pith. sign in

arxiv: 2602.06655 · v2 · pith:XHLWSEQUnew · submitted 2026-02-06 · 💻 cs.CR · cs.DC

Wonderboom -- Efficient, and Censorship-Resilient Signature Aggregation for Million Scale Consensus

Zeta Avarikioti , Ray Neiheiser , Krzysztof Pietrzak , Michelle X. Yeo This is my paper

Pith reviewed 2026-05-21 14:22 UTC · model grok-4.3

classification 💻 cs.CR cs.DC
keywords signature aggregationEthereum consensusmillion validatorscensorship resilienceblockchain securitysimulation tool
0
0 comments X

The pith

Wonderboom aggregates signatures from a million Ethereum validators 32 times faster than current methods while resisting adversarial attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Wonderboom, a new protocol for aggregating and disseminating digital signatures among nearly one million validators on Ethereum. Current methods take about 15 minutes to finalize blocks, limiting practical uses, and can be exploited by adversaries to unfairly shift stake towards malicious nodes. Wonderboom claims to complete this aggregation in a single 12-second slot, offering better security. A reader cares because Ethereum secures over 650 billion dollars, so improvements affect global financial infrastructure and enable faster applications.

Core claim

Wonderboom is the first protocol that can efficiently aggregate the signatures of millions of validators in a single Ethereum slot while offering higher security guarantees than the state of the art protocol used in Ethereum. It achieves this 32 times faster and the authors provide a simulation showing it handles more than 2 million signatures in worst case conditions.

What carries the argument

Wonderboom aggregation protocol that combines efficient signature collection with censorship resilience to operate at million-validator scale.

If this is right

  • Blocks on Ethereum can finalize much quicker, around one slot instead of 15 minutes.
  • Adversaries cannot easily shift stake proportions from honest to adversarial nodes.
  • The system supports aggregation of over 2 million signatures per slot.
  • Real-world applications requiring fast finality become feasible on Ethereum.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If implemented, this could increase Ethereum's overall throughput and adoption for time-sensitive uses.
  • Similar methods might improve consensus in other decentralized systems with large participant sets.
  • Further optimizations could reduce the slot time even more or handle even larger validator sets.

Load-bearing premise

The custom simulation tool must accurately model real-world network delays, dissemination costs, and adversarial behaviors at million-validator scale without introducing biases that favor Wonderboom.

What would settle it

Deploying Wonderboom in a large-scale test environment with one million simulated or real validators and verifying whether signature aggregation completes reliably within a 12-second slot under adversarial network conditions.

Figures

Figures reproduced from arXiv: 2602.06655 by Krzysztof Pietrzak, Michelle X. Yeo, Ray Neiheiser, Zeta Avarikioti.

Figure 1
Figure 1. Figure 1: WONDERBOOM system architecture. Ethereum specifications WONDERBOOM has approximately 4 seconds to verify the previous block, verify and aggregate N signatures and transmit signature aggregates representing all N validators to the next proposer. There are two main types of validators in the aggrega￾tion protocol. First, leaf validators receive a block proposal through the gossip layer, verify the proposal a… view at source ↗
Figure 2
Figure 2. Figure 2: Comparison of censorship resilience of Wonder [PITH_FULL_IMAGE:figures/full_fig_p009_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Worst-Case Configurations of millions of nodes. The simulator is written in Rust and implements the essential functionality of WONDERBOOM, including communication, signature verification, aggregation, and protocol logic3 . To evaluate WONDERBOOM at scale, the tool executes the actual protocol logic for one node per role in sequence while simulating the responses of all other nodes in the system. This appro… view at source ↗
Figure 4
Figure 4. Figure 4: Runtime of WONDERBOOM under varying partici￾pation rates. 1.00M 1.25M 1.50M 1.75M 2.00M 2.25M 2.50M Number of Nodes 5.0 7.5 10.0 12.5 15.0 17.5 20.0 Latency (s) Approach Ethereum Wonderboom [PITH_FULL_IMAGE:figures/full_fig_p011_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: WONDERBOOM vs Ethereum available cores. The number of nodes ranges from 1 million to 2.5 million (fanout 256 to 320). For the current Ethereum configuration of about 1 million validators, all N signatures can be aggregated in under 4 seconds with only 4 cores, which matches the minimum Ethereum node requirement. For larger configurations (1.5 to 2 million nodes), aggregation remains possible with 8 cores, … view at source ↗
read the original abstract

Over the last years, Ethereum has evolved into a public platform that safeguards the savings of hundreds of millions of people and secures more than $650 billion in assets, placing it among the top 25 stock exchanges worldwide in market capitalization, ahead of Singapore, Mexico, and Thailand. As such, the performance and security of the Ethereum blockchain are not only of theoretical interest, but also carry significant global economic implications. At the time of writing, the Ethereum platform is collectively secured by almost one million validators highlighting its decentralized nature and underlining its economic security guarantees. However, due to this large validator set, the protocol takes around 15 minutes to finalize a block which is prohibitively slow for many real world applications. This delay is largely driven by the cost of aggregating and disseminating signatures across a validator set of this scale. Furthermore, as we show in this paper, the existing protocol that is used to aggregate and disseminate the signatures has several shortcomings that can be exploited by adversaries to shift stake proportion from honest to adversarial nodes. In this paper, we introduce Wonderboom, the first million scale aggregation protocol that can efficiently aggregate the signatures of millions of validators in a single Ethereum slot (x32 faster) while offering higher security guarantees than the state of the art protocol used in Ethereum. Furthermore, to evaluate Wonderboom, we implement the first simulation tool that can simulate such a protocol on the million scale and show that even in the worst case Wonderboom can aggregate and verify more than 2 million signatures within a single Ethereum slot.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript introduces Wonderboom, a signature aggregation protocol for million-scale validator sets in systems like Ethereum. It claims to aggregate and verify signatures from more than 2 million validators within a single 12-second Ethereum slot (32x faster than the current protocol), while providing stronger security guarantees against adversarial stake shifting. Evaluation relies on a newly developed custom simulation tool that models the protocol at this scale and demonstrates compliance with timing requirements even under worst-case conditions.

Significance. If the simulation accurately captures real network conditions, dissemination costs, and adversarial behaviors, the work would represent a meaningful advance in scalable consensus, enabling substantially faster finality times and improved censorship resistance for large proof-of-stake networks securing hundreds of billions in value.

major comments (1)
  1. [Simulation Results section] Simulation Results section: the headline claims of 32x speedup and successful aggregation of >2M signatures in one slot rest entirely on outputs from an unvalidated custom simulator. The manuscript supplies no description of how the tool models per-validator bandwidth/latency distributions, gossip-sub message costs under partial synchrony, or adaptive adversarial dropping/equivocation, nor any cross-check against smaller-scale runs of deployed Ethereum clients. This modeling gap is load-bearing for both the performance and security conclusions.
minor comments (1)
  1. [Abstract and Introduction] The abstract and introduction repeatedly reference 'as we show in this paper' without explicit section pointers to the protocol construction, security argument, or simulation methodology; adding such cross-references would improve traceability.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their careful and constructive review of the manuscript. We address the major comment below and outline the revisions we will make to strengthen the presentation of the simulation results.

read point-by-point responses

  1. Referee: [Simulation Results section] Simulation Results section: the headline claims of 32x speedup and successful aggregation of >2M signatures in one slot rest entirely on outputs from an unvalidated custom simulator. The manuscript supplies no description of how the tool models per-validator bandwidth/latency distributions, gossip-sub message costs under partial synchrony, or adaptive adversarial dropping/equivocation, nor any cross-check against smaller-scale runs of deployed Ethereum clients. This modeling gap is load-bearing for both the performance and security conclusions.

    Authors: We agree that the current manuscript provides only a high-level overview of the custom simulation tool and does not supply sufficient detail on its modeling assumptions or validation steps. This is a substantive gap that affects the strength of the performance and security claims. In the revised version we will expand the Simulation Results section (and add a dedicated subsection on the simulator) to describe: the concrete distributions and parameter ranges used for per-validator bandwidth and latency (derived from publicly available Ethereum network measurements); the accounting for gossip-sub message sizes and propagation delays under partial synchrony; the implementation of adaptive adversarial actions including selective dropping and equivocation; and the results of cross-validation experiments performed on smaller validator sets against actual Ethereum client code. These additions will make the modeling choices explicit and allow independent assessment of the simulator's fidelity. revision: yes

Circularity Check

0 steps flagged

No circularity: protocol design and simulation results are independent of target claims

full rationale

The paper presents Wonderboom as a newly designed aggregation protocol whose performance (x32 faster aggregation of >2M signatures in one slot) and security advantages are obtained by direct evaluation in a custom million-scale simulator. No equations, parameters, or uniqueness theorems are shown to reduce to self-definitions, fitted inputs renamed as predictions, or self-citation chains. The central claims rest on the protocol construction plus simulation outputs rather than any step that is equivalent to its own inputs by construction; the simulation framework is external to the claimed results even if its fidelity remains unvalidated.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim depends on unstated details of the aggregation mechanism and the fidelity of the simulation to real deployment conditions, which are not elaborated in the abstract.

axioms (1)
  • domain assumption The underlying network model permits reliable dissemination of aggregated signatures within a single slot even under adversarial conditions.
    Required for the single-slot performance claim to hold in a distributed setting.

pith-pipeline@v0.9.0 · 5819 in / 1260 out tokens · 82881 ms · 2026-05-21T14:22:08.348366+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

46 extracted references · 46 canonical work pages · 1 internal anchor

  1. [1]

    https://github.com/randao/randao

    Randao. https://github.com/randao/randao . Accessed on 26.08.2025

    work page 2025

  2. [2]

    Run a validator and vfn

    Aptos. Run a validator and vfn. https://aptos.dev/ network/nodes/validator-node , 2025. Accessed on 11.08.2025

    work page 2025

  3. [3]

    A fast confirmation rule for the ethereum consensus protocol.arXiv preprint arXiv:2405.00549, 2024

    Aditya Asgaonkar, Francesco D’Amato, Roberto Saltini, Luca Zanolini, and Chenyi Zhang. A fast confirmation rule for the ethereum consensus protocol.arXiv preprint arXiv:2405.00549, 2024

    work page arXiv 2024

  4. [4]

    CoBRA: A Universal Strategyproof Confirmation Protocol for Quorum-based Proof-of-Stake Blockchains

    Zeta Avarikioti, Eleftherios Kokoris Kogias, Ray Nei- heiser, and Christos Stefo. Cobra: A universal strate- gyproof confirmation protocol for quorum-based proof- of-stake blockchains, 2025. URL: https://arxiv.or g/abs/2503.16783,arXiv:2503.16783

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  5. [5]

    History of daily active validators

    Beaconcha.in. History of daily active validators. ht tps://beaconcha.in/charts/validators , 2025. Accessed on 11.08.2025

    work page 2025

  6. [6]

    Ethereum staking ecosystem overview

    Beaconcha.in. Ethereum staking ecosystem overview. https://beaconcha.in/entities, 2026. Accessed on 11.08.2025

    work page 2026

  7. [7]

    Com- pact multi-signatures for smaller blockchains

    Dan Boneh, Manu Drijvers, and Gregory Neven. Com- pact multi-signatures for smaller blockchains. In Thomas Peyrin and Steven Galbraith, editors,Advances in Cryptology – ASIACRYPT 2018, pages 435–464, Cham, 2018. Springer International Publishing

    work page 2018

  8. [8]

    Short signatures from the weil pairing.Journal of cryptology, 17(4):297–319, 2004

    Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the weil pairing.Journal of cryptology, 17(4):297–319, 2004

    work page 2004

  9. [9]

    The economic limits of permissionless consensus

    Eric Budish, Andrew Lewis-Pye, and Tim Roughgarden. The economic limits of permissionless consensus. In Proceedings of the 25th ACM Conference on Economics and Computation, EC ’24, page 704–731, New York, NY , USA, 2024. Association for Computing Machinery. doi:10.1145/3670865.3673548

    work page doi:10.1145/3670865.3673548 2024

  10. [10]

    Paths toward single-slot finality.https: //notes.ethereum.org/@vbuterin/single_slot _finality, 2022

    Vitalik Buterin. Paths toward single-slot finality.https: //notes.ethereum.org/@vbuterin/single_slot _finality, 2022. Accessed on 11.08.2025

    work page 2022

  11. [11]

    Practical byzantine fault tolerance

    Miguel Castro, Barbara Liskov, et al. Practical byzantine fault tolerance. InOsDI, volume 99, pages 173–186, 1999

    work page 1999

  12. [12]

    Algorand: A secure and efficient distributed ledger.Theoretical Computer Sci- ence, 777:155–183, 2019

    Jing Chen and Silvio Micali. Algorand: A secure and efficient distributed ledger.Theoretical Computer Sci- ence, 777:155–183, 2019. In memory of Maurice Nivat, a founding father of Theoretical Computer Science - Part I. URL: https://www.sciencedirect.co 14 m/science/article/pii/S030439751930091X , doi:10.1016/j.tcs.2019.02.001

    work page doi:10.1016/j.tcs.2019.02.001 2019

  13. [13]

    Chia greenpaper,

    Bram Cohen and Krzysztof Pietrzak. Chia greenpaper,

    work page

  14. [14]

    URL: https://docs.chia.net/green-paper -abstract

    work page

  15. [15]

    A simple single slot finality protocol for ethereum

    Francesco D’Amato and Luca Zanolini. A simple single slot finality protocol for ethereum. InEuropean Sympo- sium on Research in Computer Security, pages 376–393. Springer, 2023

    work page 2023

  16. [16]

    Upgrading ethereum, bls signatures

    Ben Edgington. Upgrading ethereum, bls signatures. ht tps://eth2book.info/latest/part2/building_ blocks/signatures/, 2025. Accessed on 30.07.2025

    work page 2025

  17. [17]

    Upgrading ethereum, committees

    Ben Edgington. Upgrading ethereum, committees. ht tps://eth2book.info/latest/part2/building_ blocks/committees/, 2025. Accessed on 30.07.2025

    work page 2025

  18. [18]

    Sync committee penalties

    Ethereum. Sync committee penalties. https://eth2bo ok.info/latest/part2/incentives/penalties/ ,

    work page

  19. [19]

    Accessed on 21.08.2025

    work page 2025

  20. [20]

    Wiley, January 1968

    William Feller.An Introduction to Probability Theory and Its Applications, volume 1. Wiley, January 1968. URL: http://www.amazon.ca/exec/obidos/redi rect?tag=citeulike04-20{&}path=ASIN/04712 57087

    work page 1968

  21. [21]

    Deanonymizing ethereum validators: The p2p network has a privacy issue,

    Lioba Heimbach, Yann V onlanthen, Juan Villacis, Lu- cianna Kiffer, Roger Wattenhofer, et al. Deanonymizing ethereum validators: The p2p network has a privacy issue.arXiv preprint arXiv:2409.04366, 2024

    work page arXiv 2024

  22. [22]

    All you need is DAG

    Idit Keidar, Eleftherios Kokoris-Kogias, Oded Naor, and Alexander Spiegelman. All you need is DAG. InPODC, pages 165–175. ACM, 2021

    work page 2021

  23. [23]

    Enhancing bitcoin security and performance with strong consistency via collective signing

    Eleftherios Kokoris Kogias, Philipp Jovanovic, Nicolas Gailly, Ismail Khoffi, Linus Gasser, and Bryan Ford. Enhancing bitcoin security and performance with strong consistency via collective signing. In25th USENIX Security Symposium (USENIX Security 16), pages 279– 296, Austin, TX, August 2016. USENIX Association

    work page 2016

  24. [24]

    Om- niledger: A secure, scale-out, decentralized ledger via sharding

    Eleftherios Kokoris-Kogias, Philipp Jovanovic, Linus Gasser, Nicolas Gailly, Ewa Syta, and Bryan Ford. Om- niledger: A secure, scale-out, decentralized ledger via sharding. In2018 IEEE Symposium on Security and Privacy (SP), pages 583–598, San Francisco, CA, USA,

    work page

  25. [25]

    Consistently faster and smaller compressed bitmaps with roaring.Software: Practice and Experience, 46(11):1547–1569, 2016

    Daniel Lemire, Gregory Ssi-Yan-Kai, and Owen Kaser. Consistently faster and smaller compressed bitmaps with roaring.Software: Practice and Experience, 46(11):1547–1569, 2016

    work page 2016

  26. [26]

    Low-resource eclipse attacks on ethereum’s peer-to-peer network.IACR ePrint Cryptology Report, 2020

    Yuval Marcus, Ethan Heilman, and Sharon Goldberg. Low-resource eclipse attacks on ethereum’s peer-to-peer network.IACR ePrint Cryptology Report, 2020

    work page 2020

  27. [27]

    Bitcoin: A peer-to-peer electronic cash system

    Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008

    work page 2008

  28. [28]

    Kauri: Scalable bft consensus with pipelined tree-based dissemination and aggregation

    Ray Neiheiser, Miguel Matos, and Luís Rodrigues. Kauri: Scalable bft consensus with pipelined tree-based dissemination and aggregation. InProceedings of the ACM SIGOPS 28th Symposium on Operating Sys- tems Principles, SOSP ’21, page 35–48, New York, NY , USA, 2021. Association for Computing Machinery. doi:10.1145/3477132.3483584

    work page doi:10.1145/3477132.3483584 2021

  29. [29]

    Market statistics - february 2026

    World Federation of Exchanges. Market statistics - february 2026. https://focus.world-exchanges .org/issue/february-2026/market-statistics ,

    work page 2026

  30. [30]

    Accessed on 26.01.2026

    work page 2026

  31. [31]

    Byzantine attacks exploiting penal- ties in ethereum pos

    Ulysse Pavloff, Yackolley Amoussou-Guenou, and Sara Tucci-Piergiovanni. Byzantine attacks exploiting penal- ties in ethereum pos. In2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 53–65, 2024. doi:10.1109/DS N58291.2024.00020

    work page doi:10.1109/ds 2024

  32. [32]

    Gossipsub message propagation latency

    Yiannis Psaras. Gossipsub message propagation latency. https://ethresear.ch/t/gossipsub-message-p ropagation-latency, 2024. Accessed on 11.08.2025

    work page 2024

  33. [33]

    Scalable and proba- bilistic leaderless bft consensus through metastability,

    Team Rocket, Maofan Yin, Kevin Sekniqi, Robbert van Renesse, and Emin Gün Sirer. Scalable and proba- bilistic leaderless bft consensus through metastability,

    work page

  34. [34]

    URL: https://arxiv.org/abs/1906.08936 , arXiv:1906.08936

    work page arXiv 1906

  35. [35]

    Network emulation with netem

    HEMMINGER S. Network emulation with netem. https://cir.nii.ac.jp/crid/1572543024894323456, 2005. Accessed on 18.04.2022

    work page arXiv 2005

  36. [36]

    Navigating rewards, risks, and attesta- tion efficiency

    Reza Sabernia. Navigating rewards, risks, and attesta- tion efficiency. https://figment.io/insights/st rategies-for-ethereum-validators-navigatin g-rewards-risks-and-attestation-efficiency ,

    work page

  37. [37]

    Accessed on 30.07.2025

    work page 2025

  38. [38]

    Impact of geo-distribution and mining pools on blockchains: A study of ethereum

    Paulo Silva, David Vavricka, João Barreto, and Miguel Matos. Impact of geo-distribution and mining pools on blockchains: A study of ethereum. In2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 245–252, 2020. doi:10.1109/DSN48063.2020.00041

    work page doi:10.1109/dsn48063.2020.00041 2020

  39. [39]

    Corwin Smith, Nicolas Consigny, Julio, nixo, Tim Beiko, Sam Calder-Mason, Mario Havel, and wackerow. Pectra. https://ethereum.org/roadmap/pectra/ , 2025. Accessed on 17.09.2025. 15

    work page 2025

  40. [40]

    Share of cryptocurrency owners in 53 countries and territories worldwide as of january 2025, 2025

    Statista. Share of cryptocurrency owners in 53 countries and territories worldwide as of january 2025, 2025. Ac- cessed on 08.10.2025. URL: https://www.statista .com/forecasts/1452605/share-of-cryptocur rency-owners-in-selected-countries-worldwi de

    work page arXiv 2025

  41. [41]

    Supranational. blst. https://github.com/suprana tional/blst, 2025. Accessed on 11.08.2025

    work page 2025

  42. [42]

    Ecosystem total value locked

    tokenterminal. Ecosystem total value locked. https: //tokenterminal.com/explorer/projects/ethe reum/ecosystem/ecosystem-tvl , 2026. Accessed on 26.01.2026

    work page 2026

  43. [43]

    Ethereum: A secure decentralised gen- eralised transaction ledger.Ethereum project yellow paper, 151:1–32, 2014

    Gavin Wood. Ethereum: A secure decentralised gen- eralised transaction ledger.Ethereum project yellow paper, 151:1–32, 2014. Accessed on 18.04.2022. URL: https://files.gitter.im/ethereum/yellowpap er/VIyt/Paper.pdf

    work page 2014

  44. [44]

    Wong, and Hao Wang

    Guangquan Xu, Bingjiang Guo, Chunhua Su, Xi Zheng, Kaitai Liang, Duncan S. Wong, and Hao Wang. Am i eclipsed? a smart detector of eclipse attacks for ethereum.Computers & Security, 88:101604, 2020. URL: https://www.sciencedirect.com/scie nce/article/pii/S0167404818313798 , doi: 10.1016/j.cose.2019.101604

    work page doi:10.1016/j.cose.2019.101604 2020

  45. [45]

    Peiyun Zhang, Fuya Xu, Tianlin Huang, Haibin Zhu, and Qinglin Zhao. Ctt: A three-layer tree consensus mech- anism for consortium blockchains with enhanced secu- rity and reduced communication cost.IEEE Transac- tions on Industrial Informatics, 21(6):4355–4366, 2025. doi:10.1109/TII.2025.3534426. C Omitted Proofs and Analysis C.1 Proof of Lemma 2 Lemma 2.F...

    work page doi:10.1109/tii.2025.3534426 2025

  46. [46]

    Now we compute the probability that the proposer is cor- rect

    Thus, at depth d−2 from the first internal aggregator to the proposer, the probability to con- sistently pick a correct aggregate by random over all d−2 depths is at least 2 3 d−2 · 16− 16 3 15 . Now we compute the probability that the proposer is cor- rect. As there is only a single proposer, there is only a 2 3 chance for the proposer to be correct. As ...

    work page