Today a crazy quantum story just got wilder.
On March 31, the Google Quantum AI team published a landmark result on Shor's algorithm for elliptic curve cryptography. Technically, the paper was a bombshell: a dramatic 10x improvement over the state-of-the-art. As a stunt and wakeup call to the blockchain space, those optimisations were illustrated on secp256k1, the elliptic curve underlying Bitcoin and Ethereum signatures.
But perhaps the most striking part of the paper was sociological, not technical. Instead of following standard academic process, the optimisations were kept secret, hidden behind a zero-knowledge (ZK) proof. Google's accompanying blog post mentions they "engaged with the U.S. government". The ZK proof demonstrates the existence of algorithmic improvements without leaking details. Academic censorship with ZK, a historic first!
As a co-author of the Google paper I witnessed some of the context surrounding this censorship. To be honest, multiple aspects of that context don't sit well with me. As much as I believe the general public ought to know more, I am limited in my ability to whistleblow. Though let me be clear about one thing: the Google team's professionalism has been absolutely exemplary, and they deserve nothing but praise.
Censorship has a way of backfiring. The Streisand effect, where an attempt to bury something only draws more attention to it, is exactly what's unfolding today. First, Google's key optimisation has been rediscovered by the French. And in a thrilling turn of events, a collaborative Shor-at-home challenge just launched. The initiative, available at ecdsa[.]fail, breached a new Shor world record in a matter of hours.
Let's start with the rediscovery. Just two months after Google's paper, French quantum expert André Schrottenloher cracks the main secret optimisation. His paper, titled "Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms", landed on the arXiv today. Big congrats to André, who beat several other nerdsnipped experts to it. In a blog post also published today, Craig Gidney, the world expert on Shor optimisations, revealed that he'd been sitting on this very optimisation for a whole year under censorship pressure.
Interestingly, André missed a handful of minor optimisations, both from Google's original publication and from improvements found since. It's plausible there's still plenty of juice left to squeeze out of Shor, and this is exactly what the ecdsa[.]fail challenge is about. The verifier program developed for the ZK proof does double duty, automatically filtering for valid submissions. Dozens of compounding small and micro improvements are rolling in. As of the time of writing there's an 8.4% improvement to Google's circuit, as measured by the product of logical qubit count and Toffoli gate count. Nice!
The nerdsnipping ran deeper than anyone expected. Over the last few weeks it became clear it extended well beyond André and other quantum experts. Behind the scenes, a small army of amateurs quietly got to work. Inspired by Karpathy-style autoresearch, they turned AI on Shor. Ironically, the verifier program for the ZK proof makes an ideal reward function for AIs. The barrier to entry for this modern style of research is refreshingly low, with several non-experts, even a teenager, finding nice optimisations. Get in touch if you'd like to join a Telegram group with fellow autoresearchers :)
Part 2: neutral atoms and qday
The story doesn't end with Google. On the same day Google went public, a stealthy startup called Oratomic published its own Shor paper in a coordinated release. It made a splash, ultimately becoming the most upvoted paper on scirate[.]com, a website ranking arXiv papers.
Oratomic's claim was wild. By building on Google's logical optimisations and applying custom physical optimisations for neutral atoms, they claimed just 10K physical qubits were sufficient to run Shor's algorithm on secp256k1. That number is mind-bogglingly low.
Knowing essentially nothing about neutral atoms when Oratomic's paper landed, I was intrigued and decided to learn more about the tech. I fell straight down the rabbit hole and spent a couple hundred hours on the topic. I got a little obsessed and watched every YouTube video I could find and spoke to a bunch of experts.
My conclusion? The tech is real, very real. Even Google recently decided to start a neutral atom lab, a notable pivot from their sole focus on superconducting qubits. If you care about qday, i.e. the day a quantum computer will break the first piece of cryptography in production, neutral atoms demand your attention. I shared some of my learnings on Shor and neutral atoms in a 30min talk at the ZKProof cryptography conference. You can find it on YouTube by searching "zkproof neutral atom".
Here's an interesting observation about this duo of breakthrough papers: neither Google nor Oratomic says a word about what their results mean for qday. No timelines. Zero. Nada. That is especially baffling given that the whole point of whitehat quantum cryptanalysis is to inform qday estimations and help the general public make good decisions.
So let me attempt to partially fill the silence, similarly to what Scott Aaronson did in his April 29 post. Given everything I know, including scary non-public information, I now put the odds of qday by 2032 at 50%. 10% by 2030.
Anecdotally, the US government has its own date: 2035. Originating at the NSA and later adopted by NIST, it's when branches of the US government will be disallowed from using quantum-vulnerable cryptography. In plain language: with hindsight, that date is a joke and should be discounted entirely. I don't see how NIST avoids being forced to pull it forward by years.
Part 3: post-quantum cryptography
There are good reasons to sound the alarm today, but please do not panic. Rushing carelessly towards immature post-quantum cryptography is a recipe for disaster. IMO a good target date for migration is 2029, roughly 3.5 years out. 2029 happens to be the date selected by Google, Cloudflare, and the Ethereum Foundation.
These days most of my time goes to safely migrating Ethereum towards post-quantum cryptography as part of the broader lean Ethereum effort. There's a lot to do. We need to rip out and replace BLS signatures at the consensus layer, KZG commitments at the data layer, and ECDSA signatures at the execution layer.
The plan to get there is compelling, and is based on hash-based cryptography. Within the Ethereum Foundation we've developed a Swiss army knife called leanVM (github[.]com/leanEthereum/leanVM) powered by the magic of hash-based SNARKs. Thanks to truly exceptional work by Emile, Thomas, and others, its performance is derisked. Regarding security, leanVM is a jewel, a minimal zkVM crafted for end-to-end formal verification and maximum security.
Want to help? There are two $1M initiatives. First, the Proximity Prize (proximityprize[.]org). Solve a long-standing mathematical conjecture in coding theory, improve hash-based SNARKs, and go home a millionaire. Second, the Poseidon Initiative (poseidon-initiative[.]info) offers $1M for breaking Poseidon, the SNARK-friendly hash function.
The situation in Iran is continuing to get much worse. Much respect for everyone going through extreme danger to try to increase the chance that Iranian people can be free.
Ethproofs call 6b, proximity gaps
This session dives deep into proximity gaps—why conjectures are failing, what provable alternatives look like, and how this reshapes zkVM security foundations heading into 2026.
Watch here 👇
https://t.co/sANTLDGPZ6
We're doing an Engineering Residency at LambdaClass in Buenos Aires for people who want to work on system programming, artificial intelligence, distributed systems, cryptography, high performance and low level infrastructure.
It's gonna last 6 months, full time, on site. You will be working on real production systems and applied research.
Before joining, candidates must complete our Hacking Learning Path autonomously.
If you're interested fill the form: https://t.co/OtVUMl3Py6
Please share and like for students and young people to find out about the opportunity.
Ethereum snarkification north star:
To prove (>128 bits of security) giga-gas blocks on a single mobile machine: ~"M4 max/Ryzen AI Max+ 395, 128GB of memory".
If @eth_proofs calls for it, the community will deliver in less than two years.
Higher please.
Next target: viable client-side proving (on desktop and mobile)
This would enable private account abstraction: control private funds by making zk-proofs that you are able to spend from your main wallet, which could be a Safe etc (without revealing the wallet address, of course)
This allows total convergence: your ETH account becomes a universal authorization mechanism, and can even secure offchain applications (including things like e.g. zupass)
Craaazy 365 days of @leanEthereum progress. Cheers to the builders. Cheers to the dreamers. Cheers to anti-fragility, too :)
Devcon, Bangkok — Nov 12, 2024. The suspense is real. The room overflows; hundreds can't get in. An "announcement of an announcement" had sparked wild speculation about my "most ambitious initiative".
Who knew the beam chain vision would evolve into lean Ethereum? Next-level ambition, seeping into all layers of L1. Snarks for consensus and execution. Fort mode and beast mode.
What's new? zkEVMs. Real-time proving. Full validation in a tab, on a phone. Let's pump L1 gas with the exponential snark curve. Starting in months, not years. To me it all points to 10K TPS, the gigagas frontier.
Dream bigger dreams for L1. Believe in something.
———
part 1—lean consensus
devnets
→ clients: 4 new lean CL clients (Zeam, Ream, Qlean, Lantern)
→ languages: 3 new CL languages (Zig, C++, C)
→ specs: by @tcoratger + 14 others; 3SF-mini subspec by @vitalikbuterin
→ testing: revamped test framework by @fselmo2; @Sib_Katya metrics
→ devnets: multi-client 3SF with 4s slots and 12s finality; PQ soon™
coordination
→ hires: EF Protocol coordinators @corcoranwill and @ladislaus0x
→ CL teams: led by @Gajpower, @unnawut, @kamil_abiy, @mstore80
→ 7 consensus calls: teams, PQ, p2p, exit queue, APS, 3SF, PQ specs
→ Cannes workshop: 1 day at EthCC in June; interop kicked off
→ 13 interop calls: by @corcoranwill on Wednesdays at 2pm UTC
→ Cambridge Oct workshops: 1 day leanVM, 3 days PQ, 3 days CL
cryptography
→ leanSig: 3 papers on hash sigs by Benedikt, @khovr, @kudinov_mikhail
→ leanVM: fast minimal aggregation zkVM by Emile
→ WHIR: fast Plonky3 implementation by @tcoratger
→ optimisoors: @AngusGruen, @GiacomoFenzi, @lambdaclass, @kiliconu
→ Poseidon2: 4 cryptanalysis workshops by @khovr, @asanso
→ maths: $1M Millennium-like proximity prize; papers flowing
→ formal verification: ArkLib by @QuangVDao
research
→ consensus team: hires @yannvon and lead @robsaltini join @luca_zanolini
→ faster finality: 1- or 2-round designs with Ethereum-grade liveness
→ 3sf-gold: new fast inclusion by @fradamt, @vitalikbuterin from Cambridge
→ p2p: @qdrvm_io simulator; @raulvk ethp2p; @soispoke leanp2p
→ rainbow staking: new Cambridge ideas; specs by Dan Goron & Alex Vlad
———
part 2—lean execution
zkEVM tech
→ real-time proving: ~100 engineers pushing across ~10 zkVM teams
→ GPU proving: 16 5090s (10kW) proving mainnet; $0.01/block
→ guests: revm (Reth), levm (Ethrex), evmone (Zilkworm), ZKSync OS
→ more guest programs: Geth, Besu, Nethermind and others soon™
→ RISC-V: de facto ISA of choice for zkEVM proving
→ Picus: prolific Veridise tool to identify under-constraints
→ formal verification: $4M across 40 grants by @alexanderlhicks
Ethproofs community
→ zkVM integrations: Airbender, OpenVM, Pico, R0VM, SP1, Ziren, ZisK
→ other integrations: Cysic, Fermah, Marlin, Snarkify, Zilkworm, ZkCloud
→ website: driven by @fbwoolf under new EF Ethproofs team
→ 7 calls: zkVMs, RTP, gigagas, RISC-V, native rollups, proximity gaps
→ Ethproofs day: Nov 22 at Devconnect; register at ethproofs[.]day
→ zkAttester demo: my home validator on zkEVM proofs at Ethproofs day
EF zkEVM team
→ new team: led by @kevaundray with Cody, Han, Ignacio, Radek, Sophia
→ EF blog post: real-time proving requirements by @_sophiagold_
→ zkLighthouse: modified Lighthouse client by @kevaundray
→ zkEVM/acc: @ignaciohagopian benchmarks; @codytouchgrass tests
→ more zkEVM/acc: @kevaundray standardisation; Ere by @han__0110
future of EL
→ Fusaka: per-tx gas limit (EIP 7825); MODEXP killer (EIPs 7823, 7883)
→ EVM 2.0: @vitalikbuterin proposal to enshrine RISC-V under the EVM
→ native rollups: championed by @lucadonnoh; wrote book and draft EIP
→ gas auto-pumps: 3x/year gas pumps (EIP-7938 by @dankrad)
→ gigagas L1: champion wanted—reach out :) [email protected]
lowercase snarks
Words like laser, scuba, radar began uppercase.
LASER — Light Amplification by Stimulated Emission of Radiation
SCUBA — Self-Contained Underwater Breathing Apparatus
RADAR — RAdio Detection And Ranging
When a technology matures and becomes reliable, trusted, commoditised, it earns the lowercase. Lean Ethereum is a bet on snarks, not Succinct Non-interactive ARguments of Knowledge.
Post-quantum security. Provable soundness. End-to-end formal verification. Deep cryptanalysis. Real-time proving. zkVM programmability. Simplicity and elegance. All essential for the lowercase. All inevitable.
Ethereum L1 has 10y uptime and $1T secured with hashes and signatures, our cryptographic workhorses. I believe in 100y uptime and $1Q secured with snarks, our cryptographic jet engines.
* L1 scale — 10K TPS gigagas scale with real-time zkEVMs
* L1 security — post-quantum security with snarked signatures
* L1 privacy — Zcash-grade stealth with wormholes (eg EIP-7503)
Shipping snarks is a cryptographic Manhattan Project, one the EF is investing tens of millions into:
* verified-zkevm[.]org — formal verification
* poseidon-initiative[.]info — deep cryptanalysis
* ethproofs[.]org — real-time proving
* proximityprize[.]org — provable soundness
* zkevm.ethereum[.]foundation — enshrinement
* pse[.]dev — privacy
Step by step, the EF is evolving into a snark-first org:
* cryptography team — driving soundness and cryptanalysis
* snarkification team — driving formal verification
* zkEVM team — driving protocol integration
* Ethproofs team — driving real-time proving
* PSE team — driving privacy
* PQ consensus team — soon™
Believe in something magical.
Believe in lowercase snarks.