Ethereum's developers are actively preparing for an era in which future quantum computers may break today's cryptography. Blockchain researchers, led by the Ethereum Foundation's Justin Drake and others, are pushing a vision called "Lean Ethereum": a collaborative effort to simplify Ethereum's technical architecture while making it quantum-secure at the same time.
The move is not only a direct response to the threat of quantum computing but also a reflection on Ethereum's own complexity. In practice, it means rethinking everything from how smart contracts execute to how blocks are validated, with post-quantum security as the goal. The push has the backing of senior Ethereum figures, including co-founder Vitalik Buterin, and reflects a broader consensus in the industry: if cryptocurrencies want to withstand quantum attacks, adopting quantum-safe measures is now a necessity.
This article explains why quantum security is fast becoming a priority for blockchain development and how Ethereum is tackling it. We will look at the limits of current cryptography (such as the elliptic-curve signatures that protect your bitcoin and ether today) and how future quantum computers threaten those foundations. We will introduce post-quantum cryptography, the new generation of algorithms designed to resist quantum attacks, and the U.S. National Institute of Standards and Technology (NIST) effort to standardize them. We will then dig into the key technologies of Ethereum's "lean" plan, including zero-knowledge-proof virtual machines, data availability sampling, and the proposal to rebuild parts of Ethereum on a minimal RISC-V architecture. We will introduce the people driving these ideas, such as Justin Drake, Vitalik Buterin, and security expert XinXin Fan, and compare Ethereum's progress on quantum defense with that of Bitcoin and other major public chains. Finally, we will weigh the advantages, trade-offs, and risks of quantum-resistant upgrades and consider their long-term impact on users, developers, validators, and the crypto industry as a whole.
Everything is explained in plain language while keeping the technical details accurate; you do not need a PhD in physics to follow along. The quantum era has not arrived yet, but Ethereum's experience is a reminder that the time to prepare is now. What follows is a look at how one of the world's largest blockchain ecosystems is building its defenses for the quantum age, and why.
The Looming Quantum Threat to Blockchains
Quantum computing promises exponential speedups on certain hard problems, and that is what worries blockchain developers. Unlike classical bits, which are either 0 or 1, qubits can be in multiple states at once (called "superposition") and can be "entangled" with each other to compute in parallel. Big technology companies are racing into the field: Google announced a 433-qubit processor in 2023 and claimed "quantum supremacy" on a specific task, while IBM's roadmap targets 4000+ qubits by 2027. Research teams estimate that breaking the cryptography used by a cryptocurrency like Bitcoin within 24 hours could require on the order of a million qubits, far beyond today's prototypes. Even so, the direction is clear. A 2024 report by the Global Risk Institute even puts probabilities on it: a 50% chance that a quantum computer able to break mainstream cryptography (such as RSA-2048 or 256-bit elliptic curves) exists by 2032, rising to 90% by 2040. In other words, quantum computing becoming a major security threat to blockchains is no longer a question of "if" but of "when".
Classical Cryptography Under Threat
The cryptographic assumptions today's blockchains rest on are being upended by quantum technology. Digital currencies rely mainly on asymmetric cryptography to secure transaction signatures; Bitcoin and Ethereum addresses, for instance, use the Elliptic Curve Digital Signature Algorithm (ECDSA). On classical hardware ECDSA is extremely secure: an ordinary computer has essentially no way to derive your private key from your public key. A sufficiently advanced quantum computer, however, could do exactly that using Shor's algorithm. Shor's algorithm factors large numbers and solves discrete logarithms (the hard mathematical problems that RSA and elliptic curves depend on) in polynomial time, which means computations that would take a classical computer millions of years could be done in hours or days on a quantum machine. For blockchains this is devastating news: a quantum attacker who obtains private keys could forge Bitcoin or Ethereum transactions, steal funds, and even impersonate legitimate holders to rewrite blocks. The basic trust assumption, that only the holder of the private key can control the assets, would be broken.
Worse, blockchains expose public keys in normal operation. When you send funds from an address, that address's public key is revealed in the transaction signature. An attacker with a quantum computer could wait for a high-value address to initiate a transfer, grab the exposed public key, derive the private key, and drain the address's balance before the transaction is confirmed. Even long-dormant early Bitcoin addresses and some smart-contract vaults are at risk if their public keys have ever been exposed. According to a Deloitte analysis, roughly 25% of all bitcoin, worth hundreds of billions of dollars, sits in addresses whose public keys are already public. Once quantum technology matures, those funds would be the first target for quantum thieves.
Beyond key theft, quantum computing also threatens blockchain consensus mechanisms. In proof-of-work (PoW) systems, quantum algorithms could substantially speed up cryptographic hashing, letting an attacker with a quantum advantage mine far faster than anyone else. In theory this lowers the bar for a 51% attack dramatically; by some estimates, as little as 26% of the network's hash power could suffice to rewrite the chain's history. In proof-of-stake (PoS) systems the threat still centers mostly on signatures (validators sign votes and checkpoints), but if signatures can be forged an attacker can likewise throw consensus into disarray, for example by producing conflicting histories or hijacking validator slots. In short, every layer of a blockchain, from wallets to mining and validation, is exposed to the impact of quantum computing on its core cryptography.
Why the Threat Is Becoming Urgent
Admittedly, large-scale usable quantum computers are still in development, and experts disagree on when the threat will truly arrive. Some believe a fully capable quantum computer is more than a decade away; others warn that a partially capable prototype, enough to break weaker cryptosystems, could appear within five years. That uncertainty is itself a problem. The crypto community already knows that blockchain upgrades are a slow and deliberate process, often taking years of debate. Bitcoin argued for years over something as small as how to handle OP_RETURN; Ethereum's "Merge", the major upgrade from proof-of-work to proof-of-stake, took more than five years to plan, test, and execute. If routine changes take years, one can imagine how long a sweeping network-wide quantum-resistance overhaul would need.
Blockchain governance is simply not built for rapid pivots. "The BIP and EIP processes are great for careful democratic decision-making, but they are painfully slow for responding to an emergency threat," warns Colton Dillion, founder of a quantum-security startup. By the time everyone realizes the quantum threat is imminent, it may well be too late; bad actors may already have quietly exploited the weakness. Unlike the hacks we see today, a quantum attack could be extremely stealthy. "A real quantum attack won't be a headline event; it will be a quiet hand reaching in: whales silently moving funds and cashing out before the system notices," Dillion says. Funds would quietly vanish or move in unusual ways, and only afterwards would anyone understand that the cryptography had failed.
This approaching threat has moved from an academic exercise to a problem the industry is actively working to solve. The takeaway is not panic but preparation. Quantum security has become a key part of blockchain planning because, without it, cryptographic trust could collapse overnight, a blow the industry might not survive. Several solutions already exist, but deploying them on decentralized networks remains a formidable challenge.
The Limits of Current Cryptography
Before turning to solutions, it is worth understanding why our current cryptographic toolbox cannot stand up to a quantum adversary. The two pillars of modern cryptography, ECDSA and RSA (ECDSA for Bitcoin/Ethereum signatures, RSA widely used for secure communications), both rely on mathematical problems that classical computers cannot solve efficiently. Their security comes from one-way functions: multiplying two large primes is easy but factoring the product is hard (RSA), and multiplying an elliptic-curve generator point by a secret scalar is easy but recovering the secret from the result (the discrete logarithm) is hard (ECDSA). These problems are what keep private keys secret.
Quantum computing overturns that asymmetry. With Shor's algorithm, a quantum computer can factor integers and compute discrete logarithms efficiently; the "trapdoor" stops working and the problems become solvable. In essence, quantum computing is like a master key that can pick the locks of RSA and ECDSA given enough qubits and stable operation. Estimates vary on how many logical qubits (error-corrected, reliable qubits) are needed to break, say, Bitcoin’s 256-bit elliptic curve. One analysis from the Ethereum Foundation’s research team suggests around 6,600 logical qubits might threaten the secp256k1 curve (used in Bitcoin/Ethereum), and ~20,000 logical qubits could completely compromise it. Due to error-correction overhead, that corresponds to millions of physical qubits – a bar quantum hardware may reach in 15–20 years if progress continues. It’s a moving target, but clearly today’s cryptography has an expiration date if no changes are made.
Another limitation of current methods is key and signature exposure. As mentioned, address reuse is dangerous in a quantum context – yet many users, out of convenience, send multiple transactions from the same address, leaving their public key exposed on-chain after the first spend. This was historically common in Bitcoin’s early days (pay-to-public-key addresses that directly exposed keys), and even after best practices improved, an estimated 2.5 million BTC (over $130 billion) remain in older address types that are particularly vulnerable to a future quantum break. Ethereum, by design, exposes public keys only after they are used, but active Ethereum accounts do reuse keys regularly. In short, the longer our networks run on non-quantum-safe crypto, the more “quantum debt” accumulates – i.e., more assets sit in forms that a quantum computer could pilfer once it’s powerful enough.
Finally, current cryptography wasn’t built with agility in mind. Protocols like Bitcoin’s are hard-coded to ECDSA and specific hash functions. Swapping them out for new algorithms isn’t simple; it requires community consensus on a hard fork or a clever soft-fork hack. Ethereum is somewhat more flexible (it’s gone through multiple upgrades and has conceptually embraced the idea of account abstraction, which could allow different signature schemes to be used on the same network), but still, upgrading crypto primitives at scale is uncharted territory. The limitations of today’s methods thus extend beyond just math – they’re also baked into governance and technical debt.
The good news is the cryptography community has seen this coming and has been developing alternatives. So, what does the next generation of quantum-resistant cryptography look like, and can it plug into blockchains?
Post-Quantum Cryptography and NIST Standards
Post-quantum cryptography (PQC) refers to encryption and signature algorithms designed to be secure against quantum attacks. Importantly, these are mostly based on mathematical problems believed to be hard for both quantum and classical computers (unlike factoring or discrete log). Throughout the late 2010s and early 2020s, researchers worldwide proposed and analyzed dozens of candidate algorithms. In 2016, the U.S. National Institute of Standards and Technology (NIST) launched a formal process to evaluate these and select new cryptographic standards for the post-quantum era. After several rounds of scrutiny (and some dramatic defeats, like one algorithm being cracked by classical means during the competition), NIST announced its first set of winners in 2022.
For digital signatures, NIST’s primary recommendation is CRYSTALS-Dilithium, a lattice-based signature scheme, with FALCON (also lattice-based) as an option for use-cases needing smaller signatures, and SPHINCS+ (a hash-based signature scheme) as another alternative for those wanting a completely different security basis. For key encapsulation / key exchange, the top pick is CRYSTALS-Kyber (lattice-based), with some others like Classic McEliece (code-based) and BIKE/HQC (also code-based or structured lattices) as alternate choices. These algorithms are expected to be formally standardized by around 2024–2025 as the new FIPS standards.
What makes these algorithms “quantum-safe”? In the case of lattice-based cryptography (the foundation of Dilithium and Kyber), security comes from problems like the Shortest Vector Problem (SVP) or Learning With Errors (LWE) in a high-dimensional lattice. Intuitively, it’s like finding a needle in a multi-dimensional haystack – even quantum computers don’t have known efficient methods to solve these problems. Lattice schemes are quite efficient on classical computers and have reasonably sized keys and signatures (kilobytes rather than bytes, which is larger than ECDSA but manageable). For instance, a Dilithium signature might be a few kilobytes and verify quickly, and Kyber can perform key agreement with keys ~1.5 KB in size, with speeds comparable to RSA/ECDSA encryption today. This combination of speed and small size is why NIST gravitated to lattice algorithms for general use.
Other approaches include hash-based signatures (like SPHINCS+ or the stateful XMSS). These rely only on the security of hash functions, which are one of the most quantum-resistant primitives we have (Grover’s algorithm can brute-force hash preimages with a quadratic speedup, but that’s far less devastating than Shor’s polynomial speedup for factoring). Hash-based signatures are extremely secure in theory; however, they come with downsides: signatures can be huge (tens of kilobytes), and some types allow only a limited number of uses per key (stateful schemes require you to track usage of one-time keys). This makes them less practical for frequent transactions or bandwidth-limited environments. Still, they could be useful in certain blockchain contexts, perhaps for high-security multisig or as a stopgap measure.
There are also code-based cryptosystems (like McEliece, which has gigantic public keys but has withstood cryptanalysis since the 1970s) and multivariate quadratic schemes. These offer diversity – different hardness assumptions in case lattices or hashes have unforeseen weaknesses – but they tend to have large key sizes or slower performance, making them less attractive for blockchain use right now. Security experts often recommend a diverse portfolio of algorithms to hedge bets, but most likely, blockchains will favor lattice-based solutions and perhaps some hash-based techniques for specific purposes.
NIST Standards and Blockchain Adoption
The standardization by NIST is a big deal because it provides an agreed-upon set of algorithms that many industries (not just blockchain) will start adopting. By late 2025, we expect formal standards documentation for Dilithium, Kyber, etc., to be published. Many blockchain developers have been tracking this process closely. Ethereum researchers, for example, have already been experimenting with lattice-based signature schemes (like Dilithium) to see how they’d perform in practice on a blockchain. The goal is that once standards are finalized, the transition can begin with confidence that the algorithms have been vetted.
However, adopting these in a live blockchain isn’t plug-and-play. As we’ll discuss, PQC algorithms usually mean larger transaction sizes and perhaps heavier computation. But fundamentally, post-quantum cryptography gives blockchain communities a toolbox to defend themselves. It turns a seemingly insurmountable threat into a solvable (if difficult) engineering problem: update the cryptography before the bad guys have quantum weapons. The Ethereum community’s proactive stance – pushing for research and early integration of PQC – exemplifies how to use that toolbox. And indeed, Ethereum’s “Lean Ethereum” initiative is all about weaving quantum resistance into the fabric of the blockchain, alongside other simplifications.
Lean Ethereum: Simplifying for Quantum Resilience
In mid-2025, Ethereum Foundation researcher Justin Drake put forward a proposal dubbed “Lean Ethereum.” Its aim is straightforward to state but ambitious to execute: make Ethereum’s base layer as simple and robust as possible, while ensuring it can withstand future quantum-based attacks. This vision comes from a realization that Ethereum’s protocol, after years of rapid development, has grown quite complex. Unlike Bitcoin – which intentionally moves slowly and keeps things simple – Ethereum has added layer upon layer of new features (from state-rich smart contracts to various VM upgrades and layer-2 constructions). That complexity can breed bugs, raise the barrier for new developers, and even introduce security risks if obscure parts of the system hide vulnerabilities. Drake and others argue that now is the time to streamline Ethereum’s design, and that doing so goes hand-in-hand with preparing for quantum threats. A leaner Ethereum could be easier to upgrade with new cryptography and easier for nodes to secure and verify.
So, what does Lean Ethereum entail? The proposal targets Ethereum’s three main pillars – the execution layer (where smart contracts run), the data layer (how blockchain data is stored and accessed), and the consensus layer (how blocks are finalized) – and suggests reforms in each:
Zero-Knowledge-Powered Virtual Machines
For the execution layer, Drake proposes leveraging zero-knowledge proofs (ZK-proofs) to create “zero-knowledge powered virtual machines.” In simple terms, a ZK-powered VM would allow Ethereum to prove the correctness of computations on-chain without revealing all the underlying data. Instead of every node re-executing every smart contract instruction (as it happens now), a node could execute a batch of transactions and then produce a succinct proof that “these transactions were processed correctly.” Other nodes would just verify the proof, which is much faster than redoing all the work. This idea is already in the air thanks to zkRollups on Ethereum’s layer 2, but Drake’s vision is to bring it into layer 1 execution.
Crucially for quantum security, certain types of zero-knowledge proofs (especially those based on cryptographic hashes or other quantum-resistant assumptions) could make the execution layer quantum-proof by default. If you’re not revealing sensitive data or public keys on-chain and instead are verifying via ZK-proofs, you close some of the attack surface a quantum computer would target. Even if a quantum computer tried to falsify a transaction, it would also have to falsify a validity proof; if the proof system is quantum-safe (for example, a STARK, which mainly relies on hashes and information-theoretic security), the attacker gains no advantage from doing so. In essence, ZK VMs could “shield” the execution layer. Drake’s proposal aligns with a broader industry trend to incorporate zk-SNARKs and zk-STARKs for scalability and privacy, and here it doubles as a security layer.
The concept might sound technical, but the benefit is intuitive: Ethereum could become leaner by not carrying as much execution load on every node, and more secure by using math proofs that even quantum computers can’t fake easily. It’s a long-term research direction – turning the Ethereum Virtual Machine (EVM) or a successor into a ZK-friendly format – but work is underway. There are already projects aiming to build ZK-proof generating VMs (like Risc Zero and others using the RISC-V architecture, which we’ll get to shortly). The Lean Ethereum plan would accelerate and coordinate these efforts as part of Ethereum’s core roadmap.
Data Availability Sampling
Another major pillar of Lean Ethereum is reducing the burden of data availability on nodes. Ethereum’s blockchain, like any, grows over time with all the data of transactions and blocks. If every node must download and store every byte of every block to verify it, the requirements for running a node constantly increase. This can threaten decentralization because eventually only those with large storage and bandwidth can keep up. Data availability sampling (DAS) is a clever method to get around that. Instead of requiring full nodes to download every block in full, nodes can sample random pieces of each block’s data to verify that the entire block is available and intact.
How does that work? Think of erasure codes or Reed-Solomon coding techniques: a block’s data can be encoded with redundancy such that if you randomly inspect, say, 1% of the pieces and all are present and correct, there’s a very high probability (99.9999%+) that the entire block data is available somewhere. If some chunks were missing or corrupted, a random sampler would catch that with high probability given enough samples. This idea allows nodes to be lightweight yet secure – they can trust that the whole community would notice if block data went missing because statistically someone’s sample would fail. Ethereum’s upcoming sharding plans already use data availability sampling for shard block validation. Drake’s Lean Ethereum suggests applying it broadly: even for the base layer, use DAS so nodes don’t have to store everything, only what they need.
The result of DAS is a big simplification for node operators. Instead of worrying about disk space growing without bound or needing to prune old data (and possibly trust others for that data), nodes could maintain security by sampling. It’s like an audit: you don’t check every transaction’s data, just a random subset, and the math guarantees that’s enough to be confident. This preserves the integrity of the blockchain without overloading every participant. By reducing resource requirements, Ethereum could remain decentralized (more people can run nodes) and better prepared for the future. It also indirectly helps quantum security – if nodes are easier to run, there will be more of them, making an attack (quantum or otherwise) harder due to sheer number of validators.
In summary, data availability sampling is a way to streamline verification. It’s a bit like the blockchain equivalent of not needing to eat the whole cake to know it tastes good; a small sample can statistically represent the whole. In practice, Ethereum would implement this by breaking blocks into pieces with error-correcting codes and having nodes randomly check pieces. If even one piece can’t be obtained, the network would treat the block as invalid (since that could mean someone withheld part of the block data). This concept is pivotal in Ethereum’s planned danksharding upgrade and meshes perfectly with the Lean Ethereum ethos of minimalism.
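The erasure-coding and sampling argument in the three paragraphs above can be made concrete. The following is an added illustration, not Ethereum's own DAS implementation (which uses KZG commitments over a two-dimensional extension): it encodes a constructed block of 16 chunks into 32 with a toy Reed-Solomon code over a prime field, shows that any 16 chunks recover the block, and then computes exactly how often a light node sampling 8 random chunks fails to notice that a producer withheld too many for recovery. The field modulus, chunk counts and sample count are assumptions chosen for the demo.

```python
import random
from math import comb

# Added example; not Ethereum's code. Toy Reed-Solomon erasure code plus a
# light-node sampler, to show why "sample a few chunks" is enough.
P = (1 << 61) - 1  # Mersenne prime used as the field modulus (assumption)


def rs_encode(chunks, n):
    """Treat the k data chunks (ints < P) as polynomial coefficients and evaluate
    at x = 1..n. Any k of the n outputs determine the polynomial, so up to n-k
    chunks may be lost and the block is still recoverable."""
    k = len(chunks)
    if n < k:
        raise ValueError("need n >= k")
    encoded = []
    for x in range(1, n + 1):
        v = 0
        for c in reversed(chunks):  # Horner's rule
            v = (v * x + c) % P
        encoded.append(v)
    return encoded


def poly_mul(a, b):
    """Multiply two polynomials given as ascending coefficient lists, mod P."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def rs_recover(points, k):
    """Lagrange interpolation: rebuild the k coefficients from any k (x, y) pairs."""
    if len(points) < k:
        raise ValueError("fewer than k chunks available; block is unrecoverable")
    pts = points[:k]
    coeffs = [0] * k
    for i, (xi, yi) in enumerate(pts):
        num, den = [1], 1
        for j, (xj, _) in enumerate(pts):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])  # multiply by (x - xj)
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P        # Fermat inverse of the denominator
        for d, c in enumerate(num):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs


def false_accept_probability(n, withheld, samples):
    """Exact chance that `samples` distinct random chunk indices all land on
    available chunks when `withheld` of the n chunks are hidden (hypergeometric)."""
    if samples > n - withheld:
        return 0.0
    return comb(n - withheld, samples) / comb(n, samples)


def light_node_check(available, samples, rng):
    """A light node's DAS check: request `samples` random chunks and reject the
    block if any single one cannot be obtained."""
    idxs = rng.sample(range(len(available)), samples)
    return all(available[i] for i in idxs)


def demo():
    k, n, s = 16, 32, 8                              # data chunks, coded chunks, samples
    rng = random.Random(7)                           # fixed seed so the run is reproducible
    block = [rng.randrange(P) for _ in range(k)]     # constructed sample block
    coded = rs_encode(block, n)
    # Honest producer: everything is published, so any 16 chunks (here the last 16)
    # reconstruct the original block.
    pts = [(x, coded[x - 1]) for x in range(n - k + 1, n + 1)]
    recovered = rs_recover(pts, k) == block
    # Withholding producer: hide 17 chunks, leaving 15 (< k), so nobody can rebuild
    # the block. How often do 8 random samples all happen to hit available chunks?
    withheld = n - k + 1
    p_fooled = false_accept_probability(n, withheld, s)
    available = [i >= withheld for i in range(n)]    # first 17 chunks hidden
    rejected = sum(not light_node_check(available, s, rng) for _ in range(1000))
    return recovered, p_fooled, rejected


if __name__ == "__main__":
    rec, p, rejected = demo()
    print("recovered from 16 of 32 chunks:", rec)
    print(f"chance a single 8-sample node is fooled: {p:.5f}")
    print("of 1000 sampling nodes, rejected the withheld block:", rejected)
```

With these parameters a single node is fooled about 0.06% of the time, and since every node samples independently, the chance that a whole network of samplers misses a withheld block vanishes quickly; raising the sample count or the extension factor drives the per-node figure down further, which is the trade-off Ethereum's real parameters are tuned around.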
Embracing RISC-V for Secure Consensus
The third leg of Lean Ethereum concerns the consensus layer – the part of Ethereum that comes to agreement on the chain, which in proof-of-stake includes the fork-choice rules, validator duties, finality gadget, etc. This layer also involves nodes interpreting network messages and potentially running low-level code (for instance, verifying signatures, hashing, etc.). Drake’s proposal is to adopt a RISC-V framework in Ethereum’s consensus, meaning use RISC-V as the base for any protocol-related computing. RISC-V is an open standard for a reduced instruction set computer architecture – basically a minimalist set of machine instructions that computers can execute. Why would that matter for a blockchain? Simplicity and security. A smaller, well-understood set of instructions is easier to analyze and less prone to hidden bugs or backdoors. If Ethereum’s consensus rules and any virtual machines at the consensus level were expressed in RISC-V (or compiled to RISC-V), it could be run and verified with greater confidence.
In practical terms, this could mean that Ethereum clients (the software nodes run) use a RISC-V virtual machine to execute consensus-critical logic, rather than higher-level languages that might introduce complexity. Some have even imagined Ethereum’s state transition function being defined in such a low-level deterministic way. The benefit is that RISC-V is extremely lean and designed for verifiability. It has no proprietary parts (unlike, say, x86 chips which are complex and closed) and has a modular design where you only include the extensions you need. Proponents argue this reduces the attack surface – there are simply fewer moving parts where something could go wrong or be exploited.
For quantum resistance, how does RISC-V help? It’s not directly about quantum algorithms, but it ties into making Ethereum more agile and robust. If you need to swap out cryptographic algorithms (like introducing a post-quantum signature scheme), doing so in a system built on a clean, uniform architecture might be easier. Also, certain post-quantum algorithms might benefit from specialized hardware; RISC-V’s openness could allow custom accelerators or instructions to be added without breaking compatibility, because it’s an extendable standard. Vitalik Buterin has been a strong supporter of exploring RISC-V for Ethereum. In fact, in April 2025, Buterin outlined a four-phase plan to transition Ethereum to a RISC-V-based architecture, hoping to boost both speed and security of the network.
Switching to RISC-V is a long-term project – it’s not something you flip on overnight in a live blockchain. But the idea is that over the next few years, Ethereum could move toward it incrementally. Possibly first by having an alternate client implementation in RISC-V, or using RISC-V internally for certain operations, and eventually making it core to how Ethereum works. This aligns with Ethereum’s attempts to learn from Bitcoin’s conservatism without sacrificing innovation. Bitcoin’s simplicity (e.g. in using basic opcodes for transactions) is admired by Buterin; he wants Ethereum to shed some weight so that it can be “as simple as Bitcoin’s” architecture within five years. Embracing an ultra-lean architecture like RISC-V is part of that philosophy.
Community Support and Developer Insights
Justin Drake’s Lean Ethereum initiative did not emerge in a vacuum. It taps into a growing sentiment among Ethereum developers: that the protocol’s complexity needs to be reined in for the sake of security and sustainability. Ethereum’s very strength – its flexibility and rapid evolution – has also led to “excessive development expenditure, all kinds of security risk, and insularity of R&D culture, often in pursuit of benefits that have proven illusory,” as Vitalik Buterin put it recently. Buterin’s public comments in mid-2025 made it clear he shares the desire to simplify. He explicitly stated an intention to simplify Ethereum’s tech stack over the next five years, aiming to make it more like Bitcoin’s straightforward (if limited) design. Those words from Ethereum’s co-founder carry weight: it’s essentially a green light for efforts like Lean Ethereum that prioritize clean-ups and careful engineering over piling on new bells and whistles.
Vitalik’s support also extends to the quantum-safety aspect. He has discussed account abstraction and cryptographic agility as key components of Ethereum’s long-term roadmap. Account abstraction, in particular, would let Ethereum accounts use different signature algorithms or even multiple algorithms at once. For example, your wallet could have a post-quantum public key in addition to the traditional ECDSA key, and the protocol could accept a signature from either (or require both). This kind of flexibility is crucial for a smooth migration – users could gradually move to quantum-safe keys without the entire system flipping in one go. Buterin and others have proposed that Ethereum implement this in an “opt-in” fashion at first. In Ethereum’s envisioned Endgame (a term used for its ultimate scaled state), quantum-resistant cryptography is indeed part of the plan, slated for introduction once technologies like sharding and rollups are fully deployed.
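Two things the text describes can be shown together in code: the hash-based signatures from the post-quantum section (secure only on the strength of a hash function, large, and in the stateful variant usable exactly once per key) and the account-abstraction rule just described, where an account holds a legacy key alongside a post-quantum key and accepts a signature from either or requires both. The block below is an added example, not Ethereum's or any wallet's code. It implements a Lamport one-time signature over SHA-256 as the post-quantum scheme; for the legacy scheme it uses textbook RSA with fixed toy primes as an insecure stand-in for the ECDSA keys real accounts use (Python's standard library has no ECDSA). The `Account` class and its two modes are assumptions made for the demo.

```python
import hashlib
import secrets

# Added example, not Ethereum's code. Lamport one-time signatures (hash-based,
# quantum-resistant) plus an account-abstraction style validation rule that
# accepts a legacy OR a post-quantum signature, or requires both.


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# ---- Lamport one-time signature -------------------------------------------
def lamport_keygen():
    """256 pairs of 32-byte secrets; the public key is the 256 pairs of their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    """Reveal one secret per message bit: 256 x 32 B = 8 KB of signature."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public-key entry selected by that bit."""
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


class LamportSigner:
    """Stateful wrapper: a Lamport key must sign exactly once. Signing two
    different messages would reveal both secrets at every differing bit
    position, which is why the text says stateful schemes must track usage."""

    def __init__(self):
        self.sk, self.pk = lamport_keygen()
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("one-time key already used; refusing to sign")
        self.used = True
        return lamport_sign(self.sk, msg)


def signature_size(sig) -> int:
    return sum(len(part) for part in sig)


# ---- Toy classical signature (stand-in for ECDSA, insecure) ----------------
_P, _Q = (1 << 61) - 1, (1 << 31) - 1        # both prime; far too small for real use
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # gcd(65537, phi) = 1 for these primes
LEGACY_PK, LEGACY_SK = (RSA_N, RSA_E), (RSA_N, RSA_D)


def legacy_sign(sk, msg: bytes) -> int:
    n, d = sk
    return pow(int.from_bytes(H(msg), "big") % n, d, n)


def legacy_verify(pk, msg: bytes, sig: int) -> bool:
    n, e = pk
    return pow(sig, e, n) == int.from_bytes(H(msg), "big") % n


# ---- Account-abstraction style validation (hypothetical policy) ----------
class Account:
    """mode 'either': opt-in migration, a valid legacy OR post-quantum signature
    authorizes the transaction. mode 'both': both are required, so a broken
    legacy scheme alone no longer suffices to spend."""

    def __init__(self, legacy_pk, pq_pk=None, mode="either"):
        if mode not in ("either", "both"):
            raise ValueError("mode must be 'either' or 'both'")
        self.legacy_pk, self.pq_pk, self.mode = legacy_pk, pq_pk, mode

    def validate(self, tx: bytes, legacy_sig=None, pq_sig=None) -> bool:
        legacy_ok = legacy_sig is not None and legacy_verify(self.legacy_pk, tx, legacy_sig)
        pq_ok = (self.pq_pk is not None and pq_sig is not None
                 and lamport_verify(self.pq_pk, tx, pq_sig))
        return (legacy_ok and pq_ok) if self.mode == "both" else (legacy_ok or pq_ok)


if __name__ == "__main__":
    tx = b"constructed sample tx: send 1 ETH to alice"
    signer = LamportSigner()
    pq_sig = signer.sign(tx)
    acct = Account(LEGACY_PK, signer.pk, mode="either")
    print("pq-only spend accepted:", acct.validate(tx, pq_sig=pq_sig))
    print("post-quantum signature bytes:", signature_size(pq_sig))
    strict = Account(LEGACY_PK, signer.pk, mode="both")
    print("legacy-only spend under 'both':",
          strict.validate(tx, legacy_sig=legacy_sign(LEGACY_SK, tx)))
```

The 8 KB signature and the refusal to sign twice are the two costs the post-quantum section warns about for hash-based schemes; the `either` mode is what lets a user register a post-quantum key and keep using the old one until they are ready, while `both` is the setting an account would move to once the legacy scheme is considered broken.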
Beyond the Ethereum Foundation, the broader developer ecosystem is also contributing ideas for quantum security. A notable voice is Dr. XinXin Fan, head of cryptography at IoTeX (a blockchain platform focused on Internet-of-Things). XinXin Fan co-authored a research paper in 2024 about migrating Ethereum to post-quantum security and won a “Best Paper” award for it. His proposal centers on using hash-based zero-knowledge proofs to secure Ethereum transactions. In an interview, Dr. Fan explained that you could append a tiny zero-knowledge proof to each transaction proving that the signature (ECDSA) is valid without revealing the signature itself. The trick is to design that proof in a quantum-resistant way (using hash-based techniques, like zk-STARKs). The result: even if ECDSA becomes vulnerable, an attacker can’t forge the proof without breaking the hash-based scheme, and users wouldn’t even need to change their wallets immediately. In simpler terms, Fan’s method adds an extra layer of quantum-safe validation to transactions, invisibly to the user. “The way we are implementing this allows the user to use their current wallet, but we attach each transaction with a zero-knowledge proof that is quantum-safe,” he said. This approach emphasizes usability – it’s aiming for a seamless transition where users don’t have to manage new keys or addresses, at least initially.
Such ideas show that the developer community isn’t solely relying on one strategy. Ethereum’s core devs are simplifying and building upgrade pathways, while researchers in academia and other projects are inventing clever patches and additions that could enhance quantum resilience. It’s a “defense in depth” mindset: if one approach proves too slow or insufficient, another might cover the gap.
The collective effort is also formalizing in collaborative groups. For instance, an industry coalition called the Cryptocurrency Quantum Resistance Alliance (CQRA) has been formed, bringing together teams from over a dozen blockchain projects to coordinate on standards and research. Their goal is to avoid a fractured outcome where different chains implement completely different quantum solutions that don’t interoperate. Ethereum is a part of these conversations, as are developers from Bitcoin and various altcoins.
In summary, Ethereum’s push for a lean, quantum-secure design is supported by both its leadership and the community at large. Drake may have coined “Lean Ethereum,” but its themes resonate widely. Ethereum’s culture is often at the forefront of technical innovation in crypto, and here again it seems to be taking a proactive stance: better to start the hard work of quantum-proofing now, than to scramble under duress later. Next, we’ll compare how Ethereum’s stance compares to that of Bitcoin and other networks, to see who else is stepping up – and who might be lagging behind – in the race for quantum safety.
Ethereum vs. Bitcoin (and Others) on Quantum Readiness
How does Ethereum’s roadmap for quantum security stack up against Bitcoin’s, or against other blockchain projects? The contrast is striking. Bitcoin, true to form, has been extremely cautious and slow-moving in this arena. As of 2025, there is no official Bitcoin Improvement Proposal (BIP) approved or implemented for post-quantum cryptography. The topic of quantum resistance is discussed in Bitcoin circles, but largely in theoretical terms. Part of the reason is cultural: Bitcoin’s core developers prioritize stability and minimal changes, especially to fundamental components like the signature scheme. Another reason is that any switch would likely require a hard fork – a coordinated network-wide change – which the Bitcoin community is generally loath to do unless absolutely necessary.
Some proposals have been floated in Bitcoin forums. For example, developer Agustin Cruz introduced an idea called QRAMP (Quantum-Ready Address Migration Proposal) which envisions a hard fork to migrate all bitcoins to quantum-safe addresses. Essentially, it suggests giving every BTC holder a window to move their coins to new addresses secured by a post-quantum signature (perhaps something like XMSS or Dilithium), and eventually rendering the old ECDSA-based addresses invalid. It’s a dramatic plan, but one that guarantees no coins get left in vulnerable form. However, QRAMP is far from being implemented; it’s more of a thought experiment at this stage, precisely because it would break backward compatibility and needs overwhelming consensus. More modest suggestions for Bitcoin include introducing new address types that are quantum-resistant (so users could opt in to safety) or using cross-chain swaps to move to a quantum-safe sidechain. None of these have advanced beyond discussion or early research.
The reality is, if quantum computing became an imminent threat, Bitcoin would face a tough dilemma: how to do a once-in-a-generation upgrade quickly without splitting the network. A gradual transition with dual-signature support (accepting transactions that have both an ECDSA signature and a post-quantum signature during a long transition phase) is one idea. Another is an emergency hard fork, essentially a do-or-die event if a quantum hack is detected. But until there’s clear danger, Bitcoin’s inertia is likely to continue. The lesson from the Taproot upgrade – which was a relatively minor improvement taking years of debate and coordination to activate in 2021 – is that a quantum-driven change would be even more contentious and complex. And indeed, Taproot, while improving privacy and flexibility, did nothing to address quantum vulnerabilities in Bitcoin’s cryptography.
One very concrete measure of Bitcoin’s exposure comes from BitMEX Research, which pointed out that about 2.5 million BTC are held in addresses known as Pay-to-Pubkey (P2PK) where the public key is directly on the blockchain (an artifact of early Bitcoin transactions, including Satoshi’s coins). These coins, worth tens of billions, could be immediately stolen by a quantum computer that can do ECDSA breaking – no waiting for the owner to transact, since the public keys are already out there. There’s an informal understanding that if a quantum threat became urgent, Bitcoin developers might sound the alarm and try something drastic to secure those, possibly via a rapid hard fork that “locks down” old outputs. But that scenario veers into territory that Bitcoiners avoid contemplating: violating some of the sacrosanct rules of the ledger to save it. It underscores the governance challenge: Bitcoin’s greatest strength (decentralized, conservative governance) could be a weakness in reacting swiftly to quantum threats.
Ethereum, by contrast, has shown it can evolve when needed. The transition from proof-of-work to proof-of-stake in 2022–2023 (the Merge) is a prime example of a major, coordinated technical overhaul that succeeded. Ethereum’s culture is more open to upgrading and iterating. That said, Ethereum also requires consensus for big changes and faces the danger of splits (recall Ethereum itself split into ETH and Ethereum Classic in 2016 over the DAO incident). The approach Ethereum is taking toward quantum readiness is to bake it into the roadmap early. Vitalik Buterin has indicated that after the current slate of scaling improvements (sharding, rollups, etc.), the “Endgame” upgrades would likely include switching out cryptography for quantum-resistant alternatives. Work is already being done in testnets and research to gauge the performance hit. For instance, experiments show that replacing Ethereum’s ECDSA with Dilithium (post-quantum signatures) would bloat transaction sizes by about 2.3 KB and increase gas costs roughly 40–60% for a basic transfer. That’s a noticeable overhead, but not a deal-breaker given Ethereum’s other scaling plans (like Proto-Danksharding, which massively increases data throughput). The Ethereum community could potentially absorb such costs, especially if quantum security was on the line.
Ethereum’s notion of cryptographic agility – the ability to change cryptographic algorithms with minimal disruption – is likely to be key. This could involve contract-level changes (like new precompiled contracts or opcodes for verifying PQ signatures) and client-level support for multiple algorithms in parallel. In fact, one could imagine an Ethereum hard fork where for a period, every transaction needs two signatures: one from the old scheme and one from the new. That way, even if one is broken, the other stands as a safety net. Such hybrid approaches are discussed in Ethereum research circles and would mirror what some security experts recommend (for example, the U.S. NSA has advocated for “crypto agility” in protocols for years, anticipating transitions like this).
What about other blockchains beyond Bitcoin and Ethereum? There’s a spectrum of approaches:
- A few smaller projects have been quantum-resistant from day one. The most notable is the Quantum Resistant Ledger (QRL), launched in 2018 specifically to address the quantum threat. QRL uses a hash-based signature scheme (XMSS – eXtended Merkle Signature Scheme) for all transactions. This means its addresses and signatures are quantum-safe by design. The project has demonstrated that such a blockchain can function, though not without trade-offs. QRL’s signatures are about 2.5 KB each on average (compared to Bitcoin’s ~72 bytes), which makes transactions bigger and the blockchain grow faster in size. Indeed, QRL’s chain grows roughly 3.5 times faster per transaction than Bitcoin’s because of this overhead. So far, QRL has produced millions of blocks with no security issues, showcasing that hash-based cryptography is viable in practice. But its relatively large resource needs and niche status mean it hasn’t been widely adopted outside its community.
- Other established networks have dabbled in quantum security. IOTA, for example, early on touted quantum-resistant signatures (it used a variant of Winternitz One-Time Signatures). However, that introduced complexity – users couldn’t re-use addresses safely, which led to a lot of confusion and even vulnerabilities when users did accidentally reuse them. IOTA later switched back to classical Ed25519 signatures in an upgrade (Chrysalis) to improve performance and UX, essentially postponing the quantum issue. They have plans to reintroduce PQC (likely following NIST standards) in a future Coordicide upgrade once it’s more mature. IOTA’s journey is instructive: it shows the tension between security idealism and practical usability.
- Some newer platforms advertise quantum resistance as a selling point. QANplatform is one that claims to integrate lattice-based algorithms (Kyber and Dilithium, just like NIST’s picks) into a smart-contract platform. It runs a hybrid model allowing both classical and PQ algorithms, which might ease migration. These projects are still relatively small, but they serve as testbeds for how PQC performs in blockchain environments. Encouragingly, QANplatform reported that their lattice-based transactions take on the order of 1.2 seconds to validate, which is in line with normal blockchain speeds. That suggests the performance gap, while real, can be managed even at current tech levels.
Even some players in the "traditional" world have begun to acknowledge the problem in official documents and filings. For example, BlackRock, the world's largest asset manager, explicitly cited quantum computing as a major potential risk to Bitcoin in the filing it submitted to the U.S. Securities and Exchange Commission (SEC) for its Bitcoin ETF. When an institution managing trillions of dollars in assets lists quantum as a risk factor, the issue is no longer merely academic; it has entered the consciousness of mainstream finance.
In summary, Ethereum has been relatively proactive on quantum security, folding it into future plans and building developer consensus early. Bitcoin is aware of the issue but static in posture: it is unlikely to act unless forced to (and hopes that day comes as late as possible). Smaller, newer projects are actively trying quantum-safe cryptography today, validating the technology and exposing its challenges, but at a scale nowhere near Bitcoin's or Ethereum's. And many blockchains have not yet seriously confronted the issue at all, which could become a blind spot as we head into the 2030s. Lean Ethereum, with its ethos of simplification and getting ahead of the problem, serves as a model; if it succeeds, it will be the best case study for other chains. The path emphasizes gradual, opt-in hardening that ideally avoids a panicked, drastic hard fork. There are nonetheless plenty of obstacles to overcome, which we explore next when we turn to trade-offs and risks.
Benefits, Trade-offs and Risks of Quantum-Resistant Upgrades
Upgrading a blockchain to quantum resistance is no small matter: there are clear advantages, but also significant trade-offs and challenges. Using Ethereum's plans as the reference point, let's walk through the benefits, costs and potential risks of migrating to quantum-safe cryptography.
The Advantages of Early Quantum Security
The most obvious benefit of adopting quantum-resistant cryptography is long-term security. It protects the blockchain's core against quantum attack, ensuring that assets and transactions remain secure and reliable after quantum computers arrive. For a system built on trust-minimized guarantees, that is existential. Achieving quantum security early also has an economic dimension: the first major blockchain to be fully quantum-proofed could become the preferred safe haven of the 2030s, attracting capital that worries about quantum risk.
Another advantage is that a quantum upgrade can double as an opportunity for protocol optimization and system refactoring. Ethereum's Lean plan, for example, simultaneously targets quantum security, a simpler architecture, lower node requirements and better scalability, using the moment to overhaul an overly complex system. New cryptography may also unlock new features: some lattice-based signatures, for instance, support signature aggregation (combining many signatures into one) more easily, or can even provide zero-knowledge proofs natively. Capabilities that are hard to build on traditional ECDSA may become possible with quantum-resistant cryptography, improving privacy or smart-contract functionality. In other words, responding to the threat can drive innovation and leave the network stronger and more flexible than before.
There is also a coordination benefit: deploying early, before the pressure hits, allows the migration mechanism to be designed calmly. Stakeholders (exchanges, wallet providers, custodians) can get involved early, and education and tooling can be prepared in advance. That is very different from scrambling after a crisis, which would be chaotic. As the industry saying goes, "fixing things only after the disaster" is the true worst case, because it destroys all confidence overnight. So although the upgrade carries costs (covered in the next section), paying them to prevent a far larger future disaster is ultimately the better bargain.
Trade-offs and Costs
The trade-offs of adopting post-quantum cryptography (PQC) mostly revolve around balancing performance, efficiency and complexity. Current PQC algorithms are "heavier" than existing schemes in several ways:
- Larger keys and signatures: A signature in a Bitcoin or Ethereum transaction today is typically about 64 bytes, whereas a PQ signature such as Dilithium is several thousand bytes larger, so transactions become much bulkier. Either the block/gas limit is raised to carry more data (which affects sync and storage), or the number of transactions per block falls. If Ethereum adopted 2.3 KB signatures, that would be roughly a 30–50× increase over the old size, and block capacity or fees would inevitably take a hit; the alternative is large-scale scaling, which raises the burden on nodes. Public keys may grow too (though a Dilithium public key is not dramatically larger than ECDSA's 33 bytes; the details depend on the scheme chosen).
- Higher computational requirements: Most PQC operations need more computation: lattice-based signatures involve large matrix operations and randomization, and hash-based signatures require many hash-function calls. Optimizations are being researched, but while a blockchain node today can easily verify hundreds of ECDSA signatures, verifying the same number of PQC signatures could approach hardware limits. Ethereum research suggests that with some optimization, lattice-based signature verification costs only about 2–3× more, which is tolerable, but the workload still grows, and nodes and block producers would need stronger hardware to keep up. High-throughput chains need to be especially careful, since heavier cryptography can easily become the system bottleneck.
- Storage and bandwidth: With bigger data, nodes need more disk and bandwidth to download blocks, and the chain grows faster. After a few years this could sharply reduce the number of users able to run full nodes, unless mechanisms like pruning and state expiry are introduced alongside. Mitigations include signature aggregation (merging many signatures to reduce size) or moving signature verification to Layer 2 / off-chain and recording only a proof (such as a rollup's zk-proof) on the main chain. Ethereum is already experimenting with BLS signature aggregation on the consensus layer; if it switches to PQC, similar techniques could be applied to transaction signatures.
- Usability considerations: Some PQC schemes are stateful (e.g., XMSS or Merkle signatures), with strict limits on how many times a key may be used before security is compromised. That is a major management headache for users and developers, as IOTA learned the hard way early on, and it adds complexity to wallet management. The good news is that the schemes NIST is championing (such as Dilithium and Falcon) are stateless and behave like today's signature schemes (reuse is fine). But a chain that considers a scheme like XMSS, with its mathematical security proof, must confront the trade-off between one-time keys and user experience.
- Economic incentives and coordination problems: Another hidden trade-off is that not every user immediately sees the benefit of the upgrade, while the costs (higher fees, slower speeds) are felt right away. That creates a coordination problem. Suppose Ethereum introduced "quantum-resistant addresses" as an option: some users might hold off because they are pricier and clunkier, so old and new schemes would coexist and the security gap would widen. Certain users (whales, exchanges, custodians) might adopt first, perhaps with subsidies, while ordinary users only follow when forced. In the meantime, the "old addresses" become the fatal weakness that a quantum attacker would naturally target. The result is uneven network security: some coins extremely safe, others effectively naked. That fragmentation is dangerous in itself: a handful of quantum thefts could shake the confidence even of users who were not affected.
Risks and Challenges
The process of upgrading to quantum-safe crypto carries several risks:
- Governance and Community Risk: Pushing a major change can easily split a community. We have seen this before (block-size debates, smart-contract rollbacks, etc.); if a quantum upgrade were contentious enough, it could in theory fork the chain, with one faction upgrading and another refusing to abandon the classic crypto. If that happened, it would be chaotic – which chain is “real” Bitcoin or Ethereum? Does the upgraded one win out or does value split? Attackers could even exploit the confusion. Avoiding this requires near-unanimous agreement or very careful planning and communication. Ethereum’s advantage is its community is generally tech-forward and likely to coalesce around a sensible upgrade if the need is clear. Bitcoin’s risk of a split might be higher because there’s a strong “don’t change what isn’t broken” sentiment until absolutely necessary.
- New Tech Bugs: Introducing new cryptography and protocols invites the possibility of implementation bugs. The cryptographic algorithms themselves may be secure, but the way they’re integrated could have flaws. We’ve seen this historically: early implementations of new crypto (even post-quantum candidates) sometimes had side-channel leaks or memory bugs. In a blockchain, a bug in signature validation or address parsing could be disastrous (imagine if someone found a way to fake a PQ signature due to a software bug – it could lead to theft or chain consensus issues). Rigorous testing, audits, and maybe phased rollouts (starting in testnets, then optional on mainnet, etc.) are crucial to mitigate this.
- Algorithmic Uncertainty: While the PQC algorithms chosen by NIST underwent a lot of scrutiny, it’s not impossible that some weakness is found in the future. The history of cryptography is full of algorithms that were trusted for a while then got broken (for instance, certain lattice schemes or multivariate schemes fell to advanced math or even brute force improvements). If the blockchain bets on one algorithm and it turns out sub-par, you’d have to pivot again. This is why experts advise cryptographic diversity – not putting all eggs in one algorithm basket. Ethereum’s notion of agility and supporting multiple algorithms can hedge this risk. But doing multiple algorithms also means more code and complexity, which is itself a risk. It’s a tricky balance.
- Partial Measures vs. Comprehensive Fixes: Some interim solutions (like the “quantum vaults” or wrapping keys in quantum-safe layers) might give a false sense of security if people assume the problem is solved when it’s not system-wide. For instance, a custodian might secure its large cold wallet with a quantum-safe scheme, but the network as a whole is still on old crypto. This is fine – it protects that custodian – but if observers think “oh, Bitcoin is handling quantum now,” it could delay necessary broader action. Also, those user-level solutions can create haves and have-nots in security, as mentioned. It risks leaving the smaller players exposed, which ethically and practically is a problem.
- Timing and Complacency: Perhaps the biggest risk is timing. Move too early, and you incur costs and complexity perhaps unnecessarily (if large-scale quantum computers take 20+ years, there was more time to let tech improve). But move too late, and obviously you’re in trouble. There’s also the scenario of a stealth advance in quantum tech – what if a government or a corporation achieves a breakthrough in secret? The crypto community might not know until suddenly addresses start getting drained. This is the nightmare scenario because the response time would be near zero. It’s unlikely (most believe quantum progress will be visible via academic and industry milestones), but not impossible. This uncertainty leads some to advocate sooner-rather-than-later for upgrades. But it’s a hard sell to the public when the threat still seems abstract to many. One could say there’s a communication challenge: how to convey the urgency of quantum risk without causing unwarranted fear or pushing people away from crypto? It must be framed as a solvable, active engineering problem – which is exactly how Ethereum is treating it.
In weighing all this, it’s clear there are no simple answers, but Ethereum’s strategy attempts to maximize benefits and minimize risks by doing things gradually and in a technically open way. They’re not betting on a single silver bullet, but a combination (simplify the system, add PQC, use ZK proofs, etc.). This multi-pronged approach might dilute some trade-offs (for example, if ZK-proofs lighten the load, they can offset heavier signatures). It’s also spreading the transition out over years, which could reduce shock. In contrast, if a crisis hit, Bitcoin might have to do a rapid, heavy trade-off (like “everyone move in the next 6 months or your coins are burned”) – effective if it works, but socially and technically extreme.
Now, assuming these upgrades do happen successfully, what then? Let’s look at what a quantum-resistant Ethereum (and crypto industry) means for the various participants and the ecosystem as a whole.
Long-Term Implications for Users, Developers, and the Crypto Industry
If Ethereum and other blockchains execute a quantum-secure transition well, the long-term outlook for the crypto ecosystem remains strong – arguably stronger than before. Here are some key implications for different stakeholders:
For Everyday Users and Holders
The ideal outcome is that users experience the quantum upgrade as a non-event in their day-to-day usage. They might notice some changes – perhaps new address formats or slightly higher transaction fees due to bigger transactions – but otherwise continue transacting as normal. Achieving that seamless feel will take work: wallet software will need to handle new cryptography under the hood without making users do complicated steps. In Ethereum’s case, account abstraction could allow a wallet to manage multiple key types so the user doesn’t have to think about whether they’re using an ECDSA key or a Dilithium key – it “just works.” Users may eventually be prompted to migrate funds to a new address (as a one-time security upgrade), but with clear instructions and perhaps tools that automate most of it, the process can be user-friendly. Think of it like when HTTPS became the norm on websites – under the hood a big crypto change happened (symmetric keys got longer, certs got stronger), but users just saw a lock icon in their browser and perhaps had to update some software.
One piece of advice that’s already emerging for crypto holders is to practice good “key hygiene” even before quantum hits. This includes things like avoiding address reuse – don’t keep using the same address for thousands of transactions; generate new ones periodically so your public key isn’t constantly exposed. Also, key rotation – moving funds to fresh addresses every so often (which implicitly means new keys) – could mitigate some risk, because an old address that hasn’t been used in years with an exposed key is more vulnerable than one that’s new. Multisignature wallets are another safeguard; even if one key were cracked, the attacker would need others to move funds. And of course, cold storage (keeping coins in addresses whose keys have never touched an online device) remains a recommended practice; those coins’ public keys aren’t revealed until you make a transaction, which gives quantum adversaries no target until you decide to move them. These are measures users can take now, and many already do as basic security. They also happen to align well with reducing quantum exposure. In the long run, after upgrades, users might not need to worry about this as much, but it’s a healthy habit regardless.
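The key-hygiene advice above can be turned into a check that a wallet or an operator can run over ledger history. The following Python example is added here and is not taken from the article or from any real wallet: it replays a small constructed UTXO-style ledger and reports, for every address that still holds funds, whether its public key is already visible on-chain, either because the output script embeds the key outright (the P2PK case BitMEX Research counted) or because a spend from that address has published the key in a signature. It also counts how often each address was reused as a destination. The address derivation (truncated SHA-256) and the ledger contents are simplifications constructed for the example; real chains use different hashing and encoding, but the exposure logic is the same. Compare the two spenders in the sample: one sends change back to the same address and leaves its remaining balance exposed, the other sends change to a fresh address and does not.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed toy ledger (not real chain data): UTXO-style transactions whose
# outputs pay either to a raw public key (P2PK) or to a hash of the key (P2PKH).


@dataclass(frozen=True)
class Output:
    address: str       # P2PKH: hash of the key; P2PK: the key itself
    amount: int        # smallest unit, e.g. satoshis
    script_type: str   # "p2pk" or "p2pkh"


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: tuple      # (prev_txid, output_index, spender_pubkey_hex) triples
    outputs: tuple     # Output instances


def address_of(pubkey_hex: str) -> str:
    """Toy P2PKH-style address: truncated SHA-256 of the key bytes.
    Real chains add RIPEMD-160, a version byte and a checksum; the point here is
    only that the address hides the key until a spend reveals it."""
    return hashlib.sha256(bytes.fromhex(pubkey_hex)).hexdigest()[:40]


def audit_exposure(txs):
    """Replay the ledger and report, per address that still holds funds, its balance,
    whether its public key is already visible on-chain, and how many outputs it received."""
    utxos = {}
    exposed = set()
    received = defaultdict(int)
    for tx in txs:
        for prev_txid, idx, pubkey_hex in tx.spends:
            out = utxos.pop((prev_txid, idx))
            expected = pubkey_hex if out.script_type == "p2pk" else address_of(pubkey_hex)
            if expected != out.address:
                raise ValueError(f"{tx.txid}: spender key does not match the output being spent")
            exposed.add(out.address)          # the spend's signature published the key
        for i, out in enumerate(tx.outputs):
            utxos[(tx.txid, i)] = out
            received[out.address] += 1
            if out.script_type == "p2pk":
                exposed.add(out.address)      # the key sits in the output script itself
    report = {}
    for out in utxos.values():
        entry = report.setdefault(out.address, {
            "balance": 0,
            "pubkey_exposed": out.address in exposed,
            "times_received": received[out.address],
        })
        entry["balance"] += out.amount
    return report


def exposed_balance(report) -> int:
    """Funds a key-recovering adversary could target without waiting for a spend."""
    return sum(e["balance"] for e in report.values() if e["pubkey_exposed"])


# Constructed keys: 33-byte, compressed-key-shaped hex strings, not real keys.
PK_A = "02" + "11" * 32
PK_B = "03" + "22" * 32
PK_C = "02" + "33" * 32
PK_C2 = "03" + "44" * 32
PK_D = "02" + "55" * 32
PK_E = "03" + "66" * 32


def sample_ledger():
    return (
        # Early-style block reward paid straight to a public key, plus two hashed outputs.
        Tx("tx1", (), (Output(PK_A, 50_000, "p2pk"),
                       Output(address_of(PK_B), 10_000, "p2pkh"),
                       Output(address_of(PK_C), 5_000, "p2pkh"))),
        # B spends and sends change back to the same address: key now exposed, funds still there.
        Tx("tx2", (("tx1", 1, PK_B),), (Output(address_of(PK_D), 4_000, "p2pkh"),
                                         Output(address_of(PK_B), 6_000, "p2pkh"))),
        # C spends but sends change to a fresh address: remaining funds stay behind an unexposed key.
        Tx("tx3", (("tx1", 2, PK_C),), (Output(address_of(PK_E), 2_000, "p2pkh"),
                                         Output(address_of(PK_C2), 3_000, "p2pkh"))),
    )


if __name__ == "__main__":
    rep = audit_exposure(sample_ledger())
    for addr, entry in rep.items():
        print(addr[:12], entry)
    print("exposed balance:", exposed_balance(rep))
```

On the sample ledger the P2PK reward and B's reused change address are flagged as exposed, while D, E and C's fresh change address are not; C's original address no longer appears because it holds nothing. The same replay, pointed at a real wallet's history, is the check behind the "avoid address reuse" advice.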
If the industry handles it poorly, users could face more dramatic impacts: for instance, being forced to manually convert all their assets to new formats under time pressure, or even losing funds if deadlines pass. But given the awareness we see, it’s likely there will be ample warnings and grace periods. One positive implication is that users might become more educated about the cryptography behind their assets. The quantum discussion can spur broader public knowledge of how crypto actually works. We saw a bit of this when the community learned about different signature schemes and address types; quantum might similarly push people to learn about lattice cryptography or why one address is safer than another. That demystification can be empowering and reduce the reliance on a few experts.
For Developers and Protocol Engineers
For developers – both those working on core protocols and those building applications – a quantum-resilient future means new tools and new paradigms. Core devs will need to be proficient in implementing and optimizing post-quantum algorithms. We might see an uptick in demand for cryptography experts in the blockchain space (already a trend). Libraries that handle signatures, key generation, hashing, etc., will get overhauled, so developers maintaining blockchain clients or writing smart contracts that verify signatures (think of complex contracts that do multisig or custom crypto stuff) will have to update their code.
One big implication is the importance of cryptographic agility in system design, which we mentioned. Developers will likely architect systems with upgradable cryptography in mind. That might mean designing smart contracts or protocols that aren’t rigid about one algorithm. It’s a mindset shift from “ECDSA everywhere” to “maybe this year’s scheme is X, but we might slot in Y later.” We already see some of that: e.g., Ethereum’s move toward account abstraction can let developers specify alternative verification logic for transactions (say, a contract wallet could require a Dilithium signature instead of an ECDSA signature). This kind of flexibility is going to be invaluable and will probably become a best practice in new blockchain designs.
For application developers (like those making dApps or services), the changes might be subtle. They might rely on the underlying blockchain or wallet libraries to handle the crypto details. But they should be aware of things like transaction size changes (perhaps adjusting gas limits in their apps) and possibly new transaction types or opcodes. Documentation and educational resources will need updating. The good news is that once the protocol layer has done the heavy lifting, application developers can get a more secure foundation with relatively little extra effort.
Another impact is on testing and development environments: we are likely to see testnets dedicated to post-quantum cryptography (PQC), some of which already exist, where developers can experiment with PQ transactions. Getting familiar with these workflows in advance will make the transition smoother. Developer tooling (hardware wallets, for instance) will evolve too: many hardware wallets today use secure-element chips optimized for specific algorithms, which will need upgrades to support PQC, or new devices will appear. For the crypto-hardware industry this is both a challenge and a new opportunity.
For Validators and Node Operators
Validators (in PoS systems like Ethereum) and miners (in PoW systems like Bitcoin, although PoW may be challenged in a PQ future and mining may become less relevant) will have to meet new requirements. Node software may become more resource-hungry, needing stronger CPUs or even dedicated hardware to handle post-quantum cryptography efficiently. Left unchecked, that pushes toward centralization (for example, only those who can afford high-end servers or particular accelerator cards could validate at the required speed), but efforts like Ethereum's simplification and reduction of other burdens are meant precisely to offset that trend. It is a balancing act: you do not want to answer the quantum threat to decentralization by simply trading it for centralization around hardware capital.
In the long run, hardware acceleration may become the norm. Just as some miners today use ASICs for hashing, future validators may use dedicated hardware that accelerates lattice arithmetic or hash-based signature generation. If such components are mass-produced, costs will fall and they may even be integrated into ordinary consumer devices. RISC-V, mentioned earlier, could give everyone a cheap, open solution if custom cryptographic instructions are added. Done well, this could even democratize quantum-safe cryptography: imagine every laptop shipping with an open-standard quantum-safe cryptographic module.
Another impact on validators is consensus-protocol complexity. In an emergency (say, a detected quantum attack requiring an urgent upgrade), validators must be able to adapt quickly. New consensus rules may be added, such as "if we see X happen (e.g., a flood of invalid signatures), do Y." Such contingencies might be written into the protocol or at least planned in advance (some have suggested a "red button" hard-fork mechanism in case quantum progress outpaces expectations). Validators will need good communication to coordinate a response, which implies more active governance. There is some irony here: the quantum threat may push networks that pride themselves on decentralization into more social coordination. But having a safety valve may be important.
For the Broader Crypto Industry and Ecosystem
At the industry level, the move to quantum security will probably bring more collaboration and standard-setting than before. In a famously competitive space, coalitions like CQRA push projects to work together on a shared problem. We may see cross-chain standards (a common quantum-resistant address format, say, or a unified key encoding in wallets) so that exchanges and multi-chain wallets can "implement once, apply to many chains." Such cooperation raises the resilience of the industry as a whole and sets an example for collectively overcoming major challenges.
There is also a geopolitical and regulatory dimension. Regulators have so far focused mainly on the financial-stability and compliance aspects of crypto; as quantum computers become a reality, politicians and regulators may shift attention to the underlying security infrastructure. Some governments might even require financial institutions (and by extension the blockchains they use) to adopt quantum-resistant cryptography across the board by a certain date, much like past upgrades to banking standards. If, for instance, the U.S. or the EU mandated in 2030 that "all digital-asset custodians must use PQC key management," it would greatly accelerate the industry's preparations. Forward-looking policymakers may encourage the industry to upgrade before a crisis. There is precedent: bodies like NIST are already issuing guidance, and even defense agencies have studied how to protect blockchains.
Economically, a quantum-resilient crypto industry could attract investors who have stayed on the sidelines. Some institutional investors have held back because of technology risk, quantum included. If Ethereum can declare "we have implemented NIST-standard quantum-safe cryptography," that removes a lingering doubt and demonstrates maturity. Conversely, an industry perceived as ignoring the quantum threat could deter conservative capital.
New products and services can also be expected: quantum-safe custody solutions (startups are already entering the market with "hybrid cryptography" vaults), insurance products covering quantum risk, consultancies specializing in blockchain upgrades, and so on. A small "post-quantum blockchain services" industry could flourish over the coming decade.
Finally, from a long historical view, if crypto successfully weathers the quantum transition, that is proof of its resilience. Skeptics often ask, "What about quantum? Won't it destroy crypto?" The answer could become: "No, we adapted and even came out stronger." Networks may even end up more decentralized (e.g., light nodes enabled by mechanisms like DAS), more scalable (ZK proofs and other efficiency gains) and more secure than before. That reinforces the picture of blockchains as living organisms that evolve in response to threats and keep delivering censorship-resistant, trust-minimized value transfer even in a new technological era.
In summary, Ethereum's push for a simplified, quantum-secure design shows a proactive, forward-looking and innovative spirit in facing the challenge. The arrival of quantum computers need not be a crisis for crypto; it can instead be a turning point that drives the ecosystem toward better engineering and broader collaboration. By investing in countermeasures now, Ethereum and other projects aim to ensure that decentralized finance and digital assets stay well defended even against the most powerful computers of the future. The road to quantum security requires careful trade-offs and collective effort, but the end goal, a crypto world that remains secure in the quantum age, is well worth the fight.
Conclusion: Embracing the Quantum-Secure Future
The shadow of quantum computing, once purely theoretical and distant, is rapidly becoming a reality the blockchain industry cannot ignore. Yet judging from Ethereum's efforts and the industry's responses, the dominant tone is cautious optimism rather than fatalism. Yes, quantum computers could upend the cryptographic security foundations we rely on today, but with the tools and time available, the worst case is entirely preventable. Current estimates put a quantum machine capable of genuinely threatening mainstream cryptography some 5 to 10 years away, a valuable window for preparation. It means the community can methodically test post-quantum schemes, build consensus for upgrades and execute them carefully. For Ethereum, developers already treat that timeline as the deadline for putting quantum defenses in place.
One key lesson: do not pin all hopes on a single solution. Diversified cryptographic defenses, combining lattice-based, hash-based and other schemes, build layered protection; if one algorithm turns out to be flawed, another stands in. This "cryptographic diversity" will become the norm. Future blockchains may support several signature types at once, perhaps even letting users choose their algorithm, making the system as a whole more robust. It recalls how biodiversity brings resilience in nature; a crypto ecosystem that avoids cryptographic "monoculture" will likewise be stronger.
There is a bright side too: the pursuit of quantum security is spurring innovation with side benefits. Privacy techniques, efficiency gains and new smart-contract capabilities are sprouting from this research push. Zero-knowledge proofs and lattice cryptography, for example, not only resist quantum risk but also make transactions more scalable and private. In a sense, the "quantum crisis" has become a catalyst for the positive evolution of blockchain protocols. We may find in the end that the new networks are not just more secure but faster and richer in features.
The transition to quantum-safe cryptography could well become a defining chapter in the blockchain industry's maturation. It will test governance structures: can decentralized communities act together for long-term benefit and accept short-term inconvenience? It will test inter-project cooperation: can competitors jointly set standards for collective security? And it will test user trust: will people understand that these changes are for the long-term good and stay through the transition? If all three hold, decisively addressing the quantum threat will bolster confidence in decentralized technology for decades to come.
Ethereum's early and serious action provides a model: face the threat head-on early, draw on expert research (such as NIST's work), involve the broad community in planning, and integrate solutions into the roadmap before crisis hits.
Bitcoin and others will each forge their own path, but the end goal is shared – ensuring that the core promise of cryptocurrency, trustless and censorship-resistant value transfer, endures in the quantum era.
The work being done now is essentially to guarantee that promise holds true no matter what computers of the future are capable of.
In conclusion, while quantum computing poses a real challenge, it is one that the crypto world is increasingly ready to face head-on.
With pragmatic engineering, open dialogue, and timely action, blockchains can emerge on the other side of the quantum transition not only unharmed but invigorated – having conquered yet another “impossible” problem.
The story of Ethereum’s lean, quantum-secure initiative is ultimately about resilience and foresight.
It’s a reminder that decentralization is not a static ideal but a living system that can adapt to threats and continue to serve its users securely.
As we push into this new frontier, the crypto industry is demonstrating that it can indeed embrace the future without fear, turning advanced cryptography and collective effort into the foundation of a quantum-secure financial world.

