Exploring lean Ethereum
We take a deep dive into lean Ethereum and the PQ L1
Three weeks ago, we kicked off the six-part lean Ethereum miniseries. The first three episodes moved from high-level vision to cryptographic design and, now, proof-system security. In the opener, Nico chatted with Justin Drake to outline the scope of lean Ethereum. In the second episode, he spoke with Benedikt Wagner and Dmitry Khovratovich about the post-quantum signature scheme intended to replace BLS and the aggregation machinery required to make it work. And this week, we released the third episode, with Nico going one layer deeper with Giacomo Fenzi and Antonio Sanso, focusing on the theory and security analysis of the post-quantum SNARK stack that underpins hash-based aggregation and LeanVM.
It felt like an appropriate moment to look closely at what this migration actually implies. The lean Ethereum roadmap is framed as a coordinated rewrite of the L1 stack that touches consensus, data, and execution in a single effort.
In the first conversation, Justin described lean Ethereum as combining post-quantum cryptography, faster finality, and enshrined zero knowledge. At the consensus layer, the immediate challenge is replacing BLS attestations with post-quantum signatures. BLS offers compact aggregation and efficient verification. Hash-based signatures do not. They are larger and lack algebraic aggregation.
This constraint drives the core design shift. Instead of aggregating signatures through group operations, lean Ethereum aggregates them with SNARKs. An aggregate becomes a proof that many valid signatures exist, with verification logic embedded in a circuit. That decision introduces requirements for recursive proofs, careful circuit design, and a minimal execution environment optimized for hashing.
This is where LeanVM enters. Justin introduced it as a deliberately minimal ZK virtual machine with a small instruction set and a Poseidon precompile, designed specifically for hash-based cryptography. The aim is consolidation; in other words, the same machinery can verify consensus aggregates, transaction signature aggregates, and potentially other commitments across the stack.
The second episode focused on the signature construction itself. LeanSig, a variant of the XMSS signature scheme, builds from one-time hash-based signatures organized in Merkle trees, producing an L-time scheme with a practically unbounded validator lifetime. The main tradeoff lies between signature size and verification cost, since verification happens inside a SNARK circuit.
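The structure described above, one-time hash-based signatures whose public keys are leaves of a Merkle tree, as an added illustration that is not LeanSig and not code from the episode. It uses Lamport one-time signatures and SHA-256 as stand-ins, omits domain separation, and all function names are assumptions.

```python
import hashlib

N = 256  # bits in the SHA-256 message digest; one Lamport secret pair per bit

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def ots_keygen(seed: bytes):
    # One-time key: N pairs of secrets; the public key is the hash of each secret.
    sk = [[H(seed, bytes([i, b])) for b in (0, 1)] for i in range(N)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def keygen(master: bytes, height: int):
    # 2**height one-time keys; the Merkle root over them is the long-lived public key.
    keys = [ots_keygen(H(master, i.to_bytes(4, "big"))) for i in range(2 ** height)]
    levels = [[H(*[h for pair in pk for h in pair]) for _, pk in keys]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return keys, levels, levels[-1][0]

def sign(keys, levels, index: int, msg: bytes):
    # Stateful: each index may sign at most one message, or forgeries become possible.
    sk, pk = keys[index]
    b = digest_bits(msg)
    revealed = [sk[i][b[i]] for i in range(N)]      # one secret per digest bit
    unopened = [pk[i][1 - b[i]] for i in range(N)]  # hashes of the secrets not revealed
    path = [levels[lvl][(index >> lvl) ^ 1] for lvl in range(len(levels) - 1)]
    return index, revealed, unopened, path

def verify(root: bytes, height: int, msg: bytes, sig) -> bool:
    index, revealed, unopened, path = sig
    if len(revealed) != N or len(unopened) != N or len(path) != height:
        return False
    if not 0 <= index < 2 ** height:
        return False
    b, leaf_parts = digest_bits(msg), []
    for i in range(N):
        h = H(revealed[i])
        leaf_parts += [h, unopened[i]] if b[i] == 0 else [unopened[i], h]
    node = H(*leaf_parts)  # recomputed one-time public key (the Merkle leaf)
    for lvl, sibling in enumerate(path):
        node = H(sibling, node) if (index >> lvl) & 1 else H(node, sibling)
    return node == root

def signature_bytes(sig) -> int:
    _, revealed, unopened, path = sig
    return sum(len(x) for x in revealed + unopened + path)
```

With a height-3 tree this toy signature is 16,480 bytes and verification costs several hundred hash calls, which is the size-versus-verification tradeoff the paragraph refers to once verification has to run inside a circuit.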
This week, we moved to the proof system layer underlying this aggregation stack. Nico spoke with Giacomo Fenzi and Antonio Sanso about the hash-based SNARK design intended for LeanVM. The construction uses multilinear arithmetization and sum-check protocols, aligning with the broader goal of minimizing reliance on elliptic-curve assumptions. Much of the discussion focused on the security analysis of these systems. In particular, recent work examines the “proximity gap” problem in hash-based SNARKs, where batching many claims into a single proof depends on coding-theoretic distance properties. A wave of recent papers has refined the bounds used in these analyses, revealing small security degradations but also improving the theoretical understanding of where proofs remain sound.
Across the series, one theme stood out. Post-quantum migration goes beyond swapping signatures: it also reshapes aggregation, proof systems, VM design, and security analysis. lean Ethereum treats the transition as an opportunity to simplify primitives, rely heavily on hashing, and place formal verification and provable security at the center of the stack.
The next parts of the series will dive further into LeanSig, LeanVM, formal verification, and the security assumptions behind the post-quantum transition.
Cheers,
The Zero Knowledge Podcast Team
P.S. To support the show and get more reports and insight, consider joining a zkMesh+ paid tier. We recently released an Addendum on Post-Quantum Cryptography for zkMesh+ paid subscribers.
