Credits: Dankrad’s post on verkle tries
Verkle Trees is one of the big change that is going to be included in the Ethereum protocol towards its push to weak statelessness. There are much better resources to understand the reasoning behind going for statelessness.
In a Verkle trie, inner nodes are $d$ary vector commitments to their children instead of hashes like a merkle trie. The root of a leaf is hash of the (key, value) pair, and root of an inner node is hash of the vector commitment. So, naively to prove value of a leaf, you only require $g_{d}n−1$ values.
 tree of some depth $d$
 to prove leaf node $x→y$
 need $(d−1)g_{d}n$ proofs/hashes to prove a leaf in case of merkle trees
 But for verkle tries, proofs are in terms of vector commitments i.e. $f(z_{i})=y_{i}$. Polynomial commitments most efficient and simple vector commitments
 thus require, $g_{d}n−1$ commitments and proofs
 each commitments would me in terms of a polynomial, $f_{i}(X)$ where commitment $C_{i}=[f_{i}(s)]_{1}$
 domain in terms of $ω$, i.e. $d$th root of unity.
But fortunately in case of polynomial commitments, instead of giving commitment and proof for each level, we can combine the proof and give a multiproof that convinces the verifier that value of a leaf node is indeed what we want to prove. Following is the steps of a scheme that generate multiproof using random evaluation.
Proof
Given $m$ commitments $C_{i}=[f_{i}(s)]_{1}$, prove evaluations $f_{i}(z_{i})=y_{i}$ where $z_{i}∈{ω_{i}}$ and $ω$ is a $d$th root of unity.

Generate $r←H(C_{0},…,C_{m−1},y_{0},…,y_{m−1},z_{0},…,z_{m−1})$

Prover encode all proofs in a polynomial $g(X)=r_{0}X−z_{0}f_{0}(X)−y_{0} +r_{1}X−z_{1}f_{1}(X)−y_{1} +…+r_{m−1}X−z_{m−1}f_{m−1}(X)−y_{m−1} $
Now, we just have to prove that $g(X)$ is indeed a valid polynomial (not a rational function). This can be done by committing to this polynomial $D$, evaluating it at a random point $t$ and verifier verifying it.

Prover create a commitment $D=[g(s)]_{1}$

evaluate $g(X)$ at point $t$, where $t←H(r,D)$
$g(t)=g_{1}(t)i=0∑m−1 r_{i}t−z_{i}f_{i}(t) −g_{2}(t)i=0∑m−1 r_{i}t−z_{i}y_{i} $

$y=g_{2}(t)$ can be computed by verifier as all the inputs are known

$h(X)=∑_{i=0}r_{i}t−z_{i}f_{i}(X) $ ⇒ $E=[h(s)]_{1}=∑_{i=0}t−z_{i}r_{i} C_{i}$ can also be computed by verifier

Prover gives the proof $π=[(h(s)−g(s)−y)/(s−t)]_{1}$

Verifier verifies via $e(E−D−[y]_{1},[1]_{2})=e(π,(s−t)_{2})$
This allows us to prove an arbitrary number of evaluations.
 Proof is also constant size (one commitment $D$, one number $t$, two proofs).
 $x_{i}$, $z_{i}$ values do not need to be explicitly provided
 Only leaves keys and values, and corresponding commitment to each level are required
 For $n=2_{30}$ and $d=2_{10}$, the average depth comes out to be $3$.
Design Goals
 Cheaper access to neighbouring code chunks and storage slots to prevent thrashing
 distribute data as evenly as possible in the tree
 Fast in SNARKs
 Forward compatible, i.e. interface should be pure (key, value) pair of 32 bytes.
Reasoning for Pedersen Commitments
Now, there are two commitment schemes that can be used for vector commitments.
 KZG Polynomial commitments
 Pedersen Vector commitments + IPA (Inner Product Arguments)
Ethereum has decided to go with Pedersen commitments citing following advantages:
 No trusted setup
 Everything can be done inside a SNARK as well
 Developed new curve (Bandersnatch) that “fits inside” BLS12_381 (outer field = curve order)
 Future proof for witness compression and zkrollups
Disadvantage: Not as efficient for proving a single witness. But this is not very important to us.
Changes in Tree Structure
Verkle Trees introduces a number of changes in the tree structure.
 Shifting from 20 bytes keys to 32 bytes
 tree width from hexary to 256
 vector commitments instead of hashes
 merge of account and storage tries
 gas changes