·12 min read·QuantumSafe Team

How to Migrate Ethereum Keys from ECDSA to Post-Quantum Cryptography

Step-by-step guide for migrating Ethereum wallet keys from quantum-vulnerable ECDSA to NIST-standardized post-quantum algorithms ML-DSA and SLH-DSA using the QuantumSafe SDK.

EthereumMigrationECDSAML-DSATutorial

Why Migrate from ECDSA to Post-Quantum Cryptography?

Ethereum and most blockchain networks rely on the Elliptic Curve Digital Signature Algorithm (ECDSA) with the secp256k1 curve for transaction signing and wallet authentication. ECDSA is secure against classical computers, but Shor's algorithm running on a cryptographically-relevant quantum computer (CRQC) can derive the private key from a known public key in polynomial time.

This is not a theoretical concern. Any Ethereum wallet that has sent a transaction has its ECDSA public key permanently exposed on the blockchain. Under the Harvest Now, Decrypt Later (HNDL) threat model, adversaries are already collecting this data.

Migration to NIST-standardized post-quantum cryptography (PQC) algorithms — specifically ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) — protects your assets against both current and future quantum threats.

Migration Strategy Overview

The migration from ECDSA to PQC is not a single step — it is a phased process that maintains backward compatibility while progressively building quantum resilience.

  1. Phase 1: Assessment — Identify quantum-vulnerable wallets and prioritize by value
  2. Phase 2: PQC Key Generation — Generate ML-DSA-65 key pairs alongside existing ECDSA keys
  3. Phase 3: Hybrid Attestation — Sign transactions with both ECDSA and ML-DSA
  4. Phase 4: Asset Migration — Transfer assets to quantum-safe addresses
  5. Phase 5: PQC-Only — Transition to PQC-only signing (when ecosystem supports it)

Phase 1: Assess Your Quantum Vulnerability

Before migrating, you need to understand your exposure. Use the QuantumSafe Quantum Scanner to analyze your Ethereum wallets.

The scanner evaluates:

  • Public Key Exposure: Has the wallet sent any transactions? If so, the ECDSA public key is permanently on-chain.
  • Transaction Count: More transactions mean more on-chain data for potential analysis.
  • Balance at Risk: Higher-value wallets should be prioritized for migration.
  • Nonce Patterns: Certain nonce reuse patterns can weaken ECDSA security even classically.

The scanner outputs a quantum risk score from 0–100, with recommendations based on severity. Wallets scoring above 60 should be prioritized for immediate migration planning.

Phase 2: Generate PQC Key Pairs

Generate quantum-resistant key pairs using ML-DSA-65 (recommended) or SLH-DSA. QuantumSafe uses a BYOK (Bring Your Own Key) model — private keys are generated and stored locally, never transmitted to the server.

Using the TypeScript SDK

import { QuantumSafe } from '@quantumsafe/sdk';

const qs = new QuantumSafe({ apiKey: 'qs_pub_...' });

// ML-DSA-65 키 생성 (NIST 기본 추천)
const keyPair = await qs.keys.generate({
  algorithm: 'ml-dsa-65',
  label: 'eth-treasury-pqc',
});

console.log('Public Key:', keyPair.publicKey);
console.log('Key ID:', keyPair.keyId);
// 프라이빗 키는 로컬에만 저장됨

Using the Python SDK

from quantumsafe import QuantumSafe

qs = QuantumSafe(api_key="qs_pub_...")

# ML-DSA-65 키 생성
key_pair = qs.keys.generate(
    algorithm="ml-dsa-65",
    label="eth-treasury-pqc",
)

print(f"Public Key: {key_pair.public_key}")
print(f"Key ID: {key_pair.key_id}")

Using the REST API

curl -X POST https://api.qsafe.dev/v1/keys/generate \
  -H "Authorization: Bearer qs_sec_..." \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "ml-dsa-65",
    "label": "eth-treasury-pqc"
  }'

Phase 3: Hybrid Attestation

Hybrid attestation creates a cryptographic proof that links your existing ECDSA wallet to your new PQC key pair. This establishes a verifiable chain of ownership:

  1. Sign a message with your ECDSA private key (proves you own the Ethereum wallet)
  2. Sign the same message with your ML-DSA private key (proves you own the PQC key)
  3. QuantumSafe creates a hybrid attestation certificate linking both signatures
// 하이브리드 인증 생성
const attestation = await qs.attestation.create({
  ecdsaAddress: '0x1234...abcd',
  ecdsaSignature: ecdsaSig,  // ECDSA로 서명한 메시지
  pqcKeyId: keyPair.keyId,
  pqcSignature: pqcSig,      // ML-DSA로 서명한 동일 메시지
});

console.log('Attestation ID:', attestation.id);
console.log('Status:', attestation.status);
// => "verified"

This attestation serves as on-record proof that the holder of ECDSA wallet 0x1234...abcd is the same entity that controls the PQC key. When quantum computers arrive, this attestation enables provable ownership transition.

Phase 4: Asset Migration

Once your PQC keys are generated and attested, the next step is to plan the actual asset migration. This varies depending on your use case:

For Individual Wallets

  • Create a new wallet address derived from (or associated with) your PQC key pair
  • Transfer assets from your ECDSA wallet to the PQC-linked wallet
  • Update any smart contract permissions, multisig configurations, or DAO voting registrations

For Smart Contracts

  • Deploy PQC signature verification logic (verifier precompile or library)
  • Update contract access control to accept ML-DSA signatures
  • Implement a transition period where both ECDSA and PQC signatures are accepted

For DAO Governance

  • Register PQC public keys in the governance contract alongside existing ECDSA keys
  • Update voting mechanisms to verify PQC signatures
  • Set a governance-approved deadline for full PQC migration

Phase 5: PQC-Only (Future)

The final phase — transitioning to PQC-only signing — depends on ecosystem-wide adoption. This includes:

  • Ethereum protocol-level support for PQC signature schemes (EIP proposals are in development)
  • Wallet software support for PQC key management
  • Layer 2 networks adopting PQC verification
  • Cross-chain bridges supporting PQC signatures

This phase is likely 3–5 years away, but the groundwork you lay in Phases 1–4 ensures you are ready when it arrives.

Migration Checklist

  • Scan all wallets for quantum vulnerability (risk score)
  • Prioritize wallets by value and exposure level
  • Generate ML-DSA-65 key pairs for high-priority wallets
  • Create hybrid attestations linking ECDSA and PQC keys
  • Document your PQC key management procedures
  • Plan asset transfer timeline for high-value wallets
  • Update smart contract permissions to accept PQC signatures
  • Monitor Ethereum PQC EIPs and ecosystem readiness

Start your migration today. Scan your wallet for free, then create an account to generate PQC keys and hybrid attestations with 500 free API calls/month.