The zkEVM ecosystem has spent a yr engaged on bettering latency. The time to show an Ethereum block has been lowered from 16 minutes to 16 seconds, the price has dropped by an element of 45, and taking part zkVMs can now show 99% of mainnet blocks on course {hardware} inside 10 seconds.
On December 18th, the Ethereum Basis (EF) declared victory in its real-time proof effort. Efficiency bottlenecks are eradicated. That is the place the true work begins. Unhealthy velocity is a legal responsibility relatively than an asset, as many STARK-based zkEVM calculations have been quietly damaged for months.
In July, EF set a proper aim for “real-time proof,” which brings collectively latency, {hardware}, vitality, openness, and safety. Which means proving not less than 99% of mainnet blocks in underneath 10 seconds, working inside 10 kilowatts on roughly $100,000 {hardware}, with utterly open supply code, 128-bit safety, and a proof dimension of lower than 300 kilobytes.
In a Dec. 18 put up, the ecosystem claims to have met its efficiency objectives as measured on the EthProofs benchmark website.
Actual time right here is outlined relative to a 12 second slot time and roughly 1.5 seconds of block propagation. This commonplace basically states that “proofs are ready rapidly sufficient that verifiers can confirm them with out compromising validity.”
EF is at present pivoting from throughput to well being, however that axis is slowing down. Many STARK-based zkEVMs have relied on unproven mathematical hypothesis to attain their marketed safety ranges.
Over the previous few months, a few of these assumptions, notably the “proximity hole” assumption utilized in hash-based SNARK and STARK low-order checks, have been damaged mathematically, destroying the efficient bit safety of the parameter units that relied on them.
EF states that the one acceptable finish aim for L1 utilization is “provable safety” relatively than “safety assuming that conjecture X holds.”
They set a aim of 128 bits of safety, according to calculations from mainstream cryptographic requirements our bodies, educational literature on long-lived techniques, and real-world data that present 128 bits is realistically out of attain for attackers.
Emphasizing soundness over velocity displays a qualitative distinction.
If somebody can forge a zkEVM proof, they can’t solely deplete a single contract, but in addition mint arbitrary tokens or rewrite the L1 state to deceive the system.
This justifies what EF calls a “non-negotiable” safety margin for L1 zkEVM.
Three milestone roadmap
This put up offers a transparent roadmap with three arduous stops. First, by the tip of February 2026, all zkEVM groups taking part within the race will join their proof techniques and circuits to “soundcalc,” an EF-managed instrument that calculates safety estimates primarily based on present cryptanalysis limits and scheme parameters.
The story right here is “Widespread Ruler”. As an alternative of every group quoting their very own little bit of safety primarily based on bespoke assumptions, soundcalc turns into a regular calculator that may be up to date as new assaults emerge.
Second, “gramsterdam” requires not less than 100 bits of provable safety by way of soundcalc, not more than 600 kilobytes of ultimate proof, and a compact public description of every group’s recursive structure and a sketch of why it must be sound, by the tip of Could 2026.
This quietly rescinds the unique 128-bit requirement for early adopters and treats 100-bit as an interim goal.
Third, “H Star” by the tip of 2026 is the proper commonplace. Formal safety dialogue of 128-bit provable safety, proofs underneath 300 kilobytes, and recursive topology with soundcalc. Now, this isn’t about engineering, however about formal strategies and cryptographic proofs.
technical lever
EF presents a number of particular instruments aimed toward making the 128-bit, sub-300 kilobyte aim achievable. They concentrate on WHIR, a brand new Reed-Solomon proximity check that additionally features as a multilinear polynomial dedication scheme.
WHIR offers clear post-quantum safety and produces proofs which might be smaller in dimension and quicker to confirm than older FRI-style schemes on the identical safety degree.
Benchmarks for 128-bit safety present that proofs are roughly 1.95 occasions smaller and verifications are a number of occasions quicker than baseline building.
They consult with “JaggedPCS”, a set of strategies to keep away from extreme padding when encoding traces as polynomials. This enables the prover to generate concise commitments whereas avoiding wasted work.
They point out “grinding,” which brute-forces the randomness of a protocol to search out low cost or small proofs whereas conserving it inside soundness, and “well-structured recursive topology,” which refers to layered schemes that mixture many small proofs right into a single ultimate proof with fastidiously argued soundness.
After rising the safety to 128 bits, uncommon polynomial calculations and recursion tips are used to scale back the proof.
Unbiased research equivalent to Whirlaway have used WHIR to assemble multilinear STARKs with improved effectivity, and extra experimental polynomial dedication constructions have been constructed from information availability schemes.
The calculations are progressing quickly, however we’re transferring away from assumptions that appeared protected six months in the past.
Modifications and open questions
If proofs are constantly prepared inside 10 seconds and keep underneath 300 kilobytes, Ethereum can improve the gasoline restrict with out forcing validators to re-execute each transaction.
Validators as an alternative confirm small items of proof, increasing block capability whereas conserving dwelling staking practical. For this reason EF’s earlier real-time put up explicitly tied latency and energy to “dwelling testing” budgets like 10 kilowatts and sub-$100,000 rigs.
The mixture of enormous safety margin and small proof makes “L1 zkEVM” a dependable cost layer. If these proofs are quick and 128-bit safe, L2 and zk-rollup can reuse the identical mechanism by way of precompilation, and the excellence between “rollup” and “L1 execution” turns into a compositional selection relatively than a tough boundary.
Actual-time proofs are at present an off-chain benchmark, not an on-chain actuality. Latency and price numbers are derived from EthProofs’ fastidiously chosen {hardware} setups and workloads.
There’s nonetheless a niche between the hundreds of unbiased verifiers truly working these provers at dwelling. The safety story is in flux. The rationale soundcalc exists is that STARK and hash-based SNARK safety parameters proceed to maneuver as conjectures are disproved.
Latest outcomes have redrawn the road between “undoubtedly protected,” “speculatively protected,” and “completely unsafe” parameter regimes. Which means that the present “100-bit” setting could also be revised once more as new assaults emerge.
It’s unclear whether or not all main zkEVM groups will truly attain 100 bits of provable safety by Could 2026 and 128 bits of provable safety by December 2026 with out exceeding the proof dimension restrict, or whether or not some groups will merely settle for decrease margins, depend on stricter assumptions, or extend verification off-chain.
Essentially the most tough half is probably not the maths or the GPU, however formalizing and auditing a totally recursive structure.
EF acknowledges that totally different zkEVMs typically represent many circuits with substantial “glue cords” in between, and it’s important to doc and show the integrity of those customized stacks.
This can require prolonged work on tasks equivalent to Verified-zkEVM and formal verification frameworks, that are nonetheless of their early levels and uneven throughout the ecosystem.
A yr in the past, the query was whether or not zkEVM may show quick sufficient. That query may be answered.
The brand new query is whether or not they are often confirmed soundly sufficient, with a proof sufficiently small to propagate throughout Ethereum’s P2P community, and with a recursive structure formally verified sufficient to lock in tons of of billions of {dollars}, with a degree of safety that does not depend on hypothesis which may break tomorrow.
The efficiency dash is over. The safety competitors has simply begun.