EspressoSystems / nitro-espresso-integration

Nitro goes vroom and fixes everything

Sovereign Sequencer v1: ensure only sovereign sequencer can sequence L2 blocks #170

Open sveitser opened 1 month ago

sveitser commented 1 month ago

For the marketplace version this is handled by the marketplace. Only the designated builder can build blocks for the namespace and the rollup operator can operate the builder.

For the non-marketplace version there needs to be a way for external parties to verify that a transaction in the namespace is part of the canonical L2 chain because anyone can send transactions to the namespace.

One way to achieve this is by signing the payload of the Espresso transaction that the sovereign sequencer sends to the /submit endpoint.

I suggest that we work on this last for implementing the v1 changes because we can test everything else without it and there are some decisions to be made as to what key to use and how to distribute and rotate it. So if we're lucky by the time we would have to implement this we already went to v2.

If we do need to implement this I think it would make sense to re-use the wallet of the DataPoster for signing because it's also the entity that signs the batcher's L1 transactions. We can potentially use the datasigner to sign our transaction bytes, which is how nitro seems to sign messages it broadcasts between services.

https://github.com/EspressoSystems/nitro-espresso-integration/blob/ee9c8674a969758e57a187975b88ba56c54b8b69/util/signature/datasigner.go#L12
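The following is an added illustration of the scheme sketched in this comment, not code from the nitro-espresso-integration repository or from the datasigner linked above. It shows the two halves that the issue asks for: the sovereign sequencer signs the bytes it is about to send to /submit, bound to the namespace, and any external party that reads the namespace accepts a transaction as canonical only if that signature verifies under the published sequencer key. Everything here is hypothetical: the `SignedSubmission` envelope, the `domainTag`, and the use of P-256 with SHA-256 from the Go standard library, which stand in for the secp256k1/keccak256 signing an Ethereum wallet such as the DataPoster's would actually perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedSubmission is a hypothetical envelope for what the sovereign sequencer
// would hand to the Espresso /submit endpoint: the raw L2 message bytes, the
// namespace they belong to, and the sequencer's signature over both.
type SignedSubmission struct {
	Namespace uint64
	Payload   []byte
	Signature []byte // ASN.1 DER encoded ECDSA signature (r, s)
}

// ErrNotSequencer is returned for anything in the namespace that was not signed
// by the sovereign sequencer's key (anyone can write to the namespace).
var ErrNotSequencer = errors.New("submission not signed by the sovereign sequencer")

// domainTag separates these signatures from anything else the same wallet key
// signs (for example L1 batch transactions), so one cannot be replayed as the other.
// The tag value is an assumption for this example.
const domainTag = "sovereign-sequencer-v1/submit"

// signingDigest binds the domain tag, the namespace and the length-prefixed payload
// into one 32-byte hash. SHA-256 stands in for keccak256 here.
func signingDigest(namespace uint64, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(domainTag))
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], namespace)
	h.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], uint64(len(payload)))
	h.Write(buf[:])
	h.Write(payload)
	return h.Sum(nil)
}

// GenerateSequencerKey makes a fresh P-256 key pair standing in for the sequencer wallet.
func GenerateSequencerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the sequencer side: sign the bytes before sending them to /submit.
func Sign(priv *ecdsa.PrivateKey, namespace uint64, payload []byte) (SignedSubmission, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signingDigest(namespace, payload))
	if err != nil {
		return SignedSubmission{}, err
	}
	return SignedSubmission{
		Namespace: namespace,
		Payload:   append([]byte(nil), payload...),
		Signature: sig,
	}, nil
}

// Verify is the external-party side: given the sequencer's published public key,
// accept a transaction read from the namespace only if it carries a valid signature
// over exactly this namespace and payload. Tampered, re-namespaced or foreign
// submissions all fail.
func Verify(sequencerPub *ecdsa.PublicKey, s SignedSubmission) error {
	if !ecdsa.VerifyASN1(sequencerPub, signingDigest(s.Namespace, s.Payload), s.Signature) {
		return ErrNotSequencer
	}
	return nil
}

func main() {
	seqKey, err := GenerateSequencerKey()
	if err != nil {
		panic(err)
	}
	const namespace = 10
	l2msg := []byte("constructed L2 message bytes") // constructed sample input

	sub, err := Sign(seqKey, namespace, l2msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("sequencer submission:", Verify(&seqKey.PublicKey, sub))

	// Anyone else can send to the namespace, but their submission is not canonical.
	otherKey, _ := GenerateSequencerKey()
	foreign, _ := Sign(otherKey, namespace, l2msg)
	fmt.Println("foreign submission:", Verify(&seqKey.PublicKey, foreign))
}
```

The verifier only needs the public key, which is why the open question in the comment (which key, how to distribute and rotate it) is the real work: the signature check itself is a few lines, and with a wallet key it would be done by recovering the signer address from the signature and comparing it to the known sequencer address rather than by holding a P-256 public key as above.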

sveitser commented 1 month ago

I removed the quoted part below from the issue description because we found an issue with it. Keeping it here for context.

After some discussion with @ImJeremyHe we may not need to do anything for this issue:

Jeremy He: In our e2e test, the sequencer sends the l2 messages to batch poster via the web socket
Jeremy He: https://github.com/EspressoSystems/nitro-espresso-integration/blob/9f4ef0d81db571793ce92d9360d64d491aa347cc/broadcastclient/broadcastclient.go#L72-L73 There is a verify config here
Jeremy He: https://github.com/EspressoSystems/nitro-espresso-integration/blob/9f4ef0d81db571793ce92d9360d64d491aa347cc/system_tests/espresso_e2e_test.go#L160-L161

So there is already an authenticated communication channel between nitro sequencer and batch poster. The batch poster could receive or compute the hash of the L2 message and query https://docs.espressosys.com/sequencer/api-reference/sequencer-api/availability-api#get-availability-transaction to know what Espresso Sequencer block contains the finalized transaction. If another entity were to send transactions to the namespace they would simply be ignored.

@ImJeremyHe @jbearer after some recent discussion regarding pre-confirmations I think we do actually need this again, because we can't rely on signing in the broadcast channel between the nitro sequencer and batch poster: other parties also need to be able to verify that the L2 message sent to Espresso was signed by the right entity.