Pratyush
commented
4 years ago This is now fixed in master, by default allocating both public and private inputs performs a subgroup check, with explicit opt-outs available as separate methods on the GroupVar trait.
AllocGadget implementation for twisted Edwards curve points always performs on-curve checks, but offers subgroup checks only for auxiliary inputs. So to do the subgroup check for a public input point one has to allocate a new point and check the equality that costs, say, 5 extra constraints. At the same time there's no way to allocate an input point without any checks, while there is "alloc_without_check" for aux inputs. And for short Weierstrass "alloc_input" doesn't do any checks.
Also there's no way to "inputize" (like in bellman) a point allocated by a gadget.