Vitalik Buterin said keyed nonces could become more than a privacy upgrade for Ethereum. In an X post, he described them as a possible first step toward a new state scaling strategy built around specialized storage.
The idea focuses on moving certain use cases away from Ethereum’s fully dynamic state. Meanwhile, privacy transactions remain a key example, as nullifiers keep growing over time and cannot be pruned after they enter the system.
Vitalik Explains Keyed Nonces
Buterin said keyed nonces add stronger protocol-level support for privacy solutions. However, he also framed them as part of a wider plan to create storage types optimized for specific categories of Ethereum activity.
The proposal would replace a single sender nonce with a structure using a nonce key and nonce sequence. That model gives accounts more flexible transaction ordering while supporting use cases that need separate nonce lanes.
Notably, Buterin linked the idea to in-protocol nullifiers. Privacy systems use nullifiers to stop the same coin or note from being spent twice, and each transaction adds another value to a set that keeps expanding.
He gave a large-scale example with 2,000 privacy-preserving transactions per second over eight years. That scenario would create about 500 billion nullifiers on-chain, leaving Ethereum with a major storage challenge.
Nullifier Storage Becomes Key Issue
Buterin said Ethereum would stay more decentralized if those 500 billion nullifiers sat in a dedicated nullifier store. He said that the outcome would work better than placing them in the current general state.
The reason comes from how nullifiers are used. They only need validity checks, and transactions can explicitly provide the nullifier ID, so nodes do not need the same level of dynamic access required by DeFi applications.
According to the technical note, default privacy support could require storing 32 bytes per transaction in the VOPS. At 1,000 private transactions per second over eight years, that would create an 8 TB nullifier set.
A bloom filter offers another path. The note said a filter could reduce the requirement to about one byte per nullifier, or about 277 GiB after eight years at large scale, with a low false-positive rate.
Bloom Filters and Sharding Enter Plan
Buterin also cited sharding as a possible option for nullifier storage. Under that structure, each node could hold only a small percentage of nullifiers and maintain links to honest peers across other shards.
Nevertheless, the bloom filter proposal takes a different route. Each node would maintain its own private filter, check whether a nullifier appears spent, and accept that some valid transactions may face random rejection.
The note estimated false rejections near 3% for one-nullifier transactions and around 9% for transactions spending three nullifiers. It said redundancy in FOCIL and mempools could absorb that tradeoff.
Buterin said a fully dynamic state becomes much harder to manage at tens or hundreds of terabytes. Specialized state could keep gas cheaper for restricted use cases, while preserving dynamic storage for DeFi and other applications that need full flexibility.
Related: Ripple Shares DPRK Threat Intel With Crypto ISAC to Fight Crypto Infiltration
