Groth16 Recap
In this chapter, we’ll be looking at the internals of how Groth16’s CRS works, so it might be useful to very briefly describe how the system works. For another succinct resource on Groth16, see Kurt Pan’s Notes.
Constraint System
We work over a circuit taking $n$ inputs, which we write as $[z_{i}∈F∣i∈[n]]$. There is an index $s∈[n]$ such that the $[z_{i}∣i<s]$ are the public inputs, and the $[z_{i}∣i≥s]$ are the private inputs.
The constraints of our circuit are encoded as a list of polynomials $[u_{i},v_{i},w_{i}∈F[X]∣i∈[n]]$ of degree $d−1$, along with a polynomial $t(X)$, of degree $d$. The inputs satisfy the circuit when the following equation holds: $(i∑ z_{i}u_{i}(X))(i∑ z_{i}v_{i}(X))≡i∑ z_{i}w_{i}(X)modt(X)$ (Note that saying that $f(X)≡g(X)modt(X)$ is equivalent to saying that there exists an $h(X)$, of degree at most $d−2$, such that $f(X)−g(X)=h(X)t(X)$).
The goal of a proof is to prove knowledge of the $[z_{i}∣i≥s]$ satisfying these constraints, without revealing information about what their values might be.
CRS
The CRS involves generating private parameters, and then performing some calculations to derive public elements, which are then used for creating and verifying proofs. It’s important that these private parameters are destroyed after being used to derive the public parameters.
As a shorthand, we define the following polynomial: $p_{i}(X):=βu_{i}(X)+αv_{i}(X)+w_{i}(X)$ which gets used many times in the CRS itself.
The private parameters consist of randomly sampled scalars: $α,β,γ,δ,x$
The public parameters are then derived from these private ones, producing the following list of elements:

$[α]_{1},[β]_{1},[δ]_{1}$

$[x_{i}]_{1}(i∈[0,…,d−1])$

$[γ1 p_{i}(x)]_{1}(i<s)$

$[δ1 p_{i}(x)]_{1}(i≥s)$

$[δt(x) x_{i}]_{1}(i∈[0,…,d−2])$

$[β]_{2},[γ]_{2},[δ]_{2}$

$[x_{i}]_{2}(i∈[0,…,d−1])$
(Note that given $[ρ⋅x_{i}]_{σ}$ for $i$ up to a given degree $d$, we can then compute $[ρf(x)]_{σ}$, for any polynomial $f$ of degree up to $d$, since this element is a linear combination of these monomial elements. We write $ρf([x]_{σ})$ to denote this process.)
Proving and Verifying
Next we describe the proving and verification equations:
Proving
A proof $π$ consists of three group elements: $A,C∈G_{1}$, and $B∈G_{2}$.
The proof requires the generation of two fresh random scalars $r$ and $s$, which are then used to compute the following elements:

$A:=[α]_{1}+i∑ z_{i}⋅u_{i}([x]_{1})+r⋅[δ]_{1}$

$B:=[β]_{2}+i∑ z_{i}⋅v_{i}([x]_{2})+s⋅[δ]_{2}$

$B^:=[β]_{1}+i∑ z_{i}⋅v_{i}([x]_{1})+s⋅[δ]_{1}$

$C:=i≥s∑ z_{i}⋅[δ1 p_{i}(x)]_{1}+δt(x) h([x]_{1})+s⋅A+r⋅B^−rsδ$
Finally, the proof is returned as $(A,B,C)$.
Verification
Given a proof $π=(A,B,C)$, verification checks: $A⊙B=?[α]_{1}⊙[β]_{2}+i<s∑ z_{i}⋅[γ1 p_{i}(x)]_{1}⊙[γ]_{2}+C⊙[δ]_{2}$
Modified CRS
BGM17 (Section 6) proposed a slightly modified CRS, adding extra elements, in order to simplify the setup ceremony. They also proved that adding these elements did not affect the security (specifically, knowledge soundness) of the scheme.
The CRS becomes:

$[α]_{1},[β]_{1},[δ]_{1}$

$[x_{i}]_{1}(i∈[0,…,2d−2])$

$[αx_{i}]_{1}(i∈[0,…,d−1])$

$[βx_{i}]_{1}(i∈[0,…,d−1])$

$[δ1 p_{i}(x)]_{1}(i≥s)$

$[δt(x) x_{i}]_{1}(i∈[0,…,d−2])$

$[β]_{2},[δ]_{2}$

$[x_{i}]_{2}(i∈[0,…,d−1])$
The main change is that $γ$ has been removed, and that we now have access to higher degrees of $x_{i}$ in $G_{1}$, along with direct access to $αx_{i}$ and $βx_{i}$.