So, the operations which you can perform are:
- `(g^a + B^c)` - multiply a point by a scalar and add it to the generator multiplied by a scalar; if `a` is zero, it acts just like `B^c`
- `(A^b + C^d)` - multiply two points by two scalars and add them together, however you need to provide the results of `A^b` and `C^d` as ‘witnesses’ to verify the ecmul operations are correct, then you can add the two witness points together.
As I mention above, the first makes it possible to verify Pedersen commitments using one ecrecover operation, or to verify ring signatures (not tagged/linkable ones though).
The second makes it possible to do lots more, e.g. linkable ring signatures, Schnorr signatures, aggregate MuSig etc. but you need to provide a witness point for anything you multiply on-chain to verify correctness.
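The two operations above, as an added Python sketch that is not part of the original post: it models the point ECRECOVER derives internally and shows which `(z, v, r, s)` arguments make that point equal `a*G + c*B` (the post's `g^a + B^c` in additive notation). The function names are hypothetical, and points are compared directly, whereas on-chain only the address hashed from the recovered point is returned, which is why operation 2 needs witness points.

```python
# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, p):
    """Double-and-add scalar multiplication (k reduced mod N)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def ecrecover_point(z, v, r, s):
    """Point ECRECOVER derives before hashing it: Q = r^-1 * (s*R - z*G)."""
    y = pow((r**3 + 7) % P, (P + 1) // 4, P)   # lift x = r onto the curve
    if y % 2 != v - 27:
        y = P - y
    rinv = pow(r, -1, N)
    return add(mul(s * rinv, (r, y)), mul(-z * rinv, G))

def mul_add(a, B, c):
    """Operation 1: choose (z, v, r, s) so the recovered point is a*G + c*B."""
    r = B[0]                                    # assumes B.x < N
    return ecrecover_point(-a * r % N, 27 + (B[1] & 1), r, c * r % N)

def add_products(A, b, C, d, wit_A, wit_C):
    """Operation 2: check both witnesses via operation 1, then add them."""
    if mul_add(0, A, b) != wit_A or mul_add(0, C, d) != wit_C:
        return None                             # a witness is wrong
    return add(wit_A, wit_C)
```
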