Releases: 0xMiden/crypto

v0.26.0

02 Jun 20:50
da0b43d

  • [BREAKING] Extracted BackendReader, allowing LargeSmtForest<S> to work with read-only storage backends (#986).
  • Optimized prover quotient evaluation by evaluating each AIR's quotient on its native coset (size n_j · D_j) and lifting per-AIR, instead of always on the global maximum coset; constraint division is fused into the constraint evaluation loop (#991).
  • [BREAKING] Replaced the per-AIR witness/aux-builder proving model (AirInstance, AirWitness, AuxBuilder, prove_multi / verify_multi) with a MultiAir trait that owns its AIRs (each builds its own aux trace via LiftedAir::build_aux_trace), plus validated Statement / ProverStatement structs carried by ProverInstance / VerifierInstance. LiftedAir::reduced_aux_values and num_var_len_public_inputs are replaced by MultiAir::eval_external, which returns the cross-AIR external assertions as a flat list of extension-field values that must equal zero, fed by an aux_inputs slice whose schema each MultiAir owns and validates (#992).
  • [BREAKING] Refactored miden-lifted-stark::domain around a uniform Coset trait shared by TwoAdicSubgroup and TwoAdicCoset, slimmed the LiftedDomain surface (drops dead getters, removes silently-dispatched points/bit_reversed_points/vanishing_at in favour of explicit trace_subgroup() / lde_coset() access), made LiftedDomain constructors fallible, moved selector logic onto LiftedDomain, and changed log_blowup to return u8 (#993).
  • [BREAKING] Upgraded direct rand dependencies to 0.10, updating RNG trait bounds and removing direct rand_hc usage (#995).
  • [BREAKING] Reorganized miden-lifted-stark internals: consolidated align, bitrev, horner, and packing helpers under a new util module; removed the legacy fri::* re-export facade (#1000).
  • perf: fuse per-group accumulator and defer allocations (#1008).
  • [BREAKING] Reduced LargeSmt<S> cache depth from 24 to 16 levels (#1011).
  • [BREAKING] Implemented two-phase commit_mutations() / apply_mutations()-style API for LargeSmtForest (#1018).
  • [BREAKING] Tightened the miden-lifted-stark public API surface: dropped the wide crate-root re-export list (callers now import from miden_lifted_stark::air and miden_lifted_stark::{lmcs, pcs, proof, prover, verifier} directly), demoted internal submodules to pub(crate)/pub(super), and folded the transcript module into proof (TranscriptChallenger / TranscriptData / TranscriptError are re-exported there). Renamed the proof artifact types — StarkProof → StarkProofData (wire artifact) and StarkTranscript → StarkProof (parsed view, built via StarkProof::from_data) — and *::from_verifier_channel → *::read_from_channel on the PCS sub-proofs. Dropped the panicking domain constructors (TwoAdicCoset::unshifted, LiftedDomain::{canonical, sub_domain}) in favour of the fallible try_* variants (#1020).
  • [BREAKING] Added reusable preprocessed trace setup artifacts for Lifted STARKs: AIRs can declare fixed preprocessed columns, provers build and reuse a Preprocessed commitment bundle, and verifier instances receive the trusted preprocessed commitment (#1021).
  • [BREAKING] Fixed RocksDB CLI safety, non-canonical serde input handling, and qualified WordWrapper derive paths (#1022).
  • [BREAKING] Simplify LargeSmtForest backend API (#1030).
  • [BREAKING] Made LargeSmt leaf/entry/inner node iterators fallible (#1032).

v0.25.1

22 May 07:11
0bffda4

  • Fixed miden-lifted-stark builds when p3-maybe-rayon/parallel is enabled without miden-lifted-stark/parallel (#1023).

v0.25.0

01 May 22:12
ecf0a1d

  • [BREAKING] Changed the serialization format of PartialSmt to be more compact on the wire (#957).
  • [BREAKING] Changed SmtLeaf::hash to perform domain-separated hashing, reducing the risk of a collision with the hash of an inner node (#962).
  • [BREAKING] Extracted SmtStorageReader and SparseMerkleTreeReader, allowing LargeSmt<S> to work with read-only storage backends (#967).
  • Added domain-separated hashing support for elements to AlgebraicSponge as hash_elements_in_domain(...) (#978).
  • Added Signature::from_der() for EdDSA signatures (#979).
  • Fixed SimpleSmt::set_subtree() to clear stale leaves and inner nodes in the replaced subtree region (#981).
  • Fixed SliceReader bounds checking to reject overflowing read lengths (#987).

v0.24.0

19 Apr 18:22
5069de2

  • [BREAKING] Removed AlgebraicSponge::merge_with_int() method (#894).
  • [BREAKING] Updated Poseidon2 instance to match Plonky3 one (#905).
  • Added LargeSmtForest::add_lineages which provides an efficient means of adding multiple new lineages at once (#910).
  • Added the ability to configure the sync-to-disk behavior of the persistent backend using its config (#912).
  • [BREAKING] Removed WORD_SIZE_FELTS and WORD_SIZE_BYTES from miden-field in favor of Word::NUM_ELEMENTS and Word::SERIALIZED_SIZE, respectively. The values remain the same (#917).
  • [BREAKING] Removed WORD_SIZE from miden-crypto in favor of Word::NUM_ELEMENTS. Clients will need to update references to the constant, but Word will already be in scope as it is re-exported from miden-crypto (#917).
  • [BREAKING] Removed LexicographicWord as Word itself now implements the correct comparison behavior. Any place where the former is used should be able to seamlessly swap to the latter (#918).
  • [BREAKING] Removed implementations of Deref and DerefMut for Felt (#919).
  • Added Serializable and Deserializable instances for Arc<str> (#920).
  • Optimized batch inversion to use per-chunk scratch space (#933).
  • [BREAKING] Changed the signature of Felt::new to perform reduction, and raise an error if the input is invalid. Retained the old behavior as Felt::new_unchecked, as its usage may lead to incorrect results (#924).
  • Optimized field operations for Goldilocks (#926).
  • [BREAKING] Moved per-instance log trace heights from AirInstance into StarkProof; prove_multi / verify_multi now observe them into the Fiat-Shamir challenger internally (#956). Consumers on the temporary (log_trace_height, proof) serialization path must drop the wrapper and stop pre-observing the height, or it will be bound twice. StarkProof no longer exposes per-instance heights directly — parse the proof with StarkTranscript::from_proof to read them; num_traces() is available for the count.
  • [BREAKING] prove_multi / verify_multi no longer require instances in ascending trace-height order; the prover sorts internally and the proof carries an air_order permutation (#941). InstanceShapes::from_trace_heights now sorts internally and embeds the AIR ordering. InstanceShapes::observe renamed to observe_heights. The NotAscending error variant is removed; InvalidAirOrder and AirOrderLengthMismatch are added. AirWitness now derives Clone + Copy. Callers must bind AIR configurations and air_order into the Fiat-Shamir challenger — see the prover module-level docs.
  • [BREAKING] Split the SecretKey type for both ECDSA-k256 and EdDSA-25519 into SigningKey and KeyExchangeKey to help enforce better practices around key reuse. SecretKey is no longer available in the public API; all usages should be moved to one of the new key types (#965).
  • Reduce repeated history scans in historical LargeSmtForest::open() queries (#971).

v0.22.6

13 Mar 16:49
cd03c5e

What's Changed

  • Added Signature::from_der() for ECDSA signatures over secp256k1 (#842).
  • Added PublicKey::from_der() for ECDSA public keys over secp256k1 (#855).

v0.22.5

12 Mar 08:53
869d52c

  • Expose StorageError and SubtreeUpdate as prep. to externalize the LargeSmt RocksDB backend (#850).

v0.23.0

11 Mar 23:19
48b049e

  • Replaced Subtree internal storage with bitmask layout (#784).
  • [BREAKING] PartialMmr::open() now returns Option<MmrProof> instead of Option<MmrPath> (#787).
  • [BREAKING] Refactored BLAKE3 to use Digest<N> struct, added Digest192 type alias (#811).
  • [BREAKING] Added validation to PartialMmr::from_parts() and Deserializable implementation, added from_parts_unchecked() for performance-critical code (#812).
  • [BREAKING] Removed hashbrown dependency and hashmaps feature; Map/Set type aliases are now tied to the std feature (#813).
  • [BREAKING] Renamed NodeIndex::value() to NodeIndex::position(), NodeIndex::is_value_odd() to NodeIndex::is_position_odd(), and LeafIndex::value() to LeafIndex::position() (#814).
  • Fixed LargeSmtForest::truncate to remove emptied lineages from non_empty_histories (#818).
  • [BREAKING] Fixed OOMs in Merkle/SMT deserialization (#820).
  • Fixed SmtForest to remove nodes with zero reference count from store (#821).
  • Cross-checked RPO test vectors against the Python reference implementation after state layout change (#822).
  • Fixed tuple min_serialized_size() to exclude alignment padding, fixing BudgetedReader rejecting valid data (#827).
  • Fixed possible panic in XChaCha::decrypt_bytes_with_associated_data and hardened deserialization with fuzzing across 7 new targets (#836).
  • Added Signature::from_der() for ECDSA signatures over secp256k1 (#842).
  • [BREAKING] Added info context field to secret box, bound IES HKDF info to a stable context string, scheme identifier, and ephemeral public key bytes (#843).
  • Use read_from_bytes_with_budget() instead of read_from_bytes for deserialization from untrusted sources, setting the budget to the actual input byte slice length (#846).
  • [BREAKING] Removed PartialEq/Eq for AEAD SecretKey in non-test builds, fixed various hygiene issues in dealing with secret keys (#849).
  • Added PublicKey::from_der() for ECDSA public keys over secp256k1 (#855).
  • [BREAKING] Fixed NodeIndex::to_scalar_index() overflow at depth 64 by returning Result<u64, MerkleError> (#865).
  • [BREAKING] Removed RpoRandomCoin and RpxRandomCoin and introduced a Poseidon2-based RandomCoin (#871).
  • Hardened MerkleStore deserialization and fuzz coverage (#878).
  • [BREAKING] Upgraded Plonky3 from 0.4.2 to 0.5.0 and replaced p3-miden-air, p3-miden-fri, and p3-miden-prover with the unified p3-miden-lifted-stark crate. The stark module now re-exports the Lifted STARK proving system from p3-miden.

v0.22.4

03 Mar 23:39
467484b

  • Make SmtLeaf::get_value public (#872).

v0.19.8

02 Mar 17:29
11cb33e

  • Added PublicKey::from_der() for ECDSA public keys over secp256k1 (#855).

v0.19.7

26 Feb 20:13
df02075

  • Exposed StorageError and SubtreeUpdate as prep. to externalize the LargeSmt RocksDB backend (#850).
  • Fixed SmtStore corruption issue on insertion of empty tree roots (#853).