feat: Prepare protocol circuits for batch rollup

[MirandaWood]

First run at creating new rollup circuits for batch block proving (see this PR for details).

Please note the e2e tests will fail miserably as the circuits are not yet linked up to the sequencer/prover/L1! Pushing for visibility.

EDIT: Added support for verifying block-root proofs on L1. Though we don't currently have an L1 verifier (so tests would pass whatever public inputs we had), the method now accepts the new inputs until we have batch rollups integrated.

---

Changes complete:

• Rename root to block_root and change outputs
• Add block_merge circuit and associated types/structs
• Add new root circuit and associated types/structs (NB Github doesn't realise that old root -> block_root because of this new circuit, so the comparison is hard to read!)
• Added new tyes ^ to circuits.js and useful methods to bb-prover, circuit-types, and noir-protocol-circuits-types
• Made minor changes to prover-client (orchestrator.ts and block-building-helpers.ts) to use the new block_root public outputs
• Rollup.sol now verifies a block_root proof and stores blockHash

--
TODOs:

• When adding fees in a block_merge or root, merge fees with the same recipient - Miranda
• Edit publisher and L1 to accept a block_root proof with new public inputs (for testing, so e2es will pass) Complete!
• Teach the prover/sequencer to prove many blocks and submit a root proof - Miranda + Phil's team?
• Make final L1 changes to verify batch proofs - Complete! Currently not tested with real solidity verifier, but bb verifier passes

[MirandaWood]

Not mentioned in engineering-designs doc - added the vk tree root to check for allowed circuits in future.

[MirandaWood]

This file is mostly just a renamed version of current root_rollup_inputs, with these outputs as the main change.

[MirandaWood]

Removed this as it is a duplicate of the above test (cleaning up)

[MirandaWood]

Removed this code as it's unused and has been since I added this comment (March?)

[MirandaWood]

This file is just the old root_rollup_inputs renamed - the below tests/root_rollup_inputs is a new file.

[MirandaWood]

Unsure whether the new circuits should use this.wasmSimulator or this.simulationProvider? Used wasmSimulator to match with merge for now.

[spalladino]

Given block root rollup is similar to the old root rollup, and that one used wasm, I'd stick with that one. Eventually we should build a NAPI/FFI interface for the simulator as well as for bb...

[github-actions]

Changes to circuit sizes

Generated at commit: 26561e686ce4430fc0b8ed9ef40e18435aaf4595, compared to commit: dcfd12019fbe8e443c5d162876c960a7062164af

🧾 Summary (100% most significant diffs)

Program	ACIR opcodes (+/-)	%	Circuit size (+/-)	%
rollup_root	+17,444 ❌	+2344.62%	-1,309,633 ✅	-32.33%

---

Full diff report 👇

Program	ACIR opcodes (+/-)	%	Circuit size (+/-)	%
rollup_root	18,188 (+17,444)	+2344.62%	2,741,553 (-1,309,633)	-32.33%

[AztecBot]

Benchmark results

Metrics with a significant change:

• avm_simulation_time_ms (Token:transfer_public): 20.4 (-37%)

Detailed results

All benchmarks are run on txs on the Benchmarking contract on the repository. Each tx consists of a batch call to create_note and increment_balance, which guarantees that each tx has a private call, a nested private call, a public call, and a nested public call, as well as an emitted private note, an unencrypted log, and public storage read and write.

This benchmark source data is available in JSON format on S3 here.

Proof generation

Each column represents the number of threads used in proof generation.

Metric	1 threads	4 threads	16 threads	32 threads	64 threads
proof_construction_time_sha256_ms	5,771	1,565	717 (+1%)	777 (+2%)	779 (+1%)
proof_construction_time_sha256_30_ms	11,534	3,090	1,370 (-1%)	1,439	1,460 (-1%)
proof_construction_time_sha256_100_ms	44,158	11,834	5,415	5,489 (+2%)	5,646 (-1%)
proof_construction_time_poseidon_hash_ms	79.0	34.0	34.0	56.0 (-5%)	87.0 (-1%)
proof_construction_time_poseidon_hash_30_ms	1,534	424	202 (-1%)	233 (+1%)	267
proof_construction_time_poseidon_hash_100_ms	5,662	1,518	672 (-1%)	717 (-1%)	751

L2 block published to L1

Each column represents the number of txs on an L2 block published to L1.

Metric	4 txs	8 txs	16 txs
l1_rollup_calldata_size_in_bytes	4,356 (+1%)	7,876	14,884
l1_rollup_calldata_gas	50,196 (+1%)	92,902 (+1%)	178,120
l1_rollup_execution_gas	1,396,447 (+2%)	2,130,049 (+1%)	3,915,323 (+1%)
l2_block_processing_time_in_ms	241 (-2%)	441 (+2%)	799 (-2%)
l2_block_building_time_in_ms	8,929 (-2%)	17,434	34,821 (-1%)
l2_block_rollup_simulation_time_in_ms	8,928 (-2%)	17,434	34,821 (-1%)
l2_block_public_tx_process_time_in_ms	7,531 (-2%)	15,927	33,281 (-1%)

L2 chain processing

Each column represents the number of blocks on the L2 chain where each block has 8 txs.

Metric	3 blocks	5 blocks
node_history_sync_time_in_ms	2,973 (+2%)	3,825 (+3%)
node_database_size_in_bytes	12,669,008	16,691,280
pxe_database_size_in_bytes	16,254	26,813

Circuits stats

Stats on running time and I/O sizes collected for every kernel circuit run across all benchmarks.

Circuit	simulation_time_in_ms	witness_generation_time_in_ms	input_size_in_bytes	output_size_in_bytes	proving_time_in_ms
private-kernel-init	90.3 (+2%)	379 (-8%)	21,755	44,860	N/A
private-kernel-inner	167 (+1%)	687 (-2%)	72,566	45,007	N/A
private-kernel-reset-tiny	458 (-1%)	839 (-3%)	65,675	44,846	N/A
private-kernel-tail	195 (-1%)	156 (-1%)	50,686	52,257	N/A
base-parity	5.53 (-1%)	N/A	160	96.0	N/A
root-parity	35.0 (-1%)	N/A	73,948	96.0	N/A
base-rollup	2,739 (-1%)	N/A	189,136	664	N/A
block-root-rollup	40.9	N/A	58,205	2,448	N/A
public-kernel-setup	81.9 (-4%)	N/A	105,085	71,222	N/A
public-kernel-app-logic	95.0	N/A	104,911	71,222	N/A
public-kernel-tail	550 (-1%)	N/A	410,534	16,414	N/A
private-kernel-reset-small	455 (-1%)	N/A	66,341	45,629	N/A
private-kernel-tail-to-public	1,480 (+6%)	621 (-4%)	460,796	1,825	N/A
public-kernel-teardown	81.3 (-2%)	N/A	105,349	71,222	N/A
merge-rollup	20.0	N/A	38,174	664	N/A
undefined	N/A	N/A	N/A	N/A	80,947 (+2%)

Stats on running time collected for app circuits

Function	input_size_in_bytes	output_size_in_bytes	witness_generation_time_in_ms
ContractClassRegisterer:register	1,344	11,731	346 (+1%)
ContractInstanceDeployer:deploy	1,408	11,731	18.0 (-2%)
MultiCallEntrypoint:entrypoint	1,920	11,731	405
FeeJuice:deploy	1,376	11,731	396 (+2%)
SchnorrAccount:constructor	1,312	11,731	73.6 (-3%)
SchnorrAccount:entrypoint	2,304	11,731	414
Token:privately_mint_private_note	1,280	11,731	100 (-6%)
FPC:fee_entrypoint_public	1,344	11,731	27.6 (-6%)
Token:transfer	1,312	11,731	231 (-1%)
Benchmarking:create_note	1,344	11,731	89.0
SchnorrAccount:verify_private_authwit	1,280	11,731	27.3
Token:unshield	1,376	11,731	520
FPC:fee_entrypoint_private	1,376	11,731	705 (+2%)

AVM Simulation

Time to simulate various public functions in the AVM.

Function	time_ms	bytecode_size_in_bytes
FeeJuice:_increase_public_balance	56.7 (+1%)	7,739
FeeJuice:set_portal	9.79 (+1%)	2,354
Token:constructor	80.3 (+3%)	26,051
FPC:constructor	53.2 (-1%)	18,001
FeeJuice:mint_public	41.6 (+6%)	5,877
Token:mint_public	45.0 (-1%)	10,917
Token:assert_minter_and_mint	65.5 (-1%)	7,512
AuthRegistry:set_authorized	37.6 (-20%)	4,391
FPC:prepare_fee	221 (-4%)	7,043
Token:transfer_public	⚠️ 20.4 (-37%)	39,426
FPC:pay_refund	50.6 (-13%)	10,234
Benchmarking:increment_balance	930 (-1%)	6,563
Token:_increase_public_balance	40.4	8,433
FPC:pay_refund_with_shielded_rebate	65.1 (+2%)	10,783

Public DB Access

Time to access various public DBs.

Function	time_ms
get-nullifier-index	0.162 (+3%)

Tree insertion stats

The duration to insert a fixed batch of leaves into each tree type.

Metric	1 leaves	16 leaves	64 leaves	128 leaves	256 leaves	512 leaves	1024 leaves
batch_insert_into_append_only_tree_16_depth_ms	2.17 (-1%)	3.87	N/A	N/A	N/A	N/A	N/A
batch_insert_into_append_only_tree_16_depth_hash_count	16.8	31.7	N/A	N/A	N/A	N/A	N/A
batch_insert_into_append_only_tree_16_depth_hash_ms	0.112 (-1%)	0.109	N/A	N/A	N/A	N/A	N/A
batch_insert_into_append_only_tree_32_depth_ms	N/A	N/A	11.4 (-1%)	17.8 (-1%)	30.4 (-1%)	58.8	112 (-2%)
batch_insert_into_append_only_tree_32_depth_hash_count	N/A	N/A	95.9	159	287	543	1,055
batch_insert_into_append_only_tree_32_depth_hash_ms	N/A	N/A	0.110 (-1%)	0.103	0.0987 (-1%)	0.101	0.100 (-1%)
batch_insert_into_indexed_tree_20_depth_ms	N/A	N/A	14.4	25.2 (-3%)	43.5	82.7	160
batch_insert_into_indexed_tree_20_depth_hash_count	N/A	N/A	109	207	355	691	1,363
batch_insert_into_indexed_tree_20_depth_hash_ms	N/A	N/A	0.109	0.102 (-3%)	0.105	0.102	0.100
batch_insert_into_indexed_tree_40_depth_ms	N/A	N/A	16.3 (-1%)	N/A	N/A	N/A	N/A
batch_insert_into_indexed_tree_40_depth_hash_count	N/A	N/A	132	N/A	N/A	N/A	N/A
batch_insert_into_indexed_tree_40_depth_hash_ms	N/A	N/A	0.104 (-1%)	N/A	N/A	N/A	N/A

Miscellaneous

Transaction sizes based on how many contract classes are registered in the tx.

Metric	0 registered classes	1 registered classes
tx_size_in_bytes	64,779	668,997

Transaction size based on fee payment method

| Metric | |
| - | |

[spalladino]

Looks great!!

[spalladino]

Didn't know that Noir handled array equality, nice!

[spalladino]

Given block root rollup is similar to the old root rollup, and that one used wasm, I'd stick with that one. Eventually we should build a NAPI/FFI interface for the simulator as well as for bb...

[MirandaWood]

Added a first impl of verifyRootProof for future use, but couldn't compile the contract due to stack too deep error. We don't currently use it and don't have the full capabilities in ts/sol to use it anyway, so I commented it out. I can also remove it and add back in future so we have cleaner code!

[LHerskind]

How long do you expect it to be like this? I don't really like having a big bunch of uncommented code as it often end up just being distracting when reading through the code or something that is broken when one finally tries to un-comment it because things have changes and it have been standing still 🤷

[MirandaWood]

I agree - not sure on when. We will use it when batch rollups are fully integrated (the main part of the work will be editing the sequencer/orchestrator code, which is under Phil's team) after provernet is up. The logic follows from the other verify function pretty clearly so can remove for now for cleanliness.

[MirandaWood]

This is pretty messy (sorry) for a few reasons:

• As commented in a few places in the code, it would be a big change to extract and input the previousBlockHash for a block-root circuit (it's not used now, but required for batch rollups, but the prover doesn't 'know' yet about blocks that came before it AFAIK). For now, I've set it to 0 and it originates in block-building-helpers. When merge-root is used, it will check that left.end_block_hash == right.previous_block_hash. The very first previous_block_hash will be bubbled up to the final root where it will be checked on L1, but maybe the other checks (archive, block numbers, etc.) are sufficient?
• The plan (as in this doc) is to move archive membership to L1. In this PR, membership is assured as block hashes are added to the (pedersen) archive tree in the block-root circuit to find the new archive root, so for now adding a membership check would be an unnecessary and high gas cost change.

[LHerskind]

We are currently storing the archive in the BlockLog to support non-sequential proving, and as we needed it as input to the proof validation anyway.

If we are going the "TxObjects" direction (meeting Thursday) we won't have the archive at that point, and it will instead make sense for us to store the BlockHash as we need something to sign over for the committee anyway.

With that change, you don't need the membership check here as it would simply be reading the values and checking directly against those instead.

Shortterm, I think a fine approach to get the logic down would be to extend BlockLog with the hash, and then you can simple read those or perform the check similarly to the archive checks.

[MirandaWood]

Thanks for the suggestion, have added blockHash to BlockLog!

[MirandaWood]

This test is currently unused (it fails on master as it's not linked up to any Honk L1 verifier) - I changed it so yarn build didn't complain about incorrect inputs.

[LHerskind]

Adding a few comments just for the solidity part. I think we can solve some of it the "easy" way here (blockhashes) as we will need to deal with that as part of validator client and tx effects -> public call. So introducing a little early to avoid your membership checks seems worthwhile.

[LHerskind]

How long do you expect it to be like this? I don't really like having a big bunch of uncommented code as it often end up just being distracting when reading through the code or something that is broken when one finally tries to un-comment it because things have changes and it have been standing still 🤷

[LHerskind]

We are currently storing the archive in the BlockLog to support non-sequential proving, and as we needed it as input to the proof validation anyway.

If we are going the "TxObjects" direction (meeting Thursday) we won't have the archive at that point, and it will instead make sense for us to store the BlockHash as we need something to sign over for the committee anyway.

With that change, you don't need the membership check here as it would simply be reading the values and checking directly against those instead.

Shortterm, I think a fine approach to get the logic down would be to extend BlockLog with the hash, and then you can simple read those or perform the check similarly to the archive checks.

[spalladino]

Awesome work

[spalladino]

Heads up you'll need to tweak the SUPPORTED_SIGS in eth_log_handlers if you change this. We should derive those dynamically from the abi instead of hardcoding them, so we don't forget to update them whenever we change the Rollup.sol interface.

[MirandaWood]

Thanks, saved me lots of debugging time!

[spalladino]

I'd try to get this 6 into constants.sol, or at least into a constant in HeaderLib

[spalladino]

Actually, shouldn't it be 9?

[MirandaWood]

It starts at 6 because:

• PIs 0-5 are are the old archive, new archive, and block hash
• PIs 6-14 are the 'start global variables' (filled by publicInputs[i + 6] above)
• PIs 15-23 are the 'end global variables' (filled by publicInputs[globalVariablesFields.length +i+ 6] above)

Basically, we have one block rather than a range so the pair of global variables are the same. I'm just using one loop to append them both.
I was thinking rather than hardcode indices I could just use some offset and increment it with each push, to avoid any errors if anything changes?

[spalladino]

Ah got it, my bad!

[spalladino]

😢

[spalladino]

Given the current goal of reducing constraints, maybe it's best to not accumulate fees for the same recipient and just concatenate for now, until we build it the unconstrained way?

[spalladino]

Nah

[spalladino]

Hmm where are we validating that the timestamp of the first block in the epoch is greater than the timestamp of the last block in the previous epoch? Feels like I may have missed that in the design.

[spalladino]

Should we be rehydrating that previous header using the previousBlockhash inside the circuit to make that check?

[spalladino]

Actually, should we be rehydrating that header to make the assert_prev_block_rollups_follow_on_from_each_other check to ensure both epochs "glue" together correctly?

[MirandaWood]

Yep correct - we are not currently checking the timestamp of last block in prev epoch vs first block in new epoch. Imho assert_prev_block_rollups_follow_on_from_each_other wouldn't be the best place as there we are checking two groups of blocks that will end up in a single epoch together. Checking the 'first' timestamp would be wasted gates most of the time.
I think we could either:

• As you suggest, recreate the previous block's header using previousBlockhash inside the final root circuit and check there, or
• Check it on L1

I don't fully understand the new getTimestampForSlot code in Rollup.sol, but using that we can gather the start timestamp of the current epoch and the end timestamp of the previous without adding extra PIs.

[spalladino]

As you suggest, recreate the previous block's header using previousBlockhash inside the final root circuit and check there, or

I'd go with this one in order to save L1 gas. But we can push this for another PR, so this one doesn't keep growing.

[alexghr]

Orchestrator/prover changes look good to me 👍

[alexghr]

AAAhhh!

[alexghr]

Is it possible for the verification keys to be different?
LE: aaahhh.. wonky rollups?

[MirandaWood]

Yep exactly! Am leaving it to be flexible in case we want wonkiness from block-root up to root. If we always want a balanced tree (e.g. always 32 block roots per root), this can become one vk.

[alexghr]

Hm, do we need optional chaining here? The compiler should be able to infer that the merge data objects are defined based on the if statement above.

[MirandaWood]

Good point! Think it was leftover from copying to a new fn. Will remove the ?s

[LeilaWang]

Circuit-side looks good to me!