v0.10.0

What's Changed

TLDR;

Breaking changes

• PlonK was updated to latest paper version and is incompatible with previous gnark version
• gnark now supports efficient PlonK recursion with 2-chains (bls12-377 / bw6-761)
• Groth16 solidity verifier now supports commitments
• Addition of a "decompression" component in gnark/std
• Experimental GPU support
• Many performance improvements

---

• feat: BW6-761 emulated pairing by @yelhousni in #846
• Feat: BW6-761 KZG gadget by @yelhousni in #866
• Fix: edge cases in the Karabina cyclotomic square decompression by @yelhousni in #868
• chore: avoid nonnative dereferences by @ivokub in #861
• feat: allow custom hash function in backends by @ivokub in #873
• chore: cleanup documentation examples by @ivokub in #878
• Refactor(BW6-761): use revisited Ate pairing instead of Tate by @yelhousni in #876
• Fix sw_emulated test by @secure12 in #889
• feat: add short-hash wrappers for recursion by @ivokub in #884
• Feat/marshal g1 scalar by @ThomasPiellard in #891
• perf: lookup blueprint compile time improvement by @gbotrel in #899
• FEAT: Add experimental support for Icicle GPU acceleration behind build tag by @jeremyfelder in #844
• feat: Fiat-Shamir transcript using a short hash by @ivokub in #900
• refactor: use emulated.FieldParams as type parameter to generic Curve and Pairing by @ivokub in #901
• fix: non-native arithmetic autoreduction for division, inversion and sqrt by @ivokub in #870
• feat: batched KZG by @ivokub in #908
• fix: use platform independent method for counting new multiplication overflow from result limb count by @ivokub in #916
• feat: cache lookup blueprint entries in solving phase by @gbotrel in #915
• feat: make gkr hash registries private and threadsafe by @gbotrel in #920
• refactor: simplify hint overloading for api.Commit by @gbotrel in #919
• Perf/multisymbol 4bw by @Tabaie in #912
• fix: missing wait on channel in plonk prover by @gbotrel in #926
• Feat/bypass compression by @Tabaie in #924
• perf: if we don't compress, no need to index dict. by @gbotrel in #929
• Perf: optimize addition chains in BW6-761 final exponentiation by @yelhousni in #931
• Perf: variant of the Karabina cyclotomic squaring by @yelhousni in #933
• feat: add PLONK in-circuit verifier by @ivokub in #880
• perf: use G2 precomputed lines for Miller loop by @ivokub in #930
• perf: bounded scalar multiplication by @ivokub in #934
• Chore/compression v1 by @Tabaie in #940
• perf: non-native modular multiplication by @ivokub in #749
• fix: several typos in the documentation by @tudorpintea999 in #943
• feat: exit when condition is not filled by @ThomasPiellard in #928
• refactor: use external compressor repo by @Tabaie in #942
• fix: #951 plonk verifier checks witness length by @gbotrel in #952
• refactor: plonk.Setup takes kzg srs in canonical and lagrange form by @gbotrel in #953
• Perf: plonk verifier gadget by @yelhousni in #949
• Perf: KZG verify gadget by @yelhousni in #874
• Feat/plonk verifier batching by @ThomasPiellard in #960
• chore(deps): bump golang.org/x/crypto from 0.12.0 to 0.17.0 by @dependabot in #973
• perf(ecdsa): use GLV in JointScalarMulBase by @yelhousni in #975
• chore: adapt changes from native Fiat-Shamir transcript by @ivokub in #974
• perf,memory: lighter plonk ProvingKey (no trace) by @gbotrel in #957
• perf: mark the result of builder.IsZero as boolean to save constraints when used in future by @winderica in #977
• feat: update compress version; failing test by @gbotrel in #979
• fix: typos by @GoodDaisy in #992
• Feat/variable dict by @Tabaie in #989
• Fix std/recursion/plonk native and emulated examples by @wzmuda in #968
• feat: some todos and dead code by @yelhousni in #993
• fix IsZero bug in std/math/emulated/field_assert.go by @readygo67 in #1002
• perf(ecmul): use GLV with safe handling of edge cases in EVM ecmul by @yelhousni in #976
• fix: remove shorthash override for same field by @ivokub in #1008
• Refac/compress packing by @Tabaie in #1007
• feat: different PLONK circuit verification by @ivokub in #1010
• feat: adds plonk.SRSSize helper method by @gbotrel in #1012
• perf: groth16 verifier circuit uses precomputed lines for all curves by @yelhousni in #1016
• docs: describe that hint inputs and outputs are init-ed by @ivokub in #1003
• fix: assign baseChallenge correctly while verifying gkr solution by @ahmetyalp in #1020
• feat: use n-bit mux for switching PLONK verification keys by @ivokub in #1017
• fix: Decompressor to return -1 when output doesn't fit by @Tabaie in #1022
• Fix: edge cases in std/algebra elliptic curve arithmetic circuit (emulated and 2-chains) by @yelhousni in #1023
• fix: use subtraction with reduce in AssertIsEqual by @ivokub in #1026
• feat: plonk verifier options by @ivokub in #1028
• build: update compress to latest version by @gbotrel in #1032
• test: add emulated pairing circuits to stats by @yelhousni in #1031
• fix: use G1 generator from SRS by @ivokub in #1035
• fix: another occurence of G1 in SRS by @ivokub in #1036
• fix: organize std packages hints registrations by @ivokub in #1043
• perf(sw_emulated): optimize jointScalarMulGeneric by @yelhousni in #1049
• feat: subgroup G1/G2 membership BW6-761 and BLS12-377 by @yelhousni in #1030
• Refac/blob decompressor mirror by @Tabaie in #1047
• chore: remove committed profiles by @ivokub in #1053
• feat: stabilize anonymous hint function names by @ivokub in #1054
• feat: add option for enforcing number of goroutines for the solver by @ivokub in #1052
• feat: verify commitments in groth16 recursion verifier by @ahmetyalp in #1057
• feat: non-native sumcheck verifier by @ivokub in #1042
• fix: scs add/mul when recorded constraint is 0 by @yelhousni in #1068
• perf: emulated equality assertion by @ivokub in #1064
• refactor: kill backend.PLONK_FRI by @gbotrel in #1075
• Faster cubic 01 01 mul by @shramee in #1076
• Faster cubic 012 mul 01 by @shramee in #1077
• feat: add hint calling with either native inputs or outputs by @ivokub in #1080
• fix: emulated hint tests by @ivokub in #1083
• Perf: optimize EC arithmetic by @yelhousni in #1061
• feat: add MulNoReduce and Sum methods in field emulation by @ivokub in #1072
• Perf: optimize scalar multiplication for 2-chains by @yelhousni in #1085
• perf/fix: assume variable as zero constant when subtracting from itself by @ivokub in #1089
• feat: add range check selector retrieval by @ivokub in https://github.com/Consensys...

v0.9.1

What's Changed

Fixes

• fix plonk proof forgeability issue
• fix: fixed fold_state by @ThomasPiellard in #820
• perf, refactor: plonk prover by @gbotrel in #855
• fix typos by @xiaolou86 in #857
• perf: a special case for mulacc by @Tabaie in #859
• fix binary decomposition of 0 by @lightning-li in #853
• refactor: generic KZG and Groth16 verifier by @ivokub in #840

New Contributors

• @xiaolou86 made their first contribution in #857

Full Changelog: v0.9.0...v0.9.1

v0.9.0

What's Changed

Features

Core

• feat: Groth16 MPC setup by @HSG88 in #515
• feat: BSB22 commitments PlonK by @Tabaie in #586
• feat: add simple key-value store to the builders by @ivokub in #480
• refactor: define Committer interface for builders by @ivokub in #481
• feat: add defer to the Compiler interface by @ivokub in #483
• feat: PlonK frontend filter common cases of duplicate constraints by @gbotrel in #539
• perf: various performance improvements for PlonK prover by @gbotrel in #593
• feat, perf: introduce constraint blueprints. improve memory usage for constraint systems by @gbotrel in #641
• perf: reduce mem allocs in scs frontend by @gbotrel in #654
• feat: PlonK multicommit by @Tabaie in #668
• feat: Groth16 Multicommits by @Tabaie in #702
• feat: change opening order kzg by @ThomasPiellard in #694
• feat: adds GKR api by @Tabaie in #443
• feat: optimized PlonK solidity verifier for BN254 by @ThomasPiellard
• perf, feat: assert.CheckCircuit(...) by @gbotrel in #825
• Optimized BN254 Groth16 Solidity template with compressed proof support by @recmo in #810

Circuit

• feat: add a partition selector by @aybehrouz in #486
• feat: range checks using log derivative, fixes #581 by @ThomasPiellard in #583
• Add an n to 1 MUX and MAP by @aybehrouz in #475
• perf: in-circuit ECDSA on secp256k1 by @yelhousni in #497
• perf: KZG in circuit by @yelhousni in #506
• feat: BN254 pairing by @ivokub in #411
• feat: range check gadget by @ivokub in #472
• perf: emulated BN254 pairing by @yelhousni in #566
• feat: emulated BLS12-381 pairing by @yelhousni in #591
• feat: add gadget for enabling multiple commitments in-circuit by @ivokub in #562
• feat: add EVM precompiles by @ivokub in #488
• perf: use api.Select for 2 to 1 mux by @aybehrouz in #625
• feat: unified ECADD by @yelhousni in #631
• feat: log-derivative vector lookups by @ivokub in #620
• perf: KZG verification circuit in a single point by @yelhousni in #658
• feat: emulated subgroup check by @yelhousni in #629
• perf(ecdsa): JoinScalarMulBase avoids 0 edge-cases by @yelhousni in #661
• feat: differentiate ecrecover with strict and lax check for s by @ivokub in #656
• feat: implement NIST P-256 and P-384 curves by @ivokub in #697
• perf(2-chain/varScalarMul): use DoubleAndAdd to reduce #constraints by @yelhousni in #706
• perf(2-chain/varScalarMul): DoubleAndAdd to reduce #constraints BLS24 by @yelhousni in #707
• feat: add sha2 primitive by @ivokub in #689
• perf: add a generalized version of binary selection by @aybehrouz in #636
• feat: fixed-argument emulated pairing by @yelhousni in #708
• perf: Add-only emulated scalar multiplication by @yelhousni in #726
• feat: emulated pairing 2-by-2 fixed circuit for EVM by @yelhousni in #698
• perf: emulated pairing BN254 by @yelhousni in #714
• perf: ELM03+Joye07 for emulated scalarMul by @yelhousni in #760
• perf: special squaring for sparse elements in the pairing algorithm by @yelhousni in #772
• perf: Improve MultiLin.Eval number of constraints by @Tabaie in #788
• feat: add sha3 primitive by @NikitaMasych in #817
• feat: add bounded comparator functions by @aybehrouz in #530

Fixes

• fix: scs.MarkBoolean missing return w/ constant by @gbotrel in #491
• fix: closes #509 api did not handle AssertIsLessOrEqual with constant as first param by @gbotrel in #511
• fix: restrict constants in field emulation to width by @ivokub in #518
• fix: subtraction overflow computation bug by @ivokub in #579
• fix(emulated pairing): edge cases in torus-based final exp by @yelhousni in #613
• fix: serializeCommitment by @SherLzp in #651
• fix race condition when compiling circuits in parallel by @gbotrel in #676
• fix: emulated ToBits by @ivokub in #731
• fix: do not accumulate terms with zero coefficient for addition by @ivokub in #763
• fix: assert that the binary decomposition of a variable is less than the modulus by @ivokub in #835

Refactor

• refactor: PlonK uses constraint/ and couple of fixes closes #467 by @gbotrel in #493
• refactor: std/algebra by @yelhousni in #526
• refactor: expose all typed backends in gnark/backend (moved from internal/) by @gbotrel in #561
• refactor: based on #515 generify groth16 MPC setup for all curves, flatten packages+ refactor by @gbotrel in #563
• refactor: Minimize Commitment info in PlonK vk by @Tabaie in #633
• refactor: hint name options by @Tabaie in #666
• refactor, perf: 2-chains pairing + groth16 API by @yelhousni in #664

New Contributors

• @HSG88 made their first contribution in #515
• @NikitaMasych made their first contribution in #817
• @recmo made their first contribution in #810

Full Changelog: v0.8.1...v0.9.0

What's Changed

• fix: Plonk Fiat-Shamir Challenges with BSB22 by @Tabaie in #812
• Perf: save some negations in emulated pairings by @yelhousni in #816

v0.9.0-alpha

What's Changed

Features

Core

• feat: Groth16 MPC setup by @HSG88 in #515
• feat: BSB22 commitments PlonK by @Tabaie in #586
• feat: add simple key-value store to the builders by @ivokub in #480
• refactor: define Committer interface for builders by @ivokub in #481
• feat: add defer to the Compiler interface by @ivokub in #483
• feat: PlonK frontend filter common cases of duplicate constraints by @gbotrel in #539
• perf: various performance improvements for PlonK prover by @gbotrel in #593
• feat, perf: introduce constraint blueprints. improve memory usage for constraint systems by @gbotrel in #641
• perf: reduce mem allocs in scs frontend by @gbotrel in #654
• feat: PlonK multicommit by @Tabaie in #668
• feat: Groth16 Multicommits by @Tabaie in #702
• feat: change opening order kzg by @ThomasPiellard in #694
• feat: adds GKR api by @Tabaie in #443
• feat: optimized PlonK solidity verifier for BN254 by @ThomasPiellard

Circuit

• feat: add a partition selector by @aybehrouz in #486
• feat: range checks using log derivative, fixes #581 by @ThomasPiellard in #583
• Add an n to 1 MUX and MAP by @aybehrouz in #475
• perf: in-circuit ECDSA on secp256k1 by @yelhousni in #497
• perf: KZG in circuit by @yelhousni in #506
• feat: BN254 pairing by @ivokub in #411
• feat: range check gadget by @ivokub in #472
• perf: emulated BN254 pairing by @yelhousni in #566
• feat: emulated BLS12-381 pairing by @yelhousni in #591
• feat: add gadget for enabling multiple commitments in-circuit by @ivokub in #562
• feat: add EVM precompiles by @ivokub in #488
• perf: use api.Select for 2 to 1 mux by @aybehrouz in #625
• feat: unified ECADD by @yelhousni in #631
• feat: log-derivative vector lookups by @ivokub in #620
• perf: KZG verification circuit in a single point by @yelhousni in #658
• feat: emulated subgroup check by @yelhousni in #629
• perf(ecdsa): JoinScalarMulBase avoids 0 edge-cases by @yelhousni in #661
• feat: differentiate ecrecover with strict and lax check for s by @ivokub in #656
• feat: implement NIST P-256 and P-384 curves by @ivokub in #697
• perf(2-chain/varScalarMul): use DoubleAndAdd to reduce #constraints by @yelhousni in #706
• perf(2-chain/varScalarMul): DoubleAndAdd to reduce #constraints BLS24 by @yelhousni in #707
• feat: add sha2 primitive by @ivokub in #689
• perf: add a generalized version of binary selection by @aybehrouz in #636
• feat: fixed-argument emulated pairing by @yelhousni in #708
• perf: Add-only emulated scalar multiplication by @yelhousni in #726
• feat: emulated pairing 2-by-2 fixed circuit for EVM by @yelhousni in #698
• perf: emulated pairing BN254 by @yelhousni in #714
• perf: ELM03+Joye07 for emulated scalarMul by @yelhousni in #760
• perf: special squaring for sparse elements in the pairing algorithm by @yelhousni in #772
• perf: Improve MultiLin.Eval number of constraints by @Tabaie in #788

Fixes

• fix: scs.MarkBoolean missing return w/ constant by @gbotrel in #491
• fix: closes #509 api did not handle AssertIsLessOrEqual with constant as first param by @gbotrel in #511
• fix: restrict constants in field emulation to width by @ivokub in #518
• fix: subtraction overflow computation bug by @ivokub in #579
• fix(emulated pairing): edge cases in torus-based final exp by @yelhousni in #613
• fix: serializeCommitment by @SherLzp in #651
• fix race condition when compiling circuits in parallel by @gbotrel in #676
• fix: emulated ToBits by @ivokub in #731
• fix: do not accumulate terms with zero coefficient for addition by @ivokub in #763

Refactor

• refactor: PlonK uses constraint/ and couple of fixes closes #467 by @gbotrel in #493
• refactor: std/algebra by @yelhousni in #526
• refactor: expose all typed backends in gnark/backend (moved from internal/) by @gbotrel in #561
• refactor: based on #515 generify groth16 MPC setup for all curves, flatten packages+ refactor by @gbotrel in #563
• refactor: Minimize Commitment info in PlonK vk by @Tabaie in #633
• refactor: hint name options by @Tabaie in #666
• refactor, perf: 2-chains pairing + groth16 API by @yelhousni in #664

New Contributors

• @HSG88 made their first contribution in #515

Full Changelog: v0.8.1...v0.9.0-alpha

v0.8.1

Security

Update gnark-crypto dependency to include security fix.

What's Changed

• Fix the example in README.md by @aybehrouz in #478

Full Changelog: v0.8.0...v0.8.1

v0.8.0

What's Changed

New features

• Non-native field emulation by @ivokub in #302
• FRI proximity proofs by @ThomasPiellard in #321
• KZG verifier by @yelhousni in #307
• GKR by @Tabaie in #393 (API --> #443)
• ECDSA signature verification by @ivokub in #372
• keccak-f permutation function by @ivokub in #401
• Add support for BLS24-317 by @yelhousni in #310

Circuit API

• api.Commit() following BSB22 @Tabaie in #405
• api.MulAcc(..) by @gbotrel in #427

gnark tools

• gnark/profile outputs pprof compatible circuit profiling data by @gbotrel in #352

Performance

• Allocate less in test engine by @ivokub in #331
• Add debug.SymbolTable into constraint system for storage efficiency of debug info by @gbotrel in #421
• api.IsZero generate less constraints by @gbotrel in #356
• Optimize bn254/groth16 solidity verifier. by @citizen-stig in #376
• Compress linear expression by @ivokub in #418
• Add constraint package and improve memory management in frontend by @gbotrel in #412

Refactor & consolidate

• Clean up witness package, introduces clean witness.Witness interface by @gbotrel in #450
• Add cs.GetConstraint with examples, and pretty printer helpers by @gbotrel in #452
• Serialization header to CS and debug info to all constraints with -tags=debug by @gbotrel in #347
• Compile(ecc.ID) -> Compile(field *big.Int) by @gbotrel in #328
• std/math/nonnative -> std/math/emulated by @gbotrel in #345
• Kill api.Tag and api.Counter by @gbotrel in #353
• A field element is always in Montgomery form and big.Ints are always non-Mont by @Tabaie in #422
• Re-write PlonK backend to use gnark-crypto/iop by @ThomasPiellard in #451

Fixes

• Fix Or && Xor by @liyue201 in #355
• Fix/xor cst var plonk by @ThomasPiellard in #383
• Mark output of AND in R1CS as boolean by @ivokub in #459
• Handle recursive hints in level builder by @gbotrel in #441
• fix #442: use reflectwalk to walk through circuit structures without building a Schema by @gbotrel in #444
• MiMC on BLS12-377 / number of rounds by @yelhousni in #453
• Fix MiMC interface by @Tabaie in #454 #469

New Contributors

• @tinywell made their first contribution in #339
• @Tabaie made their first contribution in #362
• @omahs made their first contribution in #360
• @liyue201 made their first contribution in #355
• @citizen-stig made their first contribution in #376
• @aybehrouz made their first contribution in #470

Full Changelog: v0.7.1...v0.8.0

v0.7.0

[v0.7.0] - 2022-03-25

Build

• go.mod: go version upgrade 1.16 --> go1.17
• update to gnark-crpto v0.7.0

Feat

• adds gnark logger. closes #202
• added internal/stats package: measure number of constraints of circuit snippets for regression
• adds std/math/bits/ToNAF ToBinary ToTernary

Fix

• enables recursive hints solving #293 and
• move init() behind sync.Once. remove verbose option in stats binary
• fixes #266 by adding constant path in Lookup2 and Select
• incorrect handling of nbBits == 1 in api.ToBinary
• PlonK vulnerability: thanks to Trail Of Bits for finding this vulnerability and responsibly disclosing it

Perf

• restored frontend.WithCapacity option...
• plonk: IsConstant -> ConstantValue
• sw: no need for Lookup2 in constScalarMul
• remove offset shifts in plonk compile
• remove post-compile offset id in R1CS builder

Refactor

• frontend.Compile now takes a builder instead of backendID as parameter
• std/signature/eddsa Verify api now takes explicit hash and curve objects
• make nboutputs of a hint explicit at compile time
• std/pairing have more consistent apis
• remove StaticHint wrapper, log duplicate hints (#289)
• backend.WithOutput -> backend.WithCircuitLogger
• remove all internal circuits from stats, keep important snippets only
• frontend: split compiler, api and builder interface into interfaces
• remove IsBoolean from R1CS variables
• moved internal/compiled to frontend/compiled

Pull Requests

• Merge pull request #295 from ConsenSys/fix/test-println
• Merge pull request #294 from ConsenSys/fix/recursivehhints
• Merge pull request #291 from ConsenSys/refactor/std/pairing
• Merge pull request #281 from ConsenSys/feat/logger
• Merge pull request #280 from ConsenSys/simplify-r1cs-compile
• Merge pull request #279 from ConsenSys/feat/statistics
• Merge pull request #276 from ConsenSys/feat-math-bits
• Merge pull request #278 from ConsenSys/perf-constant-lookup2
• Merge pull request #272 from ConsenSys/refactor-hint
• Merge pull request #275 from ConsenSys/refactor-compiler-builder
• Merge pull request #271 from ConsenSys/refactor-compiled
• Merge pull request #267 from ConsenSys/perf/tEd-add
• Merge pull request #265 from ConsenSys/perf/SW-constScalarMul

v0.6.4

[v0.6.4] - 2022-02-15

Build

• update to gnark-crpto v0.6.1

Feat

• Constraint system solvers (Groth16 and PlonK) now run in parallel

Fix

• api.DivUnchecked with PlonK between 2 constants was incorrect

Perf

• EdDSA: std/algebra/twistededwards takes ~2K less constraints (Groth16). Bandersnatch benefits from same improvments.

Pull Requests

• Merge pull request #259 from ConsenSys/perf-parallel-solver
• Merge pull request #261 from ConsenSys/feat/kzg_updated
• Merge pull request #257 from ConsenSys/perf/EdDSA
• Merge pull request #253 from ConsenSys/feat/fft_cosets

v0.6.3

[v0.6.3] - 2022-02-13

Feat

• MiMC changes: api doesn't take a "seed" parameter. MiMC impl matches Ethereum one.

Fix

• fixes #255 variable visibility inheritance regression
• counter was set with PLONK backend ID in R1CS
• R1CS Solver was incorrectly calling a "MulByCoeff" instead of "DivByCoeff" (no impact, coeff was always 1 or -1)
• SparseR1CS cbor unmarshal failed #247 for compiled.Term

Pull Requests

• Merge pull request #256 from ConsenSys/fix-bug-compile-visibility
• Merge pull request #249 from ConsenSys/perf-ccs-hint
• Merge pull request #248 from ConsenSys/perf-ccs-solver
• Merge pull request #247 from ConsenSys/fix/plonk_cbor

v0.6.2

[v0.6.2] - 2022-01-28

Build

• go version dependency bumped from 1.16 to 1.17

Feat

• added witness.MarshalJSON and witness.MarshalBinary
• added ccs.GetSchema() - the schema of a circuit is required for witness json (de)serialization
• added ccs.GetConstraints() - returns a list of human-readable constraints
• added ccs.IsSolved() - moved from groth16 / plonk to the CompiledConstraintSystem interface
• added witness.Public() to return Public part of the witness
• addition of Cmp in the circuit API

Refactor

• compiled.Visbility -> schema.Visibiility
• witness.WriteSequence -> schema.WriteSequence
• killed ReadAndProve and ReadAndVerify (plonk)
• killed ReadAndProve and ReadAndVerify (groth16)
• remove embbed struct tag for frontend.Variable fields

Docs

• backend: unify documentation for options
• frontend: unify docs for options
• test: unify documentation for options

Pull Requests

• Merge pull request #244 from ConsenSys/plonk-human-readable
• Merge pull request #237 from ConsenSys/ccs-get-constraints
• Merge pull request #233 from ConsenSys/feat/api_cmp
• Merge pull request #235 from ConsenSys/witness-public-api
• Merge pull request #232 from ConsenSys/cleanup-231-group-options
• Merge pull request #230 from ConsenSys/ccs-schema
• Merge pull request #229 from ConsenSys/ccs-issolved-api
• Merge pull request #228 from ConsenSys/witness-json
• Merge pull request #226 from ConsenSys/feat-circuit-schema
• Merge pull request #227 from ConsenSys/build-update-go1.17
• Merge pull request #222 from ConsenSys/perf/std-sw-glv