soispoke.eth

FOCIL (EIP-7805) was just SFI'd and is the CL headliner for the Hegota fork. This means Ethereum has decided to prioritize a feature that improves censorship resistance, gives better inclusion guarantees to its users, and strengthens its position as the most credibly neutral network to build on. In today's world, it's remarkable that the Ethereum community can stand behind protocol upgrades that reinforce core cypherpunk values. It's truly unique, and I'm proud to be working on a technical and social project that stands for freedom and equal access. It's of course a meaningful step, but it's also only the beginning. Now is the time to show that cypherpunks can ship. Let's bring FOCIL to mainnet.

People are not ready for Ethereum privacy arc

Interop this year was outstanding. Extremely exciting to see Ethereum scaling, expect at least 2x-3x after Glamsterdam. Core devs were very, very busy and yet they also managed to make progress on FOCIL for Hegota. Ethereum goes hard.

Last week, Ethereum core contributors gathered in Svalbard for the Soldøgn interop: a week long event focused on hardening Glamsterdam implementations to scale Ethereum securely ☀️ Read the full recap, including their candidate post-fork gas limit, below:

Core devs are too conservative. Expect much more than 200 blog.ethereum.org/2026/05/02/sol…

Ethereum's staking ratio just passed 1/3 for the first time. Under the current issuance curve, it won't stop until nearly all ETH is staked and solo stakers are forced out. The window to fix this is closing - article "Ethereum’s Staking Ratio: The Tipping Point" linked below.

@decentrek @CPerezz19 Here’s a write up about 8141 <> FOCIL: ethereum-magicians.org/t/focil-native…

I agree with you that we should explicitly spell out how 8141 interacts with other protocol updates such as VOPS and FOCIL. What did you mean by "gas with USDC doesn't work" though? It does. Criticism for Pedro's site is also a bit unfair since there's a whole page about 8141's pending concerns.

God, come down and kill me if that's the single source of truth. 0 fucks given on any other protocol area this affects. Only shilling the goodies. It's good marketing sure. But protocol AS A WHOLE requires more thought and scrutiny than this IMO Btw, gas with USDC doesn' work

My self-sovereign / local / private / secure LLM setup, April 2026 vitalik.eth.limo/general/2026/0…

Today is a monumentous day for quantum computing and cryptography. Two breakthrough papers just landed (links in next tweet). Both papers improve Shor's algorithm, infamous for cracking RSA and elliptic curve cryptography. The two results compound, optimising separate layers of the quantum stack. The results are shocking. I expect a narrative shift and a further R&D boost toward post-quantum cryptography. The first paper is by Google Quantum AI. They tackle the (logical) Shor algorithm, tailoring it to crack Bitcoin and Ethereum signatures. The algorithm runs on ~1K logical qubits for the 256-bit elliptic curve secp256k1. Due to the low circuit depth, a fast superconducting computer would recover private keys in minutes. I'm grateful to have joined as a late paper co-author, in large part for the chance to interact with experts and the alpha gleaned from internal discussions. The second paper is by a stealthy startup called Oratomic, with ex-Google and prominent Caltech faculty. Their starting point is Google's improvements to the logical quantum circuit. They then apply improvements at the physical layer, with tricks specific to neutral atom quantum computers. The result estimates that 26,000 atomic qubits are sufficient to break 256-bit elliptic curve signatures. This would be roughly a 40x improvement in physical qubit count over previous state-of-the-art. On the flip side, a single Shor run would take ~10 days due to the relatively slow speed of neutral atoms. Below are my key takeaways. As a disclaimer, I am not a quantum expert. Time is needed for the results to be properly vetted. Based on my interactions with the team, I have faith the Google Quantum AI results are conservative. The Oratomic paper is much harder for me to assess, especially because of the use of more exotic qLDPC codes. I will take it with a grain of salt until the dust settles. → q-day: My confidence in q-day by 2032 has shot up significantly. IMO there's at least a 10% chance that by 2032 a quantum computer recovers a secp256k1 ECDSA private key from an exposed public key. While a cryptographically-relevant quantum computer (CRQC) before 2030 still feels unlikely, now is undoubtedly the time to start preparing. → censorship: The Google paper uses a zero-knowledge (ZK) proof to demonstrate the algorithm's existence without leaking actual optimisations. From now on, assume state-of-the-art algorithms will be censored. There may be self-censorship for moral or commercial reasons, or because of government pressure. A blackout in academic publications would be a tell-tale sign. → cracking time: A superconducting quantum computer, the type Google is building, could crack keys in minutes. This is because the optimised quantum circuit is just 100M Toffoli gates, which is surprisingly shallow. (Toffoli gates are hard because they require production of so-called "magic states".) Toffoli gates would consume ~10 microseconds on a superconducting platform, totalling ~1,000 sec of Shor runtime. → latency optimisations: Two latency optimisations bring key cracking time to single-digit minutes. The first parallelises computation across quantum devices. The second involves feeding the pubkey to the quantum computer mid-flight, after a generic setup phase. → fast- and slow-clock: At first approximation there are two families of quantum computers. The fast-clock flavour, which includes superconducting and photonic architectures, runs at roughly 100 kHz. The slow-clock flavour, which includes trapped ion and neutral atom architectures, runs roughly 1,000x slower (~100 Hz, or ~1 week to crack a single key). → qubit count: The size-optimised variant of the algorithm runs on 1,200 logical qubits. On a superconducting computer with surface code error correction that's roughly 500K physical qubits, a 400:1 physical-to-logical ratio. The surface code is conservative, assuming only four-way nearest-neighbour grid connectivity. It was demonstrated last year by Google on a real quantum computer. → future gains: Low-hanging fruit is still being picked, with at least one of the Google optimisations resulting from a surprisingly simple observation. Interestingly, AI was not (yet!) tasked to find optimisations. This was also the first time authors such as Craig Gidney attacked elliptic curves (as opposed to RSA). Shor logical qubit count could plausibly go under 1K soonish. → error correction: The physical-to-logical ratio for superconducting computers could go under 100:1. For superconducting computers that would be mean ~100K physical qubits for a CRQC, two orders of magnitude away from state of the art. Neutral atoms quantum computers are amenable to error correcting codes other than the surface code. While much slower to run, they can bring down the physical to logical qubit ratio closer to 10:1. → Bitcoin PoW: Commercially-viable Bitcoin PoW via Grover's algorithm is not happening any time soon. We're talking decades, possibly centuries away. This observation should help focus the discussion on ECDSA and Schnorr. (Side note: as unofficial Bitcoin security researcher, I still believe Bitcoin PoW is cooked due to the dwindling security budget.) → team quality: The folks at Google Quantum AI are the real deal. Craig Gidney (@CraigGidney) is arguably the world's top quantum circuit optimisooor. Just last year he squeezed 10x out of Shor for RSA, bringing the physical qubit count down from 10M to 1M. Special thanks to the Google team for patiently answering all my newb questions with detailed, fact-based answers. I was expecting some hype, but found none.

Welcome to the Ethereum Economic Zone (EEZ), a framework for synchronously composable rollups. What does that mean? One deployment. Shared liquidity. Single transactions across L1 & L2. Identity verified anywhere. Smart wallets connected everywhere. No additional trust assumptions. This means L2s that are as credibly neutral, economically aligned, and publicly governed as the base layer itself. EEZ furthers Ethereum as the leading decentralized economy.

New post on EthResear.ch! Unblocking faster finality with decoupled consensus By: - @fradamt 🔗 ethresear.ch/t/24527 Highlights: - Coupling block production and finality creates a fundamental tradeoff: smaller per-slot committees enable shorter slots but slow finality (because finality “accumulates” over more slots), while larger committees speed finality but increase slot time due to aggregation overhead. - Decoupling block production from finality can remove this tradeoff by running a small, rapidly rotating committee for availability/block production while running finality in parallel (outside the critical path), allowing both pipelines to be optimized independently. - Goldfish (a modification of LMD-GHOST) achieves committee-friendly, synchrony-optimal security by combining vote expiry (only last-slot votes count, preventing ex-ante reorgs from vote accumulation) with view-merge (freezing and merging views so honest committee members align on an honest proposer’s head under synchrony). - Goldfish’s ‘memorylessness’ improves reorg resistance under synchrony with changing committees, but makes it vulnerable to temporary asynchrony (late/missing honest votes can let an adversary swing fork-choice and cause deep reorgs). - A stabilization gadget (e.g., Majorum/RLMD-GHOST-style logic over the full validator set) can be layered to limit asynchrony damage to only the chain tip, and can be bundled with a finality gadget so the system gains both practical stability when finality can’t be reached and true finality when participation is high; additionally, Goldfish can support faster confirmations via a 3/4 committee threshold in an added confirmation phase. ELI5: Today, Ethereum’s consensus ties two things together: (1) making new blocks quickly and (2) locking them in as “final” so they can’t be undone. If you use a small group to vote each moment, blocks can be made faster—but finality takes longer. If you use a huge group, finality can be faster—but each block takes longer to make. This post proposes splitting the job into two parallel tracks: a small-committee track to keep blocks coming fast, and a separate finality track to finalize them. It introduces a block-production-friendly chain rule called Goldfish (which forgets old votes to prevent certain attacks) and then adds an extra ‘stabilization’ layer so short network problems don’t let an attacker rewrite lots of history.

Today I had the opportunity to present Ethereum's post-quantum security strategy at the Institutional Ethereum Forum in NYC. 15 minutes to explain why every proof-of-stake blockchain faces the same signature aggregation problem — and what the EF is doing about it. We also launched pq.ethereum.org — a dedicated resource that brings together everything the PQ/Crypto teams have been working on: → How PQ impacts each protocol layer → The full PQ roadmap → Open resources — repos, specs, papers → FAQ — 14 questions we keep getting from institutions, now open-sourced → Interest form for the 2nd Annual PQ Research Retreat (Cambridge, Oct 2026) Huge thanks to @drakefjustin @tcoratger @asanso and the entire PQ team, the @leanEthereum client teams shipping devnets every week. Next week: Fort Mode in Cannes. pq.ethereum.org

1/ How L1 and L2s can build the strongest possible Ethereum tldr: we should continue to lean into the unique capabilities of each layer, and make sure all users have a clear path to securely and seamlessly benefit from the core properties of Ethereum

@su1c1de ah I see, I guess the proof could expose a public input attesting "this fee note is worth at least X" without revealing the exact amount

@soispoke yes! but I think the paymaster would not be able to verify that the fee note contains enough funds to pay for the tx

Alice swaps privately on L1 tldr: Privacy protocol users today depend on broadcasters that can see, frontrun, and censor their transactions. In this thread we show how four future protocol upgrades can remove this dependency step by step. Native AA (EIP-8141) and 2D nonces let users self-submit with no off-chain infrastructure. Encrypted frame transactions hide swap parameters until after block ordering is committed. FOCIL guarantees inclusion as long as one honest includer can see the transaction pending in the public mempool. 👇🧵

so the paymaster doesn't need to see Alice's transaction at all: when Alice builds her ZK proof (the one that proves she owns a UTXO), that same proof also commits to creating a fee note for the paymaster inside the shielded pool. the only things visible to an outside observer should betthe paymaster's contract address and the gas parameters on the envelope, which are public regardless

nice thread and this sounds amazing however, one question remains: how will the paymaster get paid in a private transaction without unshielding and without leaking its private viewing key? for the paymaster to verify a private tx it must decrypt a note to see the payment. However, in this case it is probably fine for Alice to send a tx from an arbitrary account, as everything in shielded. in the swap case, the paymaster must be paid in public after the unshielding. this leaks the profits/balances of the paymaster. these are compromises one can live with and probably better than the current system, but still a compromise on privacy

Quick summary:

What Alice still needs to worry about IP exposure. When Alice first submits her transaction, her network peers see her IP. The wallet should route this initial submission through Tor or a mixnet so that her IP never touches the gossip network in the clear. None of the four protocol upgrades address this. Post-execution traces. After her block lands and the encrypted frame decrypts, the Uniswap swap is on-chain forever. An observer sees the trade happened. They do not know it was Alice, but repeated trades from the same shielded balance with recognizable patterns make behavioral fingerprinting possible. Even pre-execution, metadata like fee fields, gas amounts, key-releaser identity, and timing can help classify transactions. Removing this requires private execution state, which is not currently planned on L1 in the short term.