When using Groth16, is it really needed to change both G₂ points of the public & private inputs in the trusted setup for avoiding public input forgery ?
First remember ᴇɪᴘ‒197 only allow to check if a set of pairings is equal to 1 in Fp^(12) and not to compare equalities like in Zcash which is why the equations below are different and would worth downvotes on a cryptographic sub as a result…
# For those who don’t know about Groth16 :
By convention, public portions of the witness are the first ℓ elements of the vector **a**. To make those elements public, the prover simply reveals them :
\[*a₁*,*a₂*,…,*a*ℓ\]
For the verifier to test that those values were in fact used, verifier must carry out some of the computation that the prover was originally doing.
Specifically, the prover computes :
[Sorry, but no MathJax on reddit](https://preview.redd.it/pqdtempzezsd1.png?width=536&format=png&auto=webp&s=a2d7fe92e26b9b8bab9961ae693dc8176c663d6f)
Note that only the computation of **\[C\]₁** changed -- the prover only uses the **a**i and Ψ*i* terms ℓ+1 to **m**.
The verifier computes the first ℓ terms of the sum :
[Sorry but no MathJax on reddit](https://preview.redd.it/f0gz8tjrfzsd1.png?width=279&format=png&auto=webp&s=55b2f75d4cb2f4473865f085c1e9146db3d390f1)
And the ᴇɪᴘ‒197 equation in the case of Ethereum on Fp^(12) is : 1?=\[*A*\]₁∙\[*B*\]₂×\[*α*\]₁∙\[*β*\]₂×\[*X*\]₁∙*G₂*×\[*C*\]₁∙*G*₂
# [Part 2 : Separating the public inputs from the private inputs with γ and δ](https://www.rareskills.io/post/groth16)
# The first attack [described in the tutorial I read](https://www.rareskills.io/post/groth16) and how it’s said to be prevented :
The assumption in the equation above is that the prover is only using Ψ(ℓ+1) to Ψ*m* to compute **\[C\]₁**, but nothing stops a dishonest prover from using Ψ**₁** to Ψℓ to compute **\[C\]₁**, leading to a forged proof.
For example, here is our current ᴇɪᴘ‒197 verification equation :
[Sorry but no MathJax on reddit](https://preview.redd.it/676myt4ckzsd1.png?width=639&format=png&auto=webp&s=56d7cc9cab9a3ff25bb694d27ac4478677a0fbd8)
If we expand the C term under the hood, we get the following :
[Sorry but no MathJax on reddit](https://preview.redd.it/hizdviiblzsd1.png?width=906&format=png&auto=webp&s=8cf492ad7210dcbebdc1676fbdb1c2f57422d191)
Suppose for example and without loss of generality that a=\[1,2,3,4,5\] and ℓ=3. In that case, the public part of the witness is \[1,2,3\] and the private part is \[4,5\].
The final equation after evaluating the witness vector would be as follows :
[Sorry but no MathJax on reddit](https://preview.redd.it/53rakghanzsd1.png?width=963&format=png&auto=webp&s=f1bbc018b64cc369762ef66360066cecb50a5314)
However since the discrete logarithm between the public and private point in ***G₂*** is 1, nothing stops the prover from creating an valid portion of the public witness as \[1,2,0\] and moving the zeroed out public portion to the private part of the computation as follows :
[Sorry but no MathJax on reddit](https://preview.redd.it/2723fvcbqzsd1.png?width=837&format=png&auto=webp&s=cc5a504fc6951399e84d8929ded37a2d9cc9f483)
The equation above is valid, but the witness does not necessarily satisfy the original constraints.
Therefore, we need to prevent the prover from using Ψ**₁** to Ψℓ as part of the computation of **\[C\]₁**.
# Introducing γ and δ :
To avoid the problem above, the trusted setup introduces new scalars γ and δ to force Ψℓ+1 to Ψ*m* to be separate from Ψ**₁** to Ψℓ. To do this, the trusted setup divides (multiplies by the modular inverse) the private terms (that constitute **\[C\]₁**) by γ and the public terms (that constitute **\[X\]₁**, the sum the verifier computes) by δ.
Since the ***h***(***τ***)***t***(***τ***) term is embedded in **\[C\]₁**, those terms also need to be divided by γ.
[Again, no MathJax on reddit](https://preview.redd.it/ua70vela30td1.png?width=613&format=png&auto=webp&s=f45e24b58202d9ae03c5ccf6ca405c6183374dfc)
The trusted setup publishes
[Maybe I could use text for that one ?](https://preview.redd.it/2bsy3r0v40td1.png?width=608&format=png&auto=webp&s=0a4dd6ab12361f5dc520de114de9a0cc83630685)
The prover steps are the same as before and the verifier steps now include pairing by **\[*****γ*****\]₂** and **\[δ\]₂** to cancel out the denominators :
[The ᴇɪᴘ‑197 with Groth16 as it’s expected to be](https://preview.redd.it/jciw7eg470td1.png?width=934&format=png&auto=webp&s=bba29c817295b1a07401a435481ba6fc83f9f766)
# The thing I’m not understanding :
*So it seems to me the description above is the attack is possible because the 2* ***G₂*** *points resulting from the witness input split for public inputs are equals and thus the discrete logarithm is know since it’s equal,* ***In the other case why is it required to modify both the private and public terms ? How could proofs be still faked without knowing the discrete logarithms between*** **δ** ***and G₂ ?***
**Why not just divide the private terms that constitute \[C\]₁** ***by*** **δ** ***and leave the public terms as is*** *? This would mean :*
[Please compare with the last equation above and the first unmodified verifying equation](https://preview.redd.it/3wlfidxr70td1.png?width=946&format=png&auto=webp&s=afcb4d2dc0bb78d378b28fa14971d40bc7febd21)