First, keep in mind that Ethereum only allows checking whether a set of pairings is equal to 1 in Fp12, and not checking equalities like in Zcash, which is why the equations below are totally different and would cost downvotes on a cryptography sub because of this… Otherwise I acknowledge this is more a mathematical problem, but the place where I'm the most likely to find someone who does understand it remains Ethereum, since it's partly cryptocurrency-math specific.

For those who don't know about Groth16:

By convention, the public parts of the witness are the first ℓ elements of the vector a. To make these elements public, the prover simply reveals them: [a₁, a₂, …, aℓ]

For the verifier to check that these values were in fact used, the verifier must carry out some of the computation that the prover was originally doing. Specifically, the prover computes:

Sorry, but no MathJax on reddit

Note that only the computation of [C]₁ changed: the prover only uses the aᵢ and Ψᵢ terms ℓ+1 to m. The verifier computes the first ℓ terms of the sum:

Sorry, but no MathJax on reddit

And the EIP‑197 equation in the case of Ethereum on Fp12 is:

1 ?= [A]₁∙[B]₂ × [α]₁∙[β]₂ × [X]₁∙G₂ × [C]₁∙G₂

Part 2: Separating the public inputs from the private inputs with γ and δ

The first attack described in the tutorial I read, and how it's said to be prevented:

The assumption in the equation above is that the prover is only using Ψ(ℓ+1) to Ψm to compute [C]₁, but nothing stops a dishonest prover from using Ψ₁ to Ψℓ to compute [C]₁, leading to a forged proof. For example, here is our current EIP‑197 verification equation:

Sorry, but no MathJax on reddit

If we expand the C term under the hood, we get the following:

Sorry, but no MathJax on reddit

Suppose for example, and without loss of generality, that a = [1, 2, 3, 4, 5] and ℓ = 3.
In that case, the public part of the witness is [1, 2, 3] and the private part is [4, 5]. The final equation after evaluating the witness vector would be as follows:

Sorry, but no MathJax on reddit

However, since the discrete logarithm between the private and public point in G₂ is 1, nothing stops the prover from creating a valid portion of the public witness as [1, 2, 0] and shifting the zeroed-out public portion to the private part of the computation as follows:

Sorry, but no MathJax on reddit

The equation above is valid, but the witness doesn't necessarily satisfy the original constraints. Therefore, we need to prevent the prover from using Ψ₁ to Ψℓ as part of the computation of [C]₁.

Introducing γ and δ:

To avoid the problem above, the trusted setup introduces new scalars γ and δ to force Ψℓ+1 to Ψm to be separate from Ψ₁ to Ψℓ. To do this, the trusted setup divides (multiplies by the modular inverse) the private terms (that constitute [C]₁) by γ and the public terms (that constitute [X]₁, the sum the verifier computes) by δ. Since the h(τ)t(τ) term is embedded in [C]₁, these terms also need to be divided by γ.

Again, no MathJax on reddit

The trusted setup publishes

Maybe I could use text for that one?

The prover steps are the same as before, and the verifier steps now include pairing by [γ]₂ and [δ]₂ to cancel out the denominators:

The EIP‑197 check with Groth16 as it's expected to be

The thing I'm not understanding:

So it seems to me that the description above says the attack is possible because the two G₂ points resulting from the witness input split for public inputs are equal, and thus the discrete logarithm is known since it's equal. In the other case, why is it required to modify both the private and public terms?
How could proofs still be faked without knowing the discrete logarithms between δ and G₂? Please compare with the last equation above and the first unmodified verifying equation submitted by /u/AbbreviationsGreen90
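A toy model of the witness-shifting attack and of the γ/δ separation, as an added example that is not part of the original post or of the tutorial it quotes. It represents every group element by its discrete log modulo r, so a pairing is a product and the EIP-197 product-of-pairings check becomes a linear identity in the exponent; that is only possible because the toy plays the trusted setup and knows every secret, while the honest and cheating provers are restricted to the elements a real CRS would hand them. The scalars are assigned as in the Groth16 paper (public terms divided by γ, private terms and h(τ)t(τ) by δ), which is the reverse of the labelling in the post; the check is symmetric in which scalar goes where. The `same_gamma_delta` flag reproduces the situation the post asks about, where the two G₂ points the verifier pairs with have discrete log 1 relative to each other. The names `ToySetup`, `honest_proof`, `forge`, `verify` and `demo` are this example's own, and the honest proof is constructed by solving for C rather than from a QAP, which is noted in the code.

```python
"""Toy model of the Groth16 public/private witness split and the gamma/delta fix.

Each group element is its discrete log mod r, so e([x]_1,[y]_2) is x*y mod r and
the EIP-197 product-of-pairings check is a linear identity in the exponent. The
toy plays the trusted setup; provers only touch what a real CRS would give them.
(Added example, not code from the original post or the tutorial it quotes.)
"""
import random

# Scalar field order of alt_bn128 (BN254), the curve behind EIP-197.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
ELL = 3  # number of public witness entries, as in the post's example


def inv(x):
    """Modular inverse in the scalar field (R is prime)."""
    return pow(x, R - 2, R)


class ToySetup:
    """Trusted setup. psi[i] stands for beta*u_i(tau) + alpha*v_i(tau) + w_i(tau)."""

    def __init__(self, m, seed=7, same_gamma_delta=False):
        rng = random.Random(seed)
        self.alpha, self.beta = rng.randrange(1, R), rng.randrange(1, R)
        self.gamma = rng.randrange(1, R)
        # gamma == delta: the two G2 points have a known discrete log (1)
        # relative to each other, the case the post asks about.
        self.delta = self.gamma if same_gamma_delta else rng.randrange(1, R)
        self.psi = [rng.randrange(1, R) for _ in range(m)]

    def crs(self, separated):
        """psi terms exposed by the CRS: 'public' feed the verifier's X, 'private' feed C.
        separated=False: plain [psi_i]_1 for all i (before the fix).
        separated=True : [psi_i/gamma]_1 for i <= ell, [psi_i/delta]_1 for i > ell."""
        if not separated:
            return {"public": self.psi[:ELL], "private": self.psi[ELL:]}
        ig, idl = inv(self.gamma), inv(self.delta)
        return {"public": [p * ig % R for p in self.psi[:ELL]],
                "private": [p * idl % R for p in self.psi[ELL:]]}


def honest_proof(setup, a, separated):
    """An accepting proof for witness a (public part a[:ELL]).
    A real prover derives A, B and h(tau)t(tau) from the QAP; the toy only needs
    some accepting proof to start the forgery from, so it draws A, B and lets the
    setup define the leftover as the h*t term. C is built as the prover would."""
    crs = setup.crs(separated)
    rng = random.Random(len(a))
    A, B = rng.randrange(1, R), rng.randrange(1, R)
    full = sum(ai * p for ai, p in zip(a, setup.psi)) % R
    ht = (A * B - setup.alpha * setup.beta - full) % R  # stands in for h(tau)t(tau)
    private_part = sum(ai * p for ai, p in zip(a[ELL:], crs["private"])) % R
    C = (private_part + (ht * inv(setup.delta) if separated else ht)) % R
    return A, B, C


def verify(setup, proof, public_inputs, separated):
    """EIP-197 check in the exponent, X computed by the verifier from the public inputs.
    separated=False: e(A,B) == e(alpha,beta) e(X,G2) e(C,G2)
    separated=True : e(A,B) == e(alpha,beta) e(X,[gamma]2) e(C,[delta]2)"""
    A, B, C = proof
    pub_terms = setup.crs(separated)["public"]
    X = sum(ai * p for ai, p in zip(public_inputs, pub_terms)) % R
    if separated:
        rhs = (setup.alpha * setup.beta + X * setup.gamma + C * setup.delta) % R
    else:
        rhs = (setup.alpha * setup.beta + X + C) % R
    return A * B % R == rhs


def forge(setup, proof, public_inputs, zero_index, separated):
    """The attack from the post: zero one public input and fold it into C.
    The cheater only holds the CRS copy of that psi term: [psi]_1 before the fix,
    [psi/gamma]_1 after it, and never [psi/delta]_1 for a public index."""
    A, B, C = proof
    term = setup.crs(separated)["public"][zero_index]
    C_forged = (C + public_inputs[zero_index] * term) % R
    forged_public = list(public_inputs)
    forged_public[zero_index] = 0
    return (A, B, C_forged), forged_public


def demo():
    """Runs the post's example a=[1,2,3,4,5], ell=3 (public [1,2,3] -> forged [1,2,0])."""
    a = [1, 2, 3, 4, 5]
    results = {}
    for separated in (False, True):
        setup = ToySetup(len(a))
        proof = honest_proof(setup, a, separated)
        results[("honest", separated)] = verify(setup, proof, a[:ELL], separated)
        forged, pub = forge(setup, proof, a[:ELL], 2, separated)
        results[("forged", separated)] = verify(setup, forged, pub, separated)
    weak = ToySetup(len(a), same_gamma_delta=True)
    forged, pub = forge(weak, honest_proof(weak, a, True), a[:ELL], 2, True)
    results[("forged", "gamma==delta")] = verify(weak, forged, pub, True)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

Without separation the shifted proof for [1, 2, 0] is accepted, because the verifier's [Ψ₃]₁ and the one the prover folded into [C]₁ are the same element. With separation the cheater's only copy of Ψ₃ is [Ψ₃/γ]₁, so after the verifier pairs C with [δ]₂ it contributes 3Ψ₃·δ/γ instead of the 3Ψ₃ that was removed from X, and the check fails unless δ = γ; the `gamma==delta` case shows the forgery coming back exactly when the two G₂ points have a known discrete log relative to each other.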