First, remember that Ethereum only allows checking whether a set of pairings is equal to 1 in Fp.

## For those who don't know about Groth16:

By convention, the public portions of the witness are the first ℓ elements of the witness vector. For the verifier to test that those values were in fact used, the verifier must carry out some of the computation that the prover was originally doing. Specifically, the prover computes:

Sorry, but no MathJax on reddit

Note that only the computation of

The verifier computes the first ℓ terms of the sum:

Sorry, but no MathJax on reddit

And the EIP-197 equation in the case of Ethereum on Fp:

## Part 2: Separating the public inputs from the private inputs with γ and δ

## The first attack described in the tutorial I read and how it's said to be prevented:

The assumption in the equation above is that the prover is only using Ψ(ℓ+1) to Ψ

For example, here is our current EIP-197 verification equation:

Sorry, but no MathJax on reddit

If we expand the C term under the hood, we get the following:

Sorry, but no MathJax on reddit

Suppose, for example and without loss of generality, that a=[1,2,3,4,5] and ℓ=3. In that case, the public part of the witness is [1,2,3] and the private part is [4,5]. The final equation after evaluating the witness vector would be as follows:

Sorry, but no MathJax on reddit

However, since the discrete logarithm between the public and private point in

Sorry, but no MathJax on reddit

The equation above is valid, but the witness does not necessarily satisfy the original constraints. Therefore, we need to prevent the prover from using Ψ

## Introducing γ and δ:

To avoid the problem above, the trusted setup introduces new scalars γ and δ to force Ψℓ+1 to Ψ

Since the t(τ) term is embedded in [C]₁, those terms also need to be divided by γ.

Again, no MathJax on reddit

The trusted setup publishes

Maybe I could use text for that one?

The prover steps are the same as before, and the verifier steps now include pairing by

The EIP-197 with Groth16 as it's expected to be

## The thing I'm not understanding:

Please compare with the last equation above and the first unmodified verifying equation.

submitted by /u/AbbreviationsGreen90
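Added worked example, not code from the post, from the tutorial it cites, or from any Groth16 library: an exponent-level toy of the EIP-197 verification equation. Every group element is stored as its discrete log modulo the BN254 scalar field order r, so a pairing e(g1^x, g2^y) is just x·y mod r; this hides nothing and enforces nothing cryptographically, it only reproduces the algebra of the check. It assumes a constructed one-constraint circuit x·y = out with witness order [1, out, x, y] and ℓ = 2 (the constant 1 and out are public), an unblinded prover (no r, s randomness), and a `separate` switch that models the first, unprotected equation (γ = δ = 1) against the γ/δ-separated one. The `shift_public_into_c` step is the attack the post describes: the prover folds a changed public input into C using the only Ψ encodings of public slots anyone holds, the verifier's Ψ_i/γ.

```python
"""Exponent-level toy of the Groth16 / EIP-197 check (constructed example)."""
import secrets

# Scalar field order of BN254, the curve behind the EIP-197 precompiles.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Constructed one-constraint circuit: x * y = out, witness order [1, out, x, y].
# With a single constraint the QAP polynomials are constants, so their value at
# tau is the R1CS column itself and h(tau)*t(tau) is zero for a satisfying witness.
U = [0, 0, 1, 0]   # left factor selects x
V = [0, 0, 0, 1]   # right factor selects y
W = [0, 1, 0, 0]   # output selects out
ELL = 2            # public slots: the constant 1 and out


def inv(x):
    return pow(x, R - 2, R)


def pairing(x, y):
    """e(g1^x, g2^y) in the exponent model."""
    return x * y % R


def trusted_setup(separate=True):
    """Return (proving key, verifying key).  separate=False models the first
    equation of the post, where gamma = delta = 1 and nothing is separated."""
    alpha, beta = (secrets.randbelow(R - 1) + 1 for _ in range(2))
    gamma = delta = 1
    if separate:
        gamma = secrets.randbelow(R - 1) + 1
        delta = secrets.randbelow(R - 1) + 1
        while delta == gamma:
            delta = secrets.randbelow(R - 1) + 1
    psi = [(beta * U[i] + alpha * V[i] + W[i]) % R for i in range(len(U))]
    # Prover gets the private slots divided by delta; the verifying key carries
    # the public slots divided by gamma (plus alpha, beta, gamma, delta).
    pk = {"alpha": alpha, "beta": beta,
          "psi_over_delta": [p * inv(delta) % R for p in psi[ELL:]]}
    vk = {"alpha": alpha, "beta": beta, "gamma": gamma, "delta": delta,
          "psi_over_gamma": [p * inv(gamma) % R for p in psi[:ELL]]}
    return pk, vk


def prove(pk, a):
    """Unblinded Groth16 prover for witness a (no r, s randomness)."""
    A = (pk["alpha"] + sum(ai * ui for ai, ui in zip(a, U))) % R
    B = (pk["beta"] + sum(ai * vi for ai, vi in zip(a, V))) % R
    # C carries only the private slots, each already divided by delta.
    C = sum(ai * p for ai, p in zip(a[ELL:], pk["psi_over_delta"])) % R
    return A, B, C


def verify(vk, public, proof):
    """e(A,B) == e(alpha,beta) * e(sum a_i psi_i/gamma, gamma) * e(C, delta)."""
    A, B, C = proof
    pub = sum(ai * p for ai, p in zip(public, vk["psi_over_gamma"])) % R
    rhs = (pairing(vk["alpha"], vk["beta"])
           + pairing(pub, vk["gamma"])
           + pairing(C, vk["delta"])) % R
    return pairing(A, B) == rhs


def shift_public_into_c(vk, proof, honest_public, claimed_public):
    """The post's attack: fold the difference between the claimed and honest
    public inputs into C, using the verifier's psi_i/gamma encodings."""
    A, B, C = proof
    for p, h, c in zip(vk["psi_over_gamma"], honest_public, claimed_public):
        C = (C - (c - h) * p) % R
    return A, B, C


def run(separate):
    """Return (honest accepted, wrong public rejected?, shifted proof accepted)."""
    pk, vk = trusted_setup(separate)
    x, y = 3, 5
    witness = [1, x * y, x, y]
    honest_public, claimed_public = witness[:ELL], [1, x * y + 1]
    proof = prove(pk, witness)
    forged = shift_public_into_c(vk, proof, honest_public, claimed_public)
    return (verify(vk, honest_public, proof),
            verify(vk, claimed_public, proof),
            verify(vk, claimed_public, forged))


if __name__ == "__main__":
    print("gamma = delta = 1  :", run(separate=False))   # (True, False, True)
    print("gamma, delta random:", run(separate=True))    # (True, False, False)
```

With γ = δ = 1 the shifted C passes for a public input the witness does not satisfy, which is exactly the post's "the equation above is valid, but the witness does not necessarily satisfy the original constraints". With separate γ and δ the term the prover moved into C was divided by γ but is paired with δ, so it contributes Ψ_i·δ/γ instead of Ψ_i and the two sides no longer cancel. The toy only hands the prover the encodings a real prover holds; being plain scalar arithmetic it cannot stop a cheater from reading γ or δ out of the key, so it demonstrates the algebra of the separation, not its security.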