Complete Trust-less Derivation for Zero-Knowledge Dispute Game

A ZK fault proof is a process that proves which of the first disagreeing execution results of L2 block is correct. This process allows a Challenger to submit zk-proof of the correct execution to rectify it if a Validator posts an incorrect execution result.

The Challenger should perform block-execution off-chain to prove this, as doing it on the EVM is inefficient, and attach a zk-proof to ensure the validity of the off-chain computations. Additionally, since the L2Batch data cannot be accessed on the EVM (although it exists on L1), the Challenger must prove the validity of the block-derivation process.

This document introduces a complete derivation process that can be verified solely with data, without relying on a trusted third party.

General Derivation (with Trusted RPC)

Since the corrupted block is identified through a dispute game, a derivation for just one block is sufficient.

For a random L2 block, $T$

Discover $O$ as a L1 origin block of $T$ specified from the L1AttributeTransaction(the first transaction)
Query $O$ to reconstruct L1 attribute transaction and all User deposit transactions.
Starting from L1 block $O$, move forward one block at a time to find the L2 batch that includes $T$.
1. Occasionally, batches will be found, but drop those that do not include $T$.
Reconstruct L2 transactions related to $T$ from the batch found in step 3.
All materials for $T$ will be fully acquired in L1.
1. L1 attribute transaction from step 2.
2. User deposit transactions from step 2.
3. L2 transactions from step 4.
Execute every transaction within $T$ to derive the state root of $T$.

Kona of Optimism and Zeth of Risc0 implement “General Derivation”, which does not verify the RPC responses. (Pros) This is the lighter than one described later, so it may be quickly proved with zk-scheme. However, (Cons) since the process lacks verification of data obtained externally(a.k.a., pre-images), an additional integrity check for this data must be performed.

Incomplete Trust-less Derivation

DerivationNoTrust.drawio.png

To recover L2 block $T$ without relying on a third party, checking integrity must be added to “General Derivation”. In the diagram above, check whether the hash of the previous data exists as a member of the next data at the point indicated by the orange arrow. If all integrity checks are possible, the execution result of $T$ is deterministic.

However, currently, the integrity check of L1 block $B$ is not possible on chain. In other words, $T$ could be restored with an incorrect transaction, potentially producing an incorrect state root if $B$ is forged.