Ethereum Foundation refocuses to security over speed

The zkEVM ecosystem has been sprinting on latency for a 12 months. Proof time for an Ethereum block dropped from 16 minutes to 16 seconds, prices dropped 45x, and collaborating zkVMs now show 99% of mainnet blocks in lower than 10 seconds on track {hardware}.

The Ethereum Basis (EF) declared victory on December 18: real-time proof works. The efficiency bottlenecks have been resolved. Now the true work begins, as a result of pace with out robustness is a drawback, not an asset, and the mathematics below many STARK-based zkEVMs has been quietly breaking for months.

In July, the EF set a proper objective for “real-time proofing” that bundled latency, {hardware}, power, openness, and safety: show at the very least 99% of mainnet blocks in 10 seconds, on {hardware} costing about $100,000 and working inside 10 kilowatts, with totally open-source code, with 128-bit safety, and with proof sizes of 300 kilobytes or much less.

The December 18 message claims that the ecosystem has met its efficiency objective as measured by the EthProofs benchmarking web site.

Actual time is outlined right here relative to the slot time of 12 seconds and roughly 1.5 seconds for block propagation. The usual is actually: “proofs are prepared quick sufficient that validators can confirm them with out interrupting liveness.”

The EF is now turning from transit to solidity, and the spindle is blunt. Many STARK-based zkEVMs have relied on unproven mathematical conjectures to realize marketed safety ranges.

In latest months, a few of these conjectures, particularly the ‘proximity hole’ assumptions utilized in hash-based SNARK and STARK low-grade checks, have been mathematically debunked, overturning the efficient bit safety of parameter units that trusted them.

The EF says that the one acceptable endgame for L1 use is “demonstrable security,” not “security, assuming presumption X holds.”

They set 128-bit safety as a objective, aligning it with mainstream crypto requirements our bodies and tutorial literature on long-lived methods, in addition to real-world document calculations exhibiting that 128 bits is realistically out of attain for attackers.

The emphasis on solidity over pace displays a qualitative distinction.

If somebody can forge a zkEVM proof, he can mint random tokens or rewrite the L1 state and make the system lie, not simply empty one contract.

That justifies what the EF calls a “non-negotiable” security margin for every L1 zkEVM.

Roadmap with three milestones

The put up incorporates a transparent roadmap with three arduous stops. First, every zkEVM staff within the race on the finish of February 2026 will join its pilot system and circuits to ‘soundcalc’, an EF-maintained software that calculates safety estimates primarily based on present cryptanalytic limits and the scheme’s parameters.

The story right here is ‘widespread ruler’. As an alternative of every staff quoting their very own piece of safety with customized assumptions, soundcalc turns into the canonical calculator and might be up to date as new assaults emerge.

Second, “Glamsterdam” requires at the very least 100-bit provable safety through soundcalc, closing proofs at or under 600 kilobytes, and a compact public rationalization of every staff’s recursion structure by the top of Could 2026 with a top level view of why it needs to be sound.

This quietly rolls again the unique 128-bit requirement for early implementation and treats 100-bit as an intermediate objective.

Third, by the top of 2026, ‘H-star’ would be the full bar: 128-bit provable safety by soundcalc, proofs at or under 300 kilobytes, plus a proper safety argument for the recursion topology. That is the place it turns into much less about approach and extra about formal strategies and cryptographic proofs.

Technical levers

The EF factors to a number of concrete instruments supposed to make the objective of 128 bits and fewer than 300 kilobytes achievable. They spotlight WHIR, a brand new Reed-Solomon proximity check that doubles as a multilinear polynomial dedication scheme.

WHIR gives clear, post-quantum safety and produces proofs which can be smaller and extra rapidly verified than these of older FRI-like schemes on the identical safety degree.

Benchmarks on 128-bit safety present that proofs are roughly 1.95 occasions smaller and verification is a number of occasions quicker than baseline constructs.

They check with “JaggedPCS”, a set of methods to keep away from over-padding when encoding traces as polynomials, permitting provers to keep away from wasted work whereas nonetheless making concise commitments.

They point out “grinding,” which is the brute pressure search of arbitrary protocols to search out cheaper or smaller proofs whereas staying throughout the bounds of soundness, and “well-structured recursion topology,” which suggests layered schemes during which many smaller proofs are merged right into a single closing proof with fastidiously argued soundness.

Unique polynomial math and recursion tips are used to cut back proofs after safety has been elevated to 128 bits.

Impartial work equivalent to Whirlaway makes use of WHIR to construct multilinear STARKs with improved effectivity, and extra experimental buildings with polynomial commitments are being constructed primarily based on knowledge availability schemes.

The calculations are quick, but in addition deviate from the assumptions that regarded secure six months in the past.

What’s altering and the open questions

If proofs are constantly prepared inside 10 seconds and stay below 300 kilobytes, Ethereum can enhance the gasoline restrict with out forcing validators to redo each transaction.

Validators would as a substitute confirm a small proof, permitting block capability to develop whereas retaining the house strike reasonable. That is why EF’s earlier real-time put up explicitly linked latency and energy to “home-proven” budgets equivalent to 10 kilowatts and installations below $100,000.

The mixture of huge security margins and small proofs makes an “L1 zkEVM” a reputable settlement layer. If these proofs are each quick and provably 128-bit safe, L2s and zk rollups can reuse the identical equipment through precompiles, and the excellence between “rollup” and “L1 execution” turns into extra of a configuration alternative than a inflexible boundary.

Actual-time proof is at present an off-chain benchmark, not an on-chain actuality. The latency and value figures come from the {hardware} settings and workloads compiled by EthProofs.

There’s nonetheless a spot between that and the 1000’s of impartial validators who really run these provers at dwelling. The protection story is in flux. The entire purpose soundcalc exists is that STARK and hash-based SNARK safety parameters maintain evolving as suspicions are refuted.

Latest outcomes have redrawn the road between “completely safe,” “presumably safe” and “completely unsafe” parameter regimes, that means that the present “100-bit” settings could possibly be revised once more as new assaults emerge.

It is not clear whether or not all main zkEVM groups will really attain 100-bit provable safety by Could 2026 and 128-bit by December 2026, whereas staying under proof-size limits, or whether or not some will quietly settle for decrease margins, depend on heavier assumptions, or push verification off-chain for longer.

Associated studying

Ethereum strikes in direction of censorship-resistant scaling with zkEVM layer-1 shift

The shift from Ethereum to zkEVM goals to decentralize validation with ‘dwelling proving’, making block verification accessible to everybody.

July 11, 2025 · Oluwapelumi Adejumo

The toughest half is probably not the mathematics or GPUs, however formalizing and checking your entire recursion architectures.

The EF admits that numerous zkEVMs usually assemble many circuits with substantial ‘glue code’ between them, and that documenting and proving the soundness of these customized stacks is important.

That opens up a protracted line of labor for tasks like Verified-zkEVM and formal verification frameworks, that are nonetheless of their infancy and inconsistently distributed throughout ecosystems.

A 12 months in the past, the query was whether or not zkEVMs may show quick sufficient. That query is answered.
The brand new query is whether or not they can show strong sufficient, at a degree of safety that does not depend on presumptions that may be appropriate tomorrow, with proofs sufficiently small to unfold throughout Ethereum’s P2P community, and with recursion architectures formally verified sufficient to anchor tons of of billions of {dollars}.

The efficiency dash is over. The protection race has simply begun.