PQ Transaction Signatures #001
Transcript
Ask about this call
Answered from this call's summary and transcript only.
AI-generated — verify against the recording.
Call summary
Targets
- •EthCC - Full proof of seed demonstrator with concrete implementation — 00:47:18
- •February 18, 2026 - Next PQTS breakout call covering multi-sig and aggregation — 01:04:21
Decisions
- •Support multiple PQ signature schemes simultaneously; users choose based on requirements — 01:00:58
- •Account abstraction is the foundational layer for all PQ transaction work — 00:46:26
Highlights
- Organizational:
- ·Breakout room scope: execution layer only (transactions); other layers separate efforts — 00:15:03
- ·Next call in 2 weeks: multi-signatures, aggregatable signatures, additional topics — 01:04:21
- Post Quantum Context:
- ·Four Ethereum components rely on elliptic curves: execution, consensus, DAS, state — 00:09:07
- ·NIST standardization took 2016-2022; implementation still ongoing since 2017 — 00:12:08
- ·NIST winners: ML-DSA, Falcon (lattice-based), Sphincs+ (hash-based) for signatures — 00:13:18
- ·Quantum computing acceleration in 2024 from Google, Microsoft requires action now — 00:14:30
- Precompile Proposals:
- ·EIP-8051: ML-DSA precompile, NIST-compliant and Keccak variant, 8M gas target — 00:17:04
- ·EIP-8052: Falcon precompile, 1.6M gas using Keccak, smaller signatures than ML-DSA — 00:24:07
- ·ML-DSA standardized (FIPS 204); Falcon standardization still in progress — 00:20:42
- ·ML-DSA easier to implement, works on hardware wallets; Falcon RAM-intensive — 00:22:50
- Cryptographic Agility:
- ·Crypto agility: add/remove algorithms without major protocol changes — 00:49:22
- ·Current transactions not crypto-agile: V,R,S values encode specific ECDSA algorithm — 00:51:03
- ·Agile design: separate signature from transaction payload, easily swap algorithms — 00:52:20
- ·Support multiple PQ schemes simultaneously; add/remove independently over time — 00:56:19
- Account Abstraction Integration:
- ·Demo: ML-DSA transactions working today via 4337 at ~$2 cost on L1 — 00:26:53
- ·4337 deployment vulnerable to front-running; native AA needed for full security — 00:28:54
- ·EIP-8141: Frame transactions enable native AA with flexible signature validation — 00:31:41
- ·Frame transactions: verification frame (no gas), execution frame (gas charged) — 00:36:19
- Proof Of Seed Emergency Mitigation:
- ·Proof of seed: graceful emergency fallback requiring no prior user action — 00:39:04
- ·ZK proof lifts ECDSA to quantum-resistant by proving knowledge of seed — 00:42:28
- ·BIP-32/BIP-39: Multiple lifting opportunities from child key to master seed — 00:44:37
- ·MPC-in-the-Head proofs fit secure element memory constraints (2KB footprint) — 00:45:52
Action Items
- •Danno, Nico, frame transaction team — Integrate cryptographic agility principles with EIP-8141 frame transaction design — 00:57:10
- •Renaud, Stefano, Fabrizio — Collaborate on BIP-39 proof of seed implementation between ZKnox and NeverLocal teams — 00:49:22
Meeting chat119
- Parthasarathy Ramanujam
What are the key sizes and signatures sizes?
- Renaud-ZKNOX
Our slides: https://github.com/ZKNoxHQ/Communications/tree/main/pqts-breakout Running the demo: https://visionary-nougat-217eaa.netlify.app/
- Parthasarathy Ramanujam
Reacted to "Our slides: https://..." with 👍
- Antonio Sanso
Reacted to "Our slides: https://..." with 👍
- Mike
You are aiming for LVL1 security guarantees for Lattices. How confident are you with LVL one (128 classical), I heard comments that it is likely that the parameters will need adjustments in the future. Should not we have a security gap to account for attack improvements?
- Sergey Shemyakov | L2BEAT
How did you determine the precompile gas cost? And how does native implementations of Dilithium and Falcon compares with native ECDSA in terms of performance?
- frangio
does the on chain cost for precompiles include the calldata cost of signatures?
- Renaud-ZKNOX
A Pimlico key ot paste if you don't have one: pim_Y8VztkEto45P6yzNiEt5Tx Our very secret key if you are lazy: 0x0000000000000000000000000000000000000000000000000000000000000001 to paste both in prequantum and postquantum private keys (seed) (no need to connext extension once you have an ac ount).
- Parthasarathy Ramanujam
Is there a need to change the hashing algorithm (from keccak to poseidon2?) when we choose either of these signature schemes?
- Renaud-ZKNOX
precompile gas cost is a rule of thumb looking at CPU cycles (SUPERCOP) compared to ecdsa
- Sergey Shemyakov | L2BEAT
Reacted to "precompile gas cost ..." with 👍
- Antonio Sanso
Replying to "Is there a need to c..." This is something to discuss
- Parthasarathy Ramanujam
Reacted to "This is something to..." with 👍
- Benedikt Wagner
Replying to "Is there a need to c..." Assuming you are referring to the hash inside the signature scheme: If you modify it, it is a different scheme and no longer the standardized one. At the same time, you may gain some advantages wrt L1-zkEVMs or aggregation of these signatures (which we don’t do for ECDSA, but may be interesting for large PQ signatures)
- Benedikt Wagner
Reacted to "This is something to..." with 👍
- Renaud-ZKNOX
falcon propose this separation of hash directly in the precompile, we did a FALZKON in Cairo, replacing keccak by a more zk friendly function (blake2s has its AIR)
- Parthasarathy Ramanujam
Replying to "Is there a need to c..." Apologies, I was referring to the hashing to arrive at the account address corresponding to the new keys.
- Renaud-ZKNOX
We also specified a zk friendly version of DILITHIUM over M31
- Benedikt Wagner
Replying to "Is there a need to c..." Ah. That one seems mostly independent to me
- Antonio Sanso
Replying to "You are aiming for L..." Dilithium has already a specification that is official
- Danno Ferrin - Tectonic.xyz
Replying to "You are aiming for L..." Shoudn’t we wait for FN-DSA instead of integrating Falcon? It will be Keccak/Sha3 all over again.
- Simon - ZKNOX
We also instantiated a ZK version of Dilithium for BabyBear, KoalaBear.
- Mike
Replying to "You are aiming for L..." https://blog.cloudflare.com/pq-2025/#ml-kem-768-and-x25519 Discusses how they choose to use a higher level security (level 3) but aim is just to get 128 bits classical
- Renaud-ZKNOX
What will happen to the current 4337 ecosystem (bundlers, etc), still working the same ?
- Parthasarathy Ramanujam
Two questions: First, 8141, is still compatible with 7701, isn’t it? And second, Can you pls elaborate on the migration paths that is being considered? We have EOA, delegated EOA, 4337 smart accounts and several non 4337 smart accounts.
- David Nugent
Is there supposed to be slides? We can’t see them
- Antonio Sanso
Replying to "Is there supposed to..." No slide for this specific contribution
- David Nugent
Reacted to "No slide for this sp..." with 👍
- Renaud-ZKNOX
aggregation for CL ? or EL ?
- Antonio Sanso
Replying to "aggregation for CL ?..." EL
- Benedikt Wagner
Replying to "aggregation for CL ?..." I think this was referring to EL
- Antonio Sanso
Reacted to "I think this was ref..." with 👍
- Renaud-ZKNOX
A réagi à "I think this was r..." avec 👍
- Danno Ferrin - Tectonic.xyz
Replying to "How did you determin..." falcon is much faster for verificaiton, dilitium a little faster for verification Signing times are where the performance issues are
- Danno Ferrin - Tectonic.xyz
Replying to "How did you determin..." Sig/key size are the biggger impact
- Simon - ZKNOX
Replying to "does the on chain ..." No
- Danno Ferrin - Tectonic.xyz
Replying to "does the on chain co..." It can. There is the cost of memory expansion and the CALLDATA carrier cost that would be part of it too.
- Jay || Silence Laboratories
Is there link to these slides as well?
- Fab
Replying to "Is there link to the..." We'll provide it as soon as the presentation is over
- Jay || Silence Laboratories
Reacted to "We'll provide it as ..." with 🙌
- Antonio Sanso
Reacted to "We'll provide it as ..." with 🙌
- Renaud-ZKNOX
Would you use the proof of seed for migration, or as a signature scheme itself (use a PQ proving scheme and some nonce and binding with the message) ?
- Fab
Replying to "Would you use the pr..." The latter
- Fab
Replying to "Would you use the pr..." Migration requires user input and we believe many users will be laggards when it comes to this sort of stuff, unfortunately...
- Renaud-ZKNOX
Répondre à "Would you use the ..." Totally agree, consensus solving is hard in term of conception easy in term of migration. execution layer is the opposite. We have a working solution today, but convincing users and protocols will take years.
- Fab
Replying to "Would you use the pr..." Indeed!
- Benedikt Wagner
For the proof of seed and the variants you mentioned right now, does the verifier need to know which variant is used, i.e., which part in the chain was exposed and which was not?
- Renaud-ZKNOX
Répondre à "Would you use the ..." We need this red button as a parachute. We don't want to use it, but you of course prefer to be seated with a proper one just in case.
- Fab
Replying to "For the proof of see..." We need to settle on a specific circuit, so I'd say yes
- Fab
Replying to "Would you use the pr..." This is 100% our point. We're developing this stuff with the hope of never having to use it. Basically having wasted our time will be the best outcome lol
- Benedikt Wagner
Replying to "For the proof of see..." Ok, but it could be that different users exposed different intermediate keys, right? How do you know which one to pick?
- Gaudenzio NeverLocal
Reacted to "This is 100% our poi..." with 💯
- Gaudenzio NeverLocal
Reacted to "We need this red but..." with 👏
- Renaud-ZKNOX
If user use a proper BIP39 derivation, which is the case of most wallets and hardware, they are covered
- Fab
Replying to "For the proof of see..." This is a very important topic and I'd defer it to discussion time afterwards
- Antonio Sanso
Reacted to "If user use a proper..." with 👍
- Benedikt Wagner
Reacted to "This is a very impor..." with 👍
- Renaud-ZKNOX
That is also having this in mind we specified proper derivation path for the PQ keys. We are compatible with this solution.
- Renaud-ZKNOX
Would gladly sync here
- Ooia oo - OKX
Institutions typically don't use seed phrases for wallets storing the bulk of their funds though
- Mahdi Sedaghat | Soundness
Reacted to "Institutions typical..." with 👍
- Fab
Replying to "Institutions typical..." I hear you but institutions are also much more proactive, and will likely migrate as soon as they can
- Renaud-ZKNOX
Having partial solution is better than no solution. Sorry for them if they chose to deviate from standards
- Danno Ferrin - Tectonic.xyz
My slides on Cryptographic Agility: https://docs.google.com/presentation/d/1bP-4kwKojabAnv_FSmfbzIl0pQs_PP8YLBgjrwLKzw0/edit?usp=sharing
- Stefa
Reacted to "Having partial solut..." with 👍
- Renaud-ZKNOX
And institutions will be easier to convince than single users.
- Ooia oo - OKX
Reacted to Having partial solut... with "👍"
- Jayamine Alupotha
Reacted to "Having partial solut..." with 👍
- Renaud-ZKNOX
Because they will have experts to warn them internally.
- Ooia oo - OKX
Reacted to I hear you but insti... with "👍"
- Stefa
Replying to "That is also having ..." Yeah, I was very excited to see this mentioned on your slides! Let's set a meeting up to get things going.
- Mahdi Sedaghat | Soundness
Proof of seed works much better with EdDSA over RFC 8032. You can check the details here: https://fc26.ifca.ai/preproceedings/190.pdf
- Renaud-ZKNOX
Actually, if you use hardened path, the proof of seed described works fine
- Renaud-ZKNOX
Eddsa is better for non hardened.
- Stefa
Reacted to "This is a very impor..." with 👍
- Parthasarathy Ramanujam
Does proof of seed work with a compromised 7702 delegated account as well? Most of them have a sweeper in place atm.
- Renaud-ZKNOX
here is a description of how the proof of seed applies: https://github.com/ZKNoxHQ/PQBIP39
- Parthasarathy Ramanujam
Reacted to "here is a descriptio..." with 👍
- Renaud-ZKNOX
(quantum safe eoa migration part)
- Mahdi Sedaghat | Soundness
Replying to "Actually, if you use..." Actually, if you use hardened path, the proof of seed described works fine True but I am not sure if this has been the regime for a good range of accounts specially for the custodians and HSM-managed accounts.
- Renaud-ZKNOX
Our derived path and how it is managed in most wallet is compatible with the circuit
- Renaud-ZKNOX
Répondre à "Does proof of seed..." we need seed deactivation quick
- Renaud-ZKNOX
Répondre à "Does proof of seed..." i mean, eao deactivation
- Parthasarathy Ramanujam
Reacted to "i mean, eao deactiva..." with 👍
- Renaud-ZKNOX
Répondre à "Does proof of seed..." https://ethereum-magicians.org/t/eip-7851-deactivate-reactivate-a-delegated-eoas-key/22344
- Stefa
It's a really broad technique, it works with pretty much every key-derivation step which involves at least one cryptographic hashing step between master seed and master key. BIP-32 and ECDSA are an interesting special case, but they are very much a special case.
- Renaud-ZKNOX
A réagi à "It's a really broa..." avec 👍
- Benedikt Wagner
Reacted to "It's a really broad ..." with 👍
- Mahdi Sedaghat | Soundness
Reacted to "here is a descriptio..." with 👍
- Parthasarathy Ramanujam
But wouldn’t apps need to change their signature schemes to support this as well?
- Renaud-ZKNOX
no
- Renaud-ZKNOX
we prove it with the Aave integration, no change in the contract
- Renaud-ZKNOX
this is aave sepolia contract we interact with
- Fab
The beauty of AA!
- Parthasarathy Ramanujam
Aren’t there several apps that still rely on ecrecover. It took us a lot of work to convince them to support EIP1271
- Fab
If you mean "a smart contract with some on-chain custom cryptographic logic" tho, then you are right. But that's a compeltely different can of worms and I don't think we can do much about it anyway
- Stefa
No change necessary on user wallets other than installing the proof of seed app, that was a fixed point in our development process.
- Renaud-ZKNOX
yes, some Dapp still use msg.sender and need to be updated
- Stefa
As for apps, they would need AA support or delegation features, yes. Some of them don't, and those would need change.
- Nico Consigny
I will open a group Danno
- Renaud-ZKNOX
actually some needs to update, like safe
- Renaud-ZKNOX
- Fab
Indeed. But again, I wouldn't stress too much over this. The only apps becoming insecure in this case are the apps that are dead (team walked away). Actively maintained apps will probably migrate in time anyway.
- Fab
Again, it's not the devs that worry me...
- Stefa
Reacted to "Indeed. But again, I..." with 👍
- Stefa
Reacted to "Again, it's not the ..." with 👍
- Renaud-ZKNOX
Yeah, agreed, convincing users will be easier than big Dapps
- Parthasarathy Ramanujam
Reacted to "Indeed. But again, I..." with 👍
- Renaud-ZKNOX
i meant harder
- Fab
Reacted to "i meant harder" with 😄
- Fab
I was like "wait wat?" lol
- Parthasarathy Ramanujam
Convincing users to migrate is the most difficult. Both 4337 and 7702 have shown that
- Stefa
Reacted to "i meant harder" with 😄
- Stefa
Reacted to "I was like "wait wat..." with 😂
- Stefa
They don't need to do anything. I forgot to mention in the call: the 4337 accounts can be safely opened FOR the users by sponsors, and they deterministically derive from the EOA address.
- Danno Ferrin - Tectonic.xyz
We do need to worry about developers, wallets, and HW wallets, before we settle on a set of sigs. Their input is a concern we need to think about once we have a general path.
- Renaud-ZKNOX
Actually native AA, or disabling eoa in 7702 is required to have a clean deployment without front running
- Parthasarathy Ramanujam
Replying to "They don't need to d..." I cofounded an AA company that provides AA infra on several chains. We provide it for Ethereum Foundation as well. But our biggest challenge in the past 3 years is convincing users to migrate to an AA account. That is the reason for my question.
- Renaud-ZKNOX
bye thx antonio
Key decisions
Support multiple PQ signature schemes simultaneously; users choose based on requirements
Users will be able to choose between different PQ signature schemes based on their requirements.Account abstraction is the foundational layer for all PQ transaction work
Account abstraction will be the foundational layer for all PQ transaction work.

