State-of-the-art Elliptic Curve tooling and SNARKS verification for Cairo & Starknet πΊ.
Garaga enables efficient elliptic curve operations on Starknet. It achieves state of the art performance by
- using a dedicated builtin made by Starkware for emulated modular arithmetic
- using a suite of non-deterministic techniques for extension field multiplication, pairings, and multi scalar multiplication to reduce the number of steps to verify results.
Garaga currently supports:
- Scalar & Multi-scalar multiplication for any Weirstrass curve, including BN254, BLS12_381, SECP256/R1, and ED25519. You can add the one you need by specifying the curve parameters.
- Pairing operations for BN254 and BLS12_381.
- Groth16 smart contract verifiers generators for BN254 and BLS12_381.
- Noir smart contract verifiers generators for ultra keccak honk flavour.
Garaga consists of a Pythonic backend with Rust bindings and CairoZero / Cairo libraries.
- The Pythonic backend is here to define emulated modular arithmetic circuits that can be compiled to Cairo or Cairo1 code. It also handles witnesses generation for the non-deterministic computations, smart contract contract generation for a given proof system and elliptic curve, and calldata generation from a given proof.
- The CairoZero / Starknet interfaces are responsible for composing and calling the circuits, as well as adding all the extra logic needed to make the algorithms work (Fiat-Shamir heuristic, SNARKS verifiers algorithms, etc).
Currently, only Groth16 on BN254 and BLS12_381 is supported with automatic support for json files coming from SnarkJS and Gnark.
-
Create a new directory for you project, and bring the jsons files for verification key, proof file and public inputs inside it.
-
Install the garaga pip package with
pip install garaga. Python3.10 is mandatory and a virtual environment is recommended. Entergaragain your terminal to get started. -
Run the
garaga gencommand in your terminal to generate the code for the SNARK verifier given your verification key. -
Edit the generated smart contract to fit the needs of your dapp.
-
Create an environment file
.secretsfollowing the.secrets.templatefile in the root of this repository, containing the Starkner RPC url, your account address, and the private key. -
Run the
garaga declarecommand in your terminal to declare the smart contract on Starknet and obtain its class hash. Note that this is an expensive operation. -
Run the
garaga deploycommand in your terminal using the class hash obtained in the previous step to get the contract address. -
Run the
garaga verify-onchaincommand in your terminal using the contract address, the verification key, the proof and the public inputs to verify the proof against the SNARK verifier contract.
For more details, please refer to the documentation.
To get started with Garaga, you'll need to have some tools and dependencies installed. Here's everything you need:
Ensure you have the following installed:
- Python 3.10 - /!\ Make sure
python3.10is a valid command in your terminal. The core language used for development. Make sure you have the correct dependencies installed (in particular, GMP) for thefastecdsapython package. See here for linux and here for macos. - Scarb 2.12.0 - The Cairo package manager. Comes with Cairo inside. Requires Rust.
- pprof - A tool for visualization and analysis of profiling data. Requires Go.
- graphviz - Necessary for generating graphical representations of profiling data.
Once you have the prerequisites installed, clone the repository, and set up your development environment with the following command. Be sure to run this command from the root of the repository.
make setupAt this point, you should have everything you need to start developing with Garaga. Before proceeding, make sure to activate the virtual environment by running source venv/bin/activate.
π Click on any section below to expand and view detailed benchmark tables with test performance metrics.
Note: Click on the test name to view the profiling image. Resources shown in the table for contracts include extra costs due to the foundry logic. Check the profile file for more details.
contracts
βββ groth16_example_bls12_381_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|
| test_verify_groth16_proof_bls12_381 | 353,527 | 10,972 | 90,280 | 586 | 7,506 | 10,868 | 49,754,798 |
βββ groth16_example_bn254_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|
| test_verify_groth16_proof_bn254 | 228,557 | 9,785 | 67,149 | 509 | 5,401 | 8,754 | 34,080,559 |
βββ noir_ultra_keccak_honk_example_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Bitwise | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|---|
| test_verify_ultra_keccak_honk_proof | 1,213,031 | 65,539 | 412,656 | 3,180 | 461 | 45,756 | 43,585 | 187,929,077 |
βββ noir_ultra_keccak_zk_honk_example_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Bitwise | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|---|
| test_verify_ultra_keccak_zk_honk_proof | 1,306,049 | 70,398 | 451,651 | 3,476 | 461 | 49,914 | 47,993 | 203,546,067 |
βββ noir_ultra_starknet_honk_example_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|
| test_verify_ultra_starknet_honk_proof | 1,127,871 | 61,433 | 412,522 | 992 | 45,742 | 43,569 | 177,512,050 |
βββ noir_ultra_starknet_zk_honk_example_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|
| test_verify_ultra_starknet_zk_honk_proof | 1,221,360 | 66,173 | 451,576 | 1,044 | 49,911 | 47,987 | 193,032,648 |
βββ risc0_verifier_bn254_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Bitwise | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|---|
| test_verify_r0_groth16_proof_bn254 | 264,545 | 12,069 | 74,896 | 6,698 | 509 | 6,303 | 9,541 | 42,860,813 |
βββ sp1_verifier_bn254_integrationtest::test_contract
| Test Name | Steps | Range Check | Range Check 96 | Bitwise | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|---|
| test_verify_sp1_groth16_proof_bn254 | 244,680 | 11,127 | 75,027 | 2,230 | 509 | 6,314 | 9,555 | 38,221,851 |
garaga
βββ apps
β βββ drand::tests
| Test Name | Steps | Range Check | Range Check 96 | Bitwise | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|
| test_decrypt_at_round | 289,447 | 3,919 | 385,790 | 14,506 | 57,320 | 28,871 | 89,901,952 |
| test_hash_to_curve | 26,526 | 971 | 4,559 | 12,289 | 422 | 602 | 10,601,029 |
| test_hash_to_two_bls_felts | 23,557 | 900 | 74 | 12,289 | 2 | 8 | 9,592,623 |
| test_drand_quicknet_public_key | 12,861 | 68 | 14,864 | 0 | 1,490 | 1,674 | 3,477,040 |
| test_isogeny | 1,844 | 58 | 878 | 0 | 51 | 111 | 316,402 |
| test_map_to_curve | 647 | 11 | 264 | 0 | 6 | 39 | 105,190 |
β βββ noir
β β βββ honk_transcript::tests
| Test Name | Steps | Range Check | Bitwise | Poseidon | Sierra Gas |
|---|---|---|---|---|---|
| test_transcript_keccak | 71,084 | 5,035 | 3,180 | 1 | 9,315,281 |
| test_transcript_starknet | 19,758 | 1,103 | 0 | 532 | 2,314,222 |
β β βββ zk_honk_transcript::tests
| Test Name | Steps | Range Check | Bitwise | Poseidon | Sierra Gas |
|---|---|---|---|---|---|
| test_zk_transcript_keccak | 73,392 | 5,241 | 3,476 | 1 | 9,733,069 |
| test_zk_transcript_starknet | 21,173 | 1,185 | 0 | 584 | 2,486,994 |
β βββ risc0::risc0_utils_tests
| Test Name | Steps | Range Check | Bitwise | Sierra Gas |
|---|---|---|---|---|
| test_receipt_claim | 11,117 | 433 | 5,591 | 4,401,563 |
| test_output_digest | 4,424 | 171 | 2,230 | 1,754,460 |
β βββ sp1::tests
| Test Name | Steps | Range Check | Sierra Gas |
|---|---|---|---|
| test_convert_u32_to_u128 | 58 | 3 | 6,010 |
βββ crypto::mmr::tests
| Test Name | Steps | Range Check | Sierra Gas |
|---|---|---|---|
| test_trailing_ones | 441 | 51 | 47,670 |
βββ ec::ec_ops_g2::tests
| Test Name | Steps | Range Check | Range Check 96 | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|
| test_ec_mul_g2 | 105,060 | 1,074 | 87,664 | 8,551 | 9,755 | 23,349,114 |
βββ hashes::poseidon_bn254::tests
| Test Name | Steps | Range Check | Range Check 96 | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|
| test_run_poseidon_grumpkin_circuit_1 | 9,913 | 327 | 6,393 | 353 | 919 | 2,008,464 |
βββ tests
β βββ autogenerated
β β βββ ecdsa_tests
| Test Name | Steps | Range Check | Range Check 96 | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|
| test_ecdsa_SECP256R1 | 14,099 | 1,072 | 20,022 | 2,367 | 2,184 | 4,469,718 |
| test_ecdsa_SECP256K1 | 18,723 | 2,082 | 15,629 | 1,810 | 1,592 | 4,271,132 |
β β βββ eddsa_tests
| Test Name | Steps | Range Check | Range Check 96 | Bitwise | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|
| test_eddsa_32_64B | 88,025 | 13,786 | 20,762 | 3,288 | 2,412 | 2,276 | 14,776,560 |
| test_eddsa_16_32B | 52,391 | 7,643 | 20,840 | 1,656 | 2,418 | 2,284 | 9,842,274 |
| test_eddsa_0_0B | 51,814 | 7,549 | 20,865 | 1,656 | 2,419 | 2,286 | 9,780,832 |
β β βββ msm_tests
| Test Name | Steps | Range Check | Range Check 96 | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|
| test_msm_SECP256R1_3P | 20,115 | 1,576 | 29,835 | 3,546 | 3,252 | 6,572,368 |
| test_msm_SECP256K1_3P | 26,954 | 3,087 | 23,194 | 2,707 | 2,359 | 6,257,800 |
| test_msm_SECP256R1_2P | 13,465 | 1,053 | 19,865 | 2,363 | 2,166 | 4,384,404 |
| test_msm_SECP256K1_2P | 17,919 | 2,061 | 15,369 | 1,799 | 1,564 | 4,155,260 |
| test_msm_SECP256R1_1P | 6,991 | 530 | 9,945 | 1,182 | 1,084 | 2,219,716 |
| test_msm_SECP256K1_1P | 9,221 | 1,037 | 7,697 | 900 | 783 | 2,105,654 |
β β βββ pairing_tests
| Test Name | Steps | Range Check | Range Check 96 | Poseidon | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|---|
| test_BN254_mpcheck_3P_2F_with_extra_miller_loop_result | 59,916 | 472 | 59,008 | 509 | 4,469 | 7,922 | 15,391,765 |
| test_BLS12_381_mpcheck_3P_2F_with_extra_miller_loop_result | 54,316 | 356 | 44,885 | 586 | 3,482 | 5,791 | 12,556,430 |
| test_BN254_mpcheck_2P_2F | 47,930 | 393 | 33,047 | 460 | 1,731 | 4,665 | 10,112,792 |
| test_BLS12_381_mpcheck_2P_2F | 45,132 | 308 | 25,250 | 544 | 1,420 | 3,340 | 8,559,824 |
β β βββ schnorr_tests
| Test Name | Steps | Range Check | Range Check 96 | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|
| test_schnorr_SECP256K1 | 18,321 | 2,082 | 15,512 | 1,808 | 1,580 | 4,216,672 |
β β βββ tower_pairing_tests
| Test Name | Steps | Range Check | Range Check 96 | Add Mod | Mul Mod | Sierra Gas |
|---|---|---|---|---|---|---|
| test_tower_pairing_BN254_3P | 268,869 | 474 | 626,255 | 94,555 | 50,514 | 114,248,466 |
| test_tower_pairing_BLS12_381_3P | 248,951 | 556 | 538,321 | 86,187 | 37,849 | 97,763,802 |
| test_tower_pairing_BN254_2P | 219,367 | 398 | 486,548 | 73,494 | 38,661 | 89,466,112 |
| test_tower_pairing_BLS12_381_2P | 207,121 | 493 | 422,516 | 67,911 | 28,926 | 77,498,340 |
| test_tower_pairing_BN254_1P | 169,865 | 322 | 346,841 | 52,433 | 26,808 | 64,683,758 |
| test_tower_pairing_BLS12_381_1P | 165,291 | 430 | 306,711 | 49,635 | 20,003 | 57,232,878 |
| test_tower_final_exp_BN254 | 120,363 | 246 | 207,134 | 31,372 | 14,955 | 39,901,404 |
| test_tower_final_exp_BLS12_381 | 123,509 | 367 | 190,906 | 31,359 | 11,080 | 36,972,216 |
β βββ calldata_tests
| Test Name | Steps | Range Check | Sierra Gas |
|---|---|---|---|
| test_deserialize_full_proof_with_hints_bls12_381 | 22,272 | 4,714 | 2,557,180 |
β βββ sha512_tests
| Test Name | Steps | Range Check | Bitwise | Sierra Gas |
|---|---|---|---|---|
| test_sha512_lorem_ipsum | 102,856 | 18,169 | 4,904 | 14,416,462 |
| test_size_zero | 37,579 | 6,404 | 1,640 | 5,162,300 |
| test_sha512_size_one | 37,564 | 6,403 | 1,640 | 5,160,730 |
βββ utils::neg_3::tests
| Test Name | Steps | Range Check | Sierra Gas |
|---|---|---|---|
| test_scalar_to_epns | 6,103 | 928 | 675,260 |
| test_scalar_to_epns_single | 1,940 | 297 | 214,790 |
π To regenerate these benchmarks: Run make profile-test from the project root.
We warmly welcome contributions and support from the community! Here's how you can help Garaga grow and improve:
- Spot a bug? Have a feature request? Check out our issues page to see if it's already been reported or to open a new issue.
- Interested in contributing? Please take a moment to read our contribution guidelines for details on how to get started. Your contributions make the open-source community an incredible place for learning, inspiration, and creation.
- Love Garaga? Give us a star on GitHub to show your support.
- Spread the word: Share your excitement about Garaga on social platforms like Twitter, Dev.to, Medium, or your personal blog.
- Join the conversation: Connect with us and other Garaga enthusiasts on our Telegram group.
Every contribution, whether it's code, feedback, or spreading the word, greatly benefits everyone and is deeply appreciated. Thank you for being a part of Garaga's journey!
Garaga follows good practices of security, but 100% security cannot be assured. Garaga is provided "as is" without any warranty. Use at your own risk.
For more information and to report security issues, please refer to our security documentation.
This project is licensed under the MIT license.
See LICENSE for more information.
- Huge props to tekkac and feltroidprime for their initial work on provable pairing-based cryptography in StarkNet.
- Credits to Nethermind for their initial work on optimized modular arithmetic.
- Herodotus for supporting this project.
- Gnark project and team, especially yelhousni for his amazing knowledge and support.
- OnlyDust and Starkware.
- Liam Eagen and Andrija Novakovic for their support and amazing research.
- Craig Costello, Pairing for beginners
- Y. El Housni, "Pairings in Rank-1 Constraint Systems," Cryptology ePrint Archive, Report 2022/1162, 2022. Available: https://eprint.iacr.org/2022/1162.
- feltroidprime. "Faster Extension Field multiplications for Emulated Pairing Circuits." HackMD, https://hackmd.io/@feltroidprime/B1eyHHXNT.
- Liam Eagen, "Zero Knowledge Proofs of Elliptic Curve Inner Products from Principal Divisors and Weil Reciprocity," Cryptology ePrint Archive, Report 2022/596, 2022. Available: https://eprint.iacr.org/2022/596
- Andrija Novakovic and Liam Eagen, "On Proving Pairings," Cryptology ePrint Archive, Paper 2024/640, 2024. Available: https://eprint.iacr.org/2024/640
- Liam Eagen, Youssef El Housni, Simon Masson, and Thomas Piellard, "Fast elliptic curve scalar multiplications in SN(T)ARK circuits," Cryptology ePrint Archive, Paper 2025/933, 2025. Available: https://eprint.iacr.org/2025/933
Note: This list is not exhaustive, and is not intended to be.
For a full list of all authors and contributors, see the contributors page.
Thanks goes to these wonderful people (emoji key):
This project follows the all-contributors specification. Contributions of any kind welcome!