feat: Prepare protocol circuits for batch rollup

l1-contracts/src/core/Rollup.sol

@@ -166,6 +166,8 @@ contract Rollup is Leonidas, IRollup {
   /**
    * @notice  Submit a proof for a block in the pending chain
    *
+   * @dev     TODO(#7346): Verify root proofs rather than block root when batch rollups are integrated.
+   *
    * @dev     Will call `_progressState` to update the proven chain. Notice this have potentially
    *          unbounded gas consumption.
    *
@@ -184,13 +186,19 @@ contract Rollup is Leonidas, IRollup {
    *
    * @param  _header - The header of the block (should match the block in the pending chain)
    * @param  _archive - The archive root of the block (should match the block in the pending chain)
+   * @param  _proverId - The id of this block's prover
+   * _previousBlockHash - The poseidon hash of the previous block (should match the value in the previous archive tree)
+   * @param  _currentBlockHash - The poseidon hash of this block (should match the value in the new archive tree)
    * @param  _aggregationObject - The aggregation object for the proof
    * @param  _proof - The proof to verify
    */
-  function submitProof(
+  function submitBlockRootProof(
     bytes calldata _header,
     bytes32 _archive,
     bytes32 _proverId,
+    // TODO(#7246): Prev block hash unchecked for single blocks, should be checked for batch rollups. See block-building-helpers.ts for where to inject.
+    // bytes32 _previousBlockHash,
+    bytes32 _currentBlockHash,
     bytes calldata _aggregationObject,
     bytes calldata _proof
   ) external override(IRollup) {
@@ -213,23 +221,66 @@ contract Rollup is Leonidas, IRollup {
       revert Errors.Rollup__InvalidProposedArchive(expectedArchive, _archive);
     }
 
-    bytes32[] memory publicInputs =
-      new bytes32[](4 + Constants.HEADER_LENGTH + Constants.AGGREGATION_OBJECT_LENGTH);
-    // the archive tree root
-    publicInputs[0] = _archive;
+    // TODO(#7346): Currently verifying block root proofs until batch rollups fully integrated.
+    // Hence the below pub inputs are BlockRootOrBlockMergePublicInputs, which are larger than
+    // the planned set (RootRollupPublicInputs), for the interim.
+    // Public inputs are not fully verified (TODO(#7373))
+
+    bytes32[] memory publicInputs = new bytes32[](
+      Constants.BLOCK_ROOT_OR_BLOCK_MERGE_PUBLIC_INPUTS_LENGTH + Constants.AGGREGATION_OBJECT_LENGTH
+    );
+
+    // From block_root_or_block_merge_public_inputs.nr: BlockRootOrBlockMergePublicInputs.
+    // previous_archive.root: the previous archive tree root
+    publicInputs[0] = expectedLastArchive;
+    // previous_archive.next_available_leaf_index: the previous archive next available index
+    publicInputs[1] = bytes32(header.globalVariables.blockNumber);
+
+    // new_archive.root: the new archive tree root
+    publicInputs[2] = expectedArchive;
     // this is the _next_ available leaf in the archive tree
     // normally this should be equal to the block number (since leaves are 0-indexed and blocks 1-indexed)
     // but in yarn-project/merkle-tree/src/new_tree.ts we prefill the tree so that block N is in leaf N
-    publicInputs[1] = bytes32(header.globalVariables.blockNumber + 1);
-
-    publicInputs[2] = vkTreeRoot;
-
-    bytes32[] memory headerFields = HeaderLib.toFields(header);
-    for (uint256 i = 0; i < headerFields.length; i++) {
-      publicInputs[i + 3] = headerFields[i];
+    // new_archive.next_available_leaf_index: the new archive next available index
+    publicInputs[3] = bytes32(header.globalVariables.blockNumber + 1);
+
+    // TODO(#7346): Currently previous block hash is unchecked, but will be checked in batch rollup (block merge -> root).
+    // block-building-helpers.ts is injecting as 0 for now, replicating here.
+    // previous_block_hash: the block hash just preceding this block (will eventually become the end_block_hash of the prev batch)
+    publicInputs[4] = bytes32(0);
+
+    // TODO(#7346): Move archive membership proof to contract?
+    // verifyMembership(archivePath, _previousBlockHash, header.globalVariables.blockNumber - 1, expectedLastArchive)
+
+    // end_block_hash: the current block hash (will eventually become the hash of the final block proven in a batch)
+    publicInputs[5] = _currentBlockHash;
+
+    // TODO(#7346): Move archive membership proof to contract?
+    // Currently archive root is updated by adding the new block hash inside block-root circuit.
+    // verifyMembership(archivePath, _currentBlockHash, header.globalVariables.blockNumber, expectedArchive)
+
+    // For block root proof outputs, we have a block 'range' of just 1 block => start and end globals are the same
+    bytes32[] memory globalVariablesFields = HeaderLib.toFields(header.globalVariables);
+    for (uint256 i = 0; i < globalVariablesFields.length; i++) {
+      // start_global_variables
+      publicInputs[i + 6] = globalVariablesFields[i];
+      // end_global_variables
+      publicInputs[globalVariablesFields.length + i + 6] = globalVariablesFields[i];
     }
+    // out_hash: root of this block's l2 to l1 message tree (will eventually be root of roots)
+    publicInputs[24] = header.contentCommitment.outHash;
+
+    // For block root proof outputs, we have a single recipient-value fee payment pair,
+    // but the struct contains space for the max (32) => we keep 31*2=62 fields blank to represent it.
+    // fees: array of recipient-value pairs, for a single block just one entry (will eventually be filled and paid out here)
+    publicInputs[25] = bytes32(uint256(uint160(header.globalVariables.coinbase)));
+    publicInputs[26] = bytes32(header.totalFees);
+    // publicInputs[27] -> publicInputs[88] left blank for empty fee array entries
 
-    publicInputs[headerFields.length + 3] = _proverId;
+    // vk_tree_root
+    publicInputs[89] = vkTreeRoot;
+    // prover_id: id of current block range's prover
+    publicInputs[90] = _proverId;
 
     // the block proof is recursive, which means it comes with an aggregation object
     // this snippet copies it into the public inputs needed for verification
@@ -240,7 +291,7 @@ contract Rollup is Leonidas, IRollup {
       assembly {
         part := calldataload(add(_aggregationObject.offset, mul(i, 32)))
       }
-      publicInputs[i + 4 + Constants.HEADER_LENGTH] = part;
+      publicInputs[i + 91] = part;
     }
 
     if (!verifier.verify(_proof, publicInputs)) {
@@ -253,6 +304,162 @@ contract Rollup is Leonidas, IRollup {
 
     emit L2ProofVerified(header.globalVariables.blockNumber, _proverId);
   }
+  //  TODO(#7346): Commented out for now as stack too deep (unused until batch rollups integrated anyway).
+  //  /**
+  //  * @notice  Submit a proof for a range of blocks in the pending chain
+  //  *
+  //  * @dev     TODO(#7346): Currently unused - integrate when batch rollups are integrated.
+  //  *
+  //  * @dev     Will call `_progressState` to update the proven chain. Notice this have potentially
+  //  *          unbounded gas consumption.
+  //  *
+  //  * @dev     Will emit `L2ProofVerified` if the proof is valid
+  //  *
+  //  * @dev     Will throw if:
+  //  *          - The block number is past the pending chain
+  //  *          - The previous archive root does not match the archive root of the previous range's last block
+  //  *          - The new archive root does not match the archive root of the proposed range's last block
+  //  *          - The proof is invalid
+  //  *
+  //  * @dev     We provide the `_archive` and `_previousArchive` even if it could be read from storage itself because it allow for
+  //  *          better error messages. Without passing it, we would just have a proof verification failure.
+  //  *
+  //  * @dev     Following the `BlockLog` struct assumption
+  //  *
+  //  * @param  _previousArchive - The archive root of the last block in the previous proven range
+  //  * @param  _archive - The archive root of the last block in the range
+  //  * @param  _previousBlockHash - The poseidon hash of the last block in the previous proven range (should match the value in the previous archive tree)
+  //  * @param  _currentBlockHash - The poseidon hash of the last block in this range (should match the value in the new archive tree)
+  //  * @param  outHash - The root of roots of the blocks' l2 to l1 message tree
+  //  * @param  coinbases - The recipients of the fees for each block in the range (max 32)
+  //  * @param  fees - The fees to be paid for each block in the range (max 32)
+  //   * @param  _proverId - The id of this block's prover
+  //  * @param  _aggregationObject - The aggregation object for the proof
+  //  * @param  _proof - The proof to verify
+  //  */
+  // function submitRootProof(
+  //   bytes32 _previousArchive,
+  //   bytes32 _archive,
+  //   bytes32 _previousBlockHash,
+  //   bytes32 _currentBlockHash,
+  //   bytes32 outHash,
+  //   address[32] calldata coinbases,
+  //   uint256[32] calldata fees,
+  //   bytes32 _proverId,
+  //   bytes calldata _aggregationObject,
+  //   bytes calldata _proof
+  // ) external override(IRollup) {
+  //   // TODO(#7346): The below assumes that the range of blocks being proven is always the 'next' range,
+  //   // does not allow for any 'gaps'. Maybe we should allow gaps to avoid someone holding up the chain.
+  //   uint256 startBlockNumber = provenBlockCount + 1;
+  //   uint256 endBlockNumber = pendingBlockCount;
+
+  //   // TODO: For now, while this fn is unused, checking input prev and current archives against expected.
+  //   // It may be better to input block numbers and gather archives from there.
+  //   bytes32 expectedLastArchive = blocks[startBlockNumber - 1].archive;
+  //   bytes32 expectedArchive = blocks[endBlockNumber].archive;
+
+  //   // We do it this way to provide better error messages than passing along the storage values
+  //   // TODO(#4148) Proper genesis state. If the state is empty, we allow anything for now.
+  //   if (expectedLastArchive != bytes32(0) && _previousArchive != expectedLastArchive) {
+  //     revert Errors.Rollup__InvalidArchive(expectedLastArchive, _previousArchive);
+  //   }
+
+  //   // TODO: Below assumes the end state after proving this range of blocks cannot be 0, correct?
+  //   if (expectedArchive == bytes32(0)) {
+  //     revert Errors.Rollup__TryingToProveNonExistingBlock();
+  //   }
+
+  //   if (_archive != expectedArchive) {
+  //     revert Errors.Rollup__InvalidProposedArchive(expectedArchive, _archive);
+  //   }
+
+  //   // TODO(#7346): Add a constant with calculated len of RootRollupPublicInputs:
+  //   // Currently 64 for fees (32 * 2) + 4 for archives (2 * 2) + 6 for indiv. fields
+  //   // Public inputs are not fully verified (TODO(#7373))
+
+  //   bytes32[] memory publicInputs =
+  //     new bytes32[](74 + Constants.AGGREGATION_OBJECT_LENGTH);
+
+  //   // From root_rollup_public_inputs.nr RootRollupPublicInputs.
+  //   // previous_archive.root: the previous archive tree root
+  //   publicInputs[0] = expectedLastArchive;
+  //   // previous_archive.next_available_leaf_index: the previous archive next available index
+  //   publicInputs[1] = bytes32(startBlockNumber);
+
+  //   // end_archive.root: the new archive tree root
+  //   publicInputs[2] = expectedArchive;
+  //   // this is the _next_ available leaf in the archive tree
+  //   // normally this should be equal to the block number (since leaves are 0-indexed and blocks 1-indexed)
+  //   // but in yarn-project/merkle-tree/src/new_tree.ts we prefill the tree so that block N is in leaf N
+  //   // end_archive.next_available_leaf_index: the new archive next available index
+  //   publicInputs[3] = bytes32(endBlockNumber + 1);
+
+  //   // previous_block_hash: the block hash of block number startBlockNumber - 1
+  //   publicInputs[4] = _previousBlockHash;
+
+  //   // verifyMembership(archivePath, _previousBlockHash, startBlockNumber - 1, expectedLastArchive)
+
+  //   // end_timestamp: TODO: is this the correct timestamp for public inputs?
+  //   publicInputs[5] = bytes32(lastBlockTs);
+
+  //   // end_block_hash: the block hash of block number endBlockNumber
+  //   publicInputs[6] = _currentBlockHash;
+
+  //   // verifyMembership(archivePath, _currentBlockHash, endBlockNumber, expectedArchive)
+
+  //   // out_hash: the root of roots of each block's l2 to l1 message tree
+  //   publicInputs[7] = outHash;
+
+  //   // TODO(Miranda):
+  //   // Current outbox takes a single block's set of l2 to l1 messages where the outHash represents the root
+  //   // of a wonky tree, where each leaf is itself a small tree of each tx's l2 to l1 messages.
+  //   // For #7346 we need this outHash to represent multiple blocks' outHashes.
+  //   // OUTBOX.insert(
+  //   //   endBlockNumber, outHash, l2ToL1TreeMinHeight
+  //   // );
+
+  //   // fees: array of recipient-value pairs
+  //   for (uint256 i = 0; i < 32; i++) {
+  //     publicInputs[2*i + 8] = bytes32(uint256(uint160(coinbases[i])));
+  //     publicInputs[2*i + 9] = bytes32(fees[i]);
+  //     // TODO(#7346): Move payout of fees here from process()
+  //     // if (coinbases[i] != address(0) && fees[i] > 0) {
+  //     //   GAS_TOKEN.transfer(coinbases[i], fees[i]);
+  //     // }
+  //   }
+
+  //   // prover_id: id of current block range's prover
+  //   publicInputs[73] = _proverId;
+
+  //   for (uint256 i = 0; i < 74; i++) {
+  //     console.logBytes32(publicInputs[i]);
+  //   }
+
+  //   // the block proof is recursive, which means it comes with an aggregation object
+  //   // this snippet copies it into the public inputs needed for verification
+  //   // it also guards against empty _aggregationObject used with mocked proofs
+  //   uint256 aggregationLength = _aggregationObject.length / 32;
+  //   for (uint256 i = 0; i < Constants.AGGREGATION_OBJECT_LENGTH && i < aggregationLength; i++) {
+  //     bytes32 part;
+  //     assembly {
+  //       part := calldataload(add(_aggregationObject.offset, mul(i, 32)))
+  //     }
+  //     publicInputs[i + 74] = part;
+  //   }
+
+  //   if (!verifier.verify(_proof, publicInputs)) {
+  //     revert Errors.Rollup__InvalidProof();
+  //   }
+
+  //   for (uint256 i = startBlockNumber; i < endBlockNumber; i++) {
+  //     blocks[i].isProven = true;
+  //   }
+
+  //   _progressState();
+
+  //   emit L2ProofVerified(endBlockNumber, _proverId);
+  // }
 
   /**
    * @notice  Progresses the state of the proven chain as far as possible

l1-contracts/src/core/interfaces/IRollup.sol

@@ -9,13 +9,29 @@ interface IRollup {
 
   function process(bytes calldata _header, bytes32 _archive) external;
 
-  function submitProof(
+  function submitBlockRootProof(
     bytes calldata _header,
     bytes32 _archive,
     bytes32 _proverId,
+    // bytes32 _previousBlockHash,
+    bytes32 _currentBlockHash,
     bytes calldata _aggregationObject,
     bytes calldata _proof
   ) external;
 
+  // TODO(#7346): Integrate batch rollups
+  // function submitRootProof(
+  //   bytes32 _previousArchive,
+  //   bytes32 _archive,
+  //   bytes32 _previousBlockHash,
+  //   bytes32 _currentBlockHash,
+  //   bytes32 outHash,
+  //   address[32] calldata coinbases,
+  //   uint256[32] calldata fees,
+  //   bytes32 _proverId,
+  //   bytes calldata _aggregationObject,
+  //   bytes calldata _proof
+  // ) external;
+
   function setVerifier(address _verifier) external;
 }

l1-contracts/src/core/libraries/ConstantsGen.sol

@@ -90,7 +90,9 @@ library Constants {
   uint256 internal constant ROOT_PARITY_INDEX = 19;
   uint256 internal constant BASE_ROLLUP_INDEX = 20;
   uint256 internal constant MERGE_ROLLUP_INDEX = 21;
-  uint256 internal constant ROOT_ROLLUP_INDEX = 22;
+  uint256 internal constant BLOCK_ROOT_ROLLUP_INDEX = 22;
+  uint256 internal constant BLOCK_MERGE_ROLLUP_INDEX = 23;
+  uint256 internal constant ROOT_ROLLUP_INDEX = 24;
   uint256 internal constant FUNCTION_SELECTOR_NUM_BYTES = 4;
   uint256 internal constant ARGS_HASH_CHUNK_LENGTH = 16;
   uint256 internal constant ARGS_HASH_CHUNK_COUNT = 16;
@@ -193,6 +195,7 @@ library Constants {
   uint256 internal constant KERNEL_CIRCUIT_PUBLIC_INPUTS_LENGTH = 417;
   uint256 internal constant CONSTANT_ROLLUP_DATA_LENGTH = 12;
   uint256 internal constant BASE_OR_MERGE_PUBLIC_INPUTS_LENGTH = 29;
+  uint256 internal constant BLOCK_ROOT_OR_BLOCK_MERGE_PUBLIC_INPUTS_LENGTH = 91;
   uint256 internal constant GET_NOTES_ORACLE_RETURN_LENGTH = 674;
   uint256 internal constant NOTE_HASHES_NUM_BYTES_PER_BASE_ROLLUP = 2048;
   uint256 internal constant NULLIFIERS_NUM_BYTES_PER_BASE_ROLLUP = 2048;

l1-contracts/src/core/libraries/HeaderLib.sol

@@ -251,4 +251,33 @@ library HeaderLib {
 
     return fields;
   }
+
+  // TODO(#7346): Currently using the below to verify block root proofs until batch rollups fully integrated.
+  // Once integrated, remove the below fn (not used anywhere else).
+  function toFields(GlobalVariables memory _globalVariables)
+    internal
+    pure
+    returns (bytes32[] memory)
+  {
+    bytes32[] memory fields = new bytes32[](Constants.GLOBAL_VARIABLES_LENGTH);
+
+    fields[0] = bytes32(_globalVariables.chainId);
+    fields[1] = bytes32(_globalVariables.version);
+    fields[2] = bytes32(_globalVariables.blockNumber);
+    fields[3] = bytes32(_globalVariables.slotNumber);
+    fields[4] = bytes32(_globalVariables.timestamp);
+    fields[5] = bytes32(uint256(uint160(_globalVariables.coinbase)));
+    fields[6] = bytes32(_globalVariables.feeRecipient);
+    fields[7] = bytes32(_globalVariables.gasFees.feePerDaGas);
+    fields[8] = bytes32(_globalVariables.gasFees.feePerL2Gas);
+
+    // fail if the header structure has changed without updating this function
+    if (fields.length != Constants.GLOBAL_VARIABLES_LENGTH) {
+      // TODO(Miranda): Temporarily using this method and below error while block-root proofs are verified
+      // When we verify root proofs, this method can be removed => no need for separate named error
+      revert Errors.HeaderLib__InvalidHeaderSize(Constants.HEADER_LENGTH, fields.length);
+    }
+
+    return fields;
+  }
 }