KZG Polynomial Commitment

A KZG polynomial commitment (named for its creators Kate, Zaverucha, and Goldberg) is a cryptographic construction where a prover commits to a polynomial f(x) by publishing a single, constant-sized value, the commitment. This commitment is binding, meaning the prover cannot later claim they committed to a different polynomial. The scheme's power lies in its ability to generate succinct evaluation proofs: for any point z, the prover can create a short proof π that convinces a verifier that f(z) = y without revealing the entire polynomial. This property is known as evaluation binding.

The scheme operates over pairing-friendly elliptic curve groups. The commitment to polynomial f(x) is computed as C = f(τ) * G, where τ is a secret toxic waste value from a trusted setup ceremony and G is a generator point. To prove f(z) = y, the prover computes a quotient polynomial q(x) = (f(x) - y) / (x - z) and provides the commitment to q(x) as the proof π. The verifier checks a single elliptic curve pairing equation: e(C - y*G, G) = e(π, τ*G - z*G). This check is constant-time and does not require the verifier to know τ.

KZG commitments are deterministic and provide perfect completeness and computational soundness under cryptographic assumptions. Their key advantages are constant-sized commitments and proofs (e.g., 48 bytes for BLS12-381 curves) and aggregation-friendliness. Multiple evaluation proofs for the same polynomial can be efficiently combined into one, and commitments themselves can be linearly combined, enabling powerful applications like polynomial IOPs (Interactive Oracle Proofs) and vector commitments.

In blockchain systems, KZG is the foundation for Ethereum's proto-danksharding (EIP-4844), where it commits to data blobs. It enables efficient data availability sampling (DAS) because verifiers can check random samples of the data against the commitment. It is also central to many zk-SNARK and zk-STARK proof systems, verkle trees, and stateless clients. The primary drawback is the requirement for a trusted setup to generate the Structured Reference String (SRS) containing powers of τ, though ceremonies like Perpetual Powers of Tau aim to decentralize this trust.

Compared to other commitment schemes, KZG offers unique trade-offs. Unlike Merkle trees, which have logarithmic-sized proofs, KZG proofs are constant-sized. Unlike FRI (used in STARKs), KZG does not require a Fiat-Shamir transformation for non-interactivity and offers better concrete proof sizes for certain degrees. Its security relies on the t-Strong Diffie-Hellman (t-SDH) assumption in bilinear groups, making it theoretically vulnerable to quantum computers, unlike hash-based FRI.

The KZG acronym stands for Kate, Zaverucha, and Goldberg, the three cryptographers—Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg—who first formalized the scheme in their seminal 2010 paper, 'Constant-Size Commitments to Polynomials and Their Applications'. This naming convention is common in cryptography, where fundamental constructions are often eponymously linked to their inventors, such as RSA (Rivest–Shamir–Adleman) or ECDSA (Elliptic Curve Digital Signature Algorithm). The second part of the term, Polynomial Commitment, precisely describes the scheme's function: a cryptographic commitment to a polynomial where the prover can later reveal evaluations of the polynomial at specific points, with proofs that are verified against the original, fixed commitment.

The intellectual origin of KZG commitments lies in the intersection of cryptographic commitment schemes and algebraic error-correcting codes. It builds upon earlier work in pairing-based cryptography and the use of bilinear maps (pairings) over elliptic curve groups. The key breakthrough was constructing a constant-sized commitment—a single group element—to a potentially very large polynomial, enabling efficient verification of evaluations without requiring the verifier to know the polynomial's full coefficients. This was a significant advancement over simpler commitment schemes like Merkle trees, which would produce proof sizes logarithmic in the polynomial's degree.

The development of KZG was initially motivated by applications in verifiable secret sharing and secure multiparty computation. However, its adoption exploded decades later within the blockchain ecosystem, particularly as the foundational cryptographic engine for Ethereum's proto-danksharding (EIP-4844) and Layer 2 scaling solutions. Its properties of constant-sized proofs and efficient batch verification made it uniquely suited for scaling blockchain data availability and constructing succinct non-interactive arguments of knowledge (SNARKs), cementing its status as a cornerstone of modern cryptographic engineering in decentralized systems.

A KZG polynomial commitment (named for its creators Kate, Zaverucha, and Goldberg) is a cryptographic scheme that allows a prover to commit to a polynomial and later generate a short, constant-sized proof that the polynomial evaluates to a specific value at a given point, without revealing the polynomial itself. This commitment acts as a succinct cryptographic fingerprint of the polynomial data. The scheme is binding, meaning the prover cannot later claim a different polynomial was committed, and hiding, meaning the commitment reveals no information about the polynomial's coefficients.

The scheme's power lies in its use of pairing-friendly elliptic curves and a trusted setup that generates a structured reference string (SRS). To commit to a polynomial f(x), the prover evaluates it within the exponent of an elliptic curve group using the SRS, producing the commitment C = g^{f(τ)}, where τ is a secret value discarded after the setup. To later prove that f(z) = y for a point z, the prover constructs a quotient polynomial q(x) = (f(x) - y) / (x - z) and provides an evaluation proof π = g^{q(τ)}. A verifier can check this proof using a single elliptic curve pairing operation, which is computationally efficient.

KZG commitments are deterministic and provide perfect completeness and computational soundness under cryptographic assumptions. Their key properties—constant-sized proofs and constant-time verification—make them ideal for scaling blockchains. For example, in data availability sampling, a node can verify that a specific piece of data belongs to a larger committed data block by checking a single KZG proof, without downloading the entire block. This is a cornerstone of Ethereum's proto-danksharding (EIP-4844) architecture.

The primary trade-off is the requirement for a trusted setup ceremony, where the secret τ must be generated and securely discarded. If compromised, an attacker could create fraudulent proofs. However, ceremonies like Perpetual Powers of Tau aim to mitigate this risk through multi-party computation. Alternatives like FRI (Fast Reed-Solomon IOP of Proximity) do not require trust but have larger proof sizes. KZG's balance of proof size and verification speed has made it the preferred choice for modern succinct cryptographic systems.