Inefficient serialization of ALT_BN128 r1cs proofs

[ebfull]

For us, ALT_BN128 r1cs proofs are 304 bytes in size, with point compression and binary serialization enabled.

[ebfull]

It's possible that we didn't have montgomery representations enabled.

[daira]

I'm confused as to why enabling Montgomery representations should change the proof size:

1. If I understand correctly, Montgomery form represents an element x of F_p as (xR mod p) for some power of two R. So a representative of this form is an integer in the range [0, p), just as if the field element were represented directly.
2. Why is using Montgomery representations visible at all in the proof format? I assumed we were only using them internally and converting to non-Montgomery form for the point encodings in proofs. (The cost of the conversion is essentially negligable compared to the cost of proving or verification for typical-sized circuits.) I've not heard of Montgomery form being used for external encodings before, since it's dependent on the word size which is typically not something you want to expose in a protocol spec.

[daira]

Oh, does this mean a Montgomery curve equation rather than a Montgomery field representation? I wish they were called something different.