ZK Verification of the State Transition Function
ZK Verification Design
We verify the state transition function with a zkVM built on OpenVM. OpenVM enables on-chain verification of a Rust implementation of the keystore state transition function, with additional intrinsics implemented as OpenVM VM extensions.
The ZK verification proof has the following public inputs and outputs:
- bytes32 oldStateRoot: The old state root before the state transition function is applied.
- bytes32 oldWithdrawalsRoot: The old withdrawal root before the state transition function is applied.
- uint256 oldSequencerBatchIndex: The index of the most recent sequencer batch included in oldStateRoot and oldWithdrawalsRoot.
- uint256 oldL1BatchIndex: The index of the most recent L1 batch included in oldStateRoot and oldWithdrawalsRoot.
- bytes32 targetSequencerBatchCommitment: The final sequencer batch commitment included in the updated L1 data being processed in the state transition function.
- bytes32 targetL1BatchCommitment: The final L1 batch commitment included in the updated L1 data being processed in the state transition function.
- bytes32 newStateRoot: The new state root after the state transition function is applied.
- bytes32 newWithdrawalsRoot: The new withdrawal root after the state transition function is applied.
- address rewardAddress: The address to which the prover reward is given.
The ZK verification proof verifies the following version of the state transition function:
Applying the state transition function to rollup data committed to in targetSequencerBatchCommitment and targetL1BatchCommitment and the rollup state committed to in oldStateRoot and oldWithdrawalsRoot based on sequencer batches up to index oldSequencerBatchIndex and L1 batches up to index oldL1BatchIndex results in the rollup state committed to in newStateRoot and newWithdrawalsRoot.
Reading L1 state
For certain operations within the state transition function, it is necessary to read variables from the L1 state, such as gas and blob fee data. While a sequencer can directly query an L1 node for this data for preconfirmations, verifying the STF in ZK requires a root of trust for the L1 state which commits to the desired data. We use the beacon block root as this root of trust, as it commits to all L1 state back to the Capella hard fork.
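To illustrate what "commits to" means here, the following added example (not code from this project, whose actual proof path is not described on this page) checks a field of a beacon block header against the beacon block root with the SSZ Merkle branch check from the Ethereum consensus spec. The header values are constructed, and prove and body_root_is_committed are hypothetical helper names. Data deeper in the block, such as fee fields in the execution payload, is reached by chaining further branches of the same form.

```python
import hashlib

ZERO = b"\x00" * 32

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def header_leaves(slot, proposer_index, parent_root, state_root, body_root):
    """SSZ chunks of a BeaconBlockHeader: 5 fields padded to 8 leaves."""
    def u64(n):  # uint64 is little-endian, right-padded to a 32-byte chunk
        return n.to_bytes(8, "little").ljust(32, b"\x00")
    return [u64(slot), u64(proposer_index), parent_root, state_root,
            body_root, ZERO, ZERO, ZERO]

def prove(leaves, index):
    """Return (root, branch); branch[d] is the sibling d levels above the leaf."""
    branch, layer = [], leaves
    while len(layer) > 1:
        branch.append(layer[index ^ 1])
        layer = [sha256(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
        index >>= 1
    return layer[0], branch

def is_valid_merkle_branch(leaf, branch, depth, index, root):
    """Recompute the root from the leaf and its siblings (consensus-spec check)."""
    if len(branch) != depth:
        return False
    value = leaf
    for i in range(depth):
        if (index >> i) & 1:   # node is a right child: sibling goes first
            value = sha256(branch[i] + value)
        else:                  # node is a left child: sibling goes second
            value = sha256(value + branch[i])
    return value == root

# Constructed sample header (values are not from any real block).
PARENT_ROOT = sha256(b"constructed parent root")
STATE_ROOT = sha256(b"constructed state root")
BODY_ROOT = sha256(b"constructed body root")
LEAVES = header_leaves(9_000_000, 42, PARENT_ROOT, STATE_ROOT, BODY_ROOT)
BODY_INDEX, DEPTH = 4, 3  # body_root is field 4; 8 leaves give depth 3
BLOCK_ROOT, BODY_BRANCH = prove(LEAVES, BODY_INDEX)

def body_root_is_committed(claimed_body_root: bytes) -> bool:
    """True only if the claim is the body_root under the trusted BLOCK_ROOT."""
    return is_valid_merkle_branch(claimed_body_root, BODY_BRANCH, DEPTH,
                                  BODY_INDEX, BLOCK_ROOT)
```

A claimed value that differs from the committed one, or a correct value presented at the wrong field index, recomputes to a different root and is rejected.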
Open-Source Dependencies
The ZK verification of the state transition function is done using OpenVM, a performant and modular zkVM framework built for customization and extensibility. OpenVM is open-source and developed by contributors including Axiom, Scroll, and other individuals. It uses the following open-source dependencies:
- Plonky3: A modular toolkit for building ZK proof systems. It was developed by Polygon Zero and has been audited.
- halo2: A widely used elliptic-curve-based ZK proof system, which is deployed in production by teams including Axiom, Scroll, and Taiko. This also uses the following open-source libraries built on top of halo2:
  - halo2-lib: A core library for halo2 circuits developed by Axiom. This library is audited and used across the ZK ecosystem, including in production by Axiom and Scroll.
  - snark-verifier: A core library for proof aggregation in halo2 developed by Privacy & Scaling Explorations (PSE) and modified by Axiom. This library is audited and used across the ZK ecosystem, including in production by Axiom, Scroll, and Taiko.