One of the primary issues in the literature and in my personal experience with using Groth-Sahai beyond a black-box manner is that it's a non-trivial (and at times tedious) process to apply the many properties of bilinear group arithmetic and its equipped pairing to encode each equation into the desired (A * Y) (X * B) (X * Γ Y) = t form that is expected of a Groth-Sahai statement. Especially in situations where one must prove about the satisfiability of many different equations or with lots of unique / unstructured variables, this could become a laborious-- if not impossible-- process trying to even encode the Groth-Sahai statement properly for the API to accept it.

And so, I think it would be incredibly useful to have some sort of tool that, given a human-readable list of equations to be satisfied, restructures the different kinds of equations into a format that is amenable to Groth-Sahai, and also auto-generates the necessary equations that can be plugged directly into the API.

(n.b. this would likely be such a massive undertaking even IF I could figure out how to do it. And so, I'm pre-emptively marking it as wontfix. I have no idea if I'll even get here, but I'll keep the issue open in case I or anyone else reading this finds inspiration to work on this)

Pre-requisites: Issue #6 in groth-sahai-rs (potentially)

• [x] Implement a basic commit-and-prove function that a Groth16 verification equation is satisfied. The function should take as input n tuples of the form (Proof, VerifyingKey, prepared_pub_input) where each Proof is the tuple (A_p, B_p, C_p), and prepared_pub_input is the single G1 element Σ_{i=0}^{\ell [p]} a_i W_i where a_i \in Fr are the public inputs and W_i = gamma_abc_g1[i] from vks[i]: VerifyingKey. A single GS-compatible Groth16 verification equation has the following form:

e( C_0, - vks[0].delta_g2 ) * e( A_0, B_0 ) = e( vks[0].alpha_g1, vks[0].beta_g2 ) * e( prepared_pub_input[0], vks[0].gamma_g2 )

which, for Groth-Sahai, gets encoded as the following Equation struct fields:

Γ = [ 1, 0 ], A = [ 0 ], B = [ 0, - delta_g2 ] and t = e(alpha_g1, beta_g2) * e(prepared_pub_input, gamma_g2)

where the EquProof consists of X = [ A_0, C_0 ], Y = [ B_0 ].

• [x] Similarly, implement a basic verify function that takes the commitments to X and Y, together with n (EquProof, VerifyingKey, prepared_pub_input) as input, and re-interprets the n Equation as before to verify that GS' EquProof is a valid witness to the satisfiability of Groth16 verification equations.
• [ ] Optionally, compare benchmarks for separately proving about n individual commitments / equations (though having the commits specific to an individual equation is non-canonical for GS) vs. composing all n equations into a single GS proof

Similar to Issue #1, but with Groth-Sahai also treating some number a_0, ..., a_{k-1} of G16 public inputs as GS hidden variables, which supposedly links the n Groth16 proofs together in some fashion (agnostic to the operation of GS).

• [ ] Also passing this as input into the prove function and with prepared_pub_input being Σ_{i=k}^{\ell [0]} a_0,i W_0,i instead, by simple bilinear group arithmetic properties a single GS-compatible Groth16 verification equation would take the following form:

e( C_0, -vks[0].delta_g2 ) * e( S_0, -vks[0].gamma_g2 ) * e( A_0, B_0 ) = e( vks[0].alpha_g1, vks[0].beta_g2 ) * e( prepared_pub_input[0], vks[0].gamma_g2 )

where S_0 = Σ_{i=0}^{k-1} a_0,i W_0,i. For Groth-Sahai, gets encoded as the following Equation struct fields:

Γ = [ 1, 0, 0 ], A = [ 0 ], B = [ 0, - delta_g2, - gamma_g2 ] and t = e(alpha_g1, beta_g2) * e(prepared_pub_input, gamma_g2).

where the EquProof consists of X = [ A_0, C_0, S_0 ], Y = [ B_0 ].

• [ ] Similarly, implement a basic verify function that takes the commitments to X and Y, together with n (EquProof, VerifyingKey, prepared_pub_input) as input, and re-interprets the n Equation as before to verify that GS' EquProofis a valid witness to the satisfiability of linked Groth16 verification equations.