Try   HackMD

Benchmarking pairing-friendly elliptic curves libraries

last benchmark update: 29/01/21

There are several pairing-friendly elliptic curves libraries used in zero-knowledge proofs (ZKP) projects. Typically, the most important elliptic curve operations in ZKP schemes are "multi scalar multiplication" (MSM) and "pairing product" (PP). This writeup is a try to benchmark and compare the building blocks of these operations in two different architechtures.
In fact, since MSM and PP are size-dependant, we focus on timings of mixed addition in G1/G2, doubling in G1/G2, Miller loop and Final exponentiation.

The libraries are written in different languages with different software and mathematical optimizations, and with more or less assembly code.

The target curves are: BN254, BLS12-381, BLS12-377 and BW6-761.

The chosen libraries are:

library benchmarked curves original authors programming language license zkp/blockahin project
gnark-crypto BN254, BLS12-381, BLS12-377, BW6-761 Consensys Go Apache-2.0 gnark
kilic/<curve> BN254, BLS12-381, BLS12-377, BW6-761 Onur Kilic Go Apache-2.0 Geth (BLS12-381)
geth/crypto/<curve> BN254, BLS12-381 go-ethereum Go LGPL-3.0 Geth
arkworks-rs/curves
(fromerly zexe)		 BN254, BLS12-381, BLS12-377, BW6-761 arkworks-rs Rust* MIT/Apache-2.0 Celo, Aleo (BLS12-377, BW6-761)
celo-org/zexe
(based on arkworks)		 BW6-761 celo-org Rust** MIT/Apache-2.0 Celo (BW6-761)
zkcrypto/bls12_381 BLS12-381 zkcrypto Rust MIT/Apache-2.0 zcash, Dusk
mcl BN254, BLS12-381 MITSUNARI Shigeo C++ modified BSD-3-Clause loopring (BN254), DFINITY (BLS12-381)
blst BLS12-381 Supranational C Apache-2.0 filecoin
relic BLS12-381 Diego F. Aranha C Apache-2.0/LGPL-2.1 Chia
libff
(develop branch)		 BN254, BLS12-381 SCIPR Lab C++ MIT libsnark
zk-swap-libff
(based on libff)		 BLS12-377, BW6-761 EYBlockchain C++ MIT zk-swap-libsnark
constantine BN254, BLS12-381, BLS12-377 Mamy Ratsimbazafy Nim MIT/Apache-2.0

* assembly is disabled by default in arkworks-rs. To enable asm in benchmarks, e.g.: RUSTFLAGS="-C target -feature=+bmi2,+adx" cargo +nightly bench bls12_381::full_pairing --features asm.

** assembly is disabled by default in celo-org/zexe. To enable asm in benchmark on BW6-761curve: RUSTFLAGS="-C target-feature=+bmi2,+adx" cargo +nightly bench pairing --features "force_bw6_asm bw6_761"

BN254

benchmark on AWS z1d.3xlarge (3.4 GHz Intel Xeon)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
mcl (BN_SNARK1) C++ 0.4765 0.2137 0.2628
gnark-crypto(bn254) Go 0.4890 0.2321 0.2569
constantine (BN254_Snarks) Nim 0.6471 0.2934 0.3424
kilic/bn254 Go 0.8454 0.3990 0.4464
arkworks(+asm) (bn254) Rust 1.0655 0.4597 0.6058
arkworks(bn254) Rust 1.1915 0.5265 0.6649
geth/cloudflare(bn256) Go 1.3013 0.4874 0.8139
libff(alt_bn128) C++ 2.1000 0.6500 1.4500
geth/google(bn256) Go 11.4304 4.1681 7.2622

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

(geth/google is discarded in this figure as it is too slow)

G1 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
mcl (BN_SNARK1) C++ 216 158
gnark-crypto(bn254) Go 231 143
constantine (BN254_Snarks) Nim 237 151
arkworks(bn254) Rust 315 228
kilic/bn254 Go 413 205
geth/cloudflare(bn256) Go 472 253
libff(alt_bn128) C++ 4236 2800
geth/google(bn256) Go 8196 4102
arkworks(+asm) (bn254) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

(geth/google and libff are discarded in this figure as they are too slow)

G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
mcl (BN_SNARK1) C++ 594 374
gnark-crypto(bn254) Go 605 362
constantine (BN254_Snarks) Nim 1035 481
arkworks(bn254) Rust 1192 732
kilic/bn254 Go 1378 593
geth/cloudflare(bn256) Go 1738 732
libff(alt_bn128) C++ 6508 4533
geth/google(bn256) Go 19549 9370
arkworks(+asm) (bn254) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

(geth/google and libff are discarded in this figure as they are too slow)

benchmark on AWS c5a.2xlarge (2.7 GHz AMD EPYC 7R32)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
gnark-crypto (bn254) Go 0.5889 0.2795 0.3094
mcl(BN_SNARK1) C++ 0.6085 0.3375 0.2710
constantine (BN254_Snarks) Nim 0.9029 0.4100 0.4772
kilic/bn254 Go 1.0362 0.5063 0.5299
arkworks(+asm) (bn254) Rust 1.3271 0.5583 0.7688
arkworks(bn254) Rust 1.3834 0.6201 0.7633
geth/cloudflare(bn256) Go 1.4720 0.5569 0.9150
libff(alt_bn128) C++ 2.800 1.300 1.500
geth/google(bn256) Go 13.3843 4.7476 8.63662

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

(geth/google is discarded in this figure as it is too slow)

G1 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
mcl (BN_SNARK1) C++ 264 209
gnark-crypto(bn254) Go 294 173
constantine (BN254_Snarks) Nim 349 224
arkworks(bn254) Rust 380 297
kilic/bn254 Go 495 258
geth/cloudflare(bn256) Go 514 290
arkworks(+asm) (bn254) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

(geth/google and libff are discarded in this figure as they are too slow)

G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto(bn254) Go 696 425
mcl (BN_SNARK1) C++ 735 461
arkworks(bn254) Rust 1259 820
constantine (BN254_Snarks) Nim 1454 691
kilic/bn254 Go 1736 781
geth/cloudflare(bn256) Go 1912 841
arkworks(+asm) (bn254) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

(geth/google and libff are discarded in this figure as they are too slow)

BLS12-381

benchmark on AWS z1d.3xlarge (3.4 GHz Intel Xeon)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
blst (BLS12-381) C 0.6116 0.2642 0.3474
mcl (BLS12-381) C++ 0.6794 0.2864 0.3930
gnark-crypto(bls12-381) Go 0.7078 0.3320 0.3758
kilic/bls12-381 Go 0.8594 0.3690 0.4903
constantine (BLS12_381) Nim 0.9062 0.3561 0.5210
relic (gmp-pbc-bls381 preset) C 1.3149 0.5780 0.7369
arkworks(+asm) (bls12_381) Rust 1.3271 0.5583 0.7688
geth/bls12381(bls12381, based on kilic) Go 1.3494 1.5528 0.7965
zkcrypto/bls12_381 Rust 1.5886 0.4971 1.0914
arkworks(bls12_381) Rust 1.6218 0.6931 0.9287
libff(bls12_381) C++ 3.9000 1.5000 2.4000

G1 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto(bls12-381) Go 387 245
constantine (BLS12_381) Nim 416 269
mcl (BLS12-381) C++ 421 309
blst (BLS12-381) C 474 287
kilic/bls12-381 Go 558 282
arkworks(bls12_381) Rust 672 414
zkcrypto/bls12_381 Rust 787 565
geth/bls12381(bls12381, based on kilic) Go 789 383
relic (gmp-pbc-bls381 preset) C 938 674
libff(bls12_381) C++ 4183 3001
arkworks(+asm) (bls12_381) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.


(libff is discarded in this figure as it is too slow)

G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto(bls12-381) Go 1123 681
mcl (BLS12-381) C++ 1164 728
blst (BLS12-381) C 1293 674
constantine (BLS12_381) Nim 1535 781
kilic/bls12-381 Go 1846 791
relic (gmp-pbc-bls381 preset) C 2126 1465
arkworks(bls12_381) Rust 2143 1302
geth/bls12381(bls12381, based on kilic) Go 2537 1052
zkcrypto/bls12_381 Rust 3071 2022
libff(bls12_381) C++ 7728 5361
arkworks(+asm) (bls12_381) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.


(libff is discarded in this figure as it is too slow)

benchmark on AWS c5a.2xlarge (2.7 GHz AMD EPYC 7R32)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
blst (BLS12-381) C 0.7474 0.3230 0.4253
mcl (BLS12-381) C++ 0.8437 0.3508 0.4929
gnark-crypto(bls12-381) Go 0.8742 0.4188 0.4554
kilic/bls12-381 Go 1.0757 0.4568 0.6189
constantine (BLS12_381) Nim 1.3542 0.5425 0.7657
relic (gmp-pbc-bls381 preset) C 1.5581 0.8760 0.6821
arkworks(+asm) (bls12_381) Rust 1.5815 0.6459 0.9356
geth/bls12381(bls12381, based on kilic) Go 1.6970 0.7044 0.9926
arkworks(bls12_381) Rust 1.8994 0.8014 1.0980
zkcrypto/bls12_381 Rust 1.9324 0.7978 1.1346
libff(bls12_381) C++ 4.6000 1.7000 2.9000

G1 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto(bls12-381) Go 511 302
mcl (BLS12-381) C++ 544 401
blst (BLS12-381) C 623 345
kilic/bls12-381 Go 683 348
constantine (BLS12_381) Nim 692 438
arkworks(bls12_381) Rust 750 547
zkcrypto/bls12_381 Rust 933 691
geth/bls12381(bls12381, based on kilic) Go 973 463
relic (gmp-pbc-bls381 preset) C 1099 803
arkworks(+asm) (bls12_381) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.


(libff is discarded in this figure as it is too slow)

G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto(bls12-381) Go 1410 847
mcl (BLS12-381) C++ 1489 904
blst (BLS12-381) C 1621 816
kilic/bls12-381 Go 2305 1003
arkworks(bls12_381) Rust 2412 1516
relic (gmp-pbc-bls381 preset) C 2515 1750
constantine (BLS12_381) Nim 2543 1261
geth/bls12381(bls12381, based on kilic) Go 2305 1003
zkcrypto/bls12_381 Rust 3543 2344
arkworks(+asm) (bls12_381) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.


(libff is discarded in this figure as it is too slow)

BLS12-377

benchmark on AWS z1d.3xlarge (3.4 GHz Intel Xeon)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
gnark-crypto (bls12-377) Go 0.9184 0.4080 0.5104
kilic/bls12-377 Go 0.9935 0.4220 0.5715
constantine(BLS12_377) Nim 1.1160 0.4430 0.6467
arkworks(+asm)(bls12_377) Rust 1.5775 0.6550 0.9225
arkworks(bls12_377) Rust 1.8769 1.3463 1.0855
EYBlockchain/libff(bls12_377) C++ 3.8000 1.4000 2.4000

G1 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto (bls12-377) Go 389 244
constantine(BLS12_377) Nim 396 269
kilic/bls12-377 Go 557 283
arkworks(bls12_377) Rust 767 410
EYBlockchain/libff(bls12_377) C++ 4136 3071
arkworks(+asm)(bls12_377) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.

G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto (bls12-377) Go 1424 883
constantine(BLS12_377) Nim 1877 1104
kilic/bls12-377 Go 2109 909
arkworks(bls12_377) Rust 2723 1635
EYBlockchain/libff(bls12_377) C++ 7674 5284
arkworks(+asm)(bls12_377) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.

benchmark on AWS c5a.2xlarge (2.7 GHz AMD EPYC 7R32)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
gnark-crypto (bls12-377) Go 1.1381 0.5104 0.6277
kilic/bls12-377 Go 1.2539 0.5245 0.7229
constantine(BLS12_377) Nim 1.6415 0.9398 0.65337
arkworks+asm(bls12_377) Rust 1.9030 0.7747 1.1283
arkworks(bls12_377) Rust 2.2305 0.9726 1.2579
EYBlockchain/libff(bls12_377) C++ 4.5000 1.6000 2.9000

G1 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto (bls12-377) Go 487 301
constantine(BLS12_377) Nim 664 436
kilic/bls12-377 Go 682 344
arkworks(bls12_377) Rust 761 546
arkworks(+asm)(bls12_377) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.


(libff is discarded in this figure as it is too slow)

G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto (bls12-377) Go 1770 1082
kilic/bls12-377 Go 2669 1164
constantine(BLS12_377) Nim 2843 1632
arkworks(bls12_377) Rust 3084 1908
arkworks(+asm)(bls12_377) Rust ^ ^
^ benchmarking arkworks group madd/double with assembly feature enabled seems to output wrong timings.


(libff is discarded in this figure as it is too slow)

BW6-761

benchmark on AWS z1d.3xlarge (3.4 GHz Intel Xeon)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
kilic/bw6 Go 2.8905 1.7953 1.0952
gnark-crypto (bw6-761) Go 3.0681 1.9453 1.1228
celo-org/zexe (bw6_761) Rust 3.6068 1.8210 1.7768
arkworks+asm (bw6_761) Rust 4.9032 2.5087 2.3946
arkworks (bw6_761) Rust 5.5040 2.8590 2.6450
EY/libff (bw6_761) C++ 6.3000 3.5000 2.8000

G1/G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
gnark-crypto (bw6-761) Go 1410 862
celo-org/zexe (bw6_761) Rust 1404 945
arkworks+asm (bw6_761) Rust 1883 1213
kilic/bw6 Go 2101 9941
arkworks (bw6_761) Rust 2193 1420
EY/libff (bw6_761) C++ 7413 4683

benchmark on AWS c5a.2xlarge (2.7 GHz AMD EPYC 7R32)

with hyperthreading, turbo and frequency scaling disabled.

Pairing

↓library language Full pairing (ms) Miller loop (ms) Final exponentiation (ms)
kilic/bw6 Go 3.4712 2.2101 1.2611
gnark-crypto (bw6-761) Go 3.5284 2.0552 1.4731
celo-org/zexe (bw6_761) Rust 4.4603 2.2589 2.2014
arkworks+asm (bw6_761) Rust 6.2773 3.2008 3.0765
arkworks (bw6_761) Rust 6.8567 3.5297 3.3270
EY/libff (bw6_761) C++ 7.6000 4.2000 3.4000

G1/G2 mixed addition/doubling

↓library language Mixed addition (ns) doubling (ns)
celo-org/zexe (bw6_761) Rust 1698 1156
gnark-crypto (bw6-761) Go 1881 1150
arkworks+asm (bw6_761) Rust 2363 1591
kilic/bw6 Go 2525 1197
arkworks (bw6_761) Rust 2666 1788


(libff is discarded in this figure as it is too slow)

Conclusion

The libraries are implemented in different languages and some use more assembly code than others. Besides the different algorithmic and software optimizations used across, it should be noted also that some libraries target constant-time implementation for some operations making it de facto slower. However, it can be clear that consensys/gnark-crypto is one of the fastest pairing-friendly elliptic curve libraries to be used in zkp projects with different curves.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Author: Youssef El Housni.

I'm part of a research team at ConsenSys. If you are interested in our work (fast finite field arithmetic, elliptic curve pairings, and zero-knowledge proofs), give us a shout.

Last changed by 
gnark
We’re a research team @Consensys / Linea. We work on zero knowledge proof systems.
1
12
11001

Read more

What changes for BW6-761?

Authors: Youssef El Housni (ConsenSys, GRACE) and Aurore Guillevic (Inria, Aarhus University) Last year in [HG20], we introduced the BW6-761 curve which is a pairing-friendly curve that forms a 2-chain with BLS12-377 (previously introduced in ZEXE). That is, BW6-761 has a subgroup order $r$ precisely equal to the characteristic $q$ of the base field on which BLS12-377 is defined. In a recent work [HG21], we generalised the curve construction, the pairing formulas ($e : \mathbb{G}_1 \times \mathbb{G}_2 &#x2192; \mathbb{G}_T$) and the group operations to any BW6 curve defined on top of any BLS12 curve, forming a family of 2-chain pairing-friendly curves. We also investigated other possible 2-chain families, and much more (read the paper!). Since BW6-761 is already implemented in few projects (gnark-crypto, arkworks, EY/libff, kilic/bw6 and constantine) and is used in production (Celo, Aleo), natural questions arise: What changes for BW6-761 after this work? Is the new formulas backward-compatible with the current implementations? If not, does it worth switching? The new general construction where BW6-761 would fall, is coherent with the groups operations and pairing formulae found previously in [HG20]. However, we found new pairing algorithms that are faster. In this note, we try to shed light on the differences and the backward compatibilty. Pairing computation Given $P \in \mathbb{G}_1$ and $Q \in \mathbb{G}_2$, a pairing computation for BW6 is

Oct 12, 2022
Yet another curve, but THE curve for your KZG!

With my co-authors Aurore Guillevic and Diego F. Aranha, we published on ePrint mid-May a survey of elliptic curves for proof systems (ePrint 2022/586). Recently, there have been many tailored constructions of these curves that aim at efficiently implementing different kinds of proof systems. In that survey we provide the reader with a comprehensive view on existing work and revisit the contributions in terms of efficiency and security. We present an overview at three stages of the process: curves to instantiate a SNARK, curves to instantiate a recursive SNARK, and curves to express an elliptic-curve related statement. In this post, we are only interested in the first case. For pairing-based SNARKs, such as the circuit-specific Groth16 [1], bilinear pairings ($e:\mathbb{G}_1\times \mathbb{G}_2 \rightarrow \mathbb{G}_T$) are needed for the proof verification. For universal SNARKs, such as PLONK [2] or Marlin [3], a polynomial commitment scheme is needed. An example of an efficient one is the Kate-Zaverucha-Goldberg (KZG) scheme [4]. The verifier needs to verify some polynomial openings using bilinear pairings. So far, for both circuit-specific and universal constructions, the verification algorithms boil down mainly to pairing computations. However, the prover work is not the same. For Groth16, it is mainly multi-scalar-multiplications (MSM) in both $\mathbb{G}_1$ and $\mathbb{G}_2$ while for KZG-based schemes it is mainly MSMs in $\mathbb{G}_1$ only. In section 4 of the survey paper, we look at a particular family of pairing-friendly elliptic curves suitable for KZG. We derive algorithm 6 to tailor this family to the SNARK context. Note that KZG is also useful for other compelling applications such as Verkle trees for blockchain stateless clients. Pairing-friendly curves

Jun 14, 2022
BW6 over BLS12-381

Authors: Youssef El Housni (ConsenSys, GRACE) and Aurore Guillevic (inria) Following the recent work on FFT over non-smooth fields (ECFFT), it might be viable to instantiate a SNARK with an elliptic curve of non-smooth subgroup order. Particularly, one layer SNARK composition can be achieved with less constraints for the choice of curves. In this note we propose a 2-chain based on the widely used BL12-381 curve. The outer curve is a BW6 with a subgroup order 2-adicity equal to one. ECFFT For smooth finite fields $\mathbb{F_q}$ (i.e., when $q&#x2212;1$ factors into small primes) the Fast Fourier Transform (FFT) leads to the fastest known algebraic algorithms for many basic polynomial operations, such as multiplication, division, interpolation and multi-point evaluation. However, the same operations over fields with no smooth order root of unity suffer from an asymptotic slowdown. [In a recent work by Ben-Sasson, Carmon, Kopparty and Levit, called ECFFT, the authors proposed a new approach to fast algorithms for polynomial operations over all large finite fields.] The key idea is to replace the group of roots of unity with a set of points $L \subset F$ suitably related to a well-chosen elliptic curve group (the set $L$ itself is not a group). The key advantage of this approach is that elliptic curve groups can be of any size in the Hasse-Weil interval $[q+1\pm2\sqrt{q}]$ and thus can have subgroups of large, smooth order, which an FFT-like divide and conquer algorithm can exploit. (From the paper&apos;s abstract) 2-chains

Jun 2, 2022
PLONK

In this note we describe PLONK, a recent zero-knowledge proof system. The goal is to walk through the scheme step by step and explain the cryptographic primitives at play. Arithmetization The arithmetization a program consists in expressing a program as a sequence of constraint which have a simple mathematic form. There are lots of ways to do this, but in this post we will look at a variation of Rank 1 Constraint System (R1CS). Namely, the $i-th$ constraint binds variables $(w_i)$ by relations of this form: \begin{align} (q_L)iw{i_a}+(q_R)iw{i_b}+(q_M)iw{i_a}w_{i_b}+d_i=(q_c)iw{i_c} \end{align}

Dec 18, 2020
Read more from gnark
Published on HackMD