lean Ethereum

Today is a monumentous day for quantum computing and cryptography. Two breakthrough papers just landed (links in next tweet). Both papers improve Shor's algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results compound, optimising separate layers of the quantum stack. The results are shocking. I expect a narrative shift and a further R&D boost toward post-quantum cryptography. The first paper is by Google Quantum AI. They tackle the (logical) Shor algorithm, tailoring it to crack Bitcoin and Ethereum signatures. The algorithm runs on ~1K logical qubits for the 256-bit elliptic curve secp256k1. Due to the low circuit depth, a fast superconducting computer would recover private keys in minutes. I'm grateful to have joined as a late paper co-author, in large part for the chance to interact with experts and the alpha gleaned from internal discussions. The second paper is by a stealthy startup called Oratomic, with ex-Google and prominent Caltech faculty. Their starting point is Google's improvements to the logical quantum circuit. They then apply improvements at the physical layer, with tricks specific to neutral atom quantum computers. The result estimates that 26,000 atomic qubits are sufficient to break 256-bit elliptic curve signatures. This would be roughly a 40x improvement in physical qubit count over previous state-of-the-art. On the flip side, a single Shor run would take ~10 days due to the relatively slow speed of neutral atoms. Below are my key takeaways. As a disclaimer, I am not a quantum expert. Time is needed for the results to be properly vetted. Based on my interactions with the team, I have faith the Google Quantum AI results are conservative. The Oratomic paper is much harder for me to assess, especially because of the use of more exotic qLDPC codes. I will take it with a grain of salt until the dust settles. → q-day: My confidence in q-day by 2032 has shot up significantly. IMO there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key. While a cryptographically-relevant quantum computer (CRQC) before 2030 still feels unlikely, now is undoubtedly the time to start preparing. → censorship: The Google paper uses a zero-knowledge (ZK) proof to demonstrate the algorithm's existence without leaking actual optimisations. From now on, assume state-of-the-art algorithms will be censored. There may be self-censorship for moral or commercial reasons, or because of government pressure. A blackout in academic publications would be a tell-tale sign. → cracking time: A superconducting quantum computer, the type Google is building, could crack keys in minutes. This is because the optimised quantum circuit is just 100M Toffoli gates, which is surprisingly shallow. (Toffoli gates are hard because they require production of so-called "magic states".) Toffoli gates would consume ~10 microseconds on a superconducting platform, totalling ~1,000 sec of Shor runtime. → latency optimisations: Two latency optimisations bring key cracking time to single-digit minutes. The first parallelises computation across quantum devices. The second involves feeding the pubkey to the quantum computer mid-flight, after a generic setup phase. → fast- and slow-clock: At first approximation there are two families of quantum computers. The fast-clock flavour, which includes superconducting and photonic architectures, runs at roughly 100 kHz. The slow-clock flavour, which includes trapped ion and neutral atom architectures, runs roughly 1,000x slower (~100 Hz, or ~1 week to crack a single key). → qubit count: The size-optimised variant of the algorithm runs on 1,200 logical qubits. On a superconducting computer with surface code error correction that's roughly 500K physical qubits, a 400:1 physical-to-logical ratio. The surface code is conservative, assuming only four-way nearest-neighbour grid connectivity. It was demonstrated last year by Google on a real quantum computer. → future gains: Low-hanging fruit is still being picked, with at least one of the Google optimisations resulting from a surprisingly simple observation. Interestingly, AI was not (yet!) tasked to find optimisations. This was also the first time authors such as Craig Gidney attacked elliptic curves (as opposed to RSA). Shor logical qubit count could plausibly go under 1K soonish. → error correction: The physical-to-logical ratio for superconducting computers could go under 100:1. For superconducting computers that would be mean ~100K physical qubits for a CRQC, two orders of magnitude away from state of the art. Neutral atoms quantum computers are amenable to error correcting codes other than the surface code. While much slower to run, they can bring down the physical to logical qubit ratio closer to 10:1. → Bitcoin PoW: Commercially-viable Bitcoin PoW via Grover's algorithm is not happening any time soon. We're talking decades, possibly centuries away. This observation should help focus the discussion on ECDSA and Schnorr. (Side note: as unofficial Bitcoin security researcher, I still believe Bitcoin PoW is cooked due to the dwindling security budget.) → team quality: The folks at Google Quantum AI are the real deal. Craig Gidney (@CraigGidney) is arguably the world's top quantum circuit optimisooor. Just last year he squeezed 10x out of Shor for RSA, bringing the physical qubit count down from 10M to 1M. Special thanks to the Google team for patiently answering all my newb questions with detailed, fact-based answers. I was expecting some hype, but found none.

Wrapping up @nico_mnbl's series on the @zeroknowledgefm pod all about @leanEthereum ! Check out the full series over on our Youtube channel @zeroknowledgefm" target="_blank" rel="nofollow noopener">youtube.com/@zeroknowledge…

How do you actually formally verify the code underpinning Ethereum's future? In this episode (the finale of the @leanEthereum miniseries), @nico_mnbl sits down with Alex Hicks (@alexanderlhicks), lead of Protocol Snarkification at the @ethereumfndn, to break down formal verification from first principles. They cover: – What formal verification actually is and the trust boundaries between proof assistants, SMT solvers, and kernels – The full verification stack for RISC-V ZKVMs: from SAIL specs to constraint extraction to soundness proofs – Why writing constraints directly in Lean makes proofs 10–100x more ergonomic – How AI is now proving hard theorems in hours for $200 — and what that unlocks for the whole pipeline They also explore the boundaries problem, why specs can have bugs too, and the end goal of a full Lean stack that bypasses Rust and LLVM entirely. Listen to the full episode ------------------------------------------------------------ TIMECODES: 09:16 – What is formal verification? Proof assistants vs SMT solvers 18:33 – Formal verification of code: specs, semantics, and trust boundaries 29:30 – Formally verifying the Lean Ethereum stack: RISC-V ZKVMs in focus 33:02 – Extracting ZKVM constraints into Lean and proving soundness 36:35 – Writing constraints directly in Lean: 10–100x better proof ergonomics 44:02 – Proving Polishchuk–Spielman in 8 hours for $200 with AI 51:01 – The end goal: a full Lean stack bypassing Rust and LLVM

Ethereum is leading the way in quantum preparedness. To learn more, check out pq.ethereum.org - it's a beautiful website!

Today I had the opportunity to present Ethereum's post-quantum security strategy at the Institutional Ethereum Forum in NYC. 15 minutes to explain why every proof-of-stake blockchain faces the same signature aggregation problem — and what the EF is doing about it. We also launched pq.ethereum.org — a dedicated resource that brings together everything the PQ/Crypto teams have been working on: → How PQ impacts each protocol layer → The full PQ roadmap → Open resources — repos, specs, papers → FAQ — 14 questions we keep getting from institutions, now open-sourced → Interest form for the 2nd Annual PQ Research Retreat (Cambridge, Oct 2026) Huge thanks to @drakefjustin @tcoratger @asanso and the entire PQ team, the @leanEthereum client teams shipping devnets every week. Next week: Fort Mode in Cannes. pq.ethereum.org

Justin Drake joins Bankless. Q-Day is no longer a sci-fi thought experiment. We get into: - When quantum becomes a real crypto threat - Bitcoin’s hardest post-quantum tradeoffs - Ethereum’s roadmap to survive it - Why Justin thinks quantum is also an opportunity - What AI changes about the cryptography race 📅 Monday, March 23 w/ @drakefjustin

x.com/i/article/2034…

x.com/i/article/2034…