
Justin Drake
@drakefjustin
Bitcoin security researcher
Today a crazy quantum story just got wilder. On March 31, the Google Quantum AI team published a landmark result on Shor's algorithm for elliptic curve cryptography. Technically, the paper was a bombshell: a dramatic 10x improvement over the state-of-the-art. As a stunt and wake-up call to the blockchain space, those optimisations were illustrated on secp256k1, the elliptic curve underlying Bitcoin and Ethereum signatures.

But perhaps the most striking part of the paper was sociological, not technical. Instead of following standard academic process, the optimisations were kept secret, hidden behind a zero-knowledge (ZK) proof. Google's accompanying blog post mentions they "engaged with the U.S. government". The ZK proof demonstrates the existence of algorithmic improvements without leaking details. Academic censorship with ZK, a historic first!

As a co-author of the Google paper I witnessed some of the context surrounding this censorship. To be honest, multiple aspects of that context don't sit well with me. As much as I believe the general public ought to know more, I am limited in my ability to whistleblow. Though let me be clear about one thing: the Google team's professionalism has been absolutely exemplary, and they deserve nothing but praise.

Censorship has a way of backfiring. The Streisand effect, where an attempt to bury something only draws more attention to it, is exactly what's unfolding today. First, Google's key optimisation has been rediscovered by the French. And in a thrilling turn of events, a collaborative Shor-at-home challenge just launched. The initiative, available at ecdsa[.]fail, breached a new Shor world record in a matter of hours.

Let's start with the rediscovery. Just two months after Google's paper, French quantum expert André Schrottenloher cracks the main secret optimisation. His paper, titled "Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms", landed on the arXiv today.

Big congrats to André, who beat several other nerdsnipped experts to it. In a blog post also published today, Craig Gidney, the world expert on Shor optimisations, revealed that he'd been sitting on this very optimisation for a whole year under censorship pressure.

Interestingly, André missed a handful of minor optimisations, both from Google's original publication and from improvements found since. It's plausible there's still plenty of juice left to squeeze out of Shor, and this is exactly what the ecdsa[.]fail challenge is about. The verifier program developed for the ZK proof does double duty, automatically filtering for valid submissions. Dozens of compounding small and micro improvements are rolling in. As of the time of writing there's an 8.4% improvement to Google's circuit, as measured by the product of logical qubit count and Toffoli gate count. Nice!

The nerdsnipping ran deeper than anyone expected. Over the last few weeks it became clear it extended well beyond André and other quantum experts. Behind the scenes, a small army of amateurs quietly got to work. Inspired by Karpathy-style autoresearch, they turned AI on Shor. Ironically, the verifier program for the ZK proof makes an ideal reward function for AIs. The barrier to entry for this modern style of research is refreshingly low, with several non-experts, even a teenager, finding nice optimisations. Get in touch if you'd like to join a Telegram group with fellow autoresearchers :)

Part 2: neutral atoms and qday

The story doesn't end with Google. On the same day Google went public, a stealthy startup called Oratomic published its own Shor paper in a coordinated release. It made a splash, ultimately becoming the most upvoted paper on scirate[.]com, a website ranking arXiv papers. Oratomic's claim was wild. By building on Google's logical optimisations and applying custom physical optimisations for neutral atoms, they claimed just 10K physical qubits were sufficient to run Shor's algorithm on secp256k1. That number is mind-bogglingly low.

Knowing essentially nothing about neutral atoms when Oratomic's paper landed, I was intrigued and decided to learn more about the tech. I fell straight down the rabbit hole and spent a couple hundred hours on the topic. I got a little obsessed and watched every YouTube video I could find and spoke to a bunch of experts. My conclusion? The tech is real, very real. Even Google recently decided to start a neutral atom lab, a notable pivot from their sole focus on superconducting qubits. If you care about qday, i.e. the day a quantum computer will break the first piece of cryptography in production, neutral atoms demand your attention. I shared some of my learnings on Shor and neutral atoms in a 30 min talk at the ZKProof cryptography conference. You can find it on YouTube by searching "zkproof neutral atom".

Here's an interesting observation about this duo of breakthrough papers: neither Google nor Oratomic say a word about what their results mean for qday. No timelines. Zero. Nada. That is especially baffling given that the whole point of whitehat quantum cryptanalysis is to inform qday estimations and help the general public make good decisions. So let me attempt to partially fill the silence, similarly to what Scott Aaronson did in his April 29 post. Given everything I know, including scary non-public information, I now put the odds of qday by 2032 at 50%. 10% by 2030. Anecdotally, the US government has its own date: 2035. Originating at the NSA and later adopted by NIST, it's when branches of the US government will be disallowed from using quantum-vulnerable cryptography. In plain language: with hindsight, that date is a joke and should be discounted entirely. I don't see how NIST avoids being forced to pull it forward by years.

Part 3: post-quantum cryptography

There are good reasons to sound the alarm today, but please do not panic. Rushing carelessly towards immature post-quantum cryptography is a recipe for disaster. IMO a good target date for migration is 2029, roughly 3.5 years out. 2029 happens to be the date selected by Google, Cloudflare, and the Ethereum Foundation.

These days most of my time goes to safely migrating Ethereum towards post-quantum cryptography as part of the broader lean Ethereum effort. There's a lot to do. We need to rip out and replace BLS signatures at the consensus layer, KZG commitments at the data layer, and ECDSA signatures at the execution layer. The plan to get there is compelling, and is based on hash-based cryptography.

Within the Ethereum Foundation we've developed a Swiss army knife called leanVM (github[.]com/leanEthereum/leanVM) powered by the magic of hash-based SNARKs. Thanks to truly exceptional work by Emile, Thomas, and others, its performance is derisked. Regarding security, leanVM is a jewel, a minimal zkVM crafted for end-to-end formal verification and maximum security.

Want to help? There are two $1M initiatives. First, the Proximity Prize (proximityprize[.]org). Solve a long-standing mathematical conjecture in coding theory, improve hash-based SNARKs, and go home a millionaire. Second, the Poseidon Initiative (poseidon-initiative[.]info) offers $1M for breaking Poseidon, the SNARK-friendly hash function.
Today I had the opportunity to present Ethereum's post-quantum security strategy at the Institutional Ethereum Forum in NYC. 15 minutes to explain why every proof-of-stake blockchain faces the same signature aggregation problem — and what the EF is doing about it.

We also launched — a dedicated resource that brings together everything the PQ/Crypto teams have been working on:
→ How PQ impacts each protocol layer
→ The full PQ roadmap
→ Open resources — repos, specs, papers
→ FAQ — 14 questions we keep getting from institutions, now open-sourced
→ Interest form for the 2nd Annual PQ Research Retreat (Cambridge, Oct 2026)

Huge thanks to @drakefjustin @tcoratger @asanso and the entire PQ team, and the @leanEthereum client teams shipping devnets every week.

Next week: Fort Mode in Cannes.
Now that ZKEVMs are at alpha stage (production-quality performance, remaining work is safety) and PeerDAS is live on mainnet, it's time to talk more about what this combination means for Ethereum. These are not minor improvements; they are shifting Ethereum into being a fundamentally new and more powerful kind of decentralized network.

To see why, let's look at the two major types of p2p network so far:
* BitTorrent (2000): huge total bandwidth, highly decentralized, no consensus
* Bitcoin (2009): highly decentralized, consensus, but low bandwidth - because it's not "distributed" in the sense of work being split up, it's *replicated*

Now, with Ethereum with PeerDAS (2025) and ZK-EVMs (expect small portions of the network using it in 2026), we get: decentralized, consensus and high bandwidth.

The trilemma has been solved - not on paper, but with live running code, of which one half (data availability sampling) is *on mainnet today*, and the other half (ZK-EVMs) is *production-quality on performance today* - safety is what remains. This was a 10-year journey (see the first commit of my original post on DAS here: , and ZK-EVM attempts started in ~2020), but it's finally here.

Over the next ~4 years, expect to see the full extent of this vision roll out:
* In 2026, large non-ZKEVM-dependent gas limit increases due to BALs and ePBS, and we'll see the first opportunities to run a ZKEVM node
* In 2026-28, gas repricings, changes to state structure, exec payload going into blobs, and other adjustments to make higher gas limits safe
* In 2027-30, large further gas limit increases, as ZKEVM becomes the primary way to validate blocks on the network

A third piece of this is distributed block building. A long-term ideal holy grail is to get to a future where the full block is *never* constituted in one single place. This will not be necessary for a long time, but IMO it is worth striving for us to at least have the capability to do that.

Even before that point, we want the meaningful authority in block building to be as distributed as possible. This can be done either in-protocol (eg. maybe we figure out how to expand FOCIL to make it a primary channel for txs), or out-of-protocol with distributed builder marketplaces. This reduces risk of centralized interference with real-time transaction inclusion, AND it creates a better environment for geographical fairness. Onward.
zkEVMs crushed the 2025 boss: real-time proving ✅
2026 boss: 128-bit provable security 👾
New blog post on the next level for Ethereum zkEVMs: three milestones, paving the path to mainnet-grade L1 zkEVMs. Game on.
Turns out this data is accurate (we just had ~23% of the network fall off due to a bug with Prysm). If Lighthouse had had the bug instead, then the network would've lost finalization (not good)! So if you're a node operator (especially a big one) running Lighthouse, it's time to switch to a minority client. Do your part for Ethereum client diversity 🫡
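The finality arithmetic behind the post above, as an added example (mine, not the author's): Casper FFG finalizes only when more than 2/3 of stake attests, so a consensus client with 1/3 or more of the network can stall finality by going offline. The client shares below are constructed round numbers chosen to mirror the post's ~23% figure, not measured network data.

```python
# Added example: model the effect of a single consensus-client bug on Ethereum
# finality. Finality needs >2/3 of stake attesting, so a client holding >=1/3
# of stake stalls finality if a bug knocks it offline. Shares are CONSTRUCTED.
from typing import Dict, List

FINALITY_THRESHOLD = 2 / 3  # fraction of stake that must attest to finalize

# Constructed sample: fraction of stake running each consensus client.
CLIENT_SHARE: Dict[str, float] = {
    "Lighthouse": 0.41,
    "Prysm": 0.23,      # the post reports ~23% of the network falling off
    "Teku": 0.20,
    "Nimbus": 0.10,
    "Lodestar": 0.06,
}


def finality_impact(shares: Dict[str, float], failed_client: str) -> dict:
    """Assume a bug takes every validator running `failed_client` offline.

    Returns how much stake keeps attesting and whether finality continues.
    Also flags a client above 2/3 share, which could finalize a bad chain
    on its own (the other half of the client-diversity argument).
    """
    total = sum(shares.values())
    offline = shares[failed_client] / total
    online = 1.0 - offline
    return {
        "client": failed_client,
        "offline_share": round(offline, 4),
        "online_share": round(online, 4),
        "finality_continues": online > FINALITY_THRESHOLD,
        "supermajority_client": offline > FINALITY_THRESHOLD,
    }


def clients_that_would_stall_finality(shares: Dict[str, float]) -> List[str]:
    """Clients whose outage alone drops attesting stake to 2/3 or below."""
    return [c for c in shares
            if not finality_impact(shares, c)["finality_continues"]]


if __name__ == "__main__":
    for client in CLIENT_SHARE:
        r = finality_impact(CLIENT_SHARE, client)
        status = "finality continues" if r["finality_continues"] else "FINALITY STALLS"
        print(f"{client:<10} offline -> {r['online_share']:.0%} online: {status}")
```

With these constructed shares, losing Prysm leaves 77% attesting and finality continues, while losing Lighthouse leaves 59%, below the 2/3 bar, which is the outcome the post warns about.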
LIVE NOW -- Why No Big Stage 2 Rollup? | Luca Donno In our tenth talk of the Bankless Summit, L2 researcher @donnoh_eth of @l2beat/@ethereum explains why no major rollup has reached Stage 2 and what must change for true decentralization to finally happen. He breaks down the hidden complexity inside modern proof systems, why current rollups remain dependent on security councils, and how native rollups could let L2s inherit Ethereum’s safety and client diversity directly from L1. ----- [Bankless Summit in partnership with @m0]
🤯 two 5090s now prove every L1 EVM block 🤯 The @zksync Airbender team pulled off something insane ahead of tomorrow's demo. Mainnet proofs on two gaming GPUs. One box, ~1kW—basically a toaster. Props to @robik, Michael Carrili, @MarcinM02, @Shamatar. The L1 gas limit is going higher. So much higher. Beast mode. Gigagas L1. Believe in something.
Real-time proving at home is here. SP1 Hypercube proves 99.7% of Ethereum blocks in real time with just 16 RTX 5090 GPUs. Scaling the L1 is a reality.
LIVE NOW — @ethereum Beast Mode - Scaling L1 to 10k and Beyond | @drakefjustin

TPS without datacenters: validators flip from executing to verifying. We cover:
- Execute → Verify and real-time zk (<12s)
- On-prem provers (~10 kW)
- 3×/year gas target (EIP-7938)
- "Fort mode": censorship resistance, fast finality, PQ path
- Native rollups + RISC-V simplification
- EthProofs race and the phased rollout to mandatory proofs

---
TIMESTAMPS
0:00 Intro: What is Lean Ethereum?
3:32 Beast Mode? Gas & Blocks
5:39 GigaGas, TeraGas, Gap to Target
9:32 Why Scale L1: Decentralization Tradeoffs
20:22 Provability, Power, Real-Time, Decentralization
24:43 L1 Security: Money, Key Uses
28:59 Lean Ethereum: SNARKs, Beast, Fort
36:32 SNARKs & zkVMs: What, Why
48:50 Execute→Verify: Validators & Lean Client
56:08 Builders, Provers, PBS, Fossil
1:08:49 Devconnect Demo, EthProofs, Roadmap Phases
1:31:06 Rollout, Gas Limits, Slots, Hardware
1:44:33 Home Provers: Power, Costs, Incentives/Penalties
1:54:38 Data Availability, Lean Consensus, Upgrades
2:04:22 Talent, Competition, Community, Closing
lowercase snarks

Words like laser, scuba, radar began uppercase.
LASER — Light Amplification by Stimulated Emission of Radiation
SCUBA — Self-Contained Underwater Breathing Apparatus
RADAR — RAdio Detection And Ranging

When a technology matures and becomes reliable, trusted, commoditised, it earns the lowercase. Lean Ethereum is a bet on snarks, not Succinct Non-interactive ARguments of Knowledge.

Post-quantum security. Provable soundness. End-to-end formal verification. Deep cryptanalysis. Real-time proving. zkVM programmability. Simplicity and elegance. All essential for the lowercase. All inevitable.

Ethereum L1 has 10y uptime and $1T secured with hashes and signatures, our cryptographic workhorses. I believe in 100y uptime and $1Q secured with snarks, our cryptographic jet engines.
* L1 scale — 10K TPS gigagas scale with real-time zkEVMs
* L1 security — post-quantum security with snarked signatures
* L1 privacy — Zcash-grade stealth with wormholes (eg EIP-7503)

Shipping snarks is a cryptographic Manhattan Project, one the EF is investing tens of millions into:
* verified-zkevm[.]org — formal verification
* poseidon-initiative[.]info — deep cryptanalysis
* ethproofs[.]org — real-time proving
* proximityprize[.]org — provable soundness
* zkevm.ethereum[.]foundation — enshrinement
* pse[.]dev — privacy

Step by step, the EF is evolving into a snark-first org:
* cryptography team — driving soundness and cryptanalysis
* snarkification team — driving formal verification
* zkEVM team — driving protocol integration
* Ethproofs team — driving real-time proving
* PSE team — driving privacy
* PQ consensus team — soon™

Believe in something magical. Believe in lowercase snarks.
"Having a blockchain that is so secure that nothing can break it, not a nation state, not a quantum computer, that is the dream that we have" Episode 9 of The Web3 Security Podcast with @jack__sanford and @drakefjustin, senior researcher at the @ethereumfndn, is now live!
🤯 real-time proving is here 🤯

Mainnet EVM blocks proven in under 1 Ethereum slot (12s). Goosebumps. Succinct proves every Ethereum L1 block:
→ 94% in <12s
→ 99% in <13s
→ 99.9% in <12s, soon™

Yesterday RISC Zero unveiled a $120K home GPU cluster—proofs expected in 9.25s. Brevis, OpenVM, Snarkify, ZisK, ZKM are weeks from joining the real-time club.

Soon™ my validator will verify EVM blocks on a Raspberry Pi Pico—a $5 board that consumes <1W. I will ditch my EL client in favour of a zkEL. No 1 TB NVMe. Goodbye Geth, hello zkReth. Stateless and RAMless verification in milliseconds on a single CPU core.

With real-time proving 1 gigagas/sec (10K TPS) is within reach, without compromising validator decentralisation. From now on expect regular gas limit bumps. 10% of stake is already voting for a 60M limit—your validators can too.

Snarkifying mainnet turns Ethereum L1 into the first based and native rollup. Stage 2. Bug-free. Decentralised sequencing. No security council. No governance. The L1 will lead by example.

This Friday we celebrate. Join us for Ethproofs call #2, May 23 at 2pm UTC. 25 speakers, 2 hours of content. Calls are open—DM @corcoranwill for a calendar invite.

We are witnessing history. Believe in something real. Believe in real-time proving.