Replying to @kyle_corsola
the paper is actually over a year old, so the implementation is like 3 iterations ahead with a lot of stuff we haven't gotten around to publishing yet, including v cool bootstrapping stuff. but the eurocrypt paper i linked is a good start.
At Eurocrypt, @JanBobolz presented our work “UC4Free! Existing Threshold Signatures are UC Secure” with @cryptulf and @akiratk0355. We show that threshold signatures proven game-based secure are actually secure in the universal composability (UC) setting. eprint.iacr.org/2026/911
Here's the deeper picture based on the primary sources referenced in Justin Drake's thread.

1. Google Quantum AI Whitepaper (30 March 2026)
Title: Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities
Key claims:
Two highly optimised logical circuits for Shor on secp256k1:
≤ 1,200 logical qubits, 90 million Toffoli gates
≤ 1,450 logical qubits, 70 million Toffoli gates
Physical implementation (surface code, 10⁻³ error rate): <500,000 physical qubits
Runtime: 18–23 minutes (reaction-limited)
They released a zero-knowledge proof (using SP1 zkVM + Groth16) that verifies the circuit costs without revealing the actual circuits.
This is the paper Drake co-authored. The ZK proof approach is what triggered the secrecy controversy.
Bitcoin relevance (from the paper):
On-spend attacks on mempool transactions become feasible.
~2.3 million dormant BTC (inactive ≥5 years) are at risk once a CRQC exists.
P2PK (Satoshi-era) and P2TR outputs are particularly exposed.

2. Neutral-Atom Paper (same day – arXiv:2603.28627)
Title: Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits
Authors: Madelyn Cain, Manuel Endres (Caltech), John Preskill, et al. (includes Oratomic team members)
Core claim: Using neutral-atom hardware + high-rate error-correcting codes + optimised circuits, Shor on P-256 could be run with as few as 10,000 physical qubits. With 26,000 physical qubits, discrete log on P-256 could take just a few days.
This is the paper that caused the biggest reaction alongside Google's. Neutral atoms are highlighted as particularly promising because of reconfigurability (optical tweezers) and already-demonstrated arrays of >6,000 coherent qubits.

3. Independent Academic Breakthrough (EUROCRYPT 2026)
Paper: Reducing the Number of Qubits in Quantum Discrete Logarithms on Elliptic Curves
Authors: Clémence Chevignard, Pierre-Alain Fouque, André Schrottenloher
ePrint: 2026/280
Result: Reduced logical qubit requirement for ECDLP from previous best (~2,124) down to ~1,098 logical qubits. Trade-off: significantly higher gate count.
This matches what Drake described — Schrottenloher independently found a major optimisation around the same time Google was sitting on theirs.

4. The ecdsa.fail Crowdsourced Challenge
Google's ZK verifier (built to prove the circuit costs) was repurposed into a public optimisation platform. Researchers and even non-experts can submit improved circuits and get automatic verification. Early results already show measurable gains beyond the original Google numbers. This is the "nerdsniping" element Drake mentioned.

Current State (as of early June 2026)
Source                          | Logical Qubits | Physical Qubits (est.) | Timeline Signal
Google (ZK proof)               | 1,200–1,450    | <500k                  | 18–23 min runtime
Schrottenloher et al.           | ~1,098         | —                      | Lower space, higher gates
Neutral Atom (Oratomic/Caltech) | —              | 10k–26k                | Few days on P-256

Drake's updated probabilities (10% by 2030, 50% by 2032) reflect the combination of:
Algorithmic improvements (Google + Schrottenloher)
Hardware progress (neutral atoms looking especially strong)
Open, AI-assisted optimisation via the public challenge
Today a crazy quantum story just got wilder.

On March 31, the Google Quantum AI team published a landmark result on Shor's algorithm for elliptic curve cryptography. Technically, the paper was a bombshell: a dramatic 10x improvement over the state-of-the-art. As a stunt and wakeup call to the blockchain space, those optimisations were illustrated on secp256k1, the elliptic curve underlying Bitcoin and Ethereum signatures.

But perhaps the most striking part of the paper was sociological, not technical. Instead of following standard academic process, the optimisations were kept secret, hidden behind a zero-knowledge (ZK) proof. Google's accompanying blog post mentions they "engaged with the U.S. government". The ZK proof demonstrates the existence of algorithmic improvements without leaking details. Academic censorship with ZK, a historic first!

As a co-author of the Google paper I witnessed some of the context surrounding this censorship. To be honest, multiple aspects of that context don't sit well with me. As much as I believe the general public ought to know more, I am limited in my ability to whistleblow. Though let me be clear about one thing: the Google team's professionalism has been absolutely exemplary, and they deserve nothing but praise.

Censorship has a way of backfiring. The Streisand effect, where an attempt to bury something only draws more attention to it, is exactly what's unfolding today. First, Google's key optimisation has been rediscovered by the French. And in a thrilling turn of events, a collaborative Shor-at-home challenge just launched. The initiative, available at ecdsa[.]fail, breached a new Shor world record in a matter of hours.

Let's start with the rediscovery. Just two months after Google's paper, French quantum expert André Schrottenloher cracks the main secret optimisation. His paper, titled "Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms", landed on the arXiv today. Big congrats to André, who beat several other nerdsniped experts to it. In a blog post also published today, Craig Gidney, the world expert on Shor optimisations, revealed that he'd been sitting on this very optimisation for a whole year under censorship pressure.

Interestingly, André missed a handful of minor optimisations, both from Google's original publication and from improvements found since. It's plausible there's still plenty of juice left to squeeze out of Shor, and this is exactly what the ecdsa[.]fail challenge is about. The verifier program developed for the ZK proof does double duty, automatically filtering for valid submissions. Dozens of compounding small and micro improvements are rolling in. As of the time of writing there's an 8.4% improvement to Google's circuit, as measured by the product of logical qubit count and Toffoli gate count. Nice!

The nerdsniping ran deeper than anyone expected. Over the last few weeks it became clear it extended well beyond André and other quantum experts. Behind the scenes, a small army of amateurs quietly got to work. Inspired by Karpathy-style autoresearch, they turned AI on Shor. Ironically, the verifier program for the ZK proof makes an ideal reward function for AIs. The barrier to entry for this modern style of research is refreshingly low, with several non-experts, even a teenager, finding nice optimisations. Get in touch if you'd like to join a Telegram group with fellow autoresearchers :)

Part 2: neutral atoms and qday

The story doesn't end with Google. On the same day Google went public, a stealthy startup called Oratomic published its own Shor paper in a coordinated release. It made a splash, ultimately becoming the most upvoted paper on scirate[.]com, a website ranking arXiv papers. Oratomic's claim was wild. By building on Google's logical optimisations and applying custom physical optimisations for neutral atoms, they claimed just 10K physical qubits were sufficient to run Shor's algorithm on secp256k1. That number is mind-bogglingly low.

Knowing essentially nothing about neutral atoms when Oratomic's paper landed, I was intrigued and decided to learn more about the tech. I fell straight down the rabbit hole and spent a couple hundred hours on the topic. I got a little obsessed and watched every YouTube video I could find and spoke to a bunch of experts. My conclusion? The tech is real, very real. Even Google recently decided to start a neutral atom lab, a notable pivot from their sole focus on superconducting qubits. If you care about qday, i.e. the day a quantum computer will break the first piece of cryptography in production, neutral atoms demand your attention. I shared some of my learnings on Shor and neutral atoms in a 30-minute talk at the ZKProof cryptography conference. You can find it on YouTube by searching "zkproof neutral atom".

Here's an interesting observation about this duo of breakthrough papers: neither Google nor Oratomic say a word about what their results mean for qday. No timelines. Zero. Nada. That is especially baffling given that the whole point of whitehat quantum cryptanalysis is to inform qday estimations and help the general public make good decisions. So let me attempt to partially fill the silence, similarly to what Scott Aaronson did in his April 29 post. Given everything I know, including scary non-public information, I now put the odds of qday by 2032 at 50%. 10% by 2030.

Anecdotally, the US government has its own date: 2035. Originating at the NSA and later adopted by NIST, it's when branches of the US government will be disallowed from using quantum-vulnerable cryptography. In plain language: with hindsight, that date is a joke and should be discounted entirely. I don't see how NIST avoids being forced to pull it forward by years.

Part 3: post-quantum cryptography

There are good reasons to sound the alarm today, but please do not panic. Rushing carelessly towards immature post-quantum cryptography is a recipe for disaster. IMO a good target date for migration is 2029, roughly 3.5 years out. 2029 happens to be the date selected by Google, Cloudflare, and the Ethereum Foundation.

These days most of my time goes to safely migrating Ethereum towards post-quantum cryptography as part of the broader lean Ethereum effort. There's a lot to do. We need to rip out and replace BLS signatures at the consensus layer, KZG commitments at the data layer, and ECDSA signatures at the execution layer. The plan to get there is compelling, and is based on hash-based cryptography. Within the Ethereum Foundation we've developed a Swiss army knife called leanVM (github[.]com/leanEthereum/leanVM) powered by the magic of hash-based SNARKs. Thanks to truly exceptional work by Emile, Thomas, and others, its performance is derisked. Regarding security, leanVM is a jewel, a minimal zkVM crafted for end-to-end formal verification and maximum security.

Want to help? There are two $1M initiatives. First, the Proximity Prize (proximityprize[.]org). Solve a long-standing mathematical conjecture in coding theory, improve hash-based SNARKs, and go home a millionaire. Second, the Poseidon Initiative (poseidon-initiative[.]info), offers $1M for breaking Poseidon, the SNARK-friendly hash function.
✨ 2 very unique Mysten / Sui papers made it into the prestigious Science of Blockchain Conference (SBC 2026) this year, jointly coauthored with Stanford, IBM, and a16z: "Partial Fraction Techniques for Cryptography" eprint.iacr.org/2025/2081, also presented at EuroCrypt '26. In the paper we developed key-value commitment schemes using the familiar product linearization property of fractions and dynamic threshold encryption using a novel linear independence of products property. "Efficient Batch Threshold Encryption using Partial Fraction Techniques" eprint.iacr.org/2026/674 will also appear at CRYPTO '26. Our updated paper gets inspiration from, as well as outperforms, many state-of-the-art solutions in this frenzied research topic. Mysten Labs, Sui & Walrus continue to be an amazing place where abstract ideas turn into powerful tools
I had a great time presenting my paper "Post-Quantum Blockchains with Agility in Mind" at the Eurocrypt MAgiCS'26 workshop on cryptographic migration, in Rome. The paper presents the CATX format that two of my co-authors (@shemnon and Ron Kahat) extended to an EIP-8197.
another Eurocrypt 2026 paper by Dinur (again, almost a year on eprint) that shows similar results. Example 2: The best known integral attack on 6-round AES is from Eurocrypt 2024 (which tells you something about the model in use); as I am a co-author, I am not going >>>
Example 1: the discussion on pairwise independence (that was done for AES-128 only, despite what the paper hints) - there is a recent (very lovely) Eurocrypt 2026 paper (available on eprint for almost a year) by Beyne et al. that shows that 20 rounds are enough. There is >>>
Wishing everyone a great time at Eurocrypt. Once again I'm consoling myself with a "spiritual victory": I'm there with Rome in spirit 👍😇😇
Replying to @0xsashito
ZEN is built different from the privacy crew.
XMR = mandatory privacy by default, untraceable everything. ZEC = optional shielded txs. DASH = coin mixing. ZEN = verifiable privacy with selective disclosure, layer-0 architecture for private dApps.
the tech stack matters here. ZEN migrated to Base Q1 2026, activated first Confidential Compute Environment 20 days ago, joined Linux Foundation Decentralized last month. they're funding builders through Thrive grants and sponsoring Eurocrypt 2026. dev activity is there.
Base native could absolutely be a catalyst. ~$12B TVL in Base ecosystem, AI agent infrastructure getting built out (WorkAgnt just demoed AI-to-AI commerce onchain), and Base is positioning for agentic economy.
ZEN's privacy layer for AI apps on Base is the play. confidential compute + Base's low fees + institutional backing (Grayscale trust) creates real infrastructure for private DeFi and AI use cases that other privacy coins can't touch.
compare that to NEAR which is AI-focused but not privacy-native, or XMR which is payments-only. ZEN is building the rails for private applications in a growing L2 ecosystem
We had a great time going to Eurocrypt, zkSummit and zkProof. Time to continue building
Rome was the center of cryptography these last two weeks. We attended zkSummit 14, zkProof, and Eurocrypt 2026 with @alignedlayer, @3miLabs, and the Center on Cryptography and Distributed Systems of the University of Buenos Aires (CCSD). Full recap on the blog.
the papers we have published:
tiresias (asiacrypt 2024): eprint.iacr.org/2023/998
2PC-MPC v1: eprint.iacr.org/2024/253
2PC-MPC v2 (ACNS 2026): eprint.iacr.org/2025/297
Threshold FHE: eprint.iacr.org/2025/712
REFHE (eurocrypt 2026): eprint.iacr.org/2025/1449