Next-Gen CryptographyStateless EthereumEIP-6800Deep Dive

Verkle Trees — The Future of Blockchain State

Verkle Trees replace Merkle Patricia Tries in Ethereum and promise to shrink state proofs from 15KB down to 150 bytes — a 100× improvement. This guide explains the cryptographic magic behind them, why they matter, and how they compare to every other blockchain storage structure.

150 byte proofsPolynomial commitmentsStateless nodes possible256-way branchingPedersen commitments

🌿 1. What are Verkle Trees?

📖 Plain English:A Verkle Tree is a new kind of tree data structure that uses advanced mathematics (polynomial commitments) instead of hashing to build proofs. The result is that proofs which were 15KB in Ethereum's current tree shrink to about 150 bytes — a 100× reduction — while still being cryptographically secure.

💡

In a normal Merkle tree, to prove one item exists, you need to include every "sibling" hash along the path. In a tree with 16 branches per node, each node has 15 siblings — that's 15 × 32 bytes = 480 bytes just per node, times 15 nodes = 7KB+. A Verkle tree replaces those sibling hashes with a single small "commitment" that covers ALL children at once. That commitment is ~32-48 bytes — smaller than ONE sibling hash in the old system.

The Name: Verkle = Vector + Merkle

The term was coined by John Kuszmaul at MIT. "Vector commitment" is the cryptographic primitive used instead of hashing, and it's combined with the tree structure of a Merkle tree. The paper was published in 2018 and Ethereum researchers (Vitalik Buterin, Dankrad Feist, and others) began adapting it for Ethereum state in 2021.

Merkle Patricia Trie (today)

• Proof = sibling hashes
• 16-way branching
• Proof size grows with tree width
• 5-15KB per account proof

Verkle Tree (future)

• Proof = polynomial evaluation proof
• 256-way branching
• Proof size independent of tree width
• ~150-200 bytes per account proof

🔐 2. Hash Commitments vs Polynomial Commitments

📖 Plain English:Both hashing and polynomial commitments are ways to "commit" to a set of values — meaning you produce a short summary that proves you know the full data, and lets others verify individual items. The key difference is in what you need to provide as proof.

Hash Commitments (used in Merkle trees)

💡

A hash commitment works like a fingerprint of all children combined. To prove one child is genuine, you must provide all the other children's fingerprints (siblings) so the verifier can recompute the parent fingerprint. More children = more siblings = bigger proof.

hash-commitment.txt

1// HASH COMMITMENT (Merkle Tree)
2// Parent node commits to 16 children by hashing them all:
3parent_hash = Hash(child_0 | child_1 | ... | child_15)
4
5// To PROVE child_3 is genuine:
6// Verifier needs:
7//   - value of child_3
8//   - hashes of child_0, child_1, child_2, child_4, ... child_15
9//     (all 15 OTHER children)
10// Verifier computes:
11//   recomputed = Hash(c0 | c1 | c2 | CHILD_3 | c4 | ... | c15)
12//   check: recomputed == parent_hash
13
14// Cost: 15 × 32 bytes = 480 bytes of proof data PER NODE
15// With 15 nodes in path: 15 × 480 = 7,200 bytes minimum
16// Plus RLP encoding overhead: 10-15KB total

Polynomial Commitments (used in Verkle trees)

💡

A polynomial commitment works like a magic box that holds 256 values, but produces a single 32-byte "commitment" that proves all 256 values. To prove one specific value, you produce a single 32-byte "proof of evaluation" that proves "at position 42, the value is X" — without revealing any other values. This proof is the same size regardless of whether the tree has 16 or 256 children.

polynomial-commitment.txt

1// POLYNOMIAL COMMITMENT (Verkle Tree — IPA/KZG scheme)
2//
3// SETUP (mathematical):
4// Think of 256 children as points on a polynomial curve:
5//   f(0) = child_0, f(1) = child_1, ..., f(255) = child_255
6// The "commitment" C is a compact encoding of this polynomial:
7//   C = commit(f)  → 32-48 bytes regardless of f's size
8//
9// To PROVE child_42 is genuine:
10// Prover produces an "evaluation proof":
11//   π = prove(f, 42, f(42))  → 32-48 bytes
12//
13// Verifier checks:
14//   verify(C, 42, child_42, π)  → true/false
15//
16// CRITICAL: π is the SAME SIZE regardless of the number of children!
17// 256 children → same 32-48 byte proof as 2 children
18// No sibling data needed at all
19//
20// Full proof for an account:
21// depth × (commitment + evaluation_proof) = depth × ~64 bytes
22// For depth 8: 8 × 64 = 512 bytes
23// Compare: Merkle depth 15: 15 × 480 = 7,200 bytes

Why this is revolutionary

📐

Width-independent proofs

In Merkle trees, proof size grows linearly with the number of children. In Verkle, it doesn't. Going from 16-way to 256-way branching costs ZERO extra proof bytes — but makes the tree much shallower.

🎯

Aggregate proofs

One polynomial commitment can prove multiple leaves from the same node simultaneously. A single proof can cover an account's balance, nonce, storage, and code — all at once.

🔒

Same security

Polynomial commitments (specifically IPA or KZG) are proven cryptographically secure under the discrete logarithm assumption — the same foundation as Elliptic Curve signatures used in Bitcoin and Ethereum.

🧮 3. Pedersen Commitments — The Math Made Simple

📖 Plain English:Ethereum's Verkle Tree uses a specific type of polynomial commitment called a Pedersen commitment with an Inner Product Argument (IPA). "Pedersen" is a cryptographer's name. You don't need to understand the math to use Verkle trees, but understanding the intuition helps you see why they work.

The Core Idea — Hiding a Number in a Point

💡

Elliptic curves are mathematical objects where you can do special arithmetic. One property is that multiplying a point P by a secret number k gives you another point Q = k × P. But given only Q and P, you cannot figure out k — this is the "discrete logarithm problem" and it's computationally impossible to crack (with current computers). Pedersen commitments use this to "hide" values inside points.

pedersen-intuition.txt

1// PEDERSEN COMMITMENT — Intuition (not exact code)
2//
3// Setup: we have fixed public elliptic curve points:
4//   G_0, G_1, G_2, ..., G_255  (256 "basis points", public)
5//
6// To commit to 256 values [v_0, v_1, ..., v_255]:
7//   C = v_0 × G_0 + v_1 × G_1 + ... + v_255 × G_255
8//
9// C is a single elliptic curve point — 32-48 bytes
10// It "encodes" all 256 values cryptographically
11//
12// BINDING: You cannot change any v_i without changing C
13// HIDING: C alone reveals nothing about individual values
14//
15// To prove "v_42 = X":
16// The IPA (Inner Product Argument) protocol lets you prove:
17//   "C commits to a polynomial f where f(42) = X"
18//   in O(log n) rounds, producing a proof of size O(log n)
19//
20// For n=256: log(256) = 8 rounds → proof is ~8 × 32 bytes = 256 bytes
21// vs Merkle: 255 sibling hashes × 32 bytes = 8,160 bytes
22//
23// The ratio: 8,160 / 256 ≈ 32× smaller just from this one node
24// Across the whole tree: 100× smaller overall

IPA vs KZG — Two Flavours

What it is: A proof system that proves "these two vectors, when multiplied together element-by-element and summed, give this value." Used to prove polynomial evaluations.
Trusted setup: No trusted setup needed. Security relies only on the discrete log problem.
Proof size: O(log n) — for 256 children, this is ~8 group elements = ~256 bytes per node in the path.
Verification cost: O(log n) scalar multiplications — fast on modern CPUs.
Why Ethereum chose IPA over KZG for Verkle: No trusted setup ceremony required. Simpler security assumptions.

🌲 4. Verkle Tree Structure

📖 Plain English:The Verkle tree proposed for Ethereum uses 256-way branching (each node has up to 256 children) instead of the current 16-way branching. This dramatically reduces tree depth — from ~15-20 levels down to ~4-8 levels. Shallower tree = fewer nodes per proof = smaller proof.

Key Layout Change: EIP-6800 Address Space

verkle-key-layout.ts

1// EIP-6800 defines a new key structure for Verkle trees:
2// Key = 32 bytes = stem (31 bytes) + suffix (1 byte)
3//
4// STEM identifies an account:
5stem = keccak256(address)[0:31]   // first 31 bytes of address hash
6// All data for ONE account shares the SAME stem!
7//
8// SUFFIX identifies what type of data:
9// suffix = 0  → account version
10// suffix = 1  → account balance
11// suffix = 2  → account nonce
12// suffix = 3  → code hash
13// suffix = 4  → code size
14// suffix = 64-127 → code chunks (contract bytecode)
15// suffix = 128-255 → storage slots 0-127
16
17// This is a HUGE change from current MPT:
18// Current: account metadata and storage are in SEPARATE tries
19//   → account trie + storage trie = 2 separate proofs
20// Verkle: account metadata AND nearby storage are in the SAME tree
21//   → one proof covers balance + nonce + first 128 storage slots
22
23// Example: proving Alice's balance
24// Current Ethereum: prove path in account trie (15KB)
25// Verkle: prove stem=hash(alice)[0:31], suffix=1 (~150 bytes)

Tree Depth Comparison

Ethereum MPT (current)

Branching

16-way

Tree Depth

15-20 levels

Proof Nodes

~15-20 nodes

Proof Size

5-15 KB

1M accounts

~2M nodes in tree

Verkle Tree (proposed)

Branching

256-way

Tree Depth

3-5 levels

Proof Nodes

3-5 commitments

Proof Size

~150-300 bytes

1M accounts

~4K nodes in tree (!)

Substrate Patricia Trie

Branching

Flexible (2-16)

Tree Depth

Variable

Proof Nodes

~10-15 nodes

Proof Size

2-8 KB

1M accounts

varies

Cosmos IAVL

Branching

2 (binary)

Tree Depth

~20 levels (log₂ n)

Proof Nodes

~20 hashes

Proof Size

3-8 KB

1M accounts

~1M nodes

Why 256-way branching works with Verkle but not Merkle

💡

In a Merkle tree, increasing branching from 16 to 256 would make proofs 16× larger (15 siblings → 255 siblings). In a Verkle tree, the proof stays the same size regardless of branching. So Verkle lets you choose 256-way branching purely for the tree depth benefit — shallower tree, shorter path, fewer commitments in the proof. Win-win.

📦 5. Why Proofs are 100× Smaller

proof-size-breakdown.txt

1// ETHEREUM MPT PROOF (current):
2// Path depth: ~15 nodes
3// Each node proof:
4//   - 15 sibling hashes × 32 bytes = 480 bytes
5//   - RLP length prefixes: ~20 bytes
6//   - Node type tag: ~5 bytes
7// Per node: ~505 bytes × 15 nodes = 7,575 bytes
8// Plus leaf value (RLP-encoded account): ~100-200 bytes
9// Total: 7,700 - 15,000 bytes (7-15KB)
10//
11// ─────────────────────────────────────────────────────
12//
13// VERKLE TREE PROOF (proposed):
14// Path depth: ~4 nodes
15// Each node proof:
16//   - 1 Pedersen commitment C: 32 bytes
17//   - 1 IPA evaluation proof π: 8 × 32 bytes = 256 bytes
18//     (IPA rounds: log₂(256) = 8 rounds)
19// But! IPA proofs AGGREGATE across nodes:
20//   - Total proof for full path: ~576 bytes (non-aggregated)
21//   - With aggregation across multiple keys: ~150-200 bytes/key
22//
23// The magic of aggregation:
24// When proving 10 leaves from the same block:
25// MPT: 10 × 10KB = 100KB of proof data
26// Verkle: ~10 × 150 + shared_parts ≈ 2-3KB total
27// Ratio: 100KB → 2-3KB = 33-50× better with aggregation

Proof Size Visual

Bitcoin Merkle

Binary tree, simple sibling hashes~1KB

Verkle (aggregated)

Polynomial evaluation proof~150B-500B

Substrate Trie

Patricia proof, SCALE encoded2-8KB

Cosmos IAVL

Binary Merkle + SHA2563-8KB

Ethereum MPT

16-way + RLP + branch bloat5-15KB

Solana

No global state proofsN/A

Bar length is proportional to proof size. Smaller bar = better.

🚀 6. Stateless Clients — The Game Changer

📖 Plain English:Today, to run a full Ethereum node, you must store the entire state (~800GB and growing). With Verkle trees and stateless clients, a node could validate every block without storing ANY state — just the block itself (with embedded proofs).

💡

Today's Ethereum node: "I need to store 800GB so I can look up any account state when processing a block."

Stateless Ethereum node: "When you send me a block, include the 150-byte proofs for every account touched by that block. I'll verify the proofs against the state root in the block header. I don't need to store anything!"

How Stateless Validation Works

Block producer includes "witnesses"

When a validator creates a block, they also generate Verkle proofs (called "witnesses") for every piece of state touched during block execution — balances read, storage slots accessed, code executed.

Witnesses are tiny (150 bytes each)

With Verkle proofs, witnesses are so small that adding them to a block adds only ~100-300KB of overhead even for a densely-packed block with thousands of state accesses.

Other nodes verify without storage

A receiving node only needs the block header (with state root) and the witnesses. It verifies each witness against the state root. If all check out, the block is valid — no local state lookup needed.

State root provides the anchor

The state root (32 bytes in the block header) is the anchor of trust. Any Verkle proof for any state item can be verified against this root. The root itself is verified via consensus.

Impact on Decentralisation

💻

Run a node on a laptop

A stateless node needs only the latest block + its witnesses (~300KB). It could run on a phone or browser extension.

🌍

More validators = more decentralised

Today, running a full node requires 8TB+ storage and 32GB RAM. Stateless nodes change this to requiring nearly no persistent storage.

⚡

Faster sync

New nodes don't need to download and verify 800GB of state. They just get the latest state root and start validating blocks with their witnesses.

📋 7. EIP-6800: Ethereum's Verkle Migration

● EIP ProposalTarget: Ethereum "Glamsterdam" or later upgrade (2025-2026)

📖 Plain English:EIP-6800 is the formal proposal to migrate Ethereum's state from the current Merkle Patricia Trie to a Verkle Tree. It's one of the most complex changes ever proposed for Ethereum because it requires migrating 100M+ accounts and their storage without interrupting the chain.

Key Changes in EIP-6800

New state structure● EIP Proposal

All account data (balance, nonce, code, storage) is reorganised into Verkle tree key-value pairs using the stem+suffix scheme. Account data and first 128 storage slots share the same stem — enabling single-proof coverage.

EIP-4762: Gas repricing● EIP Proposal

SLOAD and SSTORE opcodes get new gas costs based on Verkle witness costs. Accessing a slot in the same stem as the account is cheaper (already covered by account witness) than accessing a distant storage slot.

Migration strategy: overlay● Research Phase

Rather than a big-bang migration, Ethereum will use an overlay approach. New writes go to the Verkle tree immediately. Old accounts are migrated lazily (when first accessed after the fork). Full migration expected over 1-2 years.

EIP-2935: Historical block hashes● EIP Proposal

Stores recent block hashes in the Verkle state to allow smart contracts to access them via witness proofs rather than hard-coded BLOCKHASH opcode.

The Migration Challenge

migration-challenge.txt

1// CHALLENGE: Migrating ~200M state objects without downtime
2//
3// Current Ethereum state (as of 2024):
4// - ~180M accounts (incl. contracts)
5// - ~100B+ storage slots (mainly in large contracts)
6// - MPT has ~1.5B+ nodes in LevelDB
7//
8// Naive migration: hash all accounts → build Verkle tree
9// Time estimate: several days of downtime
10// → Completely unacceptable
11//
12// ACTUAL PLAN: Lazy/Overlay Migration
13// Phase 1: At fork block, NEW writes go to Verkle tree
14//           Old state remains in MPT temporarily
15//           Dual tree maintained briefly
16//
17// Phase 2: When old MPT account is FIRST ACCESSED after fork:
18//           → Migrate it to Verkle tree
19//           → Delete from MPT
20//           → Record that it was migrated
21//
22// Phase 3: After 1-2 years, assume all accessed accounts migrated
23//           Background process migrates remaining rarely-used accounts
24//           MPT retired entirely
25//
26// Risk: During dual-tree period, nodes must maintain both structures
27// Memory and storage overhead: ~50% during transition

✍️ 8. Write Cost Analysis

📖 Plain English:Verkle trees are significantly better for proofs and stateless clients, but writes are more expensive computationally than simple hash-based trees. The polynomial commitment operations (elliptic curve math) are heavier than SHA256 or Blake2b. This is a known trade-off.

write-cost.txt

1// WRITE COST COMPARISON (approximate)
2
3// Per-node write operations:
4
5Ethereum MPT (current):
6  keccak256(node data)         → ~30ns per call
7  RLP encoding                 → ~50ns per node
8  Total per node write:        → ~80-120ns
9
10Verkle Tree (proposed):
11  Pedersen commitment update   → ~2-5μs per node
12    (elliptic curve scalar mul)
13  IPA proof generation (prover)→ ~50-200ms for full block witness
14  Total per node write:        → ~2-6μs (25-50× slower than keccak)
15
16Substrate Patricia:
17  Blake2b-256(node)            → ~20ns per call
18  SCALE encoding               → ~20ns per node
19  Total per node write:        → ~40-60ns
20
21// KEY MITIGATION:
22// Write path (commitment update) and proof path (witness gen) are SEPARATE:
23// - Commitment update happens at each block end (~2-6μs/node × depth)
24//   → Acceptable: 10,000 state changes × 4 nodes deep × 4μs = 160ms
25//   → Current MPT: 10,000 × 15 nodes × 0.1μs = 15ms
26//   → Verkle write: ~10× slower than MPT
27//
28// - Witness generation (for stateless): only done by BLOCK PROPOSERS
29//   → Other nodes just verify witnesses (very fast, ~few ms)
30//   → Block proposers have extra time to generate witnesses

Write Cost Comparison (lower bar = better)

Substrate Trie (Blake2b)Blake2b ~20ns/hash

Bitcoin Merkle (SHA256)SHA256 ~25ns/hash

Ethereum MPT (keccak)keccak256 ~30ns/hash

Cosmos IAVL (SHA256+rotations)SHA256 + rebalancing

Verkle Tree (elliptic curve)~2-5μs/EC scalar mul

Relative cost per node write operation. Verkle writes are slower but the shallower tree (4 vs 15 levels) partially compensates.

💡

Verkle writes being 25× slower per-operation sounds bad — but because the tree is 4-5× shallower, you do 3× fewer operations per state change. Net result: block state update is roughly 8-10× slower than today. This is a known trade-off accepted because the stateless client benefits are so significant for decentralisation.

📊 9. All Storage Structures Compared

Property	Verkle	ETH MPT	Substrate	Cosmos IAVL	Bitcoin	Solana
Branching	256	16	2-16	2	2	None
Tree depth	3-5	15-20	~10-15	~20	~20	N/A
Proof type	Poly. commit.	Hash chain	Hash chain	Hash chain	Hash chain	N/A
Proof size	~150B	5-15KB	2-8KB	3-8KB	~1KB	N/A
Write cost	High (EC ops)	Medium	Low	Medium-High	Low	Very Low
Read cost	Fast (shallow)	Slow	Fast	Medium	Fast	Fastest
Stateless node	✅ Planned	❌	❌	❌	❌	N/A
History	Same as ETH	Archive only	Archive only	Built-in	No	N/A
Self-balancing	No	No	No	AVL ✅	No	N/A
Node storage (full)	~200GB*	~800GB	~100GB	~800GB+	~10GB	~100GB
Hash function	Pedersen/IPA	keccak256	Blake2b	SHA256	SHA256	SHA256
Encoding	Custom	RLP	SCALE	Protobuf	Custom	Custom
Aggregated proofs	✅	❌	❌	❌	❌	N/A

* Estimated once stateless, post-migration. Current full node still ~800GB.

⚖️ 10. Trade-offs & Challenges

✅ Advantages of Verkle Trees

100× smaller proofs

150 bytes vs 15KB — transforms what's possible for light clients

Stateless validation

Nodes can validate without storing state

Aggregated proofs

One proof covers multiple keys in the same node — free for common patterns

Shallower tree

256-way branching → 3-5 levels vs 15-20 — fewer DB lookups

Better for ZK proofs

Polynomial commitments work natively with ZK-SNARKs — synergy with ZK-rollups

⚠️ Challenges & Trade-offs

Write cost ~8-10× higher

Elliptic curve scalar multiplication is slow. Block production gets more compute-intensive.

Complex migration

Migrating 200M+ accounts without downtime is a massive engineering challenge. Dual-tree period adds overhead.

Cryptographic complexity

Pedersen commitments + IPA are much harder to implement correctly than SHA256 hashing. More attack surface.

Prover time for witnesses

Block proposers must generate Verkle witnesses in <12s (Ethereum block time). Requires efficient proof generation.

Quantum vulnerability

Elliptic curve discrete log is broken by quantum computers. Whereas SHA256 is only weakened (not broken). Long-term concern.

Is Verkle coming to Substrate or Cosmos?

Substrate / Polkadot● Research Phase

No current plans. Polkadot uses BEEFY bridges for cross-chain light clients, which uses a different approach (BLS signatures + Merkle). Substrate's existing trie design is already quite efficient for its use case.

Cosmos SDK● Research Phase

There are discussions about moving from IAVL to SMT (Sparse Merkle Tree) first as an intermediate step. Verkle is further ahead on the roadmap. IBC requires proofs, so Cosmos is very interested in smaller proofs — but the migration complexity is daunting.

Ethereum● Planned

EIP-6800 is actively developed by core researchers. Expected in a major Ethereum upgrade around 2025-2026. This is the most concrete Verkle deployment plan in production blockchains.

⏳ 11. Ethereum Verkle Rollout Timeline

✓

2018Verkle Trees paper

John Kuszmaul publishes "Verkle Trie for Ethereum State" at MIT.

✓

2021Ethereum research begins

Vitalik Buterin, Dankrad Feist propose adapting Verkle trees for Ethereum state.

✓

2022EIP-6800 drafted

Formal EIP written describing the Verkle transition. Detailed key layout (stem+suffix) specified.

✓

2023Testnet implementations

First Verkle test networks launched. Go-ethereum and Besu implement Verkle state. Performance benchmarks collected.

✓

2024Kaustinen testnets

Multiple Kaustinen test networks deployed with Verkle state. Cross-client compatibility tested. EIP-4762 gas repricing finalised.

○

2025Target: Fusaka or later upgrade

Verkle targeted for inclusion in a major Ethereum upgrade. Migration tooling and overlay strategy finalised. EIP-6800 expected to be included.

○

2025-2026Lazy migration period

Overlay migration runs: new writes to Verkle, old state migrated on access. Dual tree maintained.

○

2026+Full Verkle state

MPT retired. All state in Verkle. Stateless clients become practical. Light clients on mobile become reliable.

🎯 12. Final Summary

The Core Innovation

Verkle trees replace the core primitive from hashing to polynomial commitments. This single change unlocks proof aggregation, width-independent proof sizes, and eventually stateless client operation. It's not just an optimisation — it's a foundational redesign that changes what kind of clients can participate in the Ethereum network.

Proof size reduction

5-15KB

~150B

100× improvement

Tree depth

15-20 levels

3-5 levels

4-5× improvement

Full node size (future)

~800GB

~stateless

∞× improvement

One-Line Summaries

Verkle Trees

Replace SHA256 hashing with elliptic curve polynomial commitments to make proofs 100× smaller and enable stateless clients — a foundational upgrade that trades higher write cost for dramatically better proof generation, enabling mobile light clients and more decentralised validation.

Ethereum MPT (today)

Secure and battle-tested but heavy — 16-way branching with RLP encoding means 15KB proofs and 800GB full nodes. The Verkle transition is Ethereum's answer to these limitations.

Substrate Trie

High-throughput and compact — structured keys with SCALE encoding give good write performance and 2-8KB proofs. A pragmatic choice that doesn't need Verkle's complexity for its cross-chain model (Polkadot BEEFY).

Cosmos IAVL

Immutable versioning enables IBC light clients natively — but write amplification, storage bloat, and pruning complexity are real costs. Potential future migration to SMT or Verkle is discussed but not planned.