feat(protocol): proof verification aggregation

[Brechtpd]

Proof aggregation minimizes the onchain costs for proof verification, which is very important for zk proof verfication. Without aggregation the onchain costs would be very expensive, with proof aggregation we mostly only pay the offchain proof generation cost which is already pretty cheap.

Currently this PR just outlines one easy way to get proof aggregation working with minimal changes.

raiko PR: taikoxyz/raiko#347

[openzeppelin-code]

feat(protocol): proof verification aggregation

Generated at commit: ee481eafa642d32e25185ddedc563343fa53893f

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	2 2 0 8 42 54
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector

[dantaik]

Since the current SGX prover doesn't support multiple blocks, can we ensure the length of _ctx and _tran are both 1 for now so we can upgrade contracts ealier?

[Brechtpd]

The inputs into the verification are still changed so a bit tricky. If length is 1 we could use the old verification path, but then this would be a special case and proof aggregation on a single proof would not be valid. Seems easier if aggregation is always used even if there's only a single proof, otherwise we need multiple verification paths.

[adaki2004]

I have a compilation error, due to this outter verifyProof(), the verifier variable is not know. It is coming from the tier configuration itself (now, in our current design).

And also this yields into another problem, with an example:
The block tiers (and hence the tier verifiers) can be for example:
block nr. 102: SGX only
block nr. 103: SGX+RISC0
block nr. 104: SGX+SP1
block nr. 105: SGX only again

And thus, the verifier contract address itself differs from block to block. so aggregating multiple, continuous blocks and verify with one go, will only work (in the current design at least!) if we have the exact same logic (contract) to verify (so same tiers), otherwise no.

[dantaik]

I think you can only aggregate proofs for the same tier together, but the proofs may correspond to blocks that are not consecutive.

[adaki2004]

Yes, but then with ever 500-100th zk tier blocks in practice it will be useful for tee only. (At least for now.)

[Brechtpd]

I think I have now added the required checks to make sure only the same proofs can be aggregrated.

[0xjunger]

Is this aggregation between zk proofs(r0, sp1) inside Raiko? Or it’s mean compatibility with proof aggregation layers?

[Brechtpd]

Is this aggregation between zk proofs(r0, sp1) inside Raiko? Or it’s mean compatibility with proof aggregation layers?

It is aggregation of the same proof types within raiko (so a batch of SP1 proofs OR a batch of SGX proofs OR ...)

[Brechtpd]

Ok I will leave it here 🫡

[smtmfft]

not yet verified here??

[adaki2004]

Technically true only but:

• this is the only way to emit events per transition (one by one) since we are going thru the aggregated proofs.
• if something fails, the TXN reverted anyways

[Brechtpd]

Assumption indeed that all the proofs are verified correctly in some way afterwards.

[smtmfft]

Is this necessary? I mean as oldInstance is always recovered from signature, why we need explicit list oldInstance here?

[Brechtpd]

We need to have it available in the aggregation proof, because that's the address we need to verify against for the first block proof. We need to get it from somewhere to be able to correctly verify that proof, because we don't have it available anymore in the SGX instance itself (could be many blocks ago, and we only store the latest key pair in SGX).

[github-actions]

This PR is stale because it has been open for 45 days with no activity.