> Trail of Bits were able to craft an input that beats Google's circuit and prove it... by virtue of a bug in the verifier: https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero... Google patched the vuln and the original proof still stands, but this is a pretty strange path we seem to be walking down [...]
Hundreds of years ago, it was not unusual to publish an encrypted solution of some mathematical problem, in order to establish priority without disclosing the algorithm that was used.
Of course, at that time very simple encryption methods were used, for instance an anagram of the solution was published (i.e. encryption by letter transposition).
They really couldn't be shouting "mitigate now or never" any louder. I'm curious how they arrived at the efficiency improvements, but perhaps any mention of that would be similar to releasing the circuit.
They're closely related, ECC and RSA are both instances of the hidden subgroup problem.
It kinda does, it just uses them differently
The basis here is the discrete inverse logarithm in a specific group (elliptic curves over rationals or multiplicative group modulo n).
Note you could ask the same question about Shor's original paper: how did he show the algorithm works without running it? Running X just isn't the only way to analyze X.
This is the key point, what is the meaning of "zero knowledge" here? It seems that you need to know something about the implementation, even if it is not the full implementation. Compare this to a zero knowledge proof that you have, say, a factorization gadget, which works by you running the gadget on adversarial input, thus convincing the adversary that you can factor any of their integers. That discloses no implementation details of your factorization gadget, which can be an efficient classical algorithm, a quantum computer, or a phone line to God.
> On superconducting architectures with 10^-3 physical error rates...
So still 1-2 orders of magnitude better than what we can achieve.
This is against a 256 bit elliptic curve. For some reason most people are stating the difficulty of using Shor's against 2048 bit RSA. Elliptic curves are easier to break with Shor's. I wonder how much of the optimization came from that fact alone...
... and the world could well have been unsafer. There is pretty strong reason not to release insights which could be used as an attack on public key cryptography. We already know the fix anyway, post quantum cryptography algorithms.
Sometimes scientific curiosity has to step back when it comes to potentially dangerous research. Scott Aaronson recently [1] compared this case to when scientists stopped publishing on nuclear fission research because the possibility of developing an atomic bomb became concrete:
> When I got an early heads-up about these results—especially the Google team’s choice to “publish” via a zero-knowledge proof—I thought of Frisch and Peierls, calculating how much U-235 was needed for a chain reaction in 1940, but not publishing it, even though the latest results on nuclear fission had been openly published just the year prior.
Only if you have a pre-commitment.
Doubt without evidence is just noise.
"God doesn't exist" is essentially incoherent. God is the perfect being, and if he didn't exist, he wouldn't be perfect.
I think the logical mistake is obvious.
Evidence that a hard problem is solvable, and information on solution characteristics, are a big help to others.
Even non-disclosure is just science-neutral, not anti-science.
Partial disclosures are common where disclosures involve risky things, or where a problem was solved as part of an economic concern. But there are non-conflicting opportunities to partially inform others.
People want AI to be able to do every good thing but no bad thing, which is impossible twice. First because false positives and false negatives trade against each other, so a general purpose AI which can do anything approximating all the good things is going to have the bias leaning heavily towards being able to do things in general and therefore being able to do many things that are bad. And second because "good" and "bad" aren't things that anybody can agree on and then some people will demand that it must do X while others demand that it not do X (e.g. "help the rebels win the war"), which means someone is inherently going to be unsatisfied and it's not a thing that can be sensibly regarded as everyone working towards a common goal.
It's like calling for a general halt to the production of military equipment. How do you expect that to actually happen?
It's a direct trade off. If you want it to do more "good" things you make it able to do more "bad" things.
> Of course you can't maximize all wishes because they often contradict each other, but there can be a reasonable trade-off. Some tradeoffs are clearly better than others.
The easy tradeoffs are the ones nobody disputes and everybody is already trying to do. There is no lobby for having it hallucinate more or give you ingredients that will combine to make poison when you ask for a tasty recipe.