But I’m seeing several implementations that randomize just δ, thus leaving γ to the Generator point. Does this mean in reality that the 2 G_2 points representing public inputs should just have an unknown discrete logarithm relation in order to thwart any possible attack? I fail to see how this could be unsafe.
For optimal security in Groth16, both γ and δ should be independently sampled in the trusted setup to avoid any known relationships that could weaken the system. Leaving γ as a fixed generator, while only randomizing δ, can introduce vulnerabilities by creating predictable structures. Independent sampling ensures there’s no exploitable relationship, maintaining the integrity of the zero-knowledge proof.
My problem is having a concrete attack that works based on this. I'm in a field where no proofs means secure, so without an example I can't convince anyone. Zcash itself seems to behave in the way described in this post.
Jens Groth himself told me he wrote about randomizing both only because it makes proving the security simpler.