constant-size commitments · single-point opening · one pairing

KZG — commit to any polynomial in 48 bytes; open at any point in 48 bytes more; verify in one pairing.

A pairing-based polynomial commitment scheme of Kate, Zaverucha, and Goldberg (2010). The commitment and the opening are each a single $G_1$ element regardless of polynomial degree — the cost is a one-time structured reference string with a secret nobody is allowed to remember.

48-byte commitments, one pairing per opening, on the SRS the Ethereum Foundation ceremony produced with ~141 000 contributors. PLONK commits to its witness, permutation, and quotient polynomials through this scheme; the deployment reuses the same ceremony output rather than running its own.

Commitment: 48 B
Opening: 48 B
Verifier work: 1 pairing
Curve: BLS12-381
SRS contributors: ~141 000

the shape

A polynomial, a commitment, an opening — three objects, one pairing.

Commit $f(X)$ as a single curve point. To open at any point $z$, hand over a quotient commitment and the claimed value $f(z)$. The verifier collapses the whole story to one pairing identity.

[Diagram: polynomial $f(X)$, degree ≤ d, coefficients in $F_r[X]$ (witness side) → SRS evaluation → commitment $[f]_1$ (one $G_1$ point, 48 bytes regardless of d, binding under d-SBDH) → opening at $z$: $[q]_1$, $f(z)$ (quotient commitment + claimed value, 48 B · 32 B) → verify with 1 pairing: accept / reject]
pairing identity at point z
$$e\bigl([q]_1,\ [\tau - z]_2\bigr)\ \overset{?}{=}\ e\bigl([f - f(z)]_1,\ [1]_2\bigr)$$
SRS: $\{[\tau^i]_1, [\tau^i]_2\}$ for $i=0..d$
The structured reference string. Built once via a multi-party ceremony; the secret $\tau$ must be erased by every contributor. One SRS suffices for every polynomial of degree ≤ d.

Commitment $[f]_1$: one $G_1$ point · 48 bytes
Binds the prover to $f(X)$ without revealing it. Binding under $d$-SBDH on BLS12-381; the size is independent of polynomial degree.

Opening $[q]_1 + f(z)$: one $G_1$ point + one $F_r$ element
Proves that $f(z)$ is the value of the committed polynomial at point $z$. Verified by a single pairing against the SRS in $G_2$.

Three primary objects. The polynomial lives in $F_r[X]$; commitments and openings live in $G_1$; the verifier's check lands in $G_T$ via one pairing. The same dot-colour convention runs through the rest of the page.

commit · open · verify — step through

Three moves, end to end.

From a polynomial to one pairing decision in three steps. Each step has one concrete object and one equation.


Soundness intuition. A cheating committer who wants to open $f$ at $z$ to a wrong value $y \neq f(z)$ has to commit to a $q'(X)$ such that $f(X) - y = q'(X) \cdot (X - z)$. No such polynomial exists: $f(z) - y \neq 0$, so $X - z$ does not divide $f(X) - y$ and the division leaves a remainder. Binding under $d$-SBDH on BLS12-381 rules out finding a commitment that passes the check anyway.

parameters

Concrete numbers.

All values are fixed by the protocol definition or by the reused SRS. None are tunable knobs.

Curve: BLS12-381
Commitment size: 48 bytes · $G_1$ point
Opening size: 48 bytes · $G_1$ point
Verifier work: 1 pairing + 1 MSM
Max polynomial degree: $2^{16}$ (largest tier) — well below the EF SRS cap
SRS source: Ethereum Foundation KZG Summoning Ceremony
Ceremony participation: ~141 000 contributors
Setup model: universal updatable · one honest contributor suffices
SRS provenance pin: SHA-256 · locked into the verifying-key supply chain

wiring — setup, prover, verifier

One SRS, many circuits, one pairing.

The setup runs once and produces a structured reference string usable by every relation the deployment compiles to PLONK. The prover commits polynomials and batches openings off-chain. The on-chain verifier runs one pairing.

Setup · once, off-chain

SRS: Reused ceremony SRS
Ethereum Foundation KZG Summoning Ceremony output, ~141 000 contributors. The deployment does not run its own ceremony.

trust model: One honest contributor suffices
Universal-updatable: every contributor adds randomness and erases their share. Trust survives as long as a single contributor in the full chain was honest.

SHA-256: Provenance pin
The SRS digest is SHA-256-pinned into the verifying-key supply chain — every verifying key references exactly the bytes the ceremony produced.

One SRS, many circuits. The same SRS supports every relation the deployment compiles to PLONK. Adding a new relation does not require a new ceremony — the structural advantage versus per-circuit-MPC Groth16, where every circuit needs its own.

Prover · per proof, off-chain

G₁ · MSM: Commit each PLONK polynomial
Wire $a(X), b(X), c(X)$, permutation $z(X)$, and quotient $t(X)$ — each becomes a 48-byte $G_1$ point via $[f]_1 = \sum_i f_i \cdot [\tau^i]_1$.

F_r: Compute the quotient
At the Fiat-Shamir challenge $\zeta$, the committer forms $q(X) = (f(X) - f(\zeta))/(X - \zeta)$ — well-defined precisely because $f(\zeta)$ is the evaluation.

G₁ · batched: Batched opening
All openings at $\zeta$ are combined into one quotient commitment $[q]_1$. A second opening at $\zeta\omega$ covers the permutation argument's shifted evaluation.

Verifier · per proof, on-chain

on-chain: Read proof & VK
The verifier reads the proof, reconstructs public-input commitments, and pulls the preprocessed selector commitments from the verifying key (which embeds the SRS).

G₁ · MSM: Aggregate the check
All commitments and Fiat-Shamir challenges reduce to two final $G_1$ elements via one multi-scalar multiplication.

G_T · pairing: One pairing decides
$e\bigl([q]_1,\ [\tau - z]_2\bigr) \overset{?}{=} e\bigl([f - f(z)]_1,\ [1]_2\bigr)$. The pairing returns the one bit of output the contract reads.

Setup and prover share the cool/blue lane tint — both live off-chain in $F_r$ and $G_1$. The verifier's lane is amber: warm, host-function-bound, the only thing the chain pays for.

security

Binding holds. The curve does not survive Shor.

Two assumptions, two horizons. The classical card is the working margin today; the post-quantum card is the load-bearing caveat — and the one any deployment must say out loud.

classical · holding
d-SBDH

Binding under the $d$-strong Bilinear Diffie–Hellman assumption on BLS12-381.

Given $\{[\tau^i]_1, [\tau^i]_2\}_{i=0..d}$, an adversary cannot produce $[1/(\tau - c)]_1$ for an adversary-chosen $c$. Hiding is information-theoretic in the trusted-setup model; knowledge soundness is in the algebraic group model.

  • $d$-SBDH is the standard assumption underlying KZG binding — same family as $q$-strong DH used elsewhere in pairing-based crypto.
  • AGM is a heuristic, not a standard-model proof — the same caveat as PLONK's overall knowledge-soundness argument.
  • The trusted-setup assumption shifts to a ceremony-level one-honest-contributor question, not a per-proof one. Every proof under the SRS inherits it.

post-quantum · broken under Shor
Shor

The SRS becomes a witness. Binding collapses; every commitment opens to anything.

KZG binding reduces to discrete log in $G_1$ on BLS12-381. A CRQC recovers $\tau$ from the SRS in polynomial time, after which a cheating committer can construct a valid opening of any commitment to any value. There is no graceful degradation.

  • The break is structural — the SRS itself becomes a full-knowledge witness for the adversary.
  • Mitigation is a commitment-scheme swap, not a parameter bump — see §7 for the PQ alternatives.
  • In a PQ-secure configuration KZG is replaced entirely, typically by FRI (hash-based) or a lattice-based scheme.

toxic waste
The secret $\tau$ is what one-honest-contributor guards. The Ethereum Foundation ceremony's ~141 000 participation is the structural advantage versus per-circuit-MPC Groth16, where every circuit needs its own ceremony. Universal-updatable means the SRS can be extended by new contributors without restarting, and trust survives as long as one contributor in the full chain was honest and erased their share.

kzg vs ipa vs fri

Three polynomial-commitment families. Three different trades.

Setup-trust on one axis. Verifier cost, proof size, and PQ stance on the others. KZG is the column this page highlights.

KZG (this page) · pairing-based · universal updatable
Commitment size: 48 B · constant
Opening size: 48 B · constant
Verifier work: 1 pairing + MSM
Setup: trusted · universal updatable
PQ stance: broken under Shor
Representative deployments: PLONK · KZG-based zkRollups

IPA / Bulletproofs · discrete-log based · transparent
Commitment size: O(1) · 32–48 B
Opening size: O(log n)
Verifier work: O(n)
Setup: transparent · no ceremony
PQ stance: broken under Shor
Representative deployments: Halo 2 · Monero range proofs

FRI · hash-based · transparent
Commitment size: Merkle root · 32 B
Opening size: O(log² n) · 10s of KB
Verifier work: hash-only
Setup: transparent · no ceremony
PQ stance: conjectured PQ-secure
Representative deployments: STARKs · Plonky3 (hash commitments)

KZG trades a one-time trusted setup for the smallest commitments and the cheapest verifier. IPA pays in verifier time to drop the trusted setup. FRI pays in proof size to be conjectured post-quantum secure.

references

Primary literature.

Four sources. The original KZG paper, the ceremony whose SRS the deployment reuses, the PLONK paper that consumes the commitments, and the curve construction underneath.