Technical Deep Dive
Halo2's architecture is a masterclass in cryptographic engineering. At its heart is the Halo protocol, which achieves recursive proof composition without a trusted setup by leveraging an inner product argument (IPA) for polynomial commitments. Unlike Groth16, which requires a one-time trusted setup per circuit, Halo2 uses a transparent setup: the prover and verifier only need the statement and the circuit description. This eliminates the risk of a compromised setup ceremony—a vulnerability that has plagued projects like Zcash and Filecoin.
The library implements Plonkish arithmetization, an extension of the PLONK protocol. In PLONK, circuits are represented as a single polynomial equality constraint system. Halo2 generalizes this by allowing custom gates and lookup arguments. A custom gate is a user-defined polynomial constraint that operates on a fixed set of wires (e.g., a constraint for elliptic curve point addition). Lookups allow proving that a tuple of values belongs to a precomputed table, which is critical for efficient range checks or SHA-256 hashing. This flexibility is why Halo2 is the proving system of choice for ZK-EVMs: EVM opcodes like `ADD`, `MUL`, or `SLOAD` can be encoded as custom gates, while memory and storage accesses can be handled via lookups.
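To make the custom-gate and lookup ideas concrete, here is a toy row-by-row checker, added as an illustration and not taken from Halo2 or the `halo2_proofs` API. The small modulus `P`, the selector names (`q_add`, `q_mul`, `q_range`), the 8-bit table and the sample trace are all assumptions constructed for the example.

```rust
// Toy Plonkish table checker. Added illustration, NOT the halo2_proofs API.
// Assumptions: field modulus P, selector names, and the 8-bit table are constructed.
const P: u64 = 65_537; // small prime standing in for the real scalar field

#[derive(Clone, Copy)]
struct Row { q_add: u64, q_mul: u64, q_range: u64, a: u64, b: u64, c: u64 }

#[derive(Debug, PartialEq)]
enum Violation { Gate(usize), Lookup(usize) }

/// Custom gate polynomial: q_add*(a + b - c) + q_mul*(a*b - c), evaluated mod P.
/// A row satisfies the gate only when this evaluates to zero.
fn gate(r: &Row) -> u64 {
    let (a, b, c) = (r.a % P, r.b % P, r.c % P);
    let add = (a + b + P - c) % P;
    let mul = (a * b % P + P - c) % P;
    ((r.q_add % P) * add + (r.q_mul % P) * mul) % P
}

/// Lookup input is q_range * c, so rows with the selector off look up 0;
/// the table must therefore contain 0 for disabled rows to pass.
fn lookup_input(r: &Row) -> u64 { (r.q_range % P) * (r.c % P) % P }

/// Returns the first violated constraint, checking every row against both arguments.
fn check(rows: &[Row], table: &[u64]) -> Result<(), Violation> {
    for (i, r) in rows.iter().enumerate() {
        if gate(r) != 0 { return Err(Violation::Gate(i)); }
        if !table.contains(&lookup_input(r)) { return Err(Violation::Lookup(i)); }
    }
    Ok(())
}

fn range_table() -> Vec<u64> { (0..256).collect() } // precomputed 8-bit range table

/// Constructed witness: ADD and MUL steps with range-checked outputs, plus an
/// unchecked MUL whose product wraps modulo P.
fn sample_trace() -> Vec<Row> {
    vec![
        Row { q_add: 1, q_mul: 0, q_range: 1, a: 7, b: 9, c: 16 },
        Row { q_add: 0, q_mul: 1, q_range: 1, a: 12, b: 20, c: 240 },
        Row { q_add: 0, q_mul: 1, q_range: 0, a: 300, b: 300, c: 24_463 },
    ]
}

fn main() {
    println!("honest trace: {:?}", check(&sample_trace(), &range_table()));
}
```

The third row passes the gate only because arithmetic is modulo `P`; without a range lookup on that row, nothing ties `c` to the integer product.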
Recursive proof composition is where Halo2 truly shines. A single Halo2 proof can verify another Halo2 proof inside itself. This is achieved by implementing the verifier's algorithm as a Halo2 circuit. The inner product argument for polynomial commitments is particularly amenable to recursion because its verifier is lightweight—it only requires a few scalar multiplications and hash computations. The result is a constant-sized proof (around 1 KB) regardless of the depth of recursion. This enables proof aggregation for rollups: instead of submitting thousands of individual transaction proofs to L1, a rollup can recursively combine them into one proof, drastically reducing gas costs.
Performance benchmarks reveal the trade-offs. Halo2 is slower than Groth16 for single-prover scenarios but excels in recursion and flexibility.
| Proving System | Proving Time (1M gates) | Proof Size | Trusted Setup Required | Recursion Support |
|---|---|---|---|---|
| Groth16 | ~5 seconds | 192 bytes | Yes | No (native) |
| PLONK (standard) | ~20 seconds | ~1 KB | No (transparent) | Limited |
| Halo2 | ~30 seconds | ~1 KB | No | Native, efficient |
| Circom + Groth16 | ~8 seconds | 192 bytes | Yes | No |
Data Takeaway: Halo2 trades a 6x slowdown in proving time compared to Groth16 for the elimination of trusted setup and native recursion. For applications like ZK-EVMs, where the circuit is complex and recursion is essential, this trade-off is acceptable. For simple single-proof applications (e.g., private payments), Groth16 remains faster.
The library is written in Rust and relies on the `halo2_proofs` crate. The GitHub repository at `privacy-scaling-explorations/halo2` is the main fork, with 247 stars and daily commits. A notable sub-project is `halo2_gadgets`, which provides reusable circuit components (e.g., SHA-256, elliptic curve operations). The `halo2_curves` crate handles elliptic curve arithmetic, supporting BLS12-381 and BN254. Developers interested in the internals should examine the `circuit.rs` and `plonk.rs` files, which define the core constraint system and prover.
Key Players & Case Studies
Halo2's development is driven by the Privacy-Ethereum group (formerly the Privacy-Scaling-Explorations team at the Ethereum Foundation). Key contributors include Ying Tong, Koh Wei Jie, and John David Pressman, who have authored the majority of commits. The project is distinct from the original Halo implementation in Zcash, though it shares lineage with Sean Bowe's work.
Case Study 1: Scroll – Scroll, a zkEVM-based Layer 2, uses Halo2 as its proving backend. Scroll's architecture consists of a zkEVM circuit that proves EVM execution traces. The team chose Halo2 over alternatives like Gnark or Circom because of its Plonkish arithmetization, which allows them to efficiently encode the EVM's opcode-based state machine. Scroll's testnet has processed over 1 million transactions, with Halo2 proofs averaging 1.2 KB and a proving time of ~45 seconds per block. The team has publicly stated that Halo2's lack of documentation was a major hurdle, requiring them to build internal tooling.
Case Study 2: Polygon zkEVM – Polygon's zkEVM initially used a custom PLONK implementation but later migrated to a Halo2-based proving system for its mainnet beta. The migration was motivated by Halo2's superior recursion support, which Polygon uses to aggregate batch proofs. Polygon's team has contributed several optimizations back to Halo2, including faster multi-scalar multiplication (MSM) using CUDA kernels.
Case Study 3: Taiko – Taiko, a fully decentralized zkRollup, uses Halo2 for its proving layer. Taiko's unique approach is to use multiple provers to generate proofs in parallel, then recursively combine them. Halo2's recursion is critical here, as it allows Taiko to merge proofs from different provers without a central coordinator.
Comparison of ZK Proving Backends:
| Project | Proving System | Status | Key Metric |
|---|---|---|---|
| Scroll | Halo2 | Testnet | 1M+ txs, 1.2 KB proof |
| Polygon zkEVM | Halo2 (custom fork) | Mainnet Beta | 5M+ txs, 2.5 sec block time |
| Taiko | Halo2 | Testnet | 500K+ txs, parallel proving |
| zkSync Era | Boojum (custom PLONK) | Mainnet | 10M+ txs, 0.5 sec block time |
| StarkNet | STARK (Cairo) | Mainnet | 100M+ txs, 10 min finality |
Data Takeaway: Halo2 dominates among zkEVM projects that prioritize transparency and recursion. However, zkSync's Boojum (a custom PLONK variant) achieves faster proving times by using a different polynomial commitment scheme (FRI-based). The choice of proving system is a strategic trade-off between speed, trust assumptions, and flexibility.
Industry Impact & Market Dynamics
Halo2's rise is part of a broader shift toward transparent zero-knowledge proofs. The market for ZK-proof infrastructure is projected to grow from $500 million in 2024 to $5 billion by 2028, driven by Layer 2 scaling, privacy-preserving DeFi, and decentralized identity. Halo2 is uniquely positioned to capture the ZK-EVM segment, which is the most competitive area in Ethereum scaling.
The elimination of trusted setup has direct business implications. Projects no longer need to coordinate multi-party computation ceremonies, which can take months and cost millions in security audits. This lowers the barrier to entry for new rollups. For example, a startup can fork Halo2, customize the circuit, and launch a testnet without needing a trusted setup ceremony—a process that previously required the involvement of the Ethereum Foundation or a consortium of validators.
Market Share Estimates (2025 Q1):
| Proving System | Estimated Market Share (ZK-Rollups) | Key Adopters |
|---|---|---|
| Halo2 | 25% | Scroll, Polygon, Taiko |
| Boojum (zkSync) | 20% | zkSync Era |
| STARK (Cairo) | 30% | StarkNet, dYdX |
| Groth16 (Circom) | 15% | Aztec, Loopring |
| Other | 10% | Various |
Data Takeaway: Halo2 holds a significant but not dominant share. STARKs lead due to their quantum resistance and simpler arithmetic, but Halo2's smaller proof size (1 KB vs. 100 KB for STARKs) makes it more attractive for on-chain verification. As Ethereum gas costs remain high, the proof size advantage will become more critical.
Funding in the ZK space has been aggressive. Scroll raised $80 million in Series B, Polygon zkEVM is backed by Polygon's $1.5 billion treasury, and Taiko raised $22 million. All three have committed engineering resources to Halo2. This creates a virtuous cycle: more usage leads to more contributions, which improves documentation and performance.
Risks, Limitations & Open Questions
1. Documentation and Developer Experience. The most immediate risk is the steep learning curve. Halo2's official documentation is a 100-page book that covers the math but provides few practical examples. The API has changed multiple times, breaking backward compatibility. This limits the pool of developers to those with a PhD in cryptography or years of Rust experience. By contrast, Circom has a high-level language and a large library of pre-built circuits, while Gnark (Go) offers a more ergonomic API.
2. Proving Time. Halo2's proving time is 3-6x slower than Groth16 for circuits of similar size. For high-throughput applications like a DEX processing thousands of trades per second, this could become a bottleneck. Optimizations like GPU acceleration (CUDA) are being explored but are not yet production-ready.
3. Security Audits. Halo2 has not undergone a formal security audit as a standalone library. While the underlying Halo protocol is peer-reviewed, the implementation may contain bugs. The Scroll team has conducted internal audits, but there is no public report. This is a concern for projects handling significant value.
4. Centralization of Provers. Recursive proof composition requires powerful hardware. Currently, only a handful of entities (e.g., Scroll, Polygon) can generate Halo2 proofs efficiently. This could lead to a centralized proving market, undermining the decentralization ethos of Ethereum.
5. Quantum Resistance. Halo2 relies on the discrete logarithm assumption (via inner product arguments). Quantum computers could break this, rendering all Halo2 proofs invalid. STARKs, which rely on hash functions, are quantum-resistant. This is a long-term risk but one that investors and developers should consider.
AINews Verdict & Predictions
Halo2 is the most important zero-knowledge proving system that most developers have never heard of. Its combination of transparent setup, flexible arithmetization, and efficient recursion makes it the ideal engine for ZK-EVMs, which are the future of Ethereum scaling. However, the project is at a critical juncture.
Prediction 1: Documentation will be the deciding factor. If the Privacy-Ethereum community invests in a comprehensive tutorial series, a high-level DSL (domain-specific language) for circuit writing, and a stable API, Halo2 will become the default proving system for new rollups. If not, it will remain a niche tool for cryptographers, and projects will migrate to more user-friendly alternatives like Gnark or Circom.
Prediction 2: GPU acceleration will unlock mainstream adoption. Within 12 months, we expect a production-ready CUDA backend for Halo2 that reduces proving time by 10x. This will make it competitive with Groth16 for single-proof applications, expanding its use beyond ZK-EVMs to private DeFi and identity.
Prediction 3: A major security audit will occur in 2025. The combined market cap of projects using Halo2 (Scroll, Polygon zkEVM, Taiko) exceeds $10 billion. The pressure for a formal audit is mounting. We predict that the Ethereum Foundation will fund a third-party audit by Q3 2025, which will either validate the implementation or uncover critical bugs.
What to watch: The next release of Halo2 (version 0.3.0) is expected to include a stable API and a new lookup argument called "CQ" (customizable quotient). If this release also includes a tutorial for building a simple ZK-EVM, it will signal that the team is serious about adoption. If not, the project risks becoming a footnote in the history of zero-knowledge cryptography.