The zkEVM ecosystem has spent a 12 months engaged on enhancing latency. The time to show an Ethereum block has been lowered from 16 minutes to 16 seconds, the associated fee has dropped by an element of 45, and collaborating zkVMs can now show 99% of mainnet blocks on course {hardware} inside 10 seconds.
On December 18th, the Ethereum Basis (EF) declared victory in its real-time proof effort. Efficiency bottlenecks are eradicated. That is the place the actual work begins. Unhealthy velocity is a legal responsibility somewhat than an asset, as many STARK-based zkEVM calculations have been quietly damaged for months.
In July, EF set a proper objective for “real-time proof,” which brings collectively latency, {hardware}, vitality, openness, and safety. Meaning proving at the very least 99% of mainnet blocks in underneath 10 seconds, working inside 10 kilowatts on roughly $100,000 {hardware}, with utterly open supply code, 128-bit safety, and a proof dimension of lower than 300 kilobytes.
In a Dec. 18 put up, the ecosystem claims to have met its efficiency targets as measured on the EthProofs benchmark website.
Actual time right here is outlined relative to a 12 second slot time and roughly 1.5 seconds of block propagation. This customary primarily states that “proofs are ready rapidly sufficient that verifiers can confirm them with out compromising validity.”
EF is at present pivoting from throughput to well being, however that axis is slowing down. Many STARK-based zkEVMs have relied on unproven mathematical hypothesis to attain their marketed safety ranges.
Over the previous few months, a few of these assumptions, significantly the “proximity hole” assumption utilized in hash-based SNARK and STARK low-order exams, have been damaged mathematically, destroying the efficient bit safety of the parameter units that relied on them.
EF states that the one acceptable finish objective for L1 utilization is “provable safety” somewhat than “safety assuming that conjecture X holds.”
They set a objective of 128 bits of safety, in line with calculations from mainstream cryptographic requirements our bodies, educational literature on long-lived programs, and real-world information that present 128 bits is realistically out of attain for attackers.
Emphasizing soundness over velocity displays a qualitative distinction.
If somebody can forge a zkEVM proof, they can’t solely deplete a single contract, but in addition mint arbitrary tokens or rewrite the L1 state to mislead the system.
This justifies what EF calls a “non-negotiable” safety margin for L1 zkEVM.
Three milestone roadmap
This put up gives a transparent roadmap with three exhausting stops. First, by the tip of February 2026, all zkEVM groups collaborating within the race will join their proof programs and circuits to “soundcalc,” an EF-managed device that calculates safety estimates based mostly on present cryptanalysis limits and scheme parameters.
The story right here is “Frequent Ruler”. As a substitute of every workforce quoting their very own little bit of safety based mostly on bespoke assumptions, soundcalc turns into a typical calculator that may be up to date as new assaults emerge.
Second, “gramsterdam” requires at the very least 100 bits of provable safety through soundcalc, not more than 600 kilobytes of ultimate proof, and a compact public description of every workforce’s recursive structure and a sketch of why it must be sound, by the tip of Could 2026.
This quietly rescinds the unique 128-bit requirement for early adopters and treats 100-bit as an interim goal.
Third, “H Star” by the tip of 2026 is the proper customary. Formal safety dialogue of 128-bit provable safety, proofs underneath 300 kilobytes, and recursive topology with soundcalc. Now, this isn’t about engineering, however about formal strategies and cryptographic proofs.
technical lever
EF presents a number of particular instruments geared toward making the 128-bit, sub-300 kilobyte objective achievable. They give attention to WHIR, a brand new Reed-Solomon proximity take a look at that additionally features as a multilinear polynomial dedication scheme.
WHIR gives clear post-quantum safety and produces proofs which might be smaller in dimension and quicker to confirm than older FRI-style schemes on the identical safety stage.
Benchmarks for 128-bit safety present that proofs are roughly 1.95 occasions smaller and verifications are a number of occasions quicker than baseline development.
They confer with “JaggedPCS”, a set of methods to keep away from extreme padding when encoding traces as polynomials. This enables the prover to generate concise commitments whereas avoiding wasted work.
They point out “grinding,” which brute-forces the randomness of a protocol to seek out low cost or small proofs whereas maintaining it inside soundness, and “well-structured recursive topology,” which refers to layered schemes that combination many small proofs right into a single closing proof with rigorously argued soundness.
After rising the safety to 128 bits, uncommon polynomial calculations and recursion methods are used to cut back the proof.
Impartial research similar to Whirlaway have used WHIR to assemble multilinear STARKs with improved effectivity, and extra experimental polynomial dedication buildings have been constructed from information availability schemes.
The calculations are progressing quickly, however we’re shifting away from assumptions that appeared secure six months in the past.
Modifications and open questions
If proofs are persistently prepared inside 10 seconds and keep underneath 300 kilobytes, Ethereum can enhance the gasoline restrict with out forcing validators to re-execute each transaction.
Validators as a substitute confirm small items of proof, increasing block capability whereas maintaining residence staking lifelike. Because of this EF’s earlier real-time put up explicitly tied latency and energy to “residence testing” budgets like 10 kilowatts and sub-$100,000 rigs.
The mixture of enormous safety margin and small proof makes “L1 zkEVM” a dependable fee layer. If these proofs are quick and 128-bit safe, L2 and zk-rollup can reuse the identical mechanism through precompilation, and the excellence between “rollup” and “L1 execution” turns into a compositional selection somewhat than a tough boundary.
Actual-time proofs are at present an off-chain benchmark, not an on-chain actuality. Latency and value numbers are derived from EthProofs’ rigorously chosen {hardware} setups and workloads.
There’s nonetheless a spot between the hundreds of unbiased verifiers really working these provers at residence. The safety story is in flux. The explanation soundcalc exists is that STARK and hash-based SNARK safety parameters proceed to maneuver as conjectures are disproved.
Current outcomes have redrawn the road between “positively secure,” “speculatively secure,” and “completely unsafe” parameter regimes. Which means that the present “100-bit” setting could also be revised once more as new assaults emerge.
It’s unclear whether or not all main zkEVM groups will really attain 100 bits of provable safety by Could 2026 and 128 bits of provable safety by December 2026 with out exceeding the proof dimension restrict, or whether or not some groups will merely settle for decrease margins, depend on stricter assumptions, or lengthen verification off-chain.
Probably the most tough half is probably not the mathematics or the GPU, however formalizing and auditing a totally recursive structure.
EF acknowledges that totally different zkEVMs typically represent many circuits with substantial “glue cords” in between, and it’s important to doc and show the integrity of those customized stacks.
It will require prolonged work on tasks similar to Verified-zkEVM and formal verification frameworks, that are nonetheless of their early levels and uneven throughout the ecosystem.
A 12 months in the past, the query was whether or not zkEVM might show quick sufficient. That query may be answered.
The brand new query is whether or not they are often confirmed soundly sufficient, with a proof sufficiently small to propagate throughout Ethereum’s P2P community, and with a recursive structure formally verified sufficient to lock in tons of of billions of {dollars}, with a stage of safety that does not depend on hypothesis which may break tomorrow.
The efficiency dash is over. The safety competitors has simply begun.
(Tag translation) Ethereum
