
Ephemeral ECDSA Rotation

Quantum safety with current signature scheme

The NiceTry baseline design achieves a practical form of quantum safety without replacing ECDSA or changing any Ethereum protocol rules. Instead of switching to a post-quantum signature scheme, it makes ECDSA keys disposable: each key is used exactly once, and rotated out before it can become a liability.

This design is described in full in the ethresear.ch post by Vicari and Baiocchi.

The Quantum Threat to ECDSA

On Ethereum, an EOA that has never transacted is quantum-safe: its public key is hidden behind a hash, giving a quantum adversary nothing to work with. The moment an address signs a transaction, however, the public key is permanently exposed on-chain. Shor's algorithm can recover the private key from a known public key, so any address that has ever sent a transaction is compromised once a sufficiently capable quantum computer exists.

The standard response to this is to replace ECDSA with a post-quantum signature scheme. That is the right long-term answer, but it requires protocol changes, new standards, hardware wallet support, and on-chain verification infrastructure that does not yet exist at acceptable cost. The ephemeral rotation approach is complementary: it eliminates long-term public key exposure using only current infrastructure.

Core Idea

We employ account abstraction to create a smart account that authorises a single ECDSA signer at a time. Each transaction rotates that signer: the new address is committed within the same operation that executes the user's intent. After execution, the old private key is useless: even if a quantum adversary recovers it, it is no longer authorised to sign anything.

Because the smart account address is constant, the rest of the ecosystem (DeFi protocols, other contracts, front-ends) sees a stable identity. Only the underlying signer changes, and it changes with every transaction.

How It Works

Prepare

User generates a fresh ECDSA key pair for the next rotation. The next signer address can be derived from the current seed using a BIP44 derivation path, so no manual key management is required.

Sign

User signs the UserOperation with the current private key. The calldata includes the address of the next signer.

Execute

The ERC-4337 bundler submits the UserOperation. The smart account validates the signature against the current signer, then executes the intended transaction.

Rotate

Immediately post-execution, the smart account updates its authorised signer to the new address. The previous private key is discarded.

A critical implementation detail: rotation must happen even if the inner transaction reverts. If a failed UserOperation left the current key exposed without rotating, that key would remain the active signer despite its public key being visible. The NiceTry implementation handles this by separating the rotation step from the execution step — the signer update is always finalised regardless of whether the user's calldata succeeded.
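The Sign, Execute and Rotate steps above as an added Solidity sketch, not NiceTry's own code: the EntryPoint interface is reduced to a hypothetical validateUserOp(userOpHash, signature) (the real ERC-4337 call also passes the full UserOperation and a prefund amount), and the next signer is committed before the user's call is made with a non-reverting low-level call, so rotation survives an inner revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative account with one disposable ECDSA signer (assumed interfaces,
/// not the NiceTry contracts): every operation retires the key that signed it.
contract EphemeralSignerAccount {
    uint256 private constant SIG_VALIDATION_FAILED = 1;

    address public immutable entryPoint;
    address public currentSigner; // the only key authorised right now

    event SignerRotated(address indexed retired, address indexed next);
    event Executed(address indexed target, bool success);

    constructor(address entryPoint_, address initialSigner) {
        entryPoint = entryPoint_;
        currentSigner = initialSigner;
    }

    modifier onlyEntryPoint() {
        require(msg.sender == entryPoint, "caller is not EntryPoint");
        _;
    }

    /// Validation phase: was the UserOperation signed by the current signer?
    /// Returns 0 on success, SIG_VALIDATION_FAILED otherwise (ERC-4337 convention).
    function validateUserOp(bytes32 userOpHash, bytes calldata signature)
        external view onlyEntryPoint returns (uint256)
    {
        if (signature.length != 65) return SIG_VALIDATION_FAILED;
        bytes32 r = bytes32(signature[0:32]);
        bytes32 s = bytes32(signature[32:64]);
        uint8 v = uint8(signature[64]);
        // EIP-191 prefix: the wallet signs userOpHash as a personal message.
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", userOpHash));
        address recovered = ecrecover(digest, v, r, s);
        // ecrecover yields address(0) on malformed input; currentSigner is never 0.
        return recovered == currentSigner ? 0 : SIG_VALIDATION_FAILED;
    }

    /// Execute + Rotate: the new signer is written BEFORE the user's call, and the
    /// call's failure is returned rather than bubbled up, so a reverting inner
    /// transaction cannot roll the rotation back and leave the exposed key active.
    function executeAndRotate(address target, uint256 value, bytes calldata data, address nextSigner)
        external onlyEntryPoint
    {
        require(nextSigner != address(0) && nextSigner != currentSigner, "invalid next signer");
        address retired = currentSigner;
        currentSigner = nextSigner;
        emit SignerRotated(retired, nextSigner);
        (bool ok, ) = target.call{value: value}(data);
        emit Executed(target, ok);
    }

    receive() external payable {}
}
```

The bundler-facing calldata of each UserOperation targets executeAndRotate, so the next signer address rides in the same operation that carries the user's intent, as the page describes.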

Gas Overhead

The scheme adds minimal overhead relative to a standard ERC-4337 transaction. Benchmarks on Base Sepolia show approximately 136k gas for an ERC-20 transfer with rotation, representing an overhead of under 100k gas compared to the equivalent transfer without account abstraction. This is already significantly lower than on-chain post-quantum signature verification, which runs above 1M gas for Falcon and around 200k gas for hash-based schemes.

Additionally, if the rotation is layered on top of an existing account abstraction wallet, the incremental cost of the rotation itself is close to negligible.

Mempool Exposure

The design has one known vulnerability: during the mempool waiting period, the current signer's public key is visible. A quantum adversary with sufficient speed could, in principle, recover the private key and submit a conflicting transaction before the original is included.

In practice this window is very short, and a capable quantum computer does not yet exist. If one wants to further mitigate this risk, the following options are available:

  • Private mempools (e.g. Flashbots Protect) route transactions directly to block builders without public mempool exposure, eliminating the attack surface entirely.
  • L2s reduce the mempool window to the point where the exposure period is extremely short even without private infrastructure.

Limitations

The ephemeral rotation design does not provide unconditional quantum safety: it eliminates long-term public key exposure, but ECDSA itself remains breakable by a quantum computer. The guarantee is that a key that has been used once is immediately retired, so a quantum adversary can only ever target a key during its brief window of exposure.

This is a meaningful security improvement over standard ECDSA usage, but it is not equivalent to using a hash-based or lattice-based post-quantum scheme. It is best understood as a near-term mitigation that buys time until post-quantum signature verification on Ethereum becomes practical at acceptable cost.

For a design that replaces ECDSA signing with a more expensive, but quantum-safe, primitive entirely, see the WOTS+C alternative.