Ethereum Foundation refocuses to security over speed – sets strict 128-bit rule for 2026


The zkEVM ecosystem has spent a year working to improve latency. The time to prove an Ethereum block has been reduced from 16 minutes to 16 seconds, the cost has dropped by a factor of 45, and participating zkVMs can now prove 99% of mainnet blocks on target hardware within 10 seconds.

On December 18th, the Ethereum Foundation (EF) declared victory in its real-time proving effort. Performance bottlenecks are eliminated. This is where the real work begins. Unsound speed is a liability rather than an asset, as the math behind many STARK-based zkEVMs has been quietly broken for months.

In July, EF set a formal goal for “real-time proving,” which brings together latency, hardware, energy, openness, and security. That means proving at least 99% of mainnet blocks in under 10 seconds, running within 10 kilowatts on roughly $100,000 of hardware, with fully open source code, 128-bit security, and a proof size of less than 300 kilobytes.

In a Dec. 18 post, the ecosystem claims to have met its performance targets as measured on the EthProofs benchmark site.

Real time here is defined relative to a 12-second slot time and roughly 1.5 seconds of block propagation. The standard essentially states that “proofs are ready quickly enough that verifiers can verify them without compromising validity.”

EF is now pivoting from throughput to soundness, but that axis is slowing down. Many STARK-based zkEVMs have relied on unproven mathematical conjectures to reach their advertised security levels.

Over the past few months, some of these assumptions, particularly the “proximity gap” assumption used in hash-based SNARK and STARK low-degree tests, have been broken mathematically, destroying the effective bit security of the parameter sets that relied on them.

EF states that the only acceptable end goal for L1 use is “provable security” rather than “security assuming that conjecture X holds.”


They set a target of 128 bits of security, in line with calculations from mainstream cryptographic standards bodies, academic literature on long-lived systems, and real-world records showing that 128 bits is realistically out of reach for attackers.

Emphasizing soundness over speed reflects a qualitative difference.

If someone can forge a zkEVM proof, they can not only drain a single contract, but also mint arbitrary tokens or rewrite the L1 state so that the system lies.

This justifies what EF calls a “non-negotiable” security margin for the L1 zkEVM.

Three-milestone roadmap

The post provides a clear roadmap with three hard stops. First, by the end of February 2026, all zkEVM teams participating in the race will connect their proof systems and circuits to “soundcalc,” an EF-managed tool that calculates security estimates based on current cryptanalysis bounds and scheme parameters.

The narrative here is a “common ruler.” Instead of each team quoting its own bits of security based on bespoke assumptions, soundcalc becomes a standard calculator that can be updated as new attacks emerge.

Second, “Glamsterdam” requires at least 100 bits of provable security via soundcalc, no more than 600 kilobytes of final proof, and a compact public description of each team’s recursive architecture with a sketch of why it should be sound, by the end of May 2026.

This quietly rescinds the original 128-bit requirement for early adopters and treats 100 bits as an interim target.

Third, “H-star,” by the end of 2026, is the full standard: 128-bit provable security via soundcalc, proofs under 300 kilobytes, and a formal security argument for the recursive topology. At this point the work is no longer about engineering, but about formal methods and cryptographic proofs.

Technical levers

EF presents several specific tools aimed at making the 128-bit, sub-300 kilobyte goal achievable. They highlight WHIR, a new Reed-Solomon proximity test that also functions as a multilinear polynomial commitment scheme.


WHIR provides transparent post-quantum security and produces proofs that are smaller and faster to verify than older FRI-style schemes at the same security level.

Benchmarks at 128-bit security show that proofs are roughly 1.95 times smaller and verification is several times faster than the baseline construction.

They refer to “JaggedPCS,” a set of techniques to avoid excessive padding when encoding traces as polynomials. This allows the prover to generate concise commitments while avoiding wasted work.

They mention “grinding,” which brute-forces the randomness of a protocol to find cheaper or smaller proofs while staying within soundness bounds, and “well-structured recursive topology,” which refers to layered schemes that aggregate many small proofs into a single final proof with carefully argued soundness.

After raising the security to 128 bits, unusual polynomial math and recursion tricks are used to shrink the proof back down.
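The effect of losing a proximity conjecture, and of grinding, on bit security and query count can be seen in a simplified model. This is an added example, not code from the EF post or from soundcalc; the three regimes, the per-query error formulas (query phase only) and the parameter set are textbook simplifications and constructed values, and the function names are hypothetical.

```python
import math

# Per-query soundness error of an FRI-style proximity test on a Reed-Solomon
# code of rate rho, for three proximity regimes. Simplified model: only the
# query phase is counted; commit-phase and field-size terms are ignored.
PER_QUERY_ERROR = {
    "unique_decoding": lambda rho: (1 + rho) / 2,   # proven
    "johnson_bound": lambda rho: math.sqrt(rho),    # proven (limit case)
    "up_to_capacity": lambda rho: rho,              # conjecture-based
}

def bits_per_query(regime, rho):
    if not 0 < rho < 1:
        raise ValueError("rate must be in (0, 1)")
    return -math.log2(PER_QUERY_ERROR[regime](rho))

def security_bits(regime, rho, queries, grinding_bits=0):
    """Query-phase bits: each query multiplies the error; grinding adds bits."""
    return queries * bits_per_query(regime, rho) + grinding_bits

def queries_needed(regime, rho, target_bits, grinding_bits=0):
    """Smallest query count reaching target_bits in the given regime."""
    remaining = max(target_bits - grinding_bits, 0)
    return math.ceil(remaining / bits_per_query(regime, rho))

def audit(rho, queries, grinding_bits, target_bits):
    """Re-score one parameter set under every regime."""
    return {
        regime: {
            "bits": round(security_bits(regime, rho, queries, grinding_bits), 1),
            "queries_for_target": queries_needed(
                regime, rho, target_bits, grinding_bits),
        }
        for regime in PER_QUERY_ERROR
    }

if __name__ == "__main__":
    # Constructed parameter set: rate 1/4, 54 queries, 20 grinding bits,
    # chosen to hit exactly 128 bits under the conjecture-based regime.
    for regime, row in audit(0.25, 54, 20, 128).items():
        print(f"{regime:16s} {row['bits']:6.1f} bits, "
              f"{row['queries_for_target']} queries for 128")
```

The same parameters that score 128 bits under the conjecture score far fewer under the proven bounds, and reaching 128 provable bits needs two to three times as many queries, which is why proof size becomes the constraint once the conjecture is dropped.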

Independent work such as Whirlaway has used WHIR to construct multilinear STARKs with improved efficiency, and more experimental polynomial commitment constructions have been built from data availability schemes.

The math is progressing quickly, but it is moving away from assumptions that looked safe six months ago.

Changes and open questions

If proofs are consistently ready within 10 seconds and stay under 300 kilobytes, Ethereum can increase the gas limit without forcing validators to re-execute every transaction.

Validators instead verify small proofs, expanding block capacity while keeping home staking realistic. This is why EF’s earlier real-time post explicitly tied latency and power to “home proving” budgets like 10 kilowatts and sub-$100,000 rigs.

The combination of a large security margin and small proofs makes an “L1 zkEVM” a reliable settlement layer. If these proofs are fast and 128-bit secure, L2s and zk-rollups can reuse the same mechanism via precompiles, and the distinction between “rollup” and “L1 execution” becomes a compositional choice rather than a hard boundary.


Real-time proofs are currently an off-chain benchmark, not an on-chain reality. Latency and cost numbers are derived from EthProofs’ carefully chosen hardware setups and workloads.

There is still a gap between that and thousands of independent verifiers actually running these provers at home. The security story is in flux. The reason soundcalc exists is that STARK and hash-based SNARK security parameters continue to move as conjectures are disproved.

Recent results have redrawn the line between “definitely safe,” “conjecturally safe,” and “completely unsafe” parameter regimes. This means that the current “100-bit” setting may be revised again as new attacks emerge.

It is unclear whether all major zkEVM teams will actually reach 100 bits of provable security by May 2026 and 128 bits of provable security by December 2026 without exceeding the proof size limit, or whether some teams will simply accept lower margins, rely on stronger assumptions, or push verification off-chain.

The most difficult part may not be the math or the GPUs, but formalizing and auditing a fully recursive architecture.

EF acknowledges that different zkEVMs often consist of many circuits with substantial “glue code” in between, and that it is essential to document and prove the soundness of these custom stacks.

This will require extended work on projects such as Verified-zkEVM and formal verification frameworks, which are still in their early stages and uneven across the ecosystem.

A year ago, the question was whether zkEVMs could prove fast enough. That question has been answered.
The new question is whether they can prove soundly enough, with proofs small enough to propagate across Ethereum’s P2P network, with a recursive architecture formally verified well enough to secure hundreds of billions of dollars, and with a level of security that does not rely on conjectures that may break tomorrow.

The performance sprint is over. The security race has just begun.
