First remember Ethereum only allow to check if a set of pairings is equal to 1 in Fp12 and not to compare equalities like in Zcash which is why the equations below are different and would worth downvotes on a cryptographic sub as a result… Otherwise I recognize this is more a mathematical problem but the place where I’m the most likely to find someone who do understand it remains on Ethereum as it’s partly cryptocurrency math specific.

For those who don’t know about Groth16 :

By convention, public portions of the witness are the first ℓ elements of the vector a. To make those elements public, the prover simply reveals them :

[a₁,a₂,…,aℓ]

For the verifier to test that those values were in fact used, verifier must carry out some of the computation that the prover was originally doing.

Specifically, the prover computes :

Sorry, but no MathJax on reddit

Note that only the computation of [C]₁ changed — the prover only uses the ai and Ψi terms ℓ+1 to m.

The verifier computes the first ℓ terms of the sum:

Sorry but no MathJax on reddit

And the ᴇɪᴘ‒197 equation in the case of Ethereum on Fp12 is : 1?=[A]₁∙[B]₂×[α]₁∙[β]₂×[X]₁∙G₂×[C]₁∙G₂

Part 2 : Separating the public inputs from the private inputs with γ and δ

The first attack described in the tutorial I read and how it’s said to be prevented :

The assumption in the equation above is that the prover is only using Ψ(ℓ+1) to Ψm to compute [C]₁, but nothing stops a dishonest prover from using Ψ₁ to Ψℓ to compute [C]₁, leading to a forged proof.

For example, here is our current ᴇɪᴘ‒197 verification equation :

Sorry but no MathJax on reddit

If we expand the C term under the hood, we get the following :

Sorry but no MathJax on reddit

Suppose for example and without loss of generality that a=[1,2,3,4,5] and ℓ=3. In that case, the public part of the witness is [1,2,3] and the private part is [4,5].

The final equation after evaluating the witness vector would be as follows :

Sorry but no MathJax on reddit

However since the discrete logarithm between the public and private point in G₂ is 1, nothing stops the prover from creating an valid portion of the public witness as [1,2,0] and moving the zeroed out public portion to the private part of the computation as follows :

Sorry but no MathJax on reddit

The equation above is valid, but the witness does not necessarily satisfy the original constraints.

Therefore, we need to prevent the prover from using Ψ₁ to Ψℓ as part of the computation of [C]₁.

Introducing γ and δ :

To avoid the problem above, the trusted setup introduces new scalars γ and δ to force Ψℓ+1 to Ψm to be separate from Ψ₁ to Ψℓ. To do this, the trusted setup divides (multiplies by the modular inverse) the private terms (that constitute [C]₁) by γ and the public terms (that constitute [X]₁, the sum the verifier computes) by δ.

Since the h(τ)t(τ) term is embedded in [C]₁, those terms also need to be divided by γ.

Again, no MathJax on reddit

The trusted setup publishes

Maybe I could use text for that one ?

The prover steps are the same as before and the verifier steps now include pairing by [γ]₂ and [δ]₂ to cancel out the denominators :

The ᴇɪᴘ‑197 with Groth16 as it’s expected to be

The thing I’m not understanding :

So it seems to me the description above is the attack is possible because the 2 G₂ points resulting from the witness input split for public inputs are equals and thus the discrete logarithm is know since it’s equal, In the other case why is it required to modify both the private and public terms ? How could proofs be still faked without knowing the discrete logarithms between δ and G₂ ? Why not just divide the private terms that constitute [C]₁ by δ and leave the public terms as is ? This would mean :

Please compare with the last equation above and the first unmodified verifying equation