An update from our side. Since posting this we’ve shifted the core of the design away from rotating ECDSA and toward proper post-quantum signature schemes.
The architectural idea is the same: a stable ERC-4337 account address with per-transaction signer rotation. What rotates is now a hash-based keypair rather than a disposable ECDSA one. The primary motivation is the mempool exposure we flagged in the original write-up.
We presented the original design at EthCC and across the PQ call series, and feedback converged on the same point: the construction was elegant but the residual mempool window made it hard to recommend as a standalone defense. Hash-based one-time and few-time signatures remove that window entirely, at a gas cost that is not dramatically out of line with the overhead we measured for the ECDSA-rotation scheme.
What we experimented with, considering NIST Level 1 security:
- Winternitz one-time (WOTS+C) as the signature primitive. Onchain verifier available here. Signature size: 468 bytes in the current encoding; verify gas: ~73k (example tx on Sepolia).
- FORS+C as a few-time signature. Verifier available here. Signature size: 2448 bytes in the current encoding; verify gas: ~35k (example tx on Sepolia).
These values depend on parameters that can be tuned while maintaining NIST Level 1 security, trading off a larger signature for cheaper verification and vice-versa.
Signing cost (hash calls to build the keypair): ~830 for WOTS+C, ~2.4k for our standalone FORS+C, vs. ~35k for full SPHINCS. Fewer hashes also means faster signing, which matters a lot on devices that are slow at hashing such as hardware wallets, where signing time is dominated by hash throughput.
We’re currently treating FORS+C as the primary scheme. The deciding factor is the failure mode under key reuse, which causes WOTS+C to break catastrophically the moment two messages are signed under the same key. FORS+C degrades gracefully under bounded reuse, which we judged more important than WOTS+C’s advantage in signature size and verification cost, at least for certain use cases.
Testing FORS, WOTS, SPHINCS, and rotating ECDSA exposed how much signature size, signing time, gas overhead, and key reuse risk each shape the protocol in practice. The qualitative chart below maps each scheme across these four axes. A smaller area indicates better overall user experience.
The full spec is available on Github, alongside the reference implementation. Issues, PRs, and pushback all welcome.
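To make the key-reuse argument above concrete, here is an added illustration written for this page; it is not the authors' spec or reference implementation. It models plain WOTS with a Winternitz checksum (not the +C variant) and a FORS-style few-time scheme whose public key is a flat list of leaf hashes instead of Merkle roots, with toy parameters (8-byte digest, W=16, K=6 trees of T=16 leaves) chosen so the forgery search finishes in seconds. Seeds and messages are constructed for the demo. It shows three things: with a single WOTS signature the checksum blocks every dominating message, so one-time use is safe; after a second signature under the same key the attacker holds, for every chain, the value at the lower of the two digits and can sign any message whose digits all dominate; FORS reveals one secret leaf per tree per signature, so the fraction of forgeable messages grows roughly like (r/T)^K with the number r of reuses rather than jumping to 1.

```python
"""Toy WOTS / FORS key-reuse demo (added example, not the project's code)."""
import hashlib

# ---------- toy WOTS: W = 16, 8-byte digest -> 16 message digits + 2 checksum digits ----------
W, LOG_W, N_BYTES = 16, 4, 8
MSG_DIGITS = 2 * N_BYTES
CSUM_DIGITS = 2                      # max checksum 16 * 15 = 240 < 16**2
L = MSG_DIGITS + CSUM_DIGITS
SEED = b"demo-seed"                  # fixed so the run is reproducible (constructed)

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def chain(x, start, steps):
    """Walk the hash chain 'steps' positions forward, starting at position 'start'."""
    for i in range(start, start + steps):
        x = H(b"chain", bytes([i]), x)
    return x

def digits(msg):
    """Base-W digits of the message digest followed by the Winternitz checksum digits."""
    d = [int(c, 16) for c in H(b"msg", msg)[:N_BYTES].hex()]
    csum = sum(W - 1 - x for x in d)
    d += [(csum >> (LOG_W * i)) & (W - 1) for i in reversed(range(CSUM_DIGITS))]
    return d

def wots_keygen(seed):
    sk = [H(b"sk", seed, bytes([i])) for i in range(L)]
    pk = [chain(s, 0, W - 1) for s in sk]          # chain end points
    return sk, pk

def wots_sign(sk, msg):
    return [chain(sk[i], 0, d) for i, d in enumerate(digits(msg))]

def wots_verify(pk, msg, sig):
    return len(sig) == L and all(
        chain(s, d, W - 1 - d) == pk[i] for i, (s, d) in enumerate(zip(sig, digits(msg))))

def wots_forge_after_reuse(pk, signed, max_tries=2_000_000):
    """Attacker view.  For each chain keep the value at the lowest digit seen across the
    signatures; a message whose digits (checksum included) all dominate those lows can be
    signed by walking the chains forward.  Returns (msg, sig) or None.  With a single
    signature the checksum makes domination impossible, so this returns None."""
    views = [(digits(m), sig) for m, sig in signed]
    known = [min((dg[i], sig[i]) for dg, sig in views) for i in range(L)]  # (digit, value)
    seen = {m for m, _ in signed}
    for n in range(max_tries):
        msg = b"forged tx #%d" % n                  # constructed attacker messages
        if msg in seen:
            continue
        d = digits(msg)
        if all(d[i] >= known[i][0] for i in range(L)):
            return msg, [chain(s, kd, d[i] - kd) for i, (kd, s) in enumerate(known)]
    return None

# ---------- toy FORS: K trees of T = 16 leaves; one leaf per tree is revealed per signature ----------
K, T = 6, 16                          # T must stay 16: indices are hex digits of the digest

def fors_indices(msg):
    return [int(c, 16) for c in H(b"fors", msg).hex()[:K]]

def fors_keygen(seed):
    sk = [[H(b"leaf", seed, bytes([j, x])) for x in range(T)] for j in range(K)]
    pk = [[H(b"pub", leaf) for leaf in tree] for tree in sk]   # flat commitment, no auth paths
    return sk, pk

def fors_sign(sk, msg):
    return [sk[j][idx] for j, idx in enumerate(fors_indices(msg))]

def fors_verify(pk, msg, sig):
    return len(sig) == K and all(
        H(b"pub", leaf) == pk[j][idx] for j, (leaf, idx) in enumerate(zip(sig, fors_indices(msg))))

def fors_forgeable_fraction(signed, trials=20_000):
    """Attacker view after reuse: the revealed leaves per tree.  A fresh message is forgeable
    only if all K of its indices land on revealed leaves, so the rate is about (r/T)**K for
    r distinct reuses.  Estimated by sampling constructed probe messages."""
    revealed = [set() for _ in range(K)]
    for m, _ in signed:
        for j, idx in enumerate(fors_indices(m)):
            revealed[j].add(idx)
    hits = sum(all(idx in revealed[j] for j, idx in enumerate(fors_indices(b"probe %d" % n)))
               for n in range(trials))
    return hits / trials

if __name__ == "__main__":
    sk, pk = wots_keygen(SEED)
    m1, m2 = b"tx: send 1 ETH to alice", b"tx: send 2 ETH to bob"
    s1, s2 = wots_sign(sk, m1), wots_sign(sk, m2)
    print("WOTS, one signature, forgery found:", wots_forge_after_reuse(pk, [(m1, s1)], 100_000) is not None)
    fm, fs = wots_forge_after_reuse(pk, [(m1, s1), (m2, s2)])
    print("WOTS, two signatures, forged", fm, "verifies:", wots_verify(pk, fm, fs))
    fsk, fpk = fors_keygen(SEED)
    signed = [(m, fors_sign(fsk, m)) for m in (b"tx %d" % i for i in range(8))]
    for r in (1, 2, 4, 8):
        print("FORS forgeable fraction after", r, "signatures:", fors_forgeable_fraction(signed[:r]))
```

The WOTS half is the whole argument for "catastrophic": the attacker needs no hash preimages, only the two published signatures, and the forged message can be anything that hashes into the dominated region, which is a search of a few thousand candidates at these toy sizes and remains a search rather than a break at production sizes only because the dominated region shrinks. The FORS half is what "degrades gracefully" means: each extra reuse adds one revealed leaf per tree, so the forgeable fraction climbs smoothly and a bounded reuse budget can be set against a target security level.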
