Suyash Bagad
Cryptography Engineer
Rollup Architecture
Rollup Circuit
- Pedersen hash is used to commit to data
- In Aztec, we use it to hash data up a Merkle Tree
- For scalars \(a, b \in \mathbb{F}_r\) and uniformly chosen generators \(G, H \in \mathbb{G}_1\), we define
\(H_P(a, b) := aG + bH\)
- To support Pedersen hashes, we need a fixed-base scalar multiplication gate
- For a scalar \(a \in \mathbb{F}_r\), we wish to compute \(H_P(a) = aP\) for a generator \(P \in \mathbb{G}_1\)
- For this, we use the \(w\)NAF form of \(a \equiv \{a_i\}_{i \in \{0,1,\dots, 127\}}, \ a_i \in \{-3,-1,1,3\}\):
a = \sum_{i=0}^{127}a_i \cdot 4^{i} \implies H_P(a) := \sum_{i=0}^{127}a_i \cdot 4^{i}P
- Since \(a < r\), we must have \(a_{127}=1\) for any \(a \in \mathbb{F}_r\)
\(H_P(a) := (s + 4^{127})P + \sum_{i=0}^{126}a_i \cdot 4^{i}P\)
\(w\)NAF Form
- \(w\)NAF \(\equiv\) window non-adjacent form, \(w = \) window size
- Define \(w\)NAF form of \(a \in \mathbb{F}_r \ \equiv \ \{a_i\}_{i \in \{0,1,\dots, 127\}}, \ a_i \in \{-3,-1,1,3\}, \ w=2\):
a := \sum_{i=0}^{127}a_i \cdot 4^{i}
- Claim: For any \(a \in \mathbb{F}_r\), we must have \(a_{127}=1\).
\(\implies a_{\texttt{lower}} < 0 \le a < r < a_{\texttt{upper}}\)
- For example, the \(w\)NAF form of \(a=25\) would be:
\(a = 1\cdot 4^{127} + (-3)(4^{126} + \dots + 4^{2}) + 3\cdot 4^{1} + (-3)\cdot 4^{0}\)
\begin{aligned}
a_{\texttt{upper}} &= 3\cdot 4^{127} - 3(1 + 4 + 4^2 + \dots + 4^{126}) = 2^{255}+1 \\
a_{\texttt{lower}} &= (-1)\cdot 4^{127} + 3(1 + 4 + 4^2 + \dots + 4^{126}) = -1
\end{aligned}
\(a_{0}\)
\(a_{1}\)
\(a_{2}\)
\(a_{3}\)
\(a_{4}\)
\(a_{5}\)
\(a_{6}\)
\(a_{7}\)
\(a_{8}\)
\(a_{9}\)
\(a_{10}\)
\(a_{11}\)
\(a_{12}\)
\(a_{13}\)
\(a_{14}\)
\(a_{15}\)
\(a_{16}\)
\(a_{17}\)
\(a_{18}\)
\(a_{19}\)
\(a_{20}\)
\(a_{21}\)
\(a_{22}\)
\(a_{23}\)
\(a_{24}\)
\(a_{25}\)
\(a_{26}\)
\(a_{27}\)
\(a_{28}\)
\(a = \big(\underbrace{a_{\text{hi}}}_{128} \ \| \ \underbrace{a_{\text{lo}}}_{126}\big) \in \mathbb{F}_q\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(9\)
\(2\)
\(\overbrace{\qquad \qquad \ \ \ }^{G_0}\)
\(\overbrace{\qquad \qquad \ \ \ }^{G_1}\)
\(\overbrace{\qquad \qquad \ \ \ }^{G_2}\)
\(\overbrace{\qquad \qquad \ \ \ }^{G_3}\)
\(\overbrace{\qquad \qquad \ \ \ }^{G_4}\)
\(\overbrace{\qquad \qquad \ \ \ }^{G_5}\)
\(\overbrace{\qquad \qquad \ \ \ }^{G_6}\)
\(\overbrace{\qquad \qquad \ \ \ }^{H_0}\)
\(\overbrace{\qquad \qquad \ \ \ }^{H_1}\)
\(\overbrace{\qquad \qquad \ \ \ }^{H_2}\)
\(\overbrace{\qquad \qquad \ \ \ }^{H_3}\)
\(\overbrace{\qquad \qquad \ \ \ }^{H_4}\)
\(\overbrace{\qquad \qquad \ \ \ }^{H_5}\)
\(\overbrace{\qquad \qquad \ \ \ }^{H_6}\)
\(\overbrace{\ \ \ }^{H_7}\)
\begin{aligned}
H_P(a) := & \sum_{i=0}^{6} \left(\textcolor{orange}{a_{2i}}G_i + \textcolor{lightgreen}{a_{2i+1}}\lambda G_i\right) +
\sum_{i=0}^{6} \left(\textcolor{orange}{a_{14+2i}}H_i + \textcolor{lightgreen}{a_{14 + 2i + 1}}\lambda H_i\right) + \textcolor{orange}{a_{28}}H_7
\end{aligned}
\(\Pi_{r,1}\)
\(\Pi_{\text{root}}\)
\(\Pi_{r,2}\)
\(\Pi_{r,3}\)
\(\Pi_{r,4}\)
\(\pi_{1}\)
\(\pi_{2}\)
\(\pi_{3}\)
\(\pi_{4}\)
\(\pi_{5}\)
\(\pi_{6}\)
\(\pi_{7}\)
\(\pi_{8}\)
\(A\)
\(B\)
\(C\)
\(D\)
\(E\)
\(F\)
\(\text{root}\)
\(i=0\)
\(i=1\)
\(\Pi_{r,1}\)
\(\Pi_{\text{root}}\)
\(\Pi_{r,2}\)
\(\Pi_{r,3}\)
\(\Pi_{r,4}\)
\(\pi_{1} \ \ \pi_2 \ \ \pi_3 \ \ \pi_4 \ \ \pi_5 \ \ \pi_6 \ \ \pi_7 \ \ \pi_8\)
\(\pi_{1} \ \ \pi_2 \ \ \pi_3 \ \ \pi_4 \ \ \pi_5 \ \ \pi_6 \ \ \pi_7 \ \ \pi_8\)
\(\pi_{1} \ \ \pi_2 \ \ \pi_3 \ \ \pi_4 \ \ \pi_5 \ \ \pi_6 \ \ \pi_7 \ \ \pi_8\)
\(\pi_{1} \ \ \pi_2 \ \ \pi_3 \ \ \pi_4 \ \ \pi_5 \ \ \pi_6 \ \ \pi_7 \ \ \pi_8\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(0101\)
\(1101\)
\(1110\)
\(1010\)
\(i=0\)
\(i=1\)
\(0\)
\(1\)
\(2\)
\(3\)
root
A
B
C
D
E
F
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(\text{Common Height} = 2\)
\(z[2]\)
\(h^2_3\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(z[2]\)
\(h^2_3\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(z[2]\)
\(h^2_3\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(z[2]\)
\(h^2_3\)
\(z[1]\)
\(z[1]\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(z[2]\)
\(h^2_3\)
\(z[1]\)
\(z[1]\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(z[2]\)
\(h^2_3\)
\(z[1]\)
\(z[1]\)
\(A\)
\(F\)
\(N\)
\(i=0\)
\(i=1\)
\(i=2\)
\(i=3\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(10\)
\(11\)
\(12\)
\(13\)
\(14\)
\(15\)
\(1101\)
\(1010\)
\(r\)
\(h^3_0\)
\(5\)
\(h^2_0\)
\(\text{key}\)
\(\text{value}\)
\(h^3_1\)
\(h^3_0\)
\(N\)
\(h^3_1\)
\(\texttt{true}\)
\(h^2_1\)
\(0\)
\(A\)
\(\texttt{true}\)
\(5\)
\(F\)
\(\texttt{true}\)
\(h^2_0\)
\(h^2_1\)
\(\vec{h}(10)\)
\(0\)
\(1\)
\(2\)
\(3\)
\(h^3_0\)
\(h^3_1\)
\(z[2]\)
\(h^2_3\)
\(z[1]\)
\(z[1]\)
\(-1\)
\(-1\)
\(i=0\)
\(i=1\)
\(i=2\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(r\)
\(h^2_0\)
\(h^2_1\)
\(h^2_1\)
\(h^2_0\)
\(h^1_0\)
\(h^1_0\)
\(h^1_1\)
\(h^1_1\)
\(h^1_2\)
\(h^1_3\)
\(h^1_2\)
\(h^1_3\)
\(h^0_0\)
\(h^0_1\)
\(h^0_2\)
\(h^0_3\)
\(h^0_4\)
\(h^0_5\)
\(h^0_6\)
\(h^0_7\)
\(\text{key}\)
\(\text{value}\)
\(i=0\)
\(i=1\)
\(i=2\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(r\)
\(h^2_0\)
\(h^2_1\)
\(h^2_1\)
\(h^2_0\)
\(h^1_0\)
\(0\)
\(h^1_6\)
\(2\)
\(\text{key}\)
\(\text{value}\)
\(\texttt{true}\)
\(\texttt{true}\)
\(i=0\)
\(i=1\)
\(i=2\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(r\)
\(h^2_0\)
\(h^2_1\)
\(h^2_1\)
\(h^2_0\)
\(h^1_0\)
\(h^1_1\)
\(h^1_6\)
\(2\)
\(\text{key}\)
\(\text{value}\)
\(h^1_0\)
\(h^1_1\)
\(h^0_0\)
\(h^0_1\)
\(h^0_2\)
\(h^0_3\)
\(\texttt{true}\)
Rollup and Root Rollup Circuit
By Suyash Bagad
Rollup and Root Rollup Circuit
Rollup and Root Rollup Circuit Architecture.
- 52
