@aztec/blob-lib 0.0.1-fake-c83136db25 → 0.0.1-fake-ceab37513c

package/src/blob_batching.ts

@@ -1,12 +1,14 @@
 import { AZTEC_MAX_EPOCH_DURATION, BLOBS_PER_BLOCK } from '@aztec/constants';
-import { poseidon2Hash, sha256ToField } from '@aztec/foundation/crypto';
-import { BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { poseidon2Hash, sha256, sha256ToField } from '@aztec/foundation/crypto';
+import { BLS12Field, BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { BufferReader, serializeToBuffer } from '@aztec/foundation/serialize';
 
-import { Blob } from './blob.js';
-import { computeBlobFieldsHashFromBlobs } from './blob_utils.js';
-import { BlobAccumulator, FinalBlobAccumulator, FinalBlobBatchingChallenges } from './circuit_types/index.js';
-import { computeEthVersionedBlobHash, hashNoirBigNumLimbs } from './hash.js';
-import { kzg } from './kzg_context.js';
+// Importing directly from 'c-kzg' does not work:
+import cKzg from 'c-kzg';
+
+import { Blob, VERSIONED_HASH_VERSION_KZG } from './blob.js';
+
+const { computeKzgProof, verifyKzgProof } = cKzg;
 
 /**
  * A class to create, manage, and prove batched EVM blobs.
@@ -32,19 +34,17 @@ export class BatchedBlob {
    *
    * @returns A batched blob.
    */
-  static async batch(blobs: Blob[][]): Promise<BatchedBlob> {
-    if (blobs.length > AZTEC_MAX_EPOCH_DURATION) {
+  static async batch(blobs: Blob[]): Promise<BatchedBlob> {
+    const numBlobs = blobs.length;
+    if (numBlobs > BLOBS_PER_BLOCK * AZTEC_MAX_EPOCH_DURATION) {
       throw new Error(
-        `Too many blocks sent to batch(). The maximum is ${AZTEC_MAX_EPOCH_DURATION}. Got ${blobs.length}.`,
+        `Too many blobs (${numBlobs}) sent to batch(). The maximum is ${BLOBS_PER_BLOCK * AZTEC_MAX_EPOCH_DURATION}.`,
       );
     }
-
     // Precalculate the values (z and gamma) and initialize the accumulator:
     let acc = await this.newAccumulator(blobs);
     // Now we can create a multi opening proof of all input blobs:
-    for (const blockBlobs of blobs) {
-      acc = await acc.accumulateBlobs(blockBlobs);
-    }
+    acc = await acc.accumulateBlobs(blobs);
     return await acc.finalize();
   }
 
@@ -53,7 +53,7 @@ export class BatchedBlob {
    * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
    *      beforehand from ALL blobs.
    */
-  static async newAccumulator(blobs: Blob[][]): Promise<BatchedBlobAccumulator> {
+  static async newAccumulator(blobs: Blob[]): Promise<BatchedBlobAccumulator> {
     const finalBlobChallenges = await this.precomputeBatchedBlobChallenges(blobs);
     return BatchedBlobAccumulator.newWithChallenges(finalBlobChallenges);
   }
@@ -66,52 +66,54 @@ export class BatchedBlob {
    *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
    *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
    *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }, for all blob evaluations y_i (see above) and commitments C_i.
-   *
-   * @param blobs - The blobs to precompute the challenges for. Each sub-array is the blobs for an L1 block.
    * @returns Challenges z and gamma.
    */
-  static async precomputeBatchedBlobChallenges(blobs: Blob[][]): Promise<FinalBlobBatchingChallenges> {
-    // Compute the final challenge z to evaluate the blobs.
-    let z: Fr | undefined;
-    for (const blockBlobs of blobs) {
-      // Compute the hash of all the fields in the block.
-      const blobFieldsHash = await computeBlobFieldsHashFromBlobs(blockBlobs);
-      for (const blob of blockBlobs) {
-        // Compute the challenge z for each blob and accumulate it.
-        const challengeZ = await blob.computeChallengeZ(blobFieldsHash);
-        if (!z) {
-          z = challengeZ;
-        } else {
-          z = await poseidon2Hash([z, challengeZ]);
-        }
-      }
-    }
-    if (!z) {
-      throw new Error('No blobs to precompute challenges for.');
+  static async precomputeBatchedBlobChallenges(blobs: Blob[]): Promise<FinalBlobBatchingChallenges> {
+    // We need to precompute the final challenge values to evaluate the blobs.
+    let z = blobs[0].challengeZ;
+    // We start at i = 1, because z is initialized as the first blob's challenge.
+    for (let i = 1; i < blobs.length; i++) {
+      z = await poseidon2Hash([z, blobs[i].challengeZ]);
     }
-
     // Now we have a shared challenge for all blobs, evaluate them...
-    const allBlobs = blobs.flat();
-    const proofObjects = allBlobs.map(b => b.evaluate(z));
-    const evaluations = await Promise.all(proofObjects.map(({ y }) => hashNoirBigNumLimbs(y)));
+    const proofObjects = blobs.map(b => computeKzgProof(b.data, z.toBuffer()));
+    const evaluations = proofObjects.map(([_, evaluation]) => BLS12Fr.fromBuffer(Buffer.from(evaluation)));
     // ...and find the challenge for the linear combination of blobs.
-    let gamma = evaluations[0];
+    let gamma = await hashNoirBigNumLimbs(evaluations[0]);
     // We start at i = 1, because gamma is initialized as the first blob's evaluation.
-    for (let i = 1; i < allBlobs.length; i++) {
-      gamma = await poseidon2Hash([gamma, evaluations[i]]);
+    for (let i = 1; i < blobs.length; i++) {
+      gamma = await poseidon2Hash([gamma, await hashNoirBigNumLimbs(evaluations[i])]);
     }
     gamma = await poseidon2Hash([gamma, z]);
 
     return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
   }
 
-  verify() {
-    return kzg.verifyKzgProof(this.commitment.compress(), this.z.toBuffer(), this.y.toBuffer(), this.q.compress());
+  static async precomputeEmptyBatchedBlobChallenges(): Promise<FinalBlobBatchingChallenges> {
+    const blobs = [await Blob.fromFields([])];
+    // We need to precompute the final challenge values to evaluate the blobs.
+    const z = blobs[0].challengeZ;
+    // Now we have a shared challenge for all blobs, evaluate them...
+    const proofObjects = blobs.map(b => computeKzgProof(b.data, z.toBuffer()));
+    const evaluations = proofObjects.map(([_, evaluation]) => BLS12Fr.fromBuffer(Buffer.from(evaluation)));
+    // ...and find the challenge for the linear combination of blobs.
+    let gamma = await hashNoirBigNumLimbs(evaluations[0]);
+    gamma = await poseidon2Hash([gamma, z]);
+
+    return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
   }
 
   // Returns ethereum's versioned blob hash, following kzg_to_versioned_hash: https://eips.ethereum.org/EIPS/eip-4844#helpers
   getEthVersionedBlobHash(): Buffer {
-    return computeEthVersionedBlobHash(this.commitment.compress());
+    const hash = sha256(this.commitment.compress());
+    hash[0] = VERSIONED_HASH_VERSION_KZG;
+    return hash;
+  }
+
+  static getEthVersionedBlobHash(commitment: Buffer): Buffer {
+    const hash = sha256(commitment);
+    hash[0] = VERSIONED_HASH_VERSION_KZG;
+    return hash;
   }
 
   /**
@@ -135,14 +137,49 @@ export class BatchedBlob {
     ]);
     return `0x${buf.toString('hex')}`;
   }
+}
+
+/**
+ * Final values z and gamma are injected into each block root circuit. We ensure they are correct by:
+ * - Checking equality in each block merge circuit and propagating up
+ * - Checking final z_acc == z in root circuit
+ * - Checking final gamma_acc == gamma in root circuit
+ *
+ *  - z = H(...H(H(z_0, z_1) z_2)..z_n)
+ *    - where z_i = H(H(fields of blob_i), C_i),
+ *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
+ *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
+ *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }
+ *      for all blob evaluations y_i (see above) and commitments C_i.
+ *
+ * Iteratively calculated by BlobAccumulatorPublicInputs.accumulate() in nr. See also precomputeBatchedBlobChallenges() above.
+ */
+export class FinalBlobBatchingChallenges {
+  constructor(
+    public readonly z: Fr,
+    public readonly gamma: BLS12Fr,
+  ) {}
+
+  equals(other: FinalBlobBatchingChallenges) {
+    return this.z.equals(other.z) && this.gamma.equals(other.gamma);
+  }
+
+  static empty(): FinalBlobBatchingChallenges {
+    return new FinalBlobBatchingChallenges(Fr.ZERO, BLS12Fr.ZERO);
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): FinalBlobBatchingChallenges {
+    const reader = BufferReader.asReader(buffer);
+    return new FinalBlobBatchingChallenges(Fr.fromBuffer(reader), reader.readObject(BLS12Fr));
+  }
 
-  toFinalBlobAccumulator() {
-    return new FinalBlobAccumulator(this.blobCommitmentsHash, this.z, this.y, this.commitment);
+  toBuffer() {
+    return serializeToBuffer(this.z, this.gamma);
   }
 }
 
 /**
- * See noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr
+ * See noir-projects/noir-protocol-circuits/crates/blob/src/blob_batching_public_inputs.nr -> BlobAccumulatorPublicInputs
  */
 export class BatchedBlobAccumulator {
   constructor(
@@ -168,6 +205,39 @@ export class BatchedBlobAccumulator {
     public readonly finalBlobChallenges: FinalBlobBatchingChallenges,
   ) {}
 
+  /**
+   * Init the first accumulation state of the epoch.
+   * We assume the input blob has not been evaluated at z.
+   *
+   * First state of the accumulator:
+   * - v_acc := sha256(C_0)
+   * - z_acc := z_0
+   * - y_acc := gamma^0 * y_0 = y_0
+   * - c_acc := gamma^0 * c_0 = c_0
+   * - gamma_acc := poseidon2(y_0.limbs)
+   * - gamma^(i + 1) = gamma^1 = gamma // denoted gamma_pow_acc
+   *
+   * @returns An initial blob accumulator.
+   */
+  static async initialize(
+    blob: Blob,
+    finalBlobChallenges: FinalBlobBatchingChallenges,
+  ): Promise<BatchedBlobAccumulator> {
+    const [q, evaluation] = computeKzgProof(blob.data, finalBlobChallenges.z.toBuffer());
+    const firstY = BLS12Fr.fromBuffer(Buffer.from(evaluation));
+    // Here, i = 0, so:
+    return new BatchedBlobAccumulator(
+      sha256ToField([blob.commitment]), // blobCommitmentsHashAcc = sha256(C_0)
+      blob.challengeZ, // zAcc = z_0
+      firstY, // yAcc = gamma^0 * y_0 = 1 * y_0
+      BLS12Point.decompress(blob.commitment), // cAcc = gamma^0 * C_0 = 1 * C_0
+      BLS12Point.decompress(Buffer.from(q)), // qAcc = gamma^0 * Q_0 = 1 * Q_0
+      await hashNoirBigNumLimbs(firstY), // gammaAcc = poseidon2(y_0.limbs)
+      finalBlobChallenges.gamma, // gammaPow = gamma^(i + 1) = gamma^1 = gamma
+      finalBlobChallenges,
+    );
+  }
+
   /**
    * Create the empty accumulation state of the epoch.
    * @returns An empty blob accumulator with challenges.
@@ -190,40 +260,20 @@ export class BatchedBlobAccumulator {
    * We assume the input blob has not been evaluated at z.
    * @returns An updated blob accumulator.
    */
-  private async accumulate(blob: Blob, blobFieldsHash: Fr) {
-    const { proof, y: thisY } = blob.evaluate(this.finalBlobChallenges.z);
-    const thisC = BLS12Point.decompress(blob.commitment);
-    const thisQ = BLS12Point.decompress(proof);
-    const blobChallengeZ = await blob.computeChallengeZ(blobFieldsHash);
-
+  async accumulate(blob: Blob) {
     if (this.isEmptyState()) {
-      /**
-       * Init the first accumulation state of the epoch.
-       * - v_acc := sha256(C_0)
-       * - z_acc := z_0
-       * - y_acc := gamma^0 * y_0 = y_0
-       * - c_acc := gamma^0 * c_0 = c_0
-       * - gamma_acc := poseidon2(y_0.limbs)
-       * - gamma^(i + 1) = gamma^1 = gamma // denoted gamma_pow_acc
-       */
-      return new BatchedBlobAccumulator(
-        sha256ToField([blob.commitment]), // blobCommitmentsHashAcc = sha256(C_0)
-        blobChallengeZ, // zAcc = z_0
-        thisY, // yAcc = gamma^0 * y_0 = 1 * y_0
-        thisC, // cAcc = gamma^0 * C_0 = 1 * C_0
-        thisQ, // qAcc = gamma^0 * Q_0 = 1 * Q_0
-        await hashNoirBigNumLimbs(thisY), // gammaAcc = poseidon2(y_0.limbs)
-        this.finalBlobChallenges.gamma, // gammaPow = gamma^(i + 1) = gamma^1 = gamma
-        this.finalBlobChallenges,
-      );
+      return BatchedBlobAccumulator.initialize(blob, this.finalBlobChallenges);
     } else {
+      const [q, evaluation] = computeKzgProof(blob.data, this.finalBlobChallenges.z.toBuffer());
+      const thisY = BLS12Fr.fromBuffer(Buffer.from(evaluation));
+
       // Moving from i - 1 to i, so:
       return new BatchedBlobAccumulator(
         sha256ToField([this.blobCommitmentsHashAcc, blob.commitment]), // blobCommitmentsHashAcc := sha256(blobCommitmentsHashAcc, C_i)
-        await poseidon2Hash([this.zAcc, blobChallengeZ]), // zAcc := poseidon2(zAcc, z_i)
+        await poseidon2Hash([this.zAcc, blob.challengeZ]), // zAcc := poseidon2(zAcc, z_i)
         this.yAcc.add(thisY.mul(this.gammaPow)), // yAcc := yAcc + (gamma^i * y_i)
-        this.cAcc.add(thisC.mul(this.gammaPow)), // cAcc := cAcc + (gamma^i * C_i)
-        this.qAcc.add(thisQ.mul(this.gammaPow)), // qAcc := qAcc + (gamma^i * C_i)
+        this.cAcc.add(BLS12Point.decompress(blob.commitment).mul(this.gammaPow)), // cAcc := cAcc + (gamma^i * C_i)
+        this.qAcc.add(BLS12Point.decompress(Buffer.from(q)).mul(this.gammaPow)), // qAcc := qAcc + (gamma^i * C_i)
         await poseidon2Hash([this.gammaAcc, await hashNoirBigNumLimbs(thisY)]), // gammaAcc := poseidon2(gammaAcc, poseidon2(y_i.limbs))
         this.gammaPow.mul(this.finalBlobChallenges.gamma), // gammaPow = gamma^(i + 1) = gamma^i * final_gamma
         this.finalBlobChallenges,
@@ -234,23 +284,13 @@ export class BatchedBlobAccumulator {
   /**
    * Given blobs, accumulate all state.
    * We assume the input blobs have not been evaluated at z.
-   * @param blobs - The blobs to accumulate. They should be in the same L1 block.
    * @returns An updated blob accumulator.
    */
   async accumulateBlobs(blobs: Blob[]) {
-    if (blobs.length > BLOBS_PER_BLOCK) {
-      throw new Error(
-        `Too many blobs to accumulate. The maximum is ${BLOBS_PER_BLOCK} per block. Got ${blobs.length}.`,
-      );
-    }
-
-    // Compute the hash of all the fields in the block.
-    const blobFieldsHash = await computeBlobFieldsHashFromBlobs(blobs);
-
     // Initialize the acc to iterate over:
     let acc: BatchedBlobAccumulator = this.clone();
-    for (const blob of blobs) {
-      acc = await acc.accumulate(blob, blobFieldsHash);
+    for (let i = 0; i < blobs.length; i++) {
+      acc = await acc.accumulate(blobs[i]);
     }
     return acc;
   }
@@ -266,10 +306,9 @@ export class BatchedBlobAccumulator {
    * - c := c_acc (final commitment to be checked on L1)
    * - gamma := poseidon2(gamma_acc, z) (challenge for linear combination of y and C, above)
    *
-   * @param verifyProof - Whether to verify the KZG proof.
    * @returns A batched blob.
    */
-  async finalize(verifyProof = false): Promise<BatchedBlob> {
+  async finalize(): Promise<BatchedBlob> {
     // All values in acc are final, apart from gamma := poseidon2(gammaAcc, z):
     const calculatedGamma = await poseidon2Hash([this.gammaAcc, this.zAcc]);
     // Check final values:
@@ -283,14 +322,11 @@ export class BatchedBlobAccumulator {
         `Blob batching mismatch: accumulated gamma ${calculatedGamma} does not equal injected gamma ${this.finalBlobChallenges.gamma.toBN254Fr()}`,
       );
     }
-
-    const batchedBlob = new BatchedBlob(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.qAcc);
-
-    if (verifyProof && !batchedBlob.verify()) {
+    if (!verifyKzgProof(this.cAcc.compress(), this.zAcc.toBuffer(), this.yAcc.toBuffer(), this.qAcc.compress())) {
       throw new Error(`KZG proof did not verify.`);
     }
 
-    return batchedBlob;
+    return new BatchedBlob(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.qAcc);
   }
 
   isEmptyState() {
@@ -317,19 +353,11 @@ export class BatchedBlobAccumulator {
       FinalBlobBatchingChallenges.fromBuffer(this.finalBlobChallenges.toBuffer()),
     );
   }
+}
 
-  toBlobAccumulator() {
-    return new BlobAccumulator(
-      this.blobCommitmentsHashAcc,
-      this.zAcc,
-      this.yAcc,
-      this.cAcc,
-      this.gammaAcc,
-      this.gammaPow,
-    );
-  }
-
-  toFinalBlobAccumulator() {
-    return new FinalBlobAccumulator(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc);
-  }
+// To mimic the hash accumulation in the rollup circuits, here we hash
+// each u128 limb of the noir bignum struct representing the BLS field.
+async function hashNoirBigNumLimbs(field: BLS12Field): Promise<Fr> {
+  const num = field.toNoirBigNum();
+  return await poseidon2Hash(num.limbs.map(Fr.fromHexString));
 }

package/src/blob_batching_public_inputs.ts

@@ -0,0 +1,252 @@
+import { BLS12_FQ_LIMBS, BLS12_FR_LIMBS } from '@aztec/constants';
+import { BLS12Fq, BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { BufferReader, FieldReader, serializeToBuffer } from '@aztec/foundation/serialize';
+
+import { inspect } from 'util';
+
+import { Blob } from './blob.js';
+import { BatchedBlob, BatchedBlobAccumulator, FinalBlobBatchingChallenges } from './blob_batching.js';
+
+/**
+ * See nr BlobAccumulatorPublicInputs and ts BatchedBlobAccumulator for documentation.
+ */
+export class BlobAccumulatorPublicInputs {
+  constructor(
+    public blobCommitmentsHashAcc: Fr,
+    public zAcc: Fr,
+    public yAcc: BLS12Fr,
+    public cAcc: BLS12Point,
+    public gammaAcc: Fr,
+    public gammaPowAcc: BLS12Fr,
+  ) {}
+
+  static empty(): BlobAccumulatorPublicInputs {
+    return new BlobAccumulatorPublicInputs(Fr.ZERO, Fr.ZERO, BLS12Fr.ZERO, BLS12Point.ZERO, Fr.ZERO, BLS12Fr.ZERO);
+  }
+
+  equals(other: BlobAccumulatorPublicInputs) {
+    return (
+      this.blobCommitmentsHashAcc.equals(other.blobCommitmentsHashAcc) &&
+      this.zAcc.equals(other.zAcc) &&
+      this.yAcc.equals(other.yAcc) &&
+      this.cAcc.equals(other.cAcc) &&
+      this.gammaAcc.equals(other.gammaAcc) &&
+      this.gammaPowAcc.equals(other.gammaPowAcc)
+    );
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): BlobAccumulatorPublicInputs {
+    const reader = BufferReader.asReader(buffer);
+    return new BlobAccumulatorPublicInputs(
+      Fr.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+      BLS12Point.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+    );
+  }
+
+  toBuffer() {
+    return serializeToBuffer(
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      this.yAcc,
+      this.cAcc,
+      this.gammaAcc,
+      this.gammaPowAcc,
+    );
+  }
+
+  /**
+   * Given blobs, accumulate all public inputs state.
+   * We assume the input blobs have not been evaluated at z.
+   * NOTE: Does NOT accumulate non circuit values including Q. This exists to simulate/check exactly what the circuit is doing
+   * and is unsafe for other use. For that reason, a toBatchedBlobAccumulator does not exist. See evaluateBlobs() oracle for usage.
+   * @returns An updated blob accumulator.
+   */
+  async accumulateBlobs(blobs: Blob[], finalBlobChallenges: FinalBlobBatchingChallenges) {
+    let acc = new BatchedBlobAccumulator(
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      this.yAcc,
+      this.cAcc,
+      BLS12Point.ZERO,
+      this.gammaAcc,
+      this.gammaPowAcc,
+      finalBlobChallenges,
+    );
+    acc = await acc.accumulateBlobs(blobs);
+    return new BlobAccumulatorPublicInputs(
+      acc.blobCommitmentsHashAcc,
+      acc.zAcc,
+      acc.yAcc,
+      acc.cAcc,
+      acc.gammaAcc,
+      acc.gammaPow,
+    );
+  }
+
+  toFields() {
+    return [
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      ...this.yAcc.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.cAcc.x.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.cAcc.y.toNoirBigNum().limbs.map(Fr.fromString),
+      new Fr(this.cAcc.isInfinite),
+      this.gammaAcc,
+      ...this.gammaPowAcc.toNoirBigNum().limbs.map(Fr.fromString),
+    ];
+  }
+
+  static fromFields(fields: Fr[] | FieldReader): BlobAccumulatorPublicInputs {
+    const reader = FieldReader.asReader(fields);
+    return new BlobAccumulatorPublicInputs(
+      reader.readField(),
+      reader.readField(),
+      BLS12Fr.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FR_LIMBS).map(f => f.toString()) }),
+      new BLS12Point(
+        BLS12Fq.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map(f => f.toString()) }),
+        BLS12Fq.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map(f => f.toString()) }),
+        reader.readBoolean(),
+      ),
+      reader.readField(),
+      BLS12Fr.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FR_LIMBS).map(f => f.toString()) }),
+    );
+  }
+
+  /**
+   * Converts from an accumulator to a struct for the public inputs of our rollup circuits.
+   * @returns A BlobAccumulatorPublicInputs instance.
+   */
+  static fromBatchedBlobAccumulator(accumulator: BatchedBlobAccumulator) {
+    return new BlobAccumulatorPublicInputs(
+      accumulator.blobCommitmentsHashAcc,
+      accumulator.zAcc,
+      accumulator.yAcc,
+      accumulator.cAcc,
+      accumulator.gammaAcc,
+      accumulator.gammaPow,
+    );
+  }
+}
+
+/**
+ * See nr FinalBlobAccumulatorPublicInputs and ts BatchedBlobAccumulator for documentation.
+ */
+export class FinalBlobAccumulatorPublicInputs {
+  constructor(
+    public blobCommitmentsHash: Fr,
+    public z: Fr,
+    public y: BLS12Fr,
+    public c: BLS12Point,
+  ) {}
+
+  static empty(): FinalBlobAccumulatorPublicInputs {
+    return new FinalBlobAccumulatorPublicInputs(Fr.ZERO, Fr.ZERO, BLS12Fr.ZERO, BLS12Point.ZERO);
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): FinalBlobAccumulatorPublicInputs {
+    const reader = BufferReader.asReader(buffer);
+    return new FinalBlobAccumulatorPublicInputs(
+      Fr.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+      BLS12Point.fromBuffer(reader),
+    );
+  }
+
+  toBuffer() {
+    return serializeToBuffer(this.blobCommitmentsHash, this.z, this.y, this.c);
+  }
+
+  static fromBatchedBlob(blob: BatchedBlob) {
+    return new FinalBlobAccumulatorPublicInputs(blob.blobCommitmentsHash, blob.z, blob.y, blob.commitment);
+  }
+
+  toFields() {
+    return [
+      this.blobCommitmentsHash,
+      this.z,
+      ...this.y.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.c.toBN254Fields(),
+    ];
+  }
+
+  // The below is used to send to L1 for proof verification
+  toString() {
+    // We prepend 32 bytes for the (unused) 'blobHash' slot. This is not read or required by getEpochProofPublicInputs() on L1, but
+    // is expected since we usually pass the full precompile inputs via verifyEpochRootProof() to getEpochProofPublicInputs() to ensure
+    // we use calldata rather than a slice in memory:
+    const buf = Buffer.concat([Buffer.alloc(32), this.z.toBuffer(), this.y.toBuffer(), this.c.compress()]);
+    return buf.toString('hex');
+  }
+
+  equals(other: FinalBlobAccumulatorPublicInputs) {
+    return (
+      this.blobCommitmentsHash.equals(other.blobCommitmentsHash) &&
+      this.z.equals(other.z) &&
+      this.y.equals(other.y) &&
+      this.c.equals(other.c)
+    );
+  }
+
+  // Creates a random instance. Used for testing only - will not prove/verify.
+  static random() {
+    return new FinalBlobAccumulatorPublicInputs(Fr.random(), Fr.random(), BLS12Fr.random(), BLS12Point.random());
+  }
+
+  // Warning: MUST be final accumulator state.
+  static fromBatchedBlobAccumulator(accumulator: BatchedBlobAccumulator) {
+    return new FinalBlobAccumulatorPublicInputs(
+      accumulator.blobCommitmentsHashAcc,
+      accumulator.zAcc,
+      accumulator.yAcc,
+      accumulator.cAcc,
+    );
+  }
+
+  [inspect.custom]() {
+    return `FinalBlobAccumulatorPublicInputs {
+      blobCommitmentsHash: ${inspect(this.blobCommitmentsHash)},
+      z: ${inspect(this.z)},
+      y: ${inspect(this.y)},
+      c: ${inspect(this.c)},
+    }`;
+  }
+}
+
+/**
+ * startBlobAccumulator: Accumulated opening proofs for all blobs before this block range.
+ * endBlobAccumulator: Accumulated opening proofs for all blobs after adding this block range.
+ * finalBlobChallenges:  Final values z and gamma, shared across the epoch.
+ */
+export class BlockBlobPublicInputs {
+  constructor(
+    public startBlobAccumulator: BlobAccumulatorPublicInputs,
+    public endBlobAccumulator: BlobAccumulatorPublicInputs,
+    public finalBlobChallenges: FinalBlobBatchingChallenges,
+  ) {}
+
+  static empty(): BlockBlobPublicInputs {
+    return new BlockBlobPublicInputs(
+      BlobAccumulatorPublicInputs.empty(),
+      BlobAccumulatorPublicInputs.empty(),
+      FinalBlobBatchingChallenges.empty(),
+    );
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): BlockBlobPublicInputs {
+    const reader = BufferReader.asReader(buffer);
+    return new BlockBlobPublicInputs(
+      reader.readObject(BlobAccumulatorPublicInputs),
+      reader.readObject(BlobAccumulatorPublicInputs),
+      reader.readObject(FinalBlobBatchingChallenges),
+    );
+  }
+
+  toBuffer() {
+    return serializeToBuffer(this.startBlobAccumulator, this.endBlobAccumulator, this.finalBlobChallenges);
+  }
+}