|
| 1 | +Generating a proof for the valid processing of a single batch requires multiple inputs. |
| 2 | + |
| 3 | +In addition to the data from each transaction in the processed batch, other inputs are necessary to ensure the network's overall security. |
| 4 | + |
| 5 | +For example, some inputs need to be sent to the smart contract. |
| 6 | + |
| 7 | +Central to generation of proofs and their verification are the verifier smart contract and the prover, as well as their interaction. |
| 8 | + |
| 9 | +This document, therefore, explores what the prover transmits to the verifier smart contract and why. |
| 10 | + |
| 11 | +In the zkEVM context, the focus is on generating _succinct_[^1] proofs rather than privacy concerns. |
| 12 | + |
| 13 | +Consequently, L2 transactions and L2 state data are public. |
| 14 | + |
| 15 | +We therefore delve into the initial design of the proving system, which operates without private inputs. |
| 16 | + |
| 17 | +## Public inputs |
| 18 | + |
| 19 | +Recall that the prover generates a proof, and sends the proof and an array of public inputs, denoted by $\texttt{[publics]}$ to the smart contract. The figure below depicts this. |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +The public inputs consist of the following data: |
| 24 | + |
| 25 | +- `batchData` which is the data of all the L2 transactions in the batch being proved. |
| 26 | + |
| 27 | +- `currentStateRoot` referring to the current L2 state root. |
| 28 | + |
| 29 | +- `proverAccount` which is the prover's account due to receive rewards. This account is attached to the proof so as to avoid successful plagiariasm of the proof. |
| 30 | + |
| 31 | +- `timestamp` specifies the time at which the proof was generated. |
| 32 | + |
| 33 | +- `forkId` is the current version of the L2 EVM being used. |
| 34 | + |
| 35 | +- `chainId` is the identifier of the chain for which the proof is being generated. The protocol is designed with the capability to host multiple layer 2 networks. |
| 36 | + |
| 37 | +The public output of this process is a new L2 state root, denoted by `newStateRoot`. |
| 38 | + |
| 39 | +The prover does not send all these public inputs to the L1 smart contract. Some inputs are already stored in the contract. These include: `currentStateRoot`, `forkId`, and `chainId`. |
| 40 | + |
| 41 | +The rest of the inputs need to be included in the `calldata` of the transaction sent to the L1’s smart contract. That is, `batchData`, `timestamp`, `newStateRoot`. |
| 42 | + |
| 43 | +Since the `proverAccount` is included in the L1 transaction’s signature, it need not be explicitly provided. |
| 44 | + |
| 45 | +Finally, the prover also sends the proof of correct execution of all L2 transactions within the batch. |
| 46 | + |
| 47 | + |
| 48 | +[^1]: The term [_succinct_](https://www.di.ens.fr/~nitulesc/files/Survey-SNARKs.pdf) refers to the size of the proof being very small compared to the size of the statement or the witness (i.e., the size of the computation itself). |
0 commit comments