[Discussion] Optimistic contribution

[CarlBeek]

As a means of speeding up contributions, the participant could contribute optimistically:

1. Participant assumes the transcript they receive from the coordinator is honest (doesn't' have any low-order elements mixed into any of the points)
2. Participant mixes in their randomness & uploads updated transcript to coordinator
3. Participant software only now does subgroup checks
4. Participant attests to their contribution on twitter etc iff checks pass

This means the rate at which participants can contribute is limited by the powers of tau multiplications alone.

[djrtwo]

how expensive are the subgroup checks in relation to the tau multiplications?

[CarlBeek]

This depends on how the subgroup checks are implemented under the hood. There are 3 options:

1. Naïve multiplication - This is the easy way to implement the checks, just multiply each point by r, but this can be slow due to the size of r. Libraries that implement this method will likely spend say 60% of their time performing these checks.
2. Endomorphism - The zcash people came up with a new faster method for subgroup checks that uses a clever endomorphism. In this case, the checks are fast enough that IMO, this optimistic idea isn't worth it.
3. Pairings - @kevaundray had the idea of using pairings to perform this check they are only defined over the subgroup as input. I really don't like this idea as it relies on unspecified behavior of the pairing function to catch a point not in the subgroup.

[CarlBeek]

This is now left up to participant implementers. If they are using the SDK defined in these specs, they are welcome to make use of this optimization as the contribute() and checkContribution() interfaces are distinct.