Quantum Threat to Bitcoin: 50% Probability Before 2032?

Originally from Bitcoin security researcher Justin Drake

Introduction: In March this year, Google's Quantum Research team published a paper stating that a future quantum computer would need far fewer resources than previously believed to break the elliptic curve cryptography that secures cryptocurrencies, which rapidly turned the quantum threat to cryptocurrencies into a focal point of international discussion. Interestingly, the paper did not fully disclose the underlying circuit details; instead, after communicating with the U.S. government, the team proved its estimates with a zero-knowledge (ZK) proof. Over the past several months, numerous technical experts have tirelessly attempted to reverse-engineer the details of the original paper.

On June 2, Justin Drake, co-author of the Google quantum paper and Bitcoin security researcher, posted that the probability of Q-Day occurring by 2032 is 50%, and 10% by 2030. (Odaily Note: Q-Day, or Quantum Day, refers to the day when quantum computers become powerful enough to break current mainstream global cryptographic systems.)

Below is the original content. Enjoy~

————————————

Today, the wild story around quantum computing grows increasingly surreal.

On March 31, Google Quantum AI released a milestone result on the application of Shor’s algorithm to elliptic curve cryptography. Strictly speaking, this paper is a bombshell: performance improvements are tenfold compared to prior state-of-the-art. As a headline-grabbing demonstration—and a warning shot aimed at the blockchain community—these optimizations were illustrated using secp256k1, the elliptic curve underpinning Bitcoin and Ethereum signatures.

But perhaps what stands out most isn’t the technology itself, but its societal impact. Rather than following standard academic protocols, they kept these optimizations confidential, hidden behind a zero-knowledge proof (ZK). Google’s article mentions “engagement with the U.S. government.” The ZK proof demonstrates algorithmic improvements without revealing any underlying details. Using a zero-knowledge proof for academic review—this is unprecedented!

As a co-author of Google’s paper, I witnessed firsthand some of the background surrounding this review. To be honest, there were many elements that made me deeply uneasy. While I believe the public has a right to know more, my channels for whistleblowing are limited. Nonetheless, one thing must be made clear: the Google team’s professionalism is exemplary—they deserve nothing but praise.

Reviews often backfire. The Streisand Effect—the phenomenon where attempts to suppress information only draw more attention—is playing out today. First, Google’s key optimizations have already been rediscovered by French researchers. Even more exciting is the launch of a collaborative challenge called “Shor-at-home” (compute Shor at home). The initiative’s website, ecdsa[.]fail, broke the world record for Shor’s algorithm within hours of launching.

Part One: Performance Improvement of 8.4%

Let’s start with this rediscovery. Just two months after Google’s paper was published, French quantum expert André Schrottenloher cracked the core secret optimization. His paper, “Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms,” went live on arXiv today. Congratulations to André—he beat several other experts who had also been intensely focused on this problem. Also publishing today, Craig Gidney, the world authority in Shor optimization, revealed that due to review pressure, he had waited a full year before disclosing this optimization.

Fascinatingly, André missed a few minor optimizations—some present in Google’s initial release, others discovered afterward. There is likely still substantial room for improvement in Shor’s algorithm, which is exactly the focus of the ecdsa[.]fail challenge. The verification program developed for the ZK proof serves a dual purpose: automatically filtering valid submissions. Dozens of incremental small and micro-optimizations are emerging continuously. As of this writing, results have surpassed Google’s circuit by 8.4% when measured by the product of logical qubits and Toffoli gates. Not bad!

The wave of “challenge-driven problem-solving” has gone much deeper than anyone anticipated. Over the past weeks, the effort has extended beyond André and other quantum experts. Behind the scenes, a small army of amateur enthusiasts has quietly joined in. Inspired by Karpathy-style autonomous research, they’ve applied AI to Shor’s algorithm. Ironically, the ZK proof’s verification program became an ideal reward function for AI. This modern research style has such a low barrier to entry it’s refreshing—multiple non-experts, including one teenager, have already found promising optimizations. If you’d like to join a Telegram group with other autonomous researchers, feel free to reach out to me.

Part Two: Neutral Atoms and Q-Day

The story doesn’t end with Google. On the same day Google announced their results, a secretive startup named Oratomic simultaneously published its own Shor paper. The paper caused a stir and eventually became the most-voted paper on scirate[.]com, a site ranking arXiv papers.

Oratomic’s claims are astonishing. Building on Google’s logical optimizations and applying physics-level optimizations tailored specifically for neutral atoms, they claim that only 10,000 physical qubits would be sufficient to run Shor’s algorithm on secp256k1—a number so low it seems almost unbelievable.

When Oratomic’s paper was first published, I knew almost nothing about neutral atoms, which sparked my curiosity. I dove headfirst into the technology, spending hundreds of hours researching. I became obsessed—watching every YouTube video I could find and consulting with numerous experts.

My conclusion: this technology is very, very real. Even Google has recently decided to establish a neutral atom laboratory, shifting significantly from superconducting qubits. If you care about Q-Day—the day when quantum computers break the first practical cryptographic system in active use—neutral atoms are worth your attention. I shared part of my understanding of Shor and neutral atoms in a 30-minute talk at the ZKProof cryptography conference; you can find it on YouTube by searching “zkproof neutral atom”.

An interesting observation about these two breakthrough papers: neither Google nor Oratomic mention what their results imply for Q-Day. No timeline—zero—complete silence. Given that the entire purpose of white-hat quantum cryptanalysis is to inform Q-Day projections and help the public make sound decisions, this omission is particularly puzzling.

Therefore, please allow me to attempt to partially fill this silence, as Scott Aaronson did in his blog post on April 29. Based on everything I know—including some information I cannot publicly disclose—I now estimate a 50% probability of Q-Day occurring before 2032, and 10% before 2030.

By the way, here’s a fun anecdote: the U.S. government has its own date—2035. This date originated from the NSA and was later adopted by NIST, setting the deadline when all U.S. government branches must discontinue use of quantum-vulnerable cryptographic systems. Put bluntly: looking back, that date is a joke and should be completely disregarded. I don’t believe NIST will avoid being forced to move it forward by several years.

Part Three: Post-Quantum Cryptography

There is ample reason to raise the alarm today—but do not panic. Rushing prematurely into immature post-quantum cryptography is a disaster. In my view, a good target date for migration is 2029, roughly three and a half years away. Notably, 2029 is also the date selected by Google, Cloudflare, and the Ethereum Foundation.

Recently, most of my time has been dedicated to securely migrating Ethereum to post-quantum cryptography within the broader framework of “Lean Ethereum.” Much work remains. We need to remove and replace BLS signatures at the consensus layer, replace KZG commitments at the data layer, and replace ECDSA signatures at the execution layer.

The plan to achieve this goal is exhilarating—it’s built on hash-based cryptography. Within the Ethereum Foundation, we’ve developed a Swiss Army knife called leanVM (github[.]com/leanEthereum/leanVM), powered by hash-based SNARKs. Thanks to truly exceptional work by Emile, Thomas, and others, performance risks have been eliminated. In terms of security, leanVM is a gem—an ultra-minimal zkVM designed for end-to-end formal verification and maximum safety.

Want to help? There are two million-dollar initiatives. First, the Proximity Prize (proximityprize[.]org): solve a long-standing mathematical conjecture in coding theory to improve hash-based SNARKs—you’ll become a millionaire. Second, the Poseidon Initiative (poseidon-initiative[.]info), offering a $1 million bounty for breaking Poseidon, a hash function friendly to SNARKs.

Author: Qin Xiaofeng

Original Source: Odaily Planet Daily

Disclaimer: Contains third-party opinions, does not constitute financial advice
