refactor: validate block header hash in circuits (#13094)

Previously: we computed the "end" block (header) hash in circuit and
output it along with the previous block hash from block root. The L1 was
supposed to check that the previous block hash was the same as the
previous block's end block hash. But we only did that for the first
block of the entire epoch, the rest of the proposed block hashes could
be anything.

Now:
- Remove block hashes on l1, as it is committed to by archive roots. And
nothing is looking up the block hash value on L1.
- Constrain the previous block hash in block root rollup circuit by
performing a membership check against the previous archive root.

Author: LeilaWang

l1-contracts/src/core/Rollup.sol

@@ -285,7 +285,7 @@ contract Rollup is IStaking, IValidatorSelection, IRollup, RollupCore {
    *
    * @param  _start - The start of the epoch (inclusive)
    * @param  _end - The end of the epoch (inclusive)
-   * @param  _args - Array of public inputs to the proof (previousArchive, endArchive, previousBlockHash, endBlockHash, endTimestamp, outHash, proverId)
+   * @param  _args - Array of public inputs to the proof (previousArchive, endArchive, endTimestamp, outHash, proverId)
    * @param  _fees - Array of recipient-value pairs with fees to be distributed for the epoch
    */
   function getEpochProofPublicInputs(

l1-contracts/src/core/interfaces/IRollup.sol

@@ -19,8 +19,6 @@ import {IERC20} from "@oz/token/ERC20/IERC20.sol";
 struct PublicInputArgs {
   bytes32 previousArchive;
   bytes32 endArchive;
-  bytes32 previousBlockHash; // @todo #8829 Not needed as public input, unconstrained on L1
-  bytes32 endBlockHash; // @todo #8829 Not needed as public input, unconstrained on L1
   Timestamp endTimestamp;
   bytes32 outHash;
   address proverId;
@@ -37,7 +35,6 @@ struct SubmitEpochRootProofArgs {
 
 struct BlockLog {
   bytes32 archive;
-  bytes32 blockHash;
   Slot slotNumber;
 }
 
@@ -71,7 +68,6 @@ struct GenesisState {
   bytes32 vkTreeRoot;
   bytes32 protocolContractTreeRoot;
   bytes32 genesisArchiveRoot;
-  bytes32 genesisBlockHash;
 }
 
 struct RollupConfigInput {

l1-contracts/src/core/libraries/ConstantsGen.sol

@@ -96,8 +96,6 @@ library Constants {
   uint256 internal constant PUBLIC_LOG_SIZE_IN_FIELDS = 14;
   uint256 internal constant PRIVATE_LOG_SIZE_IN_FIELDS = 18;
   uint256 internal constant AZTEC_MAX_EPOCH_DURATION = 48;
-  uint256 internal constant GENESIS_BLOCK_HASH =
-    20646204262468251631976884937192820660867507115079672078981654411421834866549;
   uint256 internal constant GENESIS_ARCHIVE_ROOT =
     1002640778211850180189505934749257244705296832326768971348723156503780793518;
   uint256 internal constant PUBLIC_DISPATCH_SELECTOR = 3578010381;
@@ -216,8 +214,8 @@ library Constants {
   uint256 internal constant PRIVATE_TO_ROLLUP_KERNEL_CIRCUIT_PUBLIC_INPUTS_LENGTH = 782;
   uint256 internal constant CONSTANT_ROLLUP_DATA_LENGTH = 13;
   uint256 internal constant BASE_OR_MERGE_PUBLIC_INPUTS_LENGTH = 52;
-  uint256 internal constant BLOCK_ROOT_OR_BLOCK_MERGE_PUBLIC_INPUTS_LENGTH = 986;
-  uint256 internal constant ROOT_ROLLUP_PUBLIC_INPUTS_LENGTH = 972;
+  uint256 internal constant BLOCK_ROOT_OR_BLOCK_MERGE_PUBLIC_INPUTS_LENGTH = 984;
+  uint256 internal constant ROOT_ROLLUP_PUBLIC_INPUTS_LENGTH = 970;
   uint256 internal constant GET_NOTES_ORACLE_RETURN_LENGTH = 674;
   uint256 internal constant NOTE_HASHES_NUM_BYTES_PER_BASE_ROLLUP = 2048;
   uint256 internal constant NULLIFIERS_NUM_BYTES_PER_BASE_ROLLUP = 2048;

l1-contracts/src/core/libraries/Errors.sol

@@ -51,12 +51,10 @@ library Errors {
   error Rollup__InsufficientBondAmount(uint256 minimum, uint256 provided); // 0xa165f276
   error Rollup__InsufficientFundsInEscrow(uint256 required, uint256 available); // 0xa165f276
   error Rollup__InvalidArchive(bytes32 expected, bytes32 actual); // 0xb682a40e
-  error Rollup__InvalidBlockHash(bytes32 expected, bytes32 actual);
   error Rollup__InvalidBlockNumber(uint256 expected, uint256 actual); // 0xe5edf847
   error Rollup__InvalidChainId(uint256 expected, uint256 actual); // 0x37b5bc12
   error Rollup__InvalidInHash(bytes32 expected, bytes32 actual); // 0xcd6f4233
   error Rollup__InvalidPreviousArchive(bytes32 expected, bytes32 actual); // 0xb682a40e
-  error Rollup__InvalidPreviousBlockHash(bytes32 expected, bytes32 actual);
   error Rollup__InvalidProof(); // 0xa5b2ba17
   error Rollup__InvalidProposedArchive(bytes32 expected, bytes32 actual); // 0x32532e73
   error Rollup__InvalidTimestamp(Timestamp expected, Timestamp actual); // 0x3132e895

l1-contracts/src/core/libraries/rollup/EpochProofLib.sol

@@ -68,12 +68,12 @@ library EpochProofLib {
    *          - The archive root of the header does not match the archive root of the proposed block
    *          - The proof is invalid
    *
-   * @dev     We provide the `_archive` and `_blockHash` even if it could be read from storage itself because it allow for
-   *          better error messages. Without passing it, we would just have a proof verification failure.
+   * @dev     We provide the `_archive` even if it could be read from storage itself because it allow for better error
+   *          messages. Without passing it, we would just have a proof verification failure.
    *
    * @param _args - The arguments to submit the epoch root proof:
    *          _epochSize - The size of the epoch (to be promoted to a constant)
-   *          _args - Array of public inputs to the proof (previousArchive, endArchive, previousBlockHash, endBlockHash, endTimestamp, outHash, proverId)
+   *          _args - Array of public inputs to the proof (previousArchive, endArchive, endTimestamp, outHash, proverId)
    *          _fees - Array of recipient-value pairs with fees to be distributed for the epoch
    *          _blobPublicInputs - The blob public inputs for the proof
    *          _proof - The proof to verify
@@ -104,7 +104,7 @@ library EpochProofLib {
    *
    * @param  _start - The start of the epoch (inclusive)
    * @param  _end - The end of the epoch (inclusive)
-   * @param  _args - Array of public inputs to the proof (previousArchive, endArchive, previousBlockHash, endBlockHash, endTimestamp, outHash, proverId)
+   * @param  _args - Array of public inputs to the proof (previousArchive, endArchive, endTimestamp, outHash, proverId)
    * @param  _fees - Array of recipient-value pairs with fees to be distributed for the epoch
    * @param _blobPublicInputs- The blob public inputs for the proof
    */
@@ -119,11 +119,9 @@ library EpochProofLib {
     // Args are defined as an array because Solidity complains with "stack too deep" otherwise
     // 0 bytes32 _previousArchive,
     // 1 bytes32 _endArchive,
-    // 2 bytes32 _previousBlockHash,
-    // 3 bytes32 _endBlockHash,
-    // 4 bytes32 _endTimestamp,
-    // 5 bytes32 _outHash,
-    // 6 bytes32 _proverId,
+    // 2 bytes32 _endTimestamp,
+    // 3 bytes32 _outHash,
+    // 4 bytes32 _proverId,
 
     // TODO(#7373): Public inputs are not fully verified
 
@@ -144,24 +142,6 @@ library EpochProofLib {
           Errors.Rollup__InvalidArchive(expectedEndArchive, _args.endArchive)
         );
       }
-
-      {
-        bytes32 expectedPreviousBlockHash = rollupStore.blocks[_start - 1].blockHash;
-        require(
-          expectedPreviousBlockHash == _args.previousBlockHash,
-          Errors.Rollup__InvalidPreviousBlockHash(
-            expectedPreviousBlockHash, _args.previousBlockHash
-          )
-        );
-      }
-
-      {
-        bytes32 expectedEndBlockHash = rollupStore.blocks[_end].blockHash;
-        require(
-          expectedEndBlockHash == _args.endBlockHash,
-          Errors.Rollup__InvalidBlockHash(expectedEndBlockHash, _args.endBlockHash)
-        );
-      }
     }
 
     bytes32[] memory publicInputs = new bytes32[](Constants.ROOT_ROLLUP_PUBLIC_INPUTS_LENGTH);
@@ -171,8 +151,6 @@ library EpochProofLib {
     // struct RootRollupPublicInputs {
     //   previous_archive: AppendOnlyTreeSnapshot,
     //   end_archive: AppendOnlyTreeSnapshot,
-    //   previous_block_hash: Field,
-    //   end_block_hash: Field,
     //   end_timestamp: u64,
     //   end_block_number: Field,
     //   out_hash: Field,
@@ -197,28 +175,22 @@ library EpochProofLib {
       // end_archive.next_available_leaf_index: the new archive next available index
       publicInputs[3] = bytes32(_end + 1);
 
-      // previous_block_hash: the block hash just preceding this epoch
-      publicInputs[4] = _args.previousBlockHash;
-
-      // end_block_hash: the last block hash in the epoch
-      publicInputs[5] = _args.endBlockHash;
-
       // end_timestamp: the timestamp of the last block in the epoch
-      publicInputs[6] = bytes32(Timestamp.unwrap(_args.endTimestamp));
+      publicInputs[4] = bytes32(Timestamp.unwrap(_args.endTimestamp));
 
       // end_block_number: last block number in the epoch
-      publicInputs[7] = bytes32(_end);
+      publicInputs[5] = bytes32(_end);
 
       // out_hash: root of this epoch's l2 to l1 message tree
-      publicInputs[8] = _args.outHash;
+      publicInputs[6] = _args.outHash;
     }
 
     uint256 feesLength = Constants.AZTEC_MAX_EPOCH_DURATION * 2;
     // fees[9 to (9+feesLength-1)]: array of recipient-value pairs
     for (uint256 i = 0; i < feesLength; i++) {
-      publicInputs[9 + i] = _fees[i];
+      publicInputs[7 + i] = _fees[i];
     }
-    uint256 offset = 9 + feesLength;
+    uint256 offset = 7 + feesLength;
 
     // vk_tree_root
     publicInputs[offset] = rollupStore.config.vkTreeRoot;

l1-contracts/src/core/libraries/rollup/ProposeLib.sol

@@ -23,7 +23,6 @@ import {STFLib} from "./STFLib.sol";
 
 struct ProposeArgs {
   bytes32 archive;
-  bytes32 blockHash;
   OracleInput oracleInput;
   bytes header;
   bytes32[] txHashes;
@@ -107,11 +106,8 @@ library ProposeLib {
     RollupStore storage rollupStore = STFLib.getStorage();
     uint256 blockNumber = ++rollupStore.tips.pendingBlockNumber;
 
-    rollupStore.blocks[blockNumber] = BlockLog({
-      archive: _args.archive,
-      blockHash: _args.blockHash,
-      slotNumber: header.globalVariables.slotNumber
-    });
+    rollupStore.blocks[blockNumber] =
+      BlockLog({archive: _args.archive, slotNumber: header.globalVariables.slotNumber});
 
     FeeLib.writeFeeHeader(
       blockNumber,

l1-contracts/src/core/libraries/rollup/STFLib.sol

@@ -22,11 +22,8 @@ library STFLib {
     rollupStore.config.vkTreeRoot = _genesisState.vkTreeRoot;
     rollupStore.config.protocolContractTreeRoot = _genesisState.protocolContractTreeRoot;
 
-    rollupStore.blocks[0] = BlockLog({
-      archive: _genesisState.genesisArchiveRoot,
-      blockHash: _genesisState.genesisBlockHash,
-      slotNumber: Slot.wrap(0)
-    });
+    rollupStore.blocks[0] =
+      BlockLog({archive: _genesisState.genesisArchiveRoot, slotNumber: Slot.wrap(0)});
   }
 
   function prune() internal {