ZK Circuits for Axiom Queries
The ZK circuits underlying Axiom historic data queries.
Axiom proves in ZK that historic Ethereum on-chain data is committed to in block headers of the corresponding Ethereum block. In this page, we explain the structure of this commitment and how Axiom uses ZK circuits to prove it.
Account and Storage Proofs
Account and account storage data is committed to in an Ethereum block header via several Merkle-Patricia tries. Inclusion proofs for this data into the block header are provided by Ethereum light client proofs. For example, consider the value at storage slot slot
for address address
at block blockNumber
. The light client proof for this value is available from the eth_getProof
JSON-RPC call and consists of:
The block header at block
blockNumber
and in particular thestateRoot
.An account proof of Merkle-Patricia inclusion for the key-value pair
(keccak(address), rlp([nonce, balance, storageRoot, codeHash]))
of the RLP-encoded account data in the state trie rooted atstateRoot
.A storage proof of Merkle-Patricia inclusion for the key-value pair
(keccak(slot), rlp(slotValue))
of the storage slot data in the storage trie rooted atstorageRoot
.
Verifying this light client proof against a block hash blockHash
for block blockNumber
requires checking:
The block header is properly formatted, has Keccak hash
blockHash
, and containsstateRoot
.The state trie proof is properly formatted, has key
keccak(address)
, Keccak hashes of each node along the Merkle-Patricia inclusion proof match the appropriate field in the previous node, and has value containingstorageRoot
.A similar validity check for the Merkle-Patricia inclusion proof for the storage trie.
ZK Circuits for Account and Storage Proofs
Axiom verifies light client proofs in ZK using the open-source axiom-eth
ZK circuit library, which supports the following operations in ZK:
Parsing RLP serialization: Ethereum data is serialized in the Recursive Length Prefix (RLP) format. We support parsing of individual fields in RLP-serialized fields and arrays.
Merkle-Patricia trie inclusion: All Ethereum data is committed to in 16-ary Merkle-Patricia tries whose roots are in the block header. We support inclusion proofs into trie roots, which are used to prove inclusion into the account and storage tries.
Ethereum block header, account, and storage proofs: We enable proving fields in the block header, account, and account storage relative to a block hash. This includes:
Parsing block header fields in a block.
Proving the balance, nonce, storageRoot, and codeHash for an account.
Verifying lookups into an account's local storage mapping.
The end result of these are ZK circuits for block headers, accounts, and account storage, which prove validity of the block statements:
Assuming the block hash at
blockNumber
isblockHash
, the state root isstateRoot
.
the account statements:
Assuming the state root is
stateRoot
at a given block, the account value foraddress
is[nonce, balance, storageRoot, codeHash]
.
and storage statements:
Assuming the storage root for an account is
storageRoot
, the value of the storage atslot
isslotValue
.
Combining these circuits together gives ZK circuits for account and storage proofs.
Aggregating Proofs in Queries
To fulfill queries into Axiom with ZK proofs verified against Merkle mountain ranges cached in AxiomV1
, we put together ZK circuits for account and storage proofs from the previous section with ZK circuits verifying Merkle inclusion proofs into Merkle mountain ranges. For a query in the Axiom Query Format, we generate ZK proofs of:
Merkle inclusion proofs of each block hash in a Merkle mountain range in the format cached in
AxiomV1
.Proofs of the
stateRoot
in the block header committed to in each block hash.Account proofs for each queried account relative to its
stateRoot
which in particular establishes thestorageRoot
of the account.Storage proofs for each queried storage slot relative to its
storageRoot
.Consistency between the block hashes, state roots, and storage roots referenced in the four previous proofs.
We then use proof aggregation with the snark-verifier
library developed by the Privacy Scaling Explorations group at the Ethereum Foundation to aggregate these ZK proofs and verify them on-chain. See On-chain ZK Verifiers for a list of the deployed on-chain verifiers used in Axiom.
Last updated