feat: Delayed signature verification during block proposals

Implements AztecProtocol/engineering-designs#69

Author: spalladino

l1-contracts/src/core/Rollup.sol

@@ -113,12 +113,12 @@ contract Rollup is IStaking, IValidatorSelection, IRollup, RollupCore {
     ExtRollupLib.validateHeader(
       ValidateHeaderArgs({
         header: _header,
-        attestations: _attestations,
         digest: _digest,
         manaBaseFee: getManaBaseFeeAt(currentTime, true),
         blobsHashesCommitment: _blobsHash,
         flags: _flags
-      })
+      }),
+      _attestations
     );
   }
 
@@ -365,6 +365,8 @@ contract Rollup is IStaking, IValidatorSelection, IRollup, RollupCore {
       archive: rollupStore.archives[_blockNumber],
       headerHash: tempBlockLog.headerHash,
       blobCommitmentsHash: tempBlockLog.blobCommitmentsHash,
+      attestationsHash: tempBlockLog.attestationsHash,
+      payloadDigest: tempBlockLog.payloadDigest,
       slotNumber: tempBlockLog.slotNumber,
       feeHeader: tempBlockLog.feeHeader
     });

l1-contracts/src/core/RollupCore.sol

@@ -250,6 +250,23 @@ contract RollupCore is
     ExtRollupLib.propose(_args, _attestations, _blobInput, checkBlob);
   }
 
+  function invalidateBadAttestation(
+    uint256 _blockNumber,
+    CommitteeAttestations memory _attestations,
+    address[] memory _committee,
+    uint256 _invalidIndex
+  ) external {
+    ExtRollupLib2.invalidateBadAttestation(_blockNumber, _attestations, _committee, _invalidIndex);
+  }
+
+  function invalidateInsufficientAttestations(
+    uint256 _blockNumber,
+    CommitteeAttestations memory _attestations,
+    address[] memory _committee
+  ) external {
+    ExtRollupLib2.invalidateInsufficientAttestations(_blockNumber, _attestations, _committee);
+  }
+
   function setupEpoch() public override(IValidatorSelectionCore) {
     ExtRollupLib2.setupEpoch();
   }

l1-contracts/src/core/interfaces/IRollup.sol

@@ -36,18 +36,17 @@ struct SubmitEpochRootProofArgs {
   uint256 end; // inclusive
   PublicInputArgs args;
   bytes32[] fees;
+  CommitteeAttestations attestations; // attestations for the last block in epoch
   bytes blobInputs;
   bytes proof;
 }
 
 /**
  * @notice Struct for storing flags for block header validation
  * @param ignoreDA - True will ignore DA check, otherwise checks
- * @param ignoreSignature - True will ignore the signatures, otherwise checks
  */
 struct BlockHeaderValidationFlags {
   bool ignoreDA;
-  bool ignoreSignatures;
 }
 
 struct GenesisState {
@@ -98,6 +97,7 @@ interface IRollupCore {
     uint256 indexed blockNumber, bytes32 indexed archive, bytes32[] versionedBlobHashes
   );
   event L2ProofVerified(uint256 indexed blockNumber, address indexed proverId);
+  event BlockInvalidated(uint256 indexed blockNumber);
   event RewardConfigUpdated(RewardConfig rewardConfig);
   event ManaTargetUpdated(uint256 indexed manaTarget);
   event PrunedPending(uint256 provenBlockNumber, uint256 pendingBlockNumber);
@@ -124,6 +124,19 @@ interface IRollupCore {
 
   function submitEpochRootProof(SubmitEpochRootProofArgs calldata _args) external;
 
+  function invalidateBadAttestation(
+    uint256 _blockNumber,
+    CommitteeAttestations memory _attestations,
+    address[] memory _committee,
+    uint256 _invalidIndex
+  ) external;
+
+  function invalidateInsufficientAttestations(
+    uint256 _blockNumber,
+    CommitteeAttestations memory _attestations,
+    address[] memory _committee
+  ) external;
+
   function setRewardConfig(RewardConfig memory _config) external;
   function updateManaTarget(uint256 _manaTarget) external;
 

l1-contracts/src/core/libraries/Errors.sol

@@ -56,6 +56,10 @@ library Errors {
   error Rollup__InvalidProof(); // 0xa5b2ba17
   error Rollup__InvalidProposedArchive(bytes32 expected, bytes32 actual); // 0x32532e73
   error Rollup__InvalidTimestamp(Timestamp expected, Timestamp actual); // 0x3132e895
+  error Rollup__InvalidAttestations();
+  error Rollup__AttestationsAreValid();
+  error Rollup__BlockAlreadyProven();
+  error Rollup__BlockNotInPendingChain();
   error Rollup__InvalidBlobHash(bytes32 expected, bytes32 actual); // 0x13031e6a
   error Rollup__InvalidBlobProof(bytes32 blobHash); // 0x5ca17bef
   error Rollup__NoEpochToProve(); // 0xcbaa3951
@@ -102,6 +106,7 @@ library Errors {
   error ValidatorSelection__InsufficientAttestations(uint256 minimumNeeded, uint256 provided); // 0xaf47297f
   error ValidatorSelection__InvalidCommitteeCommitment(bytes32 reconstructed, bytes32 expected); // 0xca8d5954
   error ValidatorSelection__InsufficientCommitteeSize(uint256 actual, uint256 expected); // 0x98673597
+  error ValidatorSelection__ProposerIndexTooLarge(uint256 index);
 
   // Staking
   error Staking__AlreadyQueued(address _attester);

l1-contracts/src/core/libraries/compressed-data/BlockLog.sol

@@ -15,26 +15,34 @@ import {Slot} from "@aztec/shared/libraries/TimeMath.sol";
  * @param archive - Archive tree root of the block
  * @param headerHash - Hash of the proposed block header
  * @param blobCommitmentsHash - H(...H(H(commitment_0), commitment_1).... commitment_n) - used to validate we are using the same blob commitments on L1 and in the rollup circuit
+ * @param attestationsHash - Hash of the attestations for this block
+ * @param payloadDigest - Digest of the proposal payload that was attested to
  * @param slotNumber - This block's slot
  */
 struct BlockLog {
   bytes32 archive;
   bytes32 headerHash;
   bytes32 blobCommitmentsHash;
+  bytes32 attestationsHash;
+  bytes32 payloadDigest;
   Slot slotNumber;
   FeeHeader feeHeader;
 }
 
 struct TempBlockLog {
   bytes32 headerHash;
   bytes32 blobCommitmentsHash;
+  bytes32 attestationsHash;
+  bytes32 payloadDigest;
   Slot slotNumber;
   FeeHeader feeHeader;
 }
 
 struct CompressedTempBlockLog {
   bytes32 headerHash;
   bytes32 blobCommitmentsHash;
+  bytes32 attestationsHash;
+  bytes32 payloadDigest;
   CompressedSlot slotNumber;
   CompressedFeeHeader feeHeader;
 }
@@ -53,6 +61,8 @@ library CompressedTempBlockLogLib {
     return CompressedTempBlockLog({
       headerHash: _blockLog.headerHash,
       blobCommitmentsHash: _blockLog.blobCommitmentsHash,
+      attestationsHash: _blockLog.attestationsHash,
+      payloadDigest: _blockLog.payloadDigest,
       slotNumber: _blockLog.slotNumber.compress(),
       feeHeader: _blockLog.feeHeader.compress()
     });
@@ -66,6 +76,8 @@ library CompressedTempBlockLogLib {
     return TempBlockLog({
       headerHash: _compressedBlockLog.headerHash,
       blobCommitmentsHash: _compressedBlockLog.blobCommitmentsHash,
+      attestationsHash: _compressedBlockLog.attestationsHash,
+      payloadDigest: _compressedBlockLog.payloadDigest,
       slotNumber: _compressedBlockLog.slotNumber.decompress(),
       feeHeader: _compressedBlockLog.feeHeader.decompress()
     });

l1-contracts/src/core/libraries/rollup/EpochProofLib.sol

@@ -6,16 +6,20 @@ import {
   SubmitEpochRootProofArgs,
   PublicInputArgs,
   IRollupCore,
-  RollupStore
+  RollupStore,
+  BlockHeaderValidationFlags
 } from "@aztec/core/interfaces/IRollup.sol";
 import {ChainTipsLib, CompressedChainTips} from "@aztec/core/libraries/compressed-data/Tips.sol";
+import {TempBlockLog} from "@aztec/core/libraries/compressed-data/BlockLog.sol";
 import {Constants} from "@aztec/core/libraries/ConstantsGen.sol";
 import {Errors} from "@aztec/core/libraries/Errors.sol";
 import {BlobLib} from "@aztec/core/libraries/rollup/BlobLib.sol";
 import {CompressedFeeHeader, FeeHeaderLib} from "@aztec/core/libraries/rollup/FeeLib.sol";
 import {RewardLib} from "@aztec/core/libraries/rollup/RewardLib.sol";
 import {STFLib} from "@aztec/core/libraries/rollup/STFLib.sol";
+import {ValidatorSelectionLib} from "@aztec/core/libraries/rollup/ValidatorSelectionLib.sol";
 import {Timestamp, Slot, Epoch, TimeLib} from "@aztec/core/libraries/TimeLib.sol";
+import {CommitteeAttestations, SignatureLib} from "@aztec/shared/libraries/SignatureLib.sol";
 import {Math} from "@oz/utils/math/Math.sol";
 import {SafeCast} from "@oz/utils/math/SafeCast.sol";
 
@@ -26,6 +30,7 @@ library EpochProofLib {
   using FeeHeaderLib for CompressedFeeHeader;
   using SafeCast for uint256;
   using ChainTipsLib for CompressedChainTips;
+  using SignatureLib for CommitteeAttestations;
 
   // This is a temporary struct to avoid stack too deep errors
   struct BlobVarsTemp {
@@ -65,6 +70,9 @@ library EpochProofLib {
 
     Epoch endEpoch = assertAcceptable(_args.start, _args.end);
 
+    // Verify attestations for the last block in the epoch
+    verifyLastBlockAttestations(_args.end, _args.attestations);
+
     require(verifyEpochRootProof(_args), Errors.Rollup__InvalidProof());
 
     RollupStore storage rollupStore = STFLib.getStorage();
@@ -286,4 +294,32 @@ library EpochProofLib {
   function addressToField(address _a) private pure returns (bytes32) {
     return bytes32(uint256(uint160(_a)));
   }
+
+  /**
+   * @notice Verifies the attestations for the last block in the epoch
+   * @param _endBlockNumber The last block number in the epoch
+   * @param _attestations The attestations to verify
+   */
+  function verifyLastBlockAttestations(
+    uint256 _endBlockNumber,
+    CommitteeAttestations memory _attestations
+  ) private {
+    // Get the stored attestation hash and payload digest for the last block
+    TempBlockLog memory blockLog = STFLib.getTempBlockLog(_endBlockNumber);
+
+    // Verify that the provided attestations match the stored hash
+    bytes32 providedAttestationsHash = keccak256(abi.encode(_attestations));
+    require(
+      providedAttestationsHash == blockLog.attestationsHash, Errors.Rollup__InvalidAttestations()
+    );
+
+    // Get the slot and epoch for the last block
+    Slot slot = blockLog.slotNumber;
+    Epoch epoch = STFLib.getEpochForBlock(_endBlockNumber);
+
+    // Only verify attestations if they are not empty (for testing compatibility)
+    if (!_attestations.isEmpty()) {
+      ValidatorSelectionLib.verify(slot, epoch, _attestations, blockLog.payloadDigest);
+    }
+  }
 }

l1-contracts/src/core/libraries/rollup/ExtRollupLib.sol

@@ -4,24 +4,45 @@
 pragma solidity >=0.8.27;
 
 import {SubmitEpochRootProofArgs, PublicInputArgs} from "@aztec/core/interfaces/IRollup.sol";
-import {Timestamp, TimeLib} from "@aztec/core/libraries/TimeLib.sol";
+import {TempBlockLog} from "@aztec/core/libraries/compressed-data/BlockLog.sol";
+import {STFLib} from "@aztec/core/libraries/rollup/STFLib.sol";
+import {Timestamp, TimeLib, Slot, Epoch} from "@aztec/core/libraries/TimeLib.sol";
 import {BlobLib} from "./BlobLib.sol";
 import {EpochProofLib} from "./EpochProofLib.sol";
+import {InvalidateLib} from "./InvalidateLib.sol";
+import {SignatureLib} from "@aztec/shared/libraries/SignatureLib.sol";
 import {
-  ProposeLib, ProposeArgs, CommitteeAttestations, ValidateHeaderArgs
+  ProposeLib,
+  ProposeArgs,
+  CommitteeAttestations,
+  ValidateHeaderArgs,
+  ValidatorSelectionLib
 } from "./ProposeLib.sol";
 
 // We are using this library such that we can more easily "link" just a larger external library
 // instead of a few smaller ones.
 library ExtRollupLib {
   using TimeLib for Timestamp;
+  using TimeLib for Slot;
+  using SignatureLib for CommitteeAttestations;
 
   function submitEpochRootProof(SubmitEpochRootProofArgs calldata _args) external {
     EpochProofLib.submitEpochRootProof(_args);
   }
 
-  function validateHeader(ValidateHeaderArgs calldata _args) external {
+  function validateHeader(
+    ValidateHeaderArgs calldata _args,
+    CommitteeAttestations calldata _attestations
+  ) external {
     ProposeLib.validateHeader(_args);
+    if (_attestations.isEmpty()) {
+      return; // No attestations to validate
+    }
+
+    Slot slot = _args.header.slotNumber;
+    Epoch epoch = slot.epochFromSlot();
+    ValidatorSelectionLib.verify(slot, epoch, _attestations, _args.digest);
+    ValidatorSelectionLib.verifyProposer(slot, _attestations, _args.digest);
   }
 
   function propose(

l1-contracts/src/core/libraries/rollup/ExtRollupLib2.sol

@@ -6,7 +6,9 @@ pragma solidity >=0.8.27;
 import {Epoch, Slot, Timestamp, TimeLib} from "@aztec/core/libraries/TimeLib.sol";
 import {StakingQueueConfig} from "@aztec/core/libraries/compressed-data/StakingQueueConfig.sol";
 import {StakingLib} from "./StakingLib.sol";
+import {InvalidateLib} from "./InvalidateLib.sol";
 import {ValidatorSelectionLib} from "./ValidatorSelectionLib.sol";
+import {CommitteeAttestations} from "@aztec/shared/libraries/SignatureLib.sol";
 import {
   RewardBooster,
   RewardBoostConfig,
@@ -78,12 +80,29 @@ library ExtRollupLib2 {
     StakingLib.updateStakingQueueConfig(_config);
   }
 
+  function invalidateBadAttestation(
+    uint256 _blockNumber,
+    CommitteeAttestations memory _attestations,
+    address[] memory _committee,
+    uint256 _invalidIndex
+  ) external {
+    InvalidateLib.invalidateBadAttestation(_blockNumber, _attestations, _committee, _invalidIndex);
+  }
+
+  function invalidateInsufficientAttestations(
+    uint256 _blockNumber,
+    CommitteeAttestations memory _attestations,
+    address[] memory _committee
+  ) external {
+    InvalidateLib.invalidateInsufficientAttestations(_blockNumber, _attestations, _committee);
+  }
+
   function getCommitteeAt(Epoch _epoch) external returns (address[] memory) {
     return ValidatorSelectionLib.getCommitteeAt(_epoch);
   }
 
-  function getProposerAt(Slot _slot) external returns (address) {
-    return ValidatorSelectionLib.getProposerAt(_slot);
+  function getProposerAt(Slot _slot) external returns (address proposer) {
+    (proposer,) = ValidatorSelectionLib.getProposerAt(_slot);
   }
 
   function getCommitteeCommitmentAt(Epoch _epoch) external returns (bytes32, uint256) {