ZKHack Puzzles #1 Let's Hash it Out

private key
$s k$
public key
$P = s k \cdot G_{2}$
message
$m$
message's blake2s hash
$h_{m} = blake2s (m)$ ,
$h_{m}$ is a scalar field element with
$256$ bits size.
according to WINDOW_SIZE = 1;NUM_WINDOWS = 256, CRH will generate
$256$ Points according to the rng. Let's use
$Q_{0}, Q_{1}, \dots, Q_{255}$ present them.
hash to curve
$H (h_{m}) = h_{m} [0] \cdot Q_{0} + h_{m} [1] \cdot Q_{1} + \dots + h_{m} [255] \cdot Q_{255}$
signature
$S = s k \cdot H (h_{m})$
$e (S, G_{2}) = e (H (h_{m}), P)$

There are

256

messages:

\begin{aligned} S_{0} & = h_{m 0} [0] \cdot s k \cdot Q_{0} + h_{m 0} [1] \cdot s k \cdot Q_{1} + h_{m 0} [2] \cdot s k \cdot Q_{2} + \dots + h_{m 0} [255] \cdot s k \cdot Q_{255} \\ S_{1} & = h_{m 1} [0] \cdot s k \cdot Q_{0} + h_{m 1} [1] \cdot s k \cdot Q_{1} + h_{m 1} [2] \cdot s k \cdot Q_{2} + \dots + h_{m 1} [255] \cdot s k \cdot Q_{255} \\ S_{2} & = h_{m 2} [0] \cdot s k \cdot Q_{0} + h_{m 2} [1] \cdot s k \cdot Q_{1} + h_{m 2} [2] \cdot s k \cdot Q_{2} + \dots + h_{m 2} [255] \cdot s k \cdot Q_{255} \\ \dots \\ S_{255} & = h_{m 255} [0] \cdot s k \cdot Q_{0} + h_{m 255} [1] \cdot s k \cdot Q_{1} + h_{m 255} [2] \cdot s k \cdot Q_{2} + \dots + h_{m 255} [255] \cdot s k \cdot Q_{255} \end{aligned}

[\begin{matrix} h_{m} [0] [0] & h_{m} [0] [1] & h_{m} [0] [2] & \dots & h_{m} [0] [255] \\ h_{m} [1] [0] & h_{m} [1] [1] & h_{m} [1] [2] & \dots & h_{m} [1] [255] \\ h_{m} [2] [0] & h_{m} [2] [1] & h_{m} [2] [2] & \dots & h_{m} [2] [255] \\ \dots \\ h_{m} [255] [0] & h_{m} [255] [1] & h_{m} [255] [2] & \dots & h_{m} [255] [255] \end{matrix}] [\begin{matrix} s k \cdot Q_{0} \\ s k \cdot Q_{1} \\ s k \cdot Q_{2} \\ \dots \\ s k \cdot Q_{255} \end{matrix}] = [\begin{matrix} S_{0} \\ S_{1} \\ S_{2} \\ \dots \\ S_{255} \end{matrix}]

Let use

A

represent the

h_{m}

Matrix, use

Q

represent

s k \cdot Q_{i}

Vectors:

A \cdot Q = S ⟹ Q = A^{- 1} \cdot S

and if we have a new message

m^{'}

, we can get it's signature by

S^{'} = h_{m}^{'} \cdot Q

I think it would be dangerous to

The problem is that when hash to curve, first hash to field then

field * Q

, will be dangerous.

Even though we know how to do it, there are still difficulties. In Rust, there are almost no libraries that can find the inverse of a matrix whose elements are in a finite field. I tried two linear algebra libraries, but they directly returned f32. In Sage, when multiplying a matrix by a vector, the data types of the matrix and vector are not allowed to be inconsistent:






sage solution.sage
Traceback (most recent call last):
  File "/Users/flyq/workspace/github/flyq/zkhack-bls-pedersen/solution.sage.py", line 798, in <module>
    Q = m1.inverse() * S
        ~~~~~~~~~~~~~^~~
TypeError: can't multiply sequence by non-int of type 'sage.matrix.matrix_generic_dense.Matrix_generic_dense'

So, we need use sage to find out the

A^{- 1}

, then use Rust to get the

Q

vector and calculate the signature by

S^{'} = h_{m}^{'} \cdot Q

we first used the sage code here to print the

A

matrix's inverse(a_inv), then we need copy the a_inv's values to rust code and finish the solution.

Whole code: https://github.com/flyq/zkhack-bls-pedersen

ZKHack Puzzles #1 Let's Hash it Out

Read more

Rust-Verkle [in progress]

LeRobot by hand

Inner Product Argument

What is the KZG PCS