Halo2 is a zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) proving system that eliminates the need for a trusted setup, a major advancement in cryptographic protocols. It builds upon its predecessor, Halo, by introducing a novel polynomial commitment scheme and a more efficient proof recursion mechanism. This architecture allows for the creation of complex, scalable zero-knowledge proofs without the security risks and logistical overhead associated with a one-time trusted ceremony, making it a trustless and more secure foundation for privacy-preserving applications.
LABS
Glossary
Halo2
Halo2 is a zero-knowledge proof system, specifically a ZK-SNARK, that enables recursive proof composition without requiring a trusted setup, using polynomial commitments and inner product arguments.
Chainscore © 2026
definition
ZERO-KNOWLEDGE PROOF SYSTEM
What is Halo2?
Halo2 is a zero-knowledge proof system developed by the Electric Coin Company (ECC), the creators of Zcash, designed to enable efficient and scalable private transactions and general-purpose computation.
At its core, Halo2 utilizes a Plonkish arithmetization and a custom polynomial commitment scheme based on the Inner Product Argument (IPA). This combination allows developers to express computational statements as constraint systems over a finite field. The proving system is highly flexible, supporting custom gates and lookup arguments, which are essential for optimizing proofs of complex operations like hash functions or range checks. Its design prioritizes prover efficiency and recursive proof composition, enabling proofs to verify other proofs, a key technique for building scalable blockchains and rollups.
The primary application of Halo2 is within the Zcash blockchain, where it powers the Orchard shielded transaction protocol, providing strong cryptographic privacy for users. Beyond cryptocurrency, its framework is a foundational component for zk-rollups and zkEVMs, such as those explored by Scroll and Taiko, which aim to scale Ethereum by bundling transactions into succinct proofs. The system's library, often referred to as the halo2 proving system, is implemented in Rust and provides APIs for circuit developers to build custom zero-knowledge applications, from private smart contracts to verifiable machine learning models.
how-it-works
ZERO-KNOWLEDGE PROVING SYSTEM
How Halo2 Works
Halo2 is a zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) proving system developed by the Electric Coin Company, notable for its recursive proof composition and lack of a trusted setup.
At its core, Halo2 is a plonkish proving system, building upon the PLONK protocol's universal trusted setup. Its architecture is defined by a constraint system where a prover demonstrates they have performed a correct computation by generating a proof that all polynomial constraints are satisfied. The system's flexibility comes from its use of custom gates and lookup arguments, allowing developers to design highly efficient circuits for specific computations like cryptographic operations or state transitions.
A key innovation of Halo2 is its support for recursive proof composition without requiring a pairing-friendly elliptic curve. This is enabled by its inner product argument and a polynomial commitment scheme based on the IPA (Inner Product Argument) from Bulletproofs. Recursion allows proofs to verify other proofs, enabling scalable zk-rollups and infinite proof aggregation, which is critical for building L2 scaling solutions on blockchains like Ethereum.
The development workflow involves writing a circuit using a domain-specific language (DSL), such as the halo2_proofs library in Rust. Developers define advice columns, fixed columns, and instance columns to represent private inputs, constants, and public inputs/outputs, respectively. The prover then generates a proof by committing to these polynomials, and the verifier checks the proof against the public instances. This process ensures the computation is valid without revealing the private inputs.
Unlike earlier zk-SNARKs like Groth16, Halo2 employs a universal and updatable trusted setup, meaning a single ceremony can be used for all circuits, and the toxic waste can be safely removed by a sequence of participants. Its performance is characterized by fast proving times and small proof sizes, making it a foundational technology for projects like Zcash (for its shield pool) and various zkEVM implementations aiming to scale Ethereum with zero-knowledge cryptography.
key-features
ZK-SNARK PROVING SYSTEM
Key Features of Halo2
Halo2 is a zero-knowledge proof system developed by the Electric Coin Company, known for its modular design, high performance, and support for recursive proof composition without a trusted setup.
01
Recursive Proof Composition
Halo2 enables recursive proof composition, allowing proofs to verify other proofs, enabling incrementally verifiable computation (IVC). This is a core innovation that eliminates the need for a trusted setup.
- Key Benefit: Enables the creation of succinct blockchain clients (e.g., zkEVM rollups) where a single proof can attest to the validity of a long chain of transactions.
- Mechanism: Uses an accumulation scheme where a proof's verification is "folded" into an accumulator, which is later verified in a batch.
02
Plonkish Arithmetization
Halo2 uses a flexible Plonkish arithmetization, a generalization of the PLONK proving system's constraint system. This provides a powerful framework for expressing computational circuits.
- Core Components: Circuits are defined using gates (custom constraints) and lookup arguments (for efficient range checks and pre-computed tables).
- Advantage: Offers greater expressiveness and efficiency for complex operations (like cryptographic primitives in zkRollups) compared to simpler R1CS-based systems.
03
No Trusted Setup
A defining feature of Halo2 is its transparent setup, meaning it does not require a trusted setup ceremony. The public parameters needed to generate and verify proofs are generated from public randomness.
- Security Benefit: Removes a critical point of failure and potential backdoor, enhancing the system's decentralization and trustlessness.
- Contrast: Differs from systems like Groth16, which require a one-time, complex multi-party computation (MPC) ceremony to generate a common reference string (CRS).
04
Modular & Extensible Design
Halo2 is built with a modular architecture, separating the frontend (circuit design) from the backend (proof system). This allows for different proving schemes and polynomial commitment schemes to be plugged in.
- Frontend: Developers write circuits using high-level APIs (e.g., in Rust).
- Backend: Can utilize various polynomial commitment schemes like IPA (Inner Product Argument) or KZG (with a trusted setup).
- Result: Enables innovation and optimization in different layers of the stack independently.
05
Lookup Arguments & Custom Gates
Halo2 provides powerful tools for circuit optimization through lookup arguments and custom gates.
- Lookup Arguments: Allow a circuit to prove a value exists in a pre-defined table, making operations like range checks, XOR, or bitwise operations extremely efficient.
- Custom Gates: Enable designers to create specialized constraints tailored to their computation, reducing the overall number of constraints and improving prover performance. This is crucial for complex applications like zkEVMs.
06
Applications & Adoption
Halo2's performance and features have made it a foundational technology for major scaling and privacy projects.
- zkRollups: Powers zkSync Era and Polygon zkEVM, enabling high-throughput, low-cost L2 scaling with Ethereum security.
- Privacy: Used in Zcash for its next-generation shielded transactions.
- General ZK: Serves as the proving backend for various ZK application circuits and co-processors due to its flexibility and active developer ecosystem.
recursive-composition
ZKP TECHNIQUE
Recursive Proof Composition
A method for incrementally verifying and combining zero-knowledge proofs, enabling the creation of a single, compact proof for a long-running or complex computation.
Recursive proof composition is a cryptographic technique where one zero-knowledge proof verifies the correctness of another, creating a chain or tree of proofs that can be aggregated into a single, final proof. In the context of Halo2, this is implemented without requiring a trusted setup, using its polynomial commitment scheme and a recursive verifier circuit. The core idea is that the verification logic of a proof is itself encoded as a circuit; proving that this verification check passes becomes the next step in the recursive chain. This allows for incremental verifiability, where large computations are broken into smaller, provable chunks.
The Halo2 proving system achieves recursion efficiently through its use of the Inner Product Argument (IPA) and a technique called accumulation. Instead of verifying each proof from scratch, the verifier's work is offloaded into an accumulator, which collects the verification equations. A single, final proof is then generated to demonstrate that all accumulated equations are satisfied. This process drastically reduces the overall verification cost and proof size, as the final proof's size remains constant regardless of the number of composed sub-proofs. This is critical for scaling zk-rollups and building zkEVMs.
A primary application is in blockchain scalability, particularly for zk-rollups. Here, recursive composition allows a rollup to generate a single succinct proof that validates an entire batch of transactions, which can then be verified on-chain with minimal gas cost. It also enables infinite proof recursion or proof aggregation, where proofs from multiple provers or over long time periods can be merged. This creates a proof of proofs, providing a cryptographic guarantee for a vast history of state transitions without requiring the verifier to re-execute the entire chain of logic.
trustless-setup
HALO2
The Trustless (Transparent) Setup
An explanation of the cryptographic breakthrough that allows Halo2, a zero-knowledge proof system, to operate without a trusted setup ceremony.
In the context of zero-knowledge proof systems like Halo2, a trustless or transparent setup refers to a configuration that does not require a one-time trusted setup ceremony to generate initial cryptographic parameters, thereby eliminating a critical security assumption and potential single point of failure. Unlike systems that rely on a trusted setup—where a secret parameter must be generated and then securely destroyed—Halo2's transparent setup uses publicly verifiable, updatable parameters that anyone can generate and verify, ensuring no party ever possesses toxic waste that could compromise the system's security.
The core innovation enabling this is the accumulation scheme, a recursive proof composition technique that allows the prover to iteratively combine proofs without needing secret trapdoors. This mechanism, built upon the Inner Product Argument (IPA) and polynomial commitments, creates a chain of proofs where each step verifies the previous one. Consequently, the system's security relies solely on standard cryptographic assumptions, such as the hardness of the discrete logarithm problem, rather than on the correct execution of a secret ceremony. This makes the setup process updatable and universally composable.
This architectural choice has profound implications for decentralization and long-term security. Projects built with Halo2, such as the zcash blockchain, can launch without organizing a complex multi-party computation (MPC) ceremony, reducing coordination overhead and launch risk. Furthermore, the system's security is not anchored to a specific point in time; the proving and verification keys are generated from public randomness, and the protocol remains secure even if the initial parameters were somehow compromised, as they contain no secrets. This property is sometimes described as post-quantum secure in the sense that the setup itself does not introduce quantum-vulnerable secrets.
From a developer's perspective, the trustless setup simplifies the deployment and maintenance of zk-SNARK applications. There is no need to manage or audit a ceremony, and the verification key is succinct and constant-sized, regardless of the circuit complexity. This contrasts with other transparent systems like STARKs, which may have larger proof sizes. The Halo2 proving system, particularly in its PLONKish arithmetization form, thus provides a powerful and practical toolkit for creating scalable, private applications on public blockchains without foundational trust assumptions.
ecosystem-usage
HALO2
Ecosystem Usage & Implementations
Halo2, a zero-knowledge proof system developed by the Electric Coin Company, is a foundational cryptographic primitive enabling scalable and efficient privacy-preserving applications. Its adoption spans multiple blockchain ecosystems for its modularity and performance.
02
Plonkish Arithmetization
Halo2 employs a Plonkish arithmetization scheme, a generalization of the PLONK protocol. This provides a highly flexible framework for constructing custom constraint systems.
- Core Feature: Developers can define custom gates and lookup arguments tailored to their specific application logic.
- Advantage: This modularity makes it suitable for a wide range of circuits beyond simple payments, including decentralized exchanges and identity protocols.
03
Recursive Proof Composition
A defining feature of Halo2 is its native support for incrementally verifiable computation (IVC) and recursive proof composition. This allows a proof to verify the correctness of another proof.
- Mechanism: Enables the creation of a single, succinct proof that validates an entire chain of transactions or state updates.
- Use Case: Critical for building parallel provers and scaling blockchains without trusted setups, as demonstrated by the Mina Protocol's recursive architecture.
04
Lookup Arguments & Custom Gates
Halo2 introduced powerful lookup arguments (like the one used in Plookup) as a first-class primitive. This optimizes circuits where relations are best expressed as lookups in a pre-defined table.
- Application: Extremely efficient for operations like range checks, cryptographic primitives (e.g., SHA256), and memory access patterns.
- Impact: Significantly reduces the number of constraints and prover time for complex computations compared to traditional R1CS.
05
No Trusted Setup
Halo2 can be deployed with a transparent setup, meaning it requires no trusted ceremony or ongoing toxic waste disposal. This is achieved through its use of the Inner Product Argument (IPA) and bulletproofs-style techniques.
- Security Benefit: Eliminates a major trust assumption and potential single point of failure present in some other zk-SNARK systems.
- Trade-off: The transparent setup can result in larger proof sizes compared to trusted-setup SNARKs, though verification remains efficient.
06
Modular Backend Provers
The Halo2 stack is designed with modularity in mind, separating the frontend (circuit design) from the backend (proof system). Different proving backends can be plugged in.
- Common Backends: The KZG polynomial commitment scheme (with a trusted setup) is often used for performance. The IPA-based backend provides transparency.
- Ecosystem: This design has fostered a toolkit (like the halo2 crate in Rust) that multiple projects build upon, standardizing circuit development.
COMPARISON
Halo2 vs. Other ZK Proof Systems
A technical comparison of key features and trade-offs between Halo2 and other prominent zero-knowledge proof systems.
| Feature / Metric | Halo2 | zk-SNARKs (Groth16, etc.) | zk-STARKs |
|---|---|---|---|
Proof System Family | Polynomial IOP with Recursion | SNARK (Succinct Non-interactive ARgument of Knowledge) | STARK (Scalable Transparent ARgument of Knowledge) |
Trusted Setup | |||
Transparency | |||
Quantum Resistance | |||
Proof Size | ~1-10 KB | < 1 KB | ~45-200 KB |
Verification Speed | < 10 ms | < 10 ms | ~10-100 ms |
Primary Innovation | Recursive proof composition without trusted setup | Small, fast-to-verify proofs | Transparent and post-quantum secure proofs |
Common Use Case | Complex state transitions, rollup proving | Private transactions, simple logic verification | High-throughput, audit-friendly computations |
technical-components
HALO2
Core Technical Components
Halo2 is a zero-knowledge proof system developed by the Electric Coin Company (ECC) that enables efficient, recursive proof composition without a trusted setup.
01
Plonkish Arithmetization
Halo2 uses a Plonkish arithmetization to structure computational statements into a form suitable for zero-knowledge proofs. This involves creating a constraint system where the prover demonstrates that a set of polynomial equations is satisfied.
- Key innovation: It employs custom gates and lookup arguments to efficiently handle complex operations like elliptic curve cryptography and hash functions.
- Flexibility: Developers can define their own polynomial constraints, optimizing for their specific circuit's needs.
02
Recursive Proof Composition
A core feature of Halo2 is its native support for recursive proof composition. This allows one proof to verify the correctness of other proofs, enabling incremental verifiability and proof aggregation.
- Scalability: Enables the creation of a single, succinct proof for a long chain of transactions or state updates.
- No trusted setup: Unlike some recursive systems, Halo2's recursion does not require an additional trusted ceremony, maintaining its trust-minimized properties.
03
Polynomial Commitments
Halo2 relies on polynomial commitment schemes (PCS) as its cryptographic backbone. The prover commits to polynomials representing the circuit and later opens them at random points chosen by the verifier.
- Inner Product Argument: Originally used the Bulletproofs-style inner product argument, making it transparent (no trusted setup).
- KZG Alternatives: Can also be instantiated with KZG commitments for potentially better performance, though this introduces a trusted setup requirement.
04
Lookup Arguments
To handle operations inefficient to express as polynomial constraints, Halo2 introduced powerful lookup arguments. These allow a prover to show that a value from a witness column exists in a pre-defined lookup table.
- Efficiency: Dramatically reduces circuit size for operations like range checks, bitwise operations, and fixed-point arithmetic.
- Implementation: The Plookup protocol and its variants are integrated, enabling efficient proof generation for complex, non-arithmetic relations.
05
Implementation & zkEVM
Halo2 is implemented in Rust and has become a foundational library for major zero-knowledge projects. Its most prominent application is in building zkEVMs (Zero-Knowledge Ethereum Virtual Machines).
- zkSync Era: Uses a modified Halo2 stack for its zkRollup.
- Scroll: Built its zkEVM using Halo2 as the core proof system.
- Taiko: Also employs Halo2 for its Type 1 zkEVM proving.
06
Advantages Over Predecessors
Halo2 offers several key improvements over earlier ZK-SNARK systems like Groth16 and its predecessor, Halo.
- No trusted setup (in its default configuration).
- Recursion-friendly architecture by design.
- Highly flexible arithmetization for developer-defined circuits.
- Active proving time and memory usage can be more efficient for large, complex circuits compared to some older systems.
history-evolution
ZKP PROVING SYSTEM
Halo2
Halo2 is a zero-knowledge proof system developed by the Electric Coin Company (ECC), representing a major evolution in the scalability and efficiency of blockchain technology.
Halo2 is a zero-knowledge succinct non-interactive argument of knowledge (zk-SNARK) proving system that introduced recursive proof composition without requiring a trusted setup, building upon the innovations of its predecessor, Halo. Developed primarily for the Zcash blockchain, its core advancement is the use of a polynomial commitment scheme based on the Inner Product Argument (IPA), which allows for more efficient proof generation and verification compared to earlier pairing-based systems like Groth16. This design eliminates the need for a persistent toxic waste ceremony, making the system more trust-minimized and sustainable for long-running networks.
The architecture of Halo2 is built around a Plonkish arithmetization, a flexible method for translating computational statements into polynomial equations that a zero-knowledge proof can verify. This arithmetization supports custom gates and lookup arguments, enabling highly efficient circuits for complex operations like hashing and digital signatures. A key feature is recursion, where proofs can verify other proofs, enabling applications like incremental verification and rollup scalability. This allows blockchains to bundle thousands of transactions into a single, compact proof, dramatically increasing throughput.
Halo2's impact extends far beyond Zcash, forming the cryptographic foundation for major Layer 2 scaling solutions and zkEVM implementations. Its library, implemented in Rust, has been adopted and forked by projects like Scroll, Taiko, and Polygon zkEVM to build Ethereum-compatible rollups. The system's efficiency and active developer ecosystem have made it a leading choice for teams building general-purpose zk-rollups, cementing its role in the evolution of zero-knowledge cryptography from a niche privacy tool to a cornerstone of blockchain scalability.
HALO2
Frequently Asked Questions (FAQ)
Essential questions and answers about Halo2, the zero-knowledge proof system powering modern blockchain scaling and privacy.
Halo2 is a zero-knowledge proof system and a zk-SNARK construction developed by the Electric Coin Company (creators of Zcash) that enables one party to prove they know a secret or that a computation is correct without revealing the underlying data. It works by representing a computation as a Plonkish arithmetization, a flexible constraint system that maps program logic into polynomial equations over a finite field. A prover generates a proof by committing to these polynomials and creating a succinct argument that the constraints are satisfied, which a verifier can check efficiently. Its key innovation is the elimination of a trusted setup for certain applications through recursive proof composition and the use of inner product arguments.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall