# Fooby halo2 notes ###### tags: `fooby` `adrian` see updated link: https://hackmd.io/fiaKvd0bR1min9d_gp9ARA The [original Halo paper](https://eprint.iacr.org/2019/1021) explains how the Bulletproofs/IPA commitment scheme can be used to speed up recursive SNARK verification. - Use IPA as PCS - Notice that IPA is a "split accumuluation scheme" (c.f. [Proof-Carrying Data from Accumulation Schemes](https://eprint.iacr.org/2020/499)) - Based on Sonic arithmetization, the precursor to PlonK. - The hard part of recursive verification is computing a final MSM inside a circuit over the non-native field - Using curve cycles, create a SNARK over a curve where the base field corresponds to the MSM's curve. - The circuit performing the MSM is really small, and doesn't do anything else. To my knowledge, there never really was any implementation of halo, and zcash went directly with halo2 which replaces the Sonic arithmetization with Plonkish. The implementation is largely focused on the arithmetization, enabling users to write highly specialized circuits. It's now the best way to write circuits for PlonKish arithmetization. ## Key developers **zcash** Original developers of halo2, have the most experience with designing circuit building architecture ([bellman](https://github.com/zkcrypto/bellman) for R1CS, previous work on [libsnark](https://github.com/scipr-lab/libsnark) _I think_). **Geometry** Mainly Ying Tong? **Scroll** Implement the zkEVM circuit **Axiom** halo2 verifier circuits