The zkEVM ecosystem has spent a yr working to enhance latency. The time to show an Ethereum block has been decreased from 16 minutes to 16 seconds, the associated fee has dropped by an element of 45, and taking part zkVMs can now show 99% of mainnet blocks on course {hardware} inside 10 seconds.
On December 18th, the Ethereum Basis (EF) declared victory in its real-time proof effort. Efficiency bottlenecks are eradicated. That is the place the actual work begins. Unhealthy pace is a legal responsibility somewhat than an asset, as many STARK-based zkEVM calculations have been quietly damaged for months.
In July, EF set a proper aim for “real-time proof,” which brings collectively latency, {hardware}, power, openness, and safety. Which means proving no less than 99% of mainnet blocks in underneath 10 seconds, working inside 10 kilowatts on roughly $100,000 {hardware}, with utterly open supply code, 128-bit safety, and a proof measurement of lower than 300 kilobytes.
In a Dec. 18 publish, the ecosystem claims to have met its efficiency targets as measured on the EthProofs benchmark web site.
Actual time right here is outlined relative to a 12 second slot time and roughly 1.5 seconds of block propagation. This customary primarily states that “proofs are ready shortly sufficient that verifiers can confirm them with out compromising validity.”
EF is at present pivoting from throughput to well being, however that axis is slowing down. Many STARK-based zkEVMs have relied on unproven mathematical hypothesis to realize their marketed safety ranges.
Over the previous few months, a few of these assumptions, significantly the “proximity hole” assumption utilized in hash-based SNARK and STARK low-order assessments, have been damaged mathematically, destroying the efficient bit safety of the parameter units that relied on them.
EF states that the one acceptable finish aim for L1 utilization is “provable safety” somewhat than “safety assuming that conjecture X holds.”
They set a aim of 128 bits of safety, in keeping with calculations from mainstream cryptographic requirements our bodies, educational literature on long-lived techniques, and real-world information that present 128 bits is realistically out of attain for attackers.
Emphasizing soundness over pace displays a qualitative distinction.
If somebody can forge a zkEVM proof, they can’t solely deplete a single contract, but additionally mint arbitrary tokens or rewrite the L1 state to misinform the system.
This justifies what EF calls a “non-negotiable” safety margin for L1 zkEVM.
Three milestone roadmap
This publish offers a transparent roadmap with three arduous stops. First, by the tip of February 2026, all zkEVM groups taking part within the race will join their proof techniques and circuits to “soundcalc,” an EF-managed instrument that calculates safety estimates primarily based on present cryptanalysis limits and scheme parameters.
The story right here is “Widespread Ruler”. As an alternative of every workforce quoting their very own little bit of safety primarily based on bespoke assumptions, soundcalc turns into an ordinary calculator that may be up to date as new assaults emerge.
Second, “gramsterdam” requires no less than 100 bits of provable safety by way of soundcalc, not more than 600 kilobytes of ultimate proof, and a compact public description of every workforce's recursive structure and a sketch of why it must be sound, by the tip of Might 2026.
This quietly rescinds the unique 128-bit requirement for early adopters and treats 100-bit as an interim goal.
Third, “H Star” by the tip of 2026 is the right customary. Formal safety dialogue of 128-bit provable safety, proofs underneath 300 kilobytes, and recursive topology with soundcalc. Now, this isn’t about engineering, however about formal strategies and cryptographic proofs.
technical lever
EF presents a number of particular instruments geared toward making the 128-bit, sub-300 kilobyte aim achievable. They deal with WHIR, a brand new Reed-Solomon proximity check that additionally features as a multilinear polynomial dedication scheme.
WHIR offers clear post-quantum safety and produces proofs which are smaller in measurement and sooner to confirm than older FRI-style schemes on the similar safety degree.
Benchmarks for 128-bit safety present that proofs are roughly 1.95 occasions smaller and verifications are a number of occasions sooner than baseline development.
They discuss with “JaggedPCS”, a set of methods to keep away from extreme padding when encoding traces as polynomials. This permits the prover to generate concise commitments whereas avoiding wasted work.
They point out “grinding,” which brute-forces the randomness of a protocol to search out low-cost or small proofs whereas protecting it inside soundness, and “well-structured recursive topology,” which refers to layered schemes that mixture many small proofs right into a single ultimate proof with rigorously argued soundness.
After growing the safety to 128 bits, uncommon polynomial calculations and recursion tips are used to cut back the proof.
Impartial research equivalent to Whirlaway have used WHIR to assemble multilinear STARKs with improved effectivity, and extra experimental polynomial dedication constructions have been constructed from information availability schemes.
The calculations are progressing quickly, however we’re transferring away from assumptions that appeared protected six months in the past.
Adjustments and open questions
If proofs are persistently prepared inside 10 seconds and keep underneath 300 kilobytes, Ethereum can improve the fuel restrict with out forcing validators to re-execute each transaction.
Validators as an alternative confirm small items of proof, increasing block capability whereas protecting house staking real looking. Because of this EF's earlier real-time publish explicitly tied latency and energy to “house testing” budgets like 10 kilowatts and sub-$100,000 rigs.
The mix of huge safety margin and small proof makes “L1 zkEVM” a dependable fee layer. If these proofs are quick and 128-bit safe, L2 and zk-rollup can reuse the identical mechanism by way of precompilation, and the excellence between “rollup” and “L1 execution” turns into a compositional selection somewhat than a tough boundary.
Actual-time proofs are at present an off-chain benchmark, not an on-chain actuality. Latency and value numbers are derived from EthProofs' rigorously chosen {hardware} setups and workloads.
There’s nonetheless a niche between the 1000’s of unbiased verifiers really working these provers at house. The safety story is in flux. The rationale soundcalc exists is that STARK and hash-based SNARK safety parameters proceed to maneuver as conjectures are disproved.
Latest outcomes have redrawn the road between “undoubtedly protected,” “speculatively protected,” and “completely unsafe” parameter regimes. Because of this the present “100-bit” setting could also be revised once more as new assaults emerge.
It’s unclear whether or not all main zkEVM groups will really attain 100 bits of provable safety by Might 2026 and 128 bits of provable safety by December 2026 with out exceeding the proof measurement restrict, or whether or not some groups will merely settle for decrease margins, depend on stricter assumptions, or delay verification off-chain.
Essentially the most tough half might not be the mathematics or the GPU, however formalizing and auditing a totally recursive structure.
EF acknowledges that completely different zkEVMs typically represent many circuits with substantial “glue cords” in between, and it’s important to doc and show the integrity of those customized stacks.
It will require prolonged work on tasks equivalent to Verified-zkEVM and formal verification frameworks, that are nonetheless of their early phases and uneven throughout the ecosystem.
A yr in the past, the query was whether or not zkEVM might show quick sufficient. That query could be answered.
The brand new query is whether or not they are often confirmed soundly sufficient, with a proof sufficiently small to propagate throughout Ethereum's P2P community, and with a recursive structure formally verified sufficient to lock in lots of of billions of {dollars}, with a degree of safety that doesn't depend on hypothesis that may break tomorrow.
The efficiency dash is over. The safety competitors has simply begun.
(Tag translation) Ethereum
