Very cool!
Can you please explain, in technical terms, how Halo or Halo 2 will be integrated into Zcash on the “as early as 2021” timescale? (cc @ebfull @daira)
We’ve seen how Halo can be used to verify PoW, but I haven’t seen anything about specifically how Halo would be used to verify transactions . Because Halo is not succinct (in the efficient-verifier sense), it’s not a drop-in replacement for existing zk-SNARKs like Groth16. If you just take Sapling and replace Groth16 with Halo, verification would be too slow.
Would you use some new higher-level protocols to exploit Halo’s amortized verification using recursive composition, to compensate for that? What do these protocols look like?
We do know that such protocols are possible in principle (because Coda takes that approach), but we also know that they’ve very difficult to engineer (again, from Coda’s experience, and others’). A big barrier is that a lot more of the transaction parsing and logic needs to be implemented “inside the circuit”, which is difficult to implement and audit.
Can you share your thoughts on this?
(Yes, the above just rephrases one of my flight plan questions from November 2019, which never got answered.)