NIZK arguments for QAP GRO16 proof simulation

I’m studying how zero knowledge for quadratic arithmetic programs works (GRO16 page 17) and try do understand proof simulation part.

If I understood right, if malicious party knows 𝛼,𝛽,𝛿α,β,δ from setup it will be possible to construct 𝐴,𝐵,𝐶A,B,C that will satisfy verification equation.

Are there are any other combinations of setup parameters that can help to simulate a valid proof?

Also, I would be grateful for a useful link / or research work where proof simulation for QAP this can be described.

1 Like

Hey @vladyslavmunin, great to see that this is of interest to you.
Indeed, if one has a way of subverting some combination of the parameters in the setup phase, then then potentially fake proofs could be generated.

Specifically, if a malicious prover gets hold of the \gamma or of the \delta, then they could generate fake proofs. This is because they would be able to change the values of the v_i, w_i, u_i to make the expression divisible, where the verifier would not know what is the relation being proven on.

There are a couple of interesting works around this:

I can also recommend two blog posts:

Hope this helps and good luck!