need to hide running claim evaluation

[jkwoods]

simulation proof for zk wouldn't hold bc running claim has info about private document table, namely v is a linear combination of the document table.

[sga001]

Proposed solution: Prover from Nova will output H(v || s) for some secret s. Prover will then use a different zkSNARK that takes a public commitment g^vh^r as input, and proves that it knows a v and an s (passed as secret witnesses), such that it is the same v as the one in the commitment. At this point, the Verifier can trust g^v h^r, instead of computing it itself as we were doing before. It can then use this in the IPA protocol as before.

• [x] Add support to Nova to prove SNARKs directly
• [ ] Output H(v||s) instead of v, and keep track of both v and s so that they can be used with second SNARK
• [x] Construct a step circuit that computes assert!(d == H(v || s)). v is the entry at position 0 in W and d is public I/O.
• [x] Create a new commit-and-prove SNARK that works directly over g^v * h^r instead of v.

[jkwoods]

Custom circuit: consistency.rs.txt

Compiled with:

[dependencies]
nova-snark ={ git = "https://github.com/sga001/Nova"}
bellperson = { version = "0.24", default-features = false }
pasta_curves = { version = "0.5.2", features = ["repr-c", "serde"], package = "fil_pasta_curves" }
ff = "0.12.0"
neptune = "8.1.0"
generic-array = "0.14.4"

[jkwoods]

Circuit for sga nova on PR. TODO: circuit in rezk

[sga001]

Merged. Now it works. We are just missing the same circuit in Reef.

Since the changes I made to Consistency test to how you'll need to generate the commitment and pass it to cap_prove and cap_verify when we generate the proof of consistency.

[jkwoods]

• [x] change commitment generation w/cap

[ecmargo]

Finished. Currently on branch hiding_rc, @jkwoods will merge