another safeguard; even if one key were cracked, the attacker would need others to move funds. And of course, cold storage (keeping coins in addresses whose keys have never touched an online device) remains a recommended practice; those coins’ public keys aren’t revealed until you make a transaction, which gives quantum adversaries no target until you decide to move them. These are measures users can take now, and many already do as basic security. They also happen to align well with reducing quantum exposure. In the long run, after upgrades, users might not need to worry about this as much, but it’s a healthy habit regardless.
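As an added example (our code, not the article's or any project's), here is a small wallet-hygiene audit of the kind the advice above implies. Given a constructed transaction history for the addresses a wallet controls, it flags addresses that have already signed a spend (on an address-based chain like Ethereum that puts the public key on chain, since it is recoverable from the signature) and still hold funds, which are the ones worth rotating to a fresh address. The ledger model, the sample transactions and the function names are ours.

```python
"""Added example, not code from the article: a wallet-hygiene audit over a
constructed, address-based (Ethereum-style) transaction history.  An
address that has signed a spend has put its public key on chain; if it
still holds funds it is the kind of address the advice above says to
rotate away from.  Function names and sample data are ours."""
from collections import defaultdict

# Constructed sample history as (sender, receiver, amount); "external"
# stands in for inflows from outside the wallet.
SAMPLE_TXS = [
    ("external", "addr_A", 10),
    ("external", "addr_B", 5),
    ("addr_A", "addr_C", 4),    # addr_A signs a spend: its public key is now public
    ("addr_B", "addr_D", 5),    # addr_B spends everything it had
    ("external", "addr_A", 3),  # new funds land on an already-exposed address
]
OWNED = {"addr_A", "addr_B", "addr_C", "addr_D"}

def audit(txs, owned):
    """Map each owned address to (balance, status).  Statuses:
    exposed-funded, exposed-empty, unexposed-funded, unused."""
    balance = defaultdict(int)
    exposed = set()
    for sender, receiver, amount in txs:
        balance[sender] -= amount
        balance[receiver] += amount
        if sender in owned:
            exposed.add(sender)   # signing a spend reveals the public key
    report = {}
    for addr in owned:
        funded = balance[addr] > 0
        if addr in exposed:
            status = "exposed-funded" if funded else "exposed-empty"
        else:
            status = "unexposed-funded" if funded else "unused"
        report[addr] = (balance[addr], status)
    return report

def rotation_candidates(report):
    """Addresses whose funds should move to a fresh, never-spent address."""
    return sorted(a for a, (_, s) in report.items() if s == "exposed-funded")

def exposure_share(report):
    """Fraction of the wallet's funds sitting behind an already-public key
    (the wallet-level analogue of the ~25% figure cited for Bitcoin)."""
    total = sum(b for b, _ in report.values() if b > 0)
    at_risk = sum(b for b, s in report.values() if s == "exposed-funded")
    return at_risk / total if total else 0.0
```

On the sample data, `addr_A` is reported as exposed and funded (receiving new funds on an address that has already spent does not undo the exposure), `addr_B` is exposed but empty, and half of the wallet's funds sit behind a public key, so `rotation_candidates` returns only `addr_A`.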
If the industry handles it poorly, users could face more dramatic impacts: for instance, being forced to manually convert all their assets to new formats under time pressure, or even losing funds if deadlines pass. But given the awareness we see, it’s likely there will be ample warnings and grace periods. One positive implication is that users might become more educated about the cryptography behind their assets. The quantum discussion can spur broader public knowledge of how crypto actually works. We saw a bit of this when the community learned about different signature schemes and address types; quantum might similarly push people to learn about lattice cryptography or why one address is safer than another. That demystification can be empowering and reduce the reliance on a few experts.
For Developers and Protocol Engineers
For developers – both those working on core protocols and those building applications – a quantum-resilient future means new tools and new paradigms. Core devs will need to be proficient in implementing and optimizing post-quantum algorithms. We might see an uptick in demand for cryptography experts in the blockchain space (already a trend). Libraries that handle signatures, key generation, hashing, etc., will get overhauled, so developers maintaining blockchain clients or writing smart contracts that verify signatures (think of complex contracts that do multisig or custom crypto stuff) will have to update their code.
One big implication is the importance of cryptographic agility in system design, which we mentioned. Developers will likely architect systems with upgradable cryptography in mind. That might mean designing smart contracts or protocols that aren’t rigid about one algorithm. It’s a mindset shift from “ECDSA everywhere” to “maybe this year’s scheme is X, but we might slot in Y later.” We already see some of that: e.g., Ethereum’s move toward account abstraction can let developers specify alternative verification logic for transactions (say, a contract wallet could require a Dilithium signature instead of an ECDSA signature). This kind of flexibility is going to be invaluable and will probably become a best practice in new blockchain designs.
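To make the signature-size trade-off and the stateful-key caveat from the trade-offs list above concrete, together with the pluggable-verification idea in this paragraph, here is an added example (our code, not the article's or any project's): a textbook Winternitz one-time signature over SHA-256, a signer that tracks which one-time keys have been used, and a contract-wallet style account that dispatches on an algorithm identifier. The names StatefulSigner and AgileAccount and the sample message are ours; WOTS is used because it runs on the standard library alone, whereas Dilithium would need an external library.

```python
"""Added example, not code from the article or any project it names.
A textbook Winternitz one-time signature (WOTS) over SHA-256 makes three
points from the text concrete: the size of a hash-based signature next to
a 64-byte ECDSA one, why a stateful scheme must never reuse a one-time key,
and how a contract wallet can dispatch on an algorithm id so the scheme can
be swapped later.  StatefulSigner and AgileAccount are our names; the
message signed in demo() is constructed."""
import hashlib
import secrets

N = 32     # bytes per hash output / chain element
W = 16     # Winternitz parameter: one chain per base-16 digit
LEN1 = 64  # a 256-bit digest is 64 base-16 digits
LEN2 = 3   # checksum digits: max checksum 64 * 15 = 960 < 16 ** 3
LEN = LEN1 + LEN2

def _chain(x, steps):
    """Apply SHA-256 `steps` times (the WOTS hash chain)."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def _digits(msg):
    """Base-16 digits of SHA-256(msg) followed by the WOTS checksum digits."""
    m = [v for b in hashlib.sha256(msg).digest() for v in (b >> 4, b & 0xF)]
    csum = sum(W - 1 - v for v in m)
    return m + [(csum >> (4 * i)) & 0xF for i in reversed(range(LEN2))]

def wots_keygen():
    """One-time key pair: LEN random chain starts; public key = chain ends."""
    sk = [secrets.token_bytes(N) for _ in range(LEN)]
    return sk, [_chain(s, W - 1) for s in sk]

def wots_sign(sk, msg):
    return b"".join(_chain(s, d) for s, d in zip(sk, _digits(msg)))

def wots_verify(pk, msg, sig):
    if len(sig) != LEN * N:
        return False
    parts = [sig[i * N:(i + 1) * N] for i in range(LEN)]
    return all(_chain(p, W - 1 - d) == k
               for p, d, k in zip(parts, _digits(msg), pk))

def signature_overhead(classical_bytes=64):
    """(WOTS signature size in bytes, ratio to a classical signature)."""
    return LEN * N, LEN * N / classical_bytes

class StatefulSigner:
    """A batch of one-time keys with an index that only moves forward.
    Real stateful schemes (XMSS) persist this index; losing or cloning it
    is the hazard the text describes, so used private keys are erased and
    running out is an error rather than a silent reuse."""

    def __init__(self, count):
        self._keys = [wots_keygen() for _ in range(count)]
        self.public_keys = [pk for _, pk in self._keys]
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= len(self._keys):
            raise RuntimeError("one-time keys exhausted: rotate key set")
        idx, sk = self.next_index, self._keys[self.next_index][0]
        self._keys[idx] = (None, self.public_keys[idx])  # burn the used key
        self.next_index += 1
        return idx, wots_sign(sk, msg)

def _verify_wots_envelope(pks, msg, env):
    idx = env.get("idx", -1)
    return 0 <= idx < len(pks) and wots_verify(pks[idx], msg, env["sig"])

# Verification logic keyed by algorithm id: adding a scheme later means
# adding an entry here, not changing the account's validation code.
VERIFIERS = {"wots-sha256": _verify_wots_envelope}

class AgileAccount:
    """Contract-wallet style validation: the envelope names its algorithm
    and the account's policy decides which ids it accepts."""

    def __init__(self, allowed, keys):
        self.allowed, self.keys = set(allowed), keys

    def validate(self, env, msg):
        alg = env.get("alg")
        if alg not in self.allowed or alg not in VERIFIERS:
            return False  # unknown or disallowed scheme: fail closed
        return VERIFIERS[alg](self.keys[alg], msg, env)

def demo():
    """Sign and verify, reject a tampered message and a legacy scheme, and
    show the signer refusing to sign once its one-time keys are used up."""
    signer = StatefulSigner(2)
    acct = AgileAccount(["wots-sha256"], {"wots-sha256": signer.public_keys})
    msg = b"constructed message: send 1 ETH to 0x0000...placeholder"
    idx, sig = signer.sign(msg)
    env = {"alg": "wots-sha256", "idx": idx, "sig": sig}
    out = {"ok": acct.validate(env, msg),
           "tampered": acct.validate(env, msg + b"!"),
           "legacy": acct.validate({"alg": "ecdsa-secp256k1", "sig": b""}, msg),
           "sig_bytes": len(sig)}
    signer.sign(b"second message")
    try:
        signer.sign(b"third message")
        out["exhausted"] = False
    except RuntimeError:
        out["exhausted"] = True
    return out
```

With w = 16 and SHA-256, a WOTS signature is 67 × 32 = 2,144 bytes, close to the ~2.5 KB QRL figure quoted earlier and about 33 times a 64-byte ECDSA signature, which is the block-space cost the trade-offs list describes. The stateful signer erases each private key once used and raises rather than reusing one, and an envelope tagged with an unregistered or disallowed algorithm id is rejected before any verification is attempted, so a policy change (say, dropping a broken scheme) is a one-line edit to the registry or the allow-list.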
For application developers (like those making dApps or services), the changes might be subtle. They might rely on the underlying blockchain or wallet libraries to handle the crypto details. But they should be aware of things like transaction size changes (perhaps … adjusting gas limits in the application), and possibly new transaction types or opcodes. Documentation and educational resources will need updating too. The good news is that once the hard work at the protocol layer is done, application developers get a more secure foundation for relatively little extra effort.
Another effect is on testing and development environments: we will probably see testnets dedicated to post-quantum cryptography (some already exist) where developers can experiment with PQ transactions. Getting familiar with these early will make the eventual transition smoother. Development tooling, hardware wallets for instance, will also have to adapt: many hardware wallets use secure-element chips optimised for particular algorithms. They will need upgrades to support PQC, or new devices will appear. For the crypto-hardware industry this is both a challenge and an opportunity.
Implications for Validators and Node Operators
Validators (in PoS systems such as Ethereum) and miners (in PoW systems such as Bitcoin, though PoW may matter less in the post-quantum era because it may face new problems of its own) will have to meet new requirements. Node software may become more demanding, needing more CPU power or even dedicated hardware to run post-quantum cryptography efficiently. Managed badly (for example, if only those who can afford high-end servers or specific accelerators can verify at the required speed), this leads to excessive centralisation. Ethereum and similar projects are trying to compensate by simplifying and reducing the cost of other parts of the system. It is a balancing act: you do not want to trade one weakness (quantum fragility) for another (only large operators can run nodes).
Over the long run, hardware acceleration may become widespread. Just as some miners use ASICs for hashing today, validators may come to use hardware that accelerates lattice arithmetic or hash-based signature operations. Mass production should bring costs down, possibly to the point of being built into consumer devices. RISC-V, mentioned earlier, could play a role here: with custom cryptographic instructions added, everyone could use it at low cost. Done well, this could even help bring secure cryptography to everyone; imagine every laptop with a built-in, open-source, standardised quantum-safe crypto module.
Another implication for validators is added complexity in how the protocol reaches consensus. In an emergency (say a quantum attack is detected and a rapid upgrade is needed), validators may have to react quickly. Future protocols might even include new rules of the form "when X is observed (such as a flood of invalid signatures), do Y". Such responses could be written into the protocol, or at least into a well-prepared contingency plan (some have proposed a "red button" hard-fork mechanism to trigger if quantum progress outpaces expectations). Validator communities will need open communication channels to coordinate emergency measures, which implies more active governance. There is some irony here: the quantum threat may push a network known for decentralisation to rely more on social coordination. Still, an emergency brake of this kind is ultimately important for the ecosystem.
Implications for the Crypto Industry and Ecosystem as a Whole
At the industry level, the move toward quantum safety may bring more cooperation and standard-setting than the fiercely competitive crypto world has seen before. Alliances such as CQRA show projects working together on a shared problem. Cross-chain standards may emerge (a common quantum-resistant address format, say, or a uniform encoding for the new key types in wallets) so that exchanges and multi-chain wallets can support many networks at once. Cooperation of this kind strengthens the whole industry and sets a precedent for collective action on future challenges.
There is also a geopolitical and regulatory dimension. Governments and regulators have so far focused on financial stability and compliance in crypto; as quantum computing draws nearer they may turn their attention to security infrastructure. Some governments might even require financial institutions (and the blockchain networks they use) to implement quantum-resistant cryptography by a certain date, much like mandated standards upgrades in banking. If, for instance, the US or EU required by 2030 that "all digital-asset custodians must use PQC in key management", PQC adoption in crypto would naturally accelerate. Forward-looking policymakers may also encourage the industry to upgrade early as a precaution. There is precedent: agencies such as NIST are already providing guidance, and military bodies are studying how to harden blockchains for their own use.
Economically, a quantum-resistant crypto industry could attract capital that has so far held back. Some institutional investors cite technology risk (quantum included) as a reason for caution about crypto. If Ethereum could say "we have implemented NIST-standard quantum-safe cryptography", that removes one investment concern and signals maturity. Conversely, if the market perceives the crypto industry as ignoring the quantum threat, attracting cautious capital becomes harder.
New products and services are also foreseeable: quantum-safe custody solutions (start-ups already offer "quantum vaults" that combine several cryptographic methods), insurance products for "quantum risk", and consultancies specialising in upgrading blockchain systems. Over the next decade, "post-quantum blockchain services" could well become a new mini-industry.
Finally, if cryptocurrency comes through the quantum transition successfully, it will stand in the long view as powerful evidence of its resilience. Sceptics often ask: "So what now? Will quantum kill crypto?" The answer could be: no, we adapted and came out stronger. Networks may end up more decentralised (for instance via DAS making light nodes easier), more scalable (if efficiency techniques such as ZK-proofs become widespread) and more secure. That reinforces the idea that blockchains, like living organisms, can evolve in response to threats and go on providing censorship-resistant, trust-minimised value transfer in a new technological era.
In sum, Ethereum's push for a simplified, quantum-safe design embodies the proactive and innovative spirit the challenge demands. The arrival of quantum computers need not be a crisis for crypto; it can instead be a turning point that drives technical improvement and cooperation across the ecosystem. By investing in solutions now, Ethereum and its peers aim to ensure that decentralised finance and digital assets remain standing no matter how powerful future computers become. The road to quantum safety requires the whole industry to balance trade-offs carefully and to put in collective effort, but the destination, a crypto world that stays secure in the quantum era, is well worth it.
Closing Thoughts: Embracing a Quantum-Safe Future
Quantum computing, once a distant threat, is fast becoming a reality the blockchain industry must face. Yet the response from Ethereum and the wider crypto industry conveys cautious optimism rather than doom. Yes, quantum computers may overturn the security assumptions we rely on today, but with good use of the time and tools available, the worst outcomes can be avoided. Current estimates give roughly 5–10 years before quantum computers capable of threatening mainstream cryptography appear. That window is precious: it leaves enough time to prepare, for communities to test post-quantum solutions systematically, build consensus for upgrades and implement them carefully. On Ethereum's side, developers already treat this timeline as a deadline that must be met.
One key lesson: do not place all your faith in a single solution. Diversifying cryptographic defences, combining lattice-based methods, hash-based techniques and other schemes proven robust, gives a blockchain layered protection; if one algorithm fails, another can take over. This "cryptographic diversity" may become the new normal. Future blockchains may support several signature types at once, even letting users choose their algorithm, making the whole system more resilient. Much as nature relies on biodiversity for survival, the crypto ecosystem can avoid a cryptographic monoculture.
There is a silver lining too: the drive for quantum safety spurs the next wave of innovation, and its by-products benefit as well. Privacy technology, efficiency gains and new smart-contract capabilities are all shoots sprung from confronting the quantum threat. Zero-knowledge proofs and lattice cryptography, for example, not only defend against quantum attacks but also make transactions more scalable and more private. In other words, the "quantum crisis" is pushing blockchain protocols to evolve for the better. In the end the networks will not just be more secure; they may be faster and more capable than ever.
The move to quantum safety is likely to be a key chapter in the blockchain industry's growth. It will test governance frameworks: can decentralised communities accept short-term inconvenience for long-term benefit? It will test cooperation between projects: can competitors unify standards for the greater security good? And it will test user trust: can users understand and support the changes, recognising they are for the common good? If the answers are yes, overcoming the quantum threat will very likely strengthen confidence in decentralised technology for decades.
Ethereum's early and active response also sets an example for everyone: acknowledge the threat early, draw on expert research (such as NIST's work), involve the community in planning, and integrate solutions into the roadmap before crisis hits. Bitcoin and others will each forge their own path, but the end goal is shared – ensuring that the core promise of cryptocurrency, trustless and censorship-resistant value transfer, endures in the quantum era. The work being done now is essentially to guarantee that promise holds true no matter what computers of the future are capable of.
To conclude: quantum computing does bring a real challenge, but the crypto community is increasingly prepared to meet it head-on. With pragmatic engineering, open communication and timely action, blockchains can come through the quantum transition not merely unharmed but stronger, having solved yet another problem once thought "impossible". Ethereum's lean, quantum-safe direction is ultimately about resilience and preparedness. It reminds us that decentralisation is not a rigid ideal but a living system that can adapt to threats and keep serving its users securely. As we move into this new territory, the crypto industry is showing that it can face the future without fear, using advanced cryptography and collective effort to build the foundation of a quantum-safe financial world.

