Announcing Halo: Recursive Proof Composition without a Trusted Setup

Shawn · September 10, 2019, 3:34pm

No trusted set up and scalability! Boom

source

azrael · September 10, 2019, 4:04pm

tenor

JKDC · September 10, 2019, 7:00pm

Any idea how long it will take to integrate it into Zcash? It might help us determine funding levels for the next 4 years.

Autotunafish · September 10, 2019, 11:24pm

(It is cool but I kinda liked the trusted setup, dont @ me)

sunhuachuang · September 11, 2019, 3:20am

cool work. follow it !

ChileBob · September 12, 2019, 8:54pm

So if I’ve understood this correctly, a new wallet wont need the blockchain, just a proof for its initial state.

No heavy download, fits on a phone, good to go almost immediatly. Holy cow!!

Edit: Hoping we get a ‘muggle version’ of the paper at some point, even if its just a list of ‘things it can enable’.

azrael · September 12, 2019, 8:53pm

Could you please link me what youre reading? I am no cryptography expert but I do have a batchelors in math and a masters in cs I might be able to handle it…

ChileBob · September 12, 2019, 8:57pm

Here y’go, you’ll know what an aneurysm feels like when you’re half way through - its heavy stuff.

azrael · September 12, 2019, 9:08pm

Thank you very much I probably wont be able to handle it since I havent been working in my field after finishing uni and that was like a little over 10 years ago, but Im optimistic by nature.

mistfpga · September 14, 2019, 4:45pm

Can someone explain the difference between Spartan and Halo please? Im not too sure.

https://eprint.iacr.org/2019/550

Okay, I am a bit better informed now. I thought this was separate work. from spartan, which I guess it kind of is. but it builds upon it. nice work.

nope read more. confused again. oh well.

ebfull · September 15, 2019, 10:19pm

Spartan is an example of a SNARK (in theory) though it has large constants so I’m unsure if it will work well in the recursive context. Halo is an attempt to take proving systems (Sonic built over the inner product argument, for example) that aren’t necessarily succinct but still achieve recursive proof composition with them.

boxalex · September 16, 2019, 2:21pm

I’am not that euphoric yet until there is some audit and/or it’s clear how security plays out with HALO…

…
In other words, the miners will be responsible for both the proof generation and verification of the final ZK-SNARK. This resembles the case where one plays the roles of both the player and judge in the field simultaneously. It is also not clear how the subsequent protocol (if there is any) built on Halo would attempt to resolve this issue. Neither the Coda team nor any existing academic work provides any security argument to justify this action. Bitcoin can legitimately claim its blockchain resists 51% attack. What’s the security level of the recursive proof framework when most of the miner computing power are dedicated to proof generation instead of verification? 1%? 0.1%? One cannot simply just trust the protocol developer without the support of any formal argument. I thought the whole point of blockchain is “in math we trust”?
…

str4d · September 16, 2019, 3:22pm

This post appears to misunderstand both the application of recursive validation, and the Coda blog post it is referencing. If the miners are the ones creating recursive chain proofs, then it should be obvious those proofs aren’t solely going to be verified by themselves:

If the recursive proofs are part of the consensus rules (forcing miners to create them), then they will be verified by other full nodes as well (necessarily, otherwise the chain they have can’t be valid).
If the recursive proofs are not part of the consensus rules (e.g. if they were only used for light client bandwidth improvements with an SPV-style security model), then there’s no difference between a miner generating these proofs, and some other entity (e.g. a wallet provider) doing so. And depending on what the recursive circuit covers, you could in fact have stronger security properties than SPV (because the proofs could themselves bundle in proofs that the block contents are valid).

Blazin8888 · September 25, 2019, 3:04pm

Are there scheduled plans yet for an audit? If so when will this occur?

str4d · September 25, 2019, 5:35pm

We’re a while away from audits; we are still in the R&D process, and there’s little point in auditing something we aren’t certain will be used. Halo is still in development (in particular, there are various optimisations being implemented), and there is so much progress being made in the field at the moment that there are likely to be useful improvements made over the coming months.

hud · May 14, 2020, 9:42am

Hey I’m just curious about current progress of Halo. Is there any roughly estimated timeline? I presume it would take several years at least for implementation of a totally trustless MPC in zcash main network?

Shawn · May 14, 2020, 1:42pm

I’m not sure of a specific timeline, I’m sure it will be a couple years to make such a significant change to the network. As I understand it essentially all Zcash would have to migrate, not an easy task.

In the meantime here is Halo news you may have missed: https://www.zeroknowledge.fm/123

joshs · May 14, 2020, 3:11pm

We’ll have a little bit of an update on the livestream next week.

daira · June 14, 2020, 5:45pm

Also there will be two ZK Study Clubs on Halo, one by Sean on the 18th of June, and one by me on the 25th of June, both at 17:00 UTC. Join the ZK Study Club Telegram group for more details

daira · July 16, 2020, 12:51pm

The YouTube videos (which also link to the GitHub repos and relevant papers) are here:

Sean’s session and slides.
My sessions: part 1, part 2, slides, and accompanying notes.