Implement GS over basic Groth16 verification

[jdwhite48]

Pre-requisites: Issue #6 in groth-sahai-rs (potentially)

• Implement a basic commit-and-prove function that a Groth16 verification equation is satisfied. The function should take as input n tuples of the form (Proof, VerifyingKey, prepared_pub_input) where each Proof is the tuple (A_p, B_p, C_p), and prepared_pub_input is the single G1 element Σ_{i=0}^{\ell [p]} a_i W_i where a_i \in Fr are the public inputs and W_i = gamma_abc_g1[i] from vks[i]: VerifyingKey. A single GS-compatible Groth16 verification equation has the following form:

e( C_0, - vks[0].delta_g2 ) * e( A_0, B_0 ) = e( vks[0].alpha_g1, vks[0].beta_g2 ) * e( prepared_pub_input[0], vks[0].gamma_g2 )

which, for Groth-Sahai, gets encoded as the following Equation struct fields:

Γ = [ 1, 0 ], A = [ 0 ], B = [ 0, - delta_g2 ] and t = e(alpha_g1, beta_g2) * e(prepared_pub_input, gamma_g2)

where the EquProof consists of X = [ A_0, C_0 ], Y = [ B_0 ].

• Similarly, implement a basic verify function that takes the commitments to X and Y, together with n (EquProof, VerifyingKey, prepared_pub_input) as input, and re-interprets the n Equation as before to verify that GS' EquProof is a valid witness to the satisfiability of Groth16 verification equations.
• Optionally, compare benchmarks for separately proving about n individual commitments / equations (though having the commits specific to an individual equation is non-canonical for GS) vs. composing all n equations into a single GS proof

[jdwhite48]

I'll open a new issue if I want to consider new optimizations in the wrapper