bn256: added ExportSolidity method

[gbotrel]

Fixes #12 .

This PR adds a ExportSolidity(w io.Writer) method to the groth16.VerifyingKey interface.
For curve != bn256, returns an error.

For bn256, it uses, as suggested by @weijiekoh an audited template (audit report here)

This is experimental and has not been thoroughly tested.

Usage:

r1cs, _ := frontend.Compile(gurvy.BN256, &circuit)
_, vk, _ := groth16.Setup(r1cs)
vk.ExportSolidity(os.Stdout)

Status: generated solidity code compiles (tested on https://remix.ethereum.org)

[crazybae]

The new ExportSolidity function will be very helpful and I will test soon. Thanks.
What do you think of making a helper function to convert the Proof into map[string]*big.Int (x, y coords of two G1 pts and one G2 pt)? It will be very useful to deliver the proof generated in a client to the contract.
Actually, gnark users cannot parse the proof in the internal package easily.
https://github.com/ConsenSys/gnark/blob/experimental/solidity/internal/backend/bn256/groth16/prove.go

[crazybae]

Hi.
I tested a toy example to zk-prove a secret of 'mimc + range' then unfortunately the solidity code (generated by ExportSolidity) made an error (op code errors) both in remix jvm and in kovan.
But when I used another solidity code template generated by zokrates and exchanged vk values generated by gnark, it worked.
The contract address is https://kovan.etherscan.io/address/0x5F523F6105011691C12917d1fB7D598983Ba692e#readContract
The test proof data for the contract verification(verifyTx) and Define impl are as follows:

[Proof]
----------------------------------------------
 Ar.X: 983259416932862941844449637982501883643126831528477718160293952837703473789 
 Ar.Y: 20416101617116772776678438277219369967285774304250126454802129761922457677830 
 Bs.X.A0: 110822863084179782461216073415180609776057607836087007121589849566371308208 
 Bs.X.A1: 16408494802401507882209604290020255117545218880414865186305179490604822784935 
 Bs.Y.A0: 7250549659849825974520853399543363255878684373031423697551813682313833816033 
 Bs.Y.A1: 14627415038730439746726243571647884057326491960572629012614624887217605387129 
 Krs.X: 11850388641559481663075067343909006626004595617026377054655800584040251656331 
 Krs.Y: 21145764255100211391245101635269927935055199921299991784254570440359342538438 
Given public values: hash = 10906697096806947297974147352748238404675588919340034644298376636334057353348


[Define impl]
const maximum uint64 = 1000
func (circuit *BidCircuit) Define(curveID gurvy.ID, cs *frontend.ConstraintSystem) error {
	// hash function
	mimc, _ := mimc.NewMiMC("seed", curveID)
	// specify constraints
	cs.AssertIsEqual(circuit.Hash, mimc.Hash(cs, circuit.PreImage))
	cs.AssertIsLessOrEqual(circuit.PreImage, maximum) //circuit.Maximum)
	return nil
}

[gbotrel]

@crazybae thanks for trying this feature :-) .
Did debug out the solidity, and added an integration test against geth SimulatedBackend.

We are trying hard not to expose internal/backend/, to simplify exposed APIs and ensure that "gadgets" / circuit code is developed, as much as possible using only interfaces exposed. This ought to facilitate portability of circuits, across curves or proving systems.

To convert a bn256/groth16.Proof to big.Int elements, you can see an example usage here, using existing serialization API.

May expose that piece in a cleaner API in upcoming versions.