Implement an efficient zero-knowledge-less variant of Groth16

[kobigurk]

When Groth16 is used for arguments without the need zero-knowledge, it's possible to save some calculations.

Specifically, as can be seen below, the term rB in C is not needed when r,s=0 (the random elements required for zero-knowledge). This means we don't need to calculate [B]_1, saving a large multiexp. It's still sound, as the verifier algorithm is the same.

An example of such an implementation can be seen in https://github.com/filecoin-project/bellman/pull/12/files.

Thanks to @arielgabizon for showing this to me a while ago!