Verify commitment inside of a circuit

[wuwuz]

Hi, what's the common practice of verifying the correctness of a commitment with gnark?
One way I know is to directly use the mimc hash as the one-way function but iirc the security analysis is not well-founded.

I checked api.Compiler.Commit() but don't quite follow how it's used.

What I want will be pretty similar to proving the knowledge of a pre-image of a hash function:
Given a message z, the witness contains c = commit (z; r) with some witness randomness r
The circuit checks that c is the right commitment of the witness message z and randomness r.
AssertEq(c, commit(z; r))

[Tabaie]

What is your use case? If we narrow down the set of possible commitment schemes that way we can look at which ones are easier to verify with gnark.

[wuwuz]

We are doing an experimental implementation of a finance-related MPC protocol (just want to have some demo for research demo, not a serious industrial product)
Right now we are ok with any commitment scheme that is computationally hiding and binding.
E.g., Pederson / Hash-based schemes are fine for us.

[Tabaie]

Do you need the commitment before your SNARK proof generation or would it be okay to obtain it from the SNARK? If the latter, you may be able to use api.Commit.

[wuwuz]

We need the commitment to be generated before the snark proof generation.

[Tabaie]

api.Commit introduces a notion of time into a SNARK. Namely, the values of many variables can be computed after the commitment value is given. Would that be useful for your application?