TL;DR
We built and measured a hybrid optimistic-rollup dispute protocol that keeps the 1-of-N permissionless trust model of Cannon but moves the bisection off-chain and replaces the on-chain MIPS leaf execution with a single-instruction Groth16 proof. On a Sepolia PoC the contested path is 4 core dispute transactions (~0.72M gas), plus the resolveDispute settlement (~0.11M) — 5 on-chain txs, ~0.83M total. That is roughly an order of magnitude below Cannon’s spec-based estimate for a fully-played on-chain game (≈10–15M gas; we did not re-measure Cannon).
What this does and does NOT shorten: we keep the 7-day challenge window as an availability buffer, so this is not a “47-minute withdrawal” claim. What collapses from days to ~tens of minutes is the adversarial-path dispute resolution once a challenge is opened — and even that ~47-min figure is not measured; it is a model projection dominated by L1 confirmation (details below). Gas is real; latency is a model.
This builds directly on the idea proposed here in ZK Fraud Proof with ZK State Channel (Mar 2024) — using a ZK state channel to settle optimistic-rollup disputes with an on-demand ZK proof — and on the related hybrid-bisection + single-step-ZK discussions (e.g. Almost Instant Interactive Fraud Proof … multi-step ZK verifier). To be upfront: the high-level idea is not ours — it is essentially the #19004 proposal. Our contribution is narrower — a worked end-to-end implementation, on-chain measurement, and a structural (non-game-theoretic) safety argument. We’d value the community’s view on whether that delta is meaningful given Cartesi Dave / OP Kailua, or whether it is mostly engineering.
The problem
The 7-day fraud-proof window is the part of OR finality that is intrinsic to the optimistic model (not a bridge property). Existing dispute machinery improves it by trading on-chain verification cost (Cannon, BoLD) or off-chain proving cost (Morph’s full-batch RVP) for shorter wall-clock; none reduces both at once.
Approach (4 pieces)
- Off-chain bisection. The ⌈log₂ T⌉-round binary search over the disputed MIPS trace runs as signed P2P messages between challenger and sequencer. Only the co-signed terminal commitment touches L1.
- Poseidon-aligned bisection commitment. Both off-chain hashing and the ZK circuit’s public inputs use Poseidon, so the on-chain keccak256(abi.encodePacked(preHash, postHash, step)) commitment binds the off-chain result to the verifier. (We hit a real bug here — see “what external verification caught” below.)
- Single-instruction Groth16 proof. Only the one disputed MIPS step is proven (relation R_mips over BN254). Verifier gas is constant in batch size.
- 1-of-N permissionless validator pool. Instance-level dispute is bilateral, but safety only needs some honest-and-active validator in the pool. Fallback to the optimistic path has closed form (1−h)^N.
What we measured (and what we did NOT)
- Measured (Sepolia, single run — so treat as a point estimate, not a distribution): the 4 core dispute txs = 720,483 gas (initiate + bond + bisectionResult + submitProof); resolveDispute adds 105,267, so the full lifecycle is 5 on-chain txs ≈ 825,750 gas. submitProof (real Groth16 pairing check) = 279,930. Circuit: 16,857 R1CS constraints, single MIPS step. The Cannon baseline we compare against is a spec-based estimate (≈50K gas/move × a depth-73 game), not a re-measurement, so the “order of magnitude” framing is deliberate.
- NOT measured — projected: the ~47-min end-to-end latency. It comes from the liveness bound evaluated with measured proof/P2P primitives plus an assumed mainnet-finality L1 confirmation (~10–12 min/tx). The PoC run actually landed its txs in consecutive Sepolia blocks (~12 s apart), which is a lower bound, not the projection input. So: gas is real, latency is a model.
What external verification caught (worth flagging)
While re-running the PoC to confirm reproducibility, we found that the on-chain commitment check indexed the Groth16 public signals as [0],[1], but snarkjs emits circuit outputs before public inputs, so the signal order is [valid, preHash, postHash] — the bisected hashes are at [1],[2]. Under the old indexing no valid proof could clear the commitment check. Fixed, redeployed, and a real proof now passes on-chain. We mention this because it’s the kind of silent failure (protocol collapses to the optimistic path with no on-chain signal) that end-to-end gas tests alone don’t catch.
Relation to prior work (where we expect pushback)
- Cartesi Dave is the closest production-track design: bisection then a single validity proof at the leaf. Differences: Dave’s bisection is an on-chain tournament (we use an off-chain ZK state channel), and Dave proves a “fat” native-speed step of a RISC-V machine (we prove a single MIPS instruction).
- OP Kailua / Boundless hybrid mode replaces the interactive game with a ZK fraud proof; different point in the design space (no single-instruction leaf).
- BoLD keeps bisection on-chain (all-vs-all, O(N²) comms).
- Morph RVP proves the entire challenged batch (prover cost scales with batch).
Honest question to the community: is the “off-chain bisection + single-instruction ZK leaf + ZK state channel” triple meaningfully novel given Dave’s trajectory, or is the delta mostly engineering?
Limitations we’re not hiding
- Trusted setup is the deployment blocker. The PoC uses a single-party Groth16 setup for benchmarking; production needs an MPC ceremony (Powers of Tau + circuit Phase 2). This is the dominant reason we call it a research prototype.
- MIPS-27 subset → a completeness gap, not just a coverage number. The executor implements 27 of ~50 Cannon opcodes (Branch/Jump/Syscall deferred). The consequence we want to be explicit about: if a dispute’s terminal instruction is an unimplemented opcode, the single-instruction proof cannot currently be produced — the protocol stays sound (it never finalizes a wrong root) but is incomplete on that path until the subset is extended. Per-step R1CS cost is invariant to opcode count and Branch/Jump/Syscall share existing constraint families, so closing this is engineering, not a new circuit primitive — but it is not done yet.
- Independence in the fallback model. (1−h)^N assumes pairwise-independent validators; correlated infrastructure weakens it.
Feedback we’d value
- Is the single-instruction (vs fat-step) leaf a real advantage, or does Dave’s native-speed step dominate in practice once proving cost is included?
- Is a structural safety reduction (to Groth16 soundness + hash collision-resistance, no bond-vs-EV game theory) the right framing, or are we missing an incentive attack?
- For the off-chain ZK state channel: failure modes of the two-of-two co-signing under griefing beyond the timeout fallback?
Contracts / circuit / measurement artifacts are available on request (a public release is pending an IP clearance). We’re posting here to get the L2/ZK community’s read before committing to the production-track claims — pushback on the prior-work delta and the completeness gap above is exactly what we’re after.
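The off-chain bisection under "Approach" and the public-signal indexing bug under "What external verification caught" can be exercised together in a small regression test; the sketch below is an added example, not code from the original post or its contracts. Assumptions: SHA-256 stands in for both Poseidon and keccak256, the trace is a constructed toy, the commitment carries the challenger's post-state hash, valid == "1" marks a verified step, and all function names are hypothetical.

```javascript
// Added illustration, not the authors' contracts. SHA-256 stands in for both
// Poseidon (state hashes) and keccak256 (commitment); all names are hypothetical.
const { createHash } = require("node:crypto");
const sha = (s) => BigInt("0x" + createHash("sha256").update(s).digest("hex")).toString();

// Constructed toy trace: trace[i] is the state hash before step i.
function buildTrace(T, faultAt = -1) {
  const trace = [sha("genesis")];
  for (let i = 0; i < T; i++) trace.push(sha(`${trace[i]}|${i === faultAt ? "forged" : "exec"}`));
  return trace;
}

// Binary search for the single step where the two parties stop agreeing.
// Invariant: the hashes agree at lo and differ at hi.
function bisect(challenger, sequencer) {
  let lo = 0, hi = challenger.length - 1, rounds = 0;
  while (hi - lo > 1) {
    const mid = (lo + hi) >> 1;
    if (challenger[mid] === sequencer[mid]) lo = mid; else hi = mid;
    rounds++;
  }
  // Assumption: the commitment carries the challenger's post-state hash.
  return { step: lo, preHash: challenger[lo], postHash: challenger[hi], rounds };
}

// Stand-in for keccak256(abi.encodePacked(preHash, postHash, step)).
const commit = (pre, post, step) => sha(`${pre}|${post}|${step}`);

// snarkjs signal order is [valid, preHash, postHash]: outputs first, then public inputs.
function checkCommitment(stored, publicSignals, step, preIdx = 1, postIdx = 2) {
  if (publicSignals.length !== 3) return false;
  if (publicSignals[0] !== "1") return false; // assumption: valid == 1 means the step verified
  return commit(publicSignals[preIdx], publicSignals[postIdx], step) === stored;
}

function demo() {
  const T = 1024; // power of two, so the search takes exactly log2(T) rounds
  const r = bisect(buildTrace(T), buildTrace(T, 613));
  const stored = commit(r.preHash, r.postHash, r.step);
  const signals = ["1", r.preHash, r.postHash];
  return {
    step: r.step, rounds: r.rounds,
    fixed: checkCommitment(stored, signals, r.step),     // indices [1],[2]
    old: checkCommitment(stored, signals, r.step, 0, 1), // pre-fix indices [0],[1]
  };
}

console.log(demo());
```

Asserting that the old indexing rejects a well-formed signal vector, and the fixed one accepts it, turns the silent fallback to the optimistic path into a failing test.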