Hello, thanks for your question. Iâ€™m Daira, I designed the Pasta curves.

Modern zk proving systems are constructed from an â€śinformation-theoretic partâ€ť (which is statistically secure) and a â€ścryptographic partâ€ť. There are various ways to formalize this, but one way of describing the cryptographic part is as a â€śpolynomial commitment schemeâ€ť. This takes a polynomial as input, and produces a short value that commits to the polynomial. It also has a protocol that allows proving that an evaluation of the polynomial at a point is consistent with its commitment.

There are, roughly speaking, three families of polynomial commitment schemes used in deployed protocols (there are others that are so far too inefficient to deploy), based on:

- Inner products
- Pairings
- FRI (Fast Reedâ€“Solomon Interactive oracle proof of proximity)

So the short answer is that Halo (and Halo 2) use an inner-product polynomial commitment scheme, which doesnâ€™t need pairings.

Roughly speaking, if you have a cryptographic group with a pairing, then using the pairing on group elements allows you to check quadratic constraints (i.e. constraints that involve one level of multiplication) on the corresponding scalars, rather than only linear constraints.

An inner product argument allows you to construct a polynomial commitment scheme without needing to check quadratic constraints.

This has significant performance advantages, because of the smaller size of elliptic curves needed for inner product-based schemes vs. pairing-based schemes. Roughly speaking, for a 128-bit security level, an inner-product-based scheme requires ~256-bit curves, while a pairing-based scheme requires ~384-bit curves. Since the cost of curve arithmetic is roughly quadratic in the field size, the pairing-based schemes use ~2.25 times less efficient curve arithmetic. (This is for proof systems that donâ€™t support efficient recursion; for those that do, see below.)

The inner-product-based and FRI-based schemes do not require a trusted setup. (There also exist pairing-based schemes that donâ€™t require a trusted setup, but those arenâ€™t commonly used.) However, inner-product-based schemes come with the trade-off that you can only *fully* verify a proof in time proportional to the circuit size (rather than in time logarithmic or constant in the circuit size).

What the Halo technique allows you to do is to construct a recursive proof system in which you only pay this cost of full checking once for a graph of proofs. So the cost is linear, but in the size of one circuit, rather than the whole computation.

Itâ€™s possible to use the Halo technique with other polynomial commitment schemes, e.g. pairing or FRI-based ones. The reason why Halo (and Halo 2) itself doesnâ€™t do this is that, for circuits at the recursion threshold, itâ€™s less efficient because pairing-friendly elliptic curves are larger.

Specifically, for ~128-bit security,

- A curve 2-cycle in which neither curve is pairing-friendly, only needs to use ~256-bit fields.
- A curve 2-cycle in which only one curve is pairing-friendly, needs to use ~384-bit fields.
- A curve 2-cycle in which both curves are pairing-friendly needs at least 800-bit fields, probably more.

Please let me know if you have any further questions.