# KZG repo internal audit report

**Repository:** [rust-eth-kzg](https://github.com/crate-crypto/rust-eth-kzg)

This report summarizes the main improvements made during the internal audit of the KZG Ethereum repository. While this is not a formal audit report, it’s intended to give an organized and clear overview of the work done, grouped by theme, with representative pull requests (PRs).

## Observations

### Overview

Overall, the codebase is very well documented. For further resources:

* Reference implementation in Python:
  * EIP4844 → [https://github.com/ethereum/consensus-specs/blob/017a849/specs/deneb/polynomial-commitments.md](https://github.com/ethereum/consensus-specs/blob/017a849/specs/deneb/polynomial-commitments.md)
  * EIP7594 → [https://github.com/ethereum/consensus-specs/blob/13ac373/specs/\_features/eip7594/polynomial-commitments-sampling.md](https://github.com/ethereum/consensus-specs/blob/13ac373/specs/_features/eip7594/polynomial-commitments-sampling.md)
* How KZG multi-reveal works → [https://eprint.iacr.org/2024/1362.pdf](https://eprint.iacr.org/2024/1362.pdf) (great figures to understand why blobs are in bit-reversed order)
* Prover optimization of KZG multi-reveal → [https://github.com/crate-crypto/rust-eth-kzg/blob/master/papers/fk23.pdf](https://github.com/crate-crypto/rust-eth-kzg/blob/master/papers/fk23.pdf)

### Notes

1. `crates/cryptography/bls12_381/src/batch_addition.rs`

   This module handles batch addition of BLS12-381 points in fixed-base MSM. The `multi_batch_addition_binary_tree_stride` function speeds things up by amortizing the cost of inversion when computing slopes.

   * Caveat: It does **not** handle cases like `[.., (O, O), ..]` or `[.., (G, -G), ..]` (O = identity, G = random point), which could cause a batch inversion panic.
   * Caveat: It does **not** handle identity additions (the affine coordinates of the identity are undefined, so the result becomes garbage).

   However, these edge cases are negligible because this function is only used internally in fixed-base MSM.

2. `crates/cryptography/bls12_381/src/lincomb.rs`

   The `g1_lincomb` function is widely used by both prover and verifier. It filters out identity points before calling the underlying `blst` routines, so it is safe to assume it can be called with any valid point-scalar pairs.

3. `crates/cryptography/erasure_codes/src/reed_solomon.rs`

   This module handles recovery of the polynomial (monomial form of the bit-reversed blob) given a partial Reed-Solomon code. Notably, the `recover_polynomial_coefficient_erasure_pattern` function will return `RSError::PolynomialHasInvalidLength` if the recovered polynomial doesn't match the expected degree. This can happen if some cells don’t belong to the same codeword (which could be avoided by verifying the KZG proof of the cell) or due to internal implementation errors. More details can be found in Thomas’s note.

4. `crates/eip4844`

   Unlike the reference implementation (which stays in Lagrange form to avoid FFTs but needs two slightly different quotient algorithms), this crate operates in monomial form and computes quotients by simple long division, which reduces complexity. The tradeoff: slightly slower performance in `compute_blob_kzg_proof`, `verify_blob_kzg_proof_batch`, and `verify_blob_kzg_proof`. But since these won’t be on the hot path post-EIP7594, this is considered an acceptable cost.

5. **Upgrade `rand` crate** → We aim to upgrade to version 0.9 (currently blocked by an upstream dependency).

   * [Tracking PR #307](https://github.com/crate-crypto/rust-eth-kzg/pull/307)
   * [Upstream issue](https://github.com/zkcrypto/group/pull/63)

6. **Simplify booth encoding** → The `booth_encoding.rs` module works and passes fuzzing but remains dense and complex. Simplifying its logic would improve maintainability and clarity.

   * [Source code](https://github.com/crate-crypto/rust-eth-kzg/blob/master/crates/cryptography/bls12_381/src/booth_encoding.rs)

## Documentation

We expanded documentation across the codebase — adding function-level docs, module-level explanations, and clearer examples. This improves developer experience by making the API easier to understand, especially for areas tied closely to Ethereum specs (EIPs) or mathematical background.

For tricky or low-level parts of the implementation, inline comments now guide the reader through the logic or point them directly to external references.

**Representative PRs:** [#390](https://github.com/crate-crypto/rust-eth-kzg/pull/390), [#364](https://github.com/crate-crypto/rust-eth-kzg/pull/364), [#325](https://github.com/crate-crypto/rust-eth-kzg/pull/325), [#387](https://github.com/crate-crypto/rust-eth-kzg/pull/387), [#343](https://github.com/crate-crypto/rust-eth-kzg/pull/343), ...

## Erasure codes guide

We created a dedicated guide to explain the core concepts and mathematical foundations behind the erasure code module. This guide connects theory to implementation, giving examples and walk-through explanations that help both new contributors and users understand why things work the way they do.

* [PR #382](https://github.com/crate-crypto/rust-eth-kzg/pull/382)
* [Full guide](https://hackmd.io/@tcoratger/ryMqmigWee)

## Test coverage & fuzzing

We greatly expanded unit tests, covering standard cases, edge cases (e.g., empty vectors, all-zero inputs), and introducing property-based fuzzing via the `proptest` crate. This helped us surface edge behaviors (such as a `saturating_sub` panic) and gave us confidence that the core algorithms behave robustly across unexpected inputs — even if no major bugs were found.

**Representative PRs:** [#309](https://github.com/crate-crypto/rust-eth-kzg/pull/309), [#313](https://github.com/crate-crypto/rust-eth-kzg/pull/313), [#365](https://github.com/crate-crypto/rust-eth-kzg/pull/365), [#379](https://github.com/crate-crypto/rust-eth-kzg/pull/379), [#383](https://github.com/crate-crypto/rust-eth-kzg/pull/383), [#384](https://github.com/crate-crypto/rust-eth-kzg/pull/384), ...

## Clippy & code hygiene

We enabled strong `clippy` linting to enforce Rust best practices and modern idioms. This led to many small improvements: marking functions as `const` when possible, removing unnecessary allocations, tightening type conversions, simplifying control flow, reducing boilerplate, etc. These changes sometimes improve performance and also help long-term maintainability.

**Representative PRs:** [#109](https://github.com/crate-crypto/rust-eth-kzg/pull/109), [#302](https://github.com/crate-crypto/rust-eth-kzg/pull/302), [#317](https://github.com/crate-crypto/rust-eth-kzg/pull/317), [#350](https://github.com/crate-crypto/rust-eth-kzg/pull/350), etc.

## Refactoring & cleanup

Several sections of the code were refactored to reduce duplication, improve clarity, and make the logic more modular. While these PRs didn’t change behavior or fix bugs, they improved readability and made the codebase easier to work with for future improvements.

**Representative PRs:** [#334](https://github.com/crate-crypto/rust-eth-kzg/pull/334), [#339](https://github.com/crate-crypto/rust-eth-kzg/pull/339), [#344](https://github.com/crate-crypto/rust-eth-kzg/pull/344), ...

## Serialization improvements

Serialization routines (especially those tied to EIP-7594 and EIP-4844) were simplified using cleaner methods and fewer lines of code. We also expanded test coverage to ensure that serialization/deserialization remains stable, spec-compliant, and resistant to edge cases.

**Representative PRs:** [#345](https://github.com/crate-crypto/rust-eth-kzg/pull/345), [#359](https://github.com/crate-crypto/rust-eth-kzg/pull/359), [#371](https://github.com/crate-crypto/rust-eth-kzg/pull/371), [#378](https://github.com/crate-crypto/rust-eth-kzg/pull/378)

## `PolyCoeff` wrapper

The `PolyCoeff` type, originally just a type alias for `Vec<Scalar>`, was promoted to a proper struct. This makes it clearer to users when they are working with polynomial coefficients and gives us a central place to attach methods, improving ergonomics and reducing the risk of misuse. Additionally, warnings were added to the code documentation for use cases that this crate does not support.

* [PR #353](https://github.com/crate-crypto/rust-eth-kzg/pull/353)
* [PR #391](https://github.com/crate-crypto/rust-eth-kzg/pull/391)

## FFT method unification

We unified separate FFT routines (`fft_scalar_inplace`, `fft_g1_inplace`) under a single function, reducing code duplication and the risk of inconsistencies.

* [PR #356](https://github.com/crate-crypto/rust-eth-kzg/pull/356)

## Bit-reversal optimizations

The repo now uses well-known, efficient community implementations for `reverse_bits` and `reverse_bit_order` (inspired by Plonky3), ensuring consistency and avoiding re-inventing the wheel.

* [PR #354](https://github.com/crate-crypto/rust-eth-kzg/pull/354)

## Reed-Solomon module polish

Based on review feedback, we cleaned up the Reed-Solomon module by improving naming and adding clarifying comments. This helps ensure future contributors can follow the logic more easily.

* [PR #351](https://github.com/crate-crypto/rust-eth-kzg/pull/351)

## Crate renaming

We renamed several crates to simpler, clearer names, making the overall project structure easier to understand.

* [PR #348](https://github.com/crate-crypto/rust-eth-kzg/pull/348)

## Specification links

Where missing, we added links to relevant Ethereum specs, so developers can quickly cross-check implementation details.

**Representative PRs:** [#341](https://github.com/crate-crypto/rust-eth-kzg/pull/341)

## Improved formatting rules

We updated the repo’s formatting rules, especially around import ordering, to prevent unnecessary diffs and reduce the chance of merge conflicts in future PRs.

* [PR #337](https://github.com/crate-crypto/rust-eth-kzg/pull/337)

## MSM vector length checks

We added explicit length checks in `FixedBaseMSMPrecompWindow` to ensure that the number of scalars matches the number of points, preventing silent errors or panics. We applied the same checks to the MSM methods in general.

* [PR #335](https://github.com/crate-crypto/rust-eth-kzg/pull/335)

## Removal of hardcoded constants

We eliminated hardcoded constants and replaced them with declared constants, making the source of values explicit and reducing the risk of accidental inconsistencies when changing them in the future.

**Representative PRs:** [#385](https://github.com/crate-crypto/rust-eth-kzg/pull/385)

## Descriptive function naming

We renamed several functions to make their purpose clearer just from their name, improving discoverability and readability.

**Representative PRs:** [#381](https://github.com/crate-crypto/rust-eth-kzg/pull/381)

## Dependency cleanup

We removed unused dependencies from `Cargo.toml` to streamline compilation and reduce unnecessary entries in the lockfile.

* [PR #306](https://github.com/crate-crypto/rust-eth-kzg/pull/306)

## Add tracing

We added the `tracing` dependency across key crates to enable lightweight instrumentation and runtime profiling. This allows developers to trace and analyze the performance of time-consuming functions, helping identify bottlenecks or optimization opportunities.

* [PR #310](https://github.com/crate-crypto/rust-eth-kzg/pull/310)

## Full API for EIP-4844 specification

We implemented and reviewed the complete API for the EIP-4844 specification, ensuring the crate exposes all necessary interfaces for polynomial commitments, KZG proofs, and related operations.

* [PR #345](https://github.com/crate-crypto/rust-eth-kzg/pull/345)
* [PR #363](https://github.com/crate-crypto/rust-eth-kzg/pull/363)

## Improvement over FFT

We improved the FFT implementation by adopting a cache-aware radix-2 FFT algorithm from Plonky3, which optimizes memory access patterns and improves performance, especially in multithreaded execution.

This change required precomputing twiddle factors in bit-reversed order, which doubles the memory needs of the `Domain` object. If needed, we can disable this optimization for verifier-side use where memory is more constrained.

**Performance gains:**

* **Multithreaded mode:** significant speedup, reducing total runtime for key operations like `compute_cells_and_kzg_proofs` by \~60% (from \~45 ms to \~17 ms).
* **Single-threaded mode:** maintained performance, with slight improvements and no slowdowns.

**Related PR:**

* [PR #324](https://github.com/crate-crypto/rust-eth-kzg/pull/324)
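
## Appendix: the batch-addition caveat on a toy curve

The first caveat in Notes item 1 (a pair such as `(G, -G)` breaking the shared inversion) can be reproduced at small scale. The Rust sketch below is an added example, not code from rust-eth-kzg: the field `F_1009`, the curve `y^2 = x^3 + 4`, and every function name are assumptions chosen for illustration, and it returns `None` where an unguarded batch inversion would fail.

```rust
// Added illustration: toy curve y^2 = x^3 + 4 over F_1009 (assumed parameters, not BLS12-381).
const P: u64 = 1009;
type Affine = (u64, u64);
fn sub(a: u64, b: u64) -> u64 { (a + P - b) % P }
fn mul(a: u64, b: u64) -> u64 { a * b % P }
fn inv(a: u64) -> u64 { // Fermat inversion a^(P-2); 0 has no inverse and this returns 0
    let (mut r, mut b, mut e) = (1, a, P - 2);
    while e > 0 { if e & 1 == 1 { r = mul(r, b); } b = mul(b, b); e >>= 1; }
    r
}
fn on_curve(p: Affine) -> bool { mul(p.1, p.1) == (mul(mul(p.0, p.0), p.0) + 4) % P }

/// Montgomery trick: one field inversion for the whole slice. A single zero would
/// zero the running product, so such a batch is rejected up front.
fn batch_inverse(v: &[u64]) -> Option<Vec<u64>> {
    if v.contains(&0) { return None; }
    let mut prefix = Vec::with_capacity(v.len());
    let mut acc = 1;
    for &x in v { prefix.push(acc); acc = mul(acc, x); }
    let mut acc_inv = inv(acc);
    let mut out = vec![0; v.len()];
    for i in (0..v.len()).rev() {
        out[i] = mul(acc_inv, prefix[i]); // inverse of v[i]
        acc_inv = mul(acc_inv, v[i]);     // drop v[i] from the running inverse
    }
    Some(out)
}

/// Chord addition of every pair with one shared inversion for all slopes.
/// Returns None if any pair has equal x-coordinates, e.g. (G, -G).
fn batch_add_pairs(pairs: &[(Affine, Affine)]) -> Option<Vec<Affine>> {
    let denoms: Vec<u64> = pairs.iter().map(|(a, b)| sub(b.0, a.0)).collect();
    let invs = batch_inverse(&denoms)?;
    Some(pairs.iter().zip(invs).map(|(&(a, b), d)| {
        let lambda = mul(sub(b.1, a.1), d);
        let x3 = sub(sub(mul(lambda, lambda), a.0), b.0);
        (x3, sub(mul(lambda, sub(a.0, x3)), a.1))
    }).collect())
}

/// First `n` curve points with distinct x, found by brute force (toy field only).
fn sample_points(n: usize) -> Vec<Affine> {
    (0..P).filter_map(|x| (1..P).map(|y| (x, y)).find(|&p| on_curve(p))).take(n).collect()
}

fn main() {
    let g = sample_points(4);
    let neg_g0 = (g[0].0, P - g[0].1); // -G shares G's x-coordinate
    println!("{:?}", batch_add_pairs(&[(g[0], g[1]), (g[2], g[3])]));
    println!("{:?}", batch_add_pairs(&[(g[0], g[1]), (g[0], neg_g0)]));
}
```

One degenerate pair invalidates the whole batch, not just its own slot, because every output of the Montgomery trick depends on the inverse of the full product.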