Trail of Bits says it “beat” Google’s zero-knowledge proof — but not with quantum magic

April 17, 2026

What happened

Trail of Bits published a blog post claiming they produced a zero-knowledge proof that outperforms Google’s recent zk proof of a quantum-optimized circuit used to estimate the cost of breaking elliptic-curve keys. It has been reported that their proof verifies against Google’s unpatched verifier and uses the same verification key, and that Trail of Bits released the code they used to produce the proof. No new quantum algorithm here — just a very awkward engineering moment.

How they did it

According to Trail of Bits, the improvement wasn’t algorithmic but adversarial: they allegedly exploited multiple subtle memory-safety and logic vulnerabilities in Google’s Rust prover code. Trail of Bits says the result is cryptographically indistinguishable from a genuine proof that would stem from circuit-level optimizations. Google has reportedly patched the prover; the company says the scientific claims about quantum cost estimates remain valid.

The numbers

Trail of Bits published concrete figures to make the point. Where Google reported ~17 million total operations, Trail of Bits’ forged proof claims 8.3 million; qubit counts drop to about 1,164 versus Google’s reported 1,425/1,175; and, strikingly, they report a Toffoli count of 0 compared with Google’s millions. If accurate, those numbers are eye-popping — and they underscore why a verifier bug can be as consequential as a math mistake.

Why this matters

This isn’t just a bruise on Google’s ego. It’s a wake-up call about the attack surface introduced by composing cryptography with systems software: zkVMs, compilers, prover runtimes — all potential targets. Zero-knowledge proofs are hot right now (hello, Ethereum and privacy-preserving tooling), but security is only as strong as the code that implements them. So who watches the verifiers? In short: expect more audits, more patches, and more theater — and maybe fewer breathless headlines equating a verified proof with an unassailable scientific breakthrough.

Sources: blog.trailofbits.com, Lobsters