Q-Day Countdown: 50% Probability in 2032?


Original text by Ethereum Foundation researcher Justin Drake

Translation: Odaily Planet Daily, Qin Xiaofeng (@QinXiaofeng888)

Editor's note: In March of this year, Google's quantum research team published a paper showing that the resources a future quantum computer would need to break the elliptic curve cryptography protecting cryptocurrencies are far smaller than previously understood. The quantum threat to cryptocurrencies quickly became a focus of discussion on social media. Interestingly, after communicating with the U.S. government, Google did not fully disclose the underlying circuit details in the paper, but instead substantiated its resource estimates with a zero-knowledge (ZK) proof. Over the past few months this has led many technical experts to work tirelessly at reconstructing the details of Google's original result.

On June 2, Justin Drake, co-author of the Google quantum paper and Ethereum Foundation researcher, stated that the probability of Q-Day occurring by 2032 is 50%, and by 2030, 10%. (Odaily note: Q-Day, or Quantum Day, refers to the day when quantum computers become powerful enough to break today's mainstream encryption.)

The following is the original content, translated by Odaily Planet Daily, Enjoy~

————————————

Today the crazy quantum story got even stranger.

On March 31, the Google Quantum AI team released a milestone result on applying Shor's algorithm to elliptic curve cryptography. Strictly speaking, the paper is a bombshell: a roughly 10x performance improvement over the previous state of the art. As a flourish, and as a wake-up call to the blockchain space, the optimizations were demonstrated on the secp256k1 elliptic curve, the curve underlying the signatures of Bitcoin and Ethereum.

However, perhaps the most striking aspect of the paper lies not in the technology but in its social dimension. Rather than follow standard academic procedure, the team kept the optimizations secret, hidden behind a zero-knowledge (ZK) proof. Google's article mentions that they "had contact with the U.S. government." The ZK proof demonstrates the algorithmic improvements without disclosing any of their details. Academic peer review conducted through a zero-knowledge proof is a first.

As a co-author of this Google paper, I witnessed some of the background surrounding this censorship. Frankly, many factors behind it make me uncomfortable. I certainly believe the public deserves to know more, but my whistleblowing channels are limited. One thing I want to make clear, however, is that the professionalism of the Google team is exemplary; they deserve nothing but praise.

Censorship often backfires. The Streisand effect, where attempts to cover something up instead draw more attention to it, is playing out today. First, Google's key optimizations have been rediscovered by a Frenchman. Even more exciting, a collaborative challenge called "Shor-at-home" has just launched. The initiative's website is ecdsa[.]fail, and within hours of its launch it set a new world record for Shor's algorithm.

Part One: An 8.4% Performance Improvement

Let's talk about this rediscovery. Just two months after the Google paper was published, French quantum expert André Schrottenloher rediscovered the core secret optimization. His paper, "Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithm," was just published on arXiv. Congratulations to André for beating several other experts who were equally captivated by the problem and racing for the breakthrough. In a blog post published today, Craig Gidney, the world's leading authority on Shor optimization, revealed that under censorship pressure he had personally sat on this optimization for a whole year.

Interestingly, André missed a small number of micro-optimizations, some from Google's original publication and others discovered later. There is likely still a lot of juice to squeeze from Shor's algorithm, and that is precisely the focus of the ecdsa[.]fail challenge. The verifier developed for the ZK proof does double duty, automatically validating submissions. Dozens of stacked small and micro-optimizations continue to emerge. At the time of writing, measured by the product of logical qubits and Toffoli gates, the challenge has improved on Google's circuit by 8.4%. Not bad!

This wave of optimization fever runs deeper than anyone expected. Over the past few weeks the developments have moved beyond André and the circle of other quantum experts. Behind the scenes, a small army of amateur enthusiasts has quietly gotten to work. Inspired by Karpathy-style autoresearch, they have applied AI to Shor's algorithm. Ironically, the verifier from that ZK proof has become an excellent reward function for AI. The low barrier to entry of this modern style of research is refreshing, with several non-professionals, including a teenager, finding decent optimizations. If you want to join a Telegram group with other autoresearchers, feel free to contact me.
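To make concrete what the "point addition circuits" above optimize, and what a Shor attack on secp256k1 actually recovers, here is an added example of my own (not code from the original post, from Google's paper, from André's paper, or from the ecdsa[.]fail challenge). It implements classical affine point addition and double-and-add scalar multiplication on secp256k1, the same group operation a Shor circuit must perform reversibly and in superposition, plus textbook ECDSA signing and verification to show that the public key Q = d*G, the ECDLP instance Shor would solve for d, is necessarily exposed to anyone who verifies a signature. All function names are my own; the arithmetic is variable-time and for illustration only, not for production use.

```python
# Added example, not code from the original post or any paper it describes.
# Pure-Python secp256k1 arithmetic plus textbook ECDSA. Educational only:
# variable-time, no side-channel hardening, random (non-RFC 6979) nonces.
import hashlib
import secrets

# secp256k1 domain parameters (public constants from SEC 2)
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """True if pt is the identity or satisfies y^2 = x^3 + 7 (mod P)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0


def point_add(p1, p2):
    """Affine point addition: the operation the point-addition circuits optimize.
    Costs one field inversion (pow(.., -1, P)) per addition."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add k*pt. Shor runs this over a superposition of k,
    which is why the per-addition circuit cost dominates."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def pubkey_from_private(d):
    """Q = d*G. Recovering d from Q is the ECDLP: infeasible classically,
    polynomial time for a large enough quantum computer running Shor."""
    return scalar_mult(d, G)


def brute_force_dlog(q, limit):
    """Classical exhaustive search for d < limit with d*G == q. Only feasible
    for toy limits; included to make the ECDLP instance concrete."""
    acc = INF
    for d in range(limit):
        if acc == q:
            return d
        acc = point_add(acc, G)
    return None


def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, msg):
    """Textbook ECDSA with a fresh random nonce k."""
    z = _hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * d) % N
        if s != 0:
            return (r, s)


def ecdsa_verify(q, msg, sig):
    """Verification needs the full public key Q, so once a transaction is
    broadcast, Q is on-chain and is exactly what Shor targets."""
    r, s = sig
    if q is INF or not on_curve(q) or not (0 < r < N and 0 < s < N):
        return False
    z = _hash_to_int(msg)
    w = pow(s, -1, N)
    x = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, q))
    return x is not INF and x[0] % N == r
```

Two things worth noting from running it: `brute_force_dlog` finds d only for toy values, which is the whole point (the classical cost grows as the square root of the group order, about 2^128 work for secp256k1), and `ecdsa_verify` cannot work without Q, so any address whose key has signed at least once has already handed a future quantum attacker its ECDLP instance.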

Part Two: Neutral Atoms and Q-Day

The story doesn't stop with Google. On the very day Google announced its results, a stealth startup called Oratomic published its own Shor paper, which caused a stir and went on to become the most-voted paper on scirate[.]com (a site that ranks arXiv papers).

Oratomic's claims are astonishing. Building on Google's logical-layer optimizations and adding physical-layer optimizations tailored to neutral atoms, they claim that only 10,000 physical qubits suffice to run Shor's algorithm on secp256k1. That number is remarkably low.

When the Oratomic paper went live, I knew virtually nothing about neutral atoms, which piqued my interest and led me to investigate the technology. I dove into this for several hundred hours. I became somewhat obsessed, watching all the YouTube videos I could find and engaging with many experts.

My conclusion is that this technology is very, very real. Even Google has recently decided to build a neutral atom laboratory, shifting focus significantly from superconducting qubits. If you care about Q-Day (the day when quantum computers break the first operational encryption algorithms), neutral atoms are worth your attention. I shared some insights about Shor and neutral atoms in a 30-minute talk at the ZKProof cryptography conference; you can find it on YouTube by searching for “zkproof neutral atom.”

There is an interesting observation about these two groundbreaking papers: neither Google nor Oratomic says what their results mean for Q-Day. There is no timeline, none, just silence. Given that the entire point of white-hat quantum cryptanalysis is to inform Q-Day estimates and help the public make good decisions, this is particularly perplexing.

So let me try to partially fill that silence, as Scott Aaronson did in his April 29 blog post. Based on everything I know, including some terrifying information that cannot be disclosed, I now believe the probability of Q-Day occurring before 2032 is 50%. Before 2030, it is 10%.

By the way, a little anecdote: the U.S. government has its own date, 2035. It originated with the National Security Agency and was later adopted by NIST as the point by which all branches of the U.S. government must stop using quantum-vulnerable cryptographic systems. To put it bluntly: in hindsight that date is a joke and should be ignored entirely. I don't believe NIST can avoid being forced to move it up by several years.

Part Three: Post-Quantum Cryptography

There are plenty of reasons to sound the alarm today, but please do not panic. Rushing towards immature post-quantum cryptography would be disastrous. In my view, a good target date for migration is 2029, roughly three and a half years from now. 2029 is also the date chosen by Google, Cloudflare, and the Ethereum Foundation.

Recently I've spent most of my time on securely migrating Ethereum to post-quantum cryptography, within the broader framework of "Lean Ethereum." There is much to be done. We need to remove and replace BLS signatures at the consensus layer, replace KZG commitments at the data layer, and replace ECDSA signatures at the execution layer.

The plan for achieving this is exciting and is based on hash-based cryptography. Within the Ethereum Foundation we've built a Swiss Army knife called leanVM (github[.]com/leanEthereum/leanVM), driven by hash-based SNARKs. Thanks to truly exceptional work by Emile, Thomas, and others, its performance risk has been retired. On the security side, leanVM is a gem: a streamlined zkVM designed for end-to-end formal verification and extreme security.
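To show what "hash-based cryptography" buys you against Shor, here is an added example of my own, not code from the Ethereum Foundation, from Lean Ethereum, or from leanVM. It implements a Lamport one-time signature, the simplest hash-based signature scheme: security reduces to preimage resistance of SHA-256, which a quantum computer weakens only by a square root via Grover, rather than to a discrete-log problem that Shor breaks outright. It also demonstrates the one-time caveat every hash-based scheme inherits: reusing a Lamport key leaks preimages, and `forge_from_reuse` (my own name) assembles a forgery from them whenever enough positions have been revealed. Production schemes (XMSS, SPHINCS+, and SNARK-aggregated variants like the Lean Ethereum plan) exist precisely to manage that statefulness and the large key and signature sizes shown here.

```python
# Added example, not code from the original post or from leanVM.
# Lamport one-time signature over SHA-256, plus a demonstration of why the
# key must never be reused. Educational only.
import hashlib
import secrets

BITS = 256  # one (s0, s1) preimage pair per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte preimages (16 KiB).
    Public key: the SHA-256 hash of each preimage (16 KiB)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def _msg_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant first."""
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(sk, msg: bytes):
    """For each digest bit, reveal the preimage for that bit value at that
    position. The signature is 256 * 32 bytes = 8 KiB."""
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed preimage and compare with the published hash
    selected by the corresponding digest bit."""
    if len(sig) != BITS:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_msg_bits(msg)))


def forge_from_reuse(pk, signed, target: bytes):
    """The one-time caveat. Given (msg, sig) pairs made with the SAME key,
    collect every revealed preimage and try to assemble a signature on
    `target` without the secret key. Returns the forged signature, or None
    if some position of H(target) needs a preimage that was never revealed."""
    revealed = [{} for _ in range(BITS)]  # position -> {bit: preimage}
    for msg, sig in signed:
        for i, bit in enumerate(_msg_bits(msg)):
            if H(sig[i]) == pk[i][bit]:
                revealed[i][bit] = sig[i]
    forged = []
    for i, bit in enumerate(_msg_bits(target)):
        if bit not in revealed[i]:
            return None
        forged.append(revealed[i][bit])
    return forged
```

With a single honest signature, each position has exactly one preimage revealed, so a forgery on any message whose digest differs in at least one bit fails. With n reused signatures, each position has the target's bit revealed with probability about 1 - 2^-n, so after roughly twenty reuses `forge_from_reuse` succeeds on an arbitrary target almost every time. That is the failure mode stateful hash-based schemes must track, and the reason the one-time primitive is wrapped in Merkle trees or aggregated by a SNARK before it is fit for a blockchain.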

Want to help? There are two million-dollar-level initiatives. First, the Proximity Prize (proximityprize[.]org). Solve a pending mathematical conjecture in coding theory to improve hash-based SNARKs, and you will become a millionaire. Second, the Poseidon Initiative (poseidon-initiative[.]info), offering a $1 million bounty for breaking Poseidon, a hash function friendly to SNARKs.

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image on this page infringes rights, please send the relevant proof of rights and identity to support@aicoin.com and the platform's staff will verify it.
