The zkEVM ecosystem spent a year sprinting on latency. Proving time for an Ethereum block collapsed from 16 minutes to 16 seconds, charges dropped 45-fold, and taking part zkVMs now present ninety 9% of mainnet blocks in under 10 seconds heading within the correct route hardware.
The Ethereum Basis (EF) declared victory on Dec. 18: true-time proving works. The performance bottlenecks are cleared. Now the true work begins, because velocity with out soundness is a prison responsibility, no longer an asset, and the math under many STARK-basically based zkEVMs has been quietly breaking for months.
In July, the EF space a formal target for “true-time proving” that bundled latency, hardware, energy, openness and security: present no longer no longer up to ninety 9% of mainnet blocks within 10 seconds, on hardware that charges roughly $100,000 and runs within 10 kilowatts, with fully start-offer code, at 128-bit security, and with proof sizes at or below 300 kilobytes.
The Dec. 18 put up claims the ecosystem met the performance target, as measured on the EthProofs benchmarking space.
Real-time here is printed relative to the 12-2nd slot time and about 1.5 seconds for block propagation. The fashioned is truly “proofs are attractive quick ample that validators can examine them with out breaking liveness.”
The EF now pivots from throughput to soundness, and the pivot is blunt. Many STARK-basically based zkEVMs occupy relied on unproven mathematical conjectures to create advertised security stages.
Over the past months, some of these conjectures, notably the “proximity gap” assumptions fashioned in hash-basically based SNARK and STARK low-stage exams, had been mathematically broken, knocking down the efficient bit-security of parameter objects that depended on them.
The EF says the best acceptable endgame for L1 consume is “provable security,” no longer “security assuming conjecture X holds.”
They space 128-bit security as the target, aligning it with mainstream crypto standards our bodies and academic literature on prolonged-lived systems, as well to with true-world record computations that time to 128 bits is realistically out of reach for attackers.
The emphasis on soundness over velocity shows a qualitative inequity.
If somebody can forge a zkEVM proof, they may be able to mint arbitrary tokens or rewrite L1 reveal and create the system lie, no longer factual drain one contract.
That justifies what the EF calls a “non-negotiable” security margin for any L1 zkEVM.
Three-milestone roadmap
The put up lays out a spruce roadmap with three laborious stops. First, by the close of February 2026, every zkEVM team within the move plugs its proof system and circuits into “soundcalc,” an EF-maintained tool that computes security estimates in accordance with unique cryptanalytic bounds and the scheme’s parameters.
The yarn here is “fashioned ruler.” Rather then each team quoting their comprise bit security with bespoke assumptions, soundcalc becomes the canonical calculator and can merely furthermore be up up to now as contemporary assaults emerge.
2nd, “Glamsterdam” by the close of Could seemingly 2026 demands no longer no longer up to 100-bit provable security by strategy of soundcalc, final proofs at or below 600 kilobytes, and a compact public clarification of every team’s recursion architecture with a sketch of why it will seemingly be sound.
That quietly walks again the distinctive 128-bit requirement for early deployment and treats 100 bits as an intervening time target.
Third, “H-well-known particular person” by the close of 2026 is the fleshy bar: 128-bit provable security by soundcalc, proofs at or below 300 kilobytes, plus a formal security argument for the recursion topology. That’s where this becomes much less about engineering and more about formal systems and cryptographic proofs.
Technical levers
The EF parts to some concrete tools intended to create the 128-bit, sub-300-kilobyte target possible. They spotlight WHIR, a brand contemporary Reed-Solomon proximity test that doubles as a multilinear polynomial commitment scheme.
WHIR supplies transparent, put up-quantum security and produces proofs which would possibly be smaller and verification faster than these of older FRI-sort schemes at the same security stage.
Benchmarks at 128-bit security point to proofs roughly 1.95 instances smaller and verification a few instances faster than baseline constructions.
They reference “JaggedPCS,” a space of tactics for avoiding indecent padding when encoding traces as polynomials, which let provers steer clear of wasted work while soundless producing succinct commitments.
They mention “grinding,” which is brute-pressure browsing over protocol randomness to secure more moderately priced or smaller proofs while staying within soundness bounds, and “properly-structured recursion topology,” that come layered schemes in which many smaller proofs are aggregated into a single final proof with fastidiously argued soundness.
Exotic polynomial math and recursion tricks are being fashioned to shrink proofs backpedal after cranking security up to 128 bits.
Self reliant work admire Whirlaway uses WHIR to originate multilinear STARKs with improved effectivity, and more experimental polynomial-commitment constructions are being built from info-availability schemes.
The arithmetic is transferring quick, nevertheless it’s furthermore transferring far off from assumptions that regarded real six months ago.
What changes and the start questions
If proofs are consistently attractive within 10 seconds and preserve under 300 kilobytes, Ethereum can expand the gasoline limit with out forcing validators to re-create every transaction.
Validators would as a substitute examine a dinky proof, letting block capability develop while keeping dwelling-staking realistic. For that reason the EF’s earlier true-time put up tied latency and strength explicitly to “dwelling proving” budgets admire 10 kilowatts and sub-$100,000 rigs.
The combination of elephantine security margins and dinky proofs is what makes an “L1 zkEVM” a loyal settlement layer. If these proofs are each quick and provably 128-bit real, L2s and zk-rollups can reuse the same equipment by strategy of precompiles, and the admire between “rollup” and “L1 execution” becomes more of a configuration alternative than a rigid boundary.
Real-time proving is presently an off-chain benchmark, no longer an on-chain fact. The latency and worth numbers come from EthProofs’ curated hardware setups and workloads.
There would possibly be soundless a gap between that and thousands of self sufficient validators in point of fact working these provers at dwelling. The security yarn is in flux. The total reason soundcalc exists is that STARK and hash-basically based SNARK security parameters preserve transferring as conjectures are disproven.
Present results occupy redrawn the road between “definitely real,” “conjecturally real,” and “definitely unsafe” parameter regimes, that come this present day’s “100-bit” settings would possibly be revised again as contemporary assaults emerge.
It’s no longer certain whether all fundamental zkEVM teams will in point of fact hit 100-bit provable security by Could seemingly 2026 and 128-bit by December 2026 while staying under the proof-dimension caps, or whether some will quietly settle for decrease margins, count on heavier assumptions, or push verification off-chain for longer.
The toughest share would possibly furthermore merely no longer be math or GPUs, but formalizing and auditing the fleshy recursion architectures.
The EF admits that diversified zkEVMs in most cases create many circuits with gigantic “glue code” between them, and that documenting and proving soundness for these bespoke stacks is fundamental.
That opens a prolonged tail of work for projects admire Verified-zkEVM and formal verification frameworks, which would possibly be soundless early and uneven all the design in which by strategy of ecosystems.
A year ago, the demand become whether zkEVMs would possibly furthermore present quick ample. That demand is answered.
The contemporary demand is whether they may be able to present soundly ample, at a security stage that doesn’t count on conjectures that would possibly furthermore merely ruin the next day, with proofs sufficiently dinky to propagate all the design in which by strategy of Ethereum’s P2P community, and with recursion architectures formally verified ample to anchor a total bunch of billions of greenbacks.
The performance flee is over. The security move factual began.
