Stefano De Angelis

770 posts

@_deanstef

Consensus and applied crypto. Researcher at @nethermind | prev @algorand | PhD @unisouthampton

Joined October 2011
1.4K Following, 657 Followers
Stefano De Angelis reposted
Ben Edgington @benjaminion_xyz
Upgrading Finality - Edition 1 Check out the plan for bringing fast finality to Ethereum. Hosted on the brand new and shiny EF Protocol Consensus website 😁 Lots of good stuff there! consensus.ethereum.foundation/blog/upgrading…
Stefano De Angelis reposted
Albert Garreta | Nethermind
Introducing Zinc+, where we tackle the problem of arithmetizing and proving computations unfriendly to finite fields. Examples: classic hashes, hash + signature, lattice ops., etc. We prove 7 SHA-256 compressions followed by the ECDSA MSM with:
Stefano De Angelis @_deanstef
@ittaia @commonwarexyz Blockchains will scale by proving once and verifying everywhere. Verifiability and data availability become first-class citizens.
Ittai Abraham @ittaia
> TL;DW do blockchains need to provide more than liveness and safety? TLDW: yes 😊 blockchains also need to provide validity. Censorship resistance is the hottest part of validity for efficient on chain markets rn, but there is much more ahead…
commonware @commonwarexyz

How Things Work #6: Selective Censorship Resistance and Multiple Concurrent Proposers Today, we discuss @anza_xyz's proposal for Multiple Concurrent Proposers on @solana with @MaxResnick and @Ashwinningg. TL;DW do blockchains need to provide more than liveness and safety?

Stefano De Angelis reposted
Nethermind @Nethermind
Post-quantum blobs on Ethereum. We introduce a distributed verification scheme for hash-based commitments, removing per-validator overhead while preserving trustless data availability. A step toward making Ethereum’s data layer scalable and quantum-resistant. @_deanstef at @EthCC in Cannes
Stefano De Angelis reposted
Justin Drake @drakefjustin
Today is a monumentous day for quantum computing and cryptography. Two breakthrough papers just landed (links in next tweet). Both papers improve Shor's algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results compound, optimising separate layers of the quantum stack. The results are shocking. I expect a narrative shift and a further R&D boost toward post-quantum cryptography.

The first paper is by Google Quantum AI. They tackle the (logical) Shor algorithm, tailoring it to crack Bitcoin and Ethereum signatures. The algorithm runs on ~1K logical qubits for the 256-bit elliptic curve secp256k1. Due to the low circuit depth, a fast superconducting computer would recover private keys in minutes. I'm grateful to have joined as a late paper co-author, in large part for the chance to interact with experts and the alpha gleaned from internal discussions.

The second paper is by a stealthy startup called Oratomic, with ex-Google and prominent Caltech faculty. Their starting point is Google's improvements to the logical quantum circuit. They then apply improvements at the physical layer, with tricks specific to neutral atom quantum computers. The result estimates that 26,000 atomic qubits are sufficient to break 256-bit elliptic curve signatures. This would be roughly a 40x improvement in physical qubit count over previous state-of-the-art. On the flip side, a single Shor run would take ~10 days due to the relatively slow speed of neutral atoms.

Below are my key takeaways. As a disclaimer, I am not a quantum expert. Time is needed for the results to be properly vetted. Based on my interactions with the team, I have faith the Google Quantum AI results are conservative. The Oratomic paper is much harder for me to assess, especially because of the use of more exotic qLDPC codes. I will take it with a grain of salt until the dust settles.

→ q-day: My confidence in q-day by 2032 has shot up significantly. IMO there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key. While a cryptographically-relevant quantum computer (CRQC) before 2030 still feels unlikely, now is undoubtedly the time to start preparing.

→ censorship: The Google paper uses a zero-knowledge (ZK) proof to demonstrate the algorithm's existence without leaking actual optimisations. From now on, assume state-of-the-art algorithms will be censored. There may be self-censorship for moral or commercial reasons, or because of government pressure. A blackout in academic publications would be a tell-tale sign.

→ cracking time: A superconducting quantum computer, the type Google is building, could crack keys in minutes. This is because the optimised quantum circuit is just 100M Toffoli gates, which is surprisingly shallow. (Toffoli gates are hard because they require production of so-called "magic states".) Toffoli gates would consume ~10 microseconds on a superconducting platform, totalling ~1,000 sec of Shor runtime.

→ latency optimisations: Two latency optimisations bring key cracking time to single-digit minutes. The first parallelises computation across quantum devices. The second involves feeding the pubkey to the quantum computer mid-flight, after a generic setup phase.

→ fast- and slow-clock: At first approximation there are two families of quantum computers. The fast-clock flavour, which includes superconducting and photonic architectures, runs at roughly 100 kHz. The slow-clock flavour, which includes trapped ion and neutral atom architectures, runs roughly 1,000x slower (~100 Hz, or ~1 week to crack a single key).

→ qubit count: The size-optimised variant of the algorithm runs on 1,200 logical qubits. On a superconducting computer with surface code error correction that's roughly 500K physical qubits, a 400:1 physical-to-logical ratio. The surface code is conservative, assuming only four-way nearest-neighbour grid connectivity. It was demonstrated last year by Google on a real quantum computer.

→ future gains: Low-hanging fruit is still being picked, with at least one of the Google optimisations resulting from a surprisingly simple observation. Interestingly, AI was not (yet!) tasked to find optimisations. This was also the first time authors such as Craig Gidney attacked elliptic curves (as opposed to RSA). Shor logical qubit count could plausibly go under 1K soonish.

→ error correction: The physical-to-logical ratio for superconducting computers could go under 100:1. For superconducting computers that would mean ~100K physical qubits for a CRQC, two orders of magnitude away from state of the art. Neutral atom quantum computers are amenable to error correcting codes other than the surface code. While much slower to run, they can bring down the physical to logical qubit ratio closer to 10:1.

→ Bitcoin PoW: Commercially-viable Bitcoin PoW via Grover's algorithm is not happening any time soon. We're talking decades, possibly centuries away. This observation should help focus the discussion on ECDSA and Schnorr. (Side note: as unofficial Bitcoin security researcher, I still believe Bitcoin PoW is cooked due to the dwindling security budget.)

→ team quality: The folks at Google Quantum AI are the real deal. Craig Gidney (@CraigGidney) is arguably the world's top quantum circuit optimisooor. Just last year he squeezed 10x out of Shor for RSA, bringing the physical qubit count down from 10M to 1M. Special thanks to the Google team for patiently answering all my newb questions with detailed, fact-based answers. I was expecting some hype, but found none.
Stefano De Angelis @_deanstef
PeerDAS uses KZG, which breaks under quantum assumptions. PQ blobs need hash-based DAS. FRI is a valid PCS alternative, but hard to bring onto the consensus path. I’ll cover tradeoffs and how distributed verification makes it practical. Hepburn Stage - April 2, 15:10
Stefano De Angelis reposted
Conor McMenamin @ConorMcMenamin9
Your AI agent comes on-chain. Every x402 payment they make gets posted on-chain. Your usage is doxxed. Your loved ones can’t look at you, you’re the laughing stock of the office, even your agent is embarrassed. That was then. Now? Come see EthCC, Burton Stage - April 1, 14:55
Stefano De Angelis reposted
Ethereum Foundation @ethereumfndn
Today, several teams at the EF are launching pq.ethereum.org, a dedicated resource for Ethereum's post-quantum security effort.

What started with early STARK-based signature aggregation research in 2018 has grown into a coordinated, multi-team effort, all open source. The Post-Quantum team and Cryptography teams, with help from the Protocol Architecture and Protocol Coordination teams, have been working on this body of work for 8+ years.

At pq.ethereum.org you'll find:
- How PQ impacts each protocol layer
- The full PQ roadmap (strawmap.org)
- Open resources: repos, specs, papers, EIPs
- FAQ: 14 questions across 5 categories, written by the PQ team
- A 6-part lean Ethereum interview series (@zeroknowledgefm)
- Interest form for the 2nd Annual PQ Research Retreat (Cambridge, UK, Oct 2026)
- 10+ client teams are already building and shipping devnets weekly through PQ Interop.

All the work is public and all of it is open. pq.ethereum.org
Stefano De Angelis @_deanstef
ZODA pushes encoding correctness to each light client, who must download lambda rows/cols
We make correctness constant-size for clients (via attestations) by distributing the lambda proximity checks across the committee
Scaling-wise, our approach amortizes DAS with many clients; ZODA repeats per client
Aniket Kate @aniketpkate
@_deanstef If we compare with ZODA w.r.t. performance, what will it look like?
Stefano De Angelis @_deanstef
1/ Great podcast from @drakefjustin and @soubhik_deb on the future of Ethereum
I was glad to hear Justin stressing the importance of post-quantum security for Ethereum blobs
At Nethermind, we have been working on exactly this problem recently 🧵👇
Soubhik Deb @soubhik_deb

Ethereum is starting from the endgame. Episode 4 of TheCoordinate is a deep dive into Lean Ethereum: a clean-slate rethink of consensus, execution, and data availability.

I sat down with @drakefjustin from @ethereumfndn to unpack:
> need for the rewrite,
> rewrite items: post-quantum security + fast finality,
> endgame finality (3-slot -> 2-slot -> maybe 1-slot),
> slot anatomy, networking constraints, and the "SOL slots" meme,
> real-time ZK proving changing the execution roadmap,
> censorship resistance with FOSSIL,
> role of L2s in the world of Lean Ethereum,
> incentives across proposer, builder, prover, includer, attester.

If you’re building on @ethereum or trying to understand where the base layer is headed, this one is for you. This is Episode 4 of TheCoordinate. Hope you enjoy it!

-------------------------------
Timestamps:
0:00 Intro: digital intelligence needs digital institutions
0:30 The big questions: Lean Ethereum, consensus/execution, post-quantum
1:25 Why Ethereum needs an endgame mindset (and a clean-slate approach)
3:30 The two “rewrite-class” items: post-quantum security + fast finality
5:52 Beamchain → Lean Consensus → Lean Ethereum (expands beyond consensus)
6:34 ZK EVM + real-time proving within a slot → “10,000 TPS” target
10:10 “SOL slots”: pushing slot duration toward speed-of-light constraints
11:09 3-slot finality (3SF) → endgame finality (2-slot / 1-slot paths)
18:19 eFP2P: erasure-coded gossip, bandwidth efficiency, scaling blobs
26:21 FOSSIL today: inclusion lists + opening includers beyond validators
39:09 Lean VM: minimal ZKVM
51:04 XMSS explained: Merkle signatures, 2^32 leaves, statefulness tradeoff
1:00:36 Rollups: 99.9% throughput on L2s + “native rollups”
1:06:53 Economics: roles (builder/prover/includer/attester), proving costs, stake capping

Stefano De Angelis @_deanstef
@soubhik_deb The overhead of the proximity test is distributed across a committee of verifiers. Their checks compose into a global guarantee that DA verifiers can rely on (no need to carry proximity proofs), while still being able to challenge via lightweight sampling
Preprint soon 👀
Soubhik Deb @soubhik_deb
@_deanstef can you explain more on what “committee-based” means?
Stefano De Angelis @_deanstef
7/ If you want to learn how post-quantum blobs can be enabled with hashing-based DAS, come see my talk at EthCC x.com/EthCC/status/2…
EthCC - Ethereum Community Conference @EthCC

Quantum computers could break current data availability sampling, but FRI-based solutions offer a transparent path forward, says Stefano De Angelis (@_deanstef) at the Research track. This approach doesn't just future-proof Ethereum against quantum threats, it makes the entire verification process more efficient today.

Stefano De Angelis @_deanstef
6/ We implemented both FRIDA and our distributed extension, and built a preliminary benchmarking suite to evaluate their communication and computation overhead: github.com/NethermindEth/…