The ZK Soundness Crisis: Inside Trail of Bits’ Hack on Google's Quantum Proof

In late March 2026, Google’s Quantum AI group made a paradigm-shifting announcement: first-generation quantum computers could break standard elliptic curve cryptography (ECDLP) keys in as little as nine minutes. But because publishing the exact quantum circuit scripts would pose an immediate threat to the global internet, Google opted for a groundbreaking method of responsible disclosure. Instead of releasing the raw code, they used Succinct Labs’ SP1 zkVM to generate a Zero-Knowledge Proof (ZKP), proving they possessed the optimized circuit without revealing its design.

It was hailed as a milestone for privacy-first security. Then, Trail of Bits entered the chat.

Just over two weeks later, security researcher Keegan Ryan published a shocking post detailing how Trail of Bits had successfully "beaten" Google's proof on all performance metrics. The catch? They didn’t design a better quantum circuit. Instead, they hacked the zero-knowledge virtual machine's guest code, forging a mathematically impossible proof.

The "Soundness Trap" of zkVM Optimization

At the core of the exploit lies the fundamental reality of zkVMs: a ZK proof only attests that a specific program ran successfully. If that program contains a logical flaw or undefined behavior, the proof remains cryptographically valid, but the claim it makes is a lie.

To keep proof generation costs low inside the RISC-V-based SP1 environment, developers must optimize cycle counts. To achieve this, Google's simulator bypassed standard Rust safety bounds checks, using unsafe blocks and rkyv::access_unchecked to parse incoming circuit bytes.

By analyzing the unpatched guest code, Trail of Bits discovered a blueprint for exploitation:

• Unchecked Deserialization: By passing malformed circuit data into rkyv::access_unchecked, they forced the simulator outside of its intended boundaries.
• Register Aliasing: Manipulating operation types allowed them to bypass internal validation logic entirely.
• Counter Bypassing: They tricked the simulator into completely skipping the counting of Toffoli gates while maintaining the appearance of a successful execution.

Forging the Impossible

By bypassing the Toffoli gate counter and manipulating simulated register values, Trail of Bits generated a valid Groth16 proof using Google’s original verification key. The forged proof claimed an algorithm that solved ECDLP using exactly zero Toffoli gates. Mathematically, this is sheer fantasy—yet the zkVM verifier accepted it as absolute truth.

Google has since patched their verification code (releasing Version 2), and their core scientific claims remain unchallenged. However, this historic exploit serves as a massive wake-up call for the ZK tech sector. As zkVMs move from research labs into high-value production environments, developers must remember that prioritizing performance by cutting corners on memory safety can completely shatter the cryptographic security they set out to build.