Root Verifier Circuit

We use the notation of the Aztec Yellow Paper. In particular, $\text{BN254}$ is a curve defined over a finite field $\mathbb{F}_p$, $r$ is a prime on the order of $p$, and $\mathbb{G}_1$ is a subgroup of BN254 of order $r$.

Circuit Description

This is a standard PLONK circuit that verifies a TurboPLONK root rollup proof. At the time the root verifier circuit $C_{RV}$ is constructed, it is supplied a list $L_{vk}$ of TurboPLONK verification keys, one for each root rollup circuit that is to be verifiable by $C_{RV}$. Let $N_{vk}=L_{vk}$ denote the number of root rollup shapes that are accepted by the root verifier circuit.

Circuit Inputs: Summary

The inputs for the root verifier circuit have the form

$$\text{Root Verifier Inputs} = (\text{Public Inputs}, \text{Private Inputs}) \in \mathbb{F}_r^{17} \times \mathbb{F}_r^{16 + N_{vk} \cdot 120}.$$

Public Inputs

The root verifier receives $17$ public inputs. The first public input is a mod-$r$ SHA256 hash of broadcast data. This is, in fact, the same datum that appears as a public input to the root rollup circuit. The next 16 public inputs encode the recursion output of the root verifier circuit. This is the data of two points of $\mathbb{G}_1$. Each point consists of two $\mathbb{F}_p$ elements, which is in turn split into 4 68-bit limbs that are regarded as elements of $\mathbb{F}_r$.

Private Inputs

The root verifier has $16 + N_{vk}\cdot 120$ private inputs. Each verification key $k\in L_{vk}$ consists of 15 $\mathbb{G}_1$ elements (11 corresponding to constraint selectors, and 4 corresponding to permutation selectors), each one contributing 8 limbs in $\mathbb{F}_r$, leading to a total of $120 N_{vk}$ inputs. The remaining private inputs to the root verifier circuit are the 16 limbs in $\mathbb{F}_r$ that make up the recursive proof output of the root rollup circuit.

Circuit Logic

Then, when verifying a root rollup circuit $C_{RR}$, a the verification key $k$ of $C_{RR}$ is instantiated as a witness variable in the circuit $C_{RV}$, which imposes the constraint that $k$ lies in $L_{vk}$ using a Pedersen hash-like compress function. The remaining constraints defining this circuit are generated by the standard library's recursive verifier. These constraints are, roughly speaking, those described in the verifier's algorithm in the PLONK paper. More specifically, one should look at the VIP Edition of the paper, making minor changes to include a simplification proposed by Kev Wedderburn for smaller proof size (see IACR version 20210707:125953).