This continues We Said Wait. The Wait Is Over.. The original post ended with a short note about a zero-knowledge proof. That note turned out to be the interesting part. Here is the whole story.
What Google did. A zero-knowledge proof (ZKP) lets one side convince another that a claim is true while revealing nothing beyond its truth. On March 31, Google’s Quantum AI group disclosed an optimized quantum circuit for elliptic-curve point addition. The circuit is the expensive inner loop of Shor’s algorithm against the elliptic-curve discrete log problem. They claimed a first-generation machine could break a 256-bit curve in as little as nine minutes. Instead of publishing the circuit, they published a proof attesting its cost: here is the result, without the method. Disclosing a capability without handing over the recipe is a new move. It is the reason this story is worth your time.
1. The story as it spread on X
On X it traveled as a clean, dramatic arc (thread by Charles Guillemet, @P3b7_). Google optimized Shor. The US government blocked the full paper, so Google shipped a zero-knowledge proof instead. Then someone opened a contest to recover the result with AI. A language model searched a huge space of quantum circuits, each one a candidate Shor optimization. It checks whether it beats the previous best. The clever bit: they used Google’s ZKP verifier as the reward function. No false positives, and the signal is very efficient. As the thread told it, the community matched Google’s result in under two days. Fifteen days later the models were already tens of percent past it.
Good story. It also compresses two very different events into one line. Pull them apart and the story gets more accurate, and more useful.
The thread that carried the story (Charles Guillemet, @P3b7_, 15 Jun 2026).
2. What Trail of Bits actually did
The part that grabbed headlines is that Trail of Bits “beat” Google’s proof. It was not a quantum result. They found memory-safety and logic bugs in Google’s Rust prover code and the SP1 zkVM guest. Then they forged a proof reporting better numbers than Google’s, including zero Toffoli gates. The exploit never touched a quantum circuit. It rode on an access_unchecked deserialization and a register-aliasing bug. Google patched the prover and published v2 of the paper; the scientific claims remain unaffected.
The lesson is the one Trail of Bits draws. A ZKP does not remove trust, it relocates it. You stop trusting “do the experts believe this” and start trusting the prover’s implementation, its compiler, and its proof system. That is an application-security surface, not a math guarantee.
3. What the community rebuilt from prior work
In parallel, and this is the genuinely impressive part, independent researchers reconstructed the actual optimization from public literature within days. AndrĂ© Schrottenloher’s point-addition paper leans on a space-efficient modular-inversion preprint by Luo et al. Both lean on results that are decades old: Proos-Zalka register sharing from 2003 and Kaliski’s inversion method. The “secret” circuit turned out to be reconstructible from prior art. A Shor-at-home style challenge then kept shaving the circuit down. Schrottenloher’s grounded numbers (roughly 6.5 to 10 percent fewer Toffoli gates with about 1.5 percent more qubits for secp256k1) are far more modest than the headline percentages. Those percentages mix the forged proof with real cryptanalysis and move depending on the metric. Treat the exact figures as informal.
ecdsa.fail, the Shor-at-home challenge tracking community circuits against the community. Live figure.
Where this leaves us
Nothing here changes the original conclusions. It sharpens them. None of this breaks TLS this year. You still need a cryptographically relevant quantum computer with a large qubit count, and it does not exist yet. What the episode confirms is the same thing the first post argued. The resource estimates keep falling, and now we also know they are easy to reproduce and hard to keep secret. The asymmetric clock is the one that is ticking. Prioritize ML-KEM for key exchange. Put ML-DSA and your HSM roadmap on the plan. Keep Harvest Now, Decrypt Later in your residual-risk model. Plan to the trend, not to this week’s number. As covered in the update to the original post, leave your symmetric ciphers alone: AES-128 is not where the risk lives.
References
- Original post: We Said Wait. The Wait Is Over.
- Google Research, Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly
- Babbush et al., Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities, arXiv:2603.28846
- Trail of Bits, We beat Google’s zero-knowledge proof of quantum cryptanalysis
- Schrottenloher, Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms, arXiv:2606.02235
- Luo et al., Space-Efficient Quantum Algorithm for Elliptic Curve Discrete Logarithms, arXiv:2604.02311
- Proos & Zalka, Shor’s discrete logarithm quantum algorithm for elliptic curves, arXiv:quant-ph/0301141
- Roetteler et al., Quantum resource estimates for computing elliptic curve discrete logarithms (Kaliski inversion), arXiv:1706.06752
- Shor-at-home challenge, ecdsa.fail
- The X thread (Charles Guillemet, @P3b7_)

