A KZG commitment is a polynomial commitment scheme that allows a prover to commit to a polynomial and later open evaluations at specific points with constant-size proofs that are independent of the polynomial's degree. It relies on bilinear pairings over elliptic curve groups to achieve succinctness and homomorphic properties, enabling efficient proof aggregation and verification.
Glossary
KZG Commitment

What is KZG Commitment?
A polynomial commitment scheme based on bilinear pairings that produces constant-size commitments and evaluation proofs, commonly used in Ethereum's proto-danksharding.
The scheme requires a trusted setup ceremony to generate a structured reference string from a secret scalar that must be discarded. KZG commitments are foundational to Ethereum's EIP-4844 proto-danksharding, where they enable data availability sampling by committing to blob data as evaluations of a polynomial, allowing light clients to verify availability without downloading entire blobs.
Key Features
The KZG (Kate-Zaverucha-Goldberg) polynomial commitment scheme is a foundational cryptographic primitive enabling constant-size proofs for arbitrary data. Its unique properties make it the engine behind Ethereum's scalability roadmap.
Constant-Size Proofs
The defining property of a KZG commitment is that both the commitment to a polynomial and the evaluation proof are a single group element (e.g., 48 bytes), regardless of the polynomial's degree or the complexity of the data. This O(1) size is a massive improvement over Merkle trees, where proof size grows logarithmically with data size. This constant size enables highly efficient on-chain verification and minimal bandwidth usage.
Homomorphic Hiding & Binding
KZG relies on bilinear pairings over elliptic curves. The commitment C = g^P(s) is a single group element that binds the prover to a specific polynomial P without revealing it. The scheme is homomorphic: commitments to two polynomials can be added to get a commitment to their sum. This allows for elegant batch proofs, where a single proof can verify multiple evaluations simultaneously, drastically reducing verification overhead.
Ethereum Proto-Danksharding (EIP-4844)
KZG is the cryptographic backbone of EIP-4844, which introduces blob-carrying transactions. Rollups post compressed transaction data in blobs, and a KZG commitment to that data is stored on-chain. The consensus layer only verifies that the commitment is correct, not the data itself. This enables Data Availability Sampling (DAS), where light nodes probabilistically verify blob availability using KZG proofs without downloading the full blob.
Verkle Tree Integration
Beyond data sharding, KZG is used to build Verkle trees, a replacement for Merkle Patricia trees in Ethereum's state. A Verkle tree uses a vector commitment (a KZG commitment to a vector of values) at each node. This allows for extremely compact witnesses—the proof that a specific piece of state is correct. Verkle trees reduce witness sizes from kilobytes to under 200 bytes, enabling stateless clients that can validate blocks without storing the entire state.
Universal Batch Verification
A single KZG commitment can be opened at multiple points with a single, constant-size proof using multiproofs. Given a set of evaluation points (z_i, y_i), a prover can generate one proof that attests to all of them simultaneously. The verifier checks this single proof against the original commitment. This amortized verification is critical for scalability, allowing a single on-chain transaction to verify an entire block's worth of data availability proofs.
KZG vs. Other Polynomial Commitment Schemes
A technical comparison of KZG commitments against Inner Product Arguments (IPA) and Fast Reed-Solomon IOPP (FRI) across key dimensions relevant to verifiable compute pipelines and blockchain scalability.
| Feature | KZG | IPA (Inner Product Argument) | FRI (Fast Reed-Solomon IOPP) |
|---|---|---|---|
Proof Size | Constant (single group element) | Logarithmic O(log n) | Larger logarithmic O(log² n) |
Verifier Complexity | Constant O(1) | Linear O(n) | Logarithmic O(log n) |
Trusted Setup Required | |||
Post-Quantum Secure | |||
Cryptographic Assumption | Bilinear pairings | Discrete logarithm | Collision-resistant hash functions |
Commitment Size | Constant (32-48 bytes) | Logarithmic | Logarithmic |
Batch Proof Aggregation | Native and highly efficient | Requires additional techniques | Supported via Merkle tree structure |
Real-World Applications
KZG commitments are not just theoretical cryptography; they are the operational backbone of Ethereum's scalability roadmap and a growing suite of privacy-preserving and verifiable compute systems. Their constant-size proofs make them ideal for resource-constrained environments.
Verkle Trees for Statelessness
KZG commitments are the core mathematical primitive inside Verkle trees, which are designed to replace the Merkle Patricia trie in Ethereum's state data structure. A Verkle tree uses a vector commitment scheme to prove the values of sibling nodes in a single, compact proof.
- Efficiency: Unlike a Merkle tree, which requires providing all sibling nodes along a path (a large proof), a Verkle proof is constant-size.
- Goal: This enables stateless clients—validators that can verify blocks without storing the entire global state, dramatically lowering hardware requirements for network participation.
Zero-Knowledge Proof Composition
KZG serves as a fundamental building block in modern zk-SNARK proving systems, particularly those based on polynomial interactive oracle proofs (PIOPs) like PLONK and Marlin. The prover commits to the gate polynomials of an arithmetic circuit using a KZG commitment.
- Role: The verifier can query the committed polynomial at a random challenge point, and the prover provides a KZG evaluation proof to show the query was answered correctly.
- Result: This combination yields a universal and updatable structured reference string (SRS), meaning a single trusted setup can be used for any circuit up to a certain size.
Data Availability Sampling (DAS)
In full danksharding, the network must ensure that all blob data was actually published by a block proposer without requiring every node to download everything. KZG commitments enable efficient data availability sampling.
- Process: A node randomly samples a few positions of the blob. The proposer must return the data at those positions along with a KZG proof that the data matches the original commitment.
- Security: The polynomial nature of KZG ensures that if a sufficient fraction of the data is available, the entire blob can be reconstructed via erasure coding, and any attempt to withhold data is cryptographically detectable.
Verifiable Secret Sharing
KZG commitments provide a robust method for verifiable secret sharing (VSS). A dealer can commit to a polynomial whose constant term is a secret, then distribute evaluations of this polynomial to participants as shares.
- Verification: Each participant can independently verify that their received share is a correct evaluation of the committed polynomial using the KZG opening proof.
- Advantage: This eliminates the need for a trusted dealer and provides immediate, non-interactive verification of share correctness, which is essential for distributed key generation (DKG) protocols in threshold cryptography.
zk-Rollup Validity Proofs
Several zk-rollup projects utilize KZG-based proving systems to generate their validity proofs. The constant-size proof property is highly desirable for on-chain verification, where every byte of calldata incurs a cost.
- Implementation: A zk-rollup operator executes thousands of transactions off-chain, generates a proof of correct execution using a KZG-based SNARK, and posts only this tiny proof to the Layer 1 chain.
- Impact: This allows the Layer 1 smart contract to verify the integrity of a massive batch of transactions with a single, cheap, constant-time cryptographic check, inheriting the full security of the base layer.
Frequently Asked Questions
Explore the cryptographic mechanics, mathematical foundations, and practical applications of the KZG polynomial commitment scheme, a cornerstone of modern blockchain scalability and verifiable compute pipelines.
A KZG commitment is a polynomial commitment scheme that allows a prover to commit to a specific polynomial and later prove its evaluation at any point, with both the commitment and the proof being a single, constant-size elliptic curve group element. The scheme operates using bilinear pairings over elliptic curves, typically BLS12-381 or BN254. To commit to a polynomial f(x), the prover evaluates it at a secret, unknown value s (generated during a trusted setup ceremony) using the public parameters g^{s^i}, producing a single group element C = g^{f(s)}. To prove that f(a) = y, the prover computes a quotient polynomial q(x) = (f(x) - y) / (x - a) and provides the proof π = g^{q(s)}. The verifier checks the pairing equation e(C / g^y, g) = e(π, g^s / g^a). This constant-size proof is a defining property that distinguishes KZG from Merkle-tree-based commitments, which require logarithmic-size proofs.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
KZG commitments are a foundational primitive within the broader landscape of verifiable compute pipelines and blockchain scalability. The following concepts are essential for understanding how KZG fits into modern cryptographic architectures.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us