Paper 2020/1536

Halo Infinite: Recursive zk-SNARKs from any Additive Polynomial Commitment Scheme

Dan Boneh, Justin Drake, Ben Fisch, and Ariel Gabizon


Polynomial commitment schemes (PCS) have recently been in the spotlight for their key role in building SNARKs. A PCS provides the ability to commit to a polynomial over a finite field and prove its evaluation at points. A succinct PCS has commitment and evaluation proof size sublinear in the degree of the polynomial. An efficient PCS has sublinear proof verification. Any efficient and succinct PCS can be used to construct a SNARK with similar security and efficiency characteristics (in the random oracle model). Proof-carrying data (PCD) enables a set of parties to carry out an indefinitely long distributed computation where every step along the way is accompanied by a proof of correctness. It generalizes incrementally verifiable computation and can even be used to construct SNARKs. Until recently, however, the only known method for constructing PCD required expensive SNARK recursion. A system called Halo first demonstrated a new methodology for building PCD without SNARKs, exploiting an aggregation property of the Bulletproofs inner-product argument. The construction was heuristic because it makes non-black-box use of a concrete instantiation of the Fiat-Shamir transform. We expand upon this methodology to show that PCD can be (heuristically) built from any homomorphic polynomial commitment scheme (PCS), even if the PCS evaluation proofs are neither succinct nor efficient. In fact, the Halo methodology extends to any PCS that has an even more general property, namely the ability to aggregate linear combinations of commitments into a new succinct commitment that can later be opened to this linear combination. Our results thus imply new constructions of SNARKs and PCD that were not previously described in the literature and serve as a blueprint for future constructions as well.

Note: This paper expands on results in the manuscript and includes content from this prior manuscript in an appendix.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2021
zero-knowledgeproof of knowledgeproof carrying dataSNARKspolynomial commitmentsverifiable computation
Contact author(s)
benafisch @ gmail com
2021-08-17: last of 2 revisions
2020-12-13: received
See all versions
Short URL
Creative Commons Attribution


      author = {Dan Boneh and Justin Drake and Ben Fisch and Ariel Gabizon},
      title = {Halo Infinite: Recursive zk-{SNARKs} from any Additive Polynomial Commitment Scheme},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1536},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.