Halo2
Overview
Halo is a new zero-knowledge proof mechanism for Zcash that does not require a Trusted Setup process. For details, see the paper "Halo: Recursive Proof Composition without a Trusted Setup."
Halo2 was built by ECC (Electric Coin Company) on the foundation of Halo, upgraded with the PLONK arithmetization to take full advantage of PLONK features such as custom gates and PLONKup (lookup arguments), making zero-knowledge circuit development more efficient and convenient.
Core Technology
Recursive Proof Composition: The Halo paper describes a specific form of recursive proof composition. It extracts the Polynomial IOP described in the Sonic paper and replaces the pairing-based polynomial commitment scheme with one based on the inner product argument.
Pasta Curves: Halo2 uses the Pasta curves (Pallas and Vesta) to implement a recursive zk-SNARK proof system. The two curves form a cycle (the base field of each is the scalar field of the other), which is what lets one proof's verifier be expressed efficiently inside the other proof's circuit, giving recursive proofs without a trusted setup.
PLONK Integration: Halo2 further optimized the Polynomial IOP layer. PLONK was ultimately chosen because it supports more flexible circuit design.
Main Features
No Trusted Setup Required: This is one of the most important features of Halo/Halo2, eliminating the security risks and complexity of a trusted setup.
Recursive Proofs: Halo supports recursive proof composition, allowing multiple proofs to be combined into a single proof for proof aggregation.
Linear Verification Time: Unlike other recent zk-SNARK constructions, Halo's verifier runs in time linear in the circuit size, because the inner product argument's verifier must process the full vector of commitment generators (later optimizations reduced this cost).
Halo2 Improvements
Flexible Circuit Design: Through PLONK, Halo2 supports:
- Custom gates
- Lookups (lookup tables, PLONKup)
- A more flexible constraint system
Optimized Performance: Compared to the original Halo, Halo2 has significantly improved proof generation speed and verification efficiency.
Application in Zcash Orchard
Orchard Upgrade: Zcash Orchard adopted the halo2 ZK (zero-knowledge proof) framework. The circuit portion is based on halo2 gadgets including sinsemilla, ecc, merkle, poseidon, and integrates multiple chips.
Component Integration:
- Sinsemilla: Hash function
- ECC: Elliptic curve operations
- Merkle: Merkle tree proofs
- Poseidon: Another hash function
Technical Advantages
- No Trusted Setup: Eliminates the greatest security concern of setup-based SNARKs, the toxic waste of a trusted ceremony
- Recursion-Friendly: A proof can efficiently verify other proofs inside its own circuit
- Universality: The same public parameters serve all circuits
- Progressive Improvement: Supports continuous protocol upgrades
Comparison with Other Schemes
| Feature | Halo2 | Groth16 | PLONK |
|---|---|---|---|
| Trusted Setup | Not required | Circuit-specific | Universal (one-time) |
| Proof Size | Medium | Very small | Small |
| Recursion | Natively supported | Difficult | Possible |
| Circuit Flexibility | High | Low | High |
Recommended Reading
Related Concepts
- Zcash
- Recursive Proofs
- PLONK
- Pasta Curves
- Inner Product Argument