Ethereum Researchers Propose SPHINCS- Post-Quantum Wallet Signatures for EVM Security
Ethereum researchers are proposing SPHINCS-, a post-quantum signature scheme designed to work on the EVM without protocol changes. It is a serious attempt to make quantum-resistant wallet security practical before the quantum boogeyman stops being a theory and starts wrecking signatures.
- SPHINCS-: stateless post-quantum signature scheme for Ethereum wallets
- Uses KECCAK256 instead of SHAKE256 for EVM compatibility
- No base-layer changes: can be implemented in Solidity
- C13 variant: about 127,000 gas, 3,704-byte signatures
- Research-stage only: not yet a standard or finished account format
Published on June 12 on Ethereum Research by nicocsgy, with acknowledgments to Vitalik Buterin and other contributors, the proposal frames SPHINCS-—pronounced “SPHINCS minus”—as “an efficient stateless post-quantum signature verification scheme designed for EVM compatibility.”
For readers not living and breathing cryptography: post-quantum signatures are digital signatures designed to survive attacks from future quantum computers, which could eventually break today’s common public-key systems. In plain English, they are the backup plan for when the old math starts getting punched in the face by new hardware.
The idea matters because wallet signatures are what prove you control funds and authorize transactions. If a future quantum computer can forge those signatures, self-custody gets a lot less self-custody and a lot more “surprise, your keys were never that safe.”
The core trick behind SPHINCS- is straightforward: replace the standard SHAKE256 functions used in the broader SPHINCS+ family with Ethereum-native KECCAK256. That gives Ethereum a practical edge, because KECCAK256 already lives inside the network. As the proposal puts it, “The design replaces standard SHAKE256 functions with EVM-native KECCAK256, allowing a Solidity implementation without protocol changes or precompiles.”
That means the verification logic can be written in Solidity, Ethereum’s main smart contract language, and executed directly on the EVM, Ethereum’s execution engine where smart contracts run. No new precompile. No base-layer surgery. No waiting around for a chain-wide upgrade while everyone pretends migration is easy. It is a wallet-layer path, not a protocol-level moonshot.
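To make that substitution concrete, here is a small Python model of the Keccak sponge, added for this article and not code from the proposal or any Ethereum project: Ethereum's keccak256, NIST SHA3-256 and the SHAKE256 used by standard SPHINCS+ all run the same Keccak-f[1600] permutation at the same rate and differ only in the domain-separation suffix byte and the output length. It also shows the pitfall a reviewer should check for when a "Keccak" implementation is ported: Solidity's keccak256 is the original Keccak (suffix 0x01), not SHA3-256 (suffix 0x06), so the two give different digests; the NIST variants are cross-checked against Python's hashlib.

```python
import hashlib
MASK = (1 << 64) - 1
# Rho rotation offsets, row by row; lane (x, y) is stored at index x + 5*y.
ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14]

def _rol(v, n): return ((v << n) | (v >> (64 - n))) & MASK  # rotate a 64-bit lane left
def _round_constants():  # iota constants, generated from the spec's 8-bit LFSR
    r, out = 1, []
    for _ in range(24):
        out.append(0)
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2: out[-1] |= 1 << ((1 << j) - 1)
    return out

RC = _round_constants()

def keccak_f1600(a):  # 24 rounds of theta, rho, pi, chi, iota over 25 lanes
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]  # theta
        b = [0] * 25
        for i in range(25):  # rho + pi: lane (x, y) moves to (y, 2x + 3y), rotated
            b[i // 5 + 5 * ((2 * (i % 5) + 3 * (i // 5)) % 5)] = _rol(a[i], ROT[i])
        a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        a[0] ^= rc  # iota
    return a

def keccak_sponge(msg, suffix, out_len, rate=136):  # Keccak[c=512]; suffix is the domain byte
    st, p = [0] * 25, bytearray(msg) + bytes([suffix])
    p += bytes(-len(p) % rate)  # pad10*1: suffix byte, zeros, 0x80 OR-ed into the last byte
    p[-1] |= 0x80
    for off in range(0, len(p), rate):  # absorb one rate-sized block per permutation
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(p[off + 8 * i:off + 8 * i + 8], "little")
        st = keccak_f1600(st)
    out = b""
    while len(out) < out_len:  # squeeze; SHAKE outputs may span several blocks
        out += b"".join(lane.to_bytes(8, "little") for lane in st)[:rate]
        st = keccak_f1600(st)
    return out[:out_len]

def keccak256(msg): return keccak_sponge(msg, 0x01, 32)   # Solidity keccak256 (original Keccak)
def sha3_256(msg): return keccak_sponge(msg, 0x06, 32)    # NIST SHA3-256: same core, 0x06 suffix
def shake256(msg, n): return keccak_sponge(msg, 0x1F, n)  # SHAKE256, as in standard SPHINCS+

def agrees_with_hashlib(msg):  # hashlib ships the NIST variants but not keccak256
    return (sha3_256(msg) == hashlib.sha3_256(msg).digest()
            and shake256(msg, 300) == hashlib.shake_256(msg).digest(300))
```

The point for an EVM port is that nothing about the permutation changes, only the suffix byte and how many output bytes are squeezed, which is what makes the Solidity `keccak256` builtin a drop-in hash for the scheme.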
That’s the upside. Statelessness is not the catch: SPHINCS- is explicitly stateless, which in this context means the signer does not need to keep track of evolving secret state between signatures, and that is a good thing for wallet security and recoverability, since stateful schemes can be a headache to manage safely. The catch is that SPHINCS- is non-standard and does not strictly match FIPS 205 because it uses Keccak and limited signing budgets. Standards matter because they help with interoperability, auditing, and adoption. Brilliant math is nice; hardware makers, wallet developers, and compliance teams still have to ship something users can actually use.
The proposal reduces the standard 2^64 signatures per key down to a more wallet-realistic 2^14–2^20. That sounds like a downgrade, and mathematically it is. But the reasoning is pragmatic: most Ethereum users are nowhere near that ceiling. The post says “the average annual 99.9th percentile of Ethereum transactions is around 431 per address since the Merge.” In other words, the vast majority of wallets are not signing like they’re running an exchange desk or a DeFi farm with a caffeine problem.
For Ethereum, the practical question is not whether a scheme can be made theoretically elegant. It is whether it can survive contact with real wallets, real users, and real devices. SPHINCS- is trying to sit in that uncomfortable middle ground where the security model is strong enough to matter, but the usability is not so bad that people throw their hardware wallets into the sea.
The performance numbers are encouraging enough to take seriously. The C13 variant reportedly verifies at about 127,000 gas and produces a 3,704-byte signature. For comparison, the standard SLH-DSA-SHA2-128-24 configuration comes in at about 142,000 gas with a 3,856-byte signature. Gas is the computational cost of doing work on Ethereum, so lower is better. Signature size matters too, because every extra byte has to be carried, stored, and paid for. Onchain, bloat has a habit of turning into a tax.
The signing side is less cozy. The comparison scheme needs about 1.07 billion hash calls to sign, which sounds less like cryptography and more like a machine being asked to file a small mountain of paperwork by hand. Hardware wallet support is where the proposal gets more concrete: the C11 and C12 variants are said to be compatible with hardware wallets, and on the ST33K1M5 secure element, signing times were measured at 390 seconds for C11 and 47.5 seconds for C12.
Forty-seven and a half seconds is not exactly a smooth consumer experience, but it is a lot more workable than a multi-minute slog for every signature. C11 at 390 seconds is a tougher sell for everyday use unless your personal workflow includes lots of waiting and very patient coffee. That is the real rub with post-quantum cryptography: the math can be excellent while the UX remains a small crime scene.
Here is the uncomfortable truth: post-quantum security is still a future-facing issue, but migration takes years, not weekends. Wallet standards, user interfaces, hardware wallet firmware, custodial infrastructure, exchange integrations, and education all need to move together. As the proposal notes, “Post-quantum security is still a future-facing issue, but blockchain networks cannot wait until quantum attacks are practical before thinking about migration.”
That is the part worth taking seriously. Waiting until quantum attacks are practical would be the crypto equivalent of buying a roof when the house is already on fire. The industry loves to act surprised by basic time horizons, but cryptography does not care about marketing calendars.
Ethereum is unusually well-positioned for this kind of experimentation because its execution environment is flexible enough to test wallet-layer upgrades without requiring a consensus rewrite. That does not mean Ethereum gets a free pass. It means researchers can prototype a path forward faster than on more rigid systems. The downside is that flexible systems can accumulate complexity like a junk drawer: useful, powerful, and occasionally held together by vibes and duct tape.
What is SPHINCS-?
SPHINCS- is a proposed stateless post-quantum signature verification scheme designed for Ethereum wallet security and EVM compatibility.
Why does Ethereum need it?
Because wallet signatures are the last line of defense for self-custody. If quantum computers eventually break current signature schemes, Ethereum needs a migration path that does not depend on emergency protocol changes under pressure.
How does it work?
It swaps SHAKE256 for Ethereum-native KECCAK256, which allows a Solidity implementation directly on the EVM without needing precompiles or base-layer upgrades.
Is it standard-compliant?
No. SPHINCS- is non-standard and does not strictly match FIPS 205 parameters because it uses Keccak and limited signing budgets.
How efficient is it?
The C13 variant reportedly verifies at about 127,000 gas with a 3,704-byte signature, which is lighter than the compared SLH-DSA-SHA2-128-24 configuration.
Is it ready for production wallets?
No. It is still research-stage and not yet a finished Ethereum account standard.
What is the biggest trade-off?
It improves practicality for Ethereum, but it comes with reduced signing budgets, non-standard parameters, and hardware-wallet signing times that may still be awkward for mainstream users.
Does quantum computing threaten Ethereum wallets today?
Not today. But post-quantum migration is slow, and the point of proposals like SPHINCS- is to start building a path before the threat stops being theoretical.
The broader implication is bigger than one signature scheme. Ethereum’s account model, wallet ecosystem, and abstraction layers may eventually need a coordinated post-quantum upgrade path. That likely means more research into account abstraction, better wallet migration tooling, and standards that are secure without being miserable to use. Security that nobody can deploy is just academic wallpaper.
SPHINCS- is not a finished answer, but it is a real one. It shows Ethereum researchers are thinking about quantum-resistant wallets before panic becomes policy. That is a healthy sign. The hard part will not just be making signatures secure enough. It will be making them usable enough that people actually adopt them instead of sticking with the old system until the very last minute, which is the human way and also, frankly, a terrible plan.