Google’s Quantum Crypto Paper Tells You Quite a Lot
On Responsible Disclosure, Leaked Search Spaces, and Why Quantum Is an Asset Even More Than a Threat
Last week Google Quantum AI dropped a 57-page whitepaper that should be keeping every blockchain developer awake at night. The headline finding: Shor’s algorithm can break the 256-bit elliptic curve cryptography underpinning Bitcoin, Ethereum, and most of the crypto ecosystem using fewer than half a million physical qubits on a superconducting architecture. Their circuits could execute in about nine minutes--within Bitcoin’s average block time.
The online magazine beincrypto.com interviewed me on the topic and the headline they came up with was “ASI Alliance Can Rebuild Google’s Secret Quantum Circuit, CEO Ben Goertzel Says” – an angle that I wasn’t really expecting, though I did indeed say that to them, among a bunch of other things.
A number of people have asked me about this in the hours since the article was posted, so I thought I’d write something here to clarify a bit.
Basically: Google withholds the specific quantum circuit they discovered in the name of responsible disclosure, yet the paper itself constrains the search space so tightly that reproducing comparable circuits is well within reach for any serious quantum algorithms group. Including, I would say, our team at SingularityNET, even though quantum is not our main shtick.
Another point I made to the journalists who asked me about this is: The qubit counts that make these cryptographic attacks feasible are roughly the same qubit counts that make quantum-enhanced AI feasible. So regarding quantum computing, the threat and the capability will arrive on roughly the same time-scale, and if you’re only looking at the threat side, you’re missing half the picture--arguably the more important half.
What the Paper Reveals
Google’s ZK proof statements and the surrounding discussion disclose a remarkable amount of architectural detail--more, perhaps, than the authors fully appreciate. The circuits use kickmix architecture (classical reversible logic gates combined with measurement-based uncomputation and diagonal phase corrections), windowed arithmetic with a window size of 16, the standard Shor phase estimation structure with qubit-recycled Quantum Fourier Transform, and exactly 28 windowed point additions for 256-bit ECDLP. They’re using Montgomery’s trick for modular inversion batching, yoked surface codes for dense qubit storage, and reaction-limited execution.
The ZK proof statements go further, revealing exact resource counts per point addition subroutine: 2.7 million and 2.1 million non-Clifford gates for the two variants, on 1,175 and 1,425 logical qubits respectively. The asymptotic scaling is stated explicitly: approximately 4.5n qubits for n-bit ECDLP.
So what’s actually secret? The specific circuit implementation of the elliptic curve point addition--the internal wiring of how they compute the in-place addition using those ~2.1 million Toffoli gates on ~1,425 qubits. That’s the crown jewel. Everything else is disclosed.
The Search Space Is Narrower Than One Might Think
The key optimizations in elliptic curve point addition circuits involve a handful of well-understood design choices--modular arithmetic strategy (Montgomery vs Barrett reduction, addition chain optimizations for field multiplication), coordinate system selection (projective vs affine, which inversions to defer), and ancilla management (how aggressively to use measurement-based uncomputation to trade measurements for gate savings). These are not obscure research frontiers; they are textbook topics in quantum circuit optimization, well-mapped by the existing literature.
The prior work that Google is improving on--Litinski 2023, Häner et al. 2020, Gouzien et al. 2023, Chevignard et al. 2026--is entirely public and establishes the design space. Google’s contribution is roughly an order of magnitude improvement in spacetime volume over Litinski, achieved within this known design space. Chevignard et al. already achieved 1,100 logical qubits--fewer than Google’s low-qubit variant--at the cost of 100 billion+ Toffoli gates. So the qubit-efficient end of the tradeoff curve is already published. What Google solved is getting the gate count down from 100 billion to 70–90 million while staying near the 1,200–1,450 qubit range. (To connect the numbers: with 28 windowed point additions and ~2.7 million non-Clifford gates per addition, 2.7 million × 28 ≈ 75.6 million total gates, which lands right in that range.)
That’s impressive circuit engineering, but it’s an optimization within a known framework, not a fundamental algorithmic breakthrough. The paper tells you the target, the tools, and the constraints. Reverse-engineering the wiring from there is a bounded search problem.
Who Could Reproduce This?
By my best guess, a team of three to five quantum algorithms researchers with deep expertise in reversible arithmetic circuit synthesis, elliptic curve cryptography, and quantum error correction could plausibly reproduce circuits in the same ballpark--say within 2–3x of Google’s gate counts--within six to twelve months. The field is small enough that the highest levels of expertise in this precise subdomain are centered in perhaps ten to twenty groups worldwide: ETH Zurich, CWI Amsterdam, Microsoft Research, the French groups around Chevignard and Gouzien, Quantinuum’s theory team, various university labs. However, none of this knowledge is super secret lore, and teams like ours at SingularityNET with adjacent quantum computing expertise could handle this sort of work too, after a bit of getting up to speed.
Getting to exactly Google’s numbers is harder, because the last factors of optimization in reversible circuit synthesis come from clever ancilla scheduling, specific addition chain choices, and measurement-based uncomputation placement decisions that constitute a large combinatorial search--this is where automated circuit optimization tools and significant compute for design space exploration matter, and where Google’s resources give them an edge. But from a security perspective, “within 2x” versus “exact match” doesn’t change the picture. A circuit with 140 million Toffoli gates instead of 70 million still breaks your keys; it just takes 18 minutes instead of 9.
Our Team Could Do This
So what I said to beincrypto.com was that I feel our team at SingularityNET could mount a credible effort to reproduce circuits of comparable efficiency – and we are not a group that anyone would normally associate with quantum cryptanalysis.
We have researchers with strong backgrounds in mathematical optimization, formal methods, and algorithmic complexity. We have one quantum AI expert, a couple of team members with PhDs in particle physics, and a load of strong computer scientists, many of whom studied physics in depth at some point in their lives. We have a small but active quantum AI research side-project, aimed mostly at exploring novel algorithmic approaches at the toy scale on quantum computers currently available via API. We have extensive experience with large-scale automated search over combinatorial spaces--with various novel algorithms precisely designed for this class of problem. We have the compute resources, through ASI:Cloud and our broader infrastructure partnerships, to run extensive circuit optimization campaigns – though to be clear, we aren’t wealthy enough to direct a lot of resources to this sort of problem just for the fun of it.
The point isn’t that SingularityNET is going to reverse-engineer Google’s circuit; we have a lot of other fish to fry, like building beneficial decentralized AGI capable of launching beneficial superintelligence, and so forth. The point is that if we could credibly do this, so could any well-funded national laboratory, defense contractor, or state-sponsored research group. China’s quantum computing program, which has published extensively on Shor’s algorithm implementations, certainly has the expertise. So do groups in France, the Netherlands, Israel, Singapore.
As an adjacent side-point, I would note that while our own R&D team is working hard toward AGI and superintelligence and making interesting research progress, so far we have not withheld any of our code for safety reasons, though we have discussed the possibility internally. Our position is that secrecy in this domain has very limited tactical value because of the clear routes to parallel discovery--keeping capabilities secret buys you at most a fairly short window. The idea that withholding the circuit diagrams provides meaningful security against determined adversaries is, I would say, way optimistic.
This isn’t a criticism of Google’s team--their instinct toward caution is correct, and the ZK proof approach makes total sense. But the crypto community should not interpret “responsible disclosure” as “the attack details are safely locked away.” They are locked behind a door that any competent team can pick, and the paper itself hands you the lockpicking tools.
The Real Barrier Isn’t the Circuit
Even if every quantum algorithms group on Earth had Google’s exact circuit files tomorrow, the attack still requires roughly 500,000 physical superconducting qubits with 10⁻³ error rates and a fast classical control system. That is a hardware engineering challenge measured in billions of dollars and years of fabrication iteration, not millions and months. The circuit is a necessary but far from sufficient condition for an actual attack.
Google’s own paper makes this point implicitly by noting the distinction between fast-clock architectures (superconducting, photonic, silicon) and slow-clock architectures (neutral atom, ion trap). The circuit doesn’t help you if you can’t run it fast enough. And nobody today has a half-million-qubit superconducting machine.
However, compute technology is advancing very quickly. The paper analyzes qubit requirements across multiple cryptographic standards, not just ECDLP, and the trend lines are sobering across the board. The paper’s Figure 3--showing the dramatic decade-long decline in physical qubit requirements for breaking RSA-2048--should give everyone pause. The finish line is moving toward us as fast as we’re moving toward it. And as the paper warns, the first indication that a cryptographically relevant quantum computer exists might not come from a press release--it might be detected on the blockchain itself.
The Qubit Coincidence
There is another highly relevant point that I have not seen anyone else in the crypto discourse seriously engage with: the qubit counts needed for useful quantum AI and the qubit counts needed for these cryptographic attacks are very concretely in the same ballpark.
Google’s crypto-cracking circuit requires around 1,200–1,450 logical qubits (realizable using 500K or so physical qubits on the architectures they are thinking about – waving hands around fairly freely). The kind of quantum logic network reasoning we’ve been designing for Hyperon’s PLN and ECAN subsystems--nontrivial quantum-enhanced probabilistic inference, the sort of thing that would actually give you qualitatively new AI capabilities rather than just marginal speedups--would do serious work with 5,000–10,000 logical qubits. That’s a gap of roughly 4–8x, not orders of magnitude. And if you use block-factorized designs--decomposing quantum computations across a network of classically connected quantum processors, which is the direction our architecture has been heading anyway for other reasons--you could quite possibly achieve meaningful quantum AI with individual nodes of 1,000–2,000 logical qubits. Which is essentially the same scale as the crypto-cracking circuit.
So basically: The hardware generation that can break your elliptic curve keys is the same hardware generation that can run quantum-enhanced reasoning engines. This is not a coincidence--both cryptographic attacks and quantum AI applications are bottlenecked by the same resources: coherent qubit counts, gate fidelity, and error correction overhead. Both demand circuits of nontrivial depth on a thousand-plus logical qubits. The difference is in what you do with those qubits--Shor’s algorithm to crack the discrete log problem, or quantum amplitude amplification and quantum walks over inference graphs to accelerate probabilistic reasoning.
And this means that if you’re a blockchain project whose entire quantum strategy is “swap in post-quantum crypto and hope for the best,” you are – oh let’s see, what would be the right metaphor? – let’s say: responding to the news your rival tribe has invented bronze and discovered gunpowder by rebuilding the fence around your village with bigger sticks!
Quantum as Opportunity
While quantum machines with thousands of logical qubits are a ways off, these issues are still pertinent to current software design decisions, at both the AI and the infrastructure level. Along these lines, at SingularityNET and the ASI Alliance we have been designing ASI:Chain (our new AI-oriented L1 blockchain) from the ground up to be strongly quantum-oriented ... and I want to be precise about what I mean by that, because it is a distinction that most of the crypto ecosystem has not yet grasped and it’s quite relevant to the current conversation about quantum and crypto and AI. Quantum-oriented does not mean quantum-resistant. Quantum-resistant means you’ve plugged in lattice-based or hash-based signature schemes and you’re hoping nobody finds efficient quantum attacks on those too. Quantum-oriented means you are architecting your system to actually leverage quantum computation as a resource--to run on quantum hardware, not just defend against it.
MeTTa, our smart contract language, incorporates quantum type systems--meaning that quantum states and operations are first-class citizens in the language’s type hierarchy, so that AI agents running on MeTTa can natively compose quantum subroutines into their reasoning pipelines rather than treating quantum computation as an external oracle call. We have worked out quantum versions of the core AI algorithms of our Hyperon AGI architecture --attention allocation, probabilistic logic, evolutionary learning. When quantum processors with 1,000–2,000 logical qubits become available--the same machines that could threaten classical crypto--our infrastructure is designed to harness them for reasoning, inference, and autonomous decision-making at speeds that classical systems cannot match. Quantum-enhanced smart contracts that can perform probabilistic reasoning over complex state spaces. Quantum-accelerated consensus mechanisms. Quantum machine learning integrated directly into on-chain decision-making. This is the future we’re building toward, and the qubit coincidence I described above means the timeline for that future is the same as the timeline for the cryptographic threat.
Making quantum-safe encryption truly efficient--on par with classical encryption performance--will likely require either new mathematical breakthroughs in post-quantum cryptographic schemes or custom hardware optimized for these operations. Our Hyperon AI system may itself contribute to the mathematical side of this problem, which has an elegant recursion to it: AI helping to discover the cryptography that protects the infrastructure that runs the AI. Whether that particular recursion actually plays out or not, the broader point stands--projects that understand quantum computing as a computational resource to be harnessed, rather than merely a threat to be survived, are the ones that will define the next era of decentralized intelligence.
What This Means for the ASI Alliance and the Broader Crypto Ecosystem
It is worth emphasizing for those who are not familiar with our work at the ASI Alliance that the ASI:Chain is totally not EVM-compatible, nor is it based on legacy Bitcoin software structures. It is its own chain with its own architecture, built on a Rholang/RChain lineage with a totally new AI programming language called MeTTa as the smart contract language. We do not inherit Ethereum’s quantum vulnerabilities. The Google paper’s analysis of Ethereum’s five distinct vulnerability categories--Account, Admin, Code, Consensus, and Data Availability--is a roadmap of mistakes to avoid, and we have been avoiding them from day one because ASI:Chain’s encryption layer is modular. Quantum-safe cryptographic primitives can be plugged in without redesigning the reasoning infrastructure. The cost is computational overhead, which is a real engineering challenge but not an architectural one.
Smart contract platforms that rely on ECDLP-based precompiles, as Ethereum does, are building on a foundation with an expiration date. The “on-setup” attack category described in the paper--where a single quantum computation on fixed protocol parameters creates a reusable classical exploit--is the most insidious threat, and any system using KZG commitments or trusted-setup-based SNARKs should be migrating to hash-based alternatives (STARKs, FRI) immediately. Key rotation mechanisms are non-negotiable; Ethereum’s lack of expedient validator key rotation is a glaring weakness.
The broader ecosystem matters too, and this is where things get uncomfortable even for those of us who are building our own decentralized systems on more solid foundations. If Bitcoin or Ethereum suffer a quantum-driven crisis, the contagion effects on crypto markets would hit everyone, including ASI. Google models a 41% success rate for quantum on-spend attacks against Bitcoin’s ten-minute block window, and any attack success rate above single digits is deeply problematic for a store-of-value chain. Once rational actors believe there is a meaningful probability that a transaction can be reversed or an address drained during the confirmation window, the game-theoretic assurances that underpin Bitcoin’s security model collapse. The saving grace is that the hardware to execute this at scale does not yet exist, but the mathematical writing is on the wall, and the Bitcoin community’s lack of a coordinated upgrade path makes this a serious medium-term risk.
The paper’s analysis of Algorand, QRL, and Abelian as examples of successful PQC deployment is encouraging. The path is technically clear. What’s less clear is whether the broader crypto ecosystem has the political will to walk it before the window closes.
The Responsible Disclosure Dilemma
Beyond the specifics of quantum attacks on encryption, there’s a deeper philosophical issue here that resonates with themes I’ve been thinking about for years in the context of AGI safety. Google’s paper embodies a genuine tension: they want to warn the community loudly enough to motivate action, but quietly enough to avoid giving adversaries a head start. The ZK proof is an elegant attempt to resolve this tension cryptographically--proving you have the weapon without showing the blueprints.
And I think the ZK approach actually does satisfy the crypto community’s core epistemic standard, which is not “see everything” but “don’t take claims on faith.” A well-constructed ZKP lets you verify that someone has the capability without them handing you the exploit. That said, the community should demand that the proof itself is rigorously audited by independent cryptographers, and Google should expect skepticism until that happens. I do not think we need to see the circuit to believe the result, but we do need the ZKP to be examined by people who are not Google.
But information has a way of escaping containment--in AGI safety we talk about this in terms of the difficulty of boxing superintelligent systems. In quantum cryptanalysis the analog is simpler: the design space is finite, the prior literature maps most of it, and the paper itself provides enough constraints to turn an open research problem into a directed engineering effort. The default should be openness, because the security benefits of open review and decentralized scrutiny vastly outweigh the marginal risk reduction of secrecy in a world where parallel discovery is the norm. If something posed a specific, acute, short-term danger, we would hold it back--we are not ideologues about this. But the general case strongly favors disclosure.
Does the Quantum Threat Kill the Decentralization Thesis? (No!)
No, of course it doesn’t – but it raises the stakes enormously. If a centralized actor cracks dormant Bitcoin and captures hundreds of billions in assets, that is a massive centralizing force--no question. Over 1.7 million BTC in Satoshi-era P2PK wallets can never be migrated, and those coins are going to be cracked by someone eventually. The question is whether you want a legal framework around it or a lawless scramble. On principle, giving governments a legal pathway to crack private wallets sets a catastrophic precedent for digital property rights--the entire value proposition of crypto rests on the idea that your keys are your coins. I lean toward the position that dormant coins should remain inviolate as a matter of principle, and the ecosystem should price in their eventual vulnerability rather than invite government seizure regimes.
But the decentralization thesis was never premised on the idea that legacy cryptography would last forever. It is premised on the idea that open, distributed systems are more resilient, more innovative, and more aligned with human flourishing than centralized ones--and that has not changed. The quantum threat accelerates the timeline for crypto infrastructure to evolve, and it will punish projects that were not forward-looking. But projects that were designed with quantum computing as a first-class consideration--as a computational resource to harness, not just a threat to defend against--are positioned to come out stronger. The decentralization thesis survives if decentralized projects out-engineer centralized ones on the quantum transition – which is for sure the approach we’re taking in the ASI Alliance.
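The difference between outputs whose public key already sits on chain (the P2PK coins mentioned above) and outputs that reveal it only when spent (the on-spend window discussed earlier) can be read directly from the output script. The following Python is an added example, not code from this post or from the Google paper; the "at-rest" label, the `reused` flag and every sample script are constructed for illustration.

```python
"""Bucket Bitcoin outputs by when their public key becomes visible on chain."""
from collections import defaultdict

AT_REST = "at-rest"    # key is already public, so exposure is not time-limited (our label)
ON_SPEND = "on-spend"  # only a hash is public until the spending tx is broadcast
UNKNOWN = "unknown"    # anything this classifier does not recognise


def classify(script_hex):
    """Return (script_type, exposure) for a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG -- the key is in the output.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        key = s[1:-1]
        compressed = len(key) == 33 and key[0] in (0x02, 0x03)
        uncompressed = len(key) == 65 and key[0] == 0x04
        if compressed or uncompressed:
            return "p2pk", AT_REST
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", ON_SPEND
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", ON_SPEND
    # Witness v0 programs commit to a hash of the key or script.
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", ON_SPEND
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", ON_SPEND
    # P2TR: OP_1 <32-byte x-only output key> -- the key itself, not a hash.
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", AT_REST
    return "unknown", UNKNOWN


def exposure_report(utxos):
    """Sum satoshis per exposure class.

    Each utxo is a dict with 'script' (hex), 'sats' (int) and optional 'reused'
    (True if the same key hash has already been spent from, which publishes
    the key and removes the protection of the hash).
    """
    totals = defaultdict(int)
    for u in utxos:
        _, exposure = classify(u["script"])
        if exposure == ON_SPEND and u.get("reused", False):
            exposure = AT_REST
        totals[exposure] += u["sats"]
    return dict(totals)


# Constructed sample data: filler bytes, not real keys or hashes.
FAKE_KEY65 = "04" + "11" * 64
FAKE_KEY33 = "02" + "22" * 32
H20 = "33" * 20
H32 = "44" * 32
SAMPLE_UTXOS = [
    {"script": "41" + FAKE_KEY65 + "ac", "sats": 5_000_000_000},       # early-style P2PK
    {"script": "21" + FAKE_KEY33 + "ac", "sats": 1_000_000},           # compressed P2PK
    {"script": "76a914" + H20 + "88ac", "sats": 150_000},              # P2PKH, never spent from
    {"script": "76a914" + H20 + "88ac", "sats": 20_000, "reused": True},
    {"script": "0014" + H20, "sats": 75_000},                          # P2WPKH
    {"script": "5120" + H32, "sats": 300_000},                         # P2TR
    {"script": "6a04deadbeef", "sats": 0},                             # OP_RETURN data
]

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(classify(u["script"]), u["sats"])
    print(exposure_report(SAMPLE_UTXOS))
```

Run over a wallet's or custodian's own UTXO set, the at-rest bucket is the migration priority; the on-spend bucket stays protected only as long as its keys are never reused.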
The Clock Is Running
The paper’s own conclusion is the one that matters: the crypto community should begin migration to post-quantum cryptography immediately, because the margin for error is narrowing and the timeline is uncertain. Whether the specific circuits leak, get independently rediscovered, or remain secret for another few years is, in the scheme of things, a second-order question. The first-order question is whether we’re building post-quantum systems fast enough.
But I’d add a corollary that Google’s paper doesn’t quite state: there is a further question of whether we’re building quantum-leveraging systems at all. The hardware generation that threatens classical cryptography is the same hardware generation that enables quantum AI. It seems very likely that the projects that understand this--that are engineering for quantum advantage, not just quantum survival--are the ones that will define the next era of decentralized intelligence. The ones that treated quantum as purely a defensive problem will find themselves with hardened walls and nothing interesting inside them.


I’ve been digging so far into Quantum Mechanics, Entanglement, String Theories and applying it to the model of a Simulated reality to form the blueprints of an Interdimensional craft that incorporates Aneutronic Plasma Fusion Energy Toroids within a complex piezoelectric crystal Mandaloy hull that is grown, not built, in a lab incorporating Magnesium/Bismuth (or germanium) Boron Hull, then 4-8 Nickel-based alloy and other meta materials I’ve detailed to keep the craft from decoupling from phasing dimensional space by folding the very source codes of reality that lay on a 2D surface of information.
9 missing or dead (now 17) connected to UFO/UAP technologies have disappeared and I used their documented contributions to the research they left behind from their compartmentalized services to the shadow governments to create a full on blueprint in their Honor! After this my full name on Google Analytics started pinging in researches in Israel, Iran, Russia & China, as well as known states in the U.S. involved with advanced intelligence and technology security services throughout Alaska, Arizona, New Mexico, Louisiana, South Carolina, Minnesota and New York where prior my name was not mentioned or searched at all. Just at particular locations at the same particular time the post went to effect. I’m trying to share this, the U.S. has this tech and have been running a multi decade long campaign to misdirect our fellow Americans going so far as to even give the Americans at the bottom of the pyramidal scheme of things a false basis of math and science that ideally will help you function through normalized social occupations but never profoundly progress above questions leading to our very reality and Zero Point Free Energy because the U.S. is run by the Petro Dollar and since the elites conclude we exist within a simulated reality then they can destroy the ozone layer all they want for profit even though the program’s data is a specific coded reality it still has the ability to fall apart with the models it was designed with. But enjoy my findings, I am finding out that a select group of elites might be preparing for some kind of event.
https://substack.com/@tyrwotanthule/note/c-236402145?r=82326e&utm_medium=ios&utm_source=notes-share-action
There’s something almost unsettling in how casually this reframes the whole situation.
What looks like a looming threat—cryptography breaking, systems failing—is treated as just one side of the same coin. The very machine that cracks the lock is also the one that builds entirely new doors.
It’s like discovering that the tool designed to pick your vault can also mint the next currency. The danger and the opportunity aren’t separate timelines—they arrive together, riding the same wave of capability.
And that’s the part most people miss. They prepare for defense, reinforce the walls, patch the system… while someone else is already asking what becomes possible once the walls no longer matter.