Secret-Bounties: Can we swap out the one-time-pad with Public-Key Crypto?

[tzaffi]

Apparently, there are ZK-SNARKS that implement public-key cryptography:

• RSA/ElGamal in Circom (Thanks to @kobigurk)
  • methinks this may be a signature scheme rather than encryption/decryption
• ECDSA in Circom (Thanks to @weije_eth)
  • Looks like generating witnesses from private ECDSA keys inside of a circuit is possible, but I don't know if these could also be used to decrypt a message inside of a circuit

With that in mind, can the Alice/Eve Secret-Bounties Protocol (cf. #7) be modified to be:

Can we Create an Algorand App or Logic Sig with the Following Properties?

1. Verifies that a secret is provided by the sender
2. The secret should be encrypted and private except to those who possess the encryption's decrypt key. In particular, this means that during the application's transaction, the secret cannot be decrypted in a way that is "plain to see".
3. The secret should be decryptable by the app's author directly from viewing the application's transaction (because they possess the encryption's secret key)

Can the following "solution" be implemented?

Alice possesses a public-private key pair (PK, SK). She wishes to learn a particular secret (eg “find a factor of the large number $n$"). She authors a ZK-SNARK circuit which internally uses SK to decrypt a public input and assert the special property of the plaintext (eg this will involve applying the decryption $D_{\rm{SK}}(p')$ to a provided input inside the circuit with $p'$ defined below)

1. Alice publishes the secret request and:

• her public key PK
• the ZK-SNARK's public parameters for generating a witness, constructing a proof and verifying the proof
• a smart contract $A$ which verifies the constructed proof and sends a reward to an address specified by the solver

2. A bounty hunter Eve knows a solution (eg she knows a non-trivial $p$ that factors $n$) and claims the bounty as follows:

• constructs the witness and proof using PK and the ZK-SNARK public parameters which Alice has published (eg this will involve applying the encryption $E_{\rm{PK}}(p) = p'$ to generate part of the witness)
• runs Alice's app $A$ on her private network providing the necessary inputs to ensure that the bounty would be paid
• calls Alice's app $A$ to claim the bounty

Since Eve has provided $p'$ as an input to $A$, Alice can easily analyze the application call transaction which paid the bounty and learn $p = D_{\rm{SK}}(p')$.