Tasklist for post-quantum ETH

bip32 hdkey derivation

Probably just say “hardened keys only” because it’s not clear how to do non-hardened derivation as that depends on having a homomorphism. Something lattice-based eventually?

Transaction signing

User chooses what sig algo they want, using account abstraction. See EIP-7701: Native Account Abstraction with EOF for a reasonably simple way to do this.

Sender address recovery

Agree we should dump this and just include sender address in the tx. The AA standards (e.g. EIP-7701) already do this.

Address format

Grover reduces brute-force cost from 2^160 to 2^80, still extremely high esp if you take into account quantum computers realistically being much slower per computation step. So, not worried here.

Encrypted wallets

Agree it’s worth looking into.

KZG EIP-4844 verification

STARKed Merkelized erasure coded blobs.

EVM 0x20 opcode (KECCAK256)

I don’t think 256-bit hashes will be a problem, same reason as why addresses are ok.

EVM precompile for ECRECOVER
EVM precompiles for BN / BLS / KZG

Yeah we will phase ECDSA out entirely, so at some point just replace this with EVM code for backwards compatibility and dump the precompile.

ZK-rollups (non STARK)

Replace with STARKs, and consider adding in-protocol aggregation to make it more cost-friendly in the protocol.
