diff --git a/CHANGELOG.md b/CHANGELOG.md
index af4b901376..985ca384d3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,1321 @@
+
+## [v0.10.0] - 2024-04-22
+### Bench
+- large
+- don't inflate the decompressed size too much
+- proving works
+- 26KB
+- huffman decoding
+- awful
+
+### Bls12377
+- faster e6 MulBy01
+- test e6 MulBy01
+- test mul 01 by 01
+
+### Bls12381
+- faster e6 MulBy01
+
+### Bls24315
+- faster e12 MulBy01
+- test e12 MulBy01
+
+### Bn254
+- faster e6 MulBy01
+- test mul 01 by 01
+
+### Build
+- update compress to v0.2.3 ([#1032](https://github.com/consensys/gnark/issues/1032))
+- get gopter
+
+### Bw6761
+- faster e3 MulBy01
+- test mul 01 by 01
+
+### Chore
+- remove prints and all huffman code
+- comments/cleanup for lzss compression
+- update stats
+- remove committed profiles ([#1053](https://github.com/consensys/gnark/issues/1053))
+- adapt changes from native Fiat-Shamir transcript ([#974](https://github.com/consensys/gnark/issues/974))
+- go.sum
+- update stats
+- remove unused line eval init
+- use type alias
+- inline computation
+- fix linter errors
+- merge rough edges
+- update gnark-crypto
+- update gnark-crypto
+- gitignore
+- update stats
+- remove unused line init
+- remove unused code
+- set word size to 1
+- minor changes to benchmark
+- update gnark-crypto to latest
+- uncrowd the pr a bit more
+- cleanup documentation examples
+- avoid nonnative dereferences ([#861](https://github.com/consensys/gnark/issues/861))
+- better logging, remove code from data folder
+- update gnark-crypto to latest
+- clean up comments and prints
+- avoid dereferencing into existing Elements
+- remove prints
+- clean up test cases
+- improved analytics
+- **deps:** bump golang.org/x/crypto from 0.12.0 to 0.17.0 ([#973](https://github.com/consensys/gnark/issues/973))
+
+### Ci
+- don't run redundant release checks
+- run more tests when doing PR
+- remove github bot
+- make macOS and win do minimal tests only
+
+### Clean
+- rm solidity.tmpl
+
+### Doc
+- add docs to NewR1CS and NewSparseR1CS in system.go [#985](https://github.com/consensys/gnark/issues/985)
+
+### Docs
+- clean comments
+- add hint definition for native inputs
+- method doc native output
+- add comments
+- add subgroup check to doc_test.go
+- describe that hint inputs and outputs are init-ed ([#1003](https://github.com/consensys/gnark/issues/1003))
+- clean comments
+- update algebra documentations
+- GLV hint
+- define that addition is now unsafe
+- add method documentation
+- BestCompression vs BestSnarkDecomposition
+
+### FEAT
+- Add experimental support for Icicle GPU acceleration behind build tag ([#844](https://github.com/consensys/gnark/issues/844))
+
+### Feat
+- register hints in std/ also when have no circuit
+- change sign in comment
+- modified comment
+- expmod with variable modulus ([#1090](https://github.com/consensys/gnark/issues/1090))
+- moved claimed values of linearised polynomial out of the proof
+- re enable test bs12->bw6
+- code gen
+- implement glv for all curves
+- code gen
+- replaced precompiles opcode with constants
+- addition of precompiles as constants
+- used to compute offsets in state
+- used in template for proof offsetss
+- Groth16 Solidity contract with commitments ([#1063](https://github.com/consensys/gnark/issues/1063))
+- add secp256k1 curve default initializer ([#1086](https://github.com/consensys/gnark/issues/1086))
+- add range check selector retrieval ([#1066](https://github.com/consensys/gnark/issues/1066))
+- add MulNoReduce and Sum methods in field emulation ([#1072](https://github.com/consensys/gnark/issues/1072))
+- add non-native hint with native inputs
+- add non-native hint with native output
+- add non-native hint with native output
+- non-native sumcheck verifier ([#1042](https://github.com/consensys/gnark/issues/1042))
+- verify commitments in groth16 recursion verifier ([#1057](https://github.com/consensys/gnark/issues/1057))
+- add option for enforcing number of goroutines for the solver ([#1052](https://github.com/consensys/gnark/issues/1052))
+- stabilize anonymous hint function names ([#1054](https://github.com/consensys/gnark/issues/1054))
+- modified algebraic relation
+- G2 membership bls12-377
+- G1 membership bls12-377
+- curve/twist membership bls12-377
+- subgroup G1/G2 membership BW6-761
+- add PLONK in-circuit verifier ([#880](https://github.com/consensys/gnark/issues/880))
+- pairing precompile error handled
+- code gen
+- clean MarshalSolidity
+- fix unmarshalling solidity
+- use n-bit mux for switching PLONK verification keys ([#1017](https://github.com/consensys/gnark/issues/1017))
+- code gen plonk upgrade
+- adds plonk.SRSSize helper method ([#1012](https://github.com/consensys/gnark/issues/1012))
+- different PLONK circuit verification ([#1010](https://github.com/consensys/gnark/issues/1010))
+- renaming zhZeta
+- opening of h0, h1, h2 ok
+- using batch inversion
+- remove foldedHDigest
+- add quotient to the linearised polynomial
+- multiply s1, s2 by alpha
+- some todos and dead code ([#993](https://github.com/consensys/gnark/issues/993))
+- add WithUseSafe option
+- update compress version; failing test (resolved) ([#979](https://github.com/consensys/gnark/issues/979))
+- regenerate internal/stats
+- updated comment in fold_state
+- groth16 solidity use calldatacopy for commitments ([#1097](https://github.com/consensys/gnark/issues/1097))
+- plonk verifier options ([#1028](https://github.com/consensys/gnark/issues/1028))
+- if we don't compress we don't need the dict ([#929](https://github.com/consensys/gnark/issues/929))
+- exit when an error is encountered
+- exit when condition is not filled
+- make registries for gkr thread safe ([#920](https://github.com/consensys/gnark/issues/920))
+- cache lookup blueprint entries in solving phase ([#915](https://github.com/consensys/gnark/issues/915))
+- batched KZG ([#908](https://github.com/consensys/gnark/issues/908))
+- forceDivisibleBy
+- compile large circuit outside tests
+- Fiat-Shamir transcript using a short hash ([#900](https://github.com/consensys/gnark/issues/900))
+- snark decomp done, not yet tested
+- snark decompressor, all but eof logic done
+- offset, length and bytes tables
+- read lengths!
+- new stream
+- add multi symbol
+- started v2
+- r/w num, (un)marshal for stream
+- implement bit mode for short hash
+- use bitlength from parameters
+- bit-level alignment of compressed
+- marshalling G1 and Scalar on emulated curves, following gnark-crypto
+- add short-hash wrappers for recursion ([#884](https://github.com/consensys/gnark/issues/884))
+- native marshal (bls12, 24) consistent with gnark-crypto
+- marshal G1 ok on non emulated curves (bls12, 24)
+- pack/unpack functions
+- add fixed pairing for bw6-761
+- allow custom hash function in backends ([#873](https://github.com/consensys/gnark/issues/873))
+- more analytics
+- some analytics
+- add bw6 kzg
+- add bw6 emulated ScalarMul and ScalarMulBase
+- api.IsNonZero
+- huffman Decode
+- add bw6 fields
+- bzip2 (bzip would be better)
+- some experiments with huffman coding
+- preliminary snark decompressor impl
+- basic i/o funcs
+- small tests work with indeterminate length
+- basic lzss decompressor
+- new data set and huffman estimations
+- IsByteZero works
+- add naive bw6 miller loop
+- add bw6 final exp
+- **2-chain:** MSM of size 2
+- **emulated bw6 pairing:** optimal tate version working
+- **sw_bls12377:** Add DoubleFixedQPairing
+- **sw_bls24315:** Add DoubleFixedQPairing
+
+### Fix
+- test final exp without gnark-crypto hack
+- JointScalarMulBase without GLV (for ecdsa package)
+- fixed type
+- folded MSM scalar decomposition
+- emulated hint tests ([#1083](https://github.com/consensys/gnark/issues/1083))
+- edge cases in SM and JSM were inverted + comments
+- incorrect parameter
+- several typos in the documentation ([#943](https://github.com/consensys/gnark/issues/943))
+- remove duplicate error check
+- scs add/mul when recorded constraint is 0
+- organize std packages hints registrations ([#1043](https://github.com/consensys/gnark/issues/1043))
+- another occurence of G1 in SRS ([#1036](https://github.com/consensys/gnark/issues/1036))
+- use G1 generator from SRS ([#1035](https://github.com/consensys/gnark/issues/1035))
+- verifier works
+- fixed size slice
+- fixed formula in comments
+- AssertOnG1 BLS12-377
+- use subtraction with reduce in AssertIsEqual ([#1026](https://github.com/consensys/gnark/issues/1026))
+- plonk recursion without commitment
+- fixed compute_gamma_kzg
+- fixed offset opening at zeta-omega
+- Decompressor to return -1 when output doesn't fit ([#1022](https://github.com/consensys/gnark/issues/1022))
+- fixed typo
+- fixed verify_opening_linearised_polynomial
+- fixed proof size
+- fixed generator
+- fixed comment derive alpha
+- fixed MarshalSolidity
+- assign baseChallenge correctly while verifying gkr solution ([#1020](https://github.com/consensys/gnark/issues/1020))
+- verifier ok
+- add Placeholder for vk with fixed lines
+- remove shorthash override for same field ([#1008](https://github.com/consensys/gnark/issues/1008))
+- bw6 field emulation
+- works on small test case
+- "last byte" bug
+- typo
+- typo
+- typo
+- typo
+- rename ScalarMulGeneric to scalarMulGeneric in tests
+- swith points order in JointScalarMulBase
+- init lines before assigning
+- use eigenvalue and thirdroot pointers
+- stats
+- use Generic instead of GLV for ECMUL to handle edge-cases
+- remove debug panic from previous commit
+- ensure plonk verify check witness length ([#952](https://github.com/consensys/gnark/issues/952))
+- update stats
+- some bugs
+- groth16 verifier
+- ReadIntoStream
+- bn254 -> {{ toLower .Curve }}
+- test Expt remaned to ExpX0
+- compression works on the first 300b of calldata
+- missing wait on channel in plonk prover ([#926](https://github.com/consensys/gnark/issues/926))
+- minor test issues
+- bad merge. bad git!
+- use platform independent method for counting new multiplication overflow from result limb count ([#916](https://github.com/consensys/gnark/issues/916))
+- actually remove the go generate line
+- comment out go generate in suffixarray
+- groth16 recursion
+- non-native arithmetic autoreduction for division, inversion and sqrt ([#870](https://github.com/consensys/gnark/issues/870))
+- readIntoStream bug
+- simple table lookup works
+- test with backrefs
+- some minor bugs
+- use gt(arg, R_MOD_MINUS_ONE)
+- small packing test works
+- fuzzer bug
+- 18b offset - ave
+- snark errors
+- DoublePairFixedQ with different inputs
+- test MulBy014 and remove old MulBy034
+- make tests pass
+- update latest.stats
+- make builder private again
+- 1B addresses seem to work
+- trailing backref bug
+- plonk.SRSSize takes constraint.ConstraintSystem as input, not constraint.System
+- works on 2c2964. performance awful
+- remove outdated test
+- read bugs
+- ineffectual assignment to err
+- failed
+- presumption of long negative space of zeros
+- two symbols test
+- use M-twist (014) for emulated BW6 pairing
+- RLE bug
+- bug with negative indexes
+- bug with lone 0 in high indexes
+- all tests pass, except for 3c2943: too slow
+- all zeros tests pass
+- write to the output table
+- all "simple" tests pass
+- zerosAfterNonzero pass
+- can handle two consecutive backrefs
+- works on 3c2943 with symb 0
+- **2-chain:** last iteration of MSM of size 2
+- **2-chains:** varScalarMulG1 edge cases
+- **2-chains:** constScalarMulG1 edge cases
+- **2-chains:** ScalarMulG2 edge cases
+- **bw6:** fix Expt test
+- **bw6:** DecompressKarabina edge cases
+- **linter:** ineffectual assignment
+
+### Perf
+- add lazy match look ahead 1
+- adjustement
+- use logderiv map
+- prefer actual backrefs for RLE; better but still bad
+- replace dummy G by (0,1) in ScalarMul
+- dfa search; actually makes things worse
+- ite -> api.Select
+- naive emulated bw6 pairing working
+- huffman improvement
+- use less outputs (joint)
+- use less outputs from hints
+- optimize hint computation with corresponding output field
+- do not use multiplication for subscalar check
+- simplify the glv decomposition hint
+- emulated equality assertion ([#1064](https://github.com/consensys/gnark/issues/1064))
+- minor optims for plonk verifier
+- save some negs in ec arithmetic
+- big optim for JointScalarMulBase
+- reduce 1 lookup per backref
+- a few petty opts
+- do not store zero mul constraint
+- glv-base msm for bw6 (dirty)
+- a few little opts
+- custom constraint for inIDelta
+- custom constraint for advancing inI
+- custom constraint for copying
+- more small optim to jointScalarMulGLV
+- more optim to jointScalarMulGLV
+- "start at"
+- kzg gadget using DoubleFixedQPairing
+- make compress way faster
+- plonk verifier
+- binary search of longest backref
+- small optim replacing Sub by Add
+- one binary search only
+- fold H before big MSM
+- even better lookahead for lazy deflate
+- non-native multilinear polynomial evaluation ([#1087](https://github.com/consensys/gnark/issues/1087))
+- groth16 uses precomputed lines for all curves
+- mark the result of `builder.IsZero` as boolean to save constraints when used in future ([#977](https://github.com/consensys/gnark/issues/977))
+- smaller backrefs
+- faster compression by reducing search space
+- avoid some additions in jointScalarMulGLV
+- bw6 glv with smaller loop
+- small optim in jointScalarMulGLV
+- save 4 scs in lookup2 api
+- big optim for JointScalarMul and MSM
+- isolate trival add/mul by 0/1 in plonk verifier and kzg
+- rewrite Hayashida et al. hard part
+- non-native modular multiplication ([#749](https://github.com/consensys/gnark/issues/749))
+- implement unified addition in 2-chains
+- mutualize bit decomposition when same scalar used is ScalarMul
+- reduce mem alloc when init suffix array
+- use JointScalarMul in plonk recursion
+- bounded scalar multiplication ([#934](https://github.com/consensys/gnark/issues/934))
+- use G2 precomputed lines for Miller loop ([#930](https://github.com/consensys/gnark/issues/930))
+- replace sort.Search
+- don't use 0 as symbol delimiter
+- lookup blueprint compile time improvement ([#899](https://github.com/consensys/gnark/issues/899))
+- use new fixed-arg pairing in kzg
+- use new fixed-arg pairing in kzg (WIP)
+- **2-chain:** handle edge cases in varScalarMul
+- **2-chain:** optimize varScalarMul
+- **2-chain:** small scs optim to doubleAndAdd
+- **2-chain:** save 1 add in varScalarMul in G2
+- **2-chain:** optimize folded MSM
+- **2-chains:** small optim in varScalarMul and JointScalarMul
+- **2-chains:** apply fast path for constScalarMul edge cases
+- **2-chains:** save an addition per iteration in ScalarMul
+- **bls12-377:** implement a variant of Karabina cyclo square
+- **bls24:** optimize varScalarMul
+- **bn254:** mul lines 2-by-2 in fixed-arg pairing for KZG when bit=0
+- **bw6:** manually reducing E12 at some places yields better perf
+- **bw6:** lines-by-acc mul gives better results than line-by-line mul
+- **bw6:** implement a variant of Karabina cyclo square
+- **bw6:** use optimized DoublePairFixedQ in kzg
+- **bw6:** optimize final exponentiation
+- **bw6:** use more efficient addchains
+- **bw6-761:** save 1 ScalarMul in subgroup membership tests
+- **ecdsa:** use GLV in JointScalarMulBase
+- **ecmul:** use GLV with safe handling of edge cases in EVM ecmul
+- **ecrecover:** save 1 MulMod in ecrecover
+- **emulated:** huge optim scalarMulGLV
+- **emulated:** ScalarMulBase with GLV is better
+- **emulated:** save 1 add in scalarMulGLV
+- **emulated:** optimize GLV hint
+- **emulated:** big optim jointScalarMulGLV
+- **emulated:** big optim scalarMulGLV
+- **kzg:** remove folding and shrinked scalars options in MSM
+- **kzg:** use MSM instead of two SM in CheckOpeningProof
+- **plonkVerif:** manually reduce wrong-field elements here and there
+- **sw_emulated:** optimize jointScalarMulGeneric
+
+### Refac
+- compression modes
+- remove useless functions
+
+### Refactor
+- some refactoring
+- address PR review
+- compile 600KB
+- use safe version in precompile
+- merge safe implementation
+- ScalarMulSafe and ScalarMul
+- work on pointer values
+- use existing modulus value
+- use emulated pointer to avoid init when no GLV
+- make newG2Aff private
+- use line evaluation references for avoiding copies
+- hardcode glv values instead of exporting from gnark-crypto
+- remove SameScalarMul from interface
+- plonk.Setup takes kzg srs in canonical and lagrange form ([#953](https://github.com/consensys/gnark/issues/953))
+- reconcile with master
+- rename precompute to compute when done in-circuit
+- clean comments
+- algebra interface and pairing
+- use external compressor repo ([#942](https://github.com/consensys/gnark/issues/942))
+- consolidate emulated bw6-761 pairing with other curves
+- consolidate bw6-761 tower + fix GT exp tests
+- apply PR review suggestions
+- simplify hint overloading for api.Commit ([#919](https://github.com/consensys/gnark/issues/919))
+- re-introduce points in KZG verification key
+- kill backend.PLONK_FRI ([#1075](https://github.com/consensys/gnark/issues/1075))
+- use variable point in tests for precomputeLines
+- lzssv2 -> lzss
+- kill backend.PLONK_FRI
+- use lineEvaluation type instead of field elements
+- use emulated.FieldParams as type parameter to generic Curve and Pairing ([#901](https://github.com/consensys/gnark/issues/901))
+- bls24 also uses size 4 lines
+- lots of cleanup. one failing test remaining
+- keep one version + multi-pairing
+- get rid of lzssv1
+- no need for outAt
+- packing as stream feature
+- simplify packing
+- do not use internal objects
+- massive simplification of lzssv1 compression
+- consolidate pairing implementations
+- remove log heads
+- cleaning tests
+- **2-chain:** precomputed lines in pairing + KZG + plonk verifier
+- **2-chain bls24:** precomputed lines in pairing+KZG+plonk verifier
+- **2-chains:** use gnark-crytpo fixed-arg pairing
+- **2-chains:** remove Jacobian coordiantes code
+- **bls12-381:** precomputed lines embedded in G2Affine struct
+- **bn254:** precomputed lines embedded in G2Affine struct
+- **bw6:** remove some unnecessary computations
+- **bw6 pairing:** use MillerLoopOptAte in gnark-crypto for test
+- **bw6-761:** use revisited Ate pairing instead of Tate
+- **emulated:** use gnark-crytpo fixed-arg pairing
+- **kzg:** lazy precomputation of lines
+
+### Revert
+- kill IsNonZero
+- map.keys/values to be private as before
+- uncrowd the pr
+- remove TestCompressWithContext
+- strange uppercase
+- dfa search was counterproductive
+
+### Style
+- code cleaning
+- code cleaning
+- costmetics
+- remove prints
+- clean and document the code
+- remove redundant checks
+
+### Test
+- decompression works; must go about packing differently
+- plonk verifier with precomputed lines
+- add tests for all types of hints
+- update stats
+- add regression test for zero mul duplicate
+- compress_tests pass
+- keep test curve
+- pack
+- bypassing decompression works
+- updates fuzz test with new API
+- fuzz
+- actual calldata
+- 253-254-255 fails
+- trying to recreate the length bug
+- add testdata/ fuzzer dir
+- average batch
+- compression roundtrip passes w merged stream utils
+- marshal test
+- add scalar marshal+hash
+- add g1 marshal + hash test
+- add test case for not recording zero mul constraint
+- update stats
+- add emulated pairing circuits to stats ([#1031](https://github.com/consensys/gnark/issues/1031))
+- reactivate other for cmp
+- added BenchmarkAverageBatch
+- added average batch test case
+- bw6 emulated kzg
+- a couple
+- failing test for cs loading
+- single symbol test
+- add huffman estimated gains
+- decompression snark
+- twoBackrefsAfterNonzero fails
+- actually, 257zerosAfterNonzero fails
+- twoZerosAfterNonzero
+- zeroAfterNonzero added, fixed
+- more, failing "8zerosAfterNonzero"
+- more state machine tests. failing
+- print compressed file size
+- some logging
+- **bw6:** recude multi-pairing size in tests
+
+### Pull Requests
+- Merge pull request [#1044](https://github.com/consensys/gnark/issues/1044) from Consensys/feat/plonk_update
+- Merge pull request [#1085](https://github.com/consensys/gnark/issues/1085) from Consensys/perf/ec-arithmetic-2chain
+- Merge pull request [#1061](https://github.com/consensys/gnark/issues/1061) from Consensys/perf/ec-arithmetic
+- Merge pull request [#1080](https://github.com/consensys/gnark/issues/1080) from Consensys/feat/emulated-nativehint
+- Merge pull request [#1077](https://github.com/consensys/gnark/issues/1077) from shramee/faster-fq6-01
+- Merge pull request [#1076](https://github.com/consensys/gnark/issues/1076) from shramee/faster-fq6-01-01
+- Merge pull request [#1068](https://github.com/consensys/gnark/issues/1068) from Consensys/fix/recorded-scs
+- Merge pull request [#1030](https://github.com/consensys/gnark/issues/1030) from Consensys/feat/bw6-subgroupcheck
+- Merge pull request [#1049](https://github.com/consensys/gnark/issues/1049) from Consensys/perf/jointScalarMulGeneric
+- Merge pull request [#1023](https://github.com/consensys/gnark/issues/1023) from Consensys/fix/ec-edgecases
+- Merge pull request [#1016](https://github.com/consensys/gnark/issues/1016) from Consensys/perf/g16-circuit
+- Merge pull request [#976](https://github.com/consensys/gnark/issues/976) from Consensys/perf/ecmul-precompile
+- Merge pull request [#992](https://github.com/consensys/gnark/issues/992) from GoodDaisy/master
+- Merge pull request [#975](https://github.com/consensys/gnark/issues/975) from Consensys/perf/ecdsa
+- Merge pull request [#949](https://github.com/consensys/gnark/issues/949) from Consensys/perf/plonk-verifier
+- Merge pull request [#928](https://github.com/consensys/gnark/issues/928) from Consensys/feat/plonk_exit_if_error
+- Merge pull request [#933](https://github.com/consensys/gnark/issues/933) from Consensys/perf/karabina-cycloSq
+- Merge pull request [#931](https://github.com/consensys/gnark/issues/931) from Consensys/perf/bw6-finalExp
+- Merge pull request [#924](https://github.com/consensys/gnark/issues/924) from Consensys/feat/bypass-compression
+- Merge pull request [#891](https://github.com/consensys/gnark/issues/891) from Consensys/feat/marshal_g1_scalar
+- Merge pull request [#889](https://github.com/consensys/gnark/issues/889) from secure12/master
+- Merge pull request [#876](https://github.com/consensys/gnark/issues/876) from Consensys/feat/bw6761-fixed-pairing
+- Merge pull request [#878](https://github.com/consensys/gnark/issues/878) from Consensys/chore/example-cleanup
+- Merge pull request [#868](https://github.com/consensys/gnark/issues/868) from Consensys/fix/decompressKarabina
+- Merge pull request [#866](https://github.com/consensys/gnark/issues/866) from Consensys/feat/bw6761-kzg
+- Merge pull request [#846](https://github.com/consensys/gnark/issues/846) from Consensys/feat/bw6761-pairing
+
+
+
+## [v0.9.1] - 2023-10-16
+### Chore
+- go.mod tidy
+- update import paths
+- remove excessive comment
+
+### Ci
+- update mod download tpl for prettier errors
+- remove gotestfmt for push to master workflow
+- new attempt to fix push to master workflow
+- grmpf
+- use runner.os
+- fix ubuntu ref
+- fix push workflow
+- fix push workflow
+
+### Docs
+- add example docs
+- add example docs
+- add package documentation
+- add package documentation
+
+### Feat
+- add BLS12-381 and BLS24-315 support to Groth16 gadget
+- add one more type parameter for witness initialisation
+- add BLS12-381 and BLS24-315 support to KZG gadget
+- add Curve and Pairing compatiblity for BLS24-315
+- add placeholder generating functions
+- add default pairing and curve getter
+- add witness assignment function
+- add helper methods to native pairing
+- add generic Groth16 implementation
+- add MSM and GT equality to generic interfaces
+- add generic KZG polynomial commitment verification
+- add generic Curve and Pairing interfaces
+
+### Fix
+- cast bls12377 GT element coords to bw6 fr
+- fixed fold_state
+
+### Perf
+- a special case for mulacc ([#859](https://github.com/consensys/gnark/issues/859))
+
+### Refactor
+- remove typed KZG and Groth16 verifiers
+- rename KZG tests
+- use only KZG VK part
+- implement fully generic kzg verifier
+- use name type parameter types
+- add Scalar type alias
+- fix types
+- implement generic pairing and curve for bls12377
+- add Add to emulated SW
+
+### Test
+- rename subtests
+- add ValueOf tests
+- full generic groth16 verifier
+- implement inner circuit without commitment
+- implement recursion test
+- add generic groth16 test (broken)
+- add KZG test for BLS12377
+- update version tag ([#841](https://github.com/consensys/gnark/issues/841))
+
+### Pull Requests
+- Merge pull request [#840](https://github.com/consensys/gnark/issues/840) from Consensys/refactor/generic-kzg
+- Merge pull request [#820](https://github.com/consensys/gnark/issues/820) from Consensys/fix/fold_state
+
+
+
+## [v0.9.0] - 2023-09-19
+### Build
+- fix linter warning
+- update PR template and CI actions
+- generify bsb22 comm fs move
+
+### Ci
+- cosmetic change
+- remove ubuntu specifics from windows / macOS path
+- adjust test on non-ubuntu target
+- avoid running std/ test on macOS CI
+
+### Feat
+- add bounded comparator functions ([#530](https://github.com/consensys/gnark/issues/530))
+- add sha3 primitive ([#817](https://github.com/consensys/gnark/issues/817))
+
+### Fix
+- assert that the binary decomposition of a variable is less than the modulus ([#835](https://github.com/consensys/gnark/issues/835))
+- remove panic when iterating constraints
+- don't bind bsb22 comm to gamma
+- move bsb22 comm fs in plonk prover
+- fs bsb22 commitment fs right before needed
+- plonk must commit to Qcp
+
+### Perf
+- improve plonk prover memory footprint ([#815](https://github.com/consensys/gnark/issues/815))
+
+### Refactor
+- **pairing:** remove bls24 bench + remove bn254 duplicate line
+
+### Pull Requests
+- Merge pull request [#816](https://github.com/consensys/gnark/issues/816) from Consensys/perf/pairing-neg
+- Merge pull request [#812](https://github.com/consensys/gnark/issues/812) from Consensys/fix/plonk-bsb-challenge
+
+
+
+## [v0.9.0-alpha] - 2023-08-18
+### Bench
+- gkr inefficient
+- merkle tree
+
+### Build
+- update direct dependencies
+- go gen
+- generify the changes
+- generify bn254 changes
+- generify
+- some generification and remove commented code
+- generify plonk refactor
+- generify commitment hashing
+- generify batch verification
+- generify serialization fix
+- merge named hint PR
+- generify some
+- remove debugging modifications
+- generify bn254 changes
+- generify bn254 changes
+- update gnark-crypto dependency
+- update gnark-crypto dep
+- go generate
+- update ci script
+- update stats
+- go get gnark-crypto[@develop](https://github.com/develop)
+- generify hashing pi2
+- generify public var fix
+- generify verifier changes
+- generify prover changes
+- generify setup changes
+- go generate
+- generify verifier changes
+- generify prover changes
+- generify setup changes
+- generify constraint changes
+- generify mpcsetup for all curves
+- upgraded github.com/stretchr/testify v1.8.1 => v1.8.2
+- gnark-crypto[@develop](https://github.com/develop)
+- generify
+- generify bn254/gkr changes
+- reran go generate
+- make linter happy
+
+### Chore
+- update gnark-crypto dependency ([#790](https://github.com/consensys/gnark/issues/790))
+- make staticcheck happy
+- merge changes
+- more accurate field name, remove some dead code
+- rm deadcd, improve verifier mem, some docs
+- document hollow, remove in-house search
+- clean up tests
+- delete unnecessary test cases
+- go get gnark-crypto[@develop](https://github.com/develop)
+- point to gnark-crypto[@develop](https://github.com/develop)
+- git ignore go workspace ([#635](https://github.com/consensys/gnark/issues/635))
+- remove debug printing code
+- remove training wheels
+- update gnark-crypto dependency for exported towers
+- remove heavy profiling and compiling
+- some efforts from before christmas break
+
+### Ci
+- allow weak rng in marshaling tests
+- ensure linter runs on generated files + adjustements ([#677](https://github.com/consensys/gnark/issues/677))
+
+### Clean
+- removed dead code + double comments
+- removed dead code
+- even more deadcode
+- removed more dead code
+- removed dead code
+
+### Dep
+- newer gnark-crypto
+- gnark-crypto
+
+### Doc
+- explain commitment constraint
+- explain committed constraint
+
+### Docs
+- clarify some comments
+- fix select description in field emulation
+- GKR API
+- comment fixed pairing
+- point at infinity
+- better names and a link to hackMd
+- explain the optionality of f in AddSolverHint
+- typo
+- subgroup check in doc-example
+- comment about AddUnified
+- typo
+- godoc linking
+- explain that r1cs.NewBuilder returns frontend.Committer
+- update pr template
+- make long equation codeblock
+- correct comment
+- comment about subgroup membership
+- comment about subgroup membership
+- update version in README.md
+- make href in godoc
+- correct `WithNbDigits` description ([#522](https://github.com/consensys/gnark/issues/522))
+- add documentation to std/algebra packages
+- implement lookup2 comment
+- fix docs, make links
+- make documentation of weierstrass/ better
+- add comments to sw_emulated
+- add package documentation and example
+- **fixed-emulated-pairing:** add some comments
+
+### Feat
+- hint name options
+- use AssertIsOnG2 for ECPAIR precompile + comments
+- calldatacopy in compute_gamma_kzg
+- calldata ok
+- compute_commitment_linearised_polynomial calldata ok
+- fold_h calldata ok
+- verify_quotient_poly_eval_at_zeta calldata ok
+- pi contribution in calldata ok
+- sum_pi_wo_commit calldata ok
+- derive challenges calldata ok
+- sanity checks in calldata Ok
+- put function calls at the beginning of Verify
+- verifier in one assembly block
+- zeta to the n minus 1 extracted from compute_pi
+- one single assembly block ok
+- check_input_size in main block
+- challenges derivation in the main block
+- compute_pi in main assembly block ok
+- compute_pi assembly ok
+- hash_fr in assembly + removed Utils
+- staticcall fails -> revert immediately instead of updated state_success
+- zeta_power_n_minus_one save and reused in compute_pi
+- [PLONK_AUDIT_4-15] fixes 757
+- status of staticcalls are checked, fixes [#753](https://github.com/consensys/gnark/issues/753)
+- added plonk.ProvingKey WriteRawTo and UnsafeReadFrom ([#746](https://github.com/consensys/gnark/issues/746))
+- [PLONK_AUDIT_4-8] fixes [#743](https://github.com/consensys/gnark/issues/743)
+- [PLONK_AUDIT_4-4] fixes [#741](https://github.com/consensys/gnark/issues/741)
+- restored comments
+- [PLONK_AUDIT_4-9] fixes 738
+- "named gate"
+- [PLONK_AUDIT_4-11] fixes [#735](https://github.com/consensys/gnark/issues/735)
+- gkr-api for plonk
+- update plonk solidity template ([#729](https://github.com/consensys/gnark/issues/729))
+- added dummy setup part for g16 multi commit ([#725](https://github.com/consensys/gnark/issues/725))
+- implement add-only Joye scalarMul
+- groth16 commitmetInfo experiments
+- in-place-ish DivideByThresholdOrList
+- add sha2 primitive ([#689](https://github.com/consensys/gnark/issues/689))
+- commitment info in groth16.vk[bn254] serialization
+- commitment placeholder -> randomness
+- lazy line initialising
+- define precomputed lines only if initalising
+- filterHeap for unsorted lists
+- groth16 multicommit setup bn254, hopefully
+- batch pedersen poks
+- implement NIST P-256 and P-384 curves ([#697](https://github.com/consensys/gnark/issues/697))
+- differentiate ecrecover with strict and lax check for s ([#656](https://github.com/consensys/gnark/issues/656))
+- no commitments -> vanilla groth16
+- prover with no commitment act like vanilla groth16
+- reflect pedersen changes in bn254
+- emulated pairing 2-by-2 fixed circuit for EVM
+- verifier template ok
+- prover template ok
+- modification opening order kzg bn254
+- plonk provingkey marshaling with muticommits
+- introduce constraint blueprints. improve memory usage, enables custom gates and group of constraints ([#641](https://github.com/consensys/gnark/issues/641))
+- sr1cs multicommits
+- compilation side - plonk multicommits
+- described zpnmo parameter + reuse zpnmo in compute_alpha_square_lagrange_0 (forgot to push it)
+- use state instead of mload(0x40)
+- bn254 plonk multicommit backend
+- log-derivative vector lookups ([#620](https://github.com/consensys/gnark/issues/620))
+- multi-commits in constraint system data structures
+- add modular square root in field emulation ([#623](https://github.com/consensys/gnark/issues/623))
+- plonkVk.WriteRawTo
+- serialize minimal commitmentinfo with plonk vk
+- use Brier-Joye unified add for evm ecadd
+- experiments with solving
+- development done for bn254. to test and generify
+- "generic" top sort
+- simple compilation test passes
+- support more operations
+- codegen
+- yet more codegen
+- add n to 1 MUX and MAP ([#475](https://github.com/consensys/gnark/issues/475))
+- add EVM precompiles ([#488](https://github.com/consensys/gnark/issues/488))
+- add PairingCheck function
+- store api in pairing structs
+- add simple key value storage
+- embed key-value storage in R1CS and SCS
+- embed key-value storage in test engine
+- add gadget for enabling multiple commitments in-circuit ([#562](https://github.com/consensys/gnark/issues/562))
+- isZero in field emulation ([#609](https://github.com/consensys/gnark/issues/609))
+- range checks using log derivative, fixes [#581](https://github.com/consensys/gnark/issues/581) ([#583](https://github.com/consensys/gnark/issues/583))
+- implement commit for test engine
+- set default compression threshold ([#599](https://github.com/consensys/gnark/issues/599))
+- add IsOnCurve to sw_bn254/g2
+- add IsOnCurve to sw_emulated
+- add bls12-381 to std/algebra/emulated
+- blind commitment
+- add a partition selector ([#486](https://github.com/consensys/gnark/issues/486))
+- reintroduce hints for field emulation ([#547](https://github.com/consensys/gnark/issues/547))
+- some bsb22 proving in plonk
+- range check gadget ([#472](https://github.com/consensys/gnark/issues/472))
+- plonk frontend filter common cases of duplicate constraints ([#539](https://github.com/consensys/gnark/issues/539))
+- add calling hints to field emulation
+- commitment verification - plonk bn254
+- gnark/profile now filter frontend private method for clarity and return a tree as txt repr ([#538](https://github.com/consensys/gnark/issues/538))
+- BN254 pairing ([#411](https://github.com/consensys/gnark/issues/411))
+- compute table on init once
+- add defer to the Compiler interface ([#483](https://github.com/consensys/gnark/issues/483))
+- compilation, setup and commitment done; proof and verification next
+- update gnark version to v0.8.0
+- add equality assertion for GT elements
+- add BN254 pairing using field emulation
+- **fields_bn254:** add IsZero in extensions
+- **fields_bn254:** add Select in extensions
+- **fields_bn254:** add String helpers
+- **pairing:** check points are on curve and twist
+- **sw_bls12381:** add AssertIsOnG1 and AssertIsOnG2
+- **sw_bls12381:** G1 and G2 membership without hints
+- **sw_bn254:** add AssertIsOnG2
+- **sw_bn254:** G2 membership without hints
+- **sw_bn254:** endomorphism optims for G2 membership
+- **sw_emulated:** AddSafe for input points equal or not
+- **sw_emulated:** infinity as (0,0) edge-cases in UnifiedAdd
+- **sw_emulated:** infinity as (0,0) edge-cases in ScalarMul
+
+### Feat
+- Export multicommit ([#789](https://github.com/consensys/gnark/issues/789))
+
+### Fix
+- use jacobain double for test
+- fixed [#761](https://github.com/consensys/gnark/issues/761)
+- fixed kzg G1 srs in template :/
+- compute_kzg fixed calldata
+- update develop version ([#776](https://github.com/consensys/gnark/issues/776))
+- update circuits stats
+- do not accumulate terms with zero coefficient for addition ([#763](https://github.com/consensys/gnark/issues/763))
+- use AddUnified in ECRecover
+- create full-length slice for gkr value ([#751](https://github.com/consensys/gnark/issues/751))
+- removed deadcode
+- loop counter corrected fixes [#755](https://github.com/consensys/gnark/issues/755)
+- fixed pairing check (wait for 4-5 to check staticcall using dedicated function)
+- range checks for quotient + linearised polynomials openigns
+- plonk scs serialization issues ([#747](https://github.com/consensys/gnark/issues/747))
+- compute_pi takes the proof only when commit is called
+- Verify is public
+- fixed visibilities, changed library to contract
+- replace hints bn254
+- emulated ToBits ([#731](https://github.com/consensys/gnark/issues/731))
+- K -> Z
+- nil -> empty slice
+- the previous fix
+- bn254 multicommit proving keys
+- commitmentInfo serialization
+- committed commitment folding bug
+- groth16 tests pass
+- bellman test vk
+- make linter happy
+- randomize fake commitments
+- groth16 works. plonk fuzzer fails
+- remove unnecessary import
+- test double fixed pairing
+- commitment to commitment works
+- single commitments work again
+- attempt at commitment hint input filtering
+- two indep commitments work for bn254
+- using loop counter in lambda
+- single commits work for bn254
+- no commitments case for bn254
+- empty commitments vector
+- no private committed bug
+- groth16 commit verification error handling
+- gorth16 commit compile bug
+- re uploading solidity template
+- removed solidity folder
+- remove dead file
+- removed non used code
+- removed commented code
+- fixes [#672](https://github.com/consensys/gnark/issues/672)
+- fixed kzg serialisation on bn254
+- init elements in arrays and slices if have init hook ([#695](https://github.com/consensys/gnark/issues/695))
+- PI2 renaming in marshal
+- failing vk serialization test
+- newNamedHint bug
+- one commit works
+- claimed quotient
+- no commit test passes
+- prover no longer errors; unexpected quotient for 2-commit
+- Proving key serialization
+- proof serialization
+- fix race condition when compiling circuits in parallel ([#676](https://github.com/consensys/gnark/issues/676))
+- added missing cbor tags for BlueprintSparseR1CBool
+- register commitment func with new name
+- HasCommitment -> NbCommitments
+- multi-commit unsupported error messages
+- in case no commitment
+- private -> public
+- assert oddity of y coordinate from v instead of high bit ([#655](https://github.com/consensys/gnark/issues/655))
+- companion to pedersen breakup
+- field emulation subtract padding compute ([#603](https://github.com/consensys/gnark/issues/603))
+- add (0,0) case to curve membership
+- fixed double comments
+- fixes [#768](https://github.com/consensys/gnark/issues/768)
+- one omitted change
+- finalExp when element is 1 in torus
+- restore reference plonk circuit size
+- don't set comm to 0; it might be inverted
+- filter constants
+- use frontend.Committer properly
+- plonk.Commit race condition
+- remove an ineffectual assign in E6
+- update stats
+- marshaling tests - plonk
+- double blind commitment
+- add pi2 to fs - bn254
+- bsb22 in plonk with public vars
+- match latest backend changes in bw6-761
+- minor mistake in setup generification
+- make linter happy
+- disastrous typo
+- subtraction overflow computation bug ([#579](https://github.com/consensys/gnark/issues/579))
+- circuit-efficient Expt
+- open qcp commitment
+- qcp formats
+- computing t(X) requires lagrange coset input
+- handle nested Define signature in call stack for profile
+- pass canonical version of pi2 to computeLinearizedPolynomial
+- use mocked api.Commit also in Windows tests ([#560](https://github.com/consensys/gnark/issues/560))
+- fix [#516](https://github.com/consensys/gnark/issues/516) compiler detects api.AssertIsDifferent(x,x) with better error ([#552](https://github.com/consensys/gnark/issues/552))
+- do not pass limb width enforcement for consts in AssertIsEqual ([#550](https://github.com/consensys/gnark/issues/550))
+- append solver options to prover options in tests
+- fix profile example to not compare expected output with varying line numbers
+- allow unreplaced BSB22 commitment hint in solver ([#507](https://github.com/consensys/gnark/issues/507))
+- stable levelbuilder hint mapping ([#533](https://github.com/consensys/gnark/issues/533))
+- initialize new variable if field emulation multiplication check ([#534](https://github.com/consensys/gnark/issues/534))
+- handle stack traces with deferred function ([#521](https://github.com/consensys/gnark/issues/521))
+- update path to algebra/native/twistededwards
+- update path to algebra/native
+- update path to algebra/native
+- use sw_emulated instead of weierstrass
+- remove pairing_bn254
+- restrict constants in field emulation to width ([#518](https://github.com/consensys/gnark/issues/518))
+- closes [#509](https://github.com/consensys/gnark/issues/509) api did not handle AssertIsLessOrEqual with constant as first param ([#511](https://github.com/consensys/gnark/issues/511))
+- remove profiling
+- used keyed struct fields, silence linter
+- scs.MarkBoolean missing return w/ constant ([#491](https://github.com/consensys/gnark/issues/491))
+- allocate new variable in engine.MulAcc ([#482](https://github.com/consensys/gnark/issues/482))
+- update version ([#477](https://github.com/consensys/gnark/issues/477))
+- remove printfs
+- witness-related functions no longer return ptrs
+- reflect gkr changes in gnark-crypto
+- log correction
+- avoid overlogging
+- dumping error and solver test
+- solving bug - bn254
+- bn254 mem pool
+- a small bug and some new benchmarks
+- go mod tidy
+- mod tidy
+- no defineGkrHints for tinyfield and more
+- no gkr for tinyfield
+- minor stuff, some code generation
+- small mimc test
+- race condition
+- propagating gkrInfo
+- import cycle
+- solver works. prover doesn't. possibly deeper gkr issue
+- solving works on the simplest example
+- inconsistencies re assignments alignment
+- more `ToBigIntRegular` => `BigInt`
+- **add-only scalarMul:** handle 0-scalar and (0,0) edge-cases
+- **ecadd:** add y1+y2=0 edge case
+- **sw_bn254:** fix size of 2-naf table of the seed
+
+### Perf
+- ScalarMulBase for sw_bls12377 on G2
+- ELM03+Joye07 for emulated scalarMul
+- special E12 squaring in the second ML iteration
+- replace Add(Mul) by MulAdd
+- async parallel plonk pr read ([#748](https://github.com/consensys/gnark/issues/748))
+- add a generalized version of binary selection ([#636](https://github.com/consensys/gnark/issues/636))
+- use ScalarMulAddOnly is ecrecover and ecmul precompiles
+- use ScalarMulAddOnly is ecrecover and ecmul precompiles
+- add frontend.WithCompressThreshold in compile test opts
+- replace intSet by bitset
+- use cpt in topo sort
+- optimise one sub
+- factorize MultiLin.Evaluate hot loop
+- reflect new gc gkr opts and parallelize solving
+- ScalarMulBase with pre-computed points + use in ecdsa
+- use `api.Lookup2` for constructing 4 to 1 mux
+- use `api.Select` for 2 to 1 mux
+- ScalarMulBase for sw_bls12377
+- optimize final exp (Fuentes et al.)
+- save 1 Select at each iteration in the emulated scalar mul
+- reduce mem allocs in scs frontend ([#654](https://github.com/consensys/gnark/issues/654))
+- special E24 squaring in the second ML iteration
+- ScalarMulBase for sw_bls24315 G1/G2 + KZG in-circuit
+- plonk ccs serialization ([#557](https://github.com/consensys/gnark/issues/557))
+- **bls381-pairing:** optimize Frobenius and FrobeniusSquare
+- **bn254-pair:** MulByNonResidueInverse using hints
+- **bn254-pair:** optimize fields ops + cleaning
+- **bn254-pair:** optimize Halve using hints
+- **bn254-pair:** optimize FrobeniusSquare computations
+- **bn254-pair:** use hinted Div in tower instead of plain inv+mul
+- **bn254-pairing:** isolate i=63 in MillerLoop to save a doubleStep
+- **bn254-pairing:** test and optimize MultiMillerLoop
+- **bn254-pairing:** some missed small optims
+- **bn254-pairing:** Mul lines between them before mul by accumulator
+- **ecdsa:** JoinScalarMulBase avoids 0 edge-cases
+- **pairing-bn254:** optimize emulated pairing over BN254
+- **pairing-bn254:** optimize Miller loop (last line out of loop)
+- **pairing-bn254:** optimize doubleStep (mulByConst 3)
+- **pairings:** switch to no edge-cases when single pairing
+- **scalarMul:** saves computation in last two iterations
+- **scalarMulBase:** lookup2 for the first 2 bits
+- **sw_bn254:** use 2-NAF for fixed scalar Mul on G2
+- **sw_bn254:** optim of fixed scalar Mul on G2
+- **sw_bn254:** use addchain/doubleAndAdd for fixed scalar mul
+
+### Perf
+- Improve MultiLin.Eval number of constraints ([#788](https://github.com/consensys/gnark/issues/788))
+
+### Refactor
+- use select instead of lookup2
+- renaming as per robot overlords
+- inputs check are in a proper function
+- use gnark-crypto gate registries
+- apply suggested edits
+- compactify commitment tests ([#728](https://github.com/consensys/gnark/issues/728))
+- remove api from ScalarMulAddOnly arguments
+- reflect commitmentInfo changes in plonk
+- reflect changes in plonk prover
+- bn254 groth16 commitmentinfo
+- separate groth16 commitmentInfo experiments
+- do not pass api in pairing
+- FindInSlice use
+- make native precomputed lines private
+- remove profiler code
+- use c.CommitmentWireIndexes in Plonk backend
+- eliminate GetNbCommitments
+- groth16 and plonk tests to hollow circuits themselves
+- test utils to another file
+- emulation parameters ([#696](https://github.com/consensys/gnark/issues/696))
+- get the input length for pair lengths
+- end-to-end commitment tests
+- rename PI2
+- reuse dummy one
+- remove HintIds struct
+- NewNamedHint not taking hint function input
+- r1cs NewNamedHint not taking hint func
+- commitmentInfo array for groth16 bn254
+- commitmentInfo array in plonk setup
+- commitmentinfo array in plonk prover
+- get rid of CommittedAndCommitment
+- limit commitment info in groth16 ver
+- in method work with pointers instead of values
+- init b of twist once
+- use assertIsOnCurve from sw_emulated
+- init point at return
+- g2 gadget as pointer
+- init emulated constants once
+- make double, add, triple and doubleAndAdd private
+- remove DivSpecial
+- do not include committed wires indexes in plonk vk
+- more adapting to separated kzg srs
+- use separated kzg pk, vk
+- separate final exp into safe and unsafe
+- gkrAPI is no longer a frontend.API
+- rename ScalarMulAddOnly to ScalarMul and ditch old
+- remove duplicate test utils
+- do not pass api in towers
+- embed api and init emulation in tower
+- same bsb22 placeholder for groth16 and plonk
+- make E6 double public
+- remove dead code (Frobenius and GS cyclosq)
+- remove profiler in test
+- remove profiler in test
+- make lineEvaluation private
+- make all hints private
+- unify calling interfaces
+- made some util func private
+- expose all typed backends in gnark/backend (moved from internal/) ([#561](https://github.com/consensys/gnark/issues/561))
+- minor code cleaning
+- move utils in mpcsetup; limit api surface
+- setup -> mpcsetup
+- flatten mpc structure, idomify APIs
+- expose all typed backends in gnark/backend (moved from internal/)
+- compute lagrange basis from scratch
+- dont need nativemod in emulated hint unwrapper
+- solving and compilation in accordance with commitmentInfo struct changes
+- SparceCS.CommitmentConstraint instead of C; more "honest" constraints
+- take api.Commit to api.go
+- algebra into native (2-chain) and emulated
+- use generator from gnark-crypto to init points
+- make internal methods private
+- use generator from gnark-crypto to init points
+- rename methods for getting tables
+- lazy compute the base tables on init
+- plonk uses constraint/ and couple of fixes closes [#467](https://github.com/consensys/gnark/issues/467) ([#493](https://github.com/consensys/gnark/issues/493))
+- latest gnark-crypto, use FFT signature change with opts ([#485](https://github.com/consensys/gnark/issues/485))
+- make methods private
+- remove Commit from Compiler, make optional interface
+- some cleanup - bn254 only
+- hint-lite, has import cycle
+- use mostly no-ptr data. better information silos
+- improved, simplified solver; compiler to match
+- all in one package
+- MSM takes Montgomery only - Plonk
+- groth16 backend tests pass
+- no non-mont on bls12-377
+- **pairing-bn254:** remove dead code (fields_e2)
+- **pairing-bn254:** remove dead code (E2 Halve)
+- **pairing-bn254:** remove dead code
+
+### Refactor
+- std/algebra ([#526](https://github.com/consensys/gnark/issues/526))
+
+### Remove
+- unused func
+- some unused code
+
+### Revert
+- special case for empty slice
+- forced conversion
+- remove extra testing funcs
+- unexport cs.system
+- unnecessary stylistic change
+- unnecessary stylistic changes
+- bn254/gkr changes
+
+### Style
+- remove prints
+- remove comment
+- subscript group index
+- remove commented import
+- unused input -> _
+- correct some comments
+- fewer vars
+- remove unnecessary stylistic changes
+- academic style reference for documentation
+- rename addStepLineOnly to lineCompute
+- rename variables
+- apply suggested edits
+- public-value-defining constraints as -x + c = 0 for consistency
+- **fields_bn254:** clean hints
+- **pairing-bn254:** add comments
+- **pairing-bn254:** add comments
+
+### Test
+- product of pairings on bls12-381
+- print some linpoly arguments
+- more for bsb22 plonk
+- add failing test for round trip pk serialization
+- handle all cases in a single parametric circuit
+- proof is correct. verification failing
+- print solution
+- public values
+- don't parallelize
+- print commitment
+- pi is computed correctly
+- failing on parallel
+- JointScalarMulBase
+- use assertless sampling
+- use deep.Equal in Plonk roundtrip
+- fails. pointer issue
+- add bn254 and bl12381 test of AssertIsOnCurve
+- test bls12-381 in sw_emulated + comments
+- add safe final exp tests
+- test also unsafe final exp
+- multi commits in scs
+- added failing test for groth16 pk serialization round trip
+- added missing integration test for round trip serialization
+- remove profiling test
+- remove blindings and hashes, simplest no-commitment test that fails
+- added reference benchmark
+- ensure phase2 serialization is tested
+- solver error found
+- with dependency. err: inputs are modified
+- add emulated Fp12 tests
+- add emulated Fp6 tests
+- add emulated Fp2 tests
+- basic permutation tests passing
+- only the gkr solver
+- more instances
+- with dependency
+- "doubling" circuit passes
+- end-to-end: can't use test engine (for now)
+- **emulated:** ScalarMul with random scalars
+- **fields_bn254:** add remaing tests
+- **fields_bn254:** clean tests
+- **sw_emulated:** infinity as (0,0) edge-cases in ScalarMul
+
+### Pull Requests
+- Merge pull request [#814](https://github.com/consensys/gnark/issues/814) from Consensys/develop
+- Merge pull request [#804](https://github.com/consensys/gnark/issues/804) from Consensys/feat/revert_staticcall
+- Merge pull request [#796](https://github.com/consensys/gnark/issues/796) from Consensys/feat/calldata_pi_proof
+- Merge pull request [#795](https://github.com/consensys/gnark/issues/795) from Consensys/feat/clean_compute_pi
+- Merge pull request [#794](https://github.com/consensys/gnark/issues/794) from Consensys/feat/clean_hash_fr
+- Merge pull request [#792](https://github.com/consensys/gnark/issues/792) from Consensys/perf/solidity-cached-array-index
+- Merge pull request [#783](https://github.com/consensys/gnark/issues/783) from Consensys/perf/emulated-scalarMul
+- Merge pull request [#775](https://github.com/consensys/gnark/issues/775) from Consensys/fix/plonk_audit_4-23
+- Merge pull request [#772](https://github.com/consensys/gnark/issues/772) from Consensys/perf/pairing-add0
+- Merge pull request [#760](https://github.com/consensys/gnark/issues/760) from Consensys/perf/emulated-scalarMul
+- Merge pull request [#769](https://github.com/consensys/gnark/issues/769) from Consensys/fix/plonk_contract_i_768
+- Merge pull request [#762](https://github.com/consensys/gnark/issues/762) from Consensys/fix/i_761
+- Merge pull request [#758](https://github.com/consensys/gnark/issues/758) from Consensys/fix/plonk_audit_4-15
+- Merge pull request [#754](https://github.com/consensys/gnark/issues/754) from Consensys/fix/plonk_audit_4-5
+- Merge pull request [#756](https://github.com/consensys/gnark/issues/756) from Consensys/fix/plonk_audit_4-13
+- Merge pull request [#742](https://github.com/consensys/gnark/issues/742) from Consensys/fix/plonk_audit_4-4
+- Merge pull request [#744](https://github.com/consensys/gnark/issues/744) from Consensys/fix/plonk_audit_4-8
+- Merge pull request [#714](https://github.com/consensys/gnark/issues/714) from Consensys/perf/emulated-pairing
+- Merge pull request [#698](https://github.com/consensys/gnark/issues/698) from Consensys/evm/ecpair
+- Merge pull request [#726](https://github.com/consensys/gnark/issues/726) from Consensys/emulated/scalarMul
+- Merge pull request [#708](https://github.com/consensys/gnark/issues/708) from Consensys/feat/fixed-pairing
+- Merge pull request [#739](https://github.com/consensys/gnark/issues/739) from Consensys/fix/plonk_audit_4-9
+- Merge pull request [#736](https://github.com/consensys/gnark/issues/736) from Consensys/fix/plonk_audit_4-11
+- Merge pull request [#737](https://github.com/consensys/gnark/issues/737) from Consensys/feat/gkr-custom-gates
+- Merge pull request [#443](https://github.com/consensys/gnark/issues/443) from Consensys/feat/gkr-api
+- Merge pull request [#733](https://github.com/consensys/gnark/issues/733) from Consensys/refactor/gkr-notfrontend-api
+- Merge pull request [#723](https://github.com/consensys/gnark/issues/723) from ConsenSys/fix/serialization
+- Merge pull request [#702](https://github.com/consensys/gnark/issues/702) from ConsenSys/feat/g16-multicommits
+- Merge pull request [#712](https://github.com/consensys/gnark/issues/712) from ConsenSys/fix/plonk-commit0
+- Merge pull request [#707](https://github.com/consensys/gnark/issues/707) from ConsenSys/perf/scalarMul-2chain
+- Merge pull request [#706](https://github.com/consensys/gnark/issues/706) from ConsenSys/perf/scalarMul-2chain
+- Merge pull request [#694](https://github.com/consensys/gnark/issues/694) from ConsenSys/feat/change_opening_order_kzg
+- Merge pull request [#701](https://github.com/consensys/gnark/issues/701) from ConsenSys/fix/672
+- Merge pull request [#668](https://github.com/consensys/gnark/issues/668) from ConsenSys/feat/plonk-multicommit
+- Merge pull request [#666](https://github.com/consensys/gnark/issues/666) from ConsenSys/feat/hint-naming-options
+- Merge pull request [#661](https://github.com/consensys/gnark/issues/661) from ConsenSys/perf/ecdsa
+- Merge pull request [#629](https://github.com/consensys/gnark/issues/629) from ConsenSys/feat/emulated/subgroup-check
+- Merge pull request [#658](https://github.com/consensys/gnark/issues/658) from ConsenSys/perf/kzg-verify
+- Merge pull request [#632](https://github.com/consensys/gnark/issues/632) from ConsenSys/refactor/kzg-srs-breakup-companion
+- Merge pull request [#633](https://github.com/consensys/gnark/issues/633) from ConsenSys/plonk-commitment-info
+- Merge pull request [#631](https://github.com/consensys/gnark/issues/631) from ConsenSys/feat/AddSafe
+- Merge pull request [#625](https://github.com/consensys/gnark/issues/625) from aybehrouz/perf/mux
+- Merge pull request [#613](https://github.com/consensys/gnark/issues/613) from ConsenSys/fix-605
+- Merge pull request [#586](https://github.com/consensys/gnark/issues/586) from ConsenSys/406-bsb22-commitments-plonk
+- Merge pull request [#591](https://github.com/consensys/gnark/issues/591) from ConsenSys/feat/bls12-381-pairing
+- Merge pull request [#594](https://github.com/consensys/gnark/issues/594) from ConsenSys/perf/bn254-FinalExp
+- Merge pull request [#566](https://github.com/consensys/gnark/issues/566) from ConsenSys/perf/bn254-pairing
+- Merge pull request [#563](https://github.com/consensys/gnark/issues/563) from ConsenSys/stage/bnb/groth16setup
+- Merge pull request [#519](https://github.com/consensys/gnark/issues/519) from ConsenSys/refactor/remove-profiling
+- Merge pull request [#514](https://github.com/consensys/gnark/issues/514) from ConsenSys/refactor/weierstrass-scalarmulbase
+- Merge pull request [#506](https://github.com/consensys/gnark/issues/506) from ConsenSys/perf/kzg-in-circuit
+- Merge pull request [#497](https://github.com/consensys/gnark/issues/497) from ConsenSys/perf/ecdsa
+- Merge pull request [#503](https://github.com/consensys/gnark/issues/503) from ConsenSys/docs/emulated-select
+- Merge pull request [#481](https://github.com/consensys/gnark/issues/481) from ConsenSys/refactor/commit-interface
+- Merge pull request [#480](https://github.com/consensys/gnark/issues/480) from ConsenSys/feat/kvstore
+
+
## [v0.8.1] - 2023-07-11
### Chore
+- update CHANGELOG
- update version
- update gnark-crypto dependency
+### Pull Requests
+- Merge pull request [#771](https://github.com/consensys/gnark/issues/771) from Consensys/release/v0.8.1
+
## [v0.8.0] - 2023-02-14
@@ -1643,7 +2955,10 @@
- Merge pull request [#5](https://github.com/consensys/gnark/issues/5) from ConsenSys/go1.14_deps
-[Unreleased]: https://github.com/consensys/gnark/compare/v0.8.1...HEAD
+[v0.10.0]: https://github.com/consensys/gnark/compare/v0.9.1...v0.10.0
+[v0.9.1]: https://github.com/consensys/gnark/compare/v0.9.0...v0.9.1
+[v0.9.0]: https://github.com/consensys/gnark/compare/v0.9.0-alpha...v0.9.0
+[v0.9.0-alpha]: https://github.com/consensys/gnark/compare/v0.8.1...v0.9.0-alpha
[v0.8.1]: https://github.com/consensys/gnark/compare/v0.8.0...v0.8.1
[v0.8.0]: https://github.com/consensys/gnark/compare/v0.7.1...v0.8.0
[v0.7.1]: https://github.com/consensys/gnark/compare/v0.6.5...v0.7.1
diff --git a/README.md b/README.md
index 294be110f3..0b478b6e94 100644
--- a/README.md
+++ b/README.md
@@ -5,8 +5,11 @@
[![PkgGoDev](https://pkg.go.dev/badge/mod/github.com/consensys/gnark)](https://pkg.go.dev/mod/github.com/consensys/gnark)
[![Documentation Status](https://readthedocs.com/projects/pegasys-gnark/badge/)][`gnark` User Documentation] [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.5819104.svg)](https://doi.org/10.5281/zenodo.5819104)
-`gnark` is a fast zk-SNARK library that offers a high-level API to design circuits. The library is open source and developed under the Apache 2.0 license
+`gnark` is a fast zk-SNARK library that offers a high-level API to design circuits. The library is open source and developed under the Apache 2.0 license.
+`gnark` uses [`gnark-crypto`] for the finite-field arithmetic and out-circuit implementation of cryptographic algorithms.
+
+`gnark` powers [`Linea zk-rollup`](https://linea.build). Include your project in the [known users](docs/KNOWN_USERS.md) section by opening a PR.
## Useful Links
@@ -24,11 +27,40 @@ To get started with `gnark` and write your first circuit, follow [these instruct
Checkout the [online playground][`gnark` Playground] to compile circuits and visualize constraint systems.
-## Warning
+## Security
+
+**`gnark` and [`gnark-crypto`] have been [extensively audited](#audits), but are provided as-is, we make no guarantees or warranties to its safety and reliability. In particular, `gnark` makes no security guarantees such as constant time implementation or side-channel attack resistance.**
+
+**To report a security bug, please refer to [`gnark` Security Policy](SECURITY.md).**
+
+Refer to [known security advisories](https://github.com/Consensys/gnark/security/advisories?state=published) for a list of known security issues.
+
+## Testing
-**`gnark` has been [partially audited](https://github.com/ConsenSys/gnark-crypto/blob/master/audit_oct2022.pdf) and is provided as-is, we make no guarantees or warranties to its safety and reliability. In particular, `gnark` makes no security guarantees such as constant time implementation or side-channel attack resistance.**
+`gnark` employs the following testing procedures:
+* unit testing - we test the primitives in unit tests
+* circuit testing - we test the circuit implementation against several targets:
+ - test engine - instead of running the full prover and verifier stack, we run the computations only to ensure the completeness of the circuits
+ - proof engines - we compile the circuits, run the setup, prove and verify using native implementation
+ - Solidity verifier - in addition to the previous, we verify the proofs in Solidity verifier. See [`gnark-solidity-checker`]
+* regression testing - we have implemented [tests for reported issues](internal/regression_tests) to avoid regressions
+* constraint count testing - we have implemented [circuit size tests](internal/stats) to avoid regressions
+* serialization testing - we check that [serialization round-trip is complete](io/roundtrip.go)
+* side-effect testing - we check that circuit [compilation is deterministic](test/assert.go)
+* fuzz testing:
+ - circuit input fuzzing - we provide random inputs to the circuit to cause solver error
+ - native input fuzzing - we provide random inputs to various native methods to cause errors. We have also stored initial fuzzing corpus for regression tests.
+ - circuit definition fuzzing - we cooperate with Consensys Diligence to fuzz the circuit definitions to find bugs in the `gnark` circuit compiler.
-`gnark` and `gnark-crypto` packages are optimized for 64bits architectures (x86 `amd64`) and tested on Unix (Linux / macOS).
+The tests are automatically run during every PR and merge commit. We run full test suite only for the Linux on `amd64` target, but run short tests both for Windows target (`amd64`) and macOS target (`arm64`).
+
+## Performance
+
+`gnark` and `gnark-crypto` packages are optimized for 64bits architectures (x86 `amd64`) using assembly operations. We have generic implementation of the same arithmetic algorithms for ARM backends (`arm64`). We do not implement vector operations.
+
+## Backwards compatibility
+
+`gnark` tries to be backwards compatible when possible, however we do not guarantee that serialized object formats are static over different versions of `gnark`. Particularly - we do not have versioning implemented in the serialized formats, so using files between different versions of gnark may lead to undefined behaviour or even crash the program.
## Issues
@@ -44,6 +76,17 @@ You can also get in touch directly: gnark@consensys.net
[Release Notes](CHANGELOG.md)
+## Audits
+
+* [Kudelski Security - October 2022 - gnark-crypto (contracted by Algorand Foundation)](audits/2022-10%20-%20Kudelski%20-%20gnark-crypto.pdf)
+* [Sigma Prime - May 2023 - gnark-crypto KZG (contracted by Ethereum Foundation)](audits/2024-05%20-%20Sigma%20Prime%20-%20kzg.pdf)
+* [Consensys Diligence - June 2023 - gnark PLONK Solidity verifier](https://consensys.io/diligence/audits/2023/06/linea-plonk-verifier/)
+* [LeastAuthority - August 2023 - gnark Groth16 Solidity verifier template (contracted by Worldcoin)](https://leastauthority.com/wp-content/uploads/2023/08/Worldcoin_Groth16_Verifier_in_EVM_Smart_Contract_Final_Audit_Report.pdf)
+* [OpenZeppelin - November 2023 - gnark PLONK Solidity verifier template](https://blog.openzeppelin.com/linea-verifier-audit-1)
+* [ZKSecurity.xyz - May 2024 - gnark standard library](audits/2024-05%20-%20zksecurity%20-%20gnark%20std.pdf)
+* [OpenZeppelin - June 2024 - gnark PLONK prover and verifier](https://blog.openzeppelin.com/linea-prover-audit)
+* [LeastAuthority - July 2024 - gnark general and GKR (initial report)](audits/2024-07%20-%20Least%20Authority%20-%20arithm%20and%20GKR.pdf)
+
## Proving schemes and curves
Refer to [Proving schemes and curves] for more details.
@@ -148,17 +191,17 @@ If you use `gnark` in your research a citation would be appreciated.
Please use the following BibTeX to cite the most recent release.
```bib
-@software{gnark-v0.9.0,
+@software{gnark-v0.10.0,
author = {Gautam Botrel and
Thomas Piellard and
Youssef El Housni and
Ivo Kubjas and
Arya Tabaie},
- title = {ConsenSys/gnark: v0.9.0},
- month = feb,
- year = 2023,
+ title = {ConsenSys/gnark: v0.10.0},
+ month = apr,
+ year = 2024,
publisher = {Zenodo},
- version = {v0.9.0},
+ version = {v0.10.0},
doi = {10.5281/zenodo.5819104},
url = {https://doi.org/10.5281/zenodo.5819104}
}
@@ -183,3 +226,5 @@ This project is licensed under the Apache 2 License - see the [LICENSE](LICENSE)
[Proving schemes and curves]: https://docs.gnark.consensys.net/Concepts/schemes_curves
[`gnark-announce`]: https://groups.google.com/g/gnark-announce
[@gnark_team]: https://twitter.com/gnark_team
+[`gnark-crypto`]: https://github.com/Consensys/gnark-crypto
+[`gnark-solidity-checker`]: https://github.com/Consensys/gnark-solidity-checker
\ No newline at end of file
diff --git a/audits/2022-10 - Kudelski - gnark-crypto.pdf b/audits/2022-10 - Kudelski - gnark-crypto.pdf
new file mode 100644
index 0000000000..c29c5ba46b
Binary files /dev/null and b/audits/2022-10 - Kudelski - gnark-crypto.pdf differ
diff --git a/audits/2024-05 - Sigma Prime - kzg.pdf b/audits/2024-05 - Sigma Prime - kzg.pdf
new file mode 100644
index 0000000000..2457b3754b
Binary files /dev/null and b/audits/2024-05 - Sigma Prime - kzg.pdf differ
diff --git a/audits/2024-05 - zksecurity - gnark std.pdf b/audits/2024-05 - zksecurity - gnark std.pdf
new file mode 100644
index 0000000000..594e47dd5c
Binary files /dev/null and b/audits/2024-05 - zksecurity - gnark std.pdf differ
diff --git a/audits/2024-07 - Least Authority - arithm and GKR.pdf b/audits/2024-07 - Least Authority - arithm and GKR.pdf
new file mode 100644
index 0000000000..515edf0119
Binary files /dev/null and b/audits/2024-07 - Least Authority - arithm and GKR.pdf differ
diff --git a/CITATION.bib b/docs/CITATION.bib
similarity index 68%
rename from CITATION.bib
rename to docs/CITATION.bib
index cd37a9b89a..51afca5ac2 100644
--- a/CITATION.bib
+++ b/docs/CITATION.bib
@@ -1,14 +1,14 @@
-@software{gnark-v0.7,
+@software{gnark-v0.10.0,
author = {Gautam Botrel and
Thomas Piellard and
Youssef El Housni and
Ivo Kubjas and
Arya Tabaie},
- title = {ConsenSys/gnark: v0.7.0},
- month = march,
- year = 2022,
+ title = {ConsenSys/gnark: v0.10.0},
+ month = apr,
+ year = 2024,
publisher = {Zenodo},
- version = {v0.7.0},
+ version = {v0.10.0},
doi = {10.5281/zenodo.5819104},
url = {https://doi.org/10.5281/zenodo.5819104}
}
\ No newline at end of file
diff --git a/docs/KNOWN_USERS.md b/docs/KNOWN_USERS.md
new file mode 100644
index 0000000000..307179d793
--- /dev/null
+++ b/docs/KNOWN_USERS.md
@@ -0,0 +1,3 @@
+# Known `gnark` users
+
+* [Linea](https://linea.build) - Ethereum L2 rollup based on ZKPs. gnark is used for precompile proving, Vortex proof recursive verification, 2-chain proof aggregation, proof compression to BN254 and PLONK Solidity verification. gnark-crypto is used for finite field arithmetic.
\ No newline at end of file