Try   HackMD

ZKHack Puzzles #1 Let's Hash it Out

https://zkhack.dev/events/puzzle1.html

  • private key
    sk
  • public key
    P=skG2
  • message
    m
  • message's blake2s hash
    hm=blake2s(m)
    ,
    hm
    is a scalar field element with
    256
    bits size.
  • according to WINDOW_SIZE = 1;NUM_WINDOWS = 256, CRH will generate
    256
    Points according to the rng. Let's use
    Q0,Q1,,Q255
    present them.
  • hash to curve
    H(hm)=hm[0]Q0+hm[1]Q1++hm[255]Q255
  • signature
    S=skH(hm)
  • e(S,G2)=e(H(hm),P)

There are

256 messages:
S0=hm0[0]skQ0+hm0[1]skQ1+hm0[2]skQ2++hm0[255]skQ255S1=hm1[0]skQ0+hm1[1]skQ1+hm1[2]skQ2++hm1[255]skQ255S2=hm2[0]skQ0+hm2[1]skQ1+hm2[2]skQ2++hm2[255]skQ255S255=hm255[0]skQ0+hm255[1]skQ1+hm255[2]skQ2++hm255[255]skQ255

[hm[0][0]hm[0][1]hm[0][2]hm[0][255]hm[1][0]hm[1][1]hm[1][2]hm[1][255]hm[2][0]hm[2][1]hm[2][2]hm[2][255]hm[255][0]hm[255][1]hm[255][2]hm[255][255]][skQ0skQ1skQ2skQ255]=[S0S1S2S255]

Let use

A represent the
hm
Matrix, use
Q
represent
skQi
Vectors:

AQ=SQ=A1S

and if we have a new message

m, we can get it's signature by
S=hmQ

I think it would be dangerous to

The problem is that when hash to curve, first hash to field then

fieldQ, will be dangerous.

Even though we know how to do it, there are still difficulties. In Rust, there are almost no libraries that can find the inverse of a matrix whose elements are in a finite field. I tried two linear algebra libraries, but they directly returned f32. In Sage, when multiplying a matrix by a vector, the data types of the matrix and vector are not allowed to be inconsistent:

sage solution.sage Traceback (most recent call last): File "/Users/flyq/workspace/github/flyq/zkhack-bls-pedersen/solution.sage.py", line 798, in <module> Q = m1.inverse() * S ~~~~~~~~~~~~~^~~ TypeError: can't multiply sequence by non-int of type 'sage.matrix.matrix_generic_dense.Matrix_generic_dense'

So, we need use sage to find out the

A1, then use Rust to get the
Q
vector and calculate the signature by
S=hmQ

we first used the sage code here to print the

A matrix's inverse(a_inv), then we need copy the a_inv's values to rust code and finish the solution.

Whole code: https://github.com/flyq/zkhack-bls-pedersen