Introduction to the technology behind Zcash halo2

1 Introduction

Since 2019, the ECC team has carried out preliminary research on the scalability of Zcash, with the results planned for deployment in 2021. The main result of this research is Halo, a new type of zk-SNARK that solves two main problems for Zcash:

  • it removes the trusted setup without sacrificing performance;
  • it provides an extensible framework for private digital payments.

For the Halo paper, see "Recursive Proof Composition without a Trusted Setup"; also see my blog:

Halo2, built on the foundation of Halo, is a high-performance zk-SNARK implementation written in Rust. In this implementation the trusted setup is eliminated while the scalability of Zcash is ensured.

2. The technology behind Halo 2

2.1 Sonic

In 2019, Sean Bowe co-authored the paper "Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings". The Sonic protocol has two main elements, and with them Sonic can use a polynomial commitment scheme to create zero-knowledge proofs for arbitrary computations:

  • 1) Polynomial commitment scheme (improved in the Halo paper, which realized a polynomial commitment scheme based on the inner product argument that supports aggregation).
  • 2) Polynomial IOP (improved in the Marlin and PLONK papers; PLONK's improved polynomial IOP has higher flexibility and better efficiency).

Among current polynomial commitment schemes, the most efficient ones are based on pairing-friendly groups and require a trusted setup. Sonic uses such a pairing-based polynomial commitment scheme, so it requires a trusted setup.

Another branch is the polynomial commitment scheme based on the inner product argument in Bulletproofs. This scheme needs no trusted setup and has a relatively small (logarithmic-size) proof, but the cost is poor verification performance: the verifier's work is linear in the size of the committed polynomial.

2.2 Halo: a polynomial commitment scheme based on the inner product argument that supports aggregation

The Halo paper describes the polynomial commitment scheme based on the inner product argument in detail and at the same time introduces a new aggregation technique. With this technique, the expensive part of verifying a large number of independently created proofs can be shared, so that verifying all of them costs about the same as verifying a single proof. This makes Halo a better solution than Zcash's existing zk-SNARK.

The Halo paper describes a specific form of recursive proof composition: it takes the polynomial IOP described in the Sonic paper and replaces Sonic's pairing-based polynomial commitment with the polynomial commitment scheme based on the inner product argument.

The so-called recursive proof composition refers to:

  • allowing one proof to attest to the correctness of other proofs, with practically no upper limit on how many;
  • effectively compressing large amounts of computation (and data).
    (Recursive proof composition holds the potential for compressing unlimited amounts of computation, creating auditable distributed systems, building highly scalable blockchains and protecting privacy for all of humanity. The concept is a proof that verifies the correctness of another instance of itself, allowing any amount of computational effort and data to produce a short proof that can be checked quickly.)

Recursive proof composition is a basic building block of a scalable Zcash: it not only supports horizontal expansion of the network, but also lets participants with limited resources trust the integrity of the rest of the network.

Before Halo, achieving recursive proof composition required a large amount of computational overhead and a trusted setup.
In Halo, the "nested amortization" technique is built on top of the aggregation technique mentioned above, so that:

  • a polynomial commitment scheme based on the inner product argument can be used to achieve recursive proof composition;
  • performance is significantly improved;
  • a trusted setup is avoided.

Subsequently, in the 2020 paper "Proof-Carrying Data from Accumulation Schemes", Bünz, Chiesa, Mishra and Spooner generalized the recursive proof composition technique in Halo into an "accumulation scheme" and proved its security. The new name "accumulation scheme" reflects how Halo's "nested amortization" actually works: proofs are added to an "accumulator" (each addition is tied to the previous state of the accumulator), so that by checking the current state of the accumulator we can, by induction, check that all previous proofs are correct.

2.3 Marlin and PLONK: an improved polynomial IOP with higher flexibility and better efficiency

Although Halo achieves recursive proof composition without a trusted setup, its performance still could not meet the requirements.

Around the same time as Halo, many other teams discovered new polynomial IOPs that are more efficient than Sonic's, such as Marlin. Among these polynomial IOPs, the most efficient is PLONK.

PLONK provides great flexibility for designing an efficient implementation based on the specific needs of the application. This flexibility is essential for building a more efficient version of Halo.

3. Halo VS Halo2

The biggest difference between Halo2 and Halo is that Halo2 replaces the polynomial IOP from Sonic with the more efficient polynomial IOP from PLONK.

That is, Halo uses the Sonic scheme to verify transactions, and Halo2 uses PLONK. PLONK is more efficient than Sonic, and (for example through custom gates) it can represent more complicated circuits with fewer gates.

The new ideas behind Halo have been adopted by recursive SNARK projects such as Coda (Pickles) and Mir (Plonky).

  • Halo program code implementation: https://github.com/ebfull/halo
  • Code implementation of Halo2 scheme: https://github.com/zcash/halo2

4. The goal of Halo2

The goal of Halo2 is to build an implementation that meets community standards so that it can be integrated into the Zcash protocol.

In the actual implementation of Halo2, not only are the new ideas that emerged in the past few years adopted, but also optimizations and new techniques that the team discovered along the way; some of these are being written up into documents for publication to the community.

Halo2 development has received US$120,000 in support from the Ethereum Foundation and is carried out entirely by the ECC team. The plan is to remove the trusted setup from Zcash in early 2021. Support for recursive proofs in the future will lay the foundation for Layer 1 scalability.

Realizing new frontier technology is a long process. It includes scientific peer review, engineering, third-party security audits and testing to ensure safety. ECC has a record of safely deploying innovative technologies, and we know that this work requires collaboration. From open-sourcing Halo, to cooperation with the Ethereum Foundation, to research on future implementations, collaboration is the core of our work.

5. The meaning of Halo2

In the Sapling upgrade, Zcash's performance was greatly improved, and third-party wallets and exchanges used Zcash's shielded technology for the first time.

Since Zcash is forked from the Bitcoin code base, the underlying layer itself is not scalable.
With Halo2, the circuit can be upgraded without a trusted setup, which makes Zcash's shielded protocol more flexible for future improvements, such as supporting additional assets like user-defined assets (UDAs).

At the same time, other projects and tokens that want the privacy Zcash achieves through cryptography can also benefit from it.

With Halo2, Zcash's scalability at the Layer 1 level can be unlocked.


Origin blog.csdn.net/mutourend/article/details/114059130