Halo2

Definition:

Halo2 is a zero-knowledge proof system developed by Zcash (Electric Coin Company) that achieves recursion without a trusted setup: a series of proofs can be chained so that each step verifies the correctness of the previous steps, accumulating into a single final proof that can be checked efficiently without any parameters from a trusted-setup ceremony. Halo2 builds on the original Halo paper (2019) and uses an IPA (Inner Product Argument) polynomial commitment scheme based on discrete logarithm assumptions, making it transparent (no trusted setup) while remaining practical for real applications. Scroll uses Halo2 as its proof system; Zcash’s Orchard protocol also uses it.


Why Recursion Matters

The scaling insight: If you can prove “I correctly verified proof P” efficiently, you can chain proofs. Each new proof verifies the previous one plus some new computation. At the end of a chain of N operations, you have one proof that verifies all N steps — without generating an N-times-larger proof.

Without recursion: ZK-rollups must batch all transactions in a fixed window and prove the entire batch at once. Proof generation time scales with batch size.

With recursion: You can prove incrementally — generate a proof for a small batch, then prove “last batch was valid + these new transactions are valid” in another proof. The final proof is the same size regardless of how many batches were chained.

This is called IVC (Incrementally Verifiable Computation), the theoretical goal that Halo and Halo2 made practical.


Technical Architecture

Polynomial commitment: Halo2 uses the IPA (Inner Product Argument) scheme, which is based on the hardness of the discrete logarithm problem in elliptic curve groups — no pairings required. This eliminates the need for the trusted setup that pairing-based systems (like KZG in PLONK) require.

Accumulation scheme: Halo2’s core innovation is an accumulation scheme: instead of fully verifying a proof at each step (which requires expensive elliptic curve operations), the verifier accumulates checks into a running state. Only the final step requires full verification. This makes recursive proof chains efficient.

PLONKish arithmetization: Halo2 uses a variant of PLONK’s arithmetization (customizable constraint systems, lookup tables) — borrowing PLONK’s expressive programming model while replacing the polynomial commitment scheme with IPA.
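
The IPA opening behind the polynomial commitment and accumulation paragraphs above, as an added Python example (not code from Halo2 or its authors): it commits to a polynomial's coefficients, opens it at a point with a log-size proof, and has the verifier fold the generators, which is the linear-time step that Halo-style accumulation defers. Assumptions: the toy group `P`, `Q` is constructed and not secure, all function names are hypothetical, and blinding (zero knowledge) is left out.

```python
import hashlib
from math import prod

# Toy group (constructed, NOT secure): order-Q subgroup of Z_P*, scalars mod Q.
P, Q = 2**127 - 1, 77158673929    # Mersenne prime P; Q is a prime factor of P - 1

def h2i(*parts):                  # hash to an integer (generators, Fiat-Shamir)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def gen(tag):                     # transparent setup: public hash, no ceremony
    return pow(2 + h2i("gen", tag) % (P - 3), (P - 1) // Q, P)

def msm(bases, scalars):          # product of bases[i] ** scalars[i]
    return prod(pow(g, s % Q, P) for g, s in zip(bases, scalars)) % P

def ip(a, b):                     # inner product mod Q
    return sum(x * y for x, y in zip(a, b)) % Q

def challenge(*transcript):       # returns (x, 1/x) with x nonzero mod Q
    x = 1 + h2i("chal", *transcript) % (Q - 1)
    return x, pow(x, -1, Q)

def fold(v, x, y, group=False):   # halve a vector: lo*x + hi*y (or lo^x * hi^y)
    lo, hi = v[:len(v) // 2], v[len(v) // 2:]
    if group:
        return [pow(l, x, P) * pow(h, y, P) % P for l, h in zip(lo, hi)]
    return [(l * x + h * y) % Q for l, h in zip(lo, hi)]

def open_at(G, U, coeffs, z):     # prover; len(coeffs) must be a power of two
    a, b = list(coeffs), [pow(z, i, Q) for i in range(len(coeffs))]
    v, rounds = ip(a, b), []      # v = p(z)
    st = challenge(msm(G, a), z, v)          # bind commitment, point and value
    while len(a) > 1:
        h = len(a) // 2
        L = msm(G[h:], a[:h]) * pow(U, ip(a[:h], b[h:]), P) % P
        R = msm(G[:h], a[h:]) * pow(U, ip(a[h:], b[:h]), P) % P
        x, xi = st = challenge(st, L, R)
        a, b, G = fold(a, x, xi), fold(b, xi, x), fold(G, xi, x, group=True)
        rounds.append((L, R))
    return v, rounds, a[0]

def verify(G, U, C, z, v, rounds, a):
    b, acc = [pow(z, i, Q) for i in range(len(G))], C * pow(U, v, P) % P
    st = challenge(C, z, v)
    for L, R in rounds:
        x, xi = st = challenge(st, L, R)
        acc = pow(L, x * x % Q, P) * acc * pow(R, xi * xi % Q, P) % P
        b, G = fold(b, xi, x), fold(G, xi, x, group=True)   # O(n) for the verifier
    return len(G) == 1 and acc == pow(G[0], a, P) * pow(U, a * b[0] % Q, P) % P
```

With generators `G = [gen(i) for i in range(8)]` and `U = gen("U")`, an 8-coefficient polynomial opens with three `(L, R)` pairs and one scalar, so the proof grows with log2 of the polynomial size while the verifier's generator folding stays linear.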


Halo2 vs Other Systems

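Feature          | Groth16          | PLONK+KZG       | Halo2+IPA | ZK-STARK
-----------------|------------------|-----------------|-----------|----------
Trusted setup    | Circuit-specific | Universal       | None      | None
Proof size       | Smallest         | Small           | Moderate  | Large
Recursion        | Complex          | Via aggregation | Native    | Native
Quantum security | No               | No              | No        | Plausible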

Scroll’s Use of Halo2

Scroll is an Ethereum ZK-rollup that uses Halo2 as its proving backend for the zkEVM (zero-knowledge Ethereum Virtual Machine). Scroll chose Halo2 for:

  • No trusted setup requirement (transparency for users)
  • Elliptic curve compatibility with Ethereum’s existing curves (bn254)
  • Expressive lookup table support for EVM opcode circuits

Scroll’s zkEVM circuit is one of the most complex Halo2 applications built so far — proving the execution of arbitrary Ethereum transactions.


Zcash Orchard

Zcash’s Orchard protocol (the newest shielded pool, deployed 2021) uses Halo2 for its proving system, replacing the Groth16-based Sapling pool. Orchard proves shielded transactions without any trusted setup — a significant security improvement over earlier Zcash technology.


Limitations

  • Proof size: Larger than Groth16 or KZG-based PLONK for the same circuit due to the IPA scheme’s properties.
  • Verification cost: IPA verification is somewhat more expensive than KZG verification, affecting on-chain gas costs.
  • Ecosystem maturity: The Halo2 proving toolchain (primarily Zcash’s Rust implementation) is less widely adopted than PLONK tooling, meaning fewer developers are familiar with it.

Last updated: 2026-04