diff --git a/notes_nova.pdf b/notes_nova.pdf
index 367b3d6..00278ea 100644
Binary files a/notes_nova.pdf and b/notes_nova.pdf differ
diff --git a/notes_nova.tex b/notes_nova.tex
index b392858..d04104b 100644
--- a/notes_nova.tex
+++ b/notes_nova.tex
@@ -8,6 +8,33 @@
 \usepackage{hyperref}
 \usepackage{xcolor}
+\usepackage{pgf-umlsd} % diagrams
+% message between threads
+% Example:
+% \bloodymess[delay]{sender}{message content}{receiver}{DIR}{start note}{end note}
+\newcommand{\bloodymess}[7][0]{
+ \stepcounter{seqlevel}
+ \path
+ (#2)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess from) {};
+ \addtocounter{seqlevel}{#1}
+ \path
+ (#4)+(0,-\theseqlevel*\unitfactor-0.7*\unitfactor) node (mess to) {};
+ \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above]
+ {#3};
+
+ \if R#5
+ \node (\detokenize{#3} from) at (mess from) {\llap{#6~}};
+ \node (\detokenize{#3} to) at (mess to) {\rlap{~#7}};
+ \else\if L#5
+ \node (\detokenize{#3} from) at (mess from) {\rlap{~#6}};
+ \node (\detokenize{#3} to) at (mess to) {\llap{#7~}};
+ \else
+ \node (\detokenize{#3} from) at (mess from) {#6};
+ \node (\detokenize{#3} to) at (mess to) {#7};
+ \fi
+ \fi
+}
+
 % prevent warnings of underfull \hbox:
 \usepackage{etoolbox}
 \apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
@@ -41,7 +68,7 @@
 \tableofcontents
-\section{Folding Scheme for Committed Relaxed R1CS}
+\section{NIFS}
 \subsection{R1CS modification}
@@ -95,7 +122,7 @@ $(\overline{E}, u, \overline{W}, x)$, satisfyied by a witness $(E, r_E, W, r_W)$
 \end{align*}
-\subsection{Folding protocol}
+\subsection{Folding scheme for committed relaxed R1CS}
 V and P take two \emph{committed relaxed R1CS} instances
 \begin{align*}
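Review bot: The `\if R#5` / `\if L#5` tests inside `\bloodymess` compare only the first character of the DIR argument, so a multi-character value such as `Right` matches on its first character and leaves the remaining characters in the token stream inside the picture; the usage comment above the macro should pin the accepted values, e.g. `% DIR: R (start note left of sender, end note right of receiver), L (mirrored), empty (notes centred on the endpoints); only the first character is tested`. The node names `\detokenize{#3} from` / `\detokenize{#3} to` are derived from the message text, so two messages with identical text in one diagram share a node name — worth a one-line comment if that reuse is intended. The `>=angle 60` arrow tip on the `\draw` line comes from the TikZ `arrows` library; if pgf-umlsd does not load it in this setup, `\usetikzlibrary{arrows}` should follow the `\usepackage{pgf-umlsd}` line.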
@@ -133,11 +160,120 @@ Let $Z_1 = (W_1, x_1, u_1)$ and $Z_2 = (W_2, x_2, u_2)$.
 \end{align*}
 \end{enumerate}
-P uses a zkSNARK showing that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value.
-Then, via Fiat-Shamir transform we achieve non-interactivity.
+P will proof that knows the valid witness $(E, r_E, W, r_W)$ for the committed relaxed R1CS without revealing its value.
+
+\begin{center}
+ \begin{sequencediagram}
+ \newinst[1]{p}{Prover}
+ \newinst[3]{v}{Verifier}
+
+ \bloodymess[1]{p}{$\overline{T}$}{v}{R}{
+ \shortstack{
+ $T=A z_1 \circ B z_1 + A z_2 \circ B z_2 - u_1 C z_2 - u_2 C z_2$\\
+ $\overline{T}=Commit(T, r_T)$
+ }
+ }{
+ \shortstack{
+ $r \in^R \mathbb{F}_p$\\
+ $\overline{E} = \overline{E}_1 + r \overline{T} + r^2 \overline{E}_2$\\
+ $u= u_1 + r u_2$\\
+ $\overline{W} = \overline{W}_1 + r \overline{W}_2$\\
+ $\overline{x} = \overline{x}_1 + r \overline{x}_2$\\
+ $\varphi=(\overline{E}, u, \overline{W}, x)$
+ }
+ }
+ \bloodymess[1]{v}{$r$}{p}{L}{}{
+ \shortstack{
+ $E = E_1 + r T + r^2 E_2$\\
+ $u= u_1 + r u_2$\\
+ $W = W_1 + r W_2$\\
+ $r_{W} = r_{W_1} + r r_{W_2}$\\
+ $(E, r_E, W, r_W)$
+ }
+ }
+ \end{sequencediagram}
+\end{center}
+
+
+The previous protocol achieves non-interactivity via Fiat-Shamir transform, obtaining a \emph{Non-Interactive Folding Scheme for Committed Relaxed R1CS}.
+
+Note: the paper later uses $\mathsf{u}_i,~ \mathsf{U}_i$ for the two inputed $\varphi_1,~ \varphi_2$, and later $\mathsf{u}_{i+1}$ for the outputed $\varphi$. Also, the paper later uses $\mathsf{w},~ \mathsf{W}$ to refer to the witnesses of two folded instances (eg. $\mathsf{w}=(E, r_E, W, r_W)$).
+
+\section{Nova}
+IVC (Incremental Verifiable Computation) scheme for a non-interactive folding scheme.
+
+\subsection{IVC proofs}
+
+Allows prover to show $z_n = F^{(n)}(z_0)$, for some count $n$, initial input $z_0$, and output $z_n$.\\
+$F$: program function (polynomial-time computable)\\
+$F'$: augmented function, invokes $F$ and additionally performs fold-related stuff.
+
+\vspace{0.5cm}
+Two committed relaxed R1CS instances:\\
+$\mathsf{U}_i$: represents the correct execution of invocations $1, \ldots, i-1$ of $F'$\\
+$\mathsf{u}_i$: represents the correct execution of invocations $i$ of $F'$
+
+\paragraph{Simplified version of $F'$ for intuition}
+\vspace{0.5cm}
+$F'$ performs two tasks:
+\begin{enumerate}[i.]
+ \item execute a step of the incremental computation:
+ instance $\mathsf{u}_i$ contains $z_i$, used to output $z_{i+1}=F(z_i)$
+ \item invokes the verifier of the non-interactive folding scheme to fold the task of checking $\mathsf{u}_i$ and $\mathsf{U}_i$ into the task of checking a single instance $\mathsf{U}_{i+1}$
+\end{enumerate}
+
+\vspace{0.5cm}
+$F'$ proves that:
+\begin{enumerate}
+ \item $\exists ( (i, z_0, z_i, \mathsf{u}_i, \mathsf{U}_i), \mathsf{U}_{i+1}, \overline{T})$ such that
+ \begin{enumerate}[i.]
+ \item $\mathsf{u}_i.x = H(vk, i, z_0, z_i, \mathsf{U}_i)$
+ \item $h_{i+1} = H(vk, i+1, z_0, F(z_i), \mathsf{U}_{i+1})$
+ \item $\mathsf{U}_{i+1} = NIFS.V(vk, \mathsf{U}_i, \mathsf{u}_i, \overline{T})$
+ \end{enumerate}
+\item $F'$ outputs $h_{i+1}$
+\end{enumerate}
+
+
+$F'$ is described as follows:\\
+$F'(vk, \mathsf{U}_i, \mathsf{u}_i, (i, z_0, z_i), w_i, \overline{T}) \rightarrow x$:\\
+if $i=0$, output $H(vk, 1, z_0, F(z_0, w_i), \mathsf{u}_{\bot})$\\
+otherwise
+\begin{enumerate}
+ \item check $\mathsf{u}_i.x = H(vk, i, z_0, z_i, \mathsf{U}_i)$
+ \item check $(\mathsf{u}_i.\overline{E}, \mathsf{u}_i.u) = (\mathsf{u}_{\bot}.\overline{E}, 1)$
+ \item compute $\mathsf{U}_{i+1} \leftarrow NIFS.V(vk, U, u, \overline{T})$
+ \item output $H(vk, i+1, z_0, F(z_i, w_i), \mathsf{U}_{i+1})$
+\end{enumerate}
+
+% TODO add diagram
+
+\paragraph{IVC Proof}
+iteration $i+1$: prover runs $F'$ and computes $\mathsf{u}_{i+1},~ \mathsf{U}_{i+1}$, with corresponding witnesses $\mathsf{w}_{i+1},~ \mathsf{W}_{i+1}$.
+$(\mathsf{u}_{i+1},~ \mathsf{U}_{i+1})$ attest correctness of $i+1$ invocations of $F'$, the IVC proof is $\pi_{i+1} = ( (\mathsf{U}_{i+1}, \mathsf{W}_{i+1}), (\mathsf{u}_{i+1}, \mathsf{w}_{i+1}))$.
+
+
+\vspace{0.5cm}
+
+\underline{$P(pk, (i, z_0, z_i), \mathsf{w}_i, \pi_i) \rightarrow \pi_{i+1}$}:\\
+Parse $\pi_i = ( (\mathsf{U}_i, \mathsf{W}_i), (\mathsf{u}_i, \mathsf{w}_i))$, then
+\begin{enumerate}
+ \item if $i=0$: $(\mathsf{U}_{i+1}, \mathsf{W}_{i+1}, \overline{T}) \leftarrow (\mathsf{u}_{\perp}, \mathsf{w}_{\perp}, \mathsf{u}_{\perp}.{\overline{E}})$\\
+ otherwise: $(\mathsf{U}_{i+1}, \mathsf{W}_{i+1}, \overline{T}) \leftarrow NIFS.P(pk, (\mathsf{U}_i, \mathsf{W}_i), (\mathsf{u}_i, \mathsf{w}_i))$
+ \item compute $(\mathsf{u}_{i+1}, \mathsf{w}_{i+1}) \leftarrow trace(F', (vk, \mathsf{U}_i, \mathsf{u}_i, (i, z_0, z_i), \mathsf{w}_i, \overline{T}))$
+ \item output $\pi_{i+1} \leftarrow ((\mathsf{U}_{i+1}, \mathsf{W}_{i+1}), (\mathsf{u}_{i+1}, \mathsf{w}_{i+1}))$
+\end{enumerate}
+
+\underline{$V(vk, (i, z_0, z_i), \pi_i) \rightarrow \{0,1\}$}:
+if $i=0$: check that $z_i=z_0$\\
+otherwise, parse $\pi_i = ( (\mathsf{U}_i, \mathsf{W}_i), (\mathsf{u}_i, \mathsf{w}_i))$, then
+\begin{enumerate}
+ \item check $\mathsf{u}_i.x = H(vk, i, z_0, z_i, \mathsf{U}_i)$
+ \item check $(\mathsf{u}_i.{\overline{E}}, \mathsf{u}_i.u) = (\mathsf{u}_{\perp}.{\overline{E}}, 1)$
+ \item check that $\mathsf{W}_i,~ \mathsf{w}_i$ are satisfying witnesses to $\mathsf{U}_i,~ \mathsf{u}_i$ respectively
+\end{enumerate}
-\section{IVC proofs}
-\textbf{WIP}
+\paragraph{A zkSNARK of a Valid IVC Proof}
 \bibliography{paper-notes.bib}
diff --git a/notes_spartan.pdf b/notes_spartan.pdf
new file mode 100644
index 0000000..fe689f9
Binary files /dev/null and b/notes_spartan.pdf differ
diff --git a/notes_spartan.tex b/notes_spartan.tex
new file mode 100644
index 0000000..daa0b7a
--- /dev/null
+++ b/notes_spartan.tex
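Review bot: The cross term in the Prover's note of the sequence diagram, `$T=A z_1 \circ B z_1 + A z_2 \circ B z_2 - u_1 C z_2 - u_2 C z_2$`, pairs each instance with itself; the Nova cross term mixes the two instances, `$T=A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1$\\`, and it should agree with the derivation in the folding subsection earlier in this file, which lies outside the hunk. In the same diagram the Verifier folds `$\overline{x} = \overline{x}_1 + r \overline{x}_2$` but then writes `$\varphi=(\overline{E}, u, \overline{W}, x)$`; the public input is not committed, so `x` should be used consistently in both lines. The Prover's folded witness ends in `$(E, r_E, W, r_W)$` without a line computing `r_E`, e.g. `$r_E = r_{E_1} + r r_T + r^2 r_{E_2}$\\`, which is what ties the folded `E` to the folded commitment `\overline{E}`. The introductory sentence `P will proof that knows` reads better as `P will prove that it knows`.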
@@ -0,0 +1,206 @@
+\documentclass{article}
+\usepackage[utf8]{inputenc}
+\usepackage{amsfonts}
+\usepackage{amsthm}
+\usepackage{amsmath}
+\usepackage{mathtools}
+\usepackage{enumerate}
+\usepackage{hyperref}
+\usepackage{xcolor}
+\usepackage{pgf-umlsd} % diagrams
+\usepackage{centernot}
+
+
+% prevent warnings of underfull \hbox:
+\usepackage{etoolbox}
+\apptocmd{\sloppy}{\hbadness 4000\relax}{}{}
+
+\theoremstyle{definition}
+\newtheorem{definition}{Def}[section]
+\newtheorem{theorem}[definition]{Thm}
+
+% custom lemma environment to set custom numbers
+\newtheorem{innerlemma}{Lemma}
+\newenvironment{lemma}[1]
+{\renewcommand\theinnerlemma{#1}\innerlemma}
+{\endinnerlemma}
+
+
+\title{Notes on Spartan}
+\author{arnaucube}
+\date{April 2023}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ Notes taken while reading about Spartan \cite{cryptoeprint:2019/550}.
+
+ Usually while reading papers I take handwritten notes, this document contains some of them re-written to $LaTeX$.
+
+ The notes are not complete, don't include all the steps neither all the proofs.
+\end{abstract}
+
+\tableofcontents
+
+\section{Encoding R1CS instances as low-degree polynomials}
+\begin{definition}{R1CS}
+ $\exists w \in \mathbb{F}^{m - |io| - 1}$ such that $(A \cdot z) \circ (B \cdot z) = (C \cdot z)$, where $z=(io, 1, w)$.
+\end{definition}
+
+
+\textbf{Thm 4.1} $\forall$ R1CS instance $x = (\mathbb{F}, A, B, C, io, m, n)$, $\exists$ a degree-3 log m-variate polynomial $G$ such that $\sum_{x \in \{0,1\}^{log m}} G(x) = 0$.
+% \begin{theorem}{4.1} // TODO use theorem gadget
+% $\forall$
+% \begin{end}
+\vspace{0.5cm}
+
+For a RCS instance $x$, let $s = \lceil log m \rceil$.
+
+We can view matrices $A, B, C \in \mathbb{F}^{m \times m}$ as functions $\{0,1\}^s \times \{0,1\}^s \rightarrow \mathbb{F}$.
+For a given witness $w$ to $x$, let $z=(io, 1, w)$.
+View $z$ as a function $\{0,1\}^s \rightarrow \mathbb{F}$, so any entry in $z$ can be accessed with a $s$-bit identifier.
+
+$$
+F_{io}(x)=
+$$
+$$
+\left( \sum_{y \in \{0,1\}^s} A(x, y) \cdot Z(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} B(x, y) \cdot Z(y) \right) - \left( \sum_{y \in \{0,1\}^s} C(x, y) \cdot Z(y) \right)
+$$
+
+\begin{lemma}{4.1}
+ $\forall x \in \{0,1\}^s,~ F_{io}(x)=0$ iff $Sat_{R1CS}(x,w)=1$.
+\end{lemma}
+
+$F_{io}(\cdot)$ is a function, not a polynomial, so it can not be used in the Sum-check protocol.
+
+consider its polynomial extension $\widetilde{F}_{io}(x): \mathbb{F}^s \rightarrow \mathbb{F}$,
+$$\widetilde{F}_{io}(x)=$$
+$$
+\left( \sum_{y \in \{0,1\}^s} \widetilde{A}(x, y) \cdot \widetilde{Z}(y) \right) \cdot \left( \sum_{y \in \{0,1\}^s} \widetilde{B}(x, y) \cdot \widetilde{Z}(y) \right) - \left( \sum_{y \in \{0,1\}^s} \widetilde{C}(x, y) \cdot \widetilde{Z}(y) \right)
+$$
+
+\begin{lemma}{4.2}
+ $\forall x \in \{0,1\}^s,~ \widetilde{F}_{io}(x)=0$ iff $Sat_{R1CS}(x, w)=1$.
+\end{lemma}
+
+(proof: $\forall x \in \{0,1\}^s,~ \widetilde{F}_{io}(x)=F_{io}(x)$, so, result follows from Lemma 4.1.) % TODO link to lemma
+
+\vspace{0.5cm}
+
+$\widetilde{F}_{io}(\cdot)$: low-degree multivariate polynomial over $\mathbb{F}$ in $s$ variables.
+Verifier can check if $\sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x)=0$ using the Sum-check protocol.
+
+But: $\sum_{x\in \{0,1\}^s} \widetilde{F}_{io}(x)=0 \centernot\Longleftrightarrow F_{io}(x)=0 \forall x \in \{0,1\}^s$.
+Bcs: the $2^s$ terms in the sum might cancel each other even when the individual terms are not zero.
+Solution: consider
+$$Q_{io}(t)= \sum_{x \in \{0,1\}^s} \widetilde{F}_{io}(x) \cdot \widetilde{eq}(t, x)$$
+where $\widetilde{eq}(t, x) = \prod_{i=1}^s (t_i \cdot x_i + (1- t_i) \cdot (1- x_i))$.
+
+Basically $Q_{io}(\cdot)$ is a multivariate polynomial such that
+$$Q_{io}(t) = \widetilde{F}_{io}(t) ~\forall t \in \{0,1\}^s$$
+thus, $Q_{io}(\cdot)$ is a zero-polynomial iff $\widetilde{F}_{io}(x)=0 ~\forall x\in \{0,1\}^s$.
+$\Longleftrightarrow$ iff $\widetilde{F}_{io}(\cdot)$ encodes a witness $w$ such that $Sat_{R1CS}(x, w)=1$.
+
+To check that $Q_{io}(\cdot)$ is a zero-polynomial: check $Q_{io}(\tau)=0,~ \tau \in^R \mathbb{F}^s$ (Schwartz-Zippel-DeMillo–Lipton lemma).
+
+\section{NIZKs with succint proofs for R1CS}
+
+From Thm 4.1: to check R1CS instance $(\mathbb{F}, A, B, C, io, m, n)$ V can check if
+$$\sum_{x \in \{0,1\}^s} G_{io, \tau} (r_x)$$
+where $r_x \in \mathbb{F}^s$.
+
+Recall: $G_{io, \tau}(x) = \widetilde{F}_{io}(x) \cdot \widetilde{eq}(\tau, x)$.
+
+To evaluate $\widetilde{F}_{io}(r_x)$, V needs to evaluate
+$$\forall y \in \{0,1\}^s: \widetilde{A}(r_x, y), \widetilde{B}(r_x, y), \widetilde{C}(r_x, y), \widetilde{Z}(y)$$
+evaluations of $\widetilde{Z}(y) ~\forall y \in \{0,1\}^s ~\Longleftrightarrow (io, 1, w)$.
+
+Solution: combination of 3 protocols:
+\begin{itemize}
+ \item Sum-check protocol
+ \item randomized mini protocol
+ \item polynomial commitment scheme
+\end{itemize}
+
+Observation: let $\widetilde{F}_{io}(r_x) = \bar{A}(r_x) \cdot \bar{B}(r_x) - \bar{C}(r_x)$, where
+$$\bar{A}(r_x) = \sum_{y \in \{0,1\}} \widetilde{A}(r_x, y) \cdot \widetilde{Z}(y)$$
+$$\bar{B}(r_x) = \sum_{y \in \{0,1\}} \widetilde{B}(r_x, y) \cdot \widetilde{Z}(y)$$
+$$\bar{C}(r_x) = \sum_{y \in \{0,1\}} \widetilde{C}(r_x, y) \cdot \widetilde{Z}(y)$$
+
+Prover makes 3 separate claims: $\bar{A}(r_x)=v_A,~ \bar{B}(r_x)=v_B,~ \bar{C}(r_x)=v_C$,
+then V evaluates:
+$$G_{io, \tau}(r_x) = (v_A \cdot v_B - v_C) \cdot \widetilde{eq}(r_x, \tau)$$
+which could be 3 sum-check protocol instances. Instead: combine 3 claims into a single claim:
+
+V samples $r_A, r_B, r_C \in^R \mathbb{F}$, and computes $c= r_A v_A + r_B v_B + r_C v_C$.
+V, P use sum-check protocol to check:
+$$r_A \cdot \bar{A}(r_x) + r_B \cdot \bar{B}(r_x) + r_C \cdot \bar{C}(r_x) == c$$
+
+
+Let $L(r_x) = r_A \cdot \bar{A}(r_x) +r_B \cdot \bar{B}(r_x) +r_C \cdot \bar{C}(r_x)$,
+
+\begin{align*}
+ L(r_x) &= \sum_{y \in \{0,1\}^s}
+ r_A \cdot \widetilde{A}(r_x, y) \cdot \widetilde{Z}(y)
++ r_B \cdot \widetilde{B}(r_x, y) \cdot \widetilde{Z}(y)
++ r_C \cdot \widetilde{C}(r_x, y) \cdot \widetilde{Z}(y)\\
+ &= \sum_{y \in \{0,1\}^s} M_{r_x}(y)
+\end{align*}
+
+$M_{r_x}(y)$ is a s-variate polynomial with deg $\leq 2$ in each variable ($\Longleftrightarrow \mu = s,~ l=2,~ T=c$).
+
+
+\begin{align*}
+M_{r_x}(r_y) &=
+r_A \cdot \widetilde{A}(r_x, r_y) \cdot \widetilde{Z}(r_y)
++ r_B \cdot \widetilde{B}(r_x, r_y) \cdot \widetilde{Z}(r_y)
++ r_C \cdot \widetilde{C}(r_x, r_y) \cdot \widetilde{Z}(r_y)\\
+ &=
+ (r_A \cdot \widetilde{A}(r_x, r_y)
++ r_B \cdot \widetilde{B}(r_x, r_y)
++ r_C \cdot \widetilde{C}(r_x, r_y)) \cdot \widetilde{Z}(r_y)\\
+\end{align*}
+
+only one term in $M_{r_x}(r_y)$ depends on prover's witness: $\widetilde{Z}(r_y)$
+
+P sends a commitment to $\widetilde{w}(\cdot)$ (= MLE of the witness $w$) to V before the first instance of the sum-check protocol.
+
+
+\subsection{Full protocol}
+
+\begin{itemize}
+ \item $pp \leftarrow Setup(1^{\lambda})$: invoke $pp \leftarrow PC.Setup(1^{\lambda}, log m)$; output $pp$
+ \item $b \leftarrow (\mathbb{F}, A,B,C, io, m, n)$:
+ \begin{enumerate}
+ \item P: $(C, S) \leftarrow PC.Commit(pp, \widetilde{w})$ and send $C$ to V
+ \item V: send $\tau \in^R \mathbb{F}^{log~m}$ to P
+ \item let $T_1=0,~ \mu_1=log~m,~ l_1=3$
+ \item V: set $r_x \in^R \mathbb{F}^{\mu_1}$
+ \item Sum-check 1. $e_x \leftarrow (\mu_1, l_1, T_1)$
+ \item P: compute $v_A=\overline{A}(r_x),~ v_B=\overline{B}(r_x),~ v_C=\overline{C}(r_x)$, send $(v_A, v_B, v_C)$ to V
+ \item V: abort with $b=0$ if $e_x \neq (v_A \cdot v_B - v_C)\cdot \widetilde{eq}(r_x, \tau)$
+ \item V: send $r_A, r_B, r_C \in^R \mathbb{F}$ to P
+ \item let $T_2 = r_A \cdot v_A + r_B \cdot v_B + r_C \cdot v_C,~ \mu_2=log~m,~ l_2=2$
+ \item V: set $r_y \in^R \mathbb{F}^{\mu_2}$
+ \item Sum-check 2. $e_y \leftarrow (\mu_2, l_2, T_2)$
+ \item P: $v \leftarrow \widetilde{w}(r_y[1..])$, send $v$ to V
+ \item $b_e \leftarrow (pp, C, r_y, v, \mu_2)$
+ \item V: abourt with $b=0$ if $b_e==0$
+ \item V: $v_z \leftarrow (1 - r_y[0]) \cdot \widetilde{w}(r_y [1..]) + r_y[0] \widetilde{(io, 1)} (r_y[1..])$
+ \item V: $v_1 \leftarrow \widetilde{A}(r_x, r_y),~ v_2 \leftarrow \widetilde{B}(r_x, r_y),~ v_3 \leftarrow \widetilde{C}(r_x, r_y)$
+ \item V: abort with $b=0$ if $e_y \neq (r_A v_1 + r_B v_2 + r_C v_3) \cdot v_z$
+ \item V: output $b=1$
+ \end{enumerate}
+\end{itemize}
+
+\vspace{2cm}
+\framebox{WIP: covered until sec.6}
+
+
+
+\bibliography{paper-notes.bib}
+\bibliographystyle{unsrt}
+
+\end{document}
diff --git a/paper-notes.bib b/paper-notes.bib
index 6827f61..0090122 100644
--- a/paper-notes.bib
+++ b/paper-notes.bib
@@ -100,3 +100,12 @@
 note = {\url{https://github.com/arnaucube/fri-commitment}},
 url = {https://github.com/arnaucube/fri-commitment}
 }
+
+@misc{cryptoeprint:2019/550,
+ author = {Srinath Setty},
+ title = {Spartan: Efficient and general-purpose zkSNARKs without trusted setup},
+ howpublished = {Cryptology ePrint Archive, Paper 2019/550},
+ year = {2019},
+ note = {\url{https://eprint.iacr.org/2019/550}},
+ url = {https://eprint.iacr.org/2019/550}
+}
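Review bot: The three displays defining `$\bar{A}(r_x)$`, `$\bar{B}(r_x)$` and `$\bar{C}(r_x)$` in the Observation paragraph sum over `\{0,1\}`, while every other sum in the file (the `F_{io}` definitions and the `L(r_x)` align block that follows) ranges over `\{0,1\}^s`; the first should read `$$\bar{A}(r_x) = \sum_{y \in \{0,1\}^s} \widetilde{A}(r_x, y) \cdot \widetilde{Z}(y)$$`, and likewise for B and C. A few typos in the new text: `succint` in the section title, `RCS` for R1CS, `abourt` in the Full protocol list, and `$LaTeX$` in the abstract, which sets the word as italic math instead of `\LaTeX`. The `$$ ... $$` displays and the `\vspace` calls are plain-TeX style; `\[ ... \]` or `equation*` keeps amsmath's spacing and works with its class options. The protocol step `$b \leftarrow (\mathbb{F}, A,B,C, io, m, n)$` names no algorithm, presumably the interactive argument `\langle P(w), V(r) \rangle`; writing it out would make the list self-contained.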