Halo

In this note we describe Halo, a recent zero-knowledge proof system. The goal is to walk through the scheme step by step and explain the cryptographic primitives at play.

We look at the problem of proving a very long sequence of statements.
For instance a blockchain-rollup operator needs to accumulate as many transactions as possible before providing a proof of correct execution of all those transactions to the blockchain. The proof has to be succint, verified in constant time (ideally) no matter the number of operations in the sequence.

Pedersen commitments

Halo relies mainly on the Pedersen commitment scheme, along with an opening technique borrowed from bullet proof (with a little modification from its original description).

Let

p \neq r

be prime numbers,

E (F_{p})

an elliptic curve defined over

F_{p}

such that

E

contains a group

E [r]

F_{p}

rational points of order

r

. Let

n << r

be an integer and

(G_{i})_{i \in [n]}

a list of points in

E [r]

.
Let

P = \sum_{i \in [n]} a_{i} X^{i} \in F_{r} [X]

a polynomial.
The Pedersen commitment to

P

{PC}_{P} = \sum_{i \in [n]} a_{i} G_{i}

Binding property: Suppose
$P = \sum_{i \in [n]} a_{i} X^{i}$ and
$Q = \sum_{i \in [n]} b_{i} X^{i}$ are
$2$ different polynomials, with
${PC}_{P} = {PC}_{Q}$ .
Since
$G_{1}, \dots, G_{n}$ are in a cyclic group they can be written as
$λ_{1} G, \dots, λ_{n} G$ where
$G$ is a generator and
$λ_{i}$ are in
$F_{r}$ .
${PC}_{P} = {PC}_{Q}$ implies that
$\sum_{i \in [n]} (a_{i} - b_{i}) λ_{i} G = O$ , so
$(a_{i} - b_{i})_{i \in [n]}$ is orthogonal to
$(λ_{i})_{i \in [n]}$ , therefore
$(a_{i} - b_{i})_{i \in [n]}$ belongs to an hyperplan of
$F_{r}^{n}$ . The probability that
$a - b$ is in this hyperplan by luck is
$r^{n - 1} / r^{n} = 1 / r$ .

Hiding property: The version that we described is not hiding. To be hiding
${PC}_{P}$ is masked by adding a random
$r R$ component R is a random point on the curve and
$r \in F_{r}$ is a random number. We stick to the non hiding version to not overload notations.

There is a way to open a Pedersen commitment (adapted from a more general technique in bulletproofs) which involves logarithmic (in the degree of the polynomial) communication complexity between a prover and a verifier.

We suppose that the degree of the committed polynomial is a power of

2

, equal to

2^{s}

a = (a_{1}, \dots, a_{n}) \in F_{r}^{n}

and

G = (G_{1}, \dots, G_{n}) \in E (F_{p}) [r]^{n}

are the coefficients of a polynomial and the points used for computing Pedersen commitments, we write

< a, G >

for

\sum_{i \in [n]} a_{i} G_{i}

We also add the subscript

L

and

R

to indicate that we take the left part or the right part (of size

n / 2

) of a list of elements.

Opening a Pedersen commitment

${PC}_{P}$ at
$x$

Let

x = (1, x, \dots, x^{n - 1})

Verifier sends
$x$ and a random point
$U \in E (F_{p}) [r]$ to the prover
The prover sends the purported value
$P (x) = y$ and the verifier computes
$K_{0} = PC (P) + y U$
loop for i from
$1$ to
$s$ :
The prover computes

$L_{i} =< a^{L}, G^{R} > + < a^{L}, x^{R} > U R_{i} =< a^{R}, G^{L} > + < a^{R}, x^{L} > U$
and send those to the verifier
the verifier sends a random
$u_{i} \in F_{r}$ to the prover
The prover sets

$a = u_{i} a^{L} + u_{i}^{- 1} a^{R} x = u_{i}^{- 1} x^{L} + u_{i} x^{R} G = u_{i}^{- 1} G^{L} + u_{i} G^{R}$
end loop
At the end of the loop,
$a^{'} = a$ and
$x^{'} = x$ are of size
$1$ , the prover sends them to the verifier.
The verifier sets
$h = Π_{i \in [s]} (u_{i}^{- 1} + u_{i} X^{2^{i} - 1})$ and computes:

$x^{'} = h (x) G^{'} = {PC}_{h} K^{'} = K_{0} + \sum_{i \in [s]} (u_{i}^{2} L_{i} + u_{i}^{- 2} R_{i})$
The verifier finally checks that
$a^{'} x^{'} U + a^{'} G^{'} = K^{'}$ . If the check holds, then the verifier concludes that
$y = \sum_{i \in [n]} a_{i} x^{i}$ .

Completeness: After receiving
$u_{1}$ , the prover will divide the size of the vectors
$G, x, a$ by
$2$ , by folding them like this:

$a^{'} = u_{1} a^{L} + u_{1}^{- 1} a^{R}$

$G^{'} = u_{1}^{- 1} G^{L} + u_{1} G^{R}$

$x^{'} = u_{1}^{- 1} x^{L} + u_{1} x^{R}$
Observe that

$< a^{'}, G^{'} > + < a^{'}, x^{'} > U = < u_{1} a^{L} + u_{1}^{- 1} a^{R}, u_{1}^{- 1} G^{L} + u_{1} G^{R} > + < u_{1} a^{L} + u_{1}^{- 1} a^{R}, u_{1}^{- 1} x^{L} + u_{1} x^{R} U >= u_{1}^{2} (< a^{L}, G^{R} > + < a^{L}, x^{R} > U) + u_{1}^{- 2} (< a^{R}, G^{L} > + < a^{R}, x^{L} > U) + K_{0} = u_{1}^{2} L_{1} + u_{1}^{- 2} R_{1} + K_{0}$

If the procedure stops here, the prover sends
$a^{'}$ , of size
$n / 2$ , to the verifier, the verifier folds
$G, x$ as the prover did and checks that

$K_{0} + u_{1}^{2} L_{1} + u_{1}^{- 2} R_{1} =< a^{'}, G^{'} > + < a^{'}, x^{'} > U$
The full procedure is a repetition of this step
$s$ times. The fully folded versions
$K^{'}, x^{'}, G^{'}$ of
$K_{0}$ ,
$x$ and
$G$ are respectively
$K_{0} + \sum_{i \in [s]} u_{i}^{2} L_{i} + u_{i}^{- 2} R_{i}$ ,
$h (x)$ , and
${PC}_{h}$ , where
$h = Π_{i \in [s]} (u_{i}^{- 1} + u_{i} X^{2^{i} - 1})$ .

Soundness: The soundness comes form the fact that
$L_{i}, R_{i}$ are sent prior to receiving the
$u_{i}$ .
If the claimed
$y$ is false, call this value
$y^{'}$ , the verifier starts with
$K_{0}^{'} =< a, G > + y^{'} U$ . To make the proof works, during the first round the prover sends
$L_{1}, R_{1}$ , computed correctly, and after receiving
$u_{1}$ , the prover hopes that
$K_{0}^{'} + u_{1}^{2} L_{1} + u_{1}^{- 2} R_{1} =< a^{'}, G^{'} > + < a^{'}, x^{'} > U$ , where
$a^{'}, G^{'}, x^{'}$ are the correct folded version of
$a, G, x$ . If this happens, the prover continues to send the correct
$L_{i}, R_{i}$ and he is saved since the folded commitments will coincide after this event. The probability of such a collision is
$1 / r$ , from the binding property of the Pedersen commitment. Since the prover can hope for such a collision at each round, he has
$k / r$ chances to win, which is close to none.

It is important to note that Pedersen commitments are homomorphic for

+

: we have

{PC}_{P_{1}} + {PC}_{P_{2}} = {PC}_{P_{1} + P_{2}}

This property allows a prover to prove a batch opening of several commitments at one point with one proof:

Let

({PC}_{P_{i}})_{i \in [l]}

a list of Pedersen commitments. To prove to a verifier that the commitments open to

(y_{i})_{i \in [l]}

ζ

The prover sends the commitments
$({PC}_{P_{i}})_{i \in [l]}$ and the values
$(P_{i} (ζ))_{i \in [l]}$ to the verifier
The verifier samples a random
$v$ , sends it to the prover
Prover and verifier engage the bullet proof opening argument to verify that
$\sum_{i \in [l]} v^{i} {PC}_{P_{i}}$ opens at
$\sum_{i \in [l]} v^{i} P_{i} (ζ)$

The completeness follows from the homomorphic property of the Pedersen commitment scheme. The soundness comes the fact that the commitments and purported values are sent prior to receiving
$v$ , so if one of the
$P_{i} (ζ)$ is wrong, the prover has
$k / r$ chances to win from the soundness proof of the bullet proof opening argument.

SNARK

A SNARK (Succint Non interactice Argument of Knowledge) allows a prover to convince a verifier that he knows

x

(private), such that

f (x) = y

, where

y

is public (think of

f

as a hash function for instance). The prover doesn't provide

x

, and verifying a proof is much cheaper than computing

f (x)

We will indifferentially use the term "circuit" or "constraint system".

We specify some useful notations:

The circuits are written in capital.
$Sat (_,_,_)$ is a boolean function checking satisfiability of a constraint system. It takes as parameters a circuit
$C$ , public input
$y$ and private input
$x$ and returns
$1$ or
$0$ according to whether or not
$C$ is satisfied when fed with
$x, y$ .
$P (_)$ is a proving function, which takes a list of
$Sat (_,_,_)$ funcions. It returns proof object
$π$ if
$Sat (C_{i}, y_{i}, x_{i}) = 1$ for all
$i$ , otherwise it fails.
$V (_,_)$ is a verifying function. It's a boolean function which takes a proof
$π$ and a public input
$y$ , it returns true or false according to whether or not the proof is valid
$H$ is a secure hash function

Example: if one has
$2$ circuits
$C_{1}, C_{2}$ , and associated public/private inputs
$(y_{1}, x_{1}), (y_{2}, x_{2})$ such that
$Sat (C_{i}, y_{i}, x_{i}) = 1$ . We create the proof attesting of this fact like this:
$π = P (Sat (C_{1}, y_{1}, x_{1}), Sat (C_{2}, y_{2}, x_{2}))$ . Verifying both claims is done by running
$V (π, y_{1} | | y_{2})$ .

We can now give an informal definition of what is meant by a SNARK in this post:

We suppose that a SNARK is a tuple

(Sat, P, V)

, with the following properties:

$P$ outputs a proof which is of fixed short size (say a few kB to fix ideas)
The memory for running
$Sat (C, y, x)$ is
$O (| y | + | x |)$
The memory and CPU time for running
$P ((Sat (C_{i}), y_{i}, x_{i})_{i})$ is
$O (\sum_{i} (| x_{i} | + | y_{i} |))$
The memory and CPU time for running
$V (π, y)$ is
$O (| y |)$ with a small constant
$P$ is bounded in memory and cannot process arbitrarily large computations

The third point means that

V

is cheap to run as long as there

| y |

is small.

For example, if

C

is a circuit, and we have associated public/private inputs

(y, x)

such that

Sat (C, y, x) = 1

. If

π = P (Sat (C, y, x)

, then checking

Sat (C, y, x) = 1

and

V (π, y) = 1

attest in both cases that

y, x

satisfies the circuit, but running

V (π, y)

takes a few seconds and is very cheap in memory, while checking

Sat (C, y, x)

may take a long computational time, but more importantly is extremely memory greedy.

Proof Carrying Data

Given a Snark as it was defined in the previous section, say we have a large set of circuits

(C_{i})_{i \in [n]}

with associated inputs

(x_{i}, y_{i})_{i \in [n]}

, and we want to output a proof that

Sat (C_{i}, y_{i}, x_{i}) = 1

for all

i

First attempt

The first solution is to feed

P

all the circuits at once and compute

P ((Sat ((C_{i}, y_{i}, x_{i})_{i \in [n]})

The issue is that

P

is bounded in memory, so brute-force proving all the statements at once will eventually exhaust the memory of

P

. Moreover the complexity (in time)

P

grows linearly with the cumulated number of constraints of all circuits

C_{i}

, so the time to compute a gigantic circuit needs a big computational power (typically it cannot be ran on a laptop).

Second attempt

We know that

V

is an algorithm that is cheap to implement. The idea is to express this algorithm as a r1cs, the language supported by our SNARKs, and see

Sat (V,_,_)

as a particular satisfiability problem (constraining

V

so that it returns

1

) to be fed to the prover algorithm

P

. If one has a proof

π

, and associated public input

y

such that

V (π, y)

returns

1

, then

P (Sat (V, π | | y,_)

(there are no private inputs) outputs a proof

π^{'}

attesting that

Sat (V, π, y) = 1

, otherwise said

π^{'}

is a proof attesting that a proof is correct.

An important observation is that

Sat (V,_,_)

does not take a lot of memory when fed to

P

by assumption, since

V

is cheap and

Sat

grows linearly in memory with the size of

V

Having observed this, the idea is to sequentially handle the circuits

(C_{i})_{i \in [n]}

to output a proof that

Sat (C_{i}, y_{i}, x_{i}) = 1

, and that the proof of the previous statement is correct. More precisely, if

π

is a proof of a previous statement, with associated public input

y

, then at step

i

, we run

P ((Sat (C_{i}, y_{i}, x_{i}), Sat (V, π | | y,_))

The new generated proof

π^{'}

attests that

Sat (C_{i}, y_{i}, x_{i}) = 1

and that

V (π, y) = 1

. So we have a way to build a proof that not only attests the validity of a circuit, but also attests recursively that all previous proofs are correct. It's an example of Proof Carrying Data (PCD) infrastructure. There are several different constructions of PCD, the most general one is that instead of having a sequence of circuits, we have an acyclic graph. Here we stick to the sequential version.

There is a last problem that arises when doing that. When accumulating proofs, the list of public inputs grows with the number of proofs. Here is an illustration of that, starting with

C_{0}

$π_{0} = P (Sat (C_{0}, y_{0}, x_{0})$ (there is no previous proof statement)
$π_{1} = P (Sat (C_{1}, y_{1}, x_{1}), Sat (V, π_{0} | | y_{0},_))$
$π_{2} = P (Sat (C_{2}, y_{2}, x_{2}), Sat (V, π_{1} | | y_{1} | | π_{0} | | y_{0},_))$
$π_{3} = P (Sat (C_{3}, y_{3}, x_{3}), Sat (V, π_{2} | | y_{2} | | π_{1} | | y_{1} | | π_{0} | | y_{0},_)$
…

We see that the number of public inputs increases at each step, for instance verifying

π_{3}

is done by running

V (π_{3}, y_{3} | | π_{2} | | y_{2} | | π_{1} | | y_{1} | | π_{0} | | y_{0})

Since the CPU time and memory consumption of

V

grow linearly with the size of the public input this will quickly become problematic. The solution to counter that is to hash all the public inputs

(π, y)

using

H

, and add a circuit checking that

H (π, y)

gives the expected hash result

h

h

becomes the public input and

π, y

become private inputs. We name this circuit

CH

for "Correct Hash", and

Sat (CH, y, x)

returns

1

H (x) = y

Here is the final construction:

$π_{0} = P (Sat (C_{0}, y_{0}, x_{0}))$ (there is no previous proof statement)
compute
$h_{0} = H (π_{0}, y_{0})$
$π_{1} = P (Sat (CH, h_{0}, π_{0} | | y_{0}), Sat (C_{1}, y_{1}, x_{1}), Sat (V = 1,_, π_{0} | | y_{0}))$
Hash the public inputs by computing
$h_{1} = H (π_{1}, h_{0}, y_{1})$
$π_{2} = P (Sat (CH, h_{1}, π_{1} | | h_{0} | | y_{1}), Sat (C_{2}, y_{2}, x_{2}), Sat (V = 1,_, π_{1} | | h_{0} | | y_{1}))$
Hash the public inputs by computing
$h_{2} = H (π_{2}, h_{1}, y_{2})$
$π_{3} = P (Sat (CH, h_{2}, π_{2} | | h_{1} | | y_{2}), Sat (C_{3}, y_{3}, x_{3}), Sat (V = 1,_, π_{2} | | h_{1} | | y_{2}))$
…

We see that after

π_{2}

, the number of public inputs does not increase anymore, this number only depends on the number of public inputs of the

i

-th circuit.

Instantiating Halo with PLONK

Halo is the application of the construction described in the previous section on a version of PLONK in which the Kate commitment scheme has been replaced by the Pedersen commitment scheme, along with the bullet-proof opening argument.

Let's recall roughly the workflow of PLONK between a prover and a verifier, where the proof is in fact a list of commitments:

Prover sends a PLONK proof
$({PC}_{P_{i}^{0}})_{i \in [l]}$ to the verifier
Verifier queries the values
$(P_{i}^{0} (ζ_{0}))_{i \in [l]}$ and performs various checks on them
Verifier samples
$v$ and checks a batch opening proof for
$\sum_{i \in [l]} v^{i} {PC}_{P_{i}^{0}}$ at
$ζ_{0}$ :
1. sample a random
  $u^{0} = (u_{1}^{0}, \dots, u_{k}^{0})$ , send them to the prover
2. compute
  $h_{0} (X) = \sum_{i \in [s]} (u_{i}^{0^{- 1}} + u_{i}^{0} X^{2^{i} - 1})$
3. evaluate
  $h_{0}$ at
  $ζ_{0}$
4. compute
  ${PC}_{h_{0}}$ (costly operation!)
5. perform consistancy checks between
  $h_{0} (ζ_{0})$ ,
  ${PC}_{h_{0}}$

For the construction described in the previous section to work, the verification procedure needs to be cheap (at most logarithmic in the size of the circuit).

The computation of

${PC}_{h}$ does not match this property, since the cost is linear in

n

To circumvent that, we outsource the computation of

{PC}_{h}

to the prover:

Prover sends a PLONK proof
$({PC}_{P_{i}^{0}})_{i \in [l]}$ to the verifier
Verifier queries the values
$(P_{i}^{0} (ζ_{0}))_{i \in [l]}$ and performs various checks on them
Verifier samples
$v$ and checks a batch opening proof for
$\sum_{i \in [l]} v^{i} {PC}_{P_{i}^{0}}$ at
$ζ_{0}$ :
1. sample a random
  $u^{0} = (u_{1}^{0}, \dots, u_{k}^{0})$ , send them to the prover
2. compute
  $h_{0} (X) = \sum_{i \in [s]} (u_{i}^{0^{- 1}} + u_{i}^{0} X^{2^{i} - 1})$
3. evaluate
  $h_{0}$ at
  $ζ_{0}$
Prover computes
${PC}_{h_{0}}$ and sends it to the verifier
4. verifier performs consistancy checks between
$h_{0} (ζ_{0})$ ,
${PC}_{h_{0}}$

The verifier now no longer has to compute

{PC}_{h_{0}}

, but the trade off is that for the final checks, he does not know if

{PC}_{h_{0}}

is correct!

To check that

{PC}_{h_{0}}

is correct, a solution would be to ask the prover to open it, but an opening proof yields another Pedersen commitment to compute from the verifier… But remember that we prove a sequence of circuit, and the prover's job is exactly to provide opening proofs. So this check is forwarded to the next proof, where

{PC}_{h_{0}}

and

u^{0}

become public inputs. The workflow between the prover and the verifier in the next proof becomes, at step

1

Proof at stage
$0$ is correct, up to the correctness of
${PC}_{h_{0}}$
Prover sends a new PLONK proof
$({PC}_{P_{i}^{1}})_{i \in [l]}$ to the verifier
Verifier queries the values
$(P_{i}^{1} (ζ_{1}))_{i \in [l]}$ and performs various checks on them
Verifier queries
$u^{0}$ from the previous proof and computes
$h_{0} (ζ_{1})$
Verifier samples
$v$ and checks a batch opening proof for
$\sum_{i \in [l]} v^{i} {PC}_{P_{i}^{1}} + v^{l + 1} {PC}_{h_{0}}$ at
$ζ_{1}$ :
1. sample a random
  $u^{1} = (u_{1}^{1}, \dots, u_{k}^{1})$ , send them to the prover
2. compute
  $h_{1} (X) = \sum_{i \in [s]} (u_{i}^{1^{- 1}} + u_{i}^{1} X^{2^{i} - 1})$
3. evaluate
  $h_{1}$ at
  $ζ_{1}$
Prover computes
${PC}_{h_{1}}$ and sends it to the verifier
4. verifier performs consistancy checks between
$h_{1} (ζ_{1})$ ,
${PC}_{h_{1}}$
${PC}_{h_{0}}$ is now validated, and the correctness of
$π_{0}$ is fully proven
$π_{1}$ is correct, up to the correctness of
${PC}_{h_{1}}$

The computations of

{PC}_{h_{i}}

are therefore forwarded from proofs to proofs. The soundness comes from the fact that the prover does not know

u^{i}

in advance, so if he sends a random

{PC}_{h_{i}}

he has very little chances to match the check of the opening proof.

With the construction from the previous section, and this forwarding system, one can obtain a chain of arbitray length of proofs, in which the verification of the

i

-th step guarantees that all the previous proofs were correct!

If we use Fiat-Shamir, we can write a compact version of the scheme:

Proof
$π_{0}$ is correct, up to the correctness of
${PC}_{h_{0}}$
Prover sends a new proof
$π_{1}$ :
1. $({PC}_{P_{i}^{1}}, P_{i}^{1} (ζ_{1}))_{i \in [l]}$
2. ${PC}_{h_{1}}$
3. A proof for the opening of
  $\sum_{i \in [l]} v^{i} {PC}_{P_{i}^{1}} + v^{l + 1} {PC}_{h_{0}}$
Verifier performs various checks on
$(P_{i}^{1} (ζ_{1}))_{i \in [l]}$
Verifier checks the batch opening proof, validating the correctness of
${PC}_{h_{0}}$ and therefore
$π_{0}$
$π_{1}$ is correct, up to the correctness of
${PC}_{h_{1}}$

Caveat

A circuit

C

in PLONK reasons about variables which live in a field

F_{r}

. If one wants to deal with variables in another field

F_{p}

, one needs to encode

F_{p}

arithemetic in a language where variables are in

F_{r}

, and it is extremely inefficient.

However, from the previous section, we saw that a proof

π

consists of:

$({PC}_{P_{i}}, P_{i} (ζ))_{i \in [l]}$ : it's a set of points on
$E (F_{p})$ plus some values on
$F_{r}$
${PC}_{h}$ : it's a point on
$E (F_{p})$
A proof for the opening of
$\sum_{i \in [l]} v^{i} {PC}_{P_{i}} + v^{l + 1} {PC}_{h}$ : a set of points on
$E (F_{p})$

So a proof

π

is splitted in

2

components

(π^{p}, π^{r})

living respectively in

F_{p}

and

F_{r}

And a the verifier's job consits of:

performing various checks on
$(P_{i} (ζ))_{i \in [l]}$ (
$F_{r}$ operations)
computing
$h (ζ)$ (
$F_{r}$ operations)
performing consistency checks between
$h (ζ)$ and a folded commitment (
$F_{p}$ operations)

V

is splitted in

2

components

(V^{p}, V^{r})

reasonning respectively in

F_{p}

and

F_{r}

So we see that writing

V

in a language which does not support

F_{p}

operations is problematic.

The solution is to find another curve

E^{'}

defined on

F_{r}

and which contains a group of order

p

, and bounce back and forth between the

2

curves, by carefully separating the proofs and verification circuits in their respective field.

Here is a description step by step of a full sequence, where we omit the inputs to not overload notations, and write

P (C)

for generating the proof of circuit

C

On
$F_{r}$
1. $P (C_{0}) \to π_{0} = (π_{0}^{r}, π_{0}^{p})$
2. $π_{0}^{r}$ is saved
3. $π_{0}$ attests that
  $C_{0}$ is satisfied, up to the correctness of a Pedersen commitment
On
$F_{p}$ :
1. $P (C_{1}, V^{p} (π_{0}^{p})) \to π_{1} = (π_{1}^{r}, π_{1}^{p})$
2. $π_{1}^{p}$ is saved
3. $π_{1}$ attests that
  $C_{1}$ is satisfied, up to the correctness of a Pedersen commitment
On
$F_{r}$ :
1. $P (C_{2}, V^{r} (π_{0}^{r}), V^{r} (π_{1}^{r})) \to π_{2} = (π_{2}^{r}, π_{2}^{p})$
2. $π_{2}^{r}$ is saved
3. $π_{2}$ attests that
  $C_{2}$ is satisfied, up to the correctness of a Pedersen commitment and that
  $π_{0}$ is correct
On
$F_{p}$ :
1. $P (C_{3}, V^{p} (π_{1}^{p}), V^{p} (π_{2}^{p})) \to π_{3} = (π_{3}^{r}, π_{3}^{p})$
2. $π_{3}^{p}$ is saved
3. $π_{3}$ attests that
  $C_{3}$ is satifsifed, up to the correctness of a Pedersen commitmtent and that
  $π_{1}$ iscorrect
$\dots$

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Author: Thomas Piellard.

I'm part of a research team at ConsenSys. If you are interested in our work (fast finite field arithmetic, elliptic curve pairings, and zero-knowledge proofs), give us a shout.

Halo

Pedersen commitments

SNARK

Proof Carrying Data

First attempt

Second attempt

Instantiating Halo with PLONK

Caveat

Read more

What changes for BW6-761?

Yet another curve, but THE curve for your KZG!

BW6 over BLS12-381

Benchmarking pairing-friendly elliptic curves libraries