ZK-Hack Puzzle #1 Writeup

Intro

A really cool event is currently running in the Zero-Knowledge community: ZK-Hack (details: https://zkhack.dev). Every week there is a workshop about one of the ZK technologies being developed today (details). The first one, given on 26/10/2021, was an introductory workshop about the field of Zero-Knowledge Proofs, with a great historical introduction.
The event continues for the following seven weeks, and each week a new puzzle is published after that week's workshop.
In this post I'll share a write-up of the first puzzle (link), which I solved together with Elichai and Shalev.

Let's Hash it Out

Before the puzzle we are given introductory material on two topics in cryptography: BLS signatures and Pedersen hashes.

We are also referred to the documentation of the arkworks library.

The challenge is available on GitHub, here.
First, let's talk briefly about those two cryptographic topics.

BLS Signatures

BLS is a signature scheme named after Boneh, Lynn and Shacham. It is based on pairings, an algebraic construct built on bilinear maps. Before anyone panics, I'll explain what that means.

Definition: Let $G, G_{T}$ be two groups. A function $e : G \times G \to G_{T}$ is a bilinear map if:

For any scalar $λ$, any $a, b \in G$, and $c = e(a, b)$ we have:

$$e(λ \cdot a, b) = e(a, λ \cdot b) = λ \cdot e(a, b) = λ \cdot c$$

For any $a_{1}, a_{2}, b \in G$ we have:

$$e(a_{1} + a_{2}, b) = e(a_{1}, b) + e(a_{2}, b)$$

For any $b_{1}, b_{2}, a \in G$ we have:

$$e(a, b_{1} + b_{2}) = e(a, b_{1}) + e(a, b_{2})$$

In a sense, it just means that a scalar can be moved freely between the arguments, or even out of the function evaluation to the output. If you're really interested in how the magic happens, I'd recommend reading about Weil pairings.
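To make the bilinearity rules above concrete, here is a minimal sketch with a toy map. It assumes $G = G_{T} = Z_{R}$ under addition and $e(a, b) = a \cdot b \bmod R$, with a small hypothetical prime `R`. This is not a real pairing and has no security; it only satisfies the same algebraic rules.

```python
# Toy bilinear map (assumption for illustration, not a real pairing):
# G = G_T = (Z_R, +) and e(a, b) = a * b mod R.
R = 101  # small hypothetical prime group order


def e(a, b):
    """Toy pairing: multiply the two group elements modulo R."""
    return (a * b) % R


def smul(k, a):
    """Scalar multiplication k * a in the additive group Z_R."""
    return (k * a) % R


a, b, lam = 17, 42, 5
c = e(a, b)

# The scalar can sit on either argument, or outside the map.
left = e(smul(lam, a), b)
right = e(a, smul(lam, b))
outside = smul(lam, c)
print(left, right, outside)

# Additivity in the first and in the second argument.
a1, a2 = 3, 9
add_first = e((a1 + a2) % R, b) == (e(a1, b) + e(a2, b)) % R
add_second = e(a, (a1 + a2) % R) == (e(a, a1) + e(a, a2)) % R
print(add_first, add_second)
```

The three printed values agree, which is exactly the "move the scalar around" property used by the verification equation later on.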

BLS signatures are a signature scheme providing three functions: KeyGen, Sign and Verify. Let's see how these are performed. Please note that BLS signatures have multiple variants; I'll discuss a simplified one that is sufficient to understand the problem.

Setup - Let $g$ be a generator of a group $G$ of prime order $r$, and $e : G \times G \to G_{T}$ a bilinear map.

KeyGen - Take a random scalar $sk$ between $0$ and $r - 1$. The private key is $sk$ and the public key is $pk = sk \cdot g$. Publish $pk$ and keep $sk$ secret.
Sign - Given a message $m \in G$, the signature of the message is $σ = sk \cdot m$.
Verify - Given a message $m$, a public key $pk$ and a signature $σ$, verify that $e(m, pk) = e(σ, g)$. Notice that if $σ = sk \cdot m$, then since $pk = sk \cdot g$, the bilinearity of $e$ gives:

$$e(m, pk) = e(m, sk \cdot g) = e(sk \cdot m, g) = e(σ, g)$$
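The three functions can be sketched in a few lines, again over a toy group. The assumptions here are mine: the group is $Z_{R}$ under addition with the hypothetical prime `R = 2**61 - 1`, the generator is `G = 7`, and the "pairing" is multiplication mod `R`. In this toy group anyone can recover `sk` from `pk` by a division, so it only illustrates the algebra of the scheme.

```python
import secrets

R = 2**61 - 1  # toy prime group order (assumption; the puzzle's r is 255 bits)
G = 7          # generator of the additive group Z_R (any nonzero element works)


def e(a, b):
    """Toy bilinear map on Z_R: e(a, b) = a * b mod R."""
    return (a * b) % R


def keygen():
    """Return (sk, pk) with pk = sk * G. Zero is skipped to avoid a trivial key."""
    sk = secrets.randbelow(R - 1) + 1
    return sk, (sk * G) % R


def sign(sk, m):
    """Sign a message that is already a group element: sigma = sk * m."""
    return (sk * m) % R


def verify(pk, m, sigma):
    """Accept iff e(m, pk) == e(sigma, G)."""
    return e(m, pk) == e(sigma, G)


sk, pk = keygen()
m = 123456789
sigma = sign(sk, m)
valid = verify(pk, m, sigma)
tampered = verify(pk, m, (sigma + 1) % R)
print(valid, tampered)
```

The honest signature verifies and the modified one does not, mirroring the chain of equalities above.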

This is all nice, but in real-life scenarios the message to sign is an arbitrary stream of bits and not a group element. Can we map arbitrary bit-streams to group elements? The answer is yes, and it is typically done in two steps.

First, apply a cryptographically secure hash function to the message, reducing it to a constant size (e.g. 256 bits). One example of such a function is blake2b.
Second, map the hash to a group element (typically a point on an elliptic curve) using a "hash-to-curve" technique.

It is important that we introduce as little bias as possible along the way, to retain the security of the signature scheme.

One such hash-to-curve technique is Pedersen hashing, which is our next subject.

Pedersen Hashes

As mentioned, using Pedersen hashes we can map the output of a hash function to a group element. Since the elements of those groups are typically elliptic curve points, we will use "group element" and "curve point" interchangeably in this section.

The Pedersen hash setup is based on a set of $n$ group elements $g_{1}, \dots, g_{n}$, for which we assume nobody knows the discrete log of any $g_{i}$ with respect to any other $g_{j}$. In other words, for each pair $i, j$ ($i \neq j$) we can't efficiently find a value $k$ such that $k \cdot g_{i} = g_{j}$.

Given an $n$-bit output of a hash function, $h = (b_{1}, \dots, b_{n})$ (each $b_{i}$ is a single bit), the Pedersen hash of $h$ is:

$$\sum_{i = 1}^{n} b_{i} \cdot g_{i}$$

This gives us an element of the group.
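As a rough sketch of the formula above, the following computes a Pedersen-style hash of a blake2s digest. The assumptions are mine: the group is the toy additive group $Z_{R}$ (where discrete logs are trivially known, unlike on a real curve), the generators come from a seeded pseudo-random generator, and bits are read most-significant first within each byte.

```python
import hashlib
import random

R = 2**61 - 1   # toy prime group order (assumption)
N_BITS = 256    # blake2s outputs 256 bits by default

# Toy "generators": pseudo-random nonzero elements of Z_R (fixed seed for
# reproducibility). On a real curve these would be points with unknown
# discrete-log relations.
_rng = random.Random(0)
GENERATORS = [_rng.randrange(1, R) for _ in range(N_BITS)]


def hash_bits(message):
    """blake2s digest of `message` as a list of 256 bits (MSB-first, assumed)."""
    digest = hashlib.blake2s(message).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def pedersen(bits):
    """Sum of the generators selected by the 1-bits, in the toy group Z_R."""
    return sum(b * g for b, g in zip(bits, GENERATORS)) % R


bits = hash_bits(b"hello")
point = pedersen(bits)
print(len(bits), point)
```

Each 1-bit simply selects its generator, so the result is a subset sum of $g_{1}, \dots, g_{n}$.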

The Challenge

In the challenge we are given 256 messages ($m_{1}, \dots, m_{256}$) and their signatures ($s_{1}, \dots, s_{256}$), signed by some unknown private key ($sk$) whose corresponding public key ($pk$) is given as well.

Each message is signed using the BLS signature scheme, where messages are mapped to group elements by first applying a blake2s hash and then applying a Pedersen hash to its output.
It's important to mention that the output of blake2s is 256 bits wide.
The group elements $g_{1}, \dots, g_{256}$ are picked arbitrarily.
Notice that the prime order of the group in our challenge is

$$r = \mathtt{0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001}$$

Therefore the private key is a number in $Z_{r}$ (between $0$ and $r - 1$).

We are told that these signatures were published and that someone managed to sign a previously unsigned message, and we're asked how this can be done. The solution takes the form of signing our own username, as proof that we know how to do it. This basically means that existential unforgeability isn't a property of the signature scheme in this puzzle.

If you haven't tried tackling this challenge yet, I highly encourage you to do so. It is the best way to really understand what happens and to get a better grasp of the underlying concepts that take part in the challenge.

Either way, let's see how this can be solved. We begin with a few notations to make the solution simpler.

Notation

We denote the blake2s hash of a message $m_{j}$ by $b(m_{j})$, and the $i^{th}$ bit of $b(m_{j})$ by $b_{i}(m_{j})$. Therefore, the Pedersen hash of each message $m_{j}$ is:

$$\sum_{i = 1}^{256} b_{i}(m_{j}) \cdot g_{i}$$

Thus, we can view each blake2s output $b(m)$ as a column vector of 1's and 0's:

$$b(m) = \begin{pmatrix} b_{1}(m) \\ b_{2}(m) \\ \vdots \\ b_{256}(m) \end{pmatrix}$$

So we can also define basic arithmetic on blake2s hashes using vector arithmetic. For two messages $m_{i}, m_{j}$ we have:

$$b(m_{i}) + b(m_{j}) = \begin{pmatrix} b_{1}(m_{i}) + b_{1}(m_{j}) \\ b_{2}(m_{i}) + b_{2}(m_{j}) \\ \vdots \\ b_{256}(m_{i}) + b_{256}(m_{j}) \end{pmatrix}$$

where addition is over $Z_{r}$ ($r$ is the order of the group $G$).
For a scalar $c \in Z_{r}$ and a message $m$ we define the scalar multiplication $c \cdot b(m)$ as:

$$c \cdot b(m) = \begin{pmatrix} c \cdot b_{1}(m) \\ c \cdot b_{2}(m) \\ \vdots \\ c \cdot b_{256}(m) \end{pmatrix}$$
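A small sketch of this vector arithmetic, assuming a tiny hypothetical modulus `R = 101` and 4-entry vectors instead of 256, shows that sums and scalar multiples of bit vectors are in general no longer bit vectors. They are just vectors over $Z_{R}$.

```python
R = 101  # tiny hypothetical prime standing in for the group order r


def vec_add(u, v):
    """Entry-wise addition over Z_R."""
    return [(x + y) % R for x, y in zip(u, v)]


def vec_scale(c, u):
    """Multiply every entry by the scalar c over Z_R."""
    return [(c * x) % R for x in u]


u = [1, 0, 1, 1]
v = [1, 1, 0, 1]
print(vec_add(u, v))      # [2, 1, 1, 2]
print(vec_scale(100, u))  # [100, 0, 100, 100]
```

This matters later: the intermediate combinations may contain arbitrary field elements, and only the final combination has to land exactly on the bit vector of the target message.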

The solution

The solution is based on the fact that the signature itself is linear. At the end of the day, we are signing (i.e. multiplying our private key by) a group element. We'll show that the signature of the sum of two group elements is the sum of their signatures. Let's see what that means.
If we take two messages $m_{1}, m_{2}$ and compute their blake2s hashes $b(m_{1}), b(m_{2})$, their Pedersen hashes are:

$$h_{1} = \sum_{i = 1}^{256} b_{i}(m_{1}) \cdot g_{i} \qquad h_{2} = \sum_{i = 1}^{256} b_{i}(m_{2}) \cdot g_{i}$$

Thus, their signatures $s_{1}, s_{2}$ are:

$$s_{1} = sk \cdot h_{1} \qquad s_{2} = sk \cdot h_{2}$$

It's easy to see that the signature of $h_{1} + h_{2}$ is:

$$sk \cdot (h_{1} + h_{2}) = sk \cdot h_{1} + sk \cdot h_{2} = s_{1} + s_{2}$$

Not only that, but Pedersen hashing is also linear!

Given the vector arithmetic defined previously for the blake2s outputs, summing the blake2s outputs first and then applying the Pedersen hash yields the same result as applying the Pedersen hash to each blake2s output and then adding the results. In algebraic terms:

$$\sum_{i = 1}^{256} b_{i}(m_{1}) \cdot g_{i} + \sum_{i = 1}^{256} b_{i}(m_{2}) \cdot g_{i} = \sum_{i = 1}^{256} (b_{i}(m_{1}) + b_{i}(m_{2})) \cdot g_{i}$$
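Both linearity properties can be checked numerically. The sketch below assumes the toy additive group $Z_{R}$, 8 generators instead of 256, and random bit vectors standing in for blake2s outputs; all names are illustrative.

```python
import random

R = 2**61 - 1            # toy prime group order (assumption)
N = 8                    # toy vector length; the puzzle uses 256
rng = random.Random(1)   # fixed seed so the run is reproducible

gens = [rng.randrange(1, R) for _ in range(N)]  # toy Pedersen generators
sk = rng.randrange(1, R)                        # toy private key


def pedersen(vec):
    """Linear map sending a vector over Z_R to a group element."""
    return sum(x * g for x, g in zip(vec, gens)) % R


def sign(h):
    """Signature of a group element h: sk * h."""
    return (sk * h) % R


b1 = [rng.randrange(2) for _ in range(N)]  # stand-in for b(m_1)
b2 = [rng.randrange(2) for _ in range(N)]  # stand-in for b(m_2)
h1, h2 = pedersen(b1), pedersen(b2)
s1, s2 = sign(h1), sign(h2)

# Signature linearity: sign(h1 + h2) == s1 + s2.
sig_linear = sign((h1 + h2) % R) == (s1 + s2) % R

# Hash linearity: pedersen(b1 + b2) == pedersen(b1) + pedersen(b2).
summed = [(x + y) % R for x, y in zip(b1, b2)]
hash_linear = pedersen(summed) == (h1 + h2) % R

print(sig_linear, hash_linear)
```

Composing the two maps, the signature of the vector $b(m_{1}) + b(m_{2})$ is $s_{1} + s_{2}$, without anyone needing $sk$.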

OK, with these two linearity properties, we are ready to solve the puzzle!
We have a message $m$ we want to sign, and we compute its blake2s hash $b(m)$.
If we are able to find constants $c_{1}, \dots, c_{256} \in Z_{r}$ such that:

$$(\triangle) \qquad b(m) = \sum_{i = 1}^{256} c_{i} \cdot b(m_{i})$$

then we can generate a signature $s_{m}$ for $m$ by using both linearity properties:

$$(\square) \qquad s_{m} = \sum_{i = 1}^{256} c_{i} \cdot s_{i}$$

Remember that $(\triangle)$ is a vector equation, holding for each entry of the vector $b(m)$. This means that for all $j$:

$$b_{j}(m) = \sum_{i = 1}^{256} c_{i} \cdot b_{j}(m_{i})$$

Let's see why $(\square)$ holds:

$$\begin{aligned} s_{m} & = sk \cdot \sum_{j = 1}^{256} b_{j}(m) \cdot g_{j} \\ & = sk \cdot \sum_{j = 1}^{256} \left(\sum_{i = 1}^{256} c_{i} b_{j}(m_{i})\right) \cdot g_{j} \\ & = sk \cdot \sum_{i = 1}^{256} \left(\sum_{j = 1}^{256} c_{i} b_{j}(m_{i}) \cdot g_{j}\right) \\ & = \sum_{i = 1}^{256} c_{i} \cdot \underbrace{sk \cdot \left(\sum_{j = 1}^{256} b_{j}(m_{i}) \cdot g_{j}\right)}_{s_{i}} \\ & = \sum_{i = 1}^{256} c_{i} s_{i} \end{aligned}$$

Great, so now the only question is: how can we find those constants $c_{1}, \dots, c_{256}$?
Well, let's look at $(\triangle)$ again. As we already said, this is a vector equation, so it's actually a system of 256 linear equations (since the vectors are of size 256) in 256 variables ($c_{1}, \dots, c_{256}$).
We can express this system of linear equations in matrix notation:

$$A c = b$$

The unknown of the equation is:

$$c = \begin{pmatrix} c_{1} \\ c_{2} \\ \vdots \\ c_{256} \end{pmatrix}$$

The vector $b$ holds the bits of the blake2s hash of our target message $m$:

$$b = b(m) = \begin{pmatrix} b_{1}(m) \\ b_{2}(m) \\ \vdots \\ b_{256}(m) \end{pmatrix}$$

And the matrix $A$ holds the bits of the blake2s hashes of all the messages $m_{1}, \dots, m_{256}$. Each message has its own column:

$$A = \begin{pmatrix} b_{1}(m_{1}) & b_{1}(m_{2}) & \dots & b_{1}(m_{256}) \\ b_{2}(m_{1}) & b_{2}(m_{2}) & \dots & b_{2}(m_{256}) \\ \vdots & \vdots & \ddots & \vdots \\ b_{256}(m_{1}) & b_{256}(m_{2}) & \dots & b_{256}(m_{256}) \end{pmatrix}$$

The solution to the equation is:

$$c = A^{-1} b$$

Luckily enough, the matrix $A$ is invertible, so we can easily sign the message $m$ using our previous equation:

$$s_{m} = \sum_{i = 1}^{256} c_{i} s_{i}$$
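The whole attack fits in a short, scaled-down sketch. Everything here is an assumption chosen for illustration: the group is the toy additive group $Z_{R}$, the hash is blake2s truncated to 8 bits (so the system is 8 by 8 instead of 256 by 256), and the message names are made up. The helper `solve_mod` is a plain Gauss-Jordan elimination over $Z_{p}$, standing in for the matrix inversion.

```python
import hashlib
import random

R = 2**61 - 1   # toy prime group order (assumption)
N = 8           # toy hash width in bits; the puzzle uses 256

rng = random.Random(2)
gens = [rng.randrange(1, R) for _ in range(N)]  # toy Pedersen generators
sk = rng.randrange(1, R)                        # signer's secret, never used by the forger


def bits(msg):
    """N-bit blake2s digest as a list of 0/1 (MSB-first order is an assumption)."""
    digest = hashlib.blake2s(msg, digest_size=N // 8).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def sign(msg):
    """Signing oracle: sk times the Pedersen hash of the message bits."""
    return sk * sum(b * g for b, g in zip(bits(msg), gens)) % R


def solve_mod(A, b, p):
    """Solve A c = b over Z_p by Gauss-Jordan; return None if A is singular."""
    n = len(A)
    M = [[x % p for x in row] + [b[i] % p] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col]), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], p - 2, p)  # inverse via Fermat, p is prime
        M[col] = [x * inv % p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


target = b"my-username"  # hypothetical message we want a signature for
for start in range(0, 1000 * N, N):
    # Try batches of N signed messages until their bit matrix is invertible.
    msgs = [b"msg-%d" % i for i in range(start, start + N)]
    A = [[bits(m)[j] for m in msgs] for j in range(N)]  # column i = bits of msgs[i]
    c = solve_mod(A, bits(target), R)
    if c is not None:
        break
else:
    raise RuntimeError("no invertible batch found")

sigs = [sign(m) for m in msgs]                      # published signatures
forged = sum(ci * si for ci, si in zip(c, sigs)) % R
print(forged == sign(target))
```

The forger only touches `msgs`, `sigs` and the public hash. The final comparison against `sign(target)` plays the role of the pairing check in the real puzzle.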

Code

In this section we present the basic tools we used to solve the problem in code. While the puzzle's input data and program are written in rust, we wrote our solution in the sage programming language.
Sage is a mathematics-oriented programming language with many built-in tools for computation in algebra, statistics, combinatorics, graph theory and more. It may look similar to python to some readers.
We also used some rust code to preprocess the input to the sage program and to postprocess its output.

Input preprocessing

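First we extracted the blake2s hashes of the messages in the rust program using the following functions:

use std::fs::File;
use std::io::Write;
use std::time::{SystemTime, UNIX_EPOCH};

// Render `bytes` as a string of '0' and '1' characters, one per bit.
// `bytes_to_bits` is defined elsewhere (not shown here).
fn bytes_to_bits_string(bytes: &[u8]) -> String {
    let bits = bytes_to_bits(bytes);
    let mut s = String::with_capacity(bits.len());
    for bit in bits {
        if bit {
            s.push('1');
        } else {
            s.push('0');
        }
    }
    s
}

// Write the blake2s hash of every message, as a bit string, one per line.
fn write_msgs_to_file(msgs: Vec<Vec<u8>>) {
    // The file name carries a millisecond timestamp so runs don't overwrite each other.
    let mut file = File::create(format!(
        "bits_vecs-{}",
        (SystemTime::now().duration_since(UNIX_EPOCH))
            .unwrap()
            .as_millis()
    ))
    .unwrap();
    for msg in msgs {
        // The first element returned by `hash_to_curve` is the blake2s hash.
        let blake = hash_to_curve(&msg).0;
        let string = bytes_to_bits_string(&blake);
        file.write_all(string.as_ref()).unwrap();
        file.write_all(b"\n").unwrap();
    }
}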

The write_msgs_to_file function takes the input messages, computes the blake2s hash of each one, and writes each hash as a string of 0s and 1s representing its binary form.
Each hash is written on a separate line of the output file.
This file is then passed to our sage code.
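To sanity-check the file format described above, here is a hypothetical Python counterpart of the bit-string conversion, together with a parser for the resulting lines. It assumes that bits are written most-significant first within each byte, which may or may not match the ordering of `bytes_to_bits` in the puzzle code.

```python
def bytes_to_bits_string(data):
    """One '0'/'1' character per bit, most-significant bit of each byte first."""
    return "".join(format(byte, "08b") for byte in data)


def parse_bit_lines(text):
    """Turn newline-separated bit strings into a list of rows of ints."""
    return [[int(ch) for ch in line] for line in text.splitlines() if line]


line = bytes_to_bits_string(bytes([0x76, 0x90]))
rows = parse_bit_lines(line + "\n" + line + "\n")
print(line)  # 0111011010010000
print(rows[0][:4], len(rows))
```

Whatever ordering is used, it only needs to be the same for the signed messages and for the target message, since the linear system is built from the same bit positions on both sides.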

Algebraic Processing in Sage

Our sage code is short but powerful.
First we read the input and parse it as a list of lists (that is, a matrix) of 0s and 1s, with each binary digit in its own cell of the matrix.

A = list()
# bits_vecs-1635288647752 was written by the rust program. Each line holds the
# bit representation of one message's blake2s hash.
with open("bits_vecs-1635288647752", 'r') as f:
    for line_index, line in enumerate(f):
        A.append(list())
        for bit_index in range(0, 256):
            A[line_index].append(int(line[bit_index]))

Next, we define $P$ to be the order of the curve (the same value as $r$ above), so that the scalars that will later multiply the generators in the Pedersen hash-to-curve scheme are taken from the field $F = Z_{P}$, defined right after.



# Curve Order
P = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
F = FiniteField(P)

Next, we define the matrix GA to be the list-of-lists A we previously defined, where each entry (0/1) is considered an element of the field F. We transpose it into GAT because, in the matrix $A$ defined in the previous section, each column (and not each row) contains the bits of the hash of a specific message.
Finally, we compute GAinv, which is the inverse of the transposed matrix.

GA = Matrix(F, A)
GAT = GA.transpose()
GAinv = GAT.inverse()

Next, we compute the blake2s value of our message. This is our vector $b$ from the previous section, where we treat each bit as an element of $Z_{P}$. Finally, we compute $A^{-1} \cdot b$.










```sage
# blake2s of our message, as a string of bits
bitstring = '0111011010010000000111101110100010110110010100111011011011111111100110001010110001110000111111111100111001100110001001111101110110111011101000100110010110011111001111011010110111110011111111110100111011111011000110000011100101101000001110011101011100010000'
bits = [int(el) for el in bitstring]
gbits = vector(F, bits)
gsolution = GAinv * gbits
# Print the multipliers as rust field-element literals.
print(",".join(['Fr::from_str("'+str(el)+'").unwrap()' for el in gsolution]))
```

The output we get is a vector $c$ of elements of $Z_{P}$ such that the signature of our message is $\sum_{i = 1}^{256} c_{i} \cdot s_{i}$, where $s_{i}$ is the signature of the $i^{th}$ message. This part is done in rust.

Final Postprocessing and Signature Generation

Our signature generation is also done in rust, and the full code is available here:

https://gist.github.com/elichai/7401f5423c2693960677ba4f8a9fab14#file-computing_the_sig-rs-L55

Here we'll explain some snippets from it.

First we define the selectors array, a very long array such that selectors[i] is the field element $c_{i}$ we obtained from our sage program.

















let selectors = [
    Fr::from_str(
        "27645015623588109382996024038763530282647599513403648261518408122004451823795",
    )
    .unwrap(),
    Fr::from_str(
        "23018579491472099737921523253639007115479688088731410213980168199642094036630",
    )
....
....
....
    .unwrap(),
    Fr::from_str(
       "6769691326408305518047502379958157439957827386631887324632648911856770263560",
    )
    .unwrap(),
];

Next, we multiply each selectors[i] by $s_{i}$, the signature of the $i^{th}$ message (sigs[i]), and add up the results.
This is done using the arkworks library.





let mut sum = G1Projective::zero();
for (i, num) in selectors.iter().enumerate() {
    let additive = sigs[i].into_projective().mul(num);
    sum += additive;
}

Next we convert the sum into an affine curve point:


let affine = G1Affine::from(sum);

And we verify we actually got the correct signature.


verify(pk, msg, affine.clone());

Assuming we do, we output the signature so it is ready for submission and we're done!





let mut sig = Vec::new();
affine.serialize(&mut sig).unwrap();
let sig_hex = hex::encode(sig);
println!("sig: {}", sig_hex);
