This article was first published on The Bit Journal.
The Ethereum Foundation has announced a new turn from performance optimization to a “security first” approach.
Just recently, the foundation released a comprehensive three-phase plan outlined for zkEVM teams to meet provable security standards centralized at the 128-bit level by the end of 2026.
This roadmap centers around robust formal verification, standard tooling, and formal soundness arguments used to ensure zkEVM architectures are secure and resilient.
Why Does Security Matter Now?
Ethereum’s path to integrating zero-knowledge proofs and zkEVM architectures has seen remarkable performance in 2025.
zkEVM teams achieved a 45x reduction in proved costs by going from minutes to seconds for proving time, which enables around 99% of blocks within ten seconds on the target hardware.
These improvements set zkEVMs as engines for scaling and privacy inside the Ethereum universe. But for all this technical progress, the foundation was aware that security remains the elephant in the room, noting that many of zkEVM’s implementations continue to rely on unproven mathematical assumptions which recent research has called into question.

The foundation shared that no system would be secure with only performance success with no cryptographic security proof; as forged proofs could compromise systems by permitting unsanctioned token minting or state control.
It is this harsh reality that has informed the security as a first-class pillar of Ethereum’s roadmap to 2026.
The Three-Phase Security Roadmap Explained
This is a sequence of stages that will take zkEVM and related proof systems to the next level of cryptographic soundness. There will be three stages in the roadmap:
First, by February 2026, all zkEVM Projects participating must integrate their proof system components with soundcalc, a security estimation tool that uniformly computes statistically guaranteeable soundness across ecosystems.
This stage makes sure that security estimates are pegged to a common benchmark rather than whatever numbers the projects decide.
The second stage, teams must achieve at least 100-bit post-quantum proof security by May 2026, according to SoundCalc metrics. At this point, proof sizes should not exceed 600 kB and developers need to give sufficiently small, public specifications of their recursion architectures, the layered proof structures wherein zkEVM validation is rooted.
The last stage of the road map, targeted before the end of 2026, calls for full-fledged 128-bit provable security with proofs limited to total sizes smaller than 300 kb and proven soundness justifying the recursion choice.
This target is in line with commonly accepted security boundaries in cryptography for enduring systems immune to plausible attack vectors.
These stages form a disciplined roadmap to eventual mainnet readiness for evidence systems that can safely be used at scale throughout Ethereum’s ecosystem, especially in situations where security breaches would have systemic implications.
Formal Verification and Provable Security Standards
Moving to the Ethereum security roadmap is more than a checklist of targets. It is a dedication to formal verification, proving that how a system is implemented matches its specifications precisely.
Provable security at a 128-bit level implies that the chance of an adversary succeeding in creating a valid proof is now so low (according to current cryptanalytic understanding).
This is the level of security that has been deemed appropriate by governments and industry standardization bodies for systems responsible for protecting high value assets.
With the recent advances on recursive proof architectures, with techniques such as compact polynomial commitment (e.g., WHIR) and optimized recursion topology, these benchmarks have become engineeringly realistic according to the foundation’s announcement.

Adopting provable security as a standard also responds to concerns raised by previous research that there were gaps in the assumptions of the many STARK- and SNARK-based constructions.
By embedding soundness and proof size limitations in the protocol, Ethereum attempts to fill these holes, to avoid conjectures for which a new break-through in cryptanalysis might imply their falseness.
Conclusion
The Ethereum Security Roadmap for 2026 points to a notable focus for one of the world’s most high-profile blockchain networks.
With a roadmap to realize 128 bits of security for zkEVMs (starting with unified estimates and terminating in fully verified soundproof proof systems), the Ethereum Foundation is redefining its strategic goals.
This move emphasizes long term security and formal verification which lines up technical development with already existing trust by institutions and regulation.
Glossary
zkEVM (Zero-Knowledge Ethereum Virtual Machine): A variant of the Ethereum virtual machine, which uses zero-knowledge proofs for off-chain validation of computations with on-chain correctness.
Provable security / cryptanalysis resistance: A cryptographic guarantee that a system can be mathematically proven to be secure against determined attack vectors, typically stated in “bit” security levels (e.g., 128-bit).
Formal verification: It is a mathematical technique used to verify that the system complies precisely with its stated requirements and that it does not contain any unintended security weaknesses.
Proof-Recursive Architecture: Architecture having the layered form in which a proof refers to another proof, for achieving efficient validation at high security levels.
Proving time: The amount of time that a proof can generate for a block ( or transaction) and its impact on throughput and scalability.
Frequently Asked Questions About Ethereum Security Roadmap
Why is Ethereum choosing security over speed now?
After several improvements in zkEVM proving times performance, the Ethereum Foundation realized the need to ground security assumptions to prevent potential vulnerabilities.
What does 128-bit security mean?
128-bit security refers to a level of cryptography in which the odds of an attacker successfully cracking the code are vanishingly small, less than one in 2^128, meeting widely accepted benchmarks for long-term security.
What is the Ethereum security roadmap in three phases?
It consists of the following three stages: introduction of a unified security tool by February 2026, attainment of 100-bit security by May 2026 and realization of full 128-bit provable security with formal proofs towards the end of the year.
What does this mean for developers and users?
On one hand, developers may need to modify proof systems in order to obtain standardized security guarantees, on the other hand users get increased confidence with respect protocol soundness and robustness.
Does this mean Ethereum will lag further behind in scaling?
Although some of these require stronger proof design for security, they increase trust and long-term protocol stability so do not truly restrict more general scaling paths.
References
CryptoSlate
MEXC
cryptobriefing

