Ephemeral ECDSA
The initial Ephemeral Keys design achieved a practical form of quantum safety without replacing ECDSA: it made ECDSA keys disposable. Each key signs exactly once and is rotated out before it can become a liability, while the smart-account address stays constant. This is described in the ethresear.ch writeup by Vicari and Baiocchi.
The idea
On Ethereum, an address that has never transacted is quantum-safe: its public key is hidden behind a hash. The moment it signs, the public key is exposed onchain, and Shor's algorithm can recover the private key. The ephemeral-ECDSA design uses account abstraction to authorize one ECDSA signer at a time and rotate it every transaction, so a key that has been used once is immediately retired.
The account stored addr(pk_i). Validation:
- Recover the signer from the UserOp signature via ecrecover; compare to the stored addr(pk_i). ECDSA mode signs toEthSignedMessageHash(userOpHash), matching OpenZeppelin ECDSA.recover.
- On match, return SIG_VALIDATION_SUCCESS.
- Rotate atomically: overwrite the stored value with addr(pk_{i+1}), supplied in the UserOp calldata.
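The validation and rotation steps above, as an added Solidity sketch (not the project's contract). The contract name, the validateAndRotate function, and the execute(dest, value, data, nextSigner) calldata layout are assumptions made for illustration; in a real account this logic would sit inside validateUserOp.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the project's contract. Assumptions: the UserOp callData is
// execute(address dest, uint256 value, bytes data, address nextSigner) (hypothetical
// layout), and the signature is the 65-byte r || s || v encoding.
contract EphemeralSignerSketch {
    uint256 internal constant SIG_VALIDATION_SUCCESS = 0;
    uint256 internal constant SIG_VALIDATION_FAILED = 1;
    // secp256k1 group order divided by 2: reject malleable high-s signatures.
    uint256 internal constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable entryPoint;
    address public currentSigner; // addr(pk_i)

    constructor(address entryPoint_, address firstSigner) {
        entryPoint = entryPoint_;
        currentSigner = firstSigner;
    }

    function validateAndRotate(bytes32 userOpHash, bytes calldata signature, bytes calldata callData)
        external returns (uint256)
    {
        // Only the EntryPoint may trigger rotation; otherwise anyone replaying a
        // pending signature could rotate the signer ahead of the real UserOp.
        require(msg.sender == entryPoint, "only EntryPoint");
        if (signature.length != 65 || callData.length < 4) return SIG_VALIDATION_FAILED;

        bytes32 r = bytes32(signature[0:32]);
        bytes32 s = bytes32(signature[32:64]);
        uint8 v = uint8(signature[64]);
        if (uint256(s) > HALF_N) return SIG_VALIDATION_FAILED;

        // EIP-191 prefix, i.e. toEthSignedMessageHash(userOpHash).
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash)
        );
        address recovered = ecrecover(digest, v, r, s);
        if (recovered == address(0) || recovered != currentSigner) return SIG_VALIDATION_FAILED;

        // callData is covered by userOpHash, so nextSigner is authenticated by pk_i.
        (, , , address nextSigner) =
            abi.decode(callData[4:], (address, uint256, bytes, address));
        if (nextSigner == address(0) || nextSigner == currentSigner) return SIG_VALIDATION_FAILED;

        currentSigner = nextSigner; // addr(pk_{i+1}); pk_i is retired from here on
        return SIG_VALIDATION_SUCCESS;
    }
}
```

Because the rotation is written during validation, it persists even if the execution phase of the same UserOp reverts, so a key whose signature has been published is retired either way.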
Why it was superseded
Security relied on the rotation race (retiring each key before an adversary could recover it), which leaves a residual vulnerability:
- Mempool window. Between broadcast and inclusion, the current signer's public key is visible. A sufficiently fast quantum adversary could recover the private key and front-run the user. The intended mitigation was private-mempool relays (e.g. Flashbots Protect); on most L2s bundlers already use private mempools, restricting the trust assumption to the mempool owner.
- Reuse collapses the guarantee. Reusing a key isn't catastrophic against a classical adversary, but the protocol's quantum-safety guarantee simply collapses to ordinary ECDSA semantics.
Both WOTS+C and FORS+C eliminate the mempool window entirely: an observed hash-based signature reveals nothing a quantum adversary can invert. FORS+C is the current primary because it adds graceful reuse degradation on top.
Cost
ECDSA verification is ecrecover (~3k gas), the cheapest of all three schemes. Benchmarks showed roughly 136k gas for an ERC-20 transfer with rotation on Base Sepolia, under 100k gas of overhead versus a plain transfer. Cheapness is the one dimension where this scheme still wins; it is otherwise dominated by FORS+C on security.