
Building Secure Foundations for an L1 zkEVM: Achieving 128-bit Provable Security

Explore the crucial next phase in zkEVM development that prioritizes provable security alongside performance. Learn about the Ethereum Foundation's strategic milestones aimed at achieving 128-bit security for Layer 1 zkEVMs, ensuring robustness for billions in assets.

cryptoNewsToday

The zkEVM ecosystem has taken a remarkable journey over the past year, turning ambitious goals into reality by slashing proving latency from 16 minutes to just 16 seconds, and reducing associated costs dramatically. However, with the high-speed proving hurdle behind us, the focus now pivots to a challenge that’s even more critical: security.

From Performance Milestones to Security Imperatives

In July, the community defined a clear north star for real-time proving. Fast forward nine months, and the progress has been astonishing: 99% of Ethereum blocks can now be proven within 10 seconds on target hardware. The performance sprint has laid a robust foundation, but security remains the elephant in the room.

This new phase is about building an L1 zkEVM that is not only fast but also mainnet-grade secure, capable of protecting hundreds of billions of dollars from sophisticated adversaries.

Why 128-Bit Provable Security Matters

Many current STARK-based zkEVM implementations rely on assumptions backed by unproven mathematical conjectures. Unfortunately, recent research has challenged these foundations, leading to significant security reductions — a system once thought to have 100-bit security could actually offer just 80 bits or less.

For those unfamiliar, 128-bit security is the widely accepted industry standard and is recommended by authoritative bodies like NIST. It corresponds to a computational workload so large that attacking such a system with today's or foreseeable technology is practically infeasible.

In the zkEVM context, security is not a theoretical concern but a practical necessity. If an attacker can forge zk proofs, they could manipulate the blockchain state arbitrarily — minting tokens, rewriting history, or stealing funds. This underlines why a solid, provable security guarantee at the 128-bit level is non-negotiable.

Navigating the Trade-Off: Security vs. Proof Size

Increasing security often means larger proofs, but proofs must remain compact to propagate efficiently across Ethereum’s peer-to-peer network. Striking the right balance is critical.

To guide this effort, the Ethereum Foundation has outlined three key milestones:

Milestone 1: Soundcalc Integration (Deadline: February 2026)

  • Standardize security assessments with soundcalc, a tool estimating zkVM security using current cryptographic research
  • zkEVM teams must integrate their proof system parameters with soundcalc for consistent evaluation

Milestone 2: Glamsterdam (Deadline: May 2026)

  • Achieve provable security of at least 100 bits as per soundcalc
  • Final zk proof sizes capped at 600 KiB
  • Provide a compact description and a soundness sketch of the recursion architecture

Milestone 3: H-star (Deadline: December 2026)

  • Reach 128-bit provable security measured via soundcalc
  • Reduce final proof size to 300 KiB or less
  • Deliver a formal security proof for the recursion architecture used

Leveraging Cryptographic Advances

Recent breakthroughs make these milestones achievable. Techniques like compact polynomial commitment schemes (e.g., WHIR), JaggedPCS, grinding methods, and carefully structured recursion topologies form the backbone for improving security without ballooning proof sizes.
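The gap between conjecture-based and proven soundness, and what it does to proof size, can be seen in a simplified query-phase model of a FRI-style STARK. This is an added example, not code from the article, the Ethereum Foundation or soundcalc; it uses the standard per-query error approximations, ignores commit-phase and field-size terms, and `KIB_PER_QUERY` is a constructed figure.

```python
import math

# Per-query soundness error of a FRI-style proximity test at code rate rho.
# Simplified model: query phase only; commit-phase and field-size error
# terms are ignored, so a full analysis yields lower figures.
PER_QUERY_ERROR = {
    "conjectured": lambda rho: rho,         # relies on an unproven conjecture
    "johnson": lambda rho: math.sqrt(rho),  # proven, list decoding to the Johnson bound
    "unique": lambda rho: (1 + rho) / 2,    # proven, unique-decoding radius
}

KIB_PER_QUERY = 3.0  # constructed figure: opened values plus Merkle paths per query


def security_bits(rho, queries, grinding_bits, regime):
    """Query-phase security: each query multiplies the error, grinding adds bits."""
    return queries * -math.log2(PER_QUERY_ERROR[regime](rho)) + grinding_bits


def queries_needed(rho, target_bits, grinding_bits, regime):
    """Smallest query count reaching target_bits under the given analysis."""
    per_query = -math.log2(PER_QUERY_ERROR[regime](rho))
    return math.ceil(max(target_bits - grinding_bits, 0) / per_query)


def plan(rho, target_bits, grinding_bits, regime, cap_kib):
    """Return (queries, estimated KiB, fits under cap) for one parameter choice."""
    q = queries_needed(rho, target_bits, grinding_bits, regime)
    size = q * KIB_PER_QUERY
    return q, size, size <= cap_kib


if __name__ == "__main__":
    # Parameters tuned to 100 bits under the conjecture, re-evaluated with proofs.
    for regime in PER_QUERY_ERROR:
        print(regime, round(security_bits(1 / 4, 50, 0, regime), 1))
    # H-star target from the article: 128 bits, 300 KiB cap.
    for rho, grind in [(1 / 4, 0), (1 / 4, 20), (1 / 16, 20)]:
        print(rho, grind, plan(rho, 128, grind, "johnson", 300))
```

Lowering the rate cuts the query count but enlarges the evaluation domain, which raises prover cost; this model does not capture that side of the trade-off.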

Recursion deserves special attention since modern zkEVMs compose many circuits recursively, each with unique configurations. Documenting recursion's architecture and rigorously proving its soundness are vital steps toward establishing trust.

Stabilizing the Framework for Formal Verification

Locking down these security parameters now is strategic. Security is easier to assure on a stable target. Once zkEVM architectures solidify and security targets are achieved, formal verification efforts can progress effectively — verifying critical components, finalizing security proofs, and ensuring on-chain code matches formal specifications.

By the end of 2026, with the H-star milestone, the proof system layer is expected to be stable enough to support these verification efforts, laying the groundwork for future secure L1 zkEVM deployment.

The Road Ahead

Looking back, the community's initial focus was on improving proving speed. That challenge has been conquered impressively.

Now, the focus shifts toward fortifying the security foundations. To this end:

  • An upcoming post scheduled for January will clarify and formalize the outlined milestones.
  • A detailed technical deep dive on proof system techniques will follow, sharing insights on achieving the balance of security and proof size.
  • The Ethproofs project will evolve to emphasize security alongside performance.
  • The Ethereum Foundation cryptography team remains eager to collaborate, support, and drive this vital work.

Our journey continues. The sprint for speed is complete — now it's time to strengthen the foundations of trust that underpin L1 zkEVMs, protecting billions while preserving Ethereum's decentralization and scalability promises.


This post acknowledges the invaluable contributions from Arantxa Zapico, Benedikt Wagner, Dmitry Khovratovich of the EF cryptography team, and Ladislaus, Kev, Alex, and Marius for their thoughtful reviews and feedback.
