3

Recently I am learning Rollups, and one thing makes me confused is that, Does the compressed transaction in a batch need the parameter nonce?

Here in on-chain-scaling-to-potentially-500-tx-sec-through-mass-tx-validation published in 2018, the vitalik says: To send money, the user should construct the data which includes a 2-byte parameter nonce to differ the transactions that are sent from the same user.

But, in An Incomplete Guide to Rollups published in 2021, the vitalik also says that:

In the rollup, we can omit the nonce entirely, beacause we just recover the nonce from the pre-state; if someone tries replaying a transaction with an earlier nonce, the signature would fail to verify, as the signature would be checked against data that contains the new higher nonce.

So they are absolutely conflict.

Assume that there is no parameter nonce in compressed transaction, my question is:

  1. How could we recover the nonce from the pre-state since there is no parameter nonce in the transaction?
  2. How could we defend a replaying attack?
Improve this question

1 Answer 1

Reset to default
1

The nonce is somehow "hidden" in the signature

Basically:

  • Signing: when you sign your transaction you sign it with a nonce.
  • Push to L1: the sequencer of the rollup checks if the nonce is correct, then removes the nonce and push the transaction without the nonce on the L1.
  • Verification: when other nodes want to verify that the post-state is correct, they take your transaction, get the nonce number associated with your account (it is a field in the pre-state), add this nonce to your transaction and verify that the signature match.
Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.