swasilyev

Results 11 comments of swasilyev

> Here is an implementation of the matter-labs team

It looks identical to bellman/zexe. Are you sure it uses the described trick? Dusk PLONK [uses zexe](https://github.com/dusk-network/bls12_381/pull/1) implementation, so I doubt...

Re: decide if this should validate membership within the group? Could you please leave some backdoor to create an out-of-the-subgroup point. We use such a point in a protocol to initialize...

The same applies to the bases in kzg10::PreparedCommitment

I think there is no issue with this encoding. I imagine that these values end up somewhere in libsnark and reversed binary string is the native representation for it. i2lebsp...

Can also remove "bitmask booleanity" constraint from this scheme, but impact on either prover or verifier is likely negligible.

Really what? Verifier knows the bitmask. Its booleanity can be assured by Rust type system.

There's an observation by @burdges or @AlistairStewart that if the curve is not prime order (has a cofactor), you can start summation from an element from outside the subgroup. Then...

Why don't we just deprecate this curve? Are there any projects that haven't switched to BW-761? The BW one is strictly better, see https://eprint.iacr.org/2020/351.pdf, and is implemented here https://github.com/arkworks-rs/curves/tree/master/bw6_761

My point probably was that you don't always have the polynomial in the monomial form. I wanted to present Groth16 as an example but then realized that the division can...

So this pairing computation results in another target group element?