v0.12.0

NB! This release fixes security advisory GHSA-cph5-3pgr-c82g (OOM on specially crafted inputs).

What's Changed

• chore: up gnark-crypto by @yelhousni in #1274
• test: add scalar mul to stats by @yelhousni in #1275
• feat: replace stats gob format with csv for easier diffs by @gbotrel in #1276
• build: modify workflows for new CI slack bot by @gbotrel in #1277
• docs: final audit report from LA by @ivokub in #1283
• added sudoku example for prover and verifier by @2pir2 in #1282
• feat constant 'randomness' - domain-size-independent vk by @Tabaie in #1269
• chore: lint generated files by @ivokub in #1289
• docs: update api doc following audit suggestions by @gbotrel in #1291
• fix: fix slice init length by @cuishuang in #1288
• fix: allow only v=0 or v=1 by @ivokub in #1293
• chore: Pedersen verification key reference field by @ivokub in #1295
• feat: update to latest gnark-crypto by @gbotrel in #1298
• fix: expmod precompile if modulus is 1 by @ivokub in #1294
• Feat: 4-dimensional fake GLV by @yelhousni in #1296
• fix: sanitize groth16 verification key reading by @ivokub in #1307
• docs: add input packing example by @ivokub in #1311
• chore: Replace fmt.Printf calls with warning logs by @wwared in #1305
• chore: fix some function names in comment by @wangjingcun in #1304
• fix: initialize public committed by @ivokub in #1317
• feat: direct multivariate polynomial evaluation in non-native by @ivokub in #1299
• Feat/poseidon2 by @ThomasPiellard in #1300
• final exponentiation: select optimisation by @shramee in #1328
• perf: fast path operations for small non-native values by @ivokub in #1326
• perf: BW6 pairing computation using non-native Eval by @ivokub in #1312
• fix bn254 solidity template by @simplexity-ckcclc in #1324
• perf: normalize the random linear combination in logderivarg by @kustosz in #1333
• perf: using non-native Eval for curve arithmetic by @yelhousni in #1331
• Pairing check optimisation by @shramee in #1335
• feat: add ripemd160 hash function with permutation by @ivokub in #1120
• doc: add audit report by @ivokub in #1342
• docs: less verbose Apache 2 header, latest bavard by @gbotrel in #1344
• fix: NNA quotient length computation edge cases by @ivokub in #1340
• build(deps): bump golang.org/x/crypto from 0.26.0 to 0.31.0 by @dependabot in #1346
• Perf: Pairing on BN254 using direct Fp12 extension and non-native Eval() by @yelhousni in #1339
• feat(bls12-381): pairing using direct Fp12 + non-native Eval() by @yelhousni in #1349
• Update ICICLE integration to use v3 ICICLE by @jeremyfelder in #1318
• chore: remove duplicate nil-check by @ivokub in #1355
• fix: avoid linking icicle dependent files when tag not provided by @ivokub in #1352
• perf: G1/2 membership using Eval by @yelhousni in #1356
• refactor: move poseidon2 to permutation package by @ivokub in #1353
• fix: tinyfield generation with updated gnark-crypto by @ivokub in #1358
• Feat: settable hasher for MiMC by @AlexandreBelling in #1345
• optim: avoid div in millerLoopAndFinalExpResult by @shramee in #1363
• fix: typos fixes by @ivokub in #1325
• Change copyright year to 2025 by @Tabaie in #1383
• Faster ecdsa across all curves by @shramee in #1384
• fix: do not return unused sign by @ivokub in #1385
• perf(emulated): small perf on doubleAndAdd by @yelhousni in #1386
• docs: Change copyright year to 2025 (not autogenerated) by @yelhousni in #1388
• perf(bn254): include G2 membership check in ML by @yelhousni in #1387
• Feat/plonk memory optim by @ThomasPiellard in #1395
• perf: PairingCheck for BN254, BLS12-381, BLS12-377 and BW6-761 by @yelhousni in #1365
• fix: add G2 membership check for constant points by @ivokub in #1397
• fix: stashed typo fixes for v0.12 by @ivokub in #1398
• release: v0.12.0 by @ivokub in #1399

New Contributors

• @2pir2 made their first contribution in #1282
• @cuishuang made their first contribution in #1288
• @wwared made their first contribution in #1305
• @simplexity-ckcclc made their first contribution in #1324
• @kustosz made their first contribution in #1333

Full Changelog: v0.11.0...v0.12.0

v0.11.0

NB! This releases fixes GHSA-9xcg-3q8v-7fq6 and GHSA-q3hw-3gm4-w5cr. Additionally, gnark has undergone several audits. We have implemented many performance improvements. See the full list of changes below!

Thanks for all the external and core contributors!

What's Changed

• style: remove old todos by @gbotrel in #1106
• docs: update TODOs by @ivokub in #1109
• feat: handle invalid signature failures in ECRecover precompile by @ivokub in #1101
• docs: update documentation for ecdsa and eddsa by @yelhousni in #1113
• Update README.md by @miles-six in #1118
• perf/feature: new serialization format for constraint systems by @gbotrel in #1119
• refactor: remove todos by @yelhousni in #1111
• test: add PLONK test for public input mapping by @ivokub in #1123
• perf,feat: groth16.ProvingKey implements BinaryDumper using gnark-crypto unsafe by @gbotrel in #1124
• Perf: revisiting field extensions in std/ by @yelhousni in #1110
• perf: direct Fp6 extension for BW6-761 by @yelhousni in #1126
• Feat: implement FixedLengthSum of sha2 by @liyue201 in #821
• fix: shift constraint indices by nb of public vars by @ivokub in #1128
• fix: non-native arithmetic with variable modulus various fixes by @ivokub in #1104
• Perf: Toom-3 for Fp6 in R1CS by @yelhousni in #1131
• test: check KZG batch verify returned error in test circuit by @ivokub in #1140
• Feat/option solidity by @ThomasPiellard in #1138
• Fix/neg factorial by @Tabaie in #1158
• fix: fixes #1157 ensures calls to AttachDebugInfo are surrounded with… by @gbotrel in #1160
• chore: make function comments match function names by @threehonor in #1163
• fix(uints): constrain valueOf by @bernard-wagner in #1139
• fix: fix #1149 by removing unused code by @gbotrel in #1164
• Make ExpMod work with parametric fields parameters by @AlexandreBelling in #1182
• fix(math/bitslice): fix partition upper part range check width by @ivokub in #1165
• perf(bls12-381): eliminate finalexp ~naively by @yelhousni in #1173
• perf: replace BW6-761 final exp by a class equivalence check by @yelhousni in #1155
• fix: groth16 solidity templates by @ivokub in #1187
• perf: replace BN254 final exp by a class equivalence check by @yelhousni in #1143
• Fix: Build on 32-bit arch would raise int overflow by @doutv in #1195
• Optimize AssertIsLessOrEqual api by @lightning-li in #1194
• fix: fix OR computation in case one input is constant and other variable by @ivokub in #1181
• Audit/final commit fixes by @ThomasPiellard in #1196
• Audit/final commit by @ThomasPiellard in #1191
• feat: use blake2 for variable hashcode by @ivokub in #1197
• docs: describe potential length extension attack when using MiMC in-circuit by @ivokub in #1198
• feat: add IsOnG2 for BN254 by @ivokub in #1204
• feat: capture O variable in gate for external range checker by @ivokub in #1211
• fix: use emulated arithmetic for GLV decomp by @ivokub in #1167
• fix: use consecutive powers instead of squaring by @ivokub in #1212
• fix: conditional check in non-native IsZero for applying optimization by @ivokub in #1145
• fix: avoid malicious hint in BN254 final exp check by @yelhousni in #1214
• feat: add BN254 final exponentiation check with output by @ivokub in #1209
• fix: remove unconstrained and unused variables by @ivokub in #1218
• refactor: separate the fixed circuits for ECPairing used in zkevm by @ivokub in #1217
• fix: variable modulus subtraction padding by @ivokub in #1200
• fix: strict ModReduce in emulated fields by @ivokub in #1224
• fix: edge case with PLONK backend when 1 constraint by @ivokub in #1226
• fixes #1227: api.AssertIsLessOrEqual incorrect behavior on R1CS with constant variable by @gbotrel in #1228
• perf: optimize class equivalence check for BLS12 final exp by @yelhousni in #1207
• fix: minimum 1 bit for constant binary decomposition by @gbotrel in #1229
• fix: branch with unchecked cast could panic at compile time by @gbotrel in #1234
• fix: fixes #1246 ensure cond is boolean in api.Select by @gbotrel in #1247
• bump gnark-crypto version and match interface changes by @Tabaie in #1251
• feat test engine friendly GKR by @Tabaie in #1253
• feat add random mask to groth16 commitment by @Tabaie in #1245
• refactor: utility methods into separate internal package for reuse in std library by @ivokub in #1258
• build: update runner and go version by @gbotrel in #1260
• fix: several external typo fixes by @ivokub in #1261
• perf(bn254): optimize Miller loop by @yelhousni in #1254
• chore: explicit IO methods in interfaces by @ivokub in #1266
• docs: update README by @ivokub in #1255
• feat: allow configurable hash-to-field function for Groth16 Solidity verifier by @ivokub in #1102
• release: v0.11.0 by @ivokub in #1272

New Contributors

• @miles-six made their first contribution in #1118
• @threehonor made their first contribution in #1163
• @doutv made their first contribution in #1195

Full Changelog: v0.10.0...v0.11.0

v0.10.0

What's Changed

TLDR;

Breaking changes

• PlonK was updated to latest paper version and is incompatible with previous gnark version
• gnark now supports efficient PlonK recursion with 2-chains (bls12-377 / bw6-761)
• Groth16 solidity verifier now supports commitments
• Addition of a "decompression" component in gnark/std
• Experimental GPU support
• Many performance improvements

---

• feat: BW6-761 emulated pairing by @yelhousni in #846
• Feat: BW6-761 KZG gadget by @yelhousni in #866
• Fix: edge cases in the Karabina cyclotomic square decompression by @yelhousni in #868
• chore: avoid nonnative dereferences by @ivokub in #861
• feat: allow custom hash function in backends by @ivokub in #873
• chore: cleanup documentation examples by @ivokub in #878
• Refactor(BW6-761): use revisited Ate pairing instead of Tate by @yelhousni in #876
• Fix sw_emulated test by @secure12 in #889
• feat: add short-hash wrappers for recursion by @ivokub in #884
• Feat/marshal g1 scalar by @ThomasPiellard in #891
• perf: lookup blueprint compile time improvement by @gbotrel in #899
• FEAT: Add experimental support for Icicle GPU acceleration behind build tag by @jeremyfelder in #844
• feat: Fiat-Shamir transcript using a short hash by @ivokub in #900
• refactor: use emulated.FieldParams as type parameter to generic Curve and Pairing by @ivokub in #901
• fix: non-native arithmetic autoreduction for division, inversion and sqrt by @ivokub in #870
• feat: batched KZG by @ivokub in #908
• fix: use platform independent method for counting new multiplication overflow from result limb count by @ivokub in #916
• feat: cache lookup blueprint entries in solving phase by @gbotrel in #915
• feat: make gkr hash registries private and threadsafe by @gbotrel in #920
• refactor: simplify hint overloading for api.Commit by @gbotrel in #919
• Perf/multisymbol 4bw by @Tabaie in #912
• fix: missing wait on channel in plonk prover by @gbotrel in #926
• Feat/bypass compression by @Tabaie in #924
• perf: if we don't compress, no need to index dict. by @gbotrel in #929
• Perf: optimize addition chains in BW6-761 final exponentiation by @yelhousni in #931
• Perf: variant of the Karabina cyclotomic squaring by @yelhousni in #933
• feat: add PLONK in-circuit verifier by @ivokub in #880
• perf: use G2 precomputed lines for Miller loop by @ivokub in #930
• perf: bounded scalar multiplication by @ivokub in #934
• Chore/compression v1 by @Tabaie in #940
• perf: non-native modular multiplication by @ivokub in #749
• fix: several typos in the documentation by @tudorpintea999 in #943
• feat: exit when condition is not filled by @ThomasPiellard in #928
• refactor: use external compressor repo by @Tabaie in #942
• fix: #951 plonk verifier checks witness length by @gbotrel in #952
• refactor: plonk.Setup takes kzg srs in canonical and lagrange form by @gbotrel in #953
• Perf: plonk verifier gadget by @yelhousni in #949
• Perf: KZG verify gadget by @yelhousni in #874
• Feat/plonk verifier batching by @ThomasPiellard in #960
• chore(deps): bump golang.org/x/crypto from 0.12.0 to 0.17.0 by @dependabot in #973
• perf(ecdsa): use GLV in JointScalarMulBase by @yelhousni in #975
• chore: adapt changes from native Fiat-Shamir transcript by @ivokub in #974
• perf,memory: lighter plonk ProvingKey (no trace) by @gbotrel in #957
• perf: mark the result of builder.IsZero as boolean to save constraints when used in future by @winderica in #977
• feat: update compress version; failing test by @gbotrel in #979
• fix: typos by @GoodDaisy in #992
• Feat/variable dict by @Tabaie in #989
• Fix std/recursion/plonk native and emulated examples by @wzmuda in #968
• feat: some todos and dead code by @yelhousni in #993
• fix IsZero bug in std/math/emulated/field_assert.go by @readygo67 in #1002
• perf(ecmul): use GLV with safe handling of edge cases in EVM ecmul by @yelhousni in #976
• fix: remove shorthash override for same field by @ivokub in #1008
• Refac/compress packing by @Tabaie in #1007
• feat: different PLONK circuit verification by @ivokub in #1010
• feat: adds plonk.SRSSize helper method by @gbotrel in #1012
• perf: groth16 verifier circuit uses precomputed lines for all curves by @yelhousni in #1016
• docs: describe that hint inputs and outputs are init-ed by @ivokub in #1003
• fix: assign baseChallenge correctly while verifying gkr solution by @ahmetyalp in #1020
• feat: use n-bit mux for switching PLONK verification keys by @ivokub in #1017
• fix: Decompressor to return -1 when output doesn't fit by @Tabaie in #1022
• Fix: edge cases in std/algebra elliptic curve arithmetic circuit (emulated and 2-chains) by @yelhousni in #1023
• fix: use subtraction with reduce in AssertIsEqual by @ivokub in #1026
• feat: plonk verifier options by @ivokub in #1028
• build: update compress to latest version by @gbotrel in #1032
• test: add emulated pairing circuits to stats by @yelhousni in #1031
• fix: use G1 generator from SRS by @ivokub in #1035
• fix: another occurence of G1 in SRS by @ivokub in #1036
• fix: organize std packages hints registrations by @ivokub in #1043
• perf(sw_emulated): optimize jointScalarMulGeneric by @yelhousni in #1049
• feat: subgroup G1/G2 membership BW6-761 and BLS12-377 by @yelhousni in #1030
• Refac/blob decompressor mirror by @Tabaie in #1047
• chore: remove committed profiles by @ivokub in #1053
• feat: stabilize anonymous hint function names by @ivokub in #1054
• feat: add option for enforcing number of goroutines for the solver by @ivokub in #1052
• feat: verify commitments in groth16 recursion verifier by @ahmetyalp in #1057
• feat: non-native sumcheck verifier by @ivokub in #1042
• fix: scs add/mul when recorded constraint is 0 by @yelhousni in #1068
• perf: emulated equality assertion by @ivokub in #1064
• refactor: kill backend.PLONK_FRI by @gbotrel in #1075
• Faster cubic 01 01 mul by @shramee in #1076
• Faster cubic 012 mul 01 by @shramee in #1077
• feat: add hint calling with either native inputs or outputs by @ivokub in #1080
• fix: emulated hint tests by @ivokub in #1083
• Perf: optimize EC arithmetic by @yelhousni in #1061
• feat: add MulNoReduce and Sum methods in field emulation by @ivokub in #1072
• Perf: optimize scalar multiplication for 2-chains by @yelhousni in #1085
• perf/fix: assume variable as zero constant when subtracting from itself by @ivokub in #1089
• feat: add range check selector retrieval by @ivokub in https://github.com/Consensys...

v0.9.1

What's Changed

Fixes

• fix plonk proof forgeability issue
• fix: fixed fold_state by @ThomasPiellard in #820
• perf, refactor: plonk prover by @gbotrel in #855
• fix typos by @xiaolou86 in #857
• perf: a special case for mulacc by @Tabaie in #859
• fix binary decomposition of 0 by @lightning-li in #853
• refactor: generic KZG and Groth16 verifier by @ivokub in #840

New Contributors

• @xiaolou86 made their first contribution in #857

Full Changelog: v0.9.0...v0.9.1

v0.9.0

What's Changed

Features

Core

• feat: Groth16 MPC setup by @HSG88 in #515
• feat: BSB22 commitments PlonK by @Tabaie in #586
• feat: add simple key-value store to the builders by @ivokub in #480
• refactor: define Committer interface for builders by @ivokub in #481
• feat: add defer to the Compiler interface by @ivokub in #483
• feat: PlonK frontend filter common cases of duplicate constraints by @gbotrel in #539
• perf: various performance improvements for PlonK prover by @gbotrel in #593
• feat, perf: introduce constraint blueprints. improve memory usage for constraint systems by @gbotrel in #641
• perf: reduce mem allocs in scs frontend by @gbotrel in #654
• feat: PlonK multicommit by @Tabaie in #668
• feat: Groth16 Multicommits by @Tabaie in #702
• feat: change opening order kzg by @ThomasPiellard in #694
• feat: adds GKR api by @Tabaie in #443
• feat: optimized PlonK solidity verifier for BN254 by @ThomasPiellard
• perf, feat: assert.CheckCircuit(...) by @gbotrel in #825
• Optimized BN254 Groth16 Solidity template with compressed proof support by @recmo in #810

Circuit

• feat: add a partition selector by @aybehrouz in #486
• feat: range checks using log derivative, fixes #581 by @ThomasPiellard in #583
• Add an n to 1 MUX and MAP by @aybehrouz in #475
• perf: in-circuit ECDSA on secp256k1 by @yelhousni in #497
• perf: KZG in circuit by @yelhousni in #506
• feat: BN254 pairing by @ivokub in #411
• feat: range check gadget by @ivokub in #472
• perf: emulated BN254 pairing by @yelhousni in #566
• feat: emulated BLS12-381 pairing by @yelhousni in #591
• feat: add gadget for enabling multiple commitments in-circuit by @ivokub in #562
• feat: add EVM precompiles by @ivokub in #488
• perf: use api.Select for 2 to 1 mux by @aybehrouz in #625
• feat: unified ECADD by @yelhousni in #631
• feat: log-derivative vector lookups by @ivokub in #620
• perf: KZG verification circuit in a single point by @yelhousni in #658
• feat: emulated subgroup check by @yelhousni in #629
• perf(ecdsa): JoinScalarMulBase avoids 0 edge-cases by @yelhousni in #661
• feat: differentiate ecrecover with strict and lax check for s by @ivokub in #656
• feat: implement NIST P-256 and P-384 curves by @ivokub in #697
• perf(2-chain/varScalarMul): use DoubleAndAdd to reduce #constraints by @yelhousni in #706
• perf(2-chain/varScalarMul): DoubleAndAdd to reduce #constraints BLS24 by @yelhousni in #707
• feat: add sha2 primitive by @ivokub in #689
• perf: add a generalized version of binary selection by @aybehrouz in #636
• feat: fixed-argument emulated pairing by @yelhousni in #708
• perf: Add-only emulated scalar multiplication by @yelhousni in #726
• feat: emulated pairing 2-by-2 fixed circuit for EVM by @yelhousni in #698
• perf: emulated pairing BN254 by @yelhousni in #714
• perf: ELM03+Joye07 for emulated scalarMul by @yelhousni in #760
• perf: special squaring for sparse elements in the pairing algorithm by @yelhousni in #772
• perf: Improve MultiLin.Eval number of constraints by @Tabaie in #788
• feat: add sha3 primitive by @NikitaMasych in #817
• feat: add bounded comparator functions by @aybehrouz in #530

Fixes

• fix: scs.MarkBoolean missing return w/ constant by @gbotrel in #491
• fix: closes #509 api did not handle AssertIsLessOrEqual with constant as first param by @gbotrel in #511
• fix: restrict constants in field emulation to width by @ivokub in #518
• fix: subtraction overflow computation bug by @ivokub in #579
• fix(emulated pairing): edge cases in torus-based final exp by @yelhousni in #613
• fix: serializeCommitment by @SherLzp in #651
• fix race condition when compiling circuits in parallel by @gbotrel in #676
• fix: emulated ToBits by @ivokub in #731
• fix: do not accumulate terms with zero coefficient for addition by @ivokub in #763
• fix: assert that the binary decomposition of a variable is less than the modulus by @ivokub in #835

Refactor

• refactor: PlonK uses constraint/ and couple of fixes closes #467 by @gbotrel in #493
• refactor: std/algebra by @yelhousni in #526
• refactor: expose all typed backends in gnark/backend (moved from internal/) by @gbotrel in #561
• refactor: based on #515 generify groth16 MPC setup for all curves, flatten packages+ refactor by @gbotrel in #563
• refactor: Minimize Commitment info in PlonK vk by @Tabaie in #633
• refactor: hint name options by @Tabaie in #666
• refactor, perf: 2-chains pairing + groth16 API by @yelhousni in #664

New Contributors

• @HSG88 made their first contribution in #515
• @NikitaMasych made their first contribution in #817
• @recmo made their first contribution in #810

Full Changelog: v0.8.1...v0.9.0

What's Changed

• fix: Plonk Fiat-Shamir Challenges with BSB22 by @Tabaie in #812
• Perf: save some negations in emulated pairings by @yelhousni in #816

v0.9.0-alpha

What's Changed

Features

Core

• feat: Groth16 MPC setup by @HSG88 in #515
• feat: BSB22 commitments PlonK by @Tabaie in #586
• feat: add simple key-value store to the builders by @ivokub in #480
• refactor: define Committer interface for builders by @ivokub in #481
• feat: add defer to the Compiler interface by @ivokub in #483
• feat: PlonK frontend filter common cases of duplicate constraints by @gbotrel in #539
• perf: various performance improvements for PlonK prover by @gbotrel in #593
• feat, perf: introduce constraint blueprints. improve memory usage for constraint systems by @gbotrel in #641
• perf: reduce mem allocs in scs frontend by @gbotrel in #654
• feat: PlonK multicommit by @Tabaie in #668
• feat: Groth16 Multicommits by @Tabaie in #702
• feat: change opening order kzg by @ThomasPiellard in #694
• feat: adds GKR api by @Tabaie in #443
• feat: optimized PlonK solidity verifier for BN254 by @ThomasPiellard

Circuit

• feat: add a partition selector by @aybehrouz in #486
• feat: range checks using log derivative, fixes #581 by @ThomasPiellard in #583
• Add an n to 1 MUX and MAP by @aybehrouz in #475
• perf: in-circuit ECDSA on secp256k1 by @yelhousni in #497
• perf: KZG in circuit by @yelhousni in #506
• feat: BN254 pairing by @ivokub in #411
• feat: range check gadget by @ivokub in #472
• perf: emulated BN254 pairing by @yelhousni in #566
• feat: emulated BLS12-381 pairing by @yelhousni in #591
• feat: add gadget for enabling multiple commitments in-circuit by @ivokub in #562
• feat: add EVM precompiles by @ivokub in #488
• perf: use api.Select for 2 to 1 mux by @aybehrouz in #625
• feat: unified ECADD by @yelhousni in #631
• feat: log-derivative vector lookups by @ivokub in #620
• perf: KZG verification circuit in a single point by @yelhousni in #658
• feat: emulated subgroup check by @yelhousni in #629
• perf(ecdsa): JoinScalarMulBase avoids 0 edge-cases by @yelhousni in #661
• feat: differentiate ecrecover with strict and lax check for s by @ivokub in #656
• feat: implement NIST P-256 and P-384 curves by @ivokub in #697
• perf(2-chain/varScalarMul): use DoubleAndAdd to reduce #constraints by @yelhousni in #706
• perf(2-chain/varScalarMul): DoubleAndAdd to reduce #constraints BLS24 by @yelhousni in #707
• feat: add sha2 primitive by @ivokub in #689
• perf: add a generalized version of binary selection by @aybehrouz in #636
• feat: fixed-argument emulated pairing by @yelhousni in #708
• perf: Add-only emulated scalar multiplication by @yelhousni in #726
• feat: emulated pairing 2-by-2 fixed circuit for EVM by @yelhousni in #698
• perf: emulated pairing BN254 by @yelhousni in #714
• perf: ELM03+Joye07 for emulated scalarMul by @yelhousni in #760
• perf: special squaring for sparse elements in the pairing algorithm by @yelhousni in #772
• perf: Improve MultiLin.Eval number of constraints by @Tabaie in #788

Fixes

• fix: scs.MarkBoolean missing return w/ constant by @gbotrel in #491
• fix: closes #509 api did not handle AssertIsLessOrEqual with constant as first param by @gbotrel in #511
• fix: restrict constants in field emulation to width by @ivokub in #518
• fix: subtraction overflow computation bug by @ivokub in #579
• fix(emulated pairing): edge cases in torus-based final exp by @yelhousni in #613
• fix: serializeCommitment by @SherLzp in #651
• fix race condition when compiling circuits in parallel by @gbotrel in #676
• fix: emulated ToBits by @ivokub in #731
• fix: do not accumulate terms with zero coefficient for addition by @ivokub in #763

Refactor

• refactor: PlonK uses constraint/ and couple of fixes closes #467 by @gbotrel in #493
• refactor: std/algebra by @yelhousni in #526
• refactor: expose all typed backends in gnark/backend (moved from internal/) by @gbotrel in #561
• refactor: based on #515 generify groth16 MPC setup for all curves, flatten packages+ refactor by @gbotrel in #563
• refactor: Minimize Commitment info in PlonK vk by @Tabaie in #633
• refactor: hint name options by @Tabaie in #666
• refactor, perf: 2-chains pairing + groth16 API by @yelhousni in #664

New Contributors

• @HSG88 made their first contribution in #515

Full Changelog: v0.8.1...v0.9.0-alpha

v0.8.1

Security

Update gnark-crypto dependency to include security fix.

What's Changed

• Fix the example in README.md by @aybehrouz in #478

Full Changelog: v0.8.0...v0.8.1

v0.8.0

What's Changed

New features

• Non-native field emulation by @ivokub in #302
• FRI proximity proofs by @ThomasPiellard in #321
• KZG verifier by @yelhousni in #307
• GKR by @Tabaie in #393 (API --> #443)
• ECDSA signature verification by @ivokub in #372
• keccak-f permutation function by @ivokub in #401
• Add support for BLS24-317 by @yelhousni in #310

Circuit API

• api.Commit() following BSB22 @Tabaie in #405
• api.MulAcc(..) by @gbotrel in #427

gnark tools

• gnark/profile outputs pprof compatible circuit profiling data by @gbotrel in #352

Performance

• Allocate less in test engine by @ivokub in #331
• Add debug.SymbolTable into constraint system for storage efficiency of debug info by @gbotrel in #421
• api.IsZero generate less constraints by @gbotrel in #356
• Optimize bn254/groth16 solidity verifier. by @citizen-stig in #376
• Compress linear expression by @ivokub in #418
• Add constraint package and improve memory management in frontend by @gbotrel in #412

Refactor & consolidate

• Clean up witness package, introduces clean witness.Witness interface by @gbotrel in #450
• Add cs.GetConstraint with examples, and pretty printer helpers by @gbotrel in #452
• Serialization header to CS and debug info to all constraints with -tags=debug by @gbotrel in #347
• Compile(ecc.ID) -> Compile(field *big.Int) by @gbotrel in #328
• std/math/nonnative -> std/math/emulated by @gbotrel in #345
• Kill api.Tag and api.Counter by @gbotrel in #353
• A field element is always in Montgomery form and big.Ints are always non-Mont by @Tabaie in #422
• Re-write PlonK backend to use gnark-crypto/iop by @ThomasPiellard in #451

Fixes

• Fix Or && Xor by @liyue201 in #355
• Fix/xor cst var plonk by @ThomasPiellard in #383
• Mark output of AND in R1CS as boolean by @ivokub in #459
• Handle recursive hints in level builder by @gbotrel in #441
• fix #442: use reflectwalk to walk through circuit structures without building a Schema by @gbotrel in #444
• MiMC on BLS12-377 / number of rounds by @yelhousni in #453
• Fix MiMC interface by @Tabaie in #454 #469

New Contributors

• @tinywell made their first contribution in #339
• @Tabaie made their first contribution in #362
• @omahs made their first contribution in #360
• @liyue201 made their first contribution in #355
• @citizen-stig made their first contribution in #376
• @aybehrouz made their first contribution in #470

Full Changelog: v0.7.1...v0.8.0

v0.7.0

[v0.7.0] - 2022-03-25

Build

• go.mod: go version upgrade 1.16 --> go1.17
• update to gnark-crpto v0.7.0

Feat

• adds gnark logger. closes #202
• added internal/stats package: measure number of constraints of circuit snippets for regression
• adds std/math/bits/ToNAF ToBinary ToTernary

Fix

• enables recursive hints solving #293 and
• move init() behind sync.Once. remove verbose option in stats binary
• fixes #266 by adding constant path in Lookup2 and Select
• incorrect handling of nbBits == 1 in api.ToBinary
• PlonK vulnerability: thanks to Trail Of Bits for finding this vulnerability and responsibly disclosing it

Perf

• restored frontend.WithCapacity option...
• plonk: IsConstant -> ConstantValue
• sw: no need for Lookup2 in constScalarMul
• remove offset shifts in plonk compile
• remove post-compile offset id in R1CS builder

Refactor

• frontend.Compile now takes a builder instead of backendID as parameter
• std/signature/eddsa Verify api now takes explicit hash and curve objects
• make nboutputs of a hint explicit at compile time
• std/pairing have more consistent apis
• remove StaticHint wrapper, log duplicate hints (#289)
• backend.WithOutput -> backend.WithCircuitLogger
• remove all internal circuits from stats, keep important snippets only
• frontend: split compiler, api and builder interface into interfaces
• remove IsBoolean from R1CS variables
• moved internal/compiled to frontend/compiled

Pull Requests

• Merge pull request #295 from ConsenSys/fix/test-println
• Merge pull request #294 from ConsenSys/fix/recursivehhints
• Merge pull request #291 from ConsenSys/refactor/std/pairing
• Merge pull request #281 from ConsenSys/feat/logger
• Merge pull request #280 from ConsenSys/simplify-r1cs-compile
• Merge pull request #279 from ConsenSys/feat/statistics
• Merge pull request #276 from ConsenSys/feat-math-bits
• Merge pull request #278 from ConsenSys/perf-constant-lookup2
• Merge pull request #272 from ConsenSys/refactor-hint
• Merge pull request #275 from ConsenSys/refactor-compiler-builder
• Merge pull request #271 from ConsenSys/refactor-compiled
• Merge pull request #267 from ConsenSys/perf/tEd-add
• Merge pull request #265 from ConsenSys/perf/SW-constScalarMul

v0.6.4

[v0.6.4] - 2022-02-15

Build

• update to gnark-crpto v0.6.1

Feat

• Constraint system solvers (Groth16 and PlonK) now run in parallel

Fix

• api.DivUnchecked with PlonK between 2 constants was incorrect

Perf

• EdDSA: std/algebra/twistededwards takes ~2K less constraints (Groth16). Bandersnatch benefits from same improvments.

Pull Requests

• Merge pull request #259 from ConsenSys/perf-parallel-solver
• Merge pull request #261 from ConsenSys/feat/kzg_updated
• Merge pull request #257 from ConsenSys/perf/EdDSA
• Merge pull request #253 from ConsenSys/feat/fft_cosets