Similar to the storage slot value proof described in the previous section, transaction proof is also using the synced block header information stored on the destination chain as the ground truth. With this, one can prove the source chain's transaction information by proving the following parts:
- 1.validity of a block transaction root that matches the synced block header info;
- 2.validity of the transaction leaf hash that matches the transaction root.
This circuit is composed of two parts, including MPT calculation and block header calculation.
Public Inputs (can be used by on-chain app contracts):
LeafHashLeaf node (transaction leaf node) key of the transactions MPT.
BlockHashHash of the block which include this transaction.
BlockNumberNumber of the block which include this transaction.
BlockTimeTime of the block which include this transaction.
KeyThe key nibble of the transaction in MPT.
KeyLengthThe length of the key above.
RootHashTransaction MPT root hash.
KeyFragmentStartsThe index for each node in key nibbles.
NodeRlpNode value for each node in the merkle branch.
NodeRlpRoundIndexesNodeRlp keecak round number.
NodePathPrefixLengthLength for check node type in merkle branch.
NodeTypesMPT node type.
BlockFieldsNumBlock fields count.
BlockRoundIndexBlock hash keccak count from block rlp.
For example, if the transaction is the 133th transaction in this block, also means the transaction index is 133. The nibble key is 0x8185 (
33 --> 0x85 -- rlp --> 0x8185). You can find more detail from Merkle Patricia Trie doc.
The transaction root hash is one field of the block header RLP, which is used to calculate the block hash. The circuit first proves that the transaction root hash is included in the decoded block RLP, and then it computes the keccak hash of the block RLP to match the provided public input.
To prove the validity of the public input transaction leaf hash, the circuit uses the Merkel branch that includes the transaction leaf to compute the MPT root hash and verify that it matches the validated transaction root hash. Note that the circuit only validates the transaction leaf hash, leaving the validation of transaction RLP fields to the on-chain verifier contract.