The year of zkVM real-time proving: milestones, present and future

Introduction

Ethereum is a decentralized verifiable computer. The way in which we can achieve this verifiability is through re-execution of each computation, consensus and economic incentives. Nevertheless, this strategy suffers from one main drawback: all the nodes have to do the same work over and over again in order to verify computations, which results in a lot of lost computational power and limits throughput, hurting the scalability of the system. This could be solved by requiring nodes to use more powerful hardware, which in turn could affect decentralization in a negative way, impacting security, too. This is just the statement of the famous blockchain trilemma.

In this post we will analyze how zero-knowledge virtual machines (zkvm) and better engineering practices are allowing us to solve this problem, and what is the future roadmap for Ethereum together with zero-knowledge/validity proofs (zkp). If you want to know more about why Ethereum is important, and what type of products and use cases it has in the real world, check our article here.

Zero-knowledge/validity proofs (such as snarks [succinct, non-interactive arguments of knowledge) and starks [scalable, transparent arguments of knowledge] allow one party, the prover, to show that they computed correctly a given program with given inputs, such that:

1. The proof is much shorter than the whole information (witness) needed to check the correctness of the computation.
2. The verification time is much faster than re-executing the program.

Additionally, in some cases they may hide all the information about the witness, in which case they have the property of being zero-knowledge. The first two are useful when we want to prove a statement of the form: I took the current state of Ethereum, checked the validity of all the transactions, updated all the balances according to them and the new state is this one. This is an example where we compress a lot of computation, abstract the rest of the fine details of the transactions, but they know that we did that according to the rules. Another example is: I took 1000 signatures corresponding to these public keys and checked that they are all valid. This last example can be useful to aggregate a lot of signatures into a short proof, which can then be checked with minimal effort by a light client running on a smartphone.

The property of zero-knowledge is useful when we want to show something, without revealing sensitive information. For example, we would use it to prove that we are above legal age without disclosing our name or date of birth. Here, we do not necessarily care about having short proofs or fast verification, only that it does not leak other information and perhaps on how fast we can generate the proof. This was announced by Google as a new feature for their wallet.

Recently, Ethereum has announced its future technical roadmap under the umbrella of the memetic wrapper Lean Ethereum. There are two main initiatives, focusing on different aspects of Ethereum:

• Lean Execution or Beast mode
• Lean Consensus or Fort mode

What is at the heart of both constructions? Zero-knowledge proofs. Why are they used? Because we can delegate the heavy burden of computation to powerful devices and have weaker devices check everything, without the possibility of cheating. We can basically remove the cost of re-execution and compress heavily the computation and check that the results or updates are correct. Ethereum recently launched the initiative ethproofs to compare performance between zkvms, analyze real-time proving capabilities and other relevant metrics for the adoption of zkvms.

The road to real-time proving

Initially, using ZKP had a huge barrier of entry. To make computations verifiable, you had to express the computation as a set of algebraic equations that capture the relationships between the variables, how each of them is updated during the computation and ensure that the inputs and outputs are correctly enforced. This was the age of arithmetic circuits and, even though some tools were developed to make writing circuits easier (such as circom), you required expert knowledge to be able to write circuits and ensure that they are correct. The process, however, is very laborious and bug-prone. Moreover, every time you want to write a new program, you have to code a new circuit.

In 2021, Starkware introduced the Cairo-vm, a Turing-complete virtual machine to prove computations using starks (introduced in 2018). The core idea was to develop a set of algebraic equations that have to be enforced when running the CPU, described by the Cairo instruction set architecture (ISA), ensuring that the instructions are fetched from memory, read and decoded and executed correctly. Then, we could just prove any code written in the programming language Cairo by running the program over the virtual machine. This makes the work of building verifiable applications much easier: once you built and audited the CPU, you no longer need to worry about the cryptographic hard part, and just focus on developing your applications (using Cairo). The Cairo-vm, taking advantage of starks as the proof system, simplified writing these applications and offered good performance. It had some limitations, such as enforcing rigid computational traces or it was not easy to add specialized instructions for given operations, yet it showed that starks (based on hash functions and that is post-quantum secure) and virtual machines were the way to go. Miden also built their own virtual machine using Miden assembly, and extended the use of lookup arguments to a chiplet table, containing those operations frequently used that do not have an easy way of representing them directly with the ISA. Risc0 improved on the idea of the Cairo-vm by replacing the Cairo-ISA with RISC-V, introduced the BabyBear field (2³¹ - 2²⁷ + 1) and continuations in order to prove larger programs. Performance started improving, user experience began to get better and other projects started to join the zkvm race. At this point there was also a discussion between general-purpose zkvms and zkEVMs, and attempts to build zkvms that were fully compatible with the Ethereum virtual machine (EVM). 

We jump to 2025, the year where we finally achieved real-time proving. There were several teams building zkvms, with frequent improvements in performance and making them easier to run. Between 2021 and 2025 there were improvements in proof systems (logUp, cstarks, sumcheck optimized protocols, STIR, WHIR, binary fields, FRI-Binius, logUp-GKR, lasso, twist-and-shout) and tooling (such as Plonky3, powered by Polygon), but one question remained. Is it feasible to prove Ethereum blocks in less than 12s? Nearing the end of January, Justin Drake stated that he believed this was the year for real-time proving. On April 15th, ZKCloud announced that they were proving Ethereum blocks continuously at a cost of 0,5 - 2 USD using a 4090 GPU cluster and optimized pipelines. On May 20th, Succinct presented SP1 Hypercube and announced that they were proving 90% of Ethereum blocks in under 12 s, using over 100 GPUs. This proved that it was feasible to prove Ethereum blocks within a single slot time at a reasonable cost. Justin Drake announced that other teams, such as Brevis, OpenVM, Snarkify, Risc0, ZisK and ZKM were also about to achieve the milestone. The second EthProofs call on May 23rd had over 25 speakers to comment and celebrate the achievement.

On June 23rd, EthProofs announced that ZisK had the fastest trace execution, reaching 1.5 GHz using a custom x86 assembly via ahead-of-time compilation, more than one order of magnitude better than other projects. One day later, ZKsync announced that they could prove Ethereum blocks using one GPU in around 35 seconds using AirBender, their virtual machine using cSTARKs.

On July 10th, the Ethereum Foundation published a post on real-time proving and that the first step was having a zkEVM that could prove blocks in less than 12 s. This defined the foundation’s requirements for real-time proving:

1. Less than 10s for 99% of the blocks in the L1.
2. CAPEX less than 100.000 USD
3. Power consumption less than 10 kW.
4. Open-source code.
5. At least 128 bits of security.
6. Proof size less than 300 kB, with no trusted setups.

Something not stated at that time but which will be important for the future is that the proof system should be post-quantum secure. Another important point is that validators will start using ZK clients, and, when a supermajority of them uses these clients, we can increase the gas limit so that validators running reasonable hardware can just verify proofs, instead of re-executing. Once validators are checking execution proofs, those same proofs could be used to run the Execute Precompile for native rollups.

Justin Drake announced one day after the 10th anniversary of Ethereum the roadmap for Lean Ethereum, highlighting how Ethereum is going to manage the future threats and challenges, while delivering extreme performance and uncompromising security and decentralization. The strategy is simple but effective: be strong both on offense (execution) and defense (consensus). The consensus part involves changing elliptic curve-based BLS signatures for post-quantum secure hash-based signatures that can be efficiently aggregated using snarks. The execution part involves reaching 1 Gigagas on the L1 (at least 10k TPS), 1 Teragas on the L2s (millions of TPS), using real-time zkVMs for execution and data availability sampling.

October 25th Brevis announced that Pico Prism was proving Ethereum 99,6% of blocks in real-time using 64 RTX 5090 GPUs, with an average time of 6.9 seconds.

November 22nd featured EthProofs’ day, with a live demo comparing the performance involving several zkVMs. ZisK got the day with an amazing performance, while keeping everything fully open-source from the start. Using only 24 5090 GPUs, 99.74% of the blocks were proven under 12 seconds, with an average time of 6.56 seconds. Brevis team showed that their zkvm improved over 254 times in just one year! AirBender, OpenVM and SP1 Hypercube also displayed blazing performance.

As of December 2nd, proof costs have dropped to an average of 3.54 cents per proof, which is more than an order of magnitude lower than at the beginning of the year. Ethproofs is tracking the performance of 8 different zkVMs: 5 use RISC-V 32im ISA, 2 use RISC-V 64im ISA (ZisK uses ima) and 1 uses MIPS.

Present and future

We have seen that zkVMs improved their performance by at least two orders of magnitude since the previous year, greatly reducing the cost of generating zero-knowledge proofs. While we can continue to expect improvements in performance over the coming months, there are still other areas that still need to be addressed. One of them is security: we need simpler codebases which are easy to read and understand. We also need to use all the tooling that we can to ensure their correctness, including formal verification. The Ethereum Foundation is funding an initiative to build the tooling to spec and formally verify cryptographic core blocks (such as FRI) as well as the constraints for the RISC-V virtual machine, guaranteeing correctness, completeness and soundness. Another important part is ensuring redundancy in provers and clients: generate execution proofs from different clients using different zkVMs and demand that, for example, 3-out-of-5 proofs are valid. That way, even if there was a bug in a zkVM or client, it is unlikely that an attacker can find a correlated bug in another and the network stays up and safe. Of course, we need to ensure that there is diversity of proof systems, clients, compilers, so that there is no single point of failure.

If we want to reach the Gigagas frontier on the L1, we need to make execution clients more performant. Some of them currently reach 200 or more Mgas. But performance is not enough, we also need simplicity. That is why LambdaClass has been developing ethrex, an execution client written in Rust with a minimalistic codebase, which can also be used as an L2 client. Ethrex has improved consistently since we started the project, reaching nearly 400 Mgas, with a codebase that is at least 5 times smaller than others and has been designed with zkVMs in mind from the start. Thus, not only are we moving towards the goals set for the L1 in Ethereum, but we are also making it easy for businesses to launch their own applications on top of Ethereum as simple as launching a service in web2.

Quantum computers pose a significant threat to the current state of blockchains, relying heavily on elliptic curve-based signatures. The development of lean signatures for Ethereum, and using post-quantum secure proof systems is going to protect the future of Ethereum. The lean roadmap shows the stages of development for the signature scheme and the lean VM (a specialized virtual machine that handles signature aggregation). The Ethereum Foundation has been organizing meetings with different teams to accelerate the development of this new primitive, which could be useful for other blockchains or applications. Among them, there were meetings in Cannes, Cambridge and there plans for a new meeting soon in Cannes.

About a decade ago, when Ethereum started, zero-knowledge proofs were not widely known and only the first efficient constructions were under development. 7 years ago, we were struggling with coding circuits and dealing with trusted setups and performance was severely limited. 2020 saw an explosion in proof system constructions, though use and performance remained quite limited. It was only 4 years ago that we obtained Cairo-vm, the first provable virtual machine using a proof system that is post-quantum secure and does not require a trusted setup. Four years later, we have achieved real-time proving and ZK is going to be everywhere to make Ethereum the backbone of institutions over the internet. Are you sure you want to bet against Ethereum?