Learn how a quantum safe wallet design uses ephemeral keys and account abstraction to rotate ECDSA signers, reducing key exposure.

How a quantum safe wallet design can protect Ethereum users with ephemeral keys and account abstraction

2026/03/04 19:20

Researchers propose a new quantum safe wallet architecture that reuses today’s Ethereum tools to mitigate future quantum attacks without touching consensus or signature primitives.

Quantum risk to Ethereum wallets and ECDSA

The threat posed by quantum computing to elliptic curve cryptography is becoming more concrete, even though a cryptographically relevant machine does not yet exist. However, Shor’s algorithm already shows how efficiently such a machine could solve the discrete logarithm problem and therefore break ECDSA.

The Ethereum Foundation has launched dedicated post-quantum research initiatives, and a broader PQ roadmap has been sketched out. Moreover, developers across the ecosystem are exploring alternatives that could harden Ethereum before large-scale quantum hardware arrives.

On Ethereum, an externally owned account (EOA) that has never sent a transaction is effectively quantum-resistant, because its public key is hidden behind a hash. That said, once the EOA signs a transaction, the public key becomes permanently exposed onchain, and that address is effectively burned from a quantum-resistance perspective.

Limitations of current post-quantum signature efforts

Several projects aim to bring post-quantum signature schemes to the EVM, with Falcon and Poqeth standing out as prominent examples. These solutions are essential for long-term security. However, onchain verification remains expensive, costing upwards of 1M gas per Falcon verification, while hash-based signatures currently sit around 200k gas.

These costs could drop if proposals such as EIP-8051 and EIP-8052 are added to the EVM in the future. Moreover, gas efficiency is not the only barrier: standardization, integration with hardware wallets, and battle-tested resistance to classical cryptographic attacks remain challenging hurdles for any new ETH signing standard.

Even if a robust post-quantum signature were technically ready, standardization would still take time, and fully replacing ECDSA would demand protocol-level changes. Instead of discarding ECDSA outright, the design described here makes each ECDSA key disposable, using it exactly once.

Designing quantum safety through ephemeral key pairs

The core concept leverages account abstraction to separate the user’s persistent identity from the signing key. The smart contract wallet maintains a static onchain identity while the authorized signer address rotates after every transaction, effectively creating ephemeral key pairs.

This design does not stop a quantum computer from recovering the private key linked to a past transaction. However, it ensures that any recovered key is useless for future operations, since the smart contract wallet will already have moved on to a new signer.

The basic workflow is straightforward and fits naturally into smart contract wallet logic. Moreover, it uses only today’s infrastructure and does not require any changes to Ethereum’s underlying protocol rules.

Transaction flow and ECDSA key rotation

The proposed scheme follows four clear steps for every transaction:

  • The user appends a new address to the calldata of their userOp.
  • The smart contract wallet validates the userOp and checks the current signer.
  • The userOp is executed as usual, for example performing a token transfer.
  • Finally, the smart contract wallet updates its authorized signer to the new address.

After execution, the old private key, even if recovered, cannot sign anything meaningful for that wallet again. Only the new address is stored in the smart contract wallet, revealing only a hash-derived value and keeping the new key quantum-resistant until the next transaction.

In practice, user experience can be improved by generating the sequence of new addresses using a BIP44 derivation path. This method is already standard in widely used wallets, so it keeps implementation overhead low while enabling automatic ECDSA key rotation under the hood.

Practical implementation on Ethereum

This architecture can be implemented by applying minor changes to a base SimpleWallet design. All that is required is logic to parse the next signer address from calldata and a function that updates the owner of the smart contract wallet accordingly.

A proof-of-concept implementation already exists and demonstrates that signer rotation can be finalized even when the userOp reverts. This addresses a key issue: if rotation only occurred on success, a reverted transaction would still expose the current signer and leave the wallet vulnerable.
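One way to implement the rotation described above, as an added example rather than the proof-of-concept's own code: a minimal ERC-4337 v0.6-style account that reads the next signer from the last 20 bytes of the userOp calldata. Assumptions: the contract and event names are hypothetical, the struct follows the v0.6 UserOperation layout, and the signer is rotated inside validateUserOp (the page does not say how the proof-of-concept does it) because state written during validation is kept when the execution call reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration (not the proof-of-concept's code): minimal ERC-4337 v0.6-style account.
struct UserOperation {
    address sender; uint256 nonce; bytes initCode; bytes callData;
    uint256 callGasLimit; uint256 verificationGasLimit; uint256 preVerificationGas;
    uint256 maxFeePerGas; uint256 maxPriorityFeePerGas;
    bytes paymasterAndData; bytes signature;
}

contract RotatingSignerAccount { // hypothetical name
    address public immutable entryPoint;
    address public signer; // only an address (hash of the public key) is stored
    event SignerRotated(address indexed previous, address indexed next);
    constructor(address entryPoint_, address firstSigner) {
        entryPoint = entryPoint_;
        signer = firstSigner;
    }

    function validateUserOp(UserOperation calldata op, bytes32 opHash, uint256 missingFunds)
        external returns (uint256) {
        require(msg.sender == entryPoint, "not EntryPoint");
        bytes calldata sig = op.signature;
        if (sig.length != 65 || op.callData.length < 24) return 1; // SIG_VALIDATION_FAILED
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", opHash));
        address who = ecrecover(digest, uint8(sig[64]), bytes32(sig[:32]), bytes32(sig[32:64]));
        if (who == address(0) || who != signer) return 1;
        // opHash commits to callData, so the appended next signer is covered by the signature.
        address next = address(bytes20(op.callData[op.callData.length - 20:]));
        if (next == address(0) || next == signer) return 1; // refuse to keep an exposed key
        emit SignerRotated(signer, next);
        signer = next; // written during validation, so it persists if execute() reverts
        if (missingFunds > 0) {
            (bool paid, ) = payable(msg.sender).call{value: missingFunds}("");
            (paid); // EntryPoint checks the deposit itself
        }
        return 0;
    }

    // Trailing 20 bytes of calldata (the next signer) are ignored by the ABI decoder.
    function execute(address dest, uint256 value, bytes calldata data) external {
        require(msg.sender == entryPoint, "not EntryPoint");
        (bool ok, bytes memory ret) = dest.call{value: value}(data);
        if (!ok) assembly { revert(add(ret, 32), mload(ret)) }
    }

    receive() external payable {}
}
```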

With the current implementation, sample transactions show costs of around 136k gas units for an ERC20 transfer. That implies a gas overhead of less than 100k gas compared with a standard token transfer on the same chain. The overhead is significantly below the cost of verifying most post-quantum signatures onchain today.

Cost profile and Ethereum account abstraction benefits

The gas cost for the signer rotation logic alone, when plugged into an existing account abstraction based wallet, is even lower and almost negligible in the broader context of complex DeFi interactions. Moreover, users inherit all the usual benefits of Ethereum account abstraction, such as batched operations and flexible validation rules.

Because the wallet address stays constant while signers change, this design preserves a stable onchain identity for dapps, explorers, and counterparties. That said, it changes the security model: users must ensure their key generation and storage setup can handle a continuous stream of new keys safely.

Using social recovery mechanisms for key rotation

An alternative way to reach similar behavior is by reusing the social recovery features already present in many smart contract wallets. Unless a specific restriction forbids it, a user can set their own address as the recovery guardian and trigger a recovery procedure after each transaction.

This approach effectively rotates control to a new key via the recovery logic. However, it incurs a slightly higher gas cost because a mechanism designed for emergency recovery is being repurposed for routine use. The upside is that users can adopt this quantum-aware structure without deploying custom onchain architectures.

Experiments suggest that the additional gas cost for this recovery-based operation is approximately 30k gas, while the total overhead of the baseline architecture without recovery is around 110k gas. Moreover, wallet developers can tune these parameters depending on their security and UX priorities.

Mempool exposure risk and remaining vulnerabilities

The authors acknowledge a key vulnerability that this model does not completely remove: mempool exposure risk during the waiting period before a transaction is mined. During that window, the user’s public key is visible in the mempool, and a quantum-capable attacker could, in theory, recover the private key and frontrun the transaction.

Given current quantum capabilities, this scenario is not considered immediately alarming, because the attacker would have only a very short timeframe to perform the computation. However, if one wants to be as conservative as possible, routing transactions through private mempools can virtually eliminate this mempool-level leak.

Furthermore, deploying this architecture on Layer 2 networks helps mitigate the risk. L2s typically have shorter confirmation times and different sequencing mechanisms, reducing the window during which the public key is exposed to an adversary.

Positioning within broader post-quantum mitigation strategies

This design should be viewed as a complementary tool within the broader landscape of post-quantum mitigation on Ethereum. It does not attempt to be the best quantum safe wallet in an absolute sense, nor does it replace the long-term need for native post-quantum signatures in the protocol.

Instead, it addresses one specific weakness: the long-term public key exposure that Shor’s algorithm would exploit on the execution layer. Moreover, it uses only current infrastructure and familiar smart contract patterns, making it deployable without waiting for new EIPs or signature standards.

Outlook for quantum safe transactions on Ethereum

The proposed quantum safe wallet scheme achieves execution-layer quantum safety by rotating ECDSA key pairs after every transaction while preserving a stable smart contract address. It requires no protocol changes and adds roughly 100k gas over a baseline transfer, a fraction of current post-quantum verification costs.

It does not replace upcoming post-quantum signature schemes, which remain vital for a complete, long-term solution on Ethereum. However, by eliminating long-lived public key exposure, it offers a practical, incremental defense that users and wallet developers can adopt today, with private mempools providing the strongest mitigation for remaining mempool-level exposure.
