That’s purely an issue of notation, not semantics. I was using the notation from Groth’s paper (which was convenient because [BKSV2020] also uses additive notation). Everything in my comment could be trivially rewritten multiplicatively.
(Actually, EIP 197 does use additive notation for the verification equation, it just writes \mathtt{log\_P1(a1)} in place of [\mathtt{a1}]_1.)
That is case b) in my comment.
Except it’s verified as multiplication inside it’s implementation used by more than 90% of nodes. To me it seems doing +1 is different from doing ×1. The difference between the 2 is that the pairing is fully nullified in the later case…
Hence why pairing that contains point at infinity are completely skipped as an optimization :
if a[i].p.IsInfinity() || b[i].p.IsInfinity() {
continue
}
Multiplicative vs additive is just notation. “+1” is exactly the same as doing x1, though in additive notation that’s usually written as +0.
Yep, but in my post the otpimal ate pairing of point at infinity is 1, not 0.
if a[i].p.IsInfinity() || b[i].p.IsInfinity() {
continue // omit that pairing
}
Yes. That doesn’t change anything. The pairing of point at infinity is the identity element of the extension prime field, whatever you write it as.
Ok. It’s possible to use a degenerate proof only if the original proof is truely genuine when there’s public inputs. But does that means it’s possible to verify the proof along it’s public inputs using only 3 pairings instead of 4 ?
I’m not saying this should be done of course.
It’s already clear from the verification equation that you don’t need four pairings, even before any optimizations. (Btw where were you getting the e(vk.alpha1, vk.alpha2) term from? That’s not in [Groth16].)
The number of operations needed for verification is given by Appendix B.2 of the Zcash protocol spec.
Let \ell be the number of public input elements. We neglect some cheap operations.
Non-batched verification of a single proof takes:
Batched verification of N proofs takes: