Several implementations only randomnize δ when using Groth16. Does this means sampling only 1 of γ or δ is enough to prevent forgeries?

According to page 17 from groth16, α ; β ; γ ; δ should be sampled by the trusted setup. This article describe an attack. But the attack described seems to only work when \gamma, \delta are equal. Nerveless it also states both values should be sampled and not just 1.

But I’m seeing several implementation that randomize just δ thus leaving γ to the Generator point. Does this means in reality that the 2 G_2 points representing public inputs should just have unknown discrete logarithms relation in order to thwart any possible attack ? I fail to see how this could be unsafe.

For optimal security in Groth16, both γ and δ should be independently sampled in the trusted setup to avoid any known relationships that could weaken the system. Leaving γ as a fixed generator, while only randomizing δ, can introduce vulnerabilities by creating predictable structures. Independent sampling ensures there’s no exploitable relationship, maintaining the integrity of the zero-knowledge proof.

My problem is having a concrete attack that work based on this. I m in a field where no proofs means secure so without example I can t convince anyone. Zcash itself seems to behave in the way described in this post.

Jens Groth himself told me he wrote about randomnizing both only because it makes proving the security simpler.