The BN256 curve is not providing 128 bits of security

[cgrigis]

Security Code Review observation:

We want to highlight what is already mentioned in BN256's README.md file: "previously claimed to operate at a 128-bit security level. However recent improvements in attacks mean that is no longer true"

We recommend including a recommendation on what to use or maybe altogether replace the BN256 curve with the BLS12-381 curve that does not suffer from the recent cryptanalysis breakthroughs reducing the security level of BN256 to less than 128 bits.