1. introduction

transactions proof Meeting ：

• Verify the signature of each transaction ;
• verification transactionsRoot Corresponding merkle patricia trie It just contains all the transactions （ No less ）;
• bring EVM proof It can be done by transaction table visit transactions data.

2. Transcation encoding

There are different transaction coding methods . In the first version zkEVM Only compatible will be supported EIP-155 Of Legacy transaction. The future will support Non-Legacy （EIP-2718）transactions.

2.1 Legacy Transaction encoding

Legacy type by ：

rlp([nonce, gasPrice, gas, to, value, data, sig_v, r, s])

• stay BIP-155 Before , To be signed hashed data by ：(nonce, gasprice, gas, to, value, data) with sig_v = {0,1} + 27
• stay EIP-155 after , To be signed hashed data by ：(nonce, gasprice, gas, to, value, data, chain_id, 0, 0) with sig_v = {0,1} + CHAIN_ID * 2 + 35

Among them {0,1} It means curve point $y$ Polarity of coordinates , The curve point Corresponding to secp256k1 The public key in the signing process .

2.2 Non-Legacy (EIP-2719) Transaction encoding

according to ：

• https://eips.ethereum.org/EIPS/eip-1559
• https://eips.ethereum.org/EIPS/eip-2718

Non-Legacy The type is ：

0x02 || rlp([chain_id, nonce, max_priority_fee_per_gas, max_fee_per_gas, gas, destination, amount, data, access_list, signature_y_parity, signature_r, signature_s])

To be signed hashed data by ： undetermined .

3. Circuit behaviour

Transactions proof Prove the corresponding in the circuit public inputs Yes ：

• chain_id
• transactionsRoot

Each transaction is defined by the following parameters ：

• (nonce, gas_price, gas, to, value, data, sig_v, sig_r, sig_s)

Which can be used as public inputs The parameters are ：

• (nonce, gas_price, gas, to, value, data, from)

Transactions proof The verification logic of the proof circuit is ：

• 1）txSignData: bytes = rlp([nonce, gas_price, gas, to, value, data, chain_id, 0, 0])
• 2）txSignHash: word = keccak(txSignData)
• 3）sig_parity: {0, 1} = sig_v - 35 - chain_id / 2
• 4）ecdsa_recover(txSignHash, sig_parity, sig_r, sig_s) = pubKey Or equivalent to verify(txSignHash, sig_r, sig_s, pubKey) = true
• 5）fromAddress = keccak(pubKey)[-20:]

among ：

• The first 1） For transaction parameters in step rlp The coding will be customized rlp encoding gadget To achieve , To distinguish （ differ ）MPT circuit Used in rlp encoding.
• The first 2） The message to be signed in step keccak hash Validation will be done using keccak circuit. The tx circuit A separate correspondence will be implemented keccak Of lookup table（ Use RLC take rlp encoded transaction Class to step up a single value Inside ）.
• The first 3） In the step, the public key will be recovered according to the message to be signed and the signature ECDSA circuit. The tx circuit Will implement a corresponding ECDSA Of lookup table.
• The first 5） The public key in step keccak hash Validation will be done using keccak circuit. The tx circuit Will implement a corresponding keccak Of lookup table.

According to the above information , To build the TxTable：

among ：

• Gas = gas
• GasTipCap = 0
• GasFeeCap = 0
• CallerAddress = fromAddress
• CalleeAddress = to
• IsCreate = 1 if to is None else 0
• CallDataLength = len(data)
• CallData[KaTeX parse error: Can't use function '\]' in math mode at position 10: ByteIndex\̲]̲ = data\[ByteIndex]

Reference material

[1] zkEVM-specs Transactions proof