UPA protocol specification

The application contract calls isProofVerified on the UpaVerifier contract, passing in the public inputs $\mathsf{PI}$, the circuit Id $\mathsf{circuitId}$, and a ProofReference (when required).

The UpaVerifier contract computes $\mathsf{proofId} = \mathsf{keccak}(\mathsf{circuitId}, \mathsf{PI})$ from the public inputs and then checks that ProofReference contains a valid Merkle proof that $\mathsf{proofId}$ belongs to a verified submission.

The UpaVerifier returns true if it has a record of a valid proof for $(\mathsf{circuitId}, \mathsf{proofId})$, and false otherwise.

Application contract computes an array of public inputs $[\mathsf{PI}_i]$ where the $i$-th entry corresponds to the $i$-th proof of a submission with $\mathsf{submissionId}$.

Application contract submits an array of tuples $[(\mathsf{circuitId}_i, \mathsf{PI}_i)]$ to the UPA contract.

The UPA contract computes the (unique) $\mathsf{submissionId}$ corresponding to the submitted array of circuit ids and public inputs.

The UPA contract returns 1 if it has verified the submission $\mathsf{submissionId}$ (i.e. it has verified all of the proofs within $\mathsf{submissionId}$), and 0 otherwise.

Before submitting proofs on-chain, the application developer submits a transaction calling the registerVK method to the UPA contract (through the IUpaProofReceiver interface), passing their verification key $\mathsf{VK}$.

The circuit's $\mathsf{circuitId}$ is computed as

where $\mathsf{DT}_\mathsf{circuitId}$ denotes a domain tag derived from a string describing the context, such as UPA Groth16 circuit id (See the Universal Batch Verifier specification for details.)

$\mathsf{VK}$ is stored on the contract (for censorship resistance) in a mapping indexed by $\mathsf{circuitId}$, and the aggregator is notified via an event. This $\mathsf{circuitId}$ will be used to reference the circuit for future operations.

The application client creates the parameters for its smart contract as normal, including one or more proofs $\pi_i$ and public inputs $\mathsf{PI}_i$. It then passes these, along with the relevant (pre-registered) circuit Ids $\mathsf{circuitId}_i$, to the submit method on the IUpaProofReceiver interface, paying the aggregation fee in ether:

computes $\mathsf{proofId}_i = \mathsf{keccak}(\mathsf{circuitId}_i, \mathsf{PI}_i)$ for $i = 0, \ldots, n-1$.

computes a proofDigest $\mathsf{proofDigest}$ for each proof, as $\mathsf{keccak}(\pi_i)$

computes the submission Id $\mathsf{submissionId}$ as the Merkle root of the list $(\mathsf{\mathsf{keccak}(proofId}_i))_{i=0}^{n-1}$ (padded as required to the nearest power of 2)

computes the digestRoot as the Merkle root of the list $(\mathsf{proofDigest}_i)_{i=0}^{n-1}$ (again padded as required to the nearest power of 2)

rejects the tx if an entry for $\mathsf{submissionId}$ already exists

assigns a $\mathsf{submissionIndex}$ to the submission (using a single incrementing counter)

assigns a $\mathsf{proofIndex}_i$ to each $(\pi_i, \mathsf{PI}_i)$ (using a single incrementing counter)

emits an event for each proof, including $(\mathsf{circuitId}_i, \pi_i, \mathsf{PI}_i, \mathsf{proofIndex}_i)$

updates the contract state to record the fact that a submission with id $\mathsf{submissionId}$ has been made, mapping it to digestRoot, $\mathsf{submissionIndex}$, $n$ and the block number at submission time.

NOTE: Proof data itself does not appear in the input data used to compute $\mathsf{proofId}$. This is because when the proof is verified by the application, the application does not have access to (and does not require) any proof data. The application is only verifying the existence of a valid proof for the given circuit and public inputs.

for each $\mathsf{proofId}$ in proofIds:

skips $\mathsf{proofId}$ if it corresponds to a dummy proof,

checks that $\mathsf{proofId}$ has been submitted to the contract, and that proofs appear in the aggregated batch in the order of submission (see below)

marks $\mathsf{proofId}$ as valid (see below)

if $\mathsf{proofId}$ is the last proof in a submission $\mathsf{submissionId}$, emit an event indicating that the submission $\mathsf{submissionId}$ has been verified

a dynamic array uint16[] numVerifiedInSubmission of counters, where the $i$-th entry corresponds to the number of proofs that have been verified (in order) of the submission with $\mathsf{submissionId} == i$

For each $\mathsf{proofId}$ in proofIds:

If $\mathsf{proofId}$ corresponds to a dummy proof, then the rest of the proofs in the batch are assumed to be dummy proofs. No more proofs from this batch will be marked as valid.

Attempt to lookup the submission data (see Proof Submission) for a submission with Id $\mathsf{keccak}(\mathsf{proofId})$. If such a submission exists:

The proof was submitted as a single-proof submission. The contract extracts the $\mathsf{submissionIndex}$ from the submission data and then checks that $\mathsf{submissionIndex}$ is greater than or equal tonextSubmissionIdxToVerify. If not reject the transaction.

The entry numVerifiedInSubmission[ $\mathsf{submissionIndex}$ ] should logically be 0 (this can be sanity checked by the contract). Set this entry to 1

Otherwise (if no submission data was found for $\mathsf{submissionId} = \mathsf{keccak}(\mathsf{proofId})$)

the proof is expected to be part of a multi-proof submission with $\mathsf{submissionIndex} \geq$ nextSubmissionIdxToVerify.

Note that if a previous aggregated proof verified some subset, but not all, of the entries in the submission, nextSubmissionIdxToVerify would still refer to the partially verified submission at this stage. In this case, numVerifiedInSubmission[ $\mathsf{submissionIndex}$ ] should contain the number of entries already verified.

the $\mathsf{submissionId}$ for the submission to be verified

Determine the number m of entries in proofIds, including the current $\mathsf{proofId}$, that belong to this submission, as follows:

Let numProofIdsRemaining be the number of entries (including $\mathsf{proofId}$) still unchecked in proofIds.

Look up the submission data for $\mathsf{submissionId}$, in particular $\mathsf{submissionIndex}$ and $n$.

Let numUnverifiedFromSubmission = $n$ - numVerifiedInSubmission[ $\mathsf{submissionIndex}$ ].

The number m of entries from proofIds to consider as part of $\mathsf{submissionId}$ is given by Min(numUnverifiedFromSubmission, numProofIdsRemaining).

Use the submission Id $\mathsf{submissionId}$ and the Merkle "interval" proof from the submission proof, to check that the hashes of the m next entries from proofIds (including $\mathsf{keccak}(\mathsf{proofId})$) indeed belong to the submission $\mathsf{submissionId}$. Reject the transaction if this check fails.

Increment the entry numVerifiedInSubmission[ $\mathsf{submissionIndex}$ ] by m, indicating that m additional proofs from the submission have been verified.

receives $\mathsf{proofId}$ or computes $\mathsf{proofId}$ from the public inputs

(using the ProofReference if necessary) confirms that $\mathsf{proofId}$ belongs to a submission $\mathsf{submissionId}$.

Checks if there was an on-chain submission for $\mathsf{submissionId}$, and if so reads the stored submission index $\mathsf{submissionIdx}$ and the total number of proofs numProofs contained in the submission $\mathsf{submissionId}$. If it finds that numVerifiedInSubmission[$\mathsf{submissionIdx}$] == numProofs then the submission $\mathsf{submissionId}$ was verified, and therefore so was the proof $\mathsf{proofId}$.

receives $\mathsf{submissionId}$ or computes $\mathsf{submissionId}$ from the public inputs

Looks up the number of proofs numProofsInSubmission in $\mathsf{submissionId}$ and then checks if numVerifiedInSubmission[$\mathsf{submissionIdx}$] = numProofsInSubmission.

A censorship event is considered to have occurred for a submission with Id $\mathsf{submissionId}$ (with submission index $\mathsf{submissionIndex}$, consisting of $n$ entries) if all of the following are satisfied:

a submission with Id $\mathsf{submissionId}$ has been made, and all proofs in the submission are valid for the corresponding public inputs and circuit Ids

some of the entries in $\mathsf{submissionId}$ remain unverified, namely

numVerifiedInSubmission[$\mathsf{submissionIndex}$] < $n$

one or more proofs from a submission with index greater than $\mathsf{submissionIndex}$ (the submission index of the submission with id $\mathsf{submissionId}$) have been included in an aggregated batch

namely, there exists $j > \mathsf{submissionIndex}$ s.t. numVerifiedInSubmission[$j$] > 0

the valid tuple $(\mathsf{circuitId}, \pi, \mathsf{PI})$, or circuitId, proof and publicInputs, the claimed next unverified entry in the submission

$\mathsf{submissionId}$ or submissionId

$j$ or laterSubmissionIdx

A Merkle proof that $\mathsf{proofId}_i$ (computed from $\mathsf{circuitId}_i$ and $\mathsf{PI}$ belongs to the submission (at the "next index" - see below)

A Merkle proof that $\pi_i$ belongs to the submission's proofDigest entry (at the "next index" - see below)

looks up the verification key $\mathsf{VK}$ using $\mathsf{circuitId}$ and performs the full proof verification for $(\mathsf{VK}, \pi, \mathsf{PI})$. The transaction is rejected if the proof is not valid or if the verification key hasn't been registered.

increments the stored count numVerifiedInSubmission[$\mathsf{submissionIndex}$]

checks the condition numVerifiedInSubmission[$\mathsf{submissionIndex}$] == n (where n is the number of proofs in the original submission $\mathsf{submissionId}$).

Note: proofDigest is used here to prevent malicious clients from submitting invalid proofs, forcing aggregators to skip their proofs, and then later providing valid proofs for the same public inputs. This would otherwise be an attack vector since $\mathsf{proofId}$ is not dependent on the proof data.

Batches of $n$ application proofs are verified in a batch verify circuit.

A keccak circuit computes all $\mathsf{circuitId}$s and $\mathsf{proofId}$s of application proofs appearing in the batch verify proof, along with a final digest (the keccak hash of these $\mathsf{proofId}$s, used to reduce the public input size of the outer circuit below).

A collection of $N$ batch verify proofs along with the keccak proof for their $\mathsf{circuitId}$s, $\mathsf{proofId}$s and final digest is verified in an outer circuit.

On-chain verification of an outer circuit proof thereby attests to the validity of $n \times N$ application proofs with given $\mathsf{proofId}$s.

$n$ - inner batch size. Application proofs per batch verify circuit.

$N$ - outer batch size. Number of batch-verify circuits per outer proof.

$L$ - the maximum number of public inputs for an application circuit.

$(\ell_i, \overline{\mathsf{VK}}_i, \overline{\mathsf{PI}}_i)_{i=1}^n$ where

$\mathsf{PI}_i = (x_{i,j})_{j=1}^{\ell_i}$ is the public inputs to the $i$-th proof

$\overline{\mathsf{PI}}_i = \mathsf{PI}_i | \{0\}_{j=\ell_i + 1}^{L}$ is $\mathsf{PI}_i$ after zero-padded to extend it to length $L$

$\overline{\mathsf{VK}}_i$ - application verification keys, each padded to length $L$

$(\pi_i)_{i=1}^n$ - application proofs

$\mathsf{PI}_i = \mathsf{truncate}(\ell_i, \overline{\mathsf{PI}}_i) | \{0\}_{j=\ell_i + 1}^{L}$

$\mathsf{Groth16.Verify}(\overline{\mathsf{VK}}_i, \pi_i, \overline{\mathsf{PI}}_i) = 1$ for $i=1,\ldots,n$

$\mathsf{truncate}(\ell, \overline{\mathsf{VK}})$ is the truncation of the size $L$ verification key $\overline{\mathsf{VK}}$ to a verification key of size $\ell$, and

$\mathsf{truncate}(\ell, \overline{\mathsf{PI}})$ is the truncation of the public inputs to an array of size $\ell$

Computes the $\mathsf{proofId}$ for each entry in each application proof in one or more verify circuit proofs.

$c^*, (\ell_i, \overline{\mathsf{VK}}_i, \mathsf{circuitId}_i, \overline{\mathsf{PI}}_i)_{i=1}^{n \times N}$ where

$\mathsf{PI}_i = (x_{i,j})_{j=1}^{\ell_i}$ is the public inputs to the $i$-th proof

$\overline{\mathsf{PI}}_i = \mathsf{PI}_i | \{0\}_{j=\ell_i + 1}^{L}$ is $\mathsf{PI}_i$ after zero-padded to extend it to length $L$

$\overline{\mathsf{VK}}_i$ - application verification keys, each padded to length $L$

$c^* = (c^*_1, c^*_2)$ (digest, which consists of 32 bytes and is represented by two field elements)

$c_i = \mathsf{keccak}(\mathsf{circuitId}_i || \mathsf{truncate}(\ell_i, \overline{\mathsf{PI}}_i))$

$c^* = \mathsf{keccak}(c_1 || c_2 || \ldots || c_{n \times N})$

$\mathsf{circuitId}_i = \mathsf{keccak}(\mathsf{truncate}(\ell_i, \overline{\mathsf{VK}}_i))$

This step aggregates $N$ batch verify proofs ${\pi_{\text{bv}}}^{(j)}, j = 1, \ldots N$ as well as a single corresponding Keccak proof $\pi_{keccak}$.

$c^*$ - final 32-byte public input digest, encoded as $(c_1, c_2) \in \mathbb{F}_r^2$

$(L, R) \in \mathbb{G}_1^2$ - overall KZG accumulator, encoded as 12 = 4 * \texttt{num_limbs} points of $\mathbb{F}_r$

$(\ell_{i,j}, \overline{\mathsf{VK}}_{i, j}, \overline{\mathsf{PI}}_{i,j}) \text{ for } i=1,\ldots, n, j=1, \ldots, N$: the number of public inputs, the padded verifying key, and padded public inputs for the $i$-th application proof in the $j$-th BV proof.

for $j=1, \ldots, N$ BV proofs

$\pi_{\mathsf{keccak}}$ the Keccak proof for the public inputs

$c^*$, and

$\{ (\ell_{i, j}, \overline{\mathsf{VK}}_{i, j}, \overline{\mathsf{PI}}_{i, j} \}_{\substack{i=1,\ldots, n \\ j=1,\ldots, N}}$$(\ell_{1,N}, \mathsf{circuitId}_{1,N}, \overline{\mathsf{PI}}_{1,N}), (\ell_{2,N}, \mathsf{circuitId}_{2,N}, \overline{\mathsf{PI}}_{2,N}), \ldots , (\ell_{n,N}, \mathsf{circuitId}_{n,N}, \overline{\mathsf{PI}}_{n,N}),$

All BV proofs are valid, and therefore there exist valid application proofs for each $\mathsf{PI}_{i,j}$: $\textsf{SNARK}_{\text{BV}}.\textsf{Verify} \left( \pi_{\text{bv}}^{(j)}, (\ell_{i,j}, \overline{\mathsf{VK}}_{i,j}, \overline{\mathsf{PI}}_{i,j})_{i=1}^n, \mathsf{VK}_{\text{BV}} \right)$ for $j=1,\ldots, N$

Keccak proof is valid, and therefore $c^*$ is the final digest for all application PIs and vk hashes: $\textsf{SNARK}_{\mathsf{keccak}}.\textsf{Verify} \left(\pi_\mathsf{keccak}, c^*,(\ell_{i,j}, \overline{\mathsf{VK}}_{i,j}, \overline{\mathsf{PI}}_{i,j})_{\substack{i=1,\ldots, n \\ j=1,\ldots, N}}, \mathsf{VK}_\mathsf{keccak} \right)=1$

"Succinct" Plonk verification ($\textsf{SuccinctVerify}$) namely "GWC Steps 1-11" using Shplonk, without final pairing, for random challenge scalar $r$:

$\begin{gathered} (L_j, R_j) = \textsf{SuccinctVerify} \left( \pi_{\text{bv}}^{(j)}, (\ell_{i,j}, \overline{\mathsf{VK}}_{i,j}, \overline{\mathsf{PI}}_{i,j})_{i=1}^n, \mathsf{VK}_{\text{BV}} \right) ~\text{ for } j=1,\ldots N \\ (L_{N+1}, R_{N+1}) = \textsf{SuccinctVerify} \left( \pi_\mathsf{keccak}, c^*,(\ell_{i,j}, \overline{\mathsf{VK}}_{i,j}, \overline{\mathsf{PI}}_{i,j})_{\substack{i=1,\ldots, n \\ j=1,\ldots, N}}, \mathsf{VK}_\mathsf{keccak} \right) \\ (L, R) = \sum_{j=1}^{N+1} r^j (L_j, R_j) \end{gathered}$

Verification: The EVM verifier does the following, given $(\pi_{\text{outer}}, L, R, c^*)$.

$(L_\text{outer}, R_\text{outer}) := \textsf{SuccinctVerify}(\mathsf{PI}_\text{outer}, L, R, c^*, \mathsf{VK}_\text{outer})$

$e(L + r' L_\text{outer}, [\tau]_2) \stackrel{?}{=} e(R + r' R_\text{outer}, [1]_2)$ for random challenge scalar $r'$

The same witness values $\overline{\mathsf{PI}}_{i,j}$ are used to verify $\pi_{\text{bv}}^{(j)}$ and $\pi_{\mathsf{keccak}}$, implying that $c^*$ is indeed the commitment to all application public inputs and circuit IDs.

The outer circuit does not include the pairing checks, therefore its statement is not that the BV/Keccak proofs are valid, but rather that they have been correctly accumulated into a single KZG accumulator $(L,R)$. Checking that $e(L + r' L_\text{outer}, [\tau]_2) \stackrel{?}{=} e(R + r' R_\text{outer}, [1]_2)$, for random scalar $r'$, therefore implies their validity.

[Batch verifier circuit] The Pedersen proof is verified: $e(\mathsf{comm}, h_1) e( \mathsf{pok}, h_2) = 1$, where

$h_1, h_2 \in \mathbb{G}_2$ is the Pedersen verification key (which is part of the corresponding app $\mathsf{VK}$).

$\mathsf{comm}$ is the Pedersen commitment point and $\mathsf{pok}$ the corresponding Pedersen proof of knowledge.

[Keccak circuit] The last public input is computed as the keccak hash of the commitment point: $\overline{PI}_{\ell + 1} = \mathsf{keccak}(\mathsf{comm})$. Note that this last public input is not used in the computation of the proof Id.$f(x) = x * e^{2 pi i \xi x}$

• Overview
• Protocol
• Circuit registration
• Application proof submission
• Aggregated proof submission
• Proof verification by the application
• Censorship resistance
• Collecting Aggregation Fees
• Circuit Statements