From 103f29f1eb3cc80332bdcd9467307fe0d96e6e43 Mon Sep 17 00:00:00 2001 From: Ivo Kubjas Date: Tue, 11 Jul 2023 17:02:11 +0200 Subject: [PATCH] chore: update CHANGELOG --- CHANGELOG.md | 1535 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 1406 insertions(+), 129 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a142c31e1..52a5d51bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,53 +1,534 @@ - + +## [v0.9.2] - 2023-07-11 + +### Fix +- ECDSA HashToInt bytes-bits mismatch ([#428](https://github.com/ConsenSys/gnark-crypto/issues/428)) + + + +## [v0.9.1] - 2023-02-14 +### Build +- go generate +- weird staticcheck rule +- generify +- generify +- generify parallel .Complete +- generify fixes +- generify parallel computeGJ +- generify bn254 mimc changes +- remove G2Exist flag from curves config + +### Chore +- remove safeStack +- simpler dst for hash.WriteString +- staticcheck +- more ToBigIntRegular -> BigInt and another little thing +- ToBigIntRegular -> BigInt +- remove codegen temp files +- delete temp files +- setNbOutputs covered by topSort now +- remove two other topological sorts + +### Docs +- fix incorrect statement +- innerWork +- update DOI in README.md + +### Feat +- SliceToElementSlice to be generic +- some gkr; claim/subclaim in sumcheck seems untenable +- Merkle tree to panic upon hash write error +- pedersen_hash added to stark curve +- signing interface changes and bn254 impl +- add Vector support to ecc marshal encoder ([#336](https://github.com/ConsenSys/gnark-crypto/issues/336)) +- gkr.Circuit.MemoryRequirements +- can pass workers pool in +- parallel versions of computing gate inputs +- more "subtle" parallelization tools +- edDSA to write element by element +- hash.ToField compatible with hash.Hash +- generify parallel.Execute +- pre-hashed message in eddsa +- pre-hashed message in ecdsa +- thread-safe pool +- adds Vector in field package +- first sumcheck attempt. Need specialized fiatshamir +- more usable WriteString instead of "Decompose" +- generify Decomposition solution +- decomposing long challenge names bn254 +- generic sumcheck prover and verifier +- start ECDSA on secp256k1 +- generate fp with addchain stark-curve +- MSM and BatchScalarMul on secp256k1 +- ListHash +- generify MessageCounter fix +- generify gkr test vec gen fixes +- generify gkr fixes +- generify non-test vector gkr test changes +- generify gkr changes +- generify sumcheck changes +- small_rational to and from bytes +- generified gkr tests. test case generation still not working +- some test generification +- generify gkr.tmpl +- edDsa SignFr and VerifyFr +- nuke element.Bit() closes [#306](https://github.com/ConsenSys/gnark-crypto/issues/306) ([#331](https://github.com/ConsenSys/gnark-crypto/issues/331)) +- generic pool +- generify multi-fan-out input bugfix +- generified benchmark, parallelism and top sort +- add minimal implem of stark curve +- clean ups +- basic benchmarking +- test vector utils for all +- a first attempt at separate test vector utils +- parsing polynomials; more trouble than worth +- remove unused test hash entries +- gkr test vector codegen works for rationals +- autogen gkr tests +- code generation for poly.Text +- better polynomial.Text for bn254 +- small_rational to use big.Int underneath +- identity gate, 2 instances test on Q - prover side +- Load test circuit and test hash function +- sumcheck for rationals +- more smallrational features +- polynomial codegen to use simpler FieldDependency data structure +- all necessary functions for the polynomial package +- codegen for gkr +- neg, sub, equal, double +- codegen for sumcheck +- some experimental rational +- just a few lines +- gkr verifier +- Verify stub. shared claim mgmt structure. prover refactor to come +- gkr prover +- gkr sumcheck combine and computeGJ +- some gkr prover stuff +- three kinds of topological sort +- MORE ABSTRACTION 🥲 Evaluating the final claim may be hard +- **ecdsa:** use aes-ctr in signing randomness +- **templates:** ecdsa package for all curves + +### Fix +- static checks +- no repeated claims in FinalEvalProof +- mimc pow7 +- single multilin test works +- number of rounds for mimc +- sumcheck test +- parallelization bug +- remove mimc printfs +- WriteString returns no error now +- side-stepped thread-safe pool issue +- some debugging +- serialization of stark-curve points +- Multilin tests with toy input-independent hash work +- use ProveFinalEval, make member vars of proof public +- eddsa: separate field element and non-field-element hash inputs +- minor error +- eddsa to use WriteString +- align challenge name, prepending with zeros to avoid field overflow +- ecdsa on secp256k1 working +- merge with develop +- an attempt at input verification +- computeGJ works correctly for mul gate +- mul gate test passes +- package name +- correct field type +- generify the fix +- verifier input building bug +- more noRedundancy bugs +- noRedundancy bugs +- multi-counting outs to the same wire +- ignored errors in sumcheck.setupTranscript +- sumcheck "bad proof accepted" +- accepting bad proofs +- sumcheck claim test +- MessageCounter.Reset +- staticcheck +- uncomment gkr test vec gen +- gkr test-vec gen errors +- generify changes in small_rational maphashes +- fake hash consistency +- staticcheck +- some gkr test vec errors +- no hardcoded fr.Element in sumcheck test case gen +- gkr challenges for SmallRational +- sumcheck testcase gen compiles +- gkr test case generator compiles +- gkr_test files compile +- bn254 sumcheck tests pass +- fiatshamir to write bindings one by one +- single input two identity gates test fixed, but fails +- closes [#316](https://github.com/ConsenSys/gnark-crypto/issues/316) big int pool doesn't allow nil values +- no expectation of ins/outs lumped together in tests +- topological sort no longer group inputs and outputs +- reintroduce some deleted autogens +- generification +- bn254 seems correct. test vector reordering needed +- gofmt +- yoda, multi-fan-out input bug +- remove "enormousArray" hack, minimize unsafe.Pointer use +- free mallocs +- an "evaluate" missing the pool argument +- errors in rational sumcheck +- remove unreachable return +- writeKey quotation marks +- save new hash entries +- still inconsistency betw rational and bn254 +- snapshot for hash inconsistency error +- remove auto-generated test files +- test vec gen works +- manually edited main.go for gkr test vec gen +- snapshot: gkr test vector generation +- wrong type for wireAssignent +- minor ones +- rough edges for rationals +- some corrections for rationals +- restored hash elements incorrectly marked as unnecessary +- more staticcheck fixes +- better string search to make staticcheck happy +- no redeclaring "err" to make staticcheck happy +- all gkr tests pass +- no compile errors, rational cases pass +- setElement more consistent with SetInterface +- setElement method that would work on fr and rationals +- codegen for gkr test cases, compiles +- gkr tests on rationals pass +- no in-place operations +- id circuit verification passes +- fewer gkr test instances by default +- some codegen mistakes +- many instances of small circuits +- remove challengeSeed from sumcheck input +- **EdDSA:** enforce hash function as FS challenge +- **curves:** copy scalars in JointScalarMul +- **ecdsa:** avoid only 1 inverse in verify +- **secp256k1:** bound cRrange by 15 for MSM +- **secp256k1:** code generation for msm +- **stark-curve:** point encoder (a!=0) +- **stark-curve:** svdw hash-to-curve (coeff A!=0) +- **template:** entries var re-declared + +### Perf +- parallelize computeGJ more effectively +- parallel Fold +- step 2 Combine +- step 1, use the new pool for computeGJ and next +- minor adjustements to iop package ([#334](https://github.com/ConsenSys/gnark-crypto/issues/334)) +- mimc on bls12-377/fr uses x^17 as a permutation +- multilin.Fold without writing top part in memory +- parallel WireAssignment.Complete for bn254 +- simplify gkr pool +- workerPool in gkr +- reduced many memory leaks to two +- parallelism in computeGJ but faulty +- concurrency in computeGJ. to make pool maps thread-safe +- some rudimentary parallelism +- **ecdsa:** avoid 2 inverses in verify (affine scalarMul) +- **ecdsa:** no bigInt allocation + +### Refactor +- include secp256k1 in code generation +- move some routines from gkrVectors +- Pedersen hash on stark-curve +- remove Decompose entirely +- plookup.Table -> fr.Vector +- element imports field/pool and field/hash to avoid cycles +- remove dead code (FFT params for secp256k1) +- concile ecdsa and eddsa on signature interface +- smallRational out of gkr +- remove fr/ packages from secp256k1 +- generify most gkr test vector ops +- remove "proofEquals" from gkr test vgen +- remove subclaim class +- remove ToField interface +- get rid of ParsedTestCase +- include secp256k1 in code generation +- move all fake hashes to test_vector_utils +- cleaner sumcheck test-vec generation +- clean iop APIs + add Marshal methods ([#337](https://github.com/ConsenSys/gnark-crypto/issues/337)) +- gkr tests to work with fiatshamir.transcript +- remove unused file +- fixing gkr tests +- sumcheck and gkr to use fiatshamir package +- **ecdsa:** follows SEC 1 v-2 +- **ecdsa:** make public params exportable to gnark +- **ecdsa:** remove Params struct +- **ecdsa:** marshal + follow interface +- **ecdsa:** make hashToInt accessible for gnark + +### Revert +- deleted mimc.Write documentation +- Remove EdDSA SignNum and VerifyNum +- remove SignNum and VerifyNum +- mimc to take in multiple elements +- don't doubly hash finalEvalProof when an input wire is skipped +- roll back cgo in memory management + +### Style +- some simplification, remove some dead code +- remove unnecessary variable +- remove some dead code +- format +- rename rational_cases to test_vectors +- don't name unused variables +- improved comments -## [v0.8.0] - 2022-08-03 +### Test +- more debug output +- printfs in mimc +- mimc to write out its ins and outs +- a couple of benchmarks with some printfs +- add ecdsa benchmarks +- failing test +- replicate failure in small_rational +- MapHash consistency +- vector with 4 instances +- bigger instances +- add failing verification tests +- trilinear - single claim +- a simple test vector for sumcheck +- rational using big.Int is a failure +- mimc test fails, most likely due to overflow +- mimc; rational overflowing. TODO: Replace int64 with big.Int +- vectors: more +- some extra logging for 16M memory failure +- more tests, mimc circuit fails +- more usable message counter +- fundamental flaw found in computeGJ +- failing test for mul gate +- simplest possible test, two instances of an identity gate + +### Pull Requests +- Merge pull request [#342](https://github.com/ConsenSys/gnark-crypto/issues/342) from ConsenSys/develop +- Merge pull request [#308](https://github.com/ConsenSys/gnark-crypto/issues/308) from ConsenSys/304-field-agnostic-fiat-shamir-challenge-names +- Merge pull request [#319](https://github.com/ConsenSys/gnark-crypto/issues/319) from ConsenSys/perf/gkr +- Merge pull request [#328](https://github.com/ConsenSys/gnark-crypto/issues/328) from ConsenSys/perf/gkrpool +- Merge pull request [#333](https://github.com/ConsenSys/gnark-crypto/issues/333) from ConsenSys/fix/mimc-pow7 +- Merge pull request [#327](https://github.com/ConsenSys/gnark-crypto/issues/327) from ConsenSys/pedersen-hash +- Merge pull request [#320](https://github.com/ConsenSys/gnark-crypto/issues/320) from ConsenSys/fix/mimc-rounds +- Merge pull request [#312](https://github.com/ConsenSys/gnark-crypto/issues/312) from ConsenSys/signature/pre-hashed +- Merge pull request [#311](https://github.com/ConsenSys/gnark-crypto/issues/311) from ConsenSys/feat/element/vector +- Merge pull request [#310](https://github.com/ConsenSys/gnark-crypto/issues/310) from ConsenSys/feat/ecdsa +- Merge pull request [#298](https://github.com/ConsenSys/gnark-crypto/issues/298) from ConsenSys/secp256k1/MSM +- Merge pull request [#309](https://github.com/ConsenSys/gnark-crypto/issues/309) from ConsenSys/chore/tobigintregular-deprecated +- Merge pull request [#305](https://github.com/ConsenSys/gnark-crypto/issues/305) from ConsenSys/test/fiatshamir-mimc +- Merge pull request [#299](https://github.com/ConsenSys/gnark-crypto/issues/299) from ConsenSys/feat/stark-curve +- Merge pull request [#285](https://github.com/ConsenSys/gnark-crypto/issues/285) from ConsenSys/refac/gkr-fiatshamir +- Merge pull request [#259](https://github.com/ConsenSys/gnark-crypto/issues/259) from ConsenSys/bench/gkr + + + +## [v0.9.0] - 2023-01-05 +### Build +- re-ran gofmt with go1.19, updated ci to that -This version was partially audited by Kudelski Security for the Algorand Foundation. (TODO insert report link). -The scope of the audit covered `bn254` and `bls12-381` packages (including field arithmetic). +### Docs +- added audit.pdf and updated link in README ### Feat +- field.Hash ([#271](https://github.com/ConsenSys/gnark-crypto/issues/271)) +- add secp256k1 curve + +### Fix +- make BigInt a pointer receiver +- remove generated fr/pedersen package from secp256k1 +- rebase on develop +- no compressed marshall because no spare bit +- **secp256k1:** no partitionScalars because there is no spare bit + +### Fix +- typos ([#262](https://github.com/ConsenSys/gnark-crypto/issues/262)) + +### Perf +- **MSM:** save 4 mul in ext-Jac add +- **bn254:** faster subgroup membership + +### Refactor +- rebase on develop (field api) +- mark ToBigIntRegular as deprecated, introduce BigInt method ([#290](https://github.com/ConsenSys/gnark-crypto/issues/290)) +- clean code generation for endo-based computations ([#281](https://github.com/ConsenSys/gnark-crypto/issues/281)) +- **bn254:** remove unused variable (fixedCoeff) + +### Style +- typo + +### Pull Requests +- Merge pull request [#297](https://github.com/ConsenSys/gnark-crypto/issues/297) from ConsenSys/develop +- Merge pull request [#277](https://github.com/ConsenSys/gnark-crypto/issues/277) from ConsenSys/feat/secp256k1 +- Merge pull request [#251](https://github.com/ConsenSys/gnark-crypto/issues/251) from ConsenSys/perf/IsInSubGroup-BN +- Merge pull request [#250](https://github.com/ConsenSys/gnark-crypto/issues/250) from ConsenSys/docs/audit +- Merge pull request [#245](https://github.com/ConsenSys/gnark-crypto/issues/245) from ConsenSys/perf/extJac-add +- Merge pull request [#240](https://github.com/ConsenSys/gnark-crypto/issues/240) from ConsenSys/go1.19 + + +## [v0.8.0] - 2022-08-04 +### Build +- updated go.mod direct deps +- go mod tidy +- update bavard dep +- ran go generate after dev merge +- faster ci path ([#185](https://github.com/ConsenSys/gnark-crypto/issues/185)) +- increase CI timeout +- fix BatchInvert renaming in SSWU templates + +### Chore +- bls12-381 vectors: u +- fix some merge issues +- merge develop +- resolve conflicts with non-mont-params + +### Ci +- fix slack integration + adds golanglint-ci ([#184](https://github.com/ConsenSys/gnark-crypto/issues/184)) +- revert most of last commit +- use self hosted runners + +### Clean +- replace modulus generated by constants, add zero-alloc SetRandom ([#194](https://github.com/ConsenSys/gnark-crypto/issues/194)) +- remove uneeded x86 asm and files ([#192](https://github.com/ConsenSys/gnark-crypto/issues/192)) + +### Docs +- updated changelog for v0.8.0 +- polish readme.md with updated godoc subpackage links ([#235](https://github.com/ConsenSys/gnark-crypto/issues/235)) +- acknowledge that inv(0)==0 in comments as a convention ([#233](https://github.com/ConsenSys/gnark-crypto/issues/233)) +- correct some comments +- added note in pairing godoc - doesn't check inputs are in correct subgroup ([#231](https://github.com/ConsenSys/gnark-crypto/issues/231)) +- add security estimates of implemented curves in comments +- prepare v0.8.0 release notes +- added twitter handle and security policy links +- updated doi + +### Feat +- simplified low degree check +- lagrange polys, a couple of poly funcs +- eq folding, unify small and large interfaces +- addition of multiple rounds in fri +- some folding in bn254 +- supsub +- closes [#137](https://github.com/ConsenSys/gnark-crypto/issues/137) moves consensys/goff into field/goff ([#204](https://github.com/ConsenSys/gnark-crypto/issues/204)) +- tests used gopter for polynomials (bls377, no code gen yet) +- multilin for all fields - field/goldilocks (more efficient 1-limb modulus arith) ([#177](https://github.com/ConsenSys/gnark-crypto/issues/177)) +- fields in fri proofs are exported +- code gen for previous commit +- code gen for previous refactor - field/generator suppors 1-limb modulus ([#175](https://github.com/ConsenSys/gnark-crypto/issues/175)) -- field.SetRandom zero-alloc uniform sampling -- **E6/E12/E24:** GT torus-based batch compression/decompression +- simplification of the final evaluation check +- simplify deriveQueriesPositions +- removed polynomial package bls24315 +- removed polynomial package +- code gen +- simplified deriveQueriesPosition +- code gen for polynomials +- a few polynomial utility functions, separate multilin_tests +- regen polynomial +- addition of ID in proof of proximity (for FiatShamir) +- added finer grained error handling +- exposed Claimed value +- Open returns an error, addition of getter for rho +- code gen +- addition of opening tests +- addition of opening+verification +- merge develop +- code gen for previous fix +- code gen for kzg refactor +- added Fiat Shamir for the (folding) challenges in fri +- code gen for fri +- **E12:** GT torus-based compression/decompression +- **E12:** GT torus-based batch compression/decompression +- **E24:** GT torus-based batch compression/decompression +- **E6:** GT torus-based batch compression/decompression +- **fri:** added check of correctness between rounds, test OK - **fri:** modified challenge generation so it fits in a snark variable -- **fri:** added check of correctness between rounds +- **fri:** evaluation field is exported +- **fri:** removed unsused variable ### Fix - - Handle edge case in Karabina decompression ([#219](https://github.com/ConsenSys/gnark-crypto/issues/219)) + +### Fix - check nbTasks config when running msm, test all possible c-bit windows in when testing.Short not set) ([#226](https://github.com/ConsenSys/gnark-crypto/issues/226)) +- race condition with supportAdx relique in internal/fptower - element.SetString(_) returns error if invalid input instead of panic +- bavard dependency +- Torus compression exception case +- ToMont takes non-reference +- q in tests requires isogeny +- svdw parameters: z=1 not i - expand_msg_xmd copy bug, a few tests ([#201](https://github.com/ConsenSys/gnark-crypto/issues/201)) +- "e3" bug and change sign0 to the recent std specification - closes [#199](https://github.com/ConsenSys/gnark-crypto/issues/199). Correct bound in eddsa key gen template +- expand_msg_xmd copy bug, a few tests +- 8*Limbs could be too many bytes +- right length argument for ExpandMsgXmd +- remove supportAdx redundant test ([#186](https://github.com/ConsenSys/gnark-crypto/issues/186)) +- evaluation is an array instead of a slice +- twoInv defined in init, removed dead code, unexport nbRounds +- fixed unhandled errors +- fixed conflict +- fixed queries positions +- fixed wrong indexation generator inverse +- rebase on develop +- wrong size for Merkle path opening +- fixed unhandled error +- fixed condition written out of scope, tests with gopter OK +- fixed parity error +- fixed unhandled error +- fri test ok, need to clean and optimize +- TestDeriveQueriesPositions passes +- fixed failing tests (polynomial.go, bls12-381) +- dusted off polynomial.go (bls377, no code gen yet) ### Perf - - remove unecessary inverse in KZG-verify - faster GLV scalar decompostion -### Refactor & Docs - -- moved consensys/goff into field/goff ([#204](https://github.com/ConsenSys/gnark-crypto/issues/204)) +### Refactor +- fft is done in the main loop +- kzg uses DivideByXminusA from polynomial module +- ScalarMul -> ScalarMultiplication +- everything related to multilinear polynomials in the same file +- verbose names +- same codegen for sswu and svdw +- sswu and svdw in "define"s +- ScalarMulUnconverted -> ScalarMultiplicationAffine +- moved divByXminusa to polynomial.go +- BatchScalarMul -> BatchScalarMultiplication +- parameters passed in regular form +- lots of ffts removed +- polynomial -> []frElement in fri +- removed Commit function +- NewPolynomial -> New +- removed test DivPolyByXminusA from kzg, DivPolyBy -> DivBy +- sswuMap -> mapToCurve - clean comments in curves ([#193](https://github.com/ConsenSys/gnark-crypto/issues/193)) +- DivideByXMinusA returns a pointer +- **polynomial:** Copy() --> GetCopy() + +### Style - remove dead code ([#230](https://github.com/ConsenSys/gnark-crypto/issues/230)) +- inneficient -> inefficient - cosmetic changes ([#197](https://github.com/ConsenSys/gnark-crypto/issues/197)) -- replace modulus generated by constants, add zero-alloc SetRandom ([#194](https://github.com/ConsenSys/gnark-crypto/issues/194)) -- remove uneeded x86 asm and files ([#192](https://github.com/ConsenSys/gnark-crypto/issues/192)) -- polish readme.md with updated godoc subpackage links ([#235](https://github.com/ConsenSys/gnark-crypto/issues/235)) -- acknowledge that inv(0)==0 in comments as a convention ([#233](https://github.com/ConsenSys/gnark-crypto/issues/233)) -- added note in pairing godoc - doesn't check inputs are in correct subgroup ([#231](https://github.com/ConsenSys/gnark-crypto/issues/231)) -- add security estimates of implemented curves in comments +- use bytes package +- removed dead code +- fixed comment +- cleaned comments, removed dead code ### Test - +- cleanup - fix [#205](https://github.com/ConsenSys/gnark-crypto/issues/205) - msm bench with different bases ([#206](https://github.com/ConsenSys/gnark-crypto/issues/206)) -- vectors generated using +- bn254 hash to g2 +- vectors generated using https://github.com/armfazh/h2c-go-ref +- complete tests for bn254g1, not cross verified +- empty msg, q, q0, q1 +- added BitLen test +- reduce load on CI - **all curves:** compress/decompress pairing result ### Pull Requests - +- Merge pull request [#237](https://github.com/ConsenSys/gnark-crypto/issues/237) from ConsenSys/develop - Merge pull request [#232](https://github.com/ConsenSys/gnark-crypto/issues/232) from ConsenSys/docs/comments - Merge pull request [#229](https://github.com/ConsenSys/gnark-crypto/issues/229) from ConsenSys/update_deps - Merge pull request [#227](https://github.com/ConsenSys/gnark-crypto/issues/227) from ConsenSys/fix/element_setstring @@ -57,7 +538,9 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field - Merge pull request [#223](https://github.com/ConsenSys/gnark-crypto/issues/223) from ConsenSys/doc/security-estimates-curves - Merge pull request [#216](https://github.com/ConsenSys/gnark-crypto/issues/216) from ConsenSys/feat/poly - Merge pull request [#217](https://github.com/ConsenSys/gnark-crypto/issues/217) from ConsenSys/string-utils +- Merge pull request [#215](https://github.com/ConsenSys/gnark-crypto/issues/215) from ConsenSys/develop - Merge pull request [#213](https://github.com/ConsenSys/gnark-crypto/issues/213) from ConsenSys/perf/glv +- Merge pull request [#211](https://github.com/ConsenSys/gnark-crypto/issues/211) from ConsenSys/develop - Merge pull request [#129](https://github.com/ConsenSys/gnark-crypto/issues/129) from ConsenSys/feat/GT-compression - Merge pull request [#209](https://github.com/ConsenSys/gnark-crypto/issues/209) from ConsenSys/codegen/svdw-not-e4 - Merge pull request [#203](https://github.com/ConsenSys/gnark-crypto/issues/203) from ConsenSys/tests/bn254-vectors @@ -68,25 +551,93 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field -## [v0.7.0] - 2022-03-24 - +## [v0.7.0] - 2022-03-25 ### Build -- go.mod: go version upgrade 1.16 --> go1.17 -- mark test as Parallel. Check testing.Short() in most tests +- reran go generate +- rebase on develop +- rebase on develop +- add bw6-633 and bw6-756 to kzg constructor +- run go generate +- rebase branch on develop +- add bls12-378 to kzg and hash +- templates for bw6-756 +- templates for bw6-756 +- add bls12-378 to kzg and hash + +### Ci +- update workflows +- update ci workflows +- update github action workflows +- named workflows +- develop shorter ci workflow, master longer +- remove circleCI +- updated circleci to latest golang img +- updated github workflow to go 1.18 + +### Docs +- prepare changelog.md for v0.7.0 +- updated hyperelliptic links for twisted ed Add and MixedAdd +- updated DOI ### Feat +- sweet parameters for BLS12-377 G1 SSWU +- add bw6-756 (2-chain w/ bls12-378 GT-strong) +- SSWU for BLS12-378 (GT-strong) +- sweet parameters for BLS12-377 G2 SSWU (23-isogeny) +- sweet parameters for BW6-761 G2 SSWU +- added element.Uint64() method +- sweet parameters for BW6-633 G2 SSWU +- SSWU for BW6-756 (outter to GT-strong) +- add BLS12-378, a GT-strong SNARK-friendly inner curve +- added ecc/twistededwards/ID +- sweet parameters for BW6-633 G1 SSWU +- removed dead code in fft +- sweet parameters for BW6-761 G1 SSWU +- add BLS12-378, a GT-strong SNARK-friendly inner curve +- sweet parameters for BLS24-315 G1 SSWU - add bw6-756 (2-chain w/ bls12-378 GT-strong) -- adds SSWU (hash to curve) -- adds element.Uint64() method +- **bls12-378:** add companion twisted edwards to GT-strong BLS12-378 +- **bls12-378:** add companion twisted edwards to GT-strong BLS12-378 +- **bw6-756:** add companion twisted Edwards +- **bw6-756:** add companion twisted Edwards ### Fix -- element.IsUint64 coherence with other methods, convert from montgomery beforehands -- fft: corrected FrMultiplicativeGen value +- IsUint64 coherence with other methods, convert from montgomery beforehands +- twisted curve formulae for GT-strong embedded curve (a != -1) +- templating twistededwards for BW6-756 after PR[#160](https://github.com/ConsenSys/gnark-crypto/issues/160) +- templating twistededwards for BLS12-378 after PR[#160](https://github.com/ConsenSys/gnark-crypto/issues/160) +- run go generate on new curves +- add bls12-378 to signature package after change +- sswu gopter generators repeatable rng +- increment maxSignatures +- rebase after change +- changing Z to be the qnr instead of isogeny degree seems to work +- increment maxSignatures +- FrMultiplicativeGen overwritten +- **bls12-378:** set root of unity for FFT +- **bls12-378:** set root of unity for FFT +- **bw6-633:** typo FrMultiplicativeGen=13 +- **sswu:** specify CoordExtRoot for BLS12-377 ### Refactor -- twistededwards: curve generation (including bandersnatch) generated from the same template - move signature/ constructors to signature/eddsa - eddsa generated for all twisted ed curve, including bandersnatch +- twistededwards.go -> curve.go +- bandersnatch generated with endo +- generating bandersnatch without endo with same templates +- make twistededwards all template generated +- **sswu template:** NotOne is not always used +- **sswu template:** NotOne is not always used + +### Style +- correct comment in config file +- cleaned comments related to cosets + +### Test +- add few edge cases to test twistededwards + +### Tests +- mark test as Parallel. Check testing.Short() in most tests ### Pull Requests - Merge pull request [#171](https://github.com/ConsenSys/gnark-crypto/issues/171) from ConsenSys/test/twistedEdwards @@ -101,19 +652,129 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field - Merge pull request [#154](https://github.com/ConsenSys/gnark-crypto/issues/154) from ConsenSys/fix/fft-mulGen - Merge pull request [#153](https://github.com/ConsenSys/gnark-crypto/issues/153) from zhiqiangxu/opt_NewDomain - + ## [v0.6.1] - 2022-02-15 +### Build +- **templates:** fix G2 point template -### Feat +### Chore +- genericize c-time sswu +- removed the last sswu if +- remove second if, auto-gen removal of first if +- clean up mess regarding inv(0) conflict +- removed redundant function SetHex +- addressed all "small" feedback points +- remove unnecessary benchmarks, remove og equals, rename diff + +### Docs +- updated changelog.md for v0.6.1 +- updated bibtex citation key +- updated bibtex citation +- added DOI and bibtex citation in readme.md -- MiMC has no "seed" parameter and now uses Miyaguchi Preneel construction -- FFT cosets uses full two-adicity, Plookup, KZG and permutation modified accordingly +### Feat +- code gen +- adapted permutation argument to nrw kzg api +- check that the generator is of correct order +- kzg Verify function takes the opening point +- sqrtRatio for any field, needs tests +- precomputed values for q = 1 mod 8 +- bls12-381 g1 hash auto generated +- standardize sqrt +- move big int slicing to bavard +- generic isogeny map +- attempt to generate evaluate_poly +- bls12-381 HashToG1 works +- "generify" additional field operations +- BLS12-381 G1 isogeny (very inefficient) +- SqrtRatio. Non-qr case fails +- modified templates + fix plookup table +- adapted plookup using the new fft +- constant time Equal with tests and benchmarks +- mimc constants are exported +- deleted addchain +- modified fft templates +- generic coset on bn254, tests ok +- x64 assembly +- generic selection using bitwise operations - **twistededwards:** Extended coordinates (a=-1) (faster, not complete) + +### Fix +- code generation "oops" with `testPairElement` class name +- fixed fuzz fft +- restored addchain +- forgot to commit bls12377 modifs +- 1st if statement in sswu +- constant-time sqrtRatio +- some feedback addressed +- remove useless mulBy11 test, replace mulBy11 with mulByZ +- all sqrtRatio works +- sqrtRatio works for bls12-377 (p = 1 mod 8) +- some eval_poly debugging +- No isogeny func if no isogeny data +- Generic TestElement0Inverse error +- bls12-381 g1 encode to curve works +- first G1 isogeny test passes +- sqrtRatio for p = 3 mod 4 works +- extended coordinates complete but not unified +- fixed imports in code gen +- removed old addchain files +- fixed some ops in lookup vector +- fixed permutation proofs +- fixed fuzzer +- removed seed from Sum +- removed seed from mimc (fixes [#194](https://github.com/ConsenSys/gnark-crypto/issues/194)) +- clean, remove experimental second version of select +- delete autogen assembly +- delete unused assembly +- errors in reversion +- generate +- fixed review: m is modified locally and returned +- fixes [#126](https://github.com/ConsenSys/gnark-crypto/issues/126) the domain was not created correctly +- SetInterface returns error if input is nil +- fixed gosec +- mimc is compliant with ethereum +- twisted edwards templates +- **tEdwards:** cofactor ToMont() not FromMont() + +### Perf +- init constants in sync.Once in MiMC +- **bandersnatch:** extended coordinates - **bls24-315:** faster G2 membership test -### Pull Requests +### Refactor +- property based testing for SqrtRatio, move sgn0 to ecc package +- property based testing of IntToMont +- Move field related funcs to field.Field +- CurveInfo + +### Revert +- Inverse0 to have own PR +- no assemly + +### Style +- remove excessive logs +- rename `TempForHash` to `HashUtils` +- Cleanup and test vectors for for bls12-381 G1 +- cleanup +- Isogeny to be package-private +- removed addchain folders +- match function hierarchy: Select -> select_ -> _selectGeneric +- remove redundant check +### Test +- possible fix +- obnoxious verbosity +- include decimal in error msg +- for BigIntMatchUint64Slice with verbose error messages +- c1 value computed correctly. c2 is wrong +- extracting test data for iso-g1 from faz's implementation +- vectors form standard doc for existing ExpandMsgXmd implementation +- bench: add x=y cases +- match against generic implementation + +### Pull Requests - Merge pull request [#152](https://github.com/ConsenSys/gnark-crypto/issues/152) from ConsenSys/feat/clean_kzg - Merge pull request [#145](https://github.com/ConsenSys/gnark-crypto/issues/145) from ConsenSys/fix/fft_cosets - Merge pull request [#147](https://github.com/ConsenSys/gnark-crypto/issues/147) from ConsenSys/sswu-fp-generic-rebased @@ -125,36 +786,169 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field - Merge pull request [#110](https://github.com/ConsenSys/gnark-crypto/issues/110) from ConsenSys/feat/tEd-extended - Merge pull request [#123](https://github.com/ConsenSys/gnark-crypto/issues/123) from ConsenSys/perf/BLS24-G2-IsInSubGroup + +## [v0.6.0] - 2022-01-03 +### Build +- remove duplicate import in template +- add E8 and E24 types to bls24_315.go to export to gnark +- aiming for determinitic addchain generation on CI +- fix gosec unhandled errors +- tell CI to ignore non-deterministic addchain generated output +- gitignore generated addition chains +- run go mod tidy +- fix marshal template for bls24 + +### Chore +- generify 32bit fix +- staticcheck, correct commented formula for outer loop iterations +- Take out InverseOld +- generify semicompressed +- Not demanding 64bit arch. TODO: Test correctness on one +- mathfmt, change correctionFac from var to consts, cite Pornin +- Autogen all tests. TODO: bls12-377 fr loops +- signed/unsigned versions of SOS mont for comparison -## [v0.6.0] - 2021-12-22 +### Docs +- v0.6.0 draft release notes +- zkteam -> gnark +- update field IsUIint64 doc ### Feat - -- **plookup:** added plookup lookup proof -- **field:** generate optimized addition chains for Sqrt & Legendre exp functions -- **field:** added field.SetInt64, support for intX and uintX [#109](https://github.com/ConsenSys/gnark-crypto/issues/109) -- **field:** added UnmarshalJSON and MarshalJSON on fields -- **field:** added field.Text(base) to return field element string in a given base, like big.Int -- **field:** field.SetString now supports 0b 0o 0x prefixes (base 2, 8 and 16) +- addition of test with a tampered proof +- addition of permutation proof in lookup proof (table version) +- addition of proof of permutation +- added UnmarshalJSON and MarshalJSON on fields +- added field.Text(base) to return field element string in a given base, like big.Int +- field.SetString now supports 0b 0o 0x prefixes (base 2, 8 and 16) +- Autogen P20 +- ScalarMul-->mulWindowed, modified blinding of scalar in tests +- Three ways of dealing with signed numbers in montgomery reduction +- Signed mont-reduce +- code gen for integrating permutation proof +- Test for corrective factor consistency +- Naive GCD works +- addition of benchmark +- added field.SetInt64 +- added quick and dirty benchmarking script +- added support for intX and uintX fixes [#109](https://github.com/ConsenSys/gnark-crypto/issues/109) +- pre-compute addition chains for Sqrt and Legendre exp functions +- added addchain for all sqrt +- Naive GCD improved +- Full paper implemented, unknown bug +- Full paper implemented, tests passing +- **bls24:** experiment with Fp-Fp2-Fp4-Fp12-Fp24 tower - **kzg:** test tampered proofs whith quotient set to zero -- **bls24:** Fp-Fp2-Fp4-Fp12-Fp24 tower +- **plookup:** challenges are derived using Fiat Shamir +- **plookup:** addition of prover and verifier for tables +- **plookup:** proof generation +- **plookup:** addition of templates +- **plookup:** adding missing files in templates +- **plookup:** generated plookup for all curves +- **plookup:** addition of benchmark ### Fix - +- Optimization 3 works, but with many watches +- started adding the missing parts of the quotietn +- fixed bug for 64b +- 32bit compatible assertMatch for bn254/fp +- semi-compressed bn254/fp +- Update factor negation works +- fixed doc file +- number of iterations corrected. integration tests pass +- unbroke the tests +- ensure ecc.Info() is set +- fix neg template to actually use borrow value +- All bn254 tests pass but TestMonReduceNegFixed +- ecc.Info() returns lightweight field info, without calling the whole field generation including addchain generations - fixes [#104](https://github.com/ConsenSys/gnark-crypto/issues/104) code generation for saturated modulus like secp256k1 incorrect. added secp256k1 test +- fixed quotient computation +- fixed test generation +- fixed file generation +- removed error for invalid domain size in kzg +- Neg passes, lingering issues with test randomizer +- remove use of R15 for small moduli mul [#113](https://github.com/ConsenSys/gnark-crypto/issues/113) +- fixed doc generation +- template used file path for doc instead of file name +- fixed exp takes a value, not a pointer. also random field generation test don't generate addchains +- temporaries element in addition chain back to pointers, they will be on the stack anyway, simple template +- fixed exp template takes element name as parameter +- restored randomness generation via Fiat Shamir +- unused code (nSquare) +- computation of last piece of quotient ok +- Non-const t: Precomputation gives little speedup: 1511,1463,1551 +- Optimization 3 works, removed debugging code, down to 1879 ns/op +- init addchain cache only when needed +- full proof (without Fiat Shamir) passes +- **bls24:** fix Fp24 test +- **bn254:** correct Expt() addchain +- **plookup:** removed sortByT function, only sort.Sort() is called now +- **plookup:** computation of h0, hn ok +- **plookup:** fixed lookup vector: t must be ordered +- **plookup:** fixed wrong bound for completion of t and f +- **plookup:** computation of h is correct +- **plookup:** computation of Z ok ### Perf - -- field inverse is ~30-70% faster (implements Pornin's optimizations) +- Branch-free signed non-mont word multiplication +- Field element - Word multiplication implemented +- Replace mulWRegular with faster branched version +- partial rollback for bn254-fp +- Four update factor vars +- fewer helper variables +- Combined updates factor to be signed, next: fewer helper vars +- Field element - Word multiplication implemented +- signed sos ftw +- Batch each 2 u,v updates. Update factors correct result incorrect +- Inlined conversion factor manipulation +- Removed debug logic +- Linear comb w 1 MontRed instead of 2. Slow (debug logic inline) +- field inverse optimizations +- **Miller loops:** specialized mul by curve coeff - **bls12-381:** faster Miller loop (sparse-sparse mul) - **bls12-381:** faster final exp (faster expt) +- **bls24:** compute frobenius coefficients - **bn254:** better short addition chain for Expt() - **bn254:** addchain with max squares (weighting mul x2.6 cyclosq) +### Refactor +- SOS Montgomery Reduction +- **bn254:** G2 memebership test uses psi directly + +### Revert +- remove mathfmt (for now) + +### Style +- comments and proofs +- removed debug printing +- more expressive argument name for `approximate` +- comments +- all "//" to be followed with a space +- Compute number of iterations only in field.go only +- hardcoded values shall be consts +- broke inv +- comments +- minor changes +- Some commentary +- Hand-inlined rsh31, comments, single correction factor +- removed commented code used for debugging +- mathfmt +- code cleaning +- separated tables and vectors in two files, cleaned code +- Some more commentary +- **plookup:** changed naming for rows and columns +- **plookup:** removed all the printing -### Pull Requests +### Test +- BenchInverse to call InverseOld +- Autogen correction factor checking test +- Autogen Montgomery reduction tests +- added property test for addchain based fixed exp +- deterministic sqrt bench +- Consistency check on top +### Pull Requests +- Merge pull request [#121](https://github.com/ConsenSys/gnark-crypto/issues/121) from ConsenSys/perf/ML-doubling - Merge pull request [#111](https://github.com/ConsenSys/gnark-crypto/issues/111) from ConsenSys/field-intX-support - Merge pull request [#114](https://github.com/ConsenSys/gnark-crypto/issues/114) from ConsenSys/fix-dynamic-link - Merge pull request [#108](https://github.com/ConsenSys/gnark-crypto/issues/108) from ConsenSys/perf/bls12381-pairing @@ -166,50 +960,69 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field - Merge pull request [#99](https://github.com/ConsenSys/gnark-crypto/issues/99) from ConsenSys/feat-addchain-expt - - +## [v0.5.3] - 2021-11-03 +### Docs +- updated CHANGELOG.md for v0.5.3 -## [v0.5.3] - 2021-10-30 +### Feat +- subgroup check optional in decoder, parallel checks on slices +- added element.NewElement(v uint64) -### Feat, perf +### Fix +- **fp12:** compressed cyclotomic square (receiver == argument) -- all curves: subgroup check optional in decoder (default = true), and is done in parallel when unmarshalling slices of points [#96](https://github.com/ConsenSys/gnark-crypto/issues/96) -- **bn254:** faster G2 membership test [#95](https://github.com/ConsenSys/gnark-crypto/issues/95) -- added element.NewElement(v uint64) convenient API +### Perf +- **bn:** faster G2 membership test -### Fix +### Style +- cmp(zero) == -1 -> sign() == -1 -- **fp12:** compressed cyclotomic square (receiver == argument) +### Pull Requests +- Merge pull request [#96](https://github.com/ConsenSys/gnark-crypto/issues/96) from ConsenSys/perf-decode-raw-points +- Merge pull request [#95](https://github.com/ConsenSys/gnark-crypto/issues/95) from ConsenSys/perf/bn-g2-membership - ## [v0.5.2] - 2021-10-26 +### Build +- updated CHANGELOG.md for v0.5.2 +- updated code generation with Projective parameter in Point +- **templates:** homogenous projective coordinates for G1 (bw6) ### Feat - -- **bw6:** optimal Tate Miller loop with shared computations -- **bw6-761:** opt. ate with shared squares and shared doublings (alg.2) - add bandersnatch curve (twistedEdwards on bls12-381 with GLV) +- linked info returned by ecc.Info with internal curve config package +- added Bytes per field in ecc.info - added curveID.Info() which returns constants about a curve -- added element.Halve() +- moved element.Halve into templates +- **bw6:** optimal Tate Miller loop with shared computations +- **bw6-761:** opt. ate with shared squares and shared doublings (alg.2) ### Fix - +- halve with full-bits moduli - **all twistedEdwards:** fix Add() in projective coordinates (issue 89) +- **all twistedEdwards:** remove A as we assume A=-1 (issue 87) - **fiat-shamir:** added test to ensure len(challenge) > 0 ### Perf - +- Halve() directly on fp.Element +- **all curves:** Halve() directly on fp.Element - **bn:** multiply ML external lines 2 by 2 (+multi-ML bench) +- **wip:** Montgomery Rsh instead of mul by 1/2 ### Refactor - - **templates:** unify twistedEdwards package across curves -### Pull Requests +### Style +- correct comments +- factorize field info +- fiat-shamir clean up +- remove dead code (twoInv) +- **tEdwards:** keep jubjub package for backward-compatibility +- **tEdwards:** mulByA inside the package +### Pull Requests - Merge pull request [#93](https://github.com/ConsenSys/gnark-crypto/issues/93) from ConsenSys/bandersnatch - Merge pull request [#90](https://github.com/ConsenSys/gnark-crypto/issues/90) from ConsenSys/fix/tEdwards-addProj-issue89 - Merge pull request [#82](https://github.com/ConsenSys/gnark-crypto/issues/82) from ConsenSys/perf/bn254-ML @@ -217,19 +1030,24 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field - Merge pull request [#81](https://github.com/ConsenSys/gnark-crypto/issues/81) from ConsenSys/ML/DoubleStep-Halve - Merge pull request [#77](https://github.com/ConsenSys/gnark-crypto/issues/77) from ConsenSys/BW6 - + ## [v0.5.1] - 2021-09-21 +### Build +- remove unused code (nSquare Fp24) +- replace go get by go install in CI workflow +- make staticcheck happier +- updated circleCI golang image -### Pull Requests - -- Merge pull request [#76](https://github.com/ConsenSys/gnark-crypto/issues/76) from ConsenSys/msm-ones -- Merge pull request [#75](https://github.com/ConsenSys/gnark-crypto/issues/75) from ConsenSys/feat/karabina +### Docs +- updated CHANGELOG.md with v0.5.1 release +- highlight breaking change in twisted edwards and eddsa ### Feat - -- added element.IsUint64() +- reverted to non-asm field inverse - element.String() special path for uint64 and -uint64 values +- added x86 assembly impl for field.Inverse +- added element.IsUint64() - added element.Bit(..) to retrieve i-th bit in a field element - **Fp12:** implements the Karabina cyclotomic square in E12/E6 - **Fp24:** implements the Karabina cyclotomic square in E24/E8 @@ -238,51 +1056,175 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field - **e24:** implements batch decompression for karabina cyclo square - **experimental:** msm splits first chunk processing if scalar is on one word -### Perf +### Fix +- use low c bits only for small values in msm +### Perf - **bls12:** faster G2 membership (eprint 2021/1130 sec.4) - **bls12-377:** use asm MubBy5 as MulByNonResidue - **bls24:** mix Karabina+GS+BatchInvert for faster FinalExp (Expt) - **bw6-633:** fast GT-subgroup check - +### Pull Requests +- Merge pull request [#76](https://github.com/ConsenSys/gnark-crypto/issues/76) from ConsenSys/msm-ones +- Merge pull request [#75](https://github.com/ConsenSys/gnark-crypto/issues/75) from ConsenSys/feat/karabina -## [v0.5.0] - 2021-08-20 -### Breaking changes + +## [v0.5.0] - 2021-08-23 +### Build +- added pairing test to bls24-315 generation +- added fft code gen for bls24-315 +- update github workflow with go 1.17 +- use 1.17rc2 golang while waiting for circleCI image +- fix gosec unhandled errors warnings +- ran go genearte for kzg on bw6-633 +- fix gofuzz target for kzg +- prepare changelog for v0.5.0 +- re-ran go genearte +- go mod tidy +- add bls24-315 to fiat-shamir and to readme +- added ecc code gen for bls24-315 +- replace fr.Bytes in mimc blocksize +- added eddsa code gen for bls24-315 +- added twisted edward codegen for bls24-315 +- added mimc to code gen path for bls24-315 +- added kzg code generation for bls24-315 +- re-ran go:generate +- make staticcheck happier +- **bw6-633:** remove twistededwards until script finds coeff + +### Clean +- **kzg:** NewSRS returns error if size < 2 + +### Cleanup +- kzg.Scheme fft.Domain moved into methods that needs it only + +### Doc +- fix eddsa Bytes doc to indicate returned bytes slice is in compressed form -- twisted Edwards BN-companion in reduced form (a=-1): this affect `eddsa`. `v0.4.0` and `v0.5.0` keys and signatures are not compatible. +### Docs +- fix go report card link +- updated readme with go1.17 +- update ecc.md +- add bls24/bw6 to the implemented curves func and doc +- update readme with bw6-633 +- cosmetics and minor fixes +- added EdDSA godoc example +- added missing original copyright in merkletree pacakage + package doc +- most package now have a package level doc +- added fft package level doc +- formated and expanded package godoc for field elements ### Feat - -- adds new curve bls24-315 -- adds new curve bw6-633 -- adds kzg polynomial commitment scheme -- adds fiat shamir -- Element.SetInterface returns an error instead of panicking if unsupported type -- MultiExp now takes a nbTasks parameter and splits until we have nbTasks <= nbChunks +- added Reference benchamrk for continuous benchmarking. fixes [#54](https://github.com/ConsenSys/gnark-crypto/issues/54) +- added curve level go-fuzz fuzz function +- added ecc.utils.NextPowerOfTwo used in fft and kzg +- kzg Commit takes an optional CPUSemaphore +- MultiExp now takes a ecc.MultiExpConfig to set the CPUSemaphore and scalars repr - MultiExp returns error if len(points) != len(scalars) +- package doc is not mixed with code generation but inside a dedicated template for better formating and maintenance +- added Bytes() method on Digest (polynomial commitment) +- added ecc.Implemented() that returns list of curve fully implemented +- added code gen for modified fft +- init bw6-633 curve +- added Marshal() in field elements. Simplified interfaces in polynomial/ +- addition of kzg for bn254 +- kzg NewSRS takes alpha as big.Int +- kzg.SRS is a separate struct +- affine add, remove digest methods +- kzg is now strongly typed with the curve +- removed mock commitment +- added Clone() method on Digests +- addition of kzg for all curves + tests OK +- save allocation when possible when adding 2 polynomials - ecc encoder now handles []Element so gnark don't have to - ecc encoders uses binary.Write and binary.Read to support basic types -- added ecc.Implemented() that returns list of curve fully implemented -- added Reference bencharks for continuous benchmarking. fixes [#54](https://github.com/ConsenSys/gnark-crypto/issues/54) -- added curve level go-fuzz fuzz functions +- addition of methods GetClaimedValue(s) on opening proofs +- Add,Sub,ScalarMul ops added to Digest +- add new curve bls24-315 +- code gen corresponding to previous commit +- added mul_by_13 asm impl in field arithmetic +- Element.SetInterface returns an error instead of panicking if unsupported type +- added Fuzz pairing billinearity +- added kzg Fuzz test +- added Fuzz for fft with cosets +- added Fuzz() for fft pacakge +- addition of method Marshal for Kzg proofs +- addition of BatchVerifyMultiPoints in kzg +- added element_fuzz.go with build tag gofuzz to expose non-asm (generic) impl for fuzz testing +- kzg scheme serialization (bn254) +- code gen for kzg scheme serialization + tests +- helper to build a new kzg scheme for testing purpose +- tests for mock commitment (if claimed values are correct, etc) +- addition of test for claimed values (polynomial commitments) +- added subgroup check for proof and digests in kzg +- fixes [#38](https://github.com/ConsenSys/gnark-crypto/issues/38) - **all curves:** faster GT memebership +- **bw6:** GT membership +- **bw6-633:** add bw6-633 to hash and fiat-shamir +- **bw6-633:** add twisted edwards companion to bw6-633 +- **bw6-633:** optimized frobenius +- **ecc:** multiexp takes nbTasks as parameter instead of semaphore +- **fft:** addition of param to set precomputations in domain struct +- **kzg:** test polynomials of different sizes +- **kzg:** added /kzg with NewSRS(curveID) API for serialization purposes +- **kzg:** kzg objects implement io.ReaderFrom and io.WriterTo +- **kzg:** hash function is passed as parameter +- **kzg:** added optional nbTasks to pass through multiExp api - **twisted Edwards:** tests use gopter, no more hardcoded values -- **bls12-377:** change G2 generator (+Fp QNR) to match other libs -- **bls12-377:** change G1 generator to match other libs -- **bw6:** Pairing according to ABLR 2013/722 with Fp6/Fp3 ### Fix - -- use crypto/rand instead of math/rand in ecc/../utils.go -- fixes [#51](https://github.com/ConsenSys/gnark-crypto/issues/51) +- CommitmentScheme interface matches kzg and mockCommitment +- fixed staticchek +- fixes [#37](https://github.com/ConsenSys/gnark-crypto/issues/37) +- fixed some errors handling in transcript.go +- fixed unhandled errors (G104) +- fixed conflicts +- handled error pointed by gosec (Fiat Shamir) +- h function is reset after deriving a challenge +- kzg.dividePolyByXminusA doesn't need the fft domain +- fixed fft cosets, tests OK + code gen +- kzg srs size in benchmarks +- restored kzg +- removed old version of polynomials using interface in bw6-633 +- fixed Domain serialization +- kzg return type more homogeneous +- mock Digest ScalarMul didn't modify the caller +- fft with coset is now thread safe. style adjustements in code - e2 x86 asm incorrect offset when x is 0 - fixes [#49](https://github.com/ConsenSys/gnark-crypto/issues/49) +- proper error handling for polynomial commitments + code gen +- remove Code generated comments in bls24/internal which is not generated +- fixes [#51](https://github.com/ConsenSys/gnark-crypto/issues/51) +- use crypto/rand instead of math/rand in ecc/../utils.go +- kzg serilization test comparing address instead of value +- **all curves:** IsInSubGroup shouldn't test E12 elements but GT +- **bls12-377:** fix coefficients for Shallue-van de Woestijne hash-to-G2 +- **bls24-315:** E2 Mul + no template +- **bw6:** use crypto/rand instead of math/rand +- **bw6:** add GenBigInt and rename utils_test.go to utils.go +- **bw6:** use crypto/rand instead of math/rand +- **bw6-633:** fft +- **bw6-633:** fix final exp +- **bw6-633:** correct coefficients in SWU hash-to-curve +- **bw6-633:** clear cofactor and subgroup membership for G1 and G2 +- **bw6-633:** GLV when fr.Limbs is odd +- **kzg:** alpha generation is up to the caller when calling NewScheme +- **kzg:** incorrect poly size in Open +- **msm:** seems doing the inner msm sequentially with little available cpus is bad idea +- **template:** IsInSubGroup shouldn't test E12 elements but GT +- **template:** include GLV case when fr.Limbs is odd +- **template:** code generation for bw6-633 eddsa +- **template:** fix MapToCurve test +- **template:** cyclotomic suqare test +- **template:** Expt test to include negative seed +- **templates:** no psi for bw6 endomorphism test - **twisted Edwards:** fixed Neg(), and fixes [#57](https://github.com/ConsenSys/gnark-crypto/issues/57) ### Perf - +- minor perf improvments in bw6 tower +- minor serialization chaanges in kzg - **all curves:** twisted Edwards companions arithmetic with a=-1 - **bls12:** faster G2 clear cofactor - **bls12:** faster G2 subgroup checks --> psi^2=phi+1 @@ -295,89 +1237,424 @@ The scope of the audit covered `bn254` and `bls12-381` packages (including field - **bw6-633:** divide G1 cofactor formula by 4 - **bw6-633:** optimized hard part in final exp - **fft:** introduced flatten kernel for n==8 and asm impl for butterfly to minimze memory writes +- **kzg:** use syntetic division to divide by x-a +- **kzg:** dividePolyByXminusA parallelism +- **kzg:** dividePolyByXminusA uses precomputed domain twiddle +- **kzg:** merge both loop in divideXpoly into 1 +- **kzg:** Open will split the msm in 2 if numCpus > 16 +- **kzg:** perform polynomial evaluations in parallel inside batchOpen +- **kzg:** reuse memory for batchopen poly division +- **kzg:** added batch inversion in dividePolyByXminusA +- **kzg:** parallelize s = 1 / (x-a) +- **kzg:** remove useless fft in dividebyxminusa +- **kzg:** simplified dividePolyByXminusA, no need to shift ### Refactor - +- removed deprecated MulAssign, AddAssign and SubAssign apis +- moved crypto/* under / - ported accumulator/ and polynomial/ from gnark - moved fr/polynomial/kzg to fr/kzg -- removed deprecated MulAssign, AddAssign and SubAssign apis +- ported mock commitment scheme from gnark +- moved duplicated ecc/xxx/CPUSemaphore to ecc/ +- remove dead code in pairing +- BatchJacobianToAffineG1Affine -> BatchJacobianToAffineG1 - removed hash functions recorded in transcript.go -- moved crypto/* under / +- ./crypto/fiat-shamir --> ./fiat-shamir/ +- **bls12-377:** change G1 generator to match other libs +- **bls12-377:** change G2 generator (+Fp QNR) to match other libs +- **bls12-377:** remove unused sync.Pool in pairing +- **bw6:** Pairing according to ABLR 2013/722 with Fp6/Fp3 - **kzg:** Proof -> OpeningProof. BatchProofsSinglePoint -> BatchOpeningProof - **kzg:** removed Scheme, package level methods with SRS and domain as parameter -### Test +### Style +- replaced conditionals with template variable to return fuzzed element +- gopter generators are code generated and return values. siimplifies non-sense in templates +- cleaner error message in Element.SetInterface +- cosmetics +- code cleaning in kzg +- go fmt +- code cleaning in polynomial and kzgé +- clean comments +- ComputeChallenge error re-indent +- **fft:** use close(chan) +- **kzg:** cosmetics +- **kzg:** cosmetics -- added mulGeneric vs mul assembly on E2 +### Test +- added mulGeneric vs mul assembly on E2 in bn254 and bls12-381 +- bls24-315 added mulGeneric vs mulAsm E2 test +- **all curves:** test endomorphisms phi and psi - **curves:** use IsInSubGroup instead IsOnCurve MapToCurveG1Svdw test -- added e2.Neg test in code generation +- **template:** include bw6 in pairing_test.go - +### Tests +- added e2.Neg test in code generation -## [v0.4.0] - 2021-03-31 +### Pull Requests +- Merge pull request [#70](https://github.com/ConsenSys/gnark-crypto/issues/70) from ConsenSys/develop +- Merge pull request [#68](https://github.com/ConsenSys/gnark-crypto/issues/68) from ConsenSys/fft-cleanup +- Merge pull request [#64](https://github.com/ConsenSys/gnark-crypto/issues/64) from ConsenSys/feat/bw6-633 +- Merge pull request [#65](https://github.com/ConsenSys/gnark-crypto/issues/65) from ConsenSys/feat/kzgserialization +- Merge pull request [#63](https://github.com/ConsenSys/gnark-crypto/issues/63) from ConsenSys/feat/kzg_update +- Merge pull request [#61](https://github.com/ConsenSys/gnark-crypto/issues/61) from ConsenSys/feat/bls24-315 +- Merge pull request [#59](https://github.com/ConsenSys/gnark-crypto/issues/59) from ConsenSys/ci/fuzzandbench +- Merge pull request [#58](https://github.com/ConsenSys/gnark-crypto/issues/58) from ConsenSys/refactor/bw6-761-pairing +- Merge pull request [#55](https://github.com/ConsenSys/gnark-crypto/issues/55) from ConsenSys/feat/GT-membership +- Merge pull request [#48](https://github.com/ConsenSys/gnark-crypto/issues/48) from ConsenSys/feat/kzg +- Merge pull request [#50](https://github.com/ConsenSys/gnark-crypto/issues/50) from ConsenSys/fix/fft +- Merge pull request [#46](https://github.com/ConsenSys/gnark-crypto/issues/46) from ConsenSys/fix/domain_precompute +- Merge pull request [#45](https://github.com/ConsenSys/gnark-crypto/issues/45) from ConsenSys/hotfix/issue_36 +- Merge pull request [#44](https://github.com/ConsenSys/gnark-crypto/issues/44) from ConsenSys/feat/mul_by_13 +- Merge pull request [#42](https://github.com/ConsenSys/gnark-crypto/issues/42) from ConsenSys/feat/fiat_shamir +- Merge pull request [#41](https://github.com/ConsenSys/gnark-crypto/issues/41) from ConsenSys/docs/godoc -### Refactor -- gurvy -> gnark-crypto -- moved interop tests under github.com/consensys/gnark-tests -- bls381 -> bls12-381 -- bls377 -> bls12-377 -- bn256 -> bn254 -- migrated MiMC and EdDSA from gnark into gnark-crypto -- migrated gnark/backend/fft into gnark-crypto -- migrated goff packages into ./field/... -- cleaning internal/generator pattern + +## [v0.4.0] - 2021-03-31 +### Build +- updated go.mod +- updated CI and go.mod files +- updated to latest goff +- updated goff to fix incorrect min stack size +- fix slack notification +- added .gitlint file +- run on develop and master only +- test on more archs and targets +- faster path for testing.Short. remove some dead code +- make staticcheck happy, remove dead code +- added github action workflow, wip ### Ci - -- testing with go 1.15, go 1.16 on Windows, MacOS, Linux (+arch=32bits) +- install asmfmt before test step, now that goff field generation tests are included +- move dep install up +- ignore G204 rule in gosec (process lauched with var) +- testing pr on develop with go 1.15 and go 1.16 ### Docs - -- added ecc/ecc.md and field/field.md +- added changelog for v0.4.0 +- add ecc/ecc.md and field/field.md +- updated README.md +- updated package doc ### Feat - -- multiExp in full extended jacobian coordinates +- msm in full extJac +- use add extJac to sum buckets +- e2 bls381 asm mul clean +- e2 asm bls381 square clean +- bls381 e2 asm mul by non residue clean up +- first step in clobbered bp refactor. e2 asm: bn256 stable, bls381 wip +- use add extJac to sum buckets ### Fix - - handle case where numCPU < 4 in precomputeExpTable - incorrect comment and size returned in twistededwards SetBytes fixes [#34](https://github.com/ConsenSys/gnark-crypto/issues/34) +- add/dbl exJac +- add/dbl exJac - point.SetBytes can now be called concurently with same byte slice input - +### Perf +- delay coordinates conversion +- delay coordinates conversion -## [v0.3.8] - 2021-02-01 +### Refactor +- moved interop tests under github.com/consensys/gnark-tests +- cosmetics +- gurvy -> gnark-crypto +- bls381 -> bls12-381, bls377 -> bls12-377 +- curve -> ecc +- moved utils/ into curve/ +- e2_bn256 --> e2_bn254 +- moved gurvy.go into curve/curve.go +- renamed BN256 to BN254 +- moved curves under curve/ +- migrated gnark/polynomial under fr/ +- ported mimc and eddsa from gnark +- factorized parallelize function and moved asm/amd64 into tower package +- cleaning internal/generator pattern +- checkpoint +- migrated gnark/backend/fft into fft/ +- migrated goff packages into /field/... +- moved curves into /curve/... + +### Style +- consistent copyright holder and year +- remove some empty lines +- rename point bench functions +- refactor reduceAfterSub... to modReduce... +- rename point bench functions + +### Pull Requests +- Merge pull request [#35](https://github.com/ConsenSys/gnark-crypto/issues/35) from ConsenSys/refactor/monorepo +- Merge pull request [#33](https://github.com/ConsenSys/gnark-crypto/issues/33) from ConsenSys/msm/full-extJac +- Merge pull request [#32](https://github.com/ConsenSys/gnark-crypto/issues/32) from ConsenSys/fix/clobbered_bp -### Bls377 + +## [v0.3.8] - 2021-02-01 +### Bls377 - final exp hard part eprint 2020/875 - ML entirely on the twist (ABLR) +- ML entirely on the twist (ABLR) ### Bls381 - - final exp hard part eprint 2020/875 +- no precompute and go routines in pairing, wip +- ML entirely on the twist (ABLR) - ML entirely on the twist (ABLR) - change G1 and G2 generators for interop ### Bn256 - - inline lineEval() in MilleLoop - ML entirely on the twist (ABLR) - change G1 and G2 generators for interop ### Bw6 - -- add E6 and pairing tests +- add E6 tests - correct comments in FinalExp +- add pairing tests +- go fmt - fix bw6 pairing API to take slices of points and mutualize squares +- go fmt +- fix bw6 pairing API to take slices of points and mutualize squares + +### Bw761 - change G1 and G2 generators for interop +- PairingCheck API + ML bench +- PairingCheck API + ML bench -### Pull Requests +### Curves +- get rid of goroutines in ML +- g1/g2 template add proj to jac conversion +- get rid of goroutines in ML +- g1/g2 template add proj to jac conversion + +### Fp12 +- improved cyclotomicSquare +### Fp6 +- cyclotomic square in Expt() + +### TwistedEdwards +- addition of Marshal/Unmarshal+tests, addition of templates, modified GetEdwardsCurve to not expose order (in big.Int) + +### Pull Requests - Merge pull request [#29](https://github.com/ConsenSys/gnark-crypto/issues/29) from ConsenSys/youssef/bls12-finalExp - Merge pull request [#27](https://github.com/ConsenSys/gnark-crypto/issues/27) from ConsenSys/experimental/pairing - Merge pull request [#26](https://github.com/ConsenSys/gnark-crypto/issues/26) from ConsenSys/youssef/ML-ABLR - Merge pull request [#25](https://github.com/ConsenSys/gnark-crypto/issues/25) from ConsenSys/csquare -- Merge pull request [#23](https://github.com/ConsenSys/gnark-crypto/issues/23) from ConsenSys/youssef/bw6-API-pairing \ No newline at end of file +- Merge pull request [#23](https://github.com/ConsenSys/gnark-crypto/issues/23) from ConsenSys/youssef/bw6-API-pairing + + + +## [v0.3.7] - 2021-01-04 + + +## [v0.3.6] - 2020-12-22 +### Bls377 +- multiple MillerLoops + +### Bls381 +- PairingCheck func for eth precompile +- 1 MillerLoop func + error handling +- fix MillerLoop (negative seed -> conjugate) +- optimize the final exp hard part (alg2) +- added e2.Mul x86 asm impl. sort of. +- e2 --> added x86 asm impl for squaring +- reverted result.Conjugate in pairing to previous (correct) version +- fix build on non amd64 +- fix pairing interop test +- added asm impl for MulByNonResidue +- minor adjustements, wip +- minor adjustements, wip +- added bench in interop +- added failing interop test +- added scalar mul interop tests +- more interop test on GT serialization + +### Bls831 +- multiple MillerLoops error handling + +### Bn256 +- multiple miller loops + +### Bw761 +- added e6 Bytes() and SetBytes() + +### Circleci +- ignoring .s files when checking generate output + +### Feat +- **bls381:** generalize tripleML to xML +- **bls381:** factorize sq in 3 ML products + +### Fix +- substitute == by Equal in e12 +- substitute == by Equal in e12 + +### Marshal +- len slice of points encoded on uint32 instead of uint64. +- remove unecessary buffer allocatiosn in loop, added benchmark for e2.Sqrt +- added BytesRead and BytesWritten to Decoder and Encoder objects + +### MultiExp +- the function must be called from an affine point and return an affine poitn + +### Template +- pairing test + +### Templates +- Set func in g1/2 +- fix PairingCheck test +- pairing tests +- correct EFD URL in comments (g*p -> g1p) + +### Unmarshal +- now perfoms subgroup check when deserializing points + +### Wip +- added Bytes() and SetBytes() method on point with binary encoding and optional point compression + +### Pull Requests +- Merge pull request [#21](https://github.com/ConsenSys/gnark-crypto/issues/21) from ConsenSys/youssef/MillerLoops +- Merge pull request [#19](https://github.com/ConsenSys/gnark-crypto/issues/19) from ConsenSys/cleanup + + + +## [v0.3.5] - 2020-10-19 +### Bls377 +- re-exposing GT.MulByXXX methods needed by gnark standard library + + + +## [v0.3.4] - 2020-10-19 +### Curves +- curve coeff b is package private + +### Multiexp +- renamed MultiExpOpt to CPUSemaphore, and remove data race on the window size attribute. Made staticcheck and linter happy. + + + +## [v0.3.3] - 2020-09-23 + + +## [v0.3.0] - 2020-09-22 + + +## [v0.3.0-alpha] - 2020-09-15 +### BatchJacobianToAffine +- don't allocate new slice to store product, use affine storage space instead + +### Bn256 +- added test to ensure e2 mul and square assembly impl matches generic ones +- enabled inlined call to wrappers E2.Mul and E2.Square making G2 point addition 10% faster + +### Circleci +- test only main point ops on 32 bit path +- added -short option to tests to skip long or memory greedy tests + +### Curve +- added BatchJacobianToAffine using montgomery batch inversion for G1 elements. Skipping G2 on this one + +### Curves +- Generators() now return generators of the r-torsion group in Jacobian coordinates +- added Generators() getter on all curves. Added BatchScalarMultiplication method with test +- cleanup unused parameters for old scalar multiplication + +### MultiExpOptions +- takes a semaphore (channel) of cpu instead of number of cpus +- fix previous commit. + +### Multiexp +- PartitionScalars is now private. CPU semaphore has a lock that's release when all go routines are scheduled in the multiexp +- PartitionScalars now takes MultiExpOptions as optional argument too +- now optionally takes choice of c, max cpus to use, and indicates if scalars are already preprocessed +- code clean up. BatchScalarMultiplication now select window size depending on input length +- renamed ScalarsToDigit to PartitionScalars +- refactored ScalarsToDigit method so that duplicated code in multiExpcXX methods is largely reduced to allocating buckets on the stack +- remove c=20 as it timeouts test on circle ci for now +- api is now sync, like the rest of gx.go apis. +- less samples in generated tests, bw761 generates less multiExp variant of c +- added comments in code. still a lot (too much) template generated and duplicated code +- taking into account available CPUs. slightly better extended addition formula. moved multi exp tests into their own function +- wip, reverting to c divides 64 +- wip, added preprocessing of scalars to compute digits in the bucket method +- remove test of c18 that seems to timeout +- cosmetics and documentation +- clean up bucket method, with 30percent gain on bn256 G1. WIP + +### Pairing +- sender closes channel, not receiver + +### Points +- made p.Neg() inlinable + +### ScalarsToDigits +- reused method in BatchScalarMultiplication + +### UnsafeFromJacExtended +- cosmetic, doc update + + + +## [v0.2.0] - 2020-08-04 +### Bls381 +- removed multi exp garbage, cleaned the tests using gopter +- tests for the pairing use gopter, fixed String() on g1, g2 (thanks the templates again), implemented simple double and add for g1 and g2 using big.Int +- got rid of the curve structure + +### Circleci +- ensures that generated files are not hand modified +- ensures that generated files are not hand modified. +- new workflow with more insight on unit tests + +### Develop +- skip Expt tests for now because the testpoint is not in the cyclotomic subgroup +- merge refactor-api; resolve merge conflicts, TestE12Expt failing for some reason + +### WIP +- optimized Miller loop + +### Pull Requests +- Merge pull request [#11](https://github.com/ConsenSys/gnark-crypto/issues/11) from ConsenSys/refactor-cyclotomicsquare +- Merge pull request [#10](https://github.com/ConsenSys/gnark-crypto/issues/10) from ConsenSys/refactor-constants +- Merge pull request [#5](https://github.com/ConsenSys/gnark-crypto/issues/5) from ConsenSys/experimental-pairing-gen +- Merge pull request [#4](https://github.com/ConsenSys/gnark-crypto/issues/4) from ConsenSys/endomul-remove + + + +## [v0.1.1] - 2020-04-08 + + +## [v0.1.0] - 2020-04-07 +### Pull Requests +- Merge pull request [#2](https://github.com/ConsenSys/gnark-crypto/issues/2) from ConsenSys/develop + + + +## v0.0.1 - 2020-03-23 + +[v0.9.2]: https://github.com/ConsenSys/gnark-crypto/compare/v0.9.1...v0.9.2 +[v0.9.1]: https://github.com/ConsenSys/gnark-crypto/compare/v0.9.0...v0.9.1 +[v0.9.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.8.0...v0.9.0 +[v0.8.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.7.0...v0.8.0 +[v0.7.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.6.1...v0.7.0 +[v0.6.1]: https://github.com/ConsenSys/gnark-crypto/compare/v0.6.0...v0.6.1 +[v0.6.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.5.3...v0.6.0 +[v0.5.3]: https://github.com/ConsenSys/gnark-crypto/compare/v0.5.2...v0.5.3 +[v0.5.2]: https://github.com/ConsenSys/gnark-crypto/compare/v0.5.1...v0.5.2 +[v0.5.1]: https://github.com/ConsenSys/gnark-crypto/compare/v0.5.0...v0.5.1 +[v0.5.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.4.0...v0.5.0 +[v0.4.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.8...v0.4.0 +[v0.3.8]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.7...v0.3.8 +[v0.3.7]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.6...v0.3.7 +[v0.3.6]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.5...v0.3.6 +[v0.3.5]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.4...v0.3.5 +[v0.3.4]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.3...v0.3.4 +[v0.3.3]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.0...v0.3.3 +[v0.3.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.3.0-alpha...v0.3.0 +[v0.3.0-alpha]: https://github.com/ConsenSys/gnark-crypto/compare/v0.2.0...v0.3.0-alpha +[v0.2.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.1.1...v0.2.0 +[v0.1.1]: https://github.com/ConsenSys/gnark-crypto/compare/v0.1.0...v0.1.1 +[v0.1.0]: https://github.com/ConsenSys/gnark-crypto/compare/v0.0.1...v0.1.0