Ethereum Foundation refocuses to security over speed – sets strict 128-bit rule for 2026

The zkEVM ecosystem spent a yr sprinting on latency. Proving time for an Ethereum block collapsed from 16 minutes to 16 seconds, prices dropped 45-fold, and taking part zkVMs now show 99% of mainnet blocks in underneath 10 seconds on track {hardware}.

The Ethereum Foundation (EF) declared victory on Dec. 18: real-time proving works. The efficiency bottlenecks are cleared. Now the actual work begins, as a result of speed with out soundness is a legal responsibility, not an asset, and the maths underneath many STARK-based zkEVMs has been quietly breaking for months.

In July, the EF set a proper goal for “real-time proving” that bundled latency, {hardware}, vitality, openness and security: show at the very least 99% of mainnet blocks inside 10 seconds, on {hardware} that prices roughly $100,000 and runs inside 10 kilowatts, with totally open-source code, at 128-bit security, and with proof sizes at or under 300 kilobytes.

The Dec. 18 post claims the ecosystem met the efficiency goal, as measured on the EthProofs benchmarking website.

Real-time right here is outlined relative to the 12-second slot time and about 1.5 seconds for block propagation. The normal is basically “proofs are prepared quick sufficient that validators can confirm them with out breaking liveness.”

The EF now pivots from throughput to soundness, and the pivot is blunt. Many STARK-based zkEVMs have relied on unproven mathematical conjectures to obtain marketed security ranges.

Over the previous months, a few of these conjectures, particularly the “proximity hole” assumptions utilized in hash-based SNARK and STARK low-degree assessments, have been mathematically damaged, flattening the efficient bit-security of parameter sets that trusted them.

The EF says the one acceptable endgame for L1 use is “provable security,” not “security assuming conjecture X holds.”

They set 128-bit security because the goal, aligning it with mainstream crypto requirements our bodies and educational literature on long-lived techniques, in addition to with real-world document computations that present 128 bits is realistically out of attain for attackers.

The emphasis on soundness over speed displays a qualitative distinction.

If somebody can forge a zkEVM proof, they will mint arbitrary tokens or rewrite L1 state and make the system lie, not simply drain one contract.

That justifies what the EF calls a “non-negotiable” security margin for any L1 zkEVM.

Three-milestone roadmap

The submit lays out a clear roadmap with three laborious stops. First, by the tip of February 2026, each zkEVM workforce within the race plugs its proof system and circuits into “soundcalc,” an EF-maintained device that computes security estimates based mostly on present cryptanalytic bounds and the scheme’s parameters.

The story right here is “frequent ruler.” Instead of every workforce quoting their very own bit security with bespoke assumptions, soundcalc turns into the canonical calculator and may be up to date as new assaults emerge.

Second, “Glamsterdam” by the tip of May 2026 calls for at the very least 100-bit provable security through soundcalc, closing proofs at or under 600 kilobytes, and a compact public clarification of every workforce’s recursion structure with a sketch of why it must be sound.

That quietly walks again the unique 128-bit requirement for early deployment and treats 100 bits as an interim goal.

Third, “H-star” by the tip of 2026 is the total bar: 128-bit provable security by soundcalc, proofs at or under 300 kilobytes, plus a proper security argument for the recursion topology. That is the place this turns into much less about engineering and extra about formal strategies and cryptographic proofs.

Technical levers

The EF factors to a number of concrete instruments meant to make the 128-bit, sub-300-kilobyte goal possible. They spotlight WHIR, a brand new Reed-Solomon proximity check that doubles as a multilinear polynomial dedication scheme.

WHIR affords clear, post-quantum security and produces proofs which might be smaller and verification sooner than these of older FRI-style schemes on the identical security stage.

Benchmarks at 128-bit security present proofs roughly 1.95 occasions smaller and verification a number of occasions sooner than baseline constructions.

They reference “JaggedPCS,” a set of methods for avoiding extreme padding when encoding traces as polynomials, which let provers keep away from wasted work whereas nonetheless producing succinct commitments.

They point out “grinding,” which is brute-force looking out over protocol randomness to discover cheaper or smaller proofs whereas staying inside soundness bounds, and “well-structured recursion topology,” that means layered schemes wherein many smaller proofs are aggregated right into a single closing proof with fastidiously argued soundness.

Exotic polynomial math and recursion tips are getting used to shrink proofs again down after cranking security up to 128 bits.

Independent work like Whirlaway makes use of WHIR to construct multilinear STARKs with improved effectivity, and extra experimental polynomial-commitment constructions are being constructed from data-availability schemes.

The math is transferring quick, however it’s additionally transferring away from assumptions that appeared secure six months in the past.

What modifications and the open questions

If proofs are persistently prepared inside 10 seconds and keep underneath 300 kilobytes, Ethereum can enhance the fuel restrict with out forcing validators to re-execute each transaction.

Validators would as a substitute confirm a small proof, letting block capability develop whereas retaining home-staking sensible. This is why the EF’s earlier real-time submit tied latency and energy explicitly to “residence proving” budgets like 10 kilowatts and sub-$100,000 rigs.

The mixture of huge security margins and small proofs is what makes an “L1 zkEVM” a reputable settlement layer. If these proofs are each quick and provably 128-bit safe, L2s and zk-rollups can reuse the identical equipment through precompiles, and the excellence between “rollup” and “L1 execution” turns into extra of a configuration selection than a inflexible boundary.

Real-time proving is at present an off-chain benchmark, not an on-chain actuality. The latency and value numbers come from EthProofs’ curated {hardware} setups and workloads.

There remains to be a niche between that and hundreds of unbiased validators really working these provers at residence. The security story is in flux. The entire purpose soundcalc exists is that STARK and hash-based SNARK security parameters maintain transferring as conjectures are disproven.

Recent outcomes have redrawn the road between “undoubtedly secure,” “conjecturally secure,” and “undoubtedly unsafe” parameter regimes, that means right this moment’s “100-bit” settings could also be revised once more as new assaults emerge.

It’s not clear whether or not all main zkEVM groups will really hit 100-bit provable security by May 2026 and 128-bit by December 2026 whereas staying underneath the proof-size caps, or whether or not some will quietly settle for decrease margins, depend on heavier assumptions, or push verification off-chain for longer.

The hardest half will not be math or GPUs, however formalizing and auditing the total recursion architectures.

The EF admits that totally different zkEVMs typically compose many circuits with substantial “glue code” between them, and that documenting and proving soundness for these bespoke stacks is important.

That opens an extended tail of labor for initiatives like Verified-zkEVM and formal verification frameworks, that are nonetheless early and uneven throughout ecosystems.

A yr in the past, the query was whether or not zkEVMs may show quick sufficient. That query is answered.
The new query is whether or not they can show soundly sufficient, at a security stage that does not rely upon conjectures which will break tomorrow, with proofs sufficiently small to propagate throughout Ethereum’s P2P community, and with recursion architectures formally verified sufficient to anchor lots of of billions of {dollars}.

The efficiency dash is over. The security race simply began.

The submit Ethereum Foundation refocuses to security over speed – sets strict 128-bit rule for 2026 appeared first on CryptoSlate.