Posts by Sam Jaques

A table listing total operations, number of qubits, and Toffoli-gate count for Google's low-gate and low-qubit implementations, and Trail of Bits' implementation. The Trail of Bits implementation beats Google's on every metric.

Two weeks ago, Google published a paper proving in zero-knowledge that they had an efficient implementation of Shor's algorithm.

Today, Trail of Bits can prove that we have an even better implementation which beats Google's on all metrics! 🫢

blog.trailofbits.com/2026/04/17/w...

4 days ago 77 31 1 5
4 days ago 9 4 0 0

Yeah they got a bit of a roasting on scirate over that. Though their 10,000 qubit ECC is only 1000 days. I still didn't include it because (a) 1000 days already gets us to 2029; (b) by the time they finish a computation that long, I suspect another company could build a 26,000 qubit machine

1 week ago 7 1 1 0
A cluttered and complicated chart relating qubit counts to qubit error rates, comparing today's devices to cryptographic attacks.

Overdue quantum landscape update: sam-jaques.appspot.com/quantum_land...

A 2d chart can only say so much. tl;dr new results are still overhyped, but definitely worth taking seriously. This chart is based on surface codes and a big question now is whether new codes can be practical (=>useless chart)

1 week ago 48 19 1 2

Ah okay, like if I had an encoded circuit and wanted to measure the X value, I can do it just fine by measuring X on all physical qubits. And in any intro qc course it's explained that "measure-X" projects onto |+/-> (which Stim does!), but this assumption breaks for the code; we need state prep

2 weeks ago 0 0 0 0

If the "transversal" X measurement doesn't preserve the codespace, in what sense is it transversal?

2 weeks ago 0 0 1 0

What do you mean by "destroy the stabilizers"?

2 weeks ago 0 0 1 0

Hot take: IACR submission guidelines should eliminate appendices, bump the page limit to 70 pages, but have an earlier deadline for any paper longer than 30 pages

1 month ago 1 0 1 0
Real World Crypto 2026: Lessons from Teaching Applied Cryptography in Post-Crisis Lebanon (YouTube video by Nadim Kobeissi)

I was deeply humbled by the unbelievably positive reaction to my talk at Real World Crypto 2026 in Taipei about my experiences teaching applied cryptography in post-crisis Lebanon.

The full video for the talk is now available: www.youtube.com/watch?v=z_Hx...

1 month ago 24 3 2 1
PhD position in Cryptanalysis

Fernando is looking for a PhD student www.iacr.org/jobs/item/4164 Fernando is excellent, you should consider applying.

1 month ago 5 4 1 0
Cool! It looks like this parallelizes well, you say you can execute joint Pauli measurements. Does this work equally well if there is a lot of overlap in the support of the logical Paulis?

4 months ago 1 0 1 0
We don’t talk often enough about the Superman issue where, fed up with pedestrian deaths from car collisions, he sets out to try and destroy every car in the city.

9 months ago 503 159 14 17
Photo of a piece of cardboard with a hexagonal grid, rules handwritten on looseleaf, cardboard pieces, and a box of mini wheats labelled "Settlers of Catan"

Photo memory: a bootleg version of settlers of Catan I made from memory during summer fieldwork in 2012

4 months ago 3 0 0 0
How This Small City Built Light Rail For Cheap (YouTube video by Oh The Urbanity!)

I love my city youtu.be/uttoyAX4ntc?...

6 months ago 7 0 0 0
MenezesFest 2025: MenezesFest brings together researchers, colleagues, and friends to celebrate the career and impact of Alfred Menezes.

The impact of Alfred Menezes in cryptography is profound. Francisco RH and I are organizing an afternoon session in Latincrypt to celebrate Alfred's career:

menezesfest.info

If you're coming to Medellín, consider attending!

7 months ago 12 6 1 0

Nice! Now (to steal Luca's joke) it's only 11 more factors of 2 to go for SQISign to be faster than MLDSA?

7 months ago 2 0 2 0
Screenshot of comments in code. They say: Dear programmer: when I wrote this code, only God and I know how it worked. Now, only God knows it! Therefore, if you are trying to optimize this routine and it fails (most surely), please increase this counter as a warning for the next person. Total hours wasted here = 254

7 months ago 0 0 0 0

This is a valid signature for user i. Then when the adversary presents a forgery (w*,c*,z*) against user j, just subtract cr_j from z* and it's a forgery for your challenger. This works... but only because the public key was not hashed into the challenge! Very bad idea!

7 months ago 1 0 0 0
Your challenger's public key is xP, so all the users you simulate for the multi-user adv can use PK_i=(x+r_i)P for some random r_i. If the adversary requests a signature on m from user r_i, you can send m to your challenger and get (w,c,z)=(yP,H(w||m),y+cx). Set z'=z+cr_i and return (w,c,z').

7 months ago 1 0 1 0

Always bothers me when you lose the 1/N factor in a multi-user security proof. Was thinking about how to dodge it; consider this for Schnorr signatures: you are an active adversary against a single challenger, with access to a multi-user adversary.

7 months ago 2 0 1 0
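
The reduction sketched in the three Schnorr posts above (shown newest first), as an added Python example that is not the poster's code. It assumes a toy multiplicative group, so the posts' xP becomes `pow(G, x, P)`; the names `Reduction`, `sign_as`, `extract` and `demo` are hypothetical, and the "forgery" is a stand-in signature made with the shifted key.

```python
import hashlib, secrets
# Toy group (constructed for this example): Z_p^* with p = 2^127 - 1, written
# multiplicatively. Far too small for real use; it only makes the algebra runnable.
P = 2**127 - 1
N = P - 1          # exponents are reduced mod the group order
G = 3

def H(*parts):
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def challenge(pk, w, m, key_prefixed):
    # key_prefixed=True hashes the public key into the challenge
    return H(pk, w, m) if key_prefixed else H(w, m)

def sign(x, m, key_prefixed=False):
    y = secrets.randbelow(N)
    w = pow(G, y, P)
    c = challenge(pow(G, x, P), w, m, key_prefixed)
    return w, c, (y + c * x) % N               # (w, c, z) = (yP, H(w||m), y + cx)

def verify(pk, m, sig, key_prefixed=False):
    w, c, z = sig
    return (c == challenge(pk, w, m, key_prefixed)
            and pow(G, z, P) == w * pow(pk, c, P) % P)

class Reduction:
    """Single-user attacker simulating n users for a multi-user adversary."""
    def __init__(self, challenger_pk, sign_oracle, n):
        self.oracle = sign_oracle
        self.r = [secrets.randbelow(N) for _ in range(n)]
        # PK_i = (x + r_i)P, computed from the challenger's public key alone
        self.pks = [challenger_pk * pow(G, r, P) % P for r in self.r]

    def sign_as(self, i, m):
        w, c, z = self.oracle(m)               # signature under the key x
        return w, c, (z + c * self.r[i]) % N   # z' = z + c*r_i

    def extract(self, j, forgery):
        w, c, z = forgery                      # forgery against user j
        return w, c, (z - c * self.r[j]) % N   # subtract c*r_j from z*

def demo(key_prefixed):
    x = secrets.randbelow(N)                   # challenger's secret key
    pk = pow(G, x, P)
    red = Reduction(pk, lambda m: sign(x, m, key_prefixed), n=4)
    sim_ok = verify(red.pks[2], "msg", red.sign_as(2, "msg"), key_prefixed)
    # Stand-in for the adversary's forgery: an honest signature under x + r_1
    forged = sign((x + red.r[1]) % N, "forged", key_prefixed)
    ext_ok = verify(pk, "forged", red.extract(1, forged), key_prefixed)
    return sim_ok, ext_ok
```

`demo(False)` shows both the simulated signature and the extracted forgery verifying; `demo(True)` shows both failing once the public key is hashed into the challenge.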
Options for Phones at Protests: Simply showing up to a protest leaves you susceptible to all sorts of surveillance, including cameras, drones, facial recognition, and more. There's not always a lot you can do about pernicious street...

I wrote a bit about options for phones at protests, explaining the benefits and drawbacks, and added some security tips at the end.

7 months ago 112 45 3 4
Ursula K. LeGuin on technology

1 year ago 7404 1997 115 153

I was way miscalibrated at the time and thought the extra Toffoli count would end up using more space in the end thanks to state distillation. Not sure how typical my perspective was

Important lesson in scientific celebrity culture nonetheless

8 months ago 3 0 0 0

I've been reading "Burdens of proof", which makes an interesting point on this: law wants to operate on a vastly longer time scale than most file formats, for good reason.

8 months ago 0 0 0 0

So we have an adversary that can decrypt c to a different message with a different key? They can just compute their own tag of this other key and message, hash it, and replace the "T" part of the ciphertext?

9 months ago 0 0 1 0

Reasonable! When I read the screenshot you took, I see a lot of technical terms I can't contextualize. How meaningful is a "2 star relationship"? I can't tell but an expert in the field could.

Then again, scientists asked for quotes can absolutely give a rushed take and get things wrong.

9 months ago 0 0 1 0

It's normal and good for journalists to talk to scientists in the same field but not associated to the research, as they can offer an informed but less biased take

9 months ago 2 0 0 0

My current model of agriculture is we generally optimize for high yield at low labour, and there's room for high-yield and sustainable if we accept high labour inputs. Is this a plausible and useful perspective?

9 months ago 0 0 0 0
Oh of course not, it would be a tourist attraction. Maybe a quirky hotel

9 months ago 0 0 0 0
Graph of physical qubits vs. year. There is a cluster of points in the middle, with 3 lines trying to extrapolate forward, but with wide error margins.

I wouldn't say steady: arxiv.org/abs/2009.05045 tries to extrapolate and the data looks really noisy. E.g., fig. 8. If we put today's devices on this, the best would maybe be on the orange line

10 months ago 3 0 1 0