The zkEVM ecosystem has spent a 12 months engaged on enhancing latency. The time to show an Ethereum block has been lowered from 16 minutes to 16 seconds, the associated fee has dropped by an element of 45, and collaborating zkVMs can now show 99% of mainnet blocks on the right track {hardware} inside 10 seconds.
On December 18th, the Ethereum Basis (EF) declared victory in its real-time proof effort. Efficiency bottlenecks are eradicated. That is the place the true work begins. Unhealthy velocity is a legal responsibility relatively than an asset, as many STARK-based zkEVM calculations have been quietly damaged for months.
In July, EF set a proper purpose for “real-time proof,” which brings collectively latency, {hardware}, power, openness, and safety. Meaning proving no less than 99% of mainnet blocks in underneath 10 seconds, operating inside 10 kilowatts on roughly $100,000 {hardware}, with fully open supply code, 128-bit safety, and a proof dimension of lower than 300 kilobytes.
In a Dec. 18 submit, the ecosystem claims to have met its efficiency objectives as measured on the EthProofs benchmark website.
Actual time right here is outlined relative to a 12 second slot time and roughly 1.5 seconds of block propagation. This normal primarily states that “proofs are ready shortly sufficient that verifiers can confirm them with out compromising validity.”
EF is presently pivoting from throughput to well being, however that axis is slowing down. Many STARK-based zkEVMs have relied on unproven mathematical hypothesis to attain their marketed safety ranges.
Over the previous few months, a few of these assumptions, significantly the “proximity hole” assumption utilized in hash-based SNARK and STARK low-order exams, have been damaged mathematically, destroying the efficient bit safety of the parameter units that relied on them.
EF states that the one acceptable finish purpose for L1 utilization is “provable safety” relatively than “safety assuming that conjecture X holds.”
They set a purpose of 128 bits of safety, in step with calculations from mainstream cryptographic requirements our bodies, educational literature on long-lived programs, and real-world data that present 128 bits is realistically out of attain for attackers.
Emphasizing soundness over velocity displays a qualitative distinction.
If somebody can forge a zkEVM proof, they cannot solely deplete a single contract, but additionally mint arbitrary tokens or rewrite the L1 state to mislead the system.
This justifies what EF calls a “non-negotiable” safety margin for L1 zkEVM.
Three milestone roadmap
This submit supplies a transparent roadmap with three onerous stops. First, by the top of February 2026, all zkEVM groups collaborating within the race will join their proof programs and circuits to “soundcalc,” an EF-managed software that calculates safety estimates based mostly on present cryptanalysis limits and scheme parameters.
The story right here is “Widespread Ruler”. As an alternative of every workforce quoting their very own little bit of safety based mostly on bespoke assumptions, soundcalc turns into a normal calculator that may be up to date as new assaults emerge.
Second, “gramsterdam” requires no less than 100 bits of provable safety by way of soundcalc, not more than 600 kilobytes of ultimate proof, and a compact public description of every workforce’s recursive structure and a sketch of why it needs to be sound, by the top of Might 2026.
This quietly rescinds the unique 128-bit requirement for early adopters and treats 100-bit as an interim goal.
Third, “H Star” by the top of 2026 is the proper normal. Formal safety dialogue of 128-bit provable safety, proofs underneath 300 kilobytes, and recursive topology with soundcalc. Now, this isn’t about engineering, however about formal strategies and cryptographic proofs.
technical lever
EF presents a number of particular instruments aimed toward making the 128-bit, sub-300 kilobyte purpose achievable. They give attention to WHIR, a brand new Reed-Solomon proximity check that additionally features as a multilinear polynomial dedication scheme.
WHIR supplies clear post-quantum safety and produces proofs which can be smaller in dimension and sooner to confirm than older FRI-style schemes on the identical safety stage.
Benchmarks for 128-bit safety present that proofs are roughly 1.95 occasions smaller and verifications are a number of occasions sooner than baseline building.
They seek advice from “JaggedPCS”, a set of methods to keep away from extreme padding when encoding traces as polynomials. This enables the prover to generate concise commitments whereas avoiding wasted work.
They point out “grinding,” which brute-forces the randomness of a protocol to seek out low cost or small proofs whereas preserving it inside soundness, and “well-structured recursive topology,” which refers to layered schemes that mixture many small proofs right into a single closing proof with rigorously argued soundness.
After growing the safety to 128 bits, uncommon polynomial calculations and recursion tips are used to cut back the proof.
Unbiased research comparable to Whirlaway have used WHIR to assemble multilinear STARKs with improved effectivity, and extra experimental polynomial dedication buildings have been constructed from knowledge availability schemes.
The calculations are progressing quickly, however we’re shifting away from assumptions that appeared secure six months in the past.
Adjustments and open questions
If proofs are constantly prepared inside 10 seconds and keep underneath 300 kilobytes, Ethereum can improve the gasoline restrict with out forcing validators to re-execute each transaction.
Validators as an alternative confirm small items of proof, increasing block capability whereas preserving residence staking real looking. That is why EF’s earlier real-time submit explicitly tied latency and energy to “residence testing” budgets like 10 kilowatts and sub-$100,000 rigs.
The mixture of huge safety margin and small proof makes “L1 zkEVM” a dependable cost layer. If these proofs are quick and 128-bit safe, L2 and zk-rollup can reuse the identical mechanism by way of precompilation, and the excellence between “rollup” and “L1 execution” turns into a compositional alternative relatively than a tough boundary.
Actual-time proofs are presently an off-chain benchmark, not an on-chain actuality. Latency and price numbers are derived from EthProofs’ rigorously chosen {hardware} setups and workloads.
There’s nonetheless a spot between the 1000’s of unbiased verifiers really operating these provers at residence. The safety story is in flux. The explanation soundcalc exists is that STARK and hash-based SNARK safety parameters proceed to maneuver as conjectures are disproved.
Latest outcomes have redrawn the road between “positively secure,” “speculatively secure,” and “completely unsafe” parameter regimes. Which means the present “100-bit” setting could also be revised once more as new assaults emerge.
It’s unclear whether or not all main zkEVM groups will really attain 100 bits of provable safety by Might 2026 and 128 bits of provable safety by December 2026 with out exceeding the proof dimension restrict, or whether or not some groups will merely settle for decrease margins, depend on stricter assumptions, or lengthen verification off-chain.
Essentially the most troublesome half is probably not the mathematics or the GPU, however formalizing and auditing a totally recursive structure.
EF acknowledges that completely different zkEVMs usually represent many circuits with substantial “glue cords” in between, and it’s important to doc and show the integrity of those customized stacks.
This can require prolonged work on tasks comparable to Verified-zkEVM and formal verification frameworks, that are nonetheless of their early phases and uneven throughout the ecosystem.
A 12 months in the past, the query was whether or not zkEVM may show quick sufficient. That query may be answered.
The brand new query is whether or not they are often confirmed soundly sufficient, with a proof sufficiently small to propagate throughout Ethereum’s P2P community, and with a recursive structure formally verified sufficient to lock in a whole lot of billions of {dollars}, with a stage of safety that does not depend on hypothesis which may break tomorrow.
The efficiency dash is over. The safety competitors has simply begun.
