Definition
The KZG polynomial commitment, named after Kate, Zaverucha, and Goldberg, is a pairing-based scheme that commits to a polynomial with a single elliptic-curve point and proves its evaluation at any point with a single additional point. Both the commitment and each proof are constant-size regardless of the polynomial's degree, and verification requires only a pair of pairing checks. This combination of brevity and fast verification made KZG the workhorse commitment for production proof systems.
How it works
A one-time trusted setup produces a structured reference string: encrypted powers of a secret value tau that no one knows. The prover commits by evaluating the polynomial in the exponent against this string. To prove an evaluation, the prover supplies a quotient polynomial commitment, and the verifier confirms a divisibility relation using the bilinear pairing.
Tradeoffs and use
KZG's strength is unmatched compactness; its weakness is the trusted setup, since anyone who recovers tau could forge proofs. It also relies on pairings, so it is not quantum-resistant. KZG underpins data-availability sampling in Ethereum's blob transactions and the polynomial layer of widely used SNARKs.
KZG is one instance of the broader polynomial commitment scheme, and its security depends entirely on a properly run trusted setup ceremony.
