​

KZG Commitments

​

Overview

​

Why KZG for Ethereum?

• Succinct: 48-byte commitment for ~126 KB blob (4096 field elements)
• Binding: Cannot change blob after commitment
• Verifiable: Prove p(z) = y at any point
• Batch-friendly: Verify multiple proofs efficiently

​

Mathematical Foundation

​

Polynomial Commitments

p(x) = a₀ + a₁x + a₂x² + ... + a₄₀₉₅x⁴⁰⁹⁵

π = [(p(τ) - y)/(τ - z)]₁  (quotient polynomial in G1)

e(C - [y]₁, [1]₂) = e(π, [τ]₂ - [z]₂)

​

Trusted Setup

• 140,000+ participants (Ethereum KZG ceremony 2023)
• Safe if ANY participant destroyed their secret
• Powers of τ precomputed in G1 and G2

​

Implementation Details

import { KZG } from '@tevm/voltaire/crypto/KZG';

​

Quick Start

import { Kzg, Blob } from '@tevm/voltaire';

// Load trusted setup (once, required before operations)
Kzg.loadTrustedSetup();

// Create blob (131,072 bytes = 4096 field elements × 32 bytes)
const blob = Blob(131072);
// ... fill with rollup data

// Kzg.Commitment(blob) → 48-byte commitment
const commitment = Kzg.Commitment(blob);

// Kzg.Proof(blob, z) → proof at evaluation point
const z = randomFieldElement();
const { proof, y } = Kzg.Proof(blob, z);

// Kzg.verify(commitment, z, y, proof) → boolean
const valid = Kzg.verify(commitment, z, y, proof);

// Kzg.verifyBatch(blobs[], commitments[], proofs[]) → boolean
const batchValid = Kzg.verifyBatch(
  blobs, commitments, proofs
);

import { Kzg, Blob } from '@tevm/voltaire';
import * as ckzg from 'c-kzg';

// Load trusted setup (once)
Kzg.loadTrustedSetup();

// Create factories with c-kzg dependency injection
const Commitment = Kzg.CommitmentFactory({
  blobToKzgCommitment: ckzg.blobToKzgCommitment
});
const Proof = Kzg.ProofFactory({
  computeKzgProof: ckzg.computeKzgProof
});
const verify = Kzg.VerifyFactory({
  verifyKzgProof: ckzg.verifyKzgProof
});
const verifyBatch = Kzg.VerifyBatchFactory({
  verifyBlobKzgProofBatch: ckzg.verifyBlobKzgProofBatch
});

// Use factories
const blob = Blob(131072);
const commitment = Commitment(blob);
const z = randomFieldElement();
const { proof, y } = Proof(blob, z);
const valid = verify(commitment, z, y, proof);
const batchValid = verifyBatch(blobs, commitments, proofs);

​

Documentation

​

Core Operations

• Commitments - Creating KZG commitments from blobs
• Proofs - Opening proofs and evaluation verification
• Point Evaluation - EIP-4844 precompile 0x0a
• Trusted Setup - Ceremony, verification, security

​

Integration

• EIP-4844 - Blob transactions, gas pricing, lifecycle
• Usage Patterns - L2 integration, data availability sampling
• Test Vectors - Official EIP-4844 test cases
• Performance - Benchmarks, gas costs, optimizations

​

EIP-4844 Blob Transactions

​

Blob Format

interface Blob {
  length: 131072;  // Fixed size
  elements: FieldElement[4096];  // BLS12-381 Fr elements
}

​

Transaction Type

interface BlobTransaction {
  chainId: bigint;
  nonce: bigint;
  maxPriorityFeePerGas: bigint;
  maxFeePerGas: bigint;
  gasLimit: bigint;
  to: Address;
  value: bigint;
  data: Uint8Array;
  accessList: AccessList;
  
  maxFeePerBlobGas: bigint;  // New: blob gas pricing
  blobVersionedHashes: Hash[];  // New: KZG commitment hashes
  
  blobs: Blob[];  // Sidecar (not in tx hash)
  commitments: KZGCommitment[];  // Sidecar
  proofs: KZGProof[];  // Sidecar
}

​

Blob Lifecycle

1. Submission: Rollup creates blob transaction with KZG commitments
2. Inclusion: Block proposer includes in block
3. Verification: Nodes verify KZG proofs ensure commitment correctness
4. Availability: Blobs available for 18 days (commitments enable verification without full blob download)
5. Pruning: After 18 days, blobs deleted (commitments remain on-chain permanently)

​

Point Evaluation Precompile

// Precompile input (192 bytes)
interface PointEvaluationInput {
  versionedHash: Bytes32;  // 32 bytes
  z: Bytes32;              // 32 bytes (evaluation point)
  y: Bytes32;              // 32 bytes (claimed value)
  commitment: Bytes48;     // 48 bytes (KZG commitment)
  proof: Bytes48;          // 48 bytes (KZG proof)
}

// Returns: 64 bytes (success)
// Reverts if proof invalid

​

Implementation

• Location: lib/c-kzg-4844/
• Language: C (portable)
• Audits: Sigma Prime (2023), zkSecurity (2025)

• Safe FFI bindings
• Error handling
• Memory management

• Native: Full support via c-kzg-4844 C library
• WASM: NOT SUPPORTED - Returns error.NotSupported due to C library dependencies

​

Gas Economics

baseFeePerBlobGas adjusts based on blob usage

• Calldata: ~16 gas/byte × 131KB = 2.1M gas ($100-500)
• Blob: 50K gas per blob ($1-5)

​

Security

• Assumption: Safe if ≥1 participant destroyed their secret contribution
• Participants: 140,000+ in Ethereum KZG Ceremony (2023)
• Verification: Publicly verifiable transcript ensures ceremony correctness
• Risk: If all participants colluded, they could create false proofs. With 140,000+ participants, this is cryptographically impractical.

• Computationally infeasible to find collision
• Based on discrete log hardness in G1 (BLS12-381)

• Cannot forge proof for wrong evaluation value
• Pairing check guarantees correctness via bilinear map properties

​

Use Cases

• Post transaction data as blobs
• Fraud proofs reference blob data

• Post full transaction data
• Validity proofs verify state transition

• Light clients sample random points
• Verify via KZG proofs
• Ensure data availability without full download

​

Performance

• Blob to commitment: ~50 ms
• Compute proof: ~50 ms
• Verify proof: ~2 ms
• Verify blob proof batch: ~2 ms per blob

• Max 6 blobs per block
• Verification time: ~12 ms per block (6 blobs)

​

Related

• BLS12-381 - Underlying elliptic curve
• Precompiles: Point Evaluation - 0x0a implementation

​

References

• EIP-4844: Shard Blob Transactions
• KZG Ceremony
• c-kzg-4844 Library
• Proto-Danksharding FAQ