A KZG commitment (Kate-Zaverucha-Goldberg commitment) is a cryptographic scheme that allows a prover to commit to a polynomial and later generate a succinct proof that the polynomial evaluates to a specific value at a given point. This proof, also known as a KZG proof or witness, can be verified by anyone who holds the commitment, without requiring the prover to reveal the entire polynomial. The scheme relies on pairing-based cryptography and trusted setup ceremonies to generate public parameters, which are critical for its security.
KZG Commitment
What is a KZG Commitment?
A KZG commitment is a cryptographic proof that a polynomial has a specific value without revealing the polynomial itself, forming the core of modern data availability and scaling solutions like Ethereum's proto-danksharding.
The primary utility of a KZG commitment lies in its constant size and efficient verification. Unlike a Merkle proof, whose size grows logarithmically with the data, a KZG proof is a single group element (e.g., a 48-byte elliptic curve point). This makes it ideal for blockchain scaling, where it can prove that a specific piece of data, such as a blob of transaction data in Ethereum's EIP-4844 (proto-danksharding), is part of a larger committed dataset. Verifiers only need the commitment and the proof, enabling light clients to efficiently confirm data availability.
In practice, a KZG commitment scheme involves a trusted setup to generate a Structured Reference String (SRS). This ceremony produces public parameters that must be used to create and verify commitments; if the secret parameters used in the setup are compromised, an attacker could create fake proofs. Despite this requirement, KZG's properties—binding, hiding, and the ability to perform polynomial evaluations and linear combinations of commitments—make it a cornerstone for verifiable secret sharing, zero-knowledge proof systems, and data availability sampling protocols in layer-2 rollups.
How Does a KZG Commitment Work?
A KZG commitment is a cryptographic tool that allows one party to commit to a polynomial and later prove evaluations of that polynomial without revealing the polynomial itself, forming the foundation for modern scalable blockchain proofs.
A KZG commitment (named for its creators Kate, Zaverucha, and Goldberg) is a cryptographic scheme based on pairing-friendly elliptic curves. To commit to a polynomial f(x), a trusted setup ceremony generates a structured reference string (SRS) containing powers of a secret value τ (tau) hidden within elliptic curve points: [τ⁰]G, [τ¹]G, ..., [τᵈ]G. The commitment C is computed as C = f(τ)⋅G, a single elliptic curve point that acts as a succinct fingerprint for the entire polynomial. This commitment is binding (the committer cannot later change the polynomial) and hiding (the commitment reveals nothing about the polynomial's coefficients).
The power of KZG lies in its ability to generate evaluation proofs. If a verifier wants to check that f(u) = v for a specific point u, the prover computes a witness polynomial q(x) = (f(x) - v) / (x - u). The corresponding proof π is q(τ)⋅G, another single curve point. The verifier, who knows C, u, v, and π, can check the proof using a bilinear pairing e on the elliptic curve group. The verification equation e(C - [v]G, G) = e(π, [τ]G - [u]G) holds if and only if the evaluation is correct, requiring only constant-time work regardless of the polynomial's degree.
KZG commitments enable powerful cryptographic constructions. In Ethereum's EIP-4844 (proto-danksharding), they commit to large data blobs, allowing validators to verify data availability with tiny proofs. They are also fundamental to polynomial commitment schemes used in zero-knowledge rollups and succinct non-interactive arguments of knowledge (SNARKs). A critical requirement is the trusted setup for the SRS; if the secret τ is leaked, an attacker could generate fake commitments. This risk is mitigated through ceremonies like the Perpetual Powers of Tau, where multiple participants collaborate to generate the SRS, ensuring security if at least one participant was honest and destroyed their secret.
Key Features of KZG Commitments
KZG (Kate-Zaverucha-Goldberg) commitments are a core cryptographic tool enabling efficient polynomial commitment schemes, crucial for scaling blockchains through data availability proofs and zero-knowledge applications.
Constant-Sized Proofs
A KZG commitment produces a single, fixed-size cryptographic proof for an entire polynomial, regardless of its degree. This enables succinct verification where checking a single element of the committed data (e.g., a specific transaction in a data block) requires only this constant-sized proof and the evaluation point, not the entire dataset.
- Key Benefit: Enables scalable data availability sampling (DAS) in protocols like Ethereum's danksharding.
Trusted Setup Ceremony
KZG commitments require a one-time trusted setup to generate a Structured Reference String (SRS). This ceremony produces public parameters (proving and verification keys) that must be created securely, as compromise could allow forging false proofs.
- Mitigation: Use ceremonies with multi-party computation (MPC) where only one participant needs to be honest for security, as seen in Ethereum's KZG ceremony for EIP-4844.
Polynomial Commitment Scheme
At its core, KZG is a cryptographic commitment to a polynomial. A prover commits to a polynomial f(x) by evaluating it at a secret point within the SRS, producing a short commitment. They can later generate a proof that f(z) = y for any point z, proving a specific piece of data is consistent with the committed whole.
- Foundation: This property is the bedrock for verifiable secret sharing and constructing zero-knowledge proofs.
Ethereum's Proto-Danksharding (EIP-4844)
KZG commitments are the backbone of EIP-4844, which introduces blob-carrying transactions. Each blob of data is committed to using a KZG commitment, allowing Layer 2 rollups to post cheap, verifiable data to Ethereum.
- Application: Enables data availability sampling (DAS) where light clients can verify data availability by checking small random samples against the KZG commitment.
Comparison to Merkle Trees
KZG commitments offer distinct advantages over traditional Merkle trees for certain scaling tasks:
- Proof Size: KZG proofs are constant-sized (~48 bytes), while Merkle proofs grow logarithmically with data size.
- Aggregation: Multiple KZG proofs can be efficiently aggregated into one.
- Trade-off: KZG requires a trusted setup; Merkle trees do not. Merkle trees remain superior for simple membership proofs.
Bilinear Pairings & Algebraic Structure
The security and functionality of KZG rely on cryptographic pairings on elliptic curve groups (e.g., BLS12-381). The scheme uses the algebraic property that e(g, h)^(x*y) = e(g^x, h^y), allowing the verifier to check polynomial evaluations using the commitment and proof without knowing the secret point.
- Core Operation: Enables the verification equation:
e(commitment, h) = e(proof, h^(τ - z)) * e(g, h)^y.
Where Are KZG Commitments Used?
KZG polynomial commitments are a foundational cryptographic primitive enabling efficient data verification. Their primary use cases are in scaling solutions and data availability schemes.
Data Availability Sampling (DAS)
In modular blockchain architectures like Celestia and Ethereum's sharding roadmap, KZG commitments enable light clients and validators to perform Data Availability Sampling. By requesting random chunks of data and verifying them against the KZG commitment, nodes can probabilistically guarantee that an entire data block is available, which is essential for fraud proof and validity proof systems.
ZK-Rollup Validity Proofs
Zero-Knowledge Rollups (ZK-Rollups) like zkSync, StarkNet, and Polygon zkEVM use KZG commitments within their proof systems (e.g., PLONK). They commit to the execution trace or state transitions as a polynomial. The KZG commitment allows for the creation of a succinct SNARK or STARK proof that can be efficiently verified on-chain, ensuring computational integrity.
Verifiable Secret Sharing (VSS)
KZG commitments are used in Distributed Validator Technology (DVT) and threshold signature schemes. A dealer can commit to a secret polynomial whose constant term is a private key share. Distributing evaluations of this polynomial to participants, along with the KZG commitment, allows them to verify the correctness of their share without revealing the secret, enhancing security in multi-party computation (MPC).
Polynomial Interactive Oracle Proofs (IOPs)
KZG is a key building block for modern succinct non-interactive arguments of knowledge (SNARKs). Protocols like PLONK and Marlin use KZG commitments to create polynomial IOPs, where the prover commits to polynomials representing the computation. The verifier then queries these polynomials at random points, with the KZG commitment enabling efficient opening proofs.
Vector Commitments & Stateless Clients
KZG can function as an efficient vector commitment scheme. This property is explored for future stateless client designs in blockchains. A state root could be a KZG commitment to the vector of all account states, allowing witnesses (Merkle proofs) to be replaced with constant-sized polynomial evaluation proofs, drastically reducing verification data.
KZG Commitment in Proto-Danksharding (EIP-4844)
A KZG (Kate-Zaverucha-Goldberg) commitment is a cryptographic scheme used to create a succinct, verifiable proof for a polynomial, forming the core data availability mechanism in Ethereum's Proto-Danksharding upgrade.
A KZG commitment is a constant-sized cryptographic fingerprint, or cryptographic commitment, that binds to a specific polynomial. In the context of EIP-4844 (Proto-Danksharding), this polynomial represents the data within a blob. The commitment is generated using a trusted setup ceremony, resulting in a structured reference string (SRS). Its key property is that it allows for efficient polynomial commitment schemes, enabling anyone to verify that a specific piece of data is part of the original blob by checking a small proof against the commitment, without needing the entire dataset.
The primary function of the KZG commitment within the Ethereum consensus layer is to guarantee data availability. When a validator posts a blob-carrying transaction, they provide the KZG commitment. Other network participants can then be cryptographically assured that the full blob data is published and can be reconstructed, which is essential for data availability sampling (DAS). This mechanism is far more efficient than requiring every node to download the entire multi-megabyte blob, enabling scalable layer 2 rollup data posting while keeping mainchain load manageable.
The technical workflow involves the blob provider (e.g., a rollup sequencer) encoding their data into a polynomial, creating the KZG commitment, and submitting it in a transaction. Ethereum consensus clients then verify the commitment's validity. For a node performing DAS, it can request random chunks of the blob and use the KZG commitment to cryptographically verify that each chunk is correct. This creates a high-probability guarantee that the entire blob is available, securing the network against data withholding attacks that could compromise rollup security.
Security Considerations and Trust Assumptions
KZG (Kate-Zaverucha-Goldberg) commitments are a cryptographic primitive enabling efficient polynomial commitments, but their security relies on specific cryptographic assumptions and setup procedures.
Trusted Setup Ceremony
The security of a KZG commitment scheme depends on a one-time trusted setup to generate public parameters (the Structured Reference String or SRS). This process creates a secret value (the toxic waste) that must be securely deleted. If compromised, an adversary could create fraudulent proofs. Multi-party computation (MPC) ceremonies, like the one used for Ethereum's EIP-4844, mitigate this by requiring only one honest participant to keep the secret safe.
Cryptographic Assumptions
KZG security rests on the t-Strong Diffie-Hellman (t-SDH) assumption in pairing-friendly elliptic curve groups (e.g., BLS12-381). This is considered a standard cryptographic hardness assumption, similar to the discrete log problem. The scheme provides computational security, meaning forging a proof is infeasible as long as the underlying mathematical problem remains hard to solve. This is distinct from information-theoretic security models.
Binding vs. Hiding Properties
A KZG commitment is computationally binding and perfectly hiding.
- Binding: It is infeasible for a prover to find two different polynomials that evaluate to the same commitment.
- Hiding: The commitment reveals zero information about the committed polynomial's coefficients.
These properties ensure data integrity and confidentiality, forming the basis for its use in data availability sampling and verkle trees.
Proof Forgery & Attack Vectors
The primary attack vector is a compromised trusted setup. Other theoretical risks include:
- Subgroup attacks: If the SRS is generated in an insecure cyclic group.
- Implementation bugs: In the pairing computation or polynomial arithmetic.
- Quantum vulnerability: Like most elliptic-curve cryptography, KZG is not quantum-resistant. A sufficiently powerful quantum computer could break the t-SDH assumption, necessitating a post-quantum alternative.
Comparison to Other Commitments
KZG offers distinct trust trade-offs compared to other schemes:
- vs. Merkle Trees: KZG provides constant-size proofs (O(1)) vs. logarithmic (O(log n)), but requires a trusted setup. Merkle trees are trustless but larger.
- vs. FRI (STARKs): FRI-based commitments are transparent (no trusted setup) but have larger proof sizes and are based on different cryptographic assumptions.
- vs. IPA (Bulletproofs): Inner Product Arguments are also transparent but generally have slower verification.
KZG vs. Other Commitment Schemes
A technical comparison of polynomial commitment schemes based on their cryptographic assumptions, proof sizes, and operational characteristics.
| Feature / Property | KZG Commitments | Merkle Trees | Inner Product Arguments (IPA) |
|---|---|---|---|
| Cryptographic Assumption | Pairing-Friendly Elliptic Curves | Cryptographic Hash Function | Discrete Logarithm (in groups) |
| Proof Size (Constant) | | | |
| Aggregation Support | | | |
| Opening Proof Size | 48 bytes | O(log n) | O(log n) |
| Trusted Setup Required | | | |
| Verification Time | Constant (O(1)) | O(log n) | O(log n) |
| Batch Verification | | | |
| Primary Use Case | Data Availability, zk-SNARKs | Simple Inclusion/Exclusion Proofs | Bulletproofs, Halo2 |
Common Misconceptions About KZG Commitments
Clarifying frequent misunderstandings about the cryptographic primitive powering Ethereum's data availability layer and other scaling solutions.
A KZG commitment (Kate-Zaverucha-Goldberg) is a cryptographic proof that commits to a polynomial without revealing it, enabling efficient verification of evaluations. It works by a trusted setup generating a structured reference string (SRS) containing secret powers of a group element. The committer evaluates a polynomial at a secret point from the SRS to create a short commitment. Later, for any point, they can generate a witness or opening proof that a claimed polynomial value is correct relative to the commitment. The verifier checks this proof using only the commitment, the claimed value, and the public SRS, without needing the full polynomial data. This forms the basis for data availability sampling (DAS) in Ethereum danksharding, where the commitment acts as a succinct fingerprint for a large block of data.
Technical Deep Dive: The KZG Ceremony
A detailed exploration of the KZG polynomial commitment scheme, its role in modern blockchain scaling (like Ethereum's EIP-4844), and the trusted setup ceremony required for its deployment.
A KZG commitment (Kate-Zaverucha-Goldberg) is a cryptographic scheme that allows a prover to create a short, constant-sized commitment to a polynomial, which can later be used to generate proofs about the polynomial's evaluations at specific points without revealing the polynomial itself. It works by evaluating the polynomial at a secret, trusted point s and publishing the result g^{p(s)} as the commitment, where g is a generator of a cryptographic group. This enables efficient verification of claims like "the polynomial evaluates to y at point x" via a pairing check, forming the core of many succinct non-interactive arguments of knowledge (SNARKs) and data availability solutions like EIP-4844.
Frequently Asked Questions (FAQ)
KZG commitments are a foundational cryptographic primitive enabling scalable blockchain data verification. These questions address their core mechanics, applications, and trade-offs.
A KZG commitment (Kate-Zaverucha-Goldberg) is a cryptographic scheme that allows a prover to commit to a polynomial and later generate a succinct proof that the polynomial evaluates to a specific value at a given point, without revealing the full polynomial. It works by encoding the polynomial's coefficients as a Pedersen vector commitment in an elliptic curve group. The prover creates a commitment C = g^{φ(τ)}, where φ(x) is the polynomial and τ is the secret value from the trusted setup, which the prover sees only as the group elements published in the structured reference string (SRS). To prove the evaluation y = φ(a), the prover computes a witness polynomial q(x) = (φ(x) - y) / (x - a) and provides a proof π = g^{q(τ)}. A verifier with C, a, y, and π can check a simple pairing equation e(C / g^y, g) = e(π, g^τ / g^a) to confirm the evaluation is correct, relying on the security of the bilinear pairing and the trusted setup for the SRS.