# ZK Hack 4 <Gamma Ray>
```
PROBLEM:
Bob was deeply inspired by the Zcash design [1] for private transactions and had some pretty cool ideas on how to adapt it for his requirements. He was also inspired by the Mina design for the lightest blockchain and wanted to combine the two. In order to achieve that, Bob used the MNT6753 cycle of curves to enable efficient infinite recursion, and used elliptic curve public keys to authorize spends. He released a first version of the system to the world and Alice soon announced she was able to double spend by creating two different nullifiers for the same key...
[1] https://zips.z.cash/protocol/protocol.pdf
```
## Introduction
The basic problem with the design is that the leaf node is only loosely tied to the secret key (the leaked key). We can start by reading the code.
From the code in the files we can figure out a few things:
- The secret value is used as a private key to generate the public key and the nullifier value.
- Nullifier = Poseidon Hash(leaked secret)
- Two curves are used in the implementation, i.e. MNT4BigFr and MNT6BigFr.
- MNT4BigFr is used to read the inputs and then instantiate the Groth16 circuit.
- MNT6BigFr's generator is used to calculate the public key from the provided leaked_secret value.
- A SNARK proof of the Merkle path for leaf 2 is calculated and then verified.
- If the user is able to provide the correct secret key and the correct nullifier, he is considered genuine.
## Hack Logic
By close observation we can make out that
$$ leaf = Xcoordinate([leakedSecret].G) $$
This tells us that the secret key produces a public key with two values, the coordinates of one point:
$$ (x, y) = \big(([leakedSecret].G)_x,\ ([leakedSecret].G)_y\big) $$
Here [].G represents scalar multiplication with the generator G.
Now we know that if (x,y) produces some leaf element, (x,-y) will also produce the same leaf element, and we can hack the protocol.
The catch is that we don't know the secret key (leaked secret) related to (x,-y), and deriving the private key from the public key is the Discrete Log Hard Problem (DLHP).
But if we know the private key for (x,y), then we also know that the private key for (x,-y) (which is just the mirror image of the point) is the negative of the original private key. But how?
So general addition of points in EC:

Watch [this](https://www.google.com/search?q=P%2BQ%3D0+in+ellipcal+curve+points&sca_esv=600053872&tbm=vid&sxsrf=ACQVn0-LhzhE30YCiKwGYMq3jJ2_Xs5n8Q:1705751944883&source=lnms&sa=X&ved=2ahUKEwi8pf-V9euDAxVPTWwGHVdOBZoQ_AUoAnoECAEQBA&biw=986&bih=796&dpr=1.25#) to understand more.
Ours is a special case

This means the new point is the negation of the old point:
$$ P = -Q $$
One last issue that we need to tackle is the curves used. We know that the inputs are read as MNT4BigFr and the circuit also expects MNT4BigFr values. But the generator point is in MNT6BigFr, so the negation has to be taken modulo the MNT6BigFr field. This is because we don't have negative numbers in modular arithmetic: every negative number is represented in the range [0, p-1], where p is the modulus of the field used.
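The negation argument above, worked on a toy curve, as an added example that is not part of the original puzzle code: the secret `s` and its negation modulo the group order give points with the same x-coordinate (same leaf) but different nullifiers. The curve y^2 = x^3 + 2x + 2 over F_17, the sample secret 7 and `toy_nullifier` (a stand-in for Poseidon) are all assumptions chosen so the arithmetic can be checked by hand.

```rust
// Constructed toy group: y^2 = x^3 + 2x + 2 over F_17, G = (5, 1), prime order 19.
// It stands in for the MNT6-753 group on the page; `None` is the point at infinity.
const P: i64 = 17; // base-field modulus (coordinates)
const A: i64 = 2; // curve coefficient a
const N: i64 = 19; // group order = scalar-field modulus (secrets)
type Point = Option<(i64, i64)>;
const G: Point = Some((5, 1));
// Modular inverse via Fermat's little theorem: a^(P-2) mod P.
fn inv(a: i64) -> i64 {
    let (mut r, mut b, mut e) = (1, a.rem_euclid(P), P - 2);
    while e > 0 {
        if e & 1 == 1 { r = r * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    r
}

fn add(p: Point, q: Point) -> Point {
    let (x1, y1) = match p { Some(v) => v, None => return q };
    let (x2, y2) = match q { Some(v) => v, None => return p };
    if x1 == x2 && (y1 + y2) % P == 0 { return None; } // special case P + (-P) = O
    let (num, den) = if x1 == x2 { (3 * x1 * x1 + A, 2 * y1) } else { (y2 - y1, x2 - x1) };
    let l = (num * inv(den)).rem_euclid(P);
    let x3 = (l * l - x1 - x2).rem_euclid(P);
    Some((x3, (l * (x1 - x3) - y1).rem_euclid(P)))
}
// Double-and-add scalar multiplication [k].p, with k reduced mod the group order.
fn mul(k: i64, p: Point) -> Point {
    let (mut acc, mut base, mut k): (Point, Point, i64) = (None, p, k.rem_euclid(N));
    while k > 0 {
        if k & 1 == 1 { acc = add(acc, base); }
        base = add(base, base);
        k >>= 1;
    }
    acc
}
// Leaf as on the page: only the x-coordinate of [secret].G (secret must be nonzero mod N).
fn leaf(secret: i64) -> i64 { mul(secret, G).unwrap().0 }
// Negation in the scalar field, the analogue of `-leaked_secret2` on the page.
fn negate_scalar(secret: i64) -> i64 { (N - secret).rem_euclid(N) }
// Stand-in for Poseidon (assumption): an injective mix, so distinct secrets never collide.
fn toy_nullifier(secret: i64) -> u64 { (secret as u64).wrapping_mul(0x9E3779B97F4A7C15).rotate_left(31) }

fn main() {
    let (s, t) = (7, negate_scalar(7)); // constructed sample secret and its negation
    println!("[{}]G = {:?}, [{}]G = {:?}", s, mul(s, G), t, mul(t, G));
    println!("same leaf: {}, same nullifier: {}", leaf(s) == leaf(t), toy_nullifier(s) == toy_nullifier(t));
}
```

The two secrets map to one Merkle leaf because the leaf keeps only x, while the hash of the secret itself still tells them apart.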
## Solution in code
```rust
/* Enter your solution here */
// Idea: the leaf is the x-coordinate of the public key, the private key is the secret,
// and nullifier = hash(secret). So we can take another point with the same x-coordinate
// and the -y coordinate to get the same leaf.
// `from_file`, `leaf_crh_params` and `LeafH` come from the surrounding puzzle code.

// Read the leaked secret from the file as MNT6BigFr, then negate it to get the
// private key for (x, -y).
let leaked_secret2: MNT6BigFr = from_file("./leaked_secret.bin");
// Additive inverse (negation) of the leaked secret: the private key for (x, -y)
// is the negation of the private key for (x, y).
let inverse_secret_hack = -leaked_secret2;
// `into_bigint` needs the `ark_ff::PrimeField` trait in scope.
let inverse_secret_hack_bigint = inverse_secret_hack.into_bigint();
// Convert the negated secret to MNT4BigFr, the format the circuit expects as input.
let secret_hack = MNT4BigFr::from(inverse_secret_hack_bigint);
// let t = MNT6BigFr::from(-leaked_secret);
let nullifier_hack =
    <LeafH as CRHScheme>::evaluate(&leaf_crh_params, vec![secret_hack]).unwrap();
// let nullifier_hack = MNT4BigFr::from(0);
/* End of solution */
```
Thanks for reading and please let me know if something is wrong. [Twitter](https://twitter.com/rishotics)