Keccak-based MMR frontier (`agglayer::collections::mmr_frontier_keccak`)

[mmagician]

For the AggLayer bridge-out contract, we need a keccak-based Merkle accumulator which recomputes the root on each withdrawal request (i.e. when a B2AGG note is processed by the AggLayerBridgeOut contract).

The contract doesn't need to store the individual leaves: it only provides the latest "withdrawals root" of this Local Exit Tree. This means that the contract should only store the MMR frontier (up to depth-many elements, where depth = 32 for AggLayer) and the latest root.

These requirements are slightly different than the current std::collections::mmr interface. Particularly, for AggLayer integration we only need add and get_root procedures. Maybe the module name can be a bit different to indicate the adapted functionality, e.g., agglayer::collections::mmr_frontier_keccak:

• add would have the similar interface as the current std::collections::mmr::add, although it would accept down double words as input,
• get_root is a bit more involved and AFAICS we don't have an equivalent in the mmr collection (pack is a sequential hash?). (Q: should this be called compute_root instead, as it will perform a bunch of hashing?)

# ----------------------------------------------------------------------------
# Compute the **full Merkle root** for a target height H,
# treating all not-yet-appended leaves as zeros. This is different
# than folding peaks (std::collections::mmr::pack); here we return the root of the complete
# 2^H tree with the leftmost n leaves set and the remaining right
# leaves filled by canonical zero subtrees.
#
# Inputs:   [mmr_ptr, ...]
#   mmr_ptr  : pointer to MMR structure (similar to the current std::collections::mmr)
# Outputs:  [ROOT, ...]
#   ROOT     : Word (RPO digest) = Merkle root of the 2^H tree
#
# Notes:
#   - This result equals the root of a fixed-height, left-filled, zero-padded
#     binary Merkle tree.
# ----------------------------------------------------------------------------
pub proc get_root
    ...
end

Memory layout at mmr_ptr:

• mmr_ptr[0] : contains the number of leaves in the MMR
• mmr_ptr[1..4]: are padding and are ignored
• mmr_ptr[4..12], mmr_ptr[12..20] : contain the 1st MMR peak, 2nd MMR peak, etc. (double-words)

Internal details

For the implementation details: we need a list of zero-subtree hashes:

# const.Z_0 = zero hash at leaf level 0
# const.Z_1 = zero hash at leaf level
# ...

Not sure if constants are best, ideally we'd have a constants list we could index into.
But this can be mimicked by first loading all the constants into memory and then indexing appropriately when needed.

Usage

Then when appropriate, the AggLayerBridgeOut contract would call into this functionality like so:

const MMR_PTR = 42

pub proc bridge_asset_out
   ...
    push.MMR_PTR
    # => [mmr_ptr]

    <load the frontier from contract storage, save to memory at mmr_ptr>
    # => [mmr_ptr]
   
    <compute the leaf from B2AGG data>
    # => [INPUT_L_U32[8], INPUT_R_U32[8], mmr_ptr]
    
    # add the leaf to the MMR
    mmr_frontier_keccak::add
    # => [ ]

    <update the frontier in contract storage with the freshly re-computed frontier>
    
    # finally compute the root
    push.MMR_PTR
    # => [mmr_ptr]
    mmr_frontier_keccak::get_root
    # => [ROOT]
    
    <save the root to the appropriate storage slot>
end

[bobbinth]

I'm wondering if this needs to be in the VM or if we can define this functionality in the AggLayer contracts.

Also, depending on the algorithm, we may be able to operate on the storage directly (rather than loading it into memory first). I haven't thought it through completely, but for most updates, only a small part of the frontier needs to be touched.

Memory layout at mmr_ptr:

• mmr_ptr[0] : contains the number of leaves in the MMR
• mmr_ptr[1..4]: are padding and are ignored
• mmr_ptr[4..12], mmr_ptr[12..20] : contain the 1st MMR peak, 2nd MMR peak, etc. (double-words)

Could we not always encode the frontier as 33 hashes (path + root)? I actually haven't looked at the algorithm yet, but I wonder if we could just store it conceptually as an array of 66 words (2 words per hash). Ideally, we'd use a storage array for this, but since we don't have them yet, we could use a storage map.

If that's possible, then we'd only need the add procedure which would update the frontier (potentially directly in the storage) and recompute the root. get_root then becomes just reading a specific value for the storage map.

[mmagician]

Also, depending on the algorithm, we may be able to operate on the storage directly

Definitely - although IIUC, that would make the procedure not reusable in other contexts (e.g. when current frontier values don't come from storage; when storage is laid out differently; etc). I think it's useful to make it more generic, because most/all bridging solutions will end up using this data structure.

Could we not always encode the frontier as 33 hashes (path + root)?

Yes we totally could - I guess this just becomes a semantic difference of who calls what and when :)
I suggested the split between add and get_root because the former only touches the frontier, which is a structure associated with an MMR and as such, is oblivious to how the commitment to the MMR is computed. And since there are multiple ways to compute the commitment:

• sequentially hash the frontier (the current pack)
• treat the rest of the trees as canonically zero-valued leaves of a MT (the proposed get_root)

So mixing in commitment into where the frontier values are stored (and computed, with add) would force the users of the mmr_frontier_keccak collection to always use the root as the commitment of the tree - and they'd be forced to "waste" compute if they want to use pack instead. Maybe this is an artificial use case, but the separation between add & get_root is cleaner regardless, imo. Do you see any efficiency downsides to it?

I'm wondering if this needs to be in the VM or if we can define this functionality in the AggLayer contracts.

Good idea. We could expose this under a bridging library, for example (together with say, asset conversion procedure)

[bobbinth]

Also, depending on the algorithm, we may be able to operate on the storage directly

Definitely - although IIUC, that would make the procedure not reusable in other contexts (e.g. when current frontier values don't come from storage; when storage is laid out differently; etc). I think it's useful to make it more generic, because most/all bridging solutions will end up using this data structure.

We could still probably make this "generic enough" - for example, we assume that the data structure is fully contained within a storage map (and in the future, a storage array), and then we have generic data structure that just need to take a reference to the storage slot.

Having said this, I'm not against the in-memory implementation either - though, I'd like to understand the algorithm a bit more. If it turns out that there is much efficiency to be gained by not copying the data structure into memory every time, then it could inform our approach.

sequentially hash the frontier (the current pack)

I may be missing something, but my understanding of the LET structure is that there is no need to compute the sequential hash. The frontier should naturally commit to the root of the tree - but again, I may be very wrong here.

[mmagician]

LET structure is that there is no need to compute the sequential hash. The frontier should naturally commit to the root of the tree - but again, I may be very wrong here.

There is definitely no need to compute a sequential hash - I was using this as an example, and compared to our current MMR collection which uses sequential hash as the commitment.

And so the part about "naturally commit" to the root is less well defined. The frontier as such makes no assumptions about the unfilled parts of the tree, and as such, doesn't mandate how the commitment should be computed. It's up to us to define the canonical commitment. The most natural is indeed to treat the leaves as zeros and the intermediate nodes as hashes thereof.

But there's theoretically no reason the canonical commitment couldn't be the sequential commitment (current lib), or even a root but treating all leaves as one's instead of zero's, etc.

[mmagician]

If it turns out that there is much efficiency to be gained by not copying the data structure into memory every time, then it could inform our approach.

In my mind, the biggest advantage of computing over data in memory is the similarity to the current implementation which expects a memory pointer. So at least the add procedure would be very similar and, importantly, quick to implement.

[plafer]

Also we expect the MMR frontier to be quite small, right (i.e. probably 10-20 words or less)? In which case it should be more or less free to use memory (both from processing time & trace generation standpoints).

[mmagician]

The size of the frontier is the "effective" number of peaks, which corresponds to the number of "1"s in binary(number of leaves).
So the frontier can have up to 32 peaks x 2 words = 64 words.

Since the caller must know how many leaves are present at any given time, they can copy the appropriate number of peaks from slot storage to memory - rather than copying all the reserved peak slots.

Over the lifetime of the tree, the average number of peaks is half its maximum. But we expect never to fill the tree(?), and especially early on, the number of peaks will be small because number-of-leaves itself will be small.

[bobbinth]

And so the part about "naturally commit" to the root is less well defined. The frontier as such makes no assumptions about the unfilled parts of the tree, and as such, doesn't mandate how the commitment should be computed. It's up to us to define the canonical commitment. The most natural is indeed to treat the leaves as zeros and the intermediate nodes as hashes thereof.

Maybe it is worth actually specifying what the frontier is and what is the algorithm for updating it. For some reason, I assumed that the frontier is just a Merkle path to the most recently inserted leaf - but maybe that's not the case.

In terms of naming/code organization, I'd probably have something like agglayer::let module. This module would expose a procedure for updating the frontier - e.g., something like

#! Takes the address of the local exit tree frontier, updates it to represent the state of the tree
#! resulting from adding the provided node to it, and returns the root of the new LET
pub proc add_node(let_ptr: Address, node: Word) -> (root: Word)
    ...
end