feat(protocol): Separate proof verification to a standalone, deployed contract

[adaki2004]

Base branch of this introduced multi-prover possibilities.
This one outsourced proof verification into a separate, deployed contract.

Gas comparison:

Base: (42.074 gwei)

This one (47.418 gwei)

IMPORTANT NOTE

Code to calculate the public instance below stayed in LibProving.

// Put together the input for proof and signature verification
        uint256[9] memory inputs;
...

        bytes32 instance;
        assembly {
            instance := keccak256(inputs, mul(32, 9))
        }

I decided to leave it there, because:

1. tested a version where i pass the Evidence towards the verifier contract and calculate it there, but it adds additional data (overhead) which costs roughly +1K gas.
2. In case there is an additional protocol upgrade which changes the Evidence we need to upgrade this new Verifier anyways as well..

Only issue I see with this is: there will be a completely new proof method which will require only some portion of the Evidence so would be useful having that extra data at the verifier contract.

With current plans (ZK, SGX and Failsafe signature overwrite) i see it a no issue, but who knows, maybe worth to pass the whole Evidence data ?
Please let me know what you think @dantaik @Brechtpd

[dantaik]

We should not pass in the resolver as this contract shall be a resolver itself.

[adaki2004]

Well, yes, so I did it on purpose (until there is no setter for AddressManager and wanted to use the 'common' one). Will change tomorrow when addressing the PR findings.

[dantaik]

What if you change calldata to memory? Will the cost be lower?

[adaki2004]

No, calldata is much cheaper.

[dantaik]

Should remove resolver as it is implementation specific.

[adaki2004]

Referred to this in the prev. point.

[dantaik]

rename the file to IProofVerifier.sol

[dantaik]

Rename to ProofVerifier? (and the filename)

[dantaik]

TaikoProofToggleMask not used at all.

[adaki2004]

Indeed, here not, but we need to have it for toggle mask setter during upgrades. If you referred to this line exaclty then sure, i'll delete it, thanks!

[dantaik]

Why do we need the code in a library?

[adaki2004]

Not necessary, just given the fact it's 3 lines and highly related to the ProofVerifier code (so during uprages, this is how we can manage setting the mask) i thought fine setting here. Let me know and i can put it to a different file.

[dantaik]

rename to verifyProofs?

[dantaik]

@adaki2004 Lets talk about it tomorrow. But i feel like this current code can only express AND logic, not the OR logic.

[adaki2004]

This is true however:

• 1. This scenario is covered by an option to (over)write the correct fork choice so a 'SuperProver' is still available.
• 2. Is somewhat Brecht's answer here answering your question ?
• 3. If you mean 'in general' I'd say - the current implementation of this is indeed does not implement an OR relationship, but this is the beauty of this separation. We do not need to handle things just now, it lives as a standalone deployment and in case we need to OR / AND, we can very easily adjust it.

[Brechtpd]

Suggested change

	function verifyProofs(
	bytes32 instance,
	TaikoData.TypedProof[] calldata blockProofs,
	AddressResolver resolver
	) external;
	function verifyProof(bytes32 instance, bytes calldata proof) external;

What do you think of this API? This way we don't have any dependencies and the proof can really be whatever, and proofs don't have to confirm to TypedProof which may not always fit.

EDIT: Updated to still have the instance separate. I would say not to pass in the AddressResolver, I think addresses accessed by the verifier should not be set on the protocol AddressResolver, they should store their own data.

[Brechtpd]

Maybe we should simply remove the mask? A verifier just always hard-codes the logic that needs to be followed. If this logic changes, a different verifier contract should be deployed.

Well, it is maybe useful for testing still, so this could be the testnet verifier contract or something like that. But on mainnet, probably just want to keep it as simple as possible.

[adaki2004]

Well, makes things more difficult with testing (multi prover vs. exisitng ZK only proofs).
So, i'd just leave it for now - we shall keep it in mind - but since harmless even on mainnet i'd just handle it with low prio - and change it close to mainnet. (?)

[dantaik]

@adaki2004 , as mentioned #13791 (comment), I now perfer not splitting verification logics into their own contracts.

[adaki2004]

@adaki2004 , as mentioned #13791 (comment), I now perfer not splitting verification logics into their own contracts.

Yes, i got it.

[adaki2004]

Closing for now!