In series 2, we reviewed the architecture, design, and assembly instructions of TinyRAM, which is a convenient tool for expressing the provability of non-deterministic computations. This article focuses on zkp algorithm, the Halo principle, introduced by the Zcash R&D team in 2019. Among the zkp algorithms that are currently in use, existing problems include the need to layout a trust set up, such as Groth16, Plonk, etc.; or the proof size is way too large, such as Zk-snarks. Fractal is a recursive zkp protocol based on LDT technology, which fully satisfies the conciseness of zkp and is quantum-resistant. Although Halo is not concise enough, its recursive proof size remains around 3.5KiB, a much lower size compared to 120KiB (average proof size of Fractal's); moreover, Halo's simple one-step verification (linearly related to the circuit size) can be executed at the final step of recursive, attributing to the innovative Nested Amortization algorithm based on Accumulation schemes. The Arithmetization process and Sonic algorithm of Halo are based on the circuit design of R1CS, and then perform Polynomial IOP. However, it turns out that the Arithmetization process and Polynomial IOP scheme described in Plonk are more efficient; hence, based on the above changes, the Zcash team launched the Halo2 ZKP algorithm. Halo VS Halo2 A simple diagram can be used to show the process and similarities as well as differences of the above-listed two ZKP algorithms, as shown below: The Polynomial IOP technology in Sonic is applied by Halo to describe a Recursive Proof Composition algorithm, and the Inner Product argument technology in Bulletproof is also employed to replace the Polynomial Commitment Scheme in the algorithm, the replacement which eliminates the dependence on Trust Setup. Halo2 has been further optimized, mainly in the direction of Polynomial IOP. In recent years, researchers have discovered Polynomial IOP Scheme which is more efficient than Sonic, such as Marlin and Plonk. In comparison, Plonk was selected because it supports a more flexible circuit design. Halo2 Arithmetization In Halo, R1CS is applied to describe Circuit, and the mode is as follows: A * B = C qL * Xa + qR * Xb + qO * Xc + qM * XaXb + qC = 0 Plonk Arithmetization is used to represent Circuit in Halo2, and the mode is as follows: qL * Xa + qR * Xb + qO * Xc + qM * XaXb + qC = 0 Among all, q* is the selector polynomial. Different values represent different Gates, as shown in the following table:  Standard Plonk Arithmetization is made up of Add-rage and Multi-gate. In fact, we can also customize gates for actual application scenarios, such as Custom-gate. For instance, when needing to achieve constraint xc_i = xa_i xc_i-1(running product in the replacement argument), we can design it as follows: xb_i While Plonk Arithmetization can express it as: qL * Xa + qR * Xb + qO * Xc + qM * XaXb + qp * (Xc - XaXbXc(xw-1)) + qC = 0 Commitment Scheme Analogous to the Bulletproof algorithm, Halo2 adopts the Polynomial Commitment Scheme based on the Inner Product Argument and has made some optimization. Its calculation process can be shown as below: In short, the Inner Product Argument reduces the interaction complexity of Polynomial Commitment from O(n) to O(log(n)). Nonetheless, Verifier needs to perform one 0(n) level of operation for each Commitment proof, that is to calculate b and G. A new solution has been introduced in Halo2. For b calculations, it can be solved by using Laurent Polynomial, a special polynomial that can be calculated in the log time to get b; as for G, it is just available in the above-mentioned Polynomial Commitment based on the Inner Product Argument, but as mentioned earlier, each Commitment proof requires an O(n) level operation, so an Accumulation Scheme is proposed in Halo2. That is, the 0(n) level of operation is processed by Accumulate, and a plurality of proof verifying O(n) operation is accumulated on a proof. In the final part of Recursive, one calculation of O(n) is performed, so that multiple proofs amortize the time over one calculation time of an O(n). In Halo2, this process is defined as Nested Amortization. Recursive zk-snarks & Accumulation Scheme Halo2 applies Pasta curves: Pallas and Vesta to implement Recursive zk-snarks verification system. Mina also uses the cycle curves. Since Halo2 applies the Inner Product Argument, the complexity of Verify is O(n), which undermines the conciseness of Snarks. Hence, Halo2 proposes a new technology Nested Amortization, an aggregation technique. Details are as follows: Accumulation Scheme In the verification circuit, the operation of G is not implemented. The operation is O(n) while the Prover provides G and related calculation parameters as the witness of the circuit, that is, for the verification circuit, the G has been defaulted correctness, in fact, the correctness of G still needs a verifier to do, but this step can be aggregated, namely, the Accumulation Scheme is adopted; As mentioned in the first point, Verifier is still needed to verify the correctness of G, but we can accumulate multiple proof instances of G and its related parameters, and iterate to the last step, which is completed once by the verifier. The process actually completes the amortization of verification costs and is the core of Nested Amortization. Summary Halo2, which eliminates trust setup, is a recursive zk-snarks algorithm based on UltraPlonk Atithmetization technology and built on the Pasta curve. Many of Halo2's optimizations are worth of research and study, including the not-mentioned lookup (analogous to the Plookup protocol) friendly Pedersen-like hash algorithm and Sinsemilla. In the follow-up work, we will continue to study it and apply it to improve some viable work.

Zcash

Mina

Assembly

2022 - HackerNoon Contributor of the Year - Algorithms

2022 - HackerNoon Contributor of the Year - Architecture

2022 - HackerNoon Contributor of the Year - Blockchain

2022 - HackerNoon Contributor of the Year - Optimization

2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Optimization

Nominated for 2022 - HackerNoon Contributor of the Year - Algorithms

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Architecture

Nominated for 2022 - HackerNoon Contributor of the Year - Blockchain

Too Long; Didn't Read

Halo Principle Explained

Halo Principle Explained

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

How Binius Reduces Computational Complexity with Towers of Binary Fields

AI Helps Developers Ship More Code—Not Always Better Code

Bybit Private Wealth Management Beat November Downtrend with Top Fund Delivering Close to 30% APR

AI Meeting Tools Are the Next Productivity War, Here’s Why TicNote Might Win

Kyrgyzstan Launches $50M Gold-Backed Payment Access To Modernize Cross-Border Payments

The Next Palantir Could Ignite in Tel Aviv — and It’s Built on Soft-Signal Intelligence, Not Surveil

How Binius Reduces Computational Complexity with Towers of Binary Fields

AI Helps Developers Ship More Code—Not Always Better Code

Bybit Private Wealth Management Beat November Downtrend with Top Fund Delivering Close to 30% APR

AI Meeting Tools Are the Next Productivity War, Here’s Why TicNote Might Win

Kyrgyzstan Launches $50M Gold-Backed Payment Access To Modernize Cross-Border Payments

The Next Palantir Could Ignite in Tel Aviv — and It’s Built on Soft-Signal Intelligence, Not Surveil

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps