https://t.co/SSzsiWNJsK
Circuit parity achieved and more on the effects of using zk-proofs. Gidney concludes with "We should just publish openly". Of course these are not the only possible alternatives, and a group might just decide to delay publishing anything. In general we can't rely only on what's openly disclosed to try figuring out timelines. And again, the timeline question is not super important when we know it's time to act on the PQ migration (there are still questions on optimal resource allocation though).
Blog post: "The French have the Quantum Circuits" https://t.co/cP5hbTWl2B
André Schrottenloher just published a preprint showing how to construct quantum ECDLP circuits with costs similar to the ones in our zero knowledge proofs.
This panel with @danboneh and @drakefjustin at zkproof8 was very insightful on what was going to happen
"The question is just can you implement elliptic curve addition using a small number of Toffoli gates. That’s like a question that all of you can pose to Claude and work on yourself"
Scott Aaronson also predicted it, referring to the effectiveness of not disclosing the circuit but rather using a zk-proof of its existence: "I’m not sure how much it will actually help, once other groups know that a smaller circuit exists, it might be only a short time until they’re able to find it as well."
The thing is, once you know there is a solution and you are told what to optimize, it definitely makes sense to dedicate effort / compute to it. Still super impressive ofc... AI (and attention to the problem in general, sparked by the Google paper) changed the game. But I won't use this result to take for granted further, extreme algorithmic improvements any time soon.
One thing is sure, there is no time to waste in getting PQ ready.
We're thrilled to announce Wolfgang Amadeus Vitale @w4vitale as a speaker at ctrl/shift 2026. He will take the stage to explore one of the most urgent questions in the Bitcoin ecosystem today: "The Road to Post-Quantum Bitcoin."
This is what you can do if you are worried *today* about CRQC short-exposure attacks on Bitcoin. Alternatives based on commit / reveal like Lifeboat by @tdryja are more "lightweight" in construction and stronger in safety (@riva_labs bitcoin vault is "just" buying you time) but require private send to miner for the commitment.
New paper by @matteovena and @matteVicari: a Bitcoin vault design that imposes a multi-hour cost on a quantum computer attempting to steal its contents at spend time. No soft fork or miner-direct services required.
https://t.co/1ym5ZSxq47
“The road to post-quantum Ethereum” by Wolfgang Vitale (@w4vitale )
Wolfgang gives a clear status update on post-quantum readiness for Ethereum, covering quantum timelines, impact on signatures, account model, BLS aggregation, KZG commitments, and what to watch in 2026.
Quantum computing isn't a faster PC; it's a fundamentally different paradigm running on qubits as said by @w4vitale during @EthCC.
It poses a massive threat to blockchain cryptography, but Ethereum is preparing.
Here is a breakdown of the quantum threat and ETH's roadmap. 🧵👇
Good reminder of how far social engineering can go.
One can read it as "don't trust anyone ever, always adversarial mindset" but that's not always ideal. The way to go is:
1) critical systems deserve the highest security. Critical signing devices should never touch anything else
2) NEVER take shortcuts on your security protocols. Trust the process. It's there to protect you from the most insidious threats, not the obvious ones.
The building blocks for a quantum threat are real, but so is Ethereum's post-quantum roadmap.
Summary of @w4vitale's talk at @EthCC below ↓
TL;DR: not yet the time to panic, but also no time to relax. Ethereum is prepared and already executing.
If you're interested in these topics let's meet at EthCC or pass by my talk this Thursday on the current status of quantum computing and what it means for Ethereum. I'd like to chat about it.
https://t.co/eP4bDZQ9Dy
Very impressive result
1) we can expect further optimizations with renewed focus on ECDLP
2) it might become "normal" now not to disclose algorithmic optimizations (a key enabler was zk-proven but still)
3) the gap to CRQC capability is narrower but ofc there are still huge, huge fundamental scalability milestones to be proven.
4) it's good to see proper analysis of impact on blockchain based systems and more nuanced topics related to migration strategies, also from players like Google who are not specifically focused on our industry.
The thing is, it's not time to panic, but there is no time to relax. It was already true before this paper, but it might be more obvious now.
Today is a momentous day for quantum computing and cryptography. Two breakthrough papers just landed (links in next tweet). Both papers improve Shor's algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results compound, optimising separate layers of the quantum stack. The results are shocking. I expect a narrative shift and a further R&D boost toward post-quantum cryptography.
The first paper is by Google Quantum AI. They tackle the (logical) Shor algorithm, tailoring it to crack Bitcoin and Ethereum signatures. The algorithm runs on ~1K logical qubits for the 256-bit elliptic curve secp256k1. Due to the low circuit depth, a fast superconducting computer would recover private keys in minutes. I'm grateful to have joined as a late paper co-author, in large part for the chance to interact with experts and the alpha gleaned from internal discussions.
The second paper is by a stealthy startup called Oratomic, with ex-Google and prominent Caltech faculty. Their starting point is Google's improvements to the logical quantum circuit. They then apply improvements at the physical layer, with tricks specific to neutral atom quantum computers. The result estimates that 26,000 atomic qubits are sufficient to break 256-bit elliptic curve signatures. This would be roughly a 40x improvement in physical qubit count over previous state-of-the-art. On the flip side, a single Shor run would take ~10 days due to the relatively slow speed of neutral atoms.
Below are my key takeaways. As a disclaimer, I am not a quantum expert. Time is needed for the results to be properly vetted. Based on my interactions with the team, I have faith the Google Quantum AI results are conservative. The Oratomic paper is much harder for me to assess, especially because of the use of more exotic qLDPC codes. I will take it with a grain of salt until the dust settles.
→ q-day: My confidence in q-day by 2032 has shot up significantly. IMO there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key. While a cryptographically-relevant quantum computer (CRQC) before 2030 still feels unlikely, now is undoubtedly the time to start preparing.
→ censorship: The Google paper uses a zero-knowledge (ZK) proof to demonstrate the algorithm's existence without leaking actual optimisations. From now on, assume state-of-the-art algorithms will be censored. There may be self-censorship for moral or commercial reasons, or because of government pressure. A blackout in academic publications would be a tell-tale sign.
→ cracking time: A superconducting quantum computer, the type Google is building, could crack keys in minutes. This is because the optimised quantum circuit is just 100M Toffoli gates, which is surprisingly shallow. (Toffoli gates are hard because they require production of so-called "magic states".) Toffoli gates would consume ~10 microseconds on a superconducting platform, totalling ~1,000 sec of Shor runtime.
→ latency optimisations: Two latency optimisations bring key cracking time to single-digit minutes. The first parallelises computation across quantum devices. The second involves feeding the pubkey to the quantum computer mid-flight, after a generic setup phase.
→ fast- and slow-clock: At first approximation there are two families of quantum computers. The fast-clock flavour, which includes superconducting and photonic architectures, runs at roughly 100 kHz. The slow-clock flavour, which includes trapped ion and neutral atom architectures, runs roughly 1,000x slower (~100 Hz, or ~1 week to crack a single key).
→ qubit count: The size-optimised variant of the algorithm runs on 1,200 logical qubits. On a superconducting computer with surface code error correction that's roughly 500K physical qubits, a 400:1 physical-to-logical ratio. The surface code is conservative, assuming only four-way nearest-neighbour grid connectivity. It was demonstrated last year by Google on a real quantum computer.
→ future gains: Low-hanging fruit is still being picked, with at least one of the Google optimisations resulting from a surprisingly simple observation. Interestingly, AI was not (yet!) tasked to find optimisations. This was also the first time authors such as Craig Gidney attacked elliptic curves (as opposed to RSA). Shor logical qubit count could plausibly go under 1K soonish.
→ error correction: The physical-to-logical ratio for superconducting computers could go under 100:1. For superconducting computers that would mean ~100K physical qubits for a CRQC, two orders of magnitude away from state of the art. Neutral atom quantum computers are amenable to error correcting codes other than the surface code. While much slower to run, they can bring down the physical-to-logical qubit ratio closer to 10:1.
→ Bitcoin PoW: Commercially-viable Bitcoin PoW via Grover's algorithm is not happening any time soon. We're talking decades, possibly centuries away. This observation should help focus the discussion on ECDSA and Schnorr. (Side note: as an unofficial Bitcoin security researcher, I still believe Bitcoin PoW is cooked due to the dwindling security budget.)
→ team quality: The folks at Google Quantum AI are the real deal. Craig Gidney (@CraigGidney) is arguably the world's top quantum circuit optimisooor. Just last year he squeezed 10x out of Shor for RSA, bringing the physical qubit count down from 10M to 1M. Special thanks to the Google team for patiently answering all my newb questions with detailed, fact-based answers. I was expecting some hype, but found none.
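The runtime and qubit-count figures in the thread above (cracking time, fast- and slow-clock, qubit count, error correction) all come from the same two products: Toffoli count times time per Toffoli, and logical qubits times the physical-to-logical ratio. The script below is an added example, not code from the thread's author or from the papers it discusses; it reproduces that arithmetic so a reader can plug in their own assumptions. Only the numeric inputs (100M Toffolis, 1,200 logical qubits, 10 µs per Toffoli on a fast clock, 400:1 and 100:1 surface-code ratios, ~10:1 for neutral atoms) come from the thread; the architecture labels, the 10 ms slow-clock Toffoli time (derived from "roughly 1,000x slower") and the idealised linear speedup for parallel devices are assumptions of this example, and it ignores magic-state factory overhead entirely.

```python
"""Back-of-the-envelope Shor-for-ECDLP resource estimate.

Added example (not the thread author's code, not from the cited papers).
    runtime  = Toffoli count x time per Toffoli gate
    physical = logical qubits x physical-to-logical ratio
Numeric inputs are the ones stated in the thread; everything else here is
an assumption of this example, labelled inline.
"""
from dataclasses import dataclass

TOFFOLI_COUNT = 100_000_000   # "~100M Toffoli gates" (from the thread)
LOGICAL_QUBITS = 1_200        # size-optimised variant (from the thread)
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Architecture:
    name: str                # label chosen for this example
    toffoli_us: int          # wall-clock microseconds per Toffoli gate
    phys_per_logical: int    # physical-to-logical qubit ratio


# Constructed parameter sets. 10 us per Toffoli and 400:1 / 100:1 ratios are
# from the thread; 10 ms per Toffoli is derived from "roughly 1,000x slower"
# and 10:1 is the thread's "closer to 10:1" for non-surface-code designs.
FAST_CLOCK = Architecture("superconducting, surface code", 10, 400)
FAST_CLOCK_IMPROVED = Architecture("superconducting, improved QEC", 10, 100)
SLOW_CLOCK = Architecture("neutral atom, low-ratio code", 10_000, 10)


def runtime_seconds(arch: Architecture, toffoli_count: int = TOFFOLI_COUNT,
                    parallel_devices: int = 1) -> float:
    """Serial Toffoli time, optionally split across devices.

    The split assumes an ideal linear speedup (assumption of this example,
    the thread only says computation can be parallelised across devices).
    """
    if parallel_devices < 1:
        raise ValueError("parallel_devices must be >= 1")
    return toffoli_count * arch.toffoli_us / 1_000_000 / parallel_devices


def physical_qubits(arch: Architecture, logical_qubits: int = LOGICAL_QUBITS) -> int:
    """Physical qubit count under the architecture's encoding ratio."""
    return logical_qubits * arch.phys_per_logical


def estimate(arch: Architecture, toffoli_count: int = TOFFOLI_COUNT,
             logical_qubits: int = LOGICAL_QUBITS, parallel_devices: int = 1) -> dict:
    """Combine both products into one summary for an architecture."""
    secs = runtime_seconds(arch, toffoli_count, parallel_devices)
    return {
        "architecture": arch.name,
        "runtime_s": secs,
        "runtime_days": secs / SECONDS_PER_DAY,
        "physical_qubits": physical_qubits(arch, logical_qubits),
    }


if __name__ == "__main__":
    for arch in (FAST_CLOCK, FAST_CLOCK_IMPROVED, SLOW_CLOCK):
        e = estimate(arch)
        print(f"{e['architecture']:<32} {e['runtime_s']:>12,.0f} s "
              f"({e['runtime_days']:6.2f} d) {e['physical_qubits']:>9,} physical qubits")
    # Latency optimisation from the thread: parallelise across devices.
    print("4 fast-clock devices in parallel:",
          runtime_seconds(FAST_CLOCK, parallel_devices=4), "s")
```

Running it gives the thread's ~1,000 s and ~480K physical qubits for the fast-clock surface-code case, ~120K with a 100:1 ratio, and about 11.6 days of serial Toffoli time on the slow clock; a 4-way parallel run drops the fast-clock estimate to 250 s. Changing TOFFOLI_COUNT or LOGICAL_QUBITS shows directly how much a further circuit optimisation would move the estimate.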
Midnight is betting on lattice-based cryptography for post-quantum. This and more on the state of crypto, token economics, AI and more in the new Verified podcast with @IOHK_Charles
https://t.co/jzuuLRTgeZ
The main research time/money was not on "crypto" but on optimizing Shor's algorithm for solving ECDLP with reduced requirements. The findings have impact on other systems that rely on elliptic curves.
How blockchains are dealing or will deal with the upgrade is an interesting technical and social question, honestly I like seeing this treated with the rigor and attention it deserves.