Hello,

The verification algorithm is already simple but I was thinking about some costly environments like blockchains having low block limits. This might be naïve thinking but I was wondering at possibility : normally the prover gives 3 elliptic curves points to the verifier A ; B ; C When public inputs are used C/the inputs vector is split.

But as a simplification part, why not completely ditch the C parts of the proof when public inputs are used ? That way, the verifier would have to compute 1 pairing in less for verifying the proof. I’m meaning e(C,verifying_key_part). It seems to me the requirement to pair with public inputs would still ensure the security of the system… Is it because skipping that pairing would allow to forge public inputs ? As far I understand, a malicious prover would still have to satisfy all constraints of the quadratic arithmetic program and thus would have to use public inputs satisfying constraints. Or is it because it would be impossible to rework the protocol to have the prover being able to produce proofs that verify ?

Or even maybe both of the assumptions above ? 2A01:E0A:401:A7C0:9CB:33F3:E8EB:8A5D (talk) 11:51, 29 September 2024 (UTC)[reply]