Owners: @Álvaro Castro-Castilla @Thomas Lavaur @Mehmet @David Rusu
<aside> 💡
Postponed: PoE turns out to be too expensive to be useful, we’ve postponed this for now and zones will put all data on chain.
</aside>
Zones (rollups) use the Base Layer for Data Availability. They send data as blobs. To the Base Layer, DA clients prove that the data is correctly encoded.
However, the data that is sent to DA is in no way bound to anything. Without any cryptographic proof, the data it's just that: arbitrary data. The objective is to prove that the data posted by the Zone to the Base Layer is the same one required for the state reconstruction: the witness of the ZK proof of state transition.
We need to prove that $B$ (the data in the blob) is the same as the data used for the state diff within the ZK STF (state transition function) proof:
$B = d_0, ..., d_{n-1}$
Generally we would want to do this directly with two separate commitments, and check their equality. Otherwise we would be defeating the purpose of using DA in first place, as the checker would need to have the data on both sides of the equation available to perform the check. The test then becomes $C = C^\prime$ with:
The equality of the commitments guarantees with sufficient security the equality of the two polynomials: $P_B = P_{d_0,…,d_{n-1}}$, ie the two encodings are equivalent, thus $B = d_0, ..., d_{n-1}$ holds true.
However, we face an important challenge: since the $C^\prime$ commitment is computed within the ZK environment, the calculation needs to be ZK-friendly to be practical. A polynomial commitment like KZG has two problems:
The protocol described here works around this limitation and allows proving the data equivalence without requiring the computation of a polynomial commitment within a ZK snark, allowing the use of much more efficient commitments.
The following protocol is an adaptation of the method used by Starknet.
Definitions: