v0.11.0

What's Changed

• build: update ci github action dependencies by @gbotrel in #369
• Eliminate 2 allocations per Pedersen call by @omerfirmak in #371
• Fix/fold kzg fs by @Tabaie in #377
• Add CopyWithFreshBuffer a function to copy the state by @AlexandreBelling in #370
• Refactor: final exponentiation in pairings by @yelhousni in #375
• Refactor: export endomorphisms by @yelhousni in #376
• fix(kzg): nb of digests in BatchVerifyMultiPoints should be nonzeo by @yelhousni in #374
• Precompute point multiplication results in pedersen by @omerfirmak in #380
• Refactor: do not export endomorphisms + Double in affine by @yelhousni in #382
• Refactor/break kzg srs by @Tabaie in #378
• Feat/encode uint64 slices by @Tabaie in #379
• refactor: break pedersen key into proving (committing) and verifying by @Tabaie in #384
• Perf: KZG verification in a single point by @yelhousni in #386
• make mapToCurve public to allow for custom cofactor clearing by @hussein-aitlahcen in #372
• feat: fix v computation in ECDSA signature by @ivokub in #385
• Update the limb decomposition of the SIS by @AlexandreBelling in #389
• fix: handle all bitmask in point deserialization

New Contributors

• @omerfirmak made their first contribution in #371
• @hussein-aitlahcen made their first contribution in #372

Full Changelog: v0.10.0...v0.11.0

v0.10.0

What's Changed

Fixes

• fix: invalid infinity point decoding throws error by @gbotrel in #363

New features / refactor

• feat: FFT signature now takes variadic options by @gbotrel in #345
• feat: add ECDSA public key recover from message, signature and recovery info by @ivokub in #347
• expose bn254 tower to gnark by @yelhousni in #354
• Export BW6-761 E3/E6 by @SherLzp in #359
• Expose BLS12-381 tower by @yelhousni in #360

Perf

• perf: sis tensor commitment by @gbotrel in #344
• Add support for parallelization in the tensor-commitment by @AlexandreBelling in #263
• Perf/tensor commitment by @AlexandreBelling in #341
• perf(stark-curve): no subgroup check on prime-order curve by @yelhousni in #349
• perf(bw6-756): optimize GT subgroup membership by @yelhousni in #351
• perf: optimize BLS24-317 final exp by @yelhousni in #356
• perf: tweaks in iop/ kzg/ packages by @gbotrel in #361
• perf & refactor: pairings by @yelhousni in #366

New Contributors

• @ivokub made their first contribution in #347
• @SherLzp made their first contribution in #359
• @jtraglia made their first contribution in #364

Full Changelog: v0.9.1...v0.10.0

v0.9.1

What's Changed

• Add STARK curve by @yelhousni in #299
• feat: Add ECDSA by @yelhousni in #310
• feat: introduce field.Vector by @gbotrel in #311
• fix: number of rounds for mimc by @yelhousni in #320
• nuke element.Bit() fixes #306 by @gbotrel in #331
• feat: iop arguments by @ThomasPiellard in #282
• fix: mimc pow7 by @Tabaie in #333
• perf: gkr improvements by @gbotrel in #328
• perf: gkr improvements by @Tabaie in #319
• field agnostic fiat shamir challenge names by @Tabaie in #308
• feat: add Vector support to ecc marshal encoder by @gbotrel in #336
• bn254 mimc test vector by @Tabaie in #323

Full Changelog: v0.9.0...v0.9.1

v0.9.0

What's Changed

New features

• GKR by @Tabaie in #243
• Efficiently verifiable Pedersen commitments by @Tabaie in #266
• secp256k1 curve by @yelhousni in #277
• element.SetBytesCanonical, element.BigEndian and element.LittleEndian by @gbotrel in #286

Performance

• MSM uses batch affine addition (up to 60% speedup 🎉 ) by @gbotrel in #261
• Faster G2 subgroup membership on BN254 by @yelhousni in #251
• arm64,purego: field arithmetic mul for arm64 and cleanup build tags by @gbotrel in #257

Refactor and cleanup

• Field package exposes Hash by @Tabaie in #271
• Remove internal/ dependencies in field generated code by @gbotrel in #287
• Removes FromMont and ToMont from field.Element api by @gbotrel in #288
• ToBigIntRegular is deprecated, introduce BigInt method by @gbotrel in #290

Fixes

• MiMC reasons with p-digits block by @ThomasPiellard in #265

Full Changelog: v0.8.0...v0.9.0

v0.8.0

[v0.8.0] - 2022-08-03

This version was partially audited by Kudelski Security for the Algorand Foundation. (TODO insert report link).
The scope of the audit covered bn254 and bls12-381 packages (including field arithmetic).

Feat

• field/goldilocks (more efficient 1-limb modulus arith) (#177)
• field/generator suppors 1-limb modulus (#175)
• field.SetRandom zero-alloc uniform sampling
• E6/E12/E24: GT torus-based batch compression/decompression
• fri: modified challenge generation so it fits in a snark variable
• fri: added check of correctness between rounds

Fix

• Handle edge case in Karabina decompression (#219)
• check nbTasks config when running msm, test all possible c-bit windows in when testing.Short not set) (#226)
• element.SetString(_) returns error if invalid input instead of panic
• expand_msg_xmd copy bug, a few tests (#201)
• closes #199. Correct bound in eddsa key gen template

Perf

• remove unecessary inverse in KZG-verify
• faster GLV scalar decompostion

Refactor & Docs

• moved consensys/goff into field/goff (#204)
• clean comments in curves (#193)
• remove dead code (#230)
• cosmetic changes (#197)
• replace modulus generated by constants, add zero-alloc SetRandom (#194)
• remove uneeded x86 asm and files (#192)
• polish readme.md with updated godoc subpackage links (#235)
• acknowledge that inv(0)==0 in comments as a convention (#233)
• added note in pairing godoc - doesn't check inputs are in correct subgroup (#231)
• add security estimates of implemented curves in comments

Test

• fix #205 - msm bench with different bases (#206)
• vectors generated using https://github.com/armfazh/h2c-go-ref
• all curves: compress/decompress pairing result

Pull Requests

• Merge pull request #232 from ConsenSys/docs/comments
• Merge pull request #229 from ConsenSys/update_deps
• Merge pull request #227 from ConsenSys/fix/element_setstring
• Merge pull request #228 from ConsenSys/fix/race/test
• Merge pull request #224 from ConsenSys/refactor/scalarmul
• Merge pull request #220 from ConsenSys/perf/kzg-verify
• Merge pull request #223 from ConsenSys/doc/security-estimates-curves
• Merge pull request #216 from ConsenSys/feat/poly
• Merge pull request #217 from ConsenSys/string-utils
• Merge pull request #213 from ConsenSys/perf/glv
• Merge pull request #129 from ConsenSys/feat/GT-compression
• Merge pull request #209 from ConsenSys/codegen/svdw-not-e4
• Merge pull request #203 from ConsenSys/tests/bn254-vectors
• Merge pull request #196 from ConsenSys/patch/hashToFpGeneric
• Merge pull request #202 from ConsenSys/gbotrel/issue199
• Merge pull request #200 from tyGavinZJU/develop
• Merge pull request #85 from ConsenSys/feat/fri

v0.6.1

[v0.6.1] - 2022-02-15

Feat

• MiMC has no "seed" parameter and now uses Miyaguchi Preneel construction
• FFT cosets uses full two-adicity, Plookup, KZG and permutation modified accordingly
• twistededwards: Extended coordinates (a=-1) (faster, not complete)
• bls24-315: faster G2 membership test

Pull Requests

• Merge pull request #152 from ConsenSys/feat/clean_kzg
• Merge pull request #145 from ConsenSys/fix/fft_cosets
• Merge pull request #147 from ConsenSys/sswu-fp-generic-rebased
• Merge pull request #146 from ConsenSys/perf-mimc-constants
• Merge pull request #144 from ConsenSys/constant-time-equals
• Merge pull request #125 from ConsenSys/fix/mimc_miyaguchipreneel
• Merge pull request #143 from ConsenSys/feat/cmov
• Merge pull request #140 from ConsenSys/inv(0)=0
• Merge pull request #110 from ConsenSys/feat/tEd-extended
• Merge pull request #123 from ConsenSys/perf/BLS24-G2-IsInSubGroup

v0.6.0

[v0.6.0] - 2021-12-22

Feat

• plookup: added plookup lookup proof
• field: generate optimized addition chains for Sqrt & Legendre exp functions
• field: added field.SetInt64, support for intX and uintX #109
• field: added UnmarshalJSON and MarshalJSON on fields
• field: added field.Text(base) to return field element string in a given base, like big.Int
• field: field.SetString now supports 0b 0o 0x prefixes (base 2, 8 and 16)
• kzg: test tampered proofs whith quotient set to zero
• bls24: Fp-Fp2-Fp4-Fp12-Fp24 tower

Fix

• fixes #104 code generation for saturated modulus like secp256k1 incorrect. added secp256k1 test

Perf

• field inverse is ~30-70% faster (implements Pornin's optimizations)
• bls12-381: faster Miller loop (sparse-sparse mul)
• bls12-381: faster final exp (faster expt)
• bn254: better short addition chain for Expt()
• bn254: addchain with max squares (weighting mul x2.6 cyclosq)

Pull Requests

• Merge pull request #111 from ConsenSys/field-intX-support
• Merge pull request #114 from ConsenSys/fix-dynamic-link
• Merge pull request #108 from ConsenSys/perf/bls12381-pairing
• Merge pull request #106 from ConsenSys/improvement/field-inv-pornin20
• Merge pull request #105 from ConsenSys/field-from-json
• Merge pull request #83 from ConsenSys/experiment/BLS24
• Merge pull request #102 from ConsenSys/feat/plookup
• Merge pull request #97 from ConsenSys/feat-addchain
• Merge pull request #99 from ConsenSys/feat-addchain-expt

v0.5.3

[v0.5.3] - 2021-10-30

Feat, perf

• all curves: subgroup check optional in decoder (default = true), and is done in parallel when unmarshalling slices of points #96
• bn254: faster G2 membership test #95
• added element.NewElement(v uint64) convenient API

Fix

• fp12: compressed cyclotomic square (receiver == argument)

v0.5.2

[v0.5.2] - 2021-10-26

Fix

• all twistedEdwards: fix Add() in projective coordinates (issue #89 )
• fiat-shamir: added test to ensure len(challenge) > 0

Feat

• bw6: optimal Tate Miller loop with shared computations
• bw6-761: opt. ate with shared squares and shared doublings (alg.2)
• add bandersnatch curve (twistedEdwards on bls12-381 with GLV)
• added curveID.Info() which returns constants about a curve
• added element.Halve()

Perf

• bn: multiply ML external lines 2 by 2 (+multi-ML bench)

Refactor

• templates: unify twistedEdwards package across curves

Pull Requests

• Merge pull request #93 from ConsenSys/bandersnatch
• Merge pull request #90 from ConsenSys/fix/tEdwards-addProj-issue89
• Merge pull request #82 from ConsenSys/perf/bn254-ML
• Merge pull request #88 from ConsenSys/issue-87/twistedEdwards
• Merge pull request #81 from ConsenSys/ML/DoubleStep-Halve
• Merge pull request #77 from ConsenSys/BW6

v0.5.1

[v0.5.1] - 2021-09-21

Pull Requests

• Merge pull request #76 from ConsenSys/msm-ones
• Merge pull request #75 from ConsenSys/feat/karabina

Feat

• added element.IsUint64()
• element.String() special path for uint64 and -uint64 values
• added element.Bit(..) to retrieve i-th bit in a field element
• Fp12: implements the Karabina cyclotomic square in E12/E6
• Fp24: implements the Karabina cyclotomic square in E24/E8
• Fp6: implements the Karabina cyclotomic square in E6/E3
• e12: implements batch decompression for karabina cyclo square
• e24: implements batch decompression for karabina cyclo square
• experimental: msm splits first chunk processing if scalar is on one word

Perf

• bls12: faster G2 membership (eprint 2021/1130 sec.4)
• bls12-377: use asm MubBy5 as MulByNonResidue
• bls24: mix Karabina+GS+BatchInvert for faster FinalExp (Expt)
• bw6-633: fast GT-subgroup check