EIPsInsight

Loading Experience

Preparing your insights...

Loading0%
PQTS2026-02-04_001

PQ Transaction Signatures #001

2026-02-04 2 decisions 435 transcript lines

Transcript

Ask about this call

Answered from this call's summary and transcript only.

AI-generated — verify against the recording.

Call summary

Targets
  • EthCC - Full proof of seed demonstrator with concrete implementation — 00:47:18
  • February 18, 2026 - Next PQTS breakout call covering multi-sig and aggregation — 01:04:21
Decisions
  • Support multiple PQ signature schemes simultaneously; users choose based on requirements — 01:00:58
  • Account abstraction is the foundational layer for all PQ transaction work — 00:46:26
Highlights
  • Organizational:
    • ·Breakout room scope: execution layer only (transactions); other layers separate efforts — 00:15:03
    • ·Next call in 2 weeks: multi-signatures, aggregatable signatures, additional topics — 01:04:21
  • Post Quantum Context:
    • ·Four Ethereum components rely on elliptic curves: execution, consensus, DAS, state — 00:09:07
    • ·NIST standardization took 2016-2022; implementation still ongoing since 2017 — 00:12:08
    • ·NIST winners: ML-DSA, Falcon (lattice-based), Sphincs+ (hash-based) for signatures — 00:13:18
    • ·Quantum computing acceleration in 2024 from Google, Microsoft requires action now — 00:14:30
  • Precompile Proposals:
    • ·EIP-8051: ML-DSA precompile, NIST-compliant and Keccak variant, 8M gas target — 00:17:04
    • ·EIP-8052: Falcon precompile, 1.6M gas using Keccak, smaller signatures than ML-DSA — 00:24:07
    • ·ML-DSA standardized (FIPS 204); Falcon standardization still in progress — 00:20:42
    • ·ML-DSA easier to implement, works on hardware wallets; Falcon RAM-intensive — 00:22:50
  • Cryptographic Agility:
    • ·Crypto agility: add/remove algorithms without major protocol changes — 00:49:22
    • ·Current transactions not crypto-agile: V,R,S values encode specific ECDSA algorithm — 00:51:03
    • ·Agile design: separate signature from transaction payload, easily swap algorithms — 00:52:20
    • ·Support multiple PQ schemes simultaneously; add/remove independently over time — 00:56:19
  • Account Abstraction Integration:
    • ·Demo: ML-DSA transactions working today via 4337 at ~$2 cost on L1 — 00:26:53
    • ·4337 deployment vulnerable to front-running; native AA needed for full security — 00:28:54
    • ·EIP-8141: Frame transactions enable native AA with flexible signature validation — 00:31:41
    • ·Frame transactions: verification frame (no gas), execution frame (gas charged) — 00:36:19
  • Proof Of Seed Emergency Mitigation:
    • ·Proof of seed: graceful emergency fallback requiring no prior user action — 00:39:04
    • ·ZK proof lifts ECDSA to quantum-resistant by proving knowledge of seed — 00:42:28
    • ·BIP-32/BIP-39: Multiple lifting opportunities from child key to master seed — 00:44:37
    • ·MPC-in-the-Head proofs fit secure element memory constraints (2KB footprint) — 00:45:52
Action Items
  • Danno, Nico, frame transaction team — Integrate cryptographic agility principles with EIP-8141 frame transaction design — 00:57:10
  • Renaud, Stefano, Fabrizio — Collaborate on BIP-39 proof of seed implementation between ZKnox and NeverLocal teams — 00:49:22

Meeting chat119

  • Parthasarathy Ramanujam

    What are the key sizes and signatures sizes?

  • Renaud-ZKNOX

    Our slides: https://github.com/ZKNoxHQ/Communications/tree/main/pqts-breakout Running the demo: https://visionary-nougat-217eaa.netlify.app/

  • Parthasarathy Ramanujam

    Reacted to "Our slides: https://..." with 👍

  • Antonio Sanso

    Reacted to "Our slides: https://..." with 👍

  • Mike

    You are aiming for LVL1 security guarantees for Lattices. How confident are you with LVL one (128 classical), I heard comments that it is likely that the parameters will need adjustments in the future. Should not we have a security gap to account for attack improvements?

  • Sergey Shemyakov | L2BEAT

    How did you determine the precompile gas cost? And how does native implementations of Dilithium and Falcon compares with native ECDSA in terms of performance?

  • frangio

    does the on chain cost for precompiles include the calldata cost of signatures?

  • Renaud-ZKNOX

    A Pimlico key ot paste if you don't have one: pim_Y8VztkEto45P6yzNiEt5Tx Our very secret key if you are lazy: 0x0000000000000000000000000000000000000000000000000000000000000001 to paste both in prequantum and postquantum private keys (seed) (no need to connext extension once you have an ac ount).

  • Parthasarathy Ramanujam

    Is there a need to change the hashing algorithm (from keccak to poseidon2?) when we choose either of these signature schemes?

  • Renaud-ZKNOX

    precompile gas cost is a rule of thumb looking at CPU cycles (SUPERCOP) compared to ecdsa

  • Sergey Shemyakov | L2BEAT

    Reacted to "precompile gas cost ..." with 👍

  • Antonio Sanso

    Replying to "Is there a need to c..." This is something to discuss

  • Parthasarathy Ramanujam

    Reacted to "This is something to..." with 👍

  • Benedikt Wagner

    Replying to "Is there a need to c..." Assuming you are referring to the hash inside the signature scheme: If you modify it, it is a different scheme and no longer the standardized one. At the same time, you may gain some advantages wrt L1-zkEVMs or aggregation of these signatures (which we don’t do for ECDSA, but may be interesting for large PQ signatures)

  • Benedikt Wagner

    Reacted to "This is something to..." with 👍

  • Renaud-ZKNOX

    falcon propose this separation of hash directly in the precompile, we did a FALZKON in Cairo, replacing keccak by a more zk friendly function (blake2s has its AIR)

  • Parthasarathy Ramanujam

    Replying to "Is there a need to c..." Apologies, I was referring to the hashing to arrive at the account address corresponding to the new keys.

  • Renaud-ZKNOX

    We also specified a zk friendly version of DILITHIUM over M31

  • Benedikt Wagner

    Replying to "Is there a need to c..." Ah. That one seems mostly independent to me

  • Antonio Sanso

    Replying to "You are aiming for L..." Dilithium has already a specification that is official

  • Danno Ferrin - Tectonic.xyz

    Replying to "You are aiming for L..." Shoudn’t we wait for FN-DSA instead of integrating Falcon? It will be Keccak/Sha3 all over again.

  • Simon - ZKNOX

    We also instantiated a ZK version of Dilithium for BabyBear, KoalaBear.

  • Mike

    Replying to "You are aiming for L..." https://blog.cloudflare.com/pq-2025/#ml-kem-768-and-x25519 Discusses how they choose to use a higher level security (level 3) but aim is just to get 128 bits classical

  • Renaud-ZKNOX

    What will happen to the current 4337 ecosystem (bundlers, etc), still working the same ?

  • Parthasarathy Ramanujam

    Two questions: First, 8141, is still compatible with 7701, isn’t it? And second, Can you pls elaborate on the migration paths that is being considered? We have EOA, delegated EOA, 4337 smart accounts and several non 4337 smart accounts.

  • David Nugent

    Is there supposed to be slides? We can’t see them

  • Antonio Sanso

    Replying to "Is there supposed to..." No slide for this specific contribution

  • David Nugent

    Reacted to "No slide for this sp..." with 👍

  • Renaud-ZKNOX

    aggregation for CL ? or EL ?

  • Antonio Sanso

    Replying to "aggregation for CL ?..." EL

  • Benedikt Wagner

    Replying to "aggregation for CL ?..." I think this was referring to EL

  • Antonio Sanso

    Reacted to "I think this was ref..." with 👍

  • Renaud-ZKNOX

    A réagi à "I think this was r..." avec 👍

  • Danno Ferrin - Tectonic.xyz

    Replying to "How did you determin..." falcon is much faster for verificaiton, dilitium a little faster for verification Signing times are where the performance issues are

  • Danno Ferrin - Tectonic.xyz

    Replying to "How did you determin..." Sig/key size are the biggger impact

  • Simon - ZKNOX

    Replying to "does the on chain ..." No

  • Danno Ferrin - Tectonic.xyz

    Replying to "does the on chain co..." It can. There is the cost of memory expansion and the CALLDATA carrier cost that would be part of it too.

  • Jay || Silence Laboratories

    Is there link to these slides as well?

  • Fab

    Replying to "Is there link to the..." We'll provide it as soon as the presentation is over

  • Jay || Silence Laboratories

    Reacted to "We'll provide it as ..." with 🙌

  • Antonio Sanso

    Reacted to "We'll provide it as ..." with 🙌

  • Renaud-ZKNOX

    Would you use the proof of seed for migration, or as a signature scheme itself (use a PQ proving scheme and some nonce and binding with the message) ?

  • Fab

    Replying to "Would you use the pr..." The latter

  • Fab

    Replying to "Would you use the pr..." Migration requires user input and we believe many users will be laggards when it comes to this sort of stuff, unfortunately...

  • Renaud-ZKNOX

    Répondre à "Would you use the ..." Totally agree, consensus solving is hard in term of conception easy in term of migration. execution layer is the opposite. We have a working solution today, but convincing users and protocols will take years.

  • Fab

    Replying to "Would you use the pr..." Indeed!

  • Benedikt Wagner

    For the proof of seed and the variants you mentioned right now, does the verifier need to know which variant is used, i.e., which part in the chain was exposed and which was not?

  • Renaud-ZKNOX

    Répondre à "Would you use the ..." We need this red button as a parachute. We don't want to use it, but you of course prefer to be seated with a proper one just in case.

  • Fab

    Replying to "For the proof of see..." We need to settle on a specific circuit, so I'd say yes

  • Fab

    Replying to "Would you use the pr..." This is 100% our point. We're developing this stuff with the hope of never having to use it. Basically having wasted our time will be the best outcome lol

  • Benedikt Wagner

    Replying to "For the proof of see..." Ok, but it could be that different users exposed different intermediate keys, right? How do you know which one to pick?

  • Gaudenzio NeverLocal

    Reacted to "This is 100% our poi..." with 💯

  • Gaudenzio NeverLocal

    Reacted to "We need this red but..." with 👏

  • Renaud-ZKNOX

    If user use a proper BIP39 derivation, which is the case of most wallets and hardware, they are covered

  • Fab

    Replying to "For the proof of see..." This is a very important topic and I'd defer it to discussion time afterwards

  • Antonio Sanso

    Reacted to "If user use a proper..." with 👍

  • Benedikt Wagner

    Reacted to "This is a very impor..." with 👍

  • Renaud-ZKNOX

    That is also having this in mind we specified proper derivation path for the PQ keys. We are compatible with this solution.

  • Renaud-ZKNOX

    Would gladly sync here

  • Ooia oo - OKX

    Institutions typically don't use seed phrases for wallets storing the bulk of their funds though

  • Mahdi Sedaghat | Soundness

    Reacted to "Institutions typical..." with 👍

  • Fab

    Replying to "Institutions typical..." I hear you but institutions are also much more proactive, and will likely migrate as soon as they can

  • Renaud-ZKNOX

    Having partial solution is better than no solution. Sorry for them if they chose to deviate from standards

  • Danno Ferrin - Tectonic.xyz

    My slides on Cryptographic Agility: https://docs.google.com/presentation/d/1bP-4kwKojabAnv_FSmfbzIl0pQs_PP8YLBgjrwLKzw0/edit?usp=sharing

  • Stefa

    Reacted to "Having partial solut..." with 👍

  • Renaud-ZKNOX

    And institutions will be easier to convince than single users.

  • Ooia oo - OKX

    Reacted to Having partial solut... with "👍"

  • Jayamine Alupotha

    Reacted to "Having partial solut..." with 👍

  • Renaud-ZKNOX

    Because they will have experts to warn them internally.

  • Ooia oo - OKX

    Reacted to I hear you but insti... with "👍"

  • Stefa

    Replying to "That is also having ..." Yeah, I was very excited to see this mentioned on your slides! Let's set a meeting up to get things going.

  • Mahdi Sedaghat | Soundness

    Proof of seed works much better with EdDSA over RFC 8032. You can check the details here: https://fc26.ifca.ai/preproceedings/190.pdf

  • Renaud-ZKNOX

    Actually, if you use hardened path, the proof of seed described works fine

  • Renaud-ZKNOX

    Eddsa is better for non hardened.

  • Stefa

    Reacted to "This is a very impor..." with 👍

  • Parthasarathy Ramanujam

    Does proof of seed work with a compromised 7702 delegated account as well? Most of them have a sweeper in place atm.

  • Renaud-ZKNOX

    here is a description of how the proof of seed applies: https://github.com/ZKNoxHQ/PQBIP39

  • Parthasarathy Ramanujam

    Reacted to "here is a descriptio..." with 👍

  • Renaud-ZKNOX

    (quantum safe eoa migration part)

  • Mahdi Sedaghat | Soundness

    Replying to "Actually, if you use..." Actually, if you use hardened path, the proof of seed described works fine True but I am not sure if this has been the regime for a good range of accounts specially for the custodians and HSM-managed accounts.

  • Renaud-ZKNOX

    Our derived path and how it is managed in most wallet is compatible with the circuit

  • Renaud-ZKNOX

    Répondre à "Does proof of seed..." we need seed deactivation quick

  • Renaud-ZKNOX

    Répondre à "Does proof of seed..." i mean, eao deactivation

  • Parthasarathy Ramanujam

    Reacted to "i mean, eao deactiva..." with 👍

  • Renaud-ZKNOX

    Répondre à "Does proof of seed..." https://ethereum-magicians.org/t/eip-7851-deactivate-reactivate-a-delegated-eoas-key/22344

  • Stefa

    It's a really broad technique, it works with pretty much every key-derivation step which involves at least one cryptographic hashing step between master seed and master key. BIP-32 and ECDSA are an interesting special case, but they are very much a special case.

  • Renaud-ZKNOX

    A réagi à "It's a really broa..." avec 👍

  • Benedikt Wagner

    Reacted to "It's a really broad ..." with 👍

  • Mahdi Sedaghat | Soundness

    Reacted to "here is a descriptio..." with 👍

  • Parthasarathy Ramanujam

    But wouldn’t apps need to change their signature schemes to support this as well?

  • Renaud-ZKNOX

    no

  • Renaud-ZKNOX

    we prove it with the Aave integration, no change in the contract

  • Renaud-ZKNOX

    this is aave sepolia contract we interact with

  • Fab

    The beauty of AA!

  • Parthasarathy Ramanujam

    Aren’t there several apps that still rely on ecrecover. It took us a lot of work to convince them to support EIP1271

  • Fab

    If you mean "a smart contract with some on-chain custom cryptographic logic" tho, then you are right. But that's a compeltely different can of worms and I don't think we can do much about it anyway

  • Stefa

    No change necessary on user wallets other than installing the proof of seed app, that was a fixed point in our development process.

  • Renaud-ZKNOX

    yes, some Dapp still use msg.sender and need to be updated

  • Stefa

    As for apps, they would need AA support or delegation features, yes. Some of them don't, and those would need change.

  • Nico Consigny

    I will open a group Danno

  • Renaud-ZKNOX

    actually some needs to update, like safe

  • Renaud-ZKNOX

    https://pqbeat.xyz/protocols/

  • Fab

    Indeed. But again, I wouldn't stress too much over this. The only apps becoming insecure in this case are the apps that are dead (team walked away). Actively maintained apps will probably migrate in time anyway.

  • Fab

    Again, it's not the devs that worry me...

  • Stefa

    Reacted to "Indeed. But again, I..." with 👍

  • Stefa

    Reacted to "Again, it's not the ..." with 👍

  • Renaud-ZKNOX

    Yeah, agreed, convincing users will be easier than big Dapps

  • Parthasarathy Ramanujam

    Reacted to "Indeed. But again, I..." with 👍

  • Renaud-ZKNOX

    i meant harder

  • Fab

    Reacted to "i meant harder" with 😄

  • Fab

    I was like "wait wat?" lol

  • Parthasarathy Ramanujam

    Convincing users to migrate is the most difficult. Both 4337 and 7702 have shown that

  • Stefa

    Reacted to "i meant harder" with 😄

  • Stefa

    Reacted to "I was like "wait wat..." with 😂

  • Stefa

    They don't need to do anything. I forgot to mention in the call: the 4337 accounts can be safely opened FOR the users by sponsors, and they deterministically derive from the EOA address.

  • Danno Ferrin - Tectonic.xyz

    We do need to worry about developers, wallets, and HW wallets, before we settle on a set of sigs. Their input is a concern we need to think about once we have a general path.

  • Renaud-ZKNOX

    Actually native AA, or disabling eoa in 7702 is required to have a clean deployment without front running

  • Parthasarathy Ramanujam

    Replying to "They don't need to d..." I cofounded an AA company that provides AA infra on several chains. We provide it for Ethereum Foundation as well. But our biggest challenge in the past 3 years is convincing users to migrate to an AA account. That is the reason for my question.

  • Renaud-ZKNOX

    bye thx antonio

Key decisions

  • Support multiple PQ signature schemes simultaneously; users choose based on requirements

    Users will be able to choose between different PQ signature schemes based on their requirements.
  • Account abstraction is the foundational layer for all PQ transaction work

    Account abstraction will be the foundational layer for all PQ transaction work.