Unlocking zero-knowledge proofs for Cardano: the Halo2-Plutus verifier
Learn about an open-source prototype bringing zero-knowledge proofs to Cardano for private, scalable, and interoperable applications
26 August 2025
In the rapidly evolving world of blockchain technology, zero-knowledge proofs (ZKPs) are a cornerstone for enhancing privacy, scalability, and security. The Halo2-Plutus verifier is an open-source project spearheaded by Input | Output Research (IOR) as part of an Intersect agreement driven by the Technical Steering Committee priorities. This tool bridges the advanced cryptographic capabilities of the Halo2 proof system with the Plutus smart contract platform (and its high-level language, Plinth) on Cardano.
This blog post explores the verifier’s purpose, functionality, and potential to revolutionize decentralized applications (DApps) on Cardano, particularly for the Midnight-Cardano zk-bridge.
What is the Halo2-Plutus verifier?
The Halo2-Plutus verifier is an open-source repository designed to generate and verify ZKPs using Halo2 and integrate them into Plinth smart contracts on Cardano.
Developed through a collaborative effort between the research and innovation teams, with significant contributions from applied cryptographers, the tool focuses on enabling on-chain Halo2 verification to support privacy-preserving DApps. Its primary goal is to support the Midnight-Cardano zk-bridge, although it also enables broader applications, such as membership proofs, range proofs, confidential transactions, and many more.
Key features include:
- Automated Plinth verifier generation: a generator that produces Plinth verifier code from Halo2 circuit descriptions.
- Halo2 circuit for Ad-Hoc Threshold Multisignatures (ATMS): implementation of a Halo2 circuit for ATMS and its verification in a Plutus smart contract on Cardano.
- Multi-Scalar Multiplication (MSM) CIP contribution: a proposed Cardano Improvement Proposal (CIP) for MSM to optimize performance in cryptographic protocols.
The repository, driven by a diverse team of prototyping engineers, applied cryptographers, architects, and formal methods experts, serves as a prototype to help developers envision the potential for privacy-focused DApps.
Origins and collaboration
This project is a collaborative effort between IOR, Intersect, and the Technical Steering Committee to advance Cardano’s interoperability and privacy capabilities. These outcomes were achieved under the RSnarks workstream in the IOR 2025 proposal.
The collaboration between research and innovation was pivotal, with applied cryptographers playing a critical role in tackling the complexities of the proof systems. Their expertise was instrumental in adapting the optimal pairing check algorithm – originally developed for BN256 – to the BLS12-381 elliptic curve, a key outcome enabling efficient recursive proof verification on Cardano. The team’s close collaboration with the Midnight and Plutus teams ensured alignment with real-world needs, particularly for a zk-bridge.
Key contributions
Halo2 proof generation:
- The verifier utilizes Rust to generate Halo2 proofs for various operations, including digital signatures and recursive verifiers. Proofs are serialized into JSON files, and the corresponding verifier code is output as Haskell files compatible with Plinth. This enables off-chain computation with on-chain verification.
ATMS Halo2 proof:
- sidechains-zk repository
- The tool prototypes verification of the ATMS, a critical component in many applications, including the Midnight-Cardano zk-bridge.
Formal verification:
- Efficient Foreign-Field Arithmetic in PLONK research paper
- The team used EasyCrypt to prove the soundness and completeness of the foreign-field arithmetic (FFA) algorithm. This work, publicly available on GitHub, enhances the efficiency of recursive proofs that require non-native operations in SNARK circuits.
MSM CIP contribution:
- CIP-133 – Plutus support for Multi-Scalar Multiplication over BLS12-381
- The team proposed a CIP for MSM over BLS12-381, a computationally intensive operation critical to various cryptographic protocols, including cryptographic signatures, ZKPs, and elliptic-curve-based SNARK systems like Halo2. MSM is a bottleneck in both proof and verification algorithms, particularly in SNARKs, where large-scale MSMs dominate computational costs. By introducing an MSM built-in in Plutus, the CIP aims to significantly optimize the performance of Halo2-based protocols on Cardano, benefiting verifiers and provers alike. The CIP has been accepted and is under implementation by the Plutus team.
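To make the cost argument concrete, here is an added example (not code from the repository or from CIP-133) that computes the same MSM twice, once as independent scalar multiplications and once with the standard bucket (Pippenger-style) method, and counts group additions. It assumes a toy additive group (integers modulo a constructed prime) in place of BLS12-381 G1 and 32-bit scalars; `Ops`, `msm_naive`, `msm_bucket` and `demo` are hypothetical names, and nothing here claims to be the algorithm the Plutus built-in uses.

```rust
// Toy group: integers mod a small prime under addition, standing in for BLS12-381 G1.
const Q: u64 = 1_000_003; // constructed modulus, not a curve parameter
struct Ops(u64); // counts group additions, the cost an MSM algorithm tries to minimise
impl Ops {
    fn add(&mut self, a: u64, b: u64) -> u64 { self.0 += 1; (a + b) % Q }
}
/// Naive MSM: one 32-bit double-and-add per term, then a running sum.
fn msm_naive(scalars: &[u32], points: &[u64], ops: &mut Ops) -> u64 {
    let mut total = 0;
    for (&s, &p) in scalars.iter().zip(points) {
        let (mut acc, mut base) = (0, p);
        for bit in 0..32 {
            if (s >> bit) & 1 == 1 { acc = ops.add(acc, base); }
            base = ops.add(base, base); // doubling
        }
        total = ops.add(total, acc);
    }
    total
}
/// Bucket (Pippenger-style) MSM with a window of `c` bits, 1 <= c <= 16.
fn msm_bucket(scalars: &[u32], points: &[u64], c: u32, ops: &mut Ops) -> u64 {
    let mut total = 0;
    for w in (0..(32 + c - 1) / c).rev() {
        for _ in 0..c { total = ops.add(total, total); } // shift left by one window
        let mut buckets = vec![0u64; (1usize << c) - 1];
        for (&s, &p) in scalars.iter().zip(points) {
            let digit = ((s >> (w * c)) & ((1u32 << c) - 1)) as usize;
            if digit != 0 { buckets[digit - 1] = ops.add(buckets[digit - 1], p); }
        }
        // Running-sum trick: computes sum of j * bucket[j] with additions only.
        let (mut running, mut window_sum) = (0, 0);
        for &b in buckets.iter().rev() {
            running = ops.add(running, b);
            window_sum = ops.add(window_sum, running);
        }
        total = ops.add(total, window_sum);
    }
    total
}
/// Constructed sample: n pseudo-random scalars and points; returns results and op counts.
fn demo(n: u32) -> (u64, u64, u64, u64) {
    let scalars: Vec<u32> = (0..n).map(|i| i.wrapping_mul(2_654_435_761).wrapping_add(12_345)).collect();
    let points: Vec<u64> = (0..n as u64).map(|i| (i * 7_919 + 1) % Q).collect();
    let (mut a, mut b) = (Ops(0), Ops(0));
    (msm_naive(&scalars, &points, &mut a), msm_bucket(&scalars, &points, 8, &mut b), a.0, b.0)
}
fn main() {
    println!("{:?}", demo(256)); // (naive result, bucket result, naive adds, bucket adds)
}
```

Both functions return the same group element; the bucket method shares the doublings across all terms, which is why its addition count grows much more slowly with the number of terms.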
Reproducible development environment:
- plutus-halo2-verifier-gen repository
- Powered by Nix for dependency management and Cabal for building/testing Plinth contracts, the verifier ensures a streamlined, reproducible workflow.
Technical achievements and challenges
Plinth verifier generation:
- The tool automates the generation of the Halo2 verifier in Plinth from a circuit description provided by the Halo2 library in Rust. The tool utilizes the Handlebars library to populate Plinth Halo2 templates with circuit-specific logic.
The tool has been applied to various circuits, including the verification of ATMS. It supports Halo2 lookup tables and custom gates. Results show that ATMS signatures can be efficiently verified on the Cardano mainnet, with the verifier fitting within the computational limits of a single Plutus script.
Formal verification of FFA:
- Using EasyCrypt, the team formally verified the FFA algorithm, proving soundness and completeness for multiplication gates and a novel MSM algorithm. This work ensures the reliability of non-native operations in Halo2 circuits.
MSM CIP:
- The team’s CIP for MSM over BLS12-381 proposes a built-in Plutus function to optimize verifier performance, significantly reducing computational costs for Halo2-based protocols.
Why is this prototype useful?
Although the Halo2-Plutus verifier is a prototype, it has the potential to unlock transformative possibilities for Cardano:
- Privacy-preserving DApps: verify computations (eg, transaction amounts) without revealing sensitive data
- Scalability: offload complex computations off-chain while maintaining on-chain verification
- Interoperability: enable the Midnight-Cardano zk-bridge by verifying recursive proofs
Versatile applicability:
- DeFi: confidential transactions and collateral verification
- Voting: private eligibility proofs for DAOs
- Compliance: regulatory compliance with privacy
Community impact: the open-source tool and MSM CIP empower developers to build advanced cryptographic solutions.
The community's voice helps to understand the value of this prototype better. Philip DiSarro, founder of Anastasia Labs and Midgard, says:
As someone building real-world infrastructure on Cardano, I’ve been closely following the progress of ZK tooling within the ecosystem – and the Halo2-Plutus verifier is a major step forward. Having an on-chain Plutus verifier for Halo2 proofs dramatically broadens the design space for privacy-preserving and scalable applications. We’ve explored integrating the verifier into Midgard, our optimistic rollup framework, as a way to enable fraud-proof compression and to enhance the user experience of cross layer 2 interactions. The codebase is thoughtfully structured, and it’s clear the IOG R&D team has put deep care into aligning the design with Cardano’s EUTXO model and Plutus constraints. I’m excited to see this project open-sourced. It sends a strong signal about where the ecosystem is heading and gives teams like ours the opportunity to build on top of solid, mission-critical foundations.
Potential use cases
- Midnight-Cardano zk-bridge: verify Midnight’s state on Cardano using recursive proofs
- Private voting: prove voter eligibility without exposing identities
- Confidential DeFi: validate transactions while keeping amounts private
- Supply chain: verify product attributes (eg, origin) without further disclosure.
Conclusion
The Halo2-Plutus verifier, born from IOR’s collaboration with Intersect and guided by the Technical Steering Committee, is a game-changer for Cardano’s privacy and interoperability. With contributions from applied cryptographers, prototyping engineers, and formal methods experts, the tool demonstrates the feasibility of Halo2 proofs on Cardano, including recursive proofs for the Midnight zk-bridge. Despite challenges such as the high cost of verification, innovations like the MSM CIP and formal FFA verification pave the way for efficient and secure DApps.
Ready to explore? Clone the repository, dive into the code, and contribute to the future of privacy on Cardano!
Unlocking zero-knowledge proofs for Cardano: the Halo2-Plutus verifier by Kris Bennett
26 August 2025