@aztec/blob-lib 3.0.0-canary.a9708bd → 3.0.0-devnet.2

package/src/blob_batching.ts

@@ -1,14 +1,12 @@
 import { AZTEC_MAX_EPOCH_DURATION, BLOBS_PER_BLOCK } from '@aztec/constants';
-import { poseidon2Hash, sha256, sha256ToField } from '@aztec/foundation/crypto';
-import { BLS12Field, BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
-import { BufferReader, serializeToBuffer } from '@aztec/foundation/serialize';
+import { poseidon2Hash, sha256ToField } from '@aztec/foundation/crypto';
+import { BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
 
-// Importing directly from 'c-kzg' does not work:
-import cKzg from 'c-kzg';
-
-import { Blob, VERSIONED_HASH_VERSION_KZG } from './blob.js';
-
-const { computeKzgProof, verifyKzgProof } = cKzg;
+import { Blob } from './blob.js';
+import { computeBlobFieldsHashFromBlobs } from './blob_utils.js';
+import { BlobAccumulator, FinalBlobAccumulator, FinalBlobBatchingChallenges } from './circuit_types/index.js';
+import { computeEthVersionedBlobHash, hashNoirBigNumLimbs } from './hash.js';
+import { kzg } from './kzg_context.js';
 
 /**
  * A class to create, manage, and prove batched EVM blobs.
@@ -34,17 +32,19 @@ export class BatchedBlob {
    *
    * @returns A batched blob.
    */
-  static async batch(blobs: Blob[]): Promise<BatchedBlob> {
-    const numBlobs = blobs.length;
-    if (numBlobs > BLOBS_PER_BLOCK * AZTEC_MAX_EPOCH_DURATION) {
+  static async batch(blobs: Blob[][]): Promise<BatchedBlob> {
+    if (blobs.length > AZTEC_MAX_EPOCH_DURATION) {
       throw new Error(
-        `Too many blobs (${numBlobs}) sent to batch(). The maximum is ${BLOBS_PER_BLOCK * AZTEC_MAX_EPOCH_DURATION}.`,
+        `Too many blocks sent to batch(). The maximum is ${AZTEC_MAX_EPOCH_DURATION}. Got ${blobs.length}.`,
       );
     }
+
     // Precalculate the values (z and gamma) and initialize the accumulator:
     let acc = await this.newAccumulator(blobs);
     // Now we can create a multi opening proof of all input blobs:
-    acc = await acc.accumulateBlobs(blobs);
+    for (const blockBlobs of blobs) {
+      acc = await acc.accumulateBlobs(blockBlobs);
+    }
     return await acc.finalize();
   }
 
@@ -53,7 +53,7 @@ export class BatchedBlob {
    * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
    *      beforehand from ALL blobs.
    */
-  static async newAccumulator(blobs: Blob[]): Promise<BatchedBlobAccumulator> {
+  static async newAccumulator(blobs: Blob[][]): Promise<BatchedBlobAccumulator> {
     const finalBlobChallenges = await this.precomputeBatchedBlobChallenges(blobs);
     return BatchedBlobAccumulator.newWithChallenges(finalBlobChallenges);
   }
@@ -66,54 +66,52 @@ export class BatchedBlob {
    *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
    *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
    *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }, for all blob evaluations y_i (see above) and commitments C_i.
+   *
+   * @param blobs - The blobs to precompute the challenges for. Each sub-array is the blobs for an L1 block.
    * @returns Challenges z and gamma.
    */
-  static async precomputeBatchedBlobChallenges(blobs: Blob[]): Promise<FinalBlobBatchingChallenges> {
-    // We need to precompute the final challenge values to evaluate the blobs.
-    let z = blobs[0].challengeZ;
-    // We start at i = 1, because z is initialized as the first blob's challenge.
-    for (let i = 1; i < blobs.length; i++) {
-      z = await poseidon2Hash([z, blobs[i].challengeZ]);
+  static async precomputeBatchedBlobChallenges(blobs: Blob[][]): Promise<FinalBlobBatchingChallenges> {
+    // Compute the final challenge z to evaluate the blobs.
+    let z: Fr | undefined;
+    for (const blockBlobs of blobs) {
+      // Compute the hash of all the fields in the block.
+      const blobFieldsHash = await computeBlobFieldsHashFromBlobs(blockBlobs);
+      for (const blob of blockBlobs) {
+        // Compute the challenge z for each blob and accumulate it.
+        const challengeZ = await blob.computeChallengeZ(blobFieldsHash);
+        if (!z) {
+          z = challengeZ;
+        } else {
+          z = await poseidon2Hash([z, challengeZ]);
+        }
+      }
+    }
+    if (!z) {
+      throw new Error('No blobs to precompute challenges for.');
     }
+
     // Now we have a shared challenge for all blobs, evaluate them...
-    const proofObjects = blobs.map(b => computeKzgProof(b.data, z.toBuffer()));
-    const evaluations = proofObjects.map(([_, evaluation]) => BLS12Fr.fromBuffer(Buffer.from(evaluation)));
+    const allBlobs = blobs.flat();
+    const proofObjects = allBlobs.map(b => b.evaluate(z));
+    const evaluations = await Promise.all(proofObjects.map(({ y }) => hashNoirBigNumLimbs(y)));
     // ...and find the challenge for the linear combination of blobs.
-    let gamma = await hashNoirBigNumLimbs(evaluations[0]);
+    let gamma = evaluations[0];
     // We start at i = 1, because gamma is initialized as the first blob's evaluation.
-    for (let i = 1; i < blobs.length; i++) {
-      gamma = await poseidon2Hash([gamma, await hashNoirBigNumLimbs(evaluations[i])]);
+    for (let i = 1; i < allBlobs.length; i++) {
+      gamma = await poseidon2Hash([gamma, evaluations[i]]);
     }
     gamma = await poseidon2Hash([gamma, z]);
 
     return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
   }
 
-  static async precomputeEmptyBatchedBlobChallenges(): Promise<FinalBlobBatchingChallenges> {
-    const blobs = [await Blob.fromFields([])];
-    // We need to precompute the final challenge values to evaluate the blobs.
-    const z = blobs[0].challengeZ;
-    // Now we have a shared challenge for all blobs, evaluate them...
-    const proofObjects = blobs.map(b => computeKzgProof(b.data, z.toBuffer()));
-    const evaluations = proofObjects.map(([_, evaluation]) => BLS12Fr.fromBuffer(Buffer.from(evaluation)));
-    // ...and find the challenge for the linear combination of blobs.
-    let gamma = await hashNoirBigNumLimbs(evaluations[0]);
-    gamma = await poseidon2Hash([gamma, z]);
-
-    return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
+  verify() {
+    return kzg.verifyKzgProof(this.commitment.compress(), this.z.toBuffer(), this.y.toBuffer(), this.q.compress());
   }
 
   // Returns ethereum's versioned blob hash, following kzg_to_versioned_hash: https://eips.ethereum.org/EIPS/eip-4844#helpers
   getEthVersionedBlobHash(): Buffer {
-    const hash = sha256(this.commitment.compress());
-    hash[0] = VERSIONED_HASH_VERSION_KZG;
-    return hash;
-  }
-
-  static getEthVersionedBlobHash(commitment: Buffer): Buffer {
-    const hash = sha256(commitment);
-    hash[0] = VERSIONED_HASH_VERSION_KZG;
-    return hash;
+    return computeEthVersionedBlobHash(this.commitment.compress());
   }
 
   /**
@@ -137,49 +135,14 @@ export class BatchedBlob {
     ]);
     return `0x${buf.toString('hex')}`;
   }
-}
-
-/**
- * Final values z and gamma are injected into each block root circuit. We ensure they are correct by:
- * - Checking equality in each block merge circuit and propagating up
- * - Checking final z_acc == z in root circuit
- * - Checking final gamma_acc == gamma in root circuit
- *
- *  - z = H(...H(H(z_0, z_1) z_2)..z_n)
- *    - where z_i = H(H(fields of blob_i), C_i),
- *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
- *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
- *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }
- *      for all blob evaluations y_i (see above) and commitments C_i.
- *
- * Iteratively calculated by BlobAccumulatorPublicInputs.accumulate() in nr. See also precomputeBatchedBlobChallenges() above.
- */
-export class FinalBlobBatchingChallenges {
-  constructor(
-    public readonly z: Fr,
-    public readonly gamma: BLS12Fr,
-  ) {}
-
-  equals(other: FinalBlobBatchingChallenges) {
-    return this.z.equals(other.z) && this.gamma.equals(other.gamma);
-  }
-
-  static empty(): FinalBlobBatchingChallenges {
-    return new FinalBlobBatchingChallenges(Fr.ZERO, BLS12Fr.ZERO);
-  }
-
-  static fromBuffer(buffer: Buffer | BufferReader): FinalBlobBatchingChallenges {
-    const reader = BufferReader.asReader(buffer);
-    return new FinalBlobBatchingChallenges(Fr.fromBuffer(reader), reader.readObject(BLS12Fr));
-  }
 
-  toBuffer() {
-    return serializeToBuffer(this.z, this.gamma);
+  toFinalBlobAccumulator() {
+    return new FinalBlobAccumulator(this.blobCommitmentsHash, this.z, this.y, this.commitment);
   }
 }
 
 /**
- * See noir-projects/noir-protocol-circuits/crates/blob/src/blob_batching_public_inputs.nr -> BlobAccumulatorPublicInputs
+ * See noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr
  */
 export class BatchedBlobAccumulator {
   constructor(
@@ -205,39 +168,6 @@ export class BatchedBlobAccumulator {
     public readonly finalBlobChallenges: FinalBlobBatchingChallenges,
   ) {}
 
-  /**
-   * Init the first accumulation state of the epoch.
-   * We assume the input blob has not been evaluated at z.
-   *
-   * First state of the accumulator:
-   * - v_acc := sha256(C_0)
-   * - z_acc := z_0
-   * - y_acc := gamma^0 * y_0 = y_0
-   * - c_acc := gamma^0 * c_0 = c_0
-   * - gamma_acc := poseidon2(y_0.limbs)
-   * - gamma^(i + 1) = gamma^1 = gamma // denoted gamma_pow_acc
-   *
-   * @returns An initial blob accumulator.
-   */
-  static async initialize(
-    blob: Blob,
-    finalBlobChallenges: FinalBlobBatchingChallenges,
-  ): Promise<BatchedBlobAccumulator> {
-    const [q, evaluation] = computeKzgProof(blob.data, finalBlobChallenges.z.toBuffer());
-    const firstY = BLS12Fr.fromBuffer(Buffer.from(evaluation));
-    // Here, i = 0, so:
-    return new BatchedBlobAccumulator(
-      sha256ToField([blob.commitment]), // blobCommitmentsHashAcc = sha256(C_0)
-      blob.challengeZ, // zAcc = z_0
-      firstY, // yAcc = gamma^0 * y_0 = 1 * y_0
-      BLS12Point.decompress(blob.commitment), // cAcc = gamma^0 * C_0 = 1 * C_0
-      BLS12Point.decompress(Buffer.from(q)), // qAcc = gamma^0 * Q_0 = 1 * Q_0
-      await hashNoirBigNumLimbs(firstY), // gammaAcc = poseidon2(y_0.limbs)
-      finalBlobChallenges.gamma, // gammaPow = gamma^(i + 1) = gamma^1 = gamma
-      finalBlobChallenges,
-    );
-  }
-
   /**
    * Create the empty accumulation state of the epoch.
    * @returns An empty blob accumulator with challenges.
@@ -260,20 +190,40 @@ export class BatchedBlobAccumulator {
    * We assume the input blob has not been evaluated at z.
    * @returns An updated blob accumulator.
    */
-  async accumulate(blob: Blob) {
+  private async accumulate(blob: Blob, blobFieldsHash: Fr) {
+    const { proof, y: thisY } = blob.evaluate(this.finalBlobChallenges.z);
+    const thisC = BLS12Point.decompress(blob.commitment);
+    const thisQ = BLS12Point.decompress(proof);
+    const blobChallengeZ = await blob.computeChallengeZ(blobFieldsHash);
+
     if (this.isEmptyState()) {
-      return BatchedBlobAccumulator.initialize(blob, this.finalBlobChallenges);
+      /**
+       * Init the first accumulation state of the epoch.
+       * - v_acc := sha256(C_0)
+       * - z_acc := z_0
+       * - y_acc := gamma^0 * y_0 = y_0
+       * - c_acc := gamma^0 * c_0 = c_0
+       * - gamma_acc := poseidon2(y_0.limbs)
+       * - gamma^(i + 1) = gamma^1 = gamma // denoted gamma_pow_acc
+       */
+      return new BatchedBlobAccumulator(
+        sha256ToField([blob.commitment]), // blobCommitmentsHashAcc = sha256(C_0)
+        blobChallengeZ, // zAcc = z_0
+        thisY, // yAcc = gamma^0 * y_0 = 1 * y_0
+        thisC, // cAcc = gamma^0 * C_0 = 1 * C_0
+        thisQ, // qAcc = gamma^0 * Q_0 = 1 * Q_0
+        await hashNoirBigNumLimbs(thisY), // gammaAcc = poseidon2(y_0.limbs)
+        this.finalBlobChallenges.gamma, // gammaPow = gamma^(i + 1) = gamma^1 = gamma
+        this.finalBlobChallenges,
+      );
     } else {
-      const [q, evaluation] = computeKzgProof(blob.data, this.finalBlobChallenges.z.toBuffer());
-      const thisY = BLS12Fr.fromBuffer(Buffer.from(evaluation));
-
       // Moving from i - 1 to i, so:
       return new BatchedBlobAccumulator(
         sha256ToField([this.blobCommitmentsHashAcc, blob.commitment]), // blobCommitmentsHashAcc := sha256(blobCommitmentsHashAcc, C_i)
-        await poseidon2Hash([this.zAcc, blob.challengeZ]), // zAcc := poseidon2(zAcc, z_i)
+        await poseidon2Hash([this.zAcc, blobChallengeZ]), // zAcc := poseidon2(zAcc, z_i)
         this.yAcc.add(thisY.mul(this.gammaPow)), // yAcc := yAcc + (gamma^i * y_i)
-        this.cAcc.add(BLS12Point.decompress(blob.commitment).mul(this.gammaPow)), // cAcc := cAcc + (gamma^i * C_i)
-        this.qAcc.add(BLS12Point.decompress(Buffer.from(q)).mul(this.gammaPow)), // qAcc := qAcc + (gamma^i * C_i)
+        this.cAcc.add(thisC.mul(this.gammaPow)), // cAcc := cAcc + (gamma^i * C_i)
+        this.qAcc.add(thisQ.mul(this.gammaPow)), // qAcc := qAcc + (gamma^i * C_i)
         await poseidon2Hash([this.gammaAcc, await hashNoirBigNumLimbs(thisY)]), // gammaAcc := poseidon2(gammaAcc, poseidon2(y_i.limbs))
         this.gammaPow.mul(this.finalBlobChallenges.gamma), // gammaPow = gamma^(i + 1) = gamma^i * final_gamma
         this.finalBlobChallenges,
@@ -284,13 +234,23 @@ export class BatchedBlobAccumulator {
   /**
    * Given blobs, accumulate all state.
    * We assume the input blobs have not been evaluated at z.
+   * @param blobs - The blobs to accumulate. They should be in the same L1 block.
    * @returns An updated blob accumulator.
    */
   async accumulateBlobs(blobs: Blob[]) {
+    if (blobs.length > BLOBS_PER_BLOCK) {
+      throw new Error(
+        `Too many blobs to accumulate. The maximum is ${BLOBS_PER_BLOCK} per block. Got ${blobs.length}.`,
+      );
+    }
+
+    // Compute the hash of all the fields in the block.
+    const blobFieldsHash = await computeBlobFieldsHashFromBlobs(blobs);
+
     // Initialize the acc to iterate over:
     let acc: BatchedBlobAccumulator = this.clone();
-    for (let i = 0; i < blobs.length; i++) {
-      acc = await acc.accumulate(blobs[i]);
+    for (const blob of blobs) {
+      acc = await acc.accumulate(blob, blobFieldsHash);
     }
     return acc;
   }
@@ -306,9 +266,10 @@ export class BatchedBlobAccumulator {
    * - c := c_acc (final commitment to be checked on L1)
    * - gamma := poseidon2(gamma_acc, z) (challenge for linear combination of y and C, above)
    *
+   * @param verifyProof - Whether to verify the KZG proof.
    * @returns A batched blob.
    */
-  async finalize(): Promise<BatchedBlob> {
+  async finalize(verifyProof = false): Promise<BatchedBlob> {
     // All values in acc are final, apart from gamma := poseidon2(gammaAcc, z):
     const calculatedGamma = await poseidon2Hash([this.gammaAcc, this.zAcc]);
     // Check final values:
@@ -322,11 +283,14 @@ export class BatchedBlobAccumulator {
         `Blob batching mismatch: accumulated gamma ${calculatedGamma} does not equal injected gamma ${this.finalBlobChallenges.gamma.toBN254Fr()}`,
       );
     }
-    if (!verifyKzgProof(this.cAcc.compress(), this.zAcc.toBuffer(), this.yAcc.toBuffer(), this.qAcc.compress())) {
+
+    const batchedBlob = new BatchedBlob(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.qAcc);
+
+    if (verifyProof && !batchedBlob.verify()) {
       throw new Error(`KZG proof did not verify.`);
     }
 
-    return new BatchedBlob(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.qAcc);
+    return batchedBlob;
   }
 
   isEmptyState() {
@@ -353,11 +317,19 @@ export class BatchedBlobAccumulator {
       FinalBlobBatchingChallenges.fromBuffer(this.finalBlobChallenges.toBuffer()),
     );
   }
-}
 
-// To mimic the hash accumulation in the rollup circuits, here we hash
-// each u128 limb of the noir bignum struct representing the BLS field.
-async function hashNoirBigNumLimbs(field: BLS12Field): Promise<Fr> {
-  const num = field.toNoirBigNum();
-  return await poseidon2Hash(num.limbs.map(Fr.fromHexString));
+  toBlobAccumulator() {
+    return new BlobAccumulator(
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      this.yAcc,
+      this.cAcc,
+      this.gammaAcc,
+      this.gammaPow,
+    );
+  }
+
+  toFinalBlobAccumulator() {
+    return new FinalBlobAccumulator(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc);
+  }
 }

package/src/blob_utils.ts

@@ -0,0 +1,71 @@
+import { FIELDS_PER_BLOB } from '@aztec/constants';
+import { BLS12Point, Fr } from '@aztec/foundation/fields';
+
+import { Blob } from './blob.js';
+import { deserializeEncodedBlobToFields } from './deserialize.js';
+import { computeBlobFieldsHash, computeBlobsHash } from './hash.js';
+
+/**
+ * @param blobs - The blobs to emit.
+ * @returns The blobs' compressed commitments in hex prefixed by the number of blobs. 1 byte for the prefix, 48 bytes
+ * per blob commitment.
+ * @dev Used for proposing blocks to validate injected blob commitments match real broadcast blobs.
+ */
+export function getPrefixedEthBlobCommitments(blobs: Blob[]): `0x${string}` {
+  // Prefix the number of blobs.
+  const lenBuf = Buffer.alloc(1);
+  lenBuf.writeUint8(blobs.length);
+
+  const blobBuf = Buffer.concat(blobs.map(blob => blob.commitment));
+
+  const buf = Buffer.concat([lenBuf, blobBuf]);
+  return `0x${buf.toString('hex')}`;
+}
+
+/**
+ * @param fields - Fields to broadcast in the blob(s)
+ * @returns As many blobs as required to broadcast the given fields to an L1 block.
+ *
+ * @throws If the number of fields does not match what's indicated by the checkpoint prefix.
+ */
+export function getBlobsPerL1Block(fields: Fr[]): Blob[] {
+  if (!fields.length) {
+    throw new Error('Cannot create blobs from empty fields.');
+  }
+
+  const numBlobs = Math.ceil(fields.length / FIELDS_PER_BLOB);
+  return Array.from({ length: numBlobs }, (_, i) =>
+    Blob.fromFields(fields.slice(i * FIELDS_PER_BLOB, (i + 1) * FIELDS_PER_BLOB)),
+  );
+}
+
+/**
+ * Get the fields from all blobs in the checkpoint. Ignoring the fields beyond the length specified by the
+ * checkpoint prefix (the first field).
+ *
+ * @param blobs - The blobs to read fields from. Should be all the blobs in the L1 block proposing the checkpoint.
+ * @param checkEncoding - Whether to check if the entire encoded blob fields are valid. If false, it will still check
+ * the checkpoint prefix and throw if there's not enough fields.
+ * @returns The fields added throughout the checkpoint.
+ */
+export function getBlobFieldsInCheckpoint(blobs: Blob[], checkEncoding = false): Fr[] {
+  return deserializeEncodedBlobToFields(Buffer.concat(blobs.map(b => b.data)), checkEncoding);
+}
+
+export async function computeBlobFieldsHashFromBlobs(blobs: Blob[]): Promise<Fr> {
+  const fields = blobs.map(b => b.toFields()).flat();
+  const numBlobFields = fields[0].toNumber();
+  if (numBlobFields > fields.length) {
+    throw new Error(`The prefix indicates ${numBlobFields} fields. Got ${fields.length}.`);
+  }
+
+  return await computeBlobFieldsHash(fields.slice(0, numBlobFields));
+}
+
+export function computeBlobsHashFromBlobs(blobs: Blob[]): Fr {
+  return computeBlobsHash(blobs.map(b => b.getEthVersionedBlobHash()));
+}
+
+export function getBlobCommitmentsFromBlobs(blobs: Blob[]): BLS12Point[] {
+  return blobs.map(b => BLS12Point.decompress(b.commitment));
+}

package/src/circuit_types/blob_accumulator.ts

@@ -0,0 +1,84 @@
+import { BLS12_FQ_LIMBS, BLS12_FR_LIMBS } from '@aztec/constants';
+import { BLS12Fq, BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { BufferReader, FieldReader, serializeToBuffer } from '@aztec/foundation/serialize';
+
+/**
+ * See `noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr` for documentation.
+ */
+export class BlobAccumulator {
+  constructor(
+    public blobCommitmentsHashAcc: Fr,
+    public zAcc: Fr,
+    public yAcc: BLS12Fr,
+    public cAcc: BLS12Point,
+    public gammaAcc: Fr,
+    public gammaPowAcc: BLS12Fr,
+  ) {}
+
+  static empty(): BlobAccumulator {
+    return new BlobAccumulator(Fr.ZERO, Fr.ZERO, BLS12Fr.ZERO, BLS12Point.ZERO, Fr.ZERO, BLS12Fr.ZERO);
+  }
+
+  equals(other: BlobAccumulator) {
+    return (
+      this.blobCommitmentsHashAcc.equals(other.blobCommitmentsHashAcc) &&
+      this.zAcc.equals(other.zAcc) &&
+      this.yAcc.equals(other.yAcc) &&
+      this.cAcc.equals(other.cAcc) &&
+      this.gammaAcc.equals(other.gammaAcc) &&
+      this.gammaPowAcc.equals(other.gammaPowAcc)
+    );
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): BlobAccumulator {
+    const reader = BufferReader.asReader(buffer);
+    return new BlobAccumulator(
+      Fr.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+      BLS12Point.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+    );
+  }
+
+  toBuffer() {
+    return serializeToBuffer(
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      this.yAcc,
+      this.cAcc,
+      this.gammaAcc,
+      this.gammaPowAcc,
+    );
+  }
+
+  toFields() {
+    return [
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      ...this.yAcc.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.cAcc.x.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.cAcc.y.toNoirBigNum().limbs.map(Fr.fromString),
+      new Fr(this.cAcc.isInfinite),
+      this.gammaAcc,
+      ...this.gammaPowAcc.toNoirBigNum().limbs.map(Fr.fromString),
+    ];
+  }
+
+  static fromFields(fields: Fr[] | FieldReader): BlobAccumulator {
+    const reader = FieldReader.asReader(fields);
+    return new BlobAccumulator(
+      reader.readField(),
+      reader.readField(),
+      BLS12Fr.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FR_LIMBS).map(f => f.toString()) }),
+      new BLS12Point(
+        BLS12Fq.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map(f => f.toString()) }),
+        BLS12Fq.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map(f => f.toString()) }),
+        reader.readBoolean(),
+      ),
+      reader.readField(),
+      BLS12Fr.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FR_LIMBS).map(f => f.toString()) }),
+    );
+  }
+}

package/src/circuit_types/final_blob_accumulator.ts

@@ -0,0 +1,75 @@
+import { BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
+import { BufferReader, serializeToBuffer } from '@aztec/foundation/serialize';
+
+import { inspect } from 'util';
+
+/**
+ * See `noir-projects/noir-protocol-circuits/crates/blob/src/abis/final_blob_accumulator.nr` for documentation.
+ */
+export class FinalBlobAccumulator {
+  constructor(
+    public blobCommitmentsHash: Fr,
+    public z: Fr,
+    public y: BLS12Fr,
+    public c: BLS12Point,
+  ) {}
+
+  static empty(): FinalBlobAccumulator {
+    return new FinalBlobAccumulator(Fr.ZERO, Fr.ZERO, BLS12Fr.ZERO, BLS12Point.ZERO);
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): FinalBlobAccumulator {
+    const reader = BufferReader.asReader(buffer);
+    return new FinalBlobAccumulator(
+      Fr.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+      BLS12Point.fromBuffer(reader),
+    );
+  }
+
+  toBuffer() {
+    return serializeToBuffer(this.blobCommitmentsHash, this.z, this.y, this.c);
+  }
+
+  toFields() {
+    return [
+      this.blobCommitmentsHash,
+      this.z,
+      ...this.y.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.c.toBN254Fields(),
+    ];
+  }
+
+  // The below is used to send to L1 for proof verification
+  toString() {
+    // We prepend 32 bytes for the (unused) 'blobHash' slot. This is not read or required by getEpochProofPublicInputs() on L1, but
+    // is expected since we usually pass the full precompile inputs via verifyEpochRootProof() to getEpochProofPublicInputs() to ensure
+    // we use calldata rather than a slice in memory:
+    const buf = Buffer.concat([Buffer.alloc(32), this.z.toBuffer(), this.y.toBuffer(), this.c.compress()]);
+    return buf.toString('hex');
+  }
+
+  equals(other: FinalBlobAccumulator) {
+    return (
+      this.blobCommitmentsHash.equals(other.blobCommitmentsHash) &&
+      this.z.equals(other.z) &&
+      this.y.equals(other.y) &&
+      this.c.equals(other.c)
+    );
+  }
+
+  // Creates a random instance. Used for testing only - will not prove/verify.
+  static random() {
+    return new FinalBlobAccumulator(Fr.random(), Fr.random(), BLS12Fr.random(), BLS12Point.random());
+  }
+
+  [inspect.custom]() {
+    return `FinalBlobAccumulator {
+      blobCommitmentsHash: ${inspect(this.blobCommitmentsHash)},
+      z: ${inspect(this.z)},
+      y: ${inspect(this.y)},
+      c: ${inspect(this.c)},
+    }`;
+  }
+}

package/src/circuit_types/final_blob_batching_challenges.ts

@@ -0,0 +1,29 @@
+import { BLS12Fr, Fr } from '@aztec/foundation/fields';
+import { BufferReader, serializeToBuffer } from '@aztec/foundation/serialize';
+
+/**
+ * See `noir-projects/noir-protocol-circuits/crates/blob/src/abis/final_blob_batching_challenges.nr` for documentation.
+ */
+export class FinalBlobBatchingChallenges {
+  constructor(
+    public readonly z: Fr,
+    public readonly gamma: BLS12Fr,
+  ) {}
+
+  equals(other: FinalBlobBatchingChallenges) {
+    return this.z.equals(other.z) && this.gamma.equals(other.gamma);
+  }
+
+  static empty(): FinalBlobBatchingChallenges {
+    return new FinalBlobBatchingChallenges(Fr.ZERO, BLS12Fr.ZERO);
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): FinalBlobBatchingChallenges {
+    const reader = BufferReader.asReader(buffer);
+    return new FinalBlobBatchingChallenges(Fr.fromBuffer(reader), reader.readObject(BLS12Fr));
+  }
+
+  toBuffer() {
+    return serializeToBuffer(this.z, this.gamma);
+  }
+}

package/src/circuit_types/index.ts

@@ -0,0 +1,4 @@
+/// Types used in the protocol circuits.
+export * from './blob_accumulator.js';
+export * from './final_blob_accumulator.js';
+export * from './final_blob_batching_challenges.js';

package/src/deserialize.ts

@@ -0,0 +1,38 @@
+import { Fr } from '@aztec/foundation/fields';
+import { BufferReader } from '@aztec/foundation/serialize';
+
+import { checkBlobFieldsEncoding } from './encoding.js';
+import { BlobDeserializationError } from './errors.js';
+
+/**
+ * Deserializes a buffer into an array of field elements.
+ *
+ * This function returns the fields that were actually added in a checkpoint. The number of fields is specified by the
+ * first field.
+ *
+ * @param buf - The buffer to deserialize.
+ * @param checkEncoding - Whether to check if the encoding is correct. If false, it will still check the checkpoint
+ * prefix and throw if there's not enough fields.
+ * @returns An array of field elements.
+ */
+export function deserializeEncodedBlobToFields(buf: Uint8Array, checkEncoding = false): Fr[] {
+  const reader = BufferReader.asReader(buf);
+  const firstField = reader.readObject(Fr);
+
+  // Use toBigInt instead of toNumber so that we can catch it and throw a more descriptive error below if the first
+  // field is larger than a javascript integer.
+  const numFields = firstField.toBigInt();
+  const totalFieldsInBuffer = BigInt(buf.length / Fr.SIZE_IN_BYTES);
+  if (numFields > totalFieldsInBuffer) {
+    throw new BlobDeserializationError(`Failed to deserialize blob fields, this blob was likely not created by us`);
+  }
+
+  const numFieldsWithoutPrefix = Number(numFields) - 1;
+  const blobFields = [firstField].concat(reader.readArray(numFieldsWithoutPrefix, Fr));
+
+  if (checkEncoding && !checkBlobFieldsEncoding(blobFields)) {
+    throw new BlobDeserializationError(`Incorrect encoding of blob fields, this blob was likely not created by us`);
+  }
+
+  return blobFields;
+}