feat(protocol): Enable protocol to handle multiple proof types

[adaki2004]

Related to: #13731

• Code changes required to verify multiple proofs
• Code changes required to overwrite unverified fork choice
• Test changes of multiple proofs (ZKP & SGX) + overwrite unverified FK
• Adjust other tests to changes

[Brechtpd]

Looking good!

[Brechtpd]

Nice! Maybe a more clear name would be proofToggleMask or something.

[Brechtpd]

Suggested change

	if (index == 0 && ((config.proofTypeEnabled >> index) & 1) == 1) {
	if (((config.proofTypeEnabled >> index) & 1) == 1) {
	if (index == 0) {
	// ...
	} else if (index == 1) {
	// ...
	}

[Brechtpd]

The plan is still to abstract the actual implementations away in the verifier, or do you think a simple for loop with some ifs would also work? Seems okay to me like this, but I'm mostly concerned about the additional data needed for the different proof types, having a separate contract for each allows things to be very flexible with what a new proof type needs

[adaki2004]

Yep, agree, thanks for the remark! Outsourced to new files now.

[dantaik]

I think we can also use this library for non-sgx signers, so I suggested to change the name to LibVerifyTrusted

[dantaik]

rename to verifyProof?

[dantaik]

rename to verifyProof?

[dantaik]

How about we added a verifierType here?
uint16 proofType,

[dantaik]

Should we do something like this?

uint8 mask = config.proofToggleMask;

for (uint i = 0; i < blockProofs.length; i++) {
  TypedProof memory proof = blockProofs[i];
  uint8 bitMask = 1 << (proof.proofType - 1);
  require(mask & bitMask) != 0, "type_not_enabled_or_duplicated");
  _verifyTypedProof(proof);
  mask &= ~bitMask;
}
require(mask == 0, "not_all_requierd_proof_verified");

[dantaik]

I also suggest that the cooldown period is a value returned from _verifyTypedProof:

uint8 mask = config.proofToggleMask;
uint64 maxCoolDownPeriod;
for (uint i = 0; i < blockProofs.length; i++) {
  TypedProof memory proof = blockProofs[i];
  uint8 bitMask = 1 << (proof.proofType - 1);
  require(mask & bitMask) != 0, "type_not_enabled_or_duplicated");
  uint64 coolDownPeriod = _verifyTypedProof(proof);
  maxCoolDownPeriod = maxCoolDownPeriod.max(coolDownPeriod);
  mask &= ~bitMask;
}
require(mask == 0, "not_all_requierd_proof_verified");
fc.provenAt = uint64(block.timestamp +maxCoolDownPeriod );

[dantaik]

Inside, LibVerifyerSGX and LibVerifyingZKP, in the verify function, we also return a cooldown period. This allows for different cooldown period for different verifiers, then we just take the max.

[adaki2004]

Question to this cooldown period: Since this affects proofTime = provenAt - proposedAt and cooldown only delays verification, why should not we let the the LibVerifying.sol do this job and revert ?

[Brechtpd]

Inside, LibVerifyerSGX and LibVerifyingZKP, in the verify function, we also return a cooldown period. This allows for different cooldown period for different verifiers, then we just take the max.

Maybe min makes more sense otherwise adding a proof type can increase the cooldown, although cooldown period length will always a bit tricky and handwavy and not sure if something that can be decided per proof type.

Question to this cooldown period: Since this affects proofTime = provenAt - proposedAt and cooldown only delays verification, why should not we let the the LibVerifying.sol do this job and revert ?

What do you mean with revert?

[adaki2004]

What do you mean with revert?

Simply break/revert, not allow to be verified.

[dantaik]

BlockProof => TypedProof

[dantaik]

uint16?

[dantaik]

I think this PR still has a high level design issue: the proofToggleMask can only specify an AND logics, but not something like: *if a valid SGX proof is given, then ZKP is not necessary; *.

[dantaik]

Need to remvoe ""oracle_prover" and "system_prover" everywhere.

[adaki2004]

I think this PR still has a high level design issue: the proofToggleMask can only specify an AND logics, but not something like: *if a valid SGX proof is given, then ZKP is not necessary; *.

I guess this is a 'special proving scenario' only available if we explicitly set so (in the config). Then
if (proofToggleMask == type(uint16).max) could be one.
Let me know if it works with you. I guess if this is the only special scenario we want to do support (like the system_proof previously) this could work well.

[Brechtpd]

I think this PR still has a high level design issue: the proofToggleMask can only specify an AND logics, but not something like: *if a valid SGX proof is given, then ZKP is not necessary; *.

Could you give a scenario where we would use conditional logic like that? I saw this only really as an all proofs that are enabled are required thing.

I could see some benefit of the different proofs coming in at different times (like SGX proof first, which would set the cooldown period still pretty high, then a zkp proof that lowers it) but in practice I think probably doesn't really make a difference (we'll always want the zkp anyway, which is the slowest, and all of them being required all the time is best for security), and complicates things quite a bit like the fee payments.

We could still implement something like this in a verifier contract, the main protocol would would just require a single proof related to that verifier contract, but internally the verifier contract can do whatever it wants so could contain multiple sub-proofs with some special logic. This would actually be a pretty nice way to implement the testnet scenario where we want to skip some ZKP proofs, then there's no need to build this into the core protocol.

So maybe let's simplify the core protocol as much as possible and only let it support a single "proof" (as in some data and a verifier contract to call), then let the verifier contract handle the rest.

[adaki2004]

@Brechtpd @dantaik
Thinking out loud, shouldn't we branch off from current main - call it alpha4 - and then every protocol change could go there from now on ?

[Brechtpd]

Probably makes more sense to do the opposite which I think is what we already do, make a release for alpha-n, and keep working on main.

[adaki2004]

Will incorporate #13777 into this PR as well!

[adaki2004]

Put back this functionality into proveBlock()

[Brechtpd]

Hmmm why? The functionality of this is significantly different from proveBlock, which made proveBlock really complicated before.

[adaki2004]

Maybe have it static 2 proofs now - instead of a bitmap. Future updates will handle rest.

[davidtaikocha]

Shall we define keccak256("taiko") as a library constant to save some gas?

[adaki2004]

Yep, good one ! Thanks David.

[adaki2004]

@dantaik
Incorporated all the changes we discussed this morning.

(Latest commit changes):

• Get rid of toggle mask and restrict to ZKP + SGX (only in case it is enabled)
• Removed setForkChoice() function and incorporated the (Super Prover) into proveBlock() since sharing the same function signature/interface
• Added SGX enable flag
• Removed unnecessary vars (like proofType) because the static position in the array will determine if ZKP or SGX (we can save some gas here)
• Removed unused errors
• Removed irrelevant tests

Now we have 2 options to prove blocks.
A: ZKP + SGX (if enabled, or ZKP only in case we dont enable SGX) and those have to come together
B: There is a SuperProver which can write the proof

Gas comparison:
Old (but still with SGX): 36.805 gwei on average

New: 34.143 gwei

If I modify the code in a way that inline both the code of the LibVerifyZKP.verifyProof and LibVerifyTrusted.verifyProof we could save approx. 94gwei, but i thought does not worth the effort vs. maintenance (readability) later on.

[dantaik]

@adaki2004 given that our core protocol and tokenomics have changed a lot, shall we close this PR then re-implement the idea later?

[adaki2004]

Yes,im closing it (for now) without deletion.