Ethereum's Security Overhaul: The 128-Bit Rule and the Future of zkEVMs in 2026
For the past year, the Ethereum ecosystem has been laser-focused on improving the speed of zero-knowledge (zk) proofs, particularly within the realm of zkEVMs. Impressive gains were made – proving times for an Ethereum block plummeted from 16 minutes to a mere 16 seconds, costs decreased dramatically (a 45-fold reduction), and participating zkVMs now routinely prove 99% of mainnet blocks in under 10 seconds on target hardware. On December 18th, the Ethereum Foundation (EF) declared a significant victory: real-time proving is now achievable. However, this milestone isn't a finish line, but a pivotal shift in focus. Speed without robust security is a dangerous liability, and recent discoveries have revealed vulnerabilities in the mathematical foundations of many STARK-based zkEVMs. This article dives deep into the EF’s new security roadmap, the challenges ahead, and what it means for the future of Ethereum scaling.
The Shift from Speed to Soundness: Why Security Takes Center Stage
In July, the EF established a clear benchmark for “real-time proving,” encompassing latency, hardware requirements, energy consumption, openness, and, crucially, security. The target: prove at least 99% of mainnet blocks within 10 seconds, using hardware costing around $100,000 and consuming under 10 kilowatts of power, with fully open-source code, 128-bit security, and proof sizes capped at 300 kilobytes. The December 18th announcement confirmed the ecosystem had met the performance goals, as measured by the EthProofs benchmarking site.
“Real-time” in this context means proofs are generated quickly enough to allow validators to verify them without compromising the network’s liveness. But the EF’s recent pivot emphasizes that achieving this speed is only half the battle. The core concern now is soundness – ensuring the proofs are mathematically valid and cannot be forged. Many STARK-based zkEVMs have relied on unproven mathematical conjectures to achieve their advertised security levels, and these conjectures are now being challenged.
The Problem with Proximity Gaps and Hash-Based SNARKs
Over the past several months, critical assumptions underpinning the security of some zkEVMs have been mathematically disproven. Specifically, the “proximity gap” assumptions used in hash-based SNARK and STARK low-degree tests have been found to be flawed. This significantly reduces the effective bit-security of parameter sets that depend on these assumptions. The EF is adamant: the only acceptable path forward for Layer 1 (L1) use is “provable security,” not security contingent on unproven hypotheses.
The EF has set 128-bit security as the new standard, aligning with established cryptographic norms and academic research. Breaking a system at this security level is considered realistically out of reach for attackers with current computational resources. This emphasis on soundness over speed is paramount. A forged zkEVM proof could allow malicious actors to mint arbitrary tokens or rewrite L1 state, effectively compromising the entire system – a far more devastating outcome than simply draining a single contract.
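The sketch below is an added illustration, not code from the EF or from soundcalc: a simplified Python model of how the assumed proximity regime changes the bit-security of a FRI-style query phase. The rate of 1/4, the 64-query parameter set, the regime names, and the treatment of grinding as additive proof-of-work bits are assumptions; commit-phase and field-size error terms are ignored, so real estimates are lower.

```python
import math

# Per-query soundness error of a FRI-style low-degree test at code rate rho.
# Each regime assumes a different proximity radius (simplified textbook model).
REGIMES = {
    # Conjecture: proximity gaps hold up to distance 1 - rho (capacity).
    "conjectured_capacity": lambda rho: rho,
    # Proven: Johnson bound, distance up to 1 - sqrt(rho).
    "proven_johnson": lambda rho: math.sqrt(rho),
    # Proven: unique-decoding radius, distance up to (1 - rho) / 2.
    "proven_unique_decoding": lambda rho: (1 + rho) / 2,
}

def bits_per_query(regime, rho):
    """Bits of soundness each query contributes under the given regime."""
    if not 0 < rho < 1:
        raise ValueError("rate must be strictly between 0 and 1")
    return -math.log2(REGIMES[regime](rho))

def effective_bits(regime, rho, queries, grinding_bits=0):
    """Query-phase security of a parameter set (assumption: grinding adds bits)."""
    return queries * bits_per_query(regime, rho) + grinding_bits

def queries_needed(regime, rho, target_bits, grinding_bits=0):
    """Queries required to reach target_bits; more queries mean larger proofs."""
    remaining = max(target_bits - grinding_bits, 0)
    return math.ceil(remaining / bits_per_query(regime, rho))

def compare(rho, queries, target_bits, grinding_bits=0):
    """Map regime -> (bits the parameter set really has, queries for target)."""
    return {
        regime: (
            round(effective_bits(regime, rho, queries, grinding_bits), 1),
            queries_needed(regime, rho, target_bits, grinding_bits),
        )
        for regime in REGIMES
    }

if __name__ == "__main__":
    # Constructed parameter set: rate 1/4, 64 queries, sized for "128 bits"
    # under the capacity conjecture.
    for regime, (bits, needed) in compare(0.25, 64, 128).items():
        print(f"{regime:24s} {bits:6.1f} bits now, {needed:3d} queries for 128")
```

A parameter set sized for 128 bits under the conjecture drops to 64 bits under the Johnson-bound analysis, and restoring 128 bits doubles the query count, which is why the proof-size caps and the security target pull against each other.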
The Three-Phase Roadmap to Secure zkEVMs
The EF has outlined a clear, three-stage roadmap with firm deadlines to ensure the development of secure zkEVMs:
- Phase 1: Soundcalc Integration (by February 2026): Every zkEVM team must integrate their proof system and circuits into “soundcalc,” an EF-maintained tool that calculates security estimates based on current cryptanalytic bounds and scheme parameters. This establishes a “common ruler” for evaluating security, eliminating subjective assessments and allowing for updates as new attacks emerge.
- Phase 2: Glamsterdam (by May 2026): Teams must demonstrate at least 100-bit provable security via soundcalc, generate final proofs under 600 kilobytes, and provide a clear explanation of their recursion architecture, justifying its soundness. This represents an interim target, acknowledging the difficulty of immediately achieving 128-bit security.
- Phase 3: H-star (by December 2026): The ultimate goal: 128-bit provable security via soundcalc, proofs under 300 kilobytes, and a formal security argument for the recursion topology. This phase demands rigorous formal methods and cryptographic proofs, moving beyond purely engineering solutions.
Technical Tools for Achieving 128-Bit Security
The EF is actively developing and promoting several tools to facilitate the achievement of the 128-bit, sub-300-kilobyte target:
- WHIR: A new Reed-Solomon proximity test that also functions as a multilinear polynomial commitment scheme. WHIR offers transparent, post-quantum security and generates smaller, faster-to-verify proofs compared to older FRI-style schemes. Benchmarks show proofs are roughly 1.95 times smaller and verification is significantly faster at 128-bit security.
- JaggedPCS: A set of techniques designed to minimize padding when encoding traces as polynomials, reducing wasted computational effort while maintaining succinct commitments.
- Grinding: A brute-force search for cheaper or smaller proofs within established soundness bounds.
- Well-Structured Recursion Topology: Layered schemes that aggregate many smaller proofs into a single final proof, with carefully argued soundness properties.
Independent projects like Whirlaway are also leveraging WHIR to build more efficient multilinear STARKs, and experimental polynomial-commitment constructions are being developed using data-availability schemes. The mathematical landscape is evolving rapidly, and assumptions that seemed secure just months ago are now being re-evaluated.
Implications for Ethereum and Layer-2 Scaling
If proofs can consistently be generated within 10 seconds and remain under 300 kilobytes, Ethereum can increase the gas limit without requiring validators to re-execute every transaction. Instead, validators would verify a small proof, enabling greater block capacity while maintaining realistic home-staking requirements. This is why the EF’s earlier real-time post explicitly linked latency and power consumption to “home proving” budgets like 10 kilowatts and sub-$100,000 rigs.
The combination of strong security margins and small proofs is what defines a credible “L1 zkEVM” settlement layer. If these proofs are both fast and provably 128-bit secure, Layer-2 solutions and zk-rollups can leverage the same infrastructure via precompiles, blurring the lines between “rollup” and “L1 execution.”
Remaining Challenges and Open Questions
Currently, real-time proving is an off-chain benchmark, not an on-chain reality. The latency and cost figures are based on EthProofs’ curated hardware setups and workloads. A gap remains between these benchmarks and the practical implementation of thousands of independent validators running these provers at home.
The security landscape is also dynamic. The existence of soundcalc underscores the fact that STARK and hash-based SNARK security parameters are constantly evolving as conjectures are disproven. Recent findings have redefined the boundaries between “definitely safe,” “conjecturally safe,” and “definitely unsafe” parameter regimes, meaning today’s “100-bit” settings may be revised again with new attacks.
It remains uncertain whether all major zkEVM teams will achieve 100-bit provable security by May 2026 and 128-bit by December 2026 while staying within the proof-size limits. Some teams may opt for lower security margins, rely on stronger assumptions, or offload verification to reduce computational burden.
Perhaps the most challenging aspect will be formalizing and auditing the complete recursion architectures. The EF acknowledges that different zkEVMs often combine numerous circuits with substantial “glue code,” and documenting and proving the soundness of these bespoke stacks is essential. This creates significant work for projects like Verified-zkEVM and formal verification frameworks, which are still in their early stages.
A year ago, the question was whether zkEVMs could prove fast enough. That question has been answered. The new question is whether they can prove soundly enough, at a security level that doesn't rely on potentially flawed conjectures, with proofs small enough to propagate across Ethereum’s P2P network, and with recursion architectures that are formally verified to safeguard hundreds of billions of dollars. The performance sprint is over; the security race has just begun.