@aztec/blob-lib 4.0.0-nightly.20250907 → 4.0.0-nightly.20260107

package/src/blob_batching.ts

@@ -1,185 +1,19 @@
-import { AZTEC_MAX_EPOCH_DURATION, BLOBS_PER_BLOCK } from '@aztec/constants';
-import { poseidon2Hash, sha256, sha256ToField } from '@aztec/foundation/crypto';
-import { BLS12Field, BLS12Fr, BLS12Point, Fr } from '@aztec/foundation/fields';
-import { BufferReader, serializeToBuffer } from '@aztec/foundation/serialize';
+import { AZTEC_MAX_EPOCH_DURATION, BLOBS_PER_CHECKPOINT } from '@aztec/constants';
+import { poseidon2Hash } from '@aztec/foundation/crypto/poseidon';
+import { sha256ToField } from '@aztec/foundation/crypto/sha256';
+import { BLS12Fr, BLS12Point } from '@aztec/foundation/curves/bls12';
+import { Fr } from '@aztec/foundation/curves/bn254';
 
-// Importing directly from 'c-kzg' does not work:
-import cKzg from 'c-kzg';
-
-import { Blob, VERSIONED_HASH_VERSION_KZG } from './blob.js';
-
-const { computeKzgProof, verifyKzgProof } = cKzg;
+import { BatchedBlob } from './batched_blob.js';
+import { Blob } from './blob.js';
+import { getBlobsPerL1Block } from './blob_utils.js';
+import { BlobAccumulator, FinalBlobAccumulator, FinalBlobBatchingChallenges } from './circuit_types/index.js';
+import { computeBlobFieldsHash, hashNoirBigNumLimbs } from './hash.js';
+import { getKzg } from './kzg_context.js';
 
 /**
  * A class to create, manage, and prove batched EVM blobs.
- */
-export class BatchedBlob {
-  constructor(
-    /** Hash of Cs (to link to L1 blob hashes). */
-    public readonly blobCommitmentsHash: Fr,
-    /** Challenge point z such that p_i(z) = y_i. */
-    public readonly z: Fr,
-    /** Evaluation y, linear combination of all evaluations y_i = p_i(z) with gamma. */
-    public readonly y: BLS12Fr,
-    /** Commitment C, linear combination of all commitments C_i = [p_i] with gamma. */
-    public readonly commitment: BLS12Point,
-    /** KZG opening 'proof' Q (commitment to the quotient poly.), linear combination of all blob kzg 'proofs' Q_i with gamma. */
-    public readonly q: BLS12Point,
-  ) {}
-
-  /**
-   * Get the final batched opening proof from multiple blobs.
-   * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
-   *      beforehand from ALL blobs.
-   *
-   * @returns A batched blob.
-   */
-  static async batch(blobs: Blob[]): Promise<BatchedBlob> {
-    const numBlobs = blobs.length;
-    if (numBlobs > BLOBS_PER_BLOCK * AZTEC_MAX_EPOCH_DURATION) {
-      throw new Error(
-        `Too many blobs (${numBlobs}) sent to batch(). The maximum is ${BLOBS_PER_BLOCK * AZTEC_MAX_EPOCH_DURATION}.`,
-      );
-    }
-    // Precalculate the values (z and gamma) and initialize the accumulator:
-    let acc = await this.newAccumulator(blobs);
-    // Now we can create a multi opening proof of all input blobs:
-    acc = await acc.accumulateBlobs(blobs);
-    return await acc.finalize();
-  }
-
-  /**
-   * Returns an empty BatchedBlobAccumulator with precomputed challenges from all blobs in the epoch.
-   * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
-   *      beforehand from ALL blobs.
-   */
-  static async newAccumulator(blobs: Blob[]): Promise<BatchedBlobAccumulator> {
-    const finalBlobChallenges = await this.precomputeBatchedBlobChallenges(blobs);
-    return BatchedBlobAccumulator.newWithChallenges(finalBlobChallenges);
-  }
-
-  /**
-   * Gets the final challenges based on all blobs and their elements to perform a multi opening proof.
-   * Used in BatchedBlobAccumulator as 'finalZ' and finalGamma':
-   *  - z = H(...H(H(z_0, z_1) z_2)..z_n)
-   *    - where z_i = H(H(fields of blob_i), C_i) = Blob.challengeZ,
-   *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
-   *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
-   *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }, for all blob evaluations y_i (see above) and commitments C_i.
-   * @returns Challenges z and gamma.
-   */
-  static async precomputeBatchedBlobChallenges(blobs: Blob[]): Promise<FinalBlobBatchingChallenges> {
-    // We need to precompute the final challenge values to evaluate the blobs.
-    let z = blobs[0].challengeZ;
-    // We start at i = 1, because z is initialized as the first blob's challenge.
-    for (let i = 1; i < blobs.length; i++) {
-      z = await poseidon2Hash([z, blobs[i].challengeZ]);
-    }
-    // Now we have a shared challenge for all blobs, evaluate them...
-    const proofObjects = blobs.map(b => computeKzgProof(b.data, z.toBuffer()));
-    const evaluations = proofObjects.map(([_, evaluation]) => BLS12Fr.fromBuffer(Buffer.from(evaluation)));
-    // ...and find the challenge for the linear combination of blobs.
-    let gamma = await hashNoirBigNumLimbs(evaluations[0]);
-    // We start at i = 1, because gamma is initialized as the first blob's evaluation.
-    for (let i = 1; i < blobs.length; i++) {
-      gamma = await poseidon2Hash([gamma, await hashNoirBigNumLimbs(evaluations[i])]);
-    }
-    gamma = await poseidon2Hash([gamma, z]);
-
-    return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
-  }
-
-  static async precomputeEmptyBatchedBlobChallenges(): Promise<FinalBlobBatchingChallenges> {
-    const blobs = [await Blob.fromFields([])];
-    // We need to precompute the final challenge values to evaluate the blobs.
-    const z = blobs[0].challengeZ;
-    // Now we have a shared challenge for all blobs, evaluate them...
-    const proofObjects = blobs.map(b => computeKzgProof(b.data, z.toBuffer()));
-    const evaluations = proofObjects.map(([_, evaluation]) => BLS12Fr.fromBuffer(Buffer.from(evaluation)));
-    // ...and find the challenge for the linear combination of blobs.
-    let gamma = await hashNoirBigNumLimbs(evaluations[0]);
-    gamma = await poseidon2Hash([gamma, z]);
-
-    return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
-  }
-
-  // Returns ethereum's versioned blob hash, following kzg_to_versioned_hash: https://eips.ethereum.org/EIPS/eip-4844#helpers
-  getEthVersionedBlobHash(): Buffer {
-    const hash = sha256(this.commitment.compress());
-    hash[0] = VERSIONED_HASH_VERSION_KZG;
-    return hash;
-  }
-
-  static getEthVersionedBlobHash(commitment: Buffer): Buffer {
-    const hash = sha256(commitment);
-    hash[0] = VERSIONED_HASH_VERSION_KZG;
-    return hash;
-  }
-
-  /**
-   * Returns a proof of opening of the blobs to verify on L1 using the point evaluation precompile:
-   *
-   * input[:32]     - versioned_hash
-   * input[32:64]   - z
-   * input[64:96]   - y
-   * input[96:144]  - commitment C
-   * input[144:192] - commitment Q (a 'proof' committing to the quotient polynomial q(X))
-   *
-   * See https://eips.ethereum.org/EIPS/eip-4844#point-evaluation-precompile
-   */
-  getEthBlobEvaluationInputs(): `0x${string}` {
-    const buf = Buffer.concat([
-      this.getEthVersionedBlobHash(),
-      this.z.toBuffer(),
-      this.y.toBuffer(),
-      this.commitment.compress(),
-      this.q.compress(),
-    ]);
-    return `0x${buf.toString('hex')}`;
-  }
-}
-
-/**
- * Final values z and gamma are injected into each block root circuit. We ensure they are correct by:
- * - Checking equality in each block merge circuit and propagating up
- * - Checking final z_acc == z in root circuit
- * - Checking final gamma_acc == gamma in root circuit
- *
- *  - z = H(...H(H(z_0, z_1) z_2)..z_n)
- *    - where z_i = H(H(fields of blob_i), C_i),
- *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
- *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
- *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }
- *      for all blob evaluations y_i (see above) and commitments C_i.
- *
- * Iteratively calculated by BlobAccumulatorPublicInputs.accumulate() in nr. See also precomputeBatchedBlobChallenges() above.
- */
-export class FinalBlobBatchingChallenges {
-  constructor(
-    public readonly z: Fr,
-    public readonly gamma: BLS12Fr,
-  ) {}
-
-  equals(other: FinalBlobBatchingChallenges) {
-    return this.z.equals(other.z) && this.gamma.equals(other.gamma);
-  }
-
-  static empty(): FinalBlobBatchingChallenges {
-    return new FinalBlobBatchingChallenges(Fr.ZERO, BLS12Fr.ZERO);
-  }
-
-  static fromBuffer(buffer: Buffer | BufferReader): FinalBlobBatchingChallenges {
-    const reader = BufferReader.asReader(buffer);
-    return new FinalBlobBatchingChallenges(Fr.fromBuffer(reader), reader.readObject(BLS12Fr));
-  }
-
-  toBuffer() {
-    return serializeToBuffer(this.z, this.gamma);
-  }
-}
-
-/**
- * See noir-projects/noir-protocol-circuits/crates/blob/src/blob_batching_public_inputs.nr -> BlobAccumulatorPublicInputs
+ * See noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr
  */
 export class BatchedBlobAccumulator {
   constructor(
@@ -205,39 +39,6 @@ export class BatchedBlobAccumulator {
     public readonly finalBlobChallenges: FinalBlobBatchingChallenges,
   ) {}
 
-  /**
-   * Init the first accumulation state of the epoch.
-   * We assume the input blob has not been evaluated at z.
-   *
-   * First state of the accumulator:
-   * - v_acc := sha256(C_0)
-   * - z_acc := z_0
-   * - y_acc := gamma^0 * y_0 = y_0
-   * - c_acc := gamma^0 * c_0 = c_0
-   * - gamma_acc := poseidon2(y_0.limbs)
-   * - gamma^(i + 1) = gamma^1 = gamma // denoted gamma_pow_acc
-   *
-   * @returns An initial blob accumulator.
-   */
-  static async initialize(
-    blob: Blob,
-    finalBlobChallenges: FinalBlobBatchingChallenges,
-  ): Promise<BatchedBlobAccumulator> {
-    const [q, evaluation] = computeKzgProof(blob.data, finalBlobChallenges.z.toBuffer());
-    const firstY = BLS12Fr.fromBuffer(Buffer.from(evaluation));
-    // Here, i = 0, so:
-    return new BatchedBlobAccumulator(
-      sha256ToField([blob.commitment]), // blobCommitmentsHashAcc = sha256(C_0)
-      blob.challengeZ, // zAcc = z_0
-      firstY, // yAcc = gamma^0 * y_0 = 1 * y_0
-      BLS12Point.decompress(blob.commitment), // cAcc = gamma^0 * C_0 = 1 * C_0
-      BLS12Point.decompress(Buffer.from(q)), // qAcc = gamma^0 * Q_0 = 1 * Q_0
-      await hashNoirBigNumLimbs(firstY), // gammaAcc = poseidon2(y_0.limbs)
-      finalBlobChallenges.gamma, // gammaPow = gamma^(i + 1) = gamma^1 = gamma
-      finalBlobChallenges,
-    );
-  }
-
   /**
    * Create the empty accumulation state of the epoch.
    * @returns An empty blob accumulator with challenges.
@@ -255,25 +56,128 @@ export class BatchedBlobAccumulator {
     );
   }
 
+  /**
+   * Returns an empty BatchedBlobAccumulator with precomputed challenges from all blobs in the epoch.
+   * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
+   *      beforehand from ALL blobs.
+   */
+  static async fromBlobFields(blobFieldsPerCheckpoint: Fr[][]): Promise<BatchedBlobAccumulator> {
+    const finalBlobChallenges = await this.precomputeBatchedBlobChallenges(blobFieldsPerCheckpoint);
+    return BatchedBlobAccumulator.newWithChallenges(finalBlobChallenges);
+  }
+
+  /**
+   * Get the final batched opening proof from multiple blobs.
+   * @dev MUST input all blobs to be broadcast. Does not work in multiple calls because z and gamma are calculated
+   *      beforehand from ALL blobs.
+   *
+   * @returns A batched blob.
+   */
+  static async batch(blobFieldsPerCheckpoint: Fr[][], verifyProof = false): Promise<BatchedBlob> {
+    const numCheckpoints = blobFieldsPerCheckpoint.length;
+    if (numCheckpoints > AZTEC_MAX_EPOCH_DURATION) {
+      throw new Error(
+        `Too many checkpoints sent to batch(). The maximum is ${AZTEC_MAX_EPOCH_DURATION}. Got ${numCheckpoints}.`,
+      );
+    }
+
+    // Precalculate the values (z and gamma) and initialize the accumulator:
+    let acc = await this.fromBlobFields(blobFieldsPerCheckpoint);
+    // Now we can create a multi opening proof of all input blobs:
+    for (const blobFields of blobFieldsPerCheckpoint) {
+      acc = await acc.accumulateFields(blobFields);
+    }
+    return await acc.finalize(verifyProof);
+  }
+
+  /**
+   * Gets the final challenges based on all blobs and their elements to perform a multi opening proof.
+   * Used in BatchedBlobAccumulator as 'finalZ' and finalGamma':
+   *  - z = H(...H(H(z_0, z_1) z_2)..z_n)
+   *    - where z_i = H(H(fields of blob_i), C_i) = Blob.challengeZ,
+   *    - used such that p_i(z) = y_i = Blob.evaluationY for all n blob polynomials p_i().
+   *  - gamma = H(H(...H(H(y_0, y_1) y_2)..y_n), z)
+   *    - used such that y = sum_i { gamma^i * y_i }, and C = sum_i { gamma^i * C_i }, for all blob evaluations y_i (see above) and commitments C_i.
+   *
+   * @param blobs - The blobs to precompute the challenges for. Each sub-array is the blobs for an L1 block.
+   * @returns Challenges z and gamma.
+   */
+  static async precomputeBatchedBlobChallenges(blobFieldsPerCheckpoint: Fr[][]): Promise<FinalBlobBatchingChallenges> {
+    // Compute the final challenge z to evaluate the blobs.
+    let z: Fr | undefined;
+    const allBlobs = [];
+    for (const blobFields of blobFieldsPerCheckpoint) {
+      // Compute the hash of all the fields in the block.
+      const blobFieldsHash = await computeBlobFieldsHash(blobFields);
+      const blobs = getBlobsPerL1Block(blobFields);
+      for (const blob of blobs) {
+        // Compute the challenge z for each blob and accumulate it.
+        const challengeZ = await blob.computeChallengeZ(blobFieldsHash);
+        if (!z) {
+          z = challengeZ;
+        } else {
+          z = await poseidon2Hash([z, challengeZ]);
+        }
+      }
+      allBlobs.push(...blobs);
+    }
+    if (!z) {
+      throw new Error('No blobs to precompute challenges for.');
+    }
+
+    // Now we have a shared challenge for all blobs, evaluate them...
+    const proofObjects = allBlobs.map(b => b.evaluate(z));
+    const evaluations = await Promise.all(proofObjects.map(({ y }) => hashNoirBigNumLimbs(y)));
+    // ...and find the challenge for the linear combination of blobs.
+    let gamma = evaluations[0];
+    // We start at i = 1, because gamma is initialized as the first blob's evaluation.
+    for (let i = 1; i < allBlobs.length; i++) {
+      gamma = await poseidon2Hash([gamma, evaluations[i]]);
+    }
+    gamma = await poseidon2Hash([gamma, z]);
+
+    return new FinalBlobBatchingChallenges(z, BLS12Fr.fromBN254Fr(gamma));
+  }
+
   /**
    * Given blob i, accumulate all state.
    * We assume the input blob has not been evaluated at z.
    * @returns An updated blob accumulator.
    */
-  async accumulate(blob: Blob) {
+  async accumulateBlob(blob: Blob, blobFieldsHash: Fr) {
+    const { proof, y: thisY } = blob.evaluate(this.finalBlobChallenges.z);
+    const thisC = BLS12Point.decompress(blob.commitment);
+    const thisQ = BLS12Point.decompress(proof);
+    const blobChallengeZ = await blob.computeChallengeZ(blobFieldsHash);
+
     if (this.isEmptyState()) {
-      return BatchedBlobAccumulator.initialize(blob, this.finalBlobChallenges);
+      /**
+       * Init the first accumulation state of the epoch.
+       * - v_acc := sha256(C_0)
+       * - z_acc := z_0
+       * - y_acc := gamma^0 * y_0 = y_0
+       * - c_acc := gamma^0 * c_0 = c_0
+       * - gamma_acc := poseidon2(y_0.limbs)
+       * - gamma^(i + 1) = gamma^1 = gamma // denoted gamma_pow_acc
+       */
+      return new BatchedBlobAccumulator(
+        sha256ToField([blob.commitment]), // blobCommitmentsHashAcc = sha256(C_0)
+        blobChallengeZ, // zAcc = z_0
+        thisY, // yAcc = gamma^0 * y_0 = 1 * y_0
+        thisC, // cAcc = gamma^0 * C_0 = 1 * C_0
+        thisQ, // qAcc = gamma^0 * Q_0 = 1 * Q_0
+        await hashNoirBigNumLimbs(thisY), // gammaAcc = poseidon2(y_0.limbs)
+        this.finalBlobChallenges.gamma, // gammaPow = gamma^(i + 1) = gamma^1 = gamma
+        this.finalBlobChallenges,
+      );
     } else {
-      const [q, evaluation] = computeKzgProof(blob.data, this.finalBlobChallenges.z.toBuffer());
-      const thisY = BLS12Fr.fromBuffer(Buffer.from(evaluation));
-
       // Moving from i - 1 to i, so:
       return new BatchedBlobAccumulator(
         sha256ToField([this.blobCommitmentsHashAcc, blob.commitment]), // blobCommitmentsHashAcc := sha256(blobCommitmentsHashAcc, C_i)
-        await poseidon2Hash([this.zAcc, blob.challengeZ]), // zAcc := poseidon2(zAcc, z_i)
+        await poseidon2Hash([this.zAcc, blobChallengeZ]), // zAcc := poseidon2(zAcc, z_i)
         this.yAcc.add(thisY.mul(this.gammaPow)), // yAcc := yAcc + (gamma^i * y_i)
-        this.cAcc.add(BLS12Point.decompress(blob.commitment).mul(this.gammaPow)), // cAcc := cAcc + (gamma^i * C_i)
-        this.qAcc.add(BLS12Point.decompress(Buffer.from(q)).mul(this.gammaPow)), // qAcc := qAcc + (gamma^i * C_i)
+        this.cAcc.add(thisC.mul(this.gammaPow)), // cAcc := cAcc + (gamma^i * C_i)
+        this.qAcc.add(thisQ.mul(this.gammaPow)), // qAcc := qAcc + (gamma^i * C_i)
         await poseidon2Hash([this.gammaAcc, await hashNoirBigNumLimbs(thisY)]), // gammaAcc := poseidon2(gammaAcc, poseidon2(y_i.limbs))
         this.gammaPow.mul(this.finalBlobChallenges.gamma), // gammaPow = gamma^(i + 1) = gamma^i * final_gamma
         this.finalBlobChallenges,
@@ -284,13 +188,25 @@ export class BatchedBlobAccumulator {
   /**
    * Given blobs, accumulate all state.
    * We assume the input blobs have not been evaluated at z.
+   * @param blobFields - The blob fields of a checkpoint to accumulate.
    * @returns An updated blob accumulator.
    */
-  async accumulateBlobs(blobs: Blob[]) {
+  async accumulateFields(blobFields: Fr[]) {
+    const blobs = getBlobsPerL1Block(blobFields);
+
+    if (blobs.length > BLOBS_PER_CHECKPOINT) {
+      throw new Error(
+        `Too many blobs to accumulate. The maximum is ${BLOBS_PER_CHECKPOINT} per checkpoint. Got ${blobs.length}.`,
+      );
+    }
+
+    // Compute the hash of all the fields in the block.
+    const blobFieldsHash = await computeBlobFieldsHash(blobFields);
+
     // Initialize the acc to iterate over:
     let acc: BatchedBlobAccumulator = this.clone();
-    for (let i = 0; i < blobs.length; i++) {
-      acc = await acc.accumulate(blobs[i]);
+    for (const blob of blobs) {
+      acc = await acc.accumulateBlob(blob, blobFieldsHash);
     }
     return acc;
   }
@@ -306,9 +222,10 @@ export class BatchedBlobAccumulator {
    * - c := c_acc (final commitment to be checked on L1)
    * - gamma := poseidon2(gamma_acc, z) (challenge for linear combination of y and C, above)
    *
+   * @param verifyProof - Whether to verify the KZG proof.
    * @returns A batched blob.
    */
-  async finalize(): Promise<BatchedBlob> {
+  async finalize(verifyProof = false): Promise<BatchedBlob> {
     // All values in acc are final, apart from gamma := poseidon2(gammaAcc, z):
     const calculatedGamma = await poseidon2Hash([this.gammaAcc, this.zAcc]);
     // Check final values:
@@ -322,11 +239,23 @@ export class BatchedBlobAccumulator {
         `Blob batching mismatch: accumulated gamma ${calculatedGamma} does not equal injected gamma ${this.finalBlobChallenges.gamma.toBN254Fr()}`,
       );
     }
-    if (!verifyKzgProof(this.cAcc.compress(), this.zAcc.toBuffer(), this.yAcc.toBuffer(), this.qAcc.compress())) {
+
+    const batchedBlob = new BatchedBlob(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.qAcc);
+
+    if (verifyProof && !this.verify()) {
       throw new Error(`KZG proof did not verify.`);
     }
 
-    return new BatchedBlob(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc, this.qAcc);
+    return batchedBlob;
+  }
+
+  verify() {
+    return getKzg().verifyKzgProof(
+      this.cAcc.compress(),
+      this.zAcc.toBuffer(),
+      this.yAcc.toBuffer(),
+      this.qAcc.compress(),
+    );
   }
 
   isEmptyState() {
@@ -353,11 +282,19 @@ export class BatchedBlobAccumulator {
       FinalBlobBatchingChallenges.fromBuffer(this.finalBlobChallenges.toBuffer()),
     );
   }
-}
 
-// To mimic the hash accumulation in the rollup circuits, here we hash
-// each u128 limb of the noir bignum struct representing the BLS field.
-async function hashNoirBigNumLimbs(field: BLS12Field): Promise<Fr> {
-  const num = field.toNoirBigNum();
-  return await poseidon2Hash(num.limbs.map(Fr.fromHexString));
+  toBlobAccumulator() {
+    return new BlobAccumulator(
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      this.yAcc,
+      this.cAcc,
+      this.gammaAcc,
+      this.gammaPow,
+    );
+  }
+
+  toFinalBlobAccumulator() {
+    return new FinalBlobAccumulator(this.blobCommitmentsHashAcc, this.zAcc, this.yAcc, this.cAcc);
+  }
 }

package/src/blob_utils.ts

@@ -0,0 +1,82 @@
+import { FIELDS_PER_BLOB } from '@aztec/constants';
+import { BLS12Point } from '@aztec/foundation/curves/bls12';
+import { Fr } from '@aztec/foundation/curves/bn254';
+
+import type { BatchedBlob } from './batched_blob.js';
+import { Blob } from './blob.js';
+import { type CheckpointBlobData, decodeCheckpointBlobDataFromBuffer } from './encoding/index.js';
+import { computeBlobsHash, computeEthVersionedBlobHash } from './hash.js';
+
+/**
+ * @param blobs - The blobs to emit.
+ * @returns The blobs' compressed commitments in hex prefixed by the number of blobs. 1 byte for the prefix, 48 bytes
+ * per blob commitment.
+ * @dev Used for proposing blocks to validate injected blob commitments match real broadcast blobs.
+ */
+export function getPrefixedEthBlobCommitments(blobs: Blob[]): `0x${string}` {
+  // Prefix the number of blobs.
+  const lenBuf = Buffer.alloc(1);
+  lenBuf.writeUint8(blobs.length);
+
+  const blobBuf = Buffer.concat(blobs.map(blob => blob.commitment));
+
+  const buf = Buffer.concat([lenBuf, blobBuf]);
+  return `0x${buf.toString('hex')}`;
+}
+
+/**
+ * @param fields - Fields to broadcast in the blob(s)
+ * @returns As many blobs as required to broadcast the given fields to an L1 block.
+ *
+ * @throws If the number of fields does not match what's indicated by the checkpoint prefix.
+ */
+export function getBlobsPerL1Block(fields: Fr[]): Blob[] {
+  if (!fields.length) {
+    throw new Error('Cannot create blobs from empty fields.');
+  }
+
+  const numBlobs = Math.ceil(fields.length / FIELDS_PER_BLOB);
+  return Array.from({ length: numBlobs }, (_, i) =>
+    Blob.fromFields(fields.slice(i * FIELDS_PER_BLOB, (i + 1) * FIELDS_PER_BLOB)),
+  );
+}
+
+/**
+ * Get the encoded data from all blobs in the checkpoint.
+ * @param blobs - The blobs to read data from. Should be all the blobs for the L1 block proposing the checkpoint.
+ * @returns The encoded data of the checkpoint.
+ */
+export function decodeCheckpointBlobDataFromBlobs(blobs: Blob[]): CheckpointBlobData {
+  const buf = Buffer.concat(blobs.map(b => b.data));
+  return decodeCheckpointBlobDataFromBuffer(buf);
+}
+
+export function computeBlobsHashFromBlobs(blobs: Blob[]): Fr {
+  return computeBlobsHash(blobs.map(b => b.getEthVersionedBlobHash()));
+}
+
+export function getBlobCommitmentsFromBlobs(blobs: Blob[]): BLS12Point[] {
+  return blobs.map(b => BLS12Point.decompress(b.commitment));
+}
+
+/**
+ * Returns a proof of opening of the blobs to verify on L1 using the point evaluation precompile:
+ *
+ * input[:32]     - versioned_hash
+ * input[32:64]   - z
+ * input[64:96]   - y
+ * input[96:144]  - commitment C
+ * input[144:192] - commitment Q (a 'proof' committing to the quotient polynomial q(X))
+ *
+ * See https://eips.ethereum.org/EIPS/eip-4844#point-evaluation-precompile
+ */
+export function getEthBlobEvaluationInputs(batchedBlob: BatchedBlob): `0x${string}` {
+  const buf = Buffer.concat([
+    computeEthVersionedBlobHash(batchedBlob.commitment.compress()),
+    batchedBlob.z.toBuffer(),
+    batchedBlob.y.toBuffer(),
+    batchedBlob.commitment.compress(),
+    batchedBlob.q.compress(),
+  ]);
+  return `0x${buf.toString('hex')}`;
+}

package/src/circuit_types/blob_accumulator.ts

@@ -0,0 +1,96 @@
+import { BLS12_FQ_LIMBS, BLS12_FR_LIMBS } from '@aztec/constants';
+import { BLS12Fq, BLS12Fr, BLS12Point } from '@aztec/foundation/curves/bls12';
+import { Fr } from '@aztec/foundation/curves/bn254';
+import { BufferReader, FieldReader, serializeToBuffer } from '@aztec/foundation/serialize';
+
+/**
+ * See `noir-projects/noir-protocol-circuits/crates/blob/src/abis/blob_accumulator.nr` for documentation.
+ */
+export class BlobAccumulator {
+  constructor(
+    public blobCommitmentsHashAcc: Fr,
+    public zAcc: Fr,
+    public yAcc: BLS12Fr,
+    public cAcc: BLS12Point,
+    public gammaAcc: Fr,
+    public gammaPowAcc: BLS12Fr,
+  ) {}
+
+  static empty(): BlobAccumulator {
+    return new BlobAccumulator(Fr.ZERO, Fr.ZERO, BLS12Fr.ZERO, BLS12Point.ZERO, Fr.ZERO, BLS12Fr.ZERO);
+  }
+
+  equals(other: BlobAccumulator) {
+    return (
+      this.blobCommitmentsHashAcc.equals(other.blobCommitmentsHashAcc) &&
+      this.zAcc.equals(other.zAcc) &&
+      this.yAcc.equals(other.yAcc) &&
+      this.cAcc.equals(other.cAcc) &&
+      this.gammaAcc.equals(other.gammaAcc) &&
+      this.gammaPowAcc.equals(other.gammaPowAcc)
+    );
+  }
+
+  static fromBuffer(buffer: Buffer | BufferReader): BlobAccumulator {
+    const reader = BufferReader.asReader(buffer);
+    return new BlobAccumulator(
+      Fr.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+      BLS12Point.fromBuffer(reader),
+      Fr.fromBuffer(reader),
+      BLS12Fr.fromBuffer(reader),
+    );
+  }
+
+  toBuffer() {
+    return serializeToBuffer(
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      this.yAcc,
+      this.cAcc,
+      this.gammaAcc,
+      this.gammaPowAcc,
+    );
+  }
+
+  toFields() {
+    return [
+      this.blobCommitmentsHashAcc,
+      this.zAcc,
+      ...this.yAcc.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.cAcc.x.toNoirBigNum().limbs.map(Fr.fromString),
+      ...this.cAcc.y.toNoirBigNum().limbs.map(Fr.fromString),
+      new Fr(this.cAcc.isInfinite),
+      this.gammaAcc,
+      ...this.gammaPowAcc.toNoirBigNum().limbs.map(Fr.fromString),
+    ];
+  }
+
+  static fromFields(fields: Fr[] | FieldReader): BlobAccumulator {
+    const reader = FieldReader.asReader(fields);
+    return new BlobAccumulator(
+      reader.readField(),
+      reader.readField(),
+      BLS12Fr.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FR_LIMBS).map(f => f.toString()) }),
+      new BLS12Point(
+        BLS12Fq.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map(f => f.toString()) }),
+        BLS12Fq.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FQ_LIMBS).map(f => f.toString()) }),
+        reader.readBoolean(),
+      ),
+      reader.readField(),
+      BLS12Fr.fromNoirBigNum({ limbs: reader.readFieldArray(BLS12_FR_LIMBS).map(f => f.toString()) }),
+    );
+  }
+
+  static random() {
+    return new BlobAccumulator(
+      Fr.random(),
+      Fr.random(),
+      BLS12Fr.random(),
+      BLS12Point.random(),
+      Fr.random(),
+      BLS12Fr.random(),
+    );
+  }
+}