Recently the Anoma team posted benchmarks of zero-knowledge proofs. Zcash Halo is one of the zero-knowledge proofs being benchmarked, and we wanted to take an opportunity to share why Halo is even better than these initial benchmarks indicate.
Halo, if you’re not familiar, is a trustless, recursive zero-knowledge proof (ZKP) discovered by Sean Bowe at Electric Coin Co. and was implemented in Zcash earlier this year. It eliminates the trusted setup (that’s huge!) and allows greater scalability (also huge!).
Within the Anoma evaluation, a small task was posed for the proof: proving and verifying a 3×3 Sudoku puzzle solution. The results showed that Halo was very efficient. It generated proofs within this program in less than 1/10th of a second and verified proofs in around 3 milliseconds.
But when compared to other attributes of Halo, this efficiency might not even be what devs find most important when building out a ZKP tool. Halo stands out for three additional reasons:
- Trustlessness — no “trusted setup”
- Recursive — more about that superpower below
- Extremely well-engineered for security and performance
Let’s dive into what each of these mean:
Halo is Trustless
When Zcash launched in 2016, its zero-knowledge proofs required a setup phase to produce public parameters that allowed users to construct and verify private transactions.
As our friend Vitalik Buterin explains, “A trusted setup ceremony is a procedure that is done once to generate a piece of data that must then be used every time some cryptographic protocol is run. Generating this data requires some secret information; the ‘trust’ comes from the fact that some person or some group of people has to generate these secrets, use them to generate the data, and then publish the data and forget the secrets.”
After the setup phase, these secrets had to be destroyed to prevent counterfeiting of Zcash. (There’s a great Radiolab episode about the first Zcash trusted setup ceremony.)
But Halo has no trusted setup. Halo eliminates the risk of ceremony compromise, increasing confidence in the soundness of the entire system.
Eliminating trusted setup also allows for greater protocol agility. New zero-knowledge protocols can be designed and deployed without requiring another run of the complex and dangerous trusted setup ceremony.
Most of the current generation of zero-knowledge projects rely on trusted setup, because trusted-setup ZKPs are super efficient, and because efficient-enough trustless ZKPs (like Halo) hadn’t been developed yet when those projects started a few years ago.
We’re betting that eventually most of the world will switch to trustless ZKPs and trusted setups will become a footnote of history.
Halo is Recursive
Halo is recursive. That’s a technical term, but what it basically means is that it is scalable — you can use Halo to prove facts about arbitrarily complex programs and arbitrarily big data sets.
Halo’s recursive attributes allow for more scalable ZKP applications, and it’s also general purpose. This means that you can use Halo for any and all ZKP applications.
Halo supporting recursion also means that independent, mutually distrusting parties can cooperate to prove facts about their whole combined data set without sharing their private data with each other and without being vulnerable to the other participants cheating. That is a really interesting and never-before-seen capability. We’re looking forward to seeing what people do with it!
Historical note: Halo was the first zero-knowledge proof system ever discovered that is both trustless and recursive.
Halo is Secure and Efficient
We engineered Halo for industry-leading security and performance. Unlike other next-generation zero-knowledge proof systems, Halo 2 comes with a proof of its security. Writing a proof of security is a difficult and time-consuming process that most cryptographic engineers skip, but it gives greater assurance that the cryptography works as intended.
The flagship implementation of the Halo algorithm is maintained by the legendary cryptographic engineering team at The Electric Coin Co — the team whose pioneering work is the basis of more or less all zero-knowledge proof technology in use today.
Our Halo implementation has been audited by multiple independent experts, and it is live on Zcash mainnet, protecting Zcash users and ZEC holders.
Our Halo 2 implementation (an improved edition of Halo) is open-sourced under Apache/MIT, and is free to use. This means anyone can use it for any purpose without requiring our — or anyone’s — permission.
Here’s a list of the projects that are already using Halo:
Thanks for reading this short piece on Halo! If you’re a developer looking to use zero-knowledge proofs, you should consider using Zcash Halo as your first choice. Have any questions around Halo’s advantages? Join the conversation here.