# Attacking a bad trusted setup This post presents a solution for the puzzle in the context of a trusted setup, a computation needed in most pairing-based zero-knowledge proof constructions. Trusted setups are data required for particular cryptographic schemes, computed by a third party that knows a trap-door for the scheme. These computations can sometimes be done using multiparty computation in order to remove this trusting issue. Zero-knowledge proofs are new cryptographic primitives very useful in blockchain applications. They became famous with a construction presented in [this paper](https://eprint.iacr.org/2016/260.pdf) (by Groth in 2016), requiring a one-time trusted setup. ## Groth16 trusted setup <!--trusted setup--> The Groth construction is based on the discrete logarithm problem in different groups. The trusted setup is composed of elements from two groups $\mathbb G_1$ and $\mathbb G_2$. We use the additive notation, and we denote $G_1$, $G_2$ the two generators of the two groups. The trusted setup of a Groth 16 proof (of size $n$) is a set of $4n-1$ elements of $\mathbb G_1$, plus $n$ elements of $\mathbb G_2$. More precisely, a third party generates the following elements using his own secret scalar $s$ and two scalars $\alpha$ and $\beta$: * $G_1, [s]G_1, \dots, [s^{2n-2}]G_1$, * $[\alpha]G_1, [\alpha s]G_1, \dots, [\alpha s^{n-1}]G_1$, * $[\beta]G_1, [\beta s]G_1, \dots, [\beta s^{n-1}]G_1$, * $G_2, [s]G_2, \dots, [s^{n-1}]G_2$. Although there is a trust factor involved in generating the secret, the resulting proving and verification keys can be used to produce a proof that is succinct, where its size and the verification running time are independent of the statement size. Many alternatives prevent this third party issue. For example, the trusted setup computation can be shared between many participants so that no one knows the final secret. In a setting where an attacker would know the secret $s$, he could forge a proof easily, as explained in [this blog post](https://kobi.one/2018/07/16/creating-fake-zksnarks-proofs.html) written by Kobi Gurkan. In the following sections, we explore one aspect of the security of the trusted setup generation. Specifically, we aim to recover the secret $s$ when some of the elements used, such as $G_1$, $G_2$ are not properly generated / chosen. ### Security <!--Security fo the groups considered--> The two groups are chosen so that the discrete logarithm problem is hard. It means that given $Q \in \mathbb G_1$ (resp. $\mathbb G_2$), it is hard to find $x$ such that $Q = [x]G_1$ (resp. $Q = [x]G_2$). In practice, Groth instantiates his scheme using elliptic curves, where the best algorithm that solves the DLP has an exponential complexity in the size of the group considered. This construction requires manipulating particular curves called pairing-friendly curves, threatened by other algorithms for solving the discrete logarithm problem. In order to reach a security level $\lambda$, we require $\mathbb G_1$ and $\mathbb G_2$ to be roughly of $2\lambda$-bit prime order $r$. For example, $\log_2(r) = 256$ reaches the 128-bit security level. If the secret scalar ($x$ above) is known to be smaller, it affects the security. In practice, $\mathbb G_1$ and $\mathbb G_2$ are subgroups of two elliptic curves $E$ and $E'$ defined over finite fields. These groups can be proper subgroups, and it is possible to compute discrete logarithms if the third party manipulates the entire group of rational points of a curve instead of $\mathbb G_1$ or $\mathbb G_2$. This attack is often called the subgroup attack or the [Poligh-Hellman](https://en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm) algorithm. ### Subgroup attack <!--Subgroup attack--> Suppose that we have a group generated by $P$ (denoted $\langle P\rangle$), of order $r_1r_2$ where $r_1$ and $r_2$ are prime integers. Finding the discrete logarithm $x$ of $Q = [x]P$ can be computed as follows: 1. Compute $Q_1 = [r_2]Q$, a point of order $r_1$. 2. Solve the DLP in $\langle P_1 \rangle$ where $P_1 = [r_2]P$. In other words, find $x_1$ such that $Q_1 = [x_1]P_1$. 3. Compute $Q_2 = [r_1]Q$, a point of order $r_2$. 4. Solve the DLP in $\langle P_2 \rangle$ where $P_2 = [r_1]P$. In other words, find $x_2$ such that $Q_2 = [x_2]P_2$. 5. Recover the discrete logarithm $x$ using the Chinese Remainder Theorem: $x = u_1r_1x_2 + u_2r_2x_1$ where $u_1$ and $u_2$ satisfy $u_1r_1+u_2r_2 = 1$. This method can be generalized with all the small factors of the curve group order. In practice, it happens that the curves have a small cofactor. Hence, even if the DLP is hard in $\mathbb G_1$, the information of $s$ modulo the cofactor gives information that can help to recover the value of $s$. Particularly in the case of a trusted setup, one can apply this method in the two curves and recover $s$ entirely if it has been badly chosen. ## Solving the puzzle <!--Solving the zkhack puzzle--> The puzzle data is a trusted setup on the BLS12-381 curve, meaning that the first elements are points defined with two $\mathbb F_p$ elements (where $\log_2(p) = 381$), and the 32 last points are defined over $\mathbb F_{p^2}$ and corresponds to the twist of the BLS12-381 curve. Hence, they are much larger, as we can see [here](https://github.com/kobigurk/zkhack-puzzles/blob/master/trusted-setup/src/data.rs#L133). The secret is known to be smaller than expected, namely an integer of $128$ bits instead of $256$. Hence, it reduces the security to at most $64$ bits. Using [SageMath](https://www.sagemath.org/), we are going to compute the secret $s$ in few seconds by manipulating the generators of $\mathbb G_1$ and $\mathbb G_2$ of composite order. The first step of the attack is to define the curves involved in the trusted setup. ### The curves The curves we consider here are: * An ellptic curve $E$ defined by $y^2 = x^3+4$ over $\mathbb F_p$ for a specific $p$ of $381$ bits, also called the BLS12-381 curve. The 127 first points of the data are [here](https://github.com/kobigurk/zkhack-puzzles/blob/master/trusted-setup/src/data.rs#L326) defined over $E$. * An elliptic curve $E_2$ closely related to $E$, defined by $y^2 = x^3+4+4u$ over $\mathbb F_{p^2} = \mathbb F_p[u]/(u^2+1)$. The 32 last points of the data [here](https://github.com/kobigurk/zkhack-puzzles/blob/master/trusted-setup/src/data.rs#L326) are defined over $E_2$. The following code lets us defined $E$ and $E_2$: ```python p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 Fp = GF(p) E = EllipticCurve([Fp(0), Fp(4)]) assert E.order() % r == 0 cof = E.order()//r FpT.<T> = Fp[] Fp2.<u> = GF(p**2, modulus=T**2+1) E2 = EllipticCurve([Fp2(0), Fp2([4,4])]) assert E2.order() % r == 0 cof2 = (E2.order()//r) ``` ### Information using $G_1$ From the bytes of the data, [this rust code](https://github.com/kobigurk/zkhack-puzzles-guide/blob/master/trusted-setup-guide/src/bin/for-sagemaths-trusted-setup.rs) lets us obtain: ```python3 g1_trusted_setup = [ E(0x0F99F411A5F6C484EC5CAD7B9F9C0F01A3D2BB73759BB95567F1FE4910331D32B95ED87E36681230273C9A6677BE3A69, 0x12978C5E13A226B039CE22A0F4961D329747F0B78350988DAB4C1263455C826418A667CA97AC55576228FC7AA77D33E5), E(0x16C2385B2093CC3EDBC0F2257E8F23E98E775F8F6628767E5F4FC0E495285B95B1505F487102FE083E65DC8E9E3A9181, 0x0F4B73F63C6FD1F924EAE2982426FC94FBD03FCEE12D9FB01BAF52BE1246A14C53C152D64ED312494A2BC32C4A3E7F9A), E(0x15847FE37FBC3E3395111251208A5EC9217EDDD5280CE0D9CAB356EFA0DDB07B4F4BD34226EF11DCF24A8CA2D069AC9A, 0x10DA563477393233A9F536B4AB18ED3590F05D7435D926464277232DA2043EC10EE33922C0690F8B5E493A6CAEE47C45), E(0x03BB6E3E41A0DA95295D92E476C8A4AF61BF4F230F5CD8522362390AF20F00B7CD2D2B0FFEF98A5CC00760B8B36C60AB, 0x0EE54B6F5ACA7AE250930EB7673A93CDFD77BF55599D662FEF07F22DD6633D22E767B79F6366A5D1B260758C88323350), E(0x050371F20BF7FD6343443EBE854C1E556C0075EC5A0903984712B2A0DE85EBE6297E53B61D2C6DEC5B65A855CB3A5995, 0x1373DB17DCF0957F2AFA92AFE672F7EE76D52D3F8078316C6812807AA334CA8BB4553F4520B2E0BF53C6573EAEF02737), E(0x04DE49B106421CE7F202540CCC9105738AE3AE10D85C0E37DAED84619C9D71A87D5A2178669F7366C50421491A2ED88C, 0x032554DEE799B45410E615EE321C577C761EF2B4E5823D924C3F1CECA3EFA567CC01C51CF1E1B329C2D7981628B50BE5), E(0x0F02D12B3640D6FB8DED34DD183A899D4A43055C52F3B763248A390551EEA7CC89421AE2D54FCF3EB87F65526ACED402, 0x0A05EF533D6CD9A1FD16646CF9835983B9E977C0A739397AFBCBE881FF9ABB5EEBDF9852D7ECEDE0A367ADC5823778DF), E(0x01CBA25122FB5A73C69287230950E4650D0A86B45816B3B09E765725C5C38391505B235492A33791FD47DF841554C7DC, 0x19A638FDB127857982D2CD9284DB04188E427346CA9C45D4316B476F4501DC995F29F1DC79702A74C3A9E8B2D8F818B4), E(0x098B9663666CB89BA3F72361F7BC4CB415E8C8236B467F97C32CD23A1AB13D8B0CB7A9D615D08755865C4D59D2C1529B, 0x004E95AD1BB1BAEB3D76BC9B2D36A42A5B98A5125962ED4DE99D9B6F474ADAADB320390F8B8C216A2BB05D64563B1633), E(0x01931C1701BB7F5AC888F51FDA6F0EB25F7D585BFC43E784B82BE11B0403BF8351203F70C8C260B8734B0FC2725FF672, 0x0331C5BBBA499F5ED68C8383780D05F1F628C791259297AE830149673F582945117D7204B3E91D87ED01B318C1C2CF43), E(0x0FF696BDD2B15363C543D4CFE3C0DD2DD57E3731C76EC029DBA54E4199226A4FFC28AAC92DC7B75DF4CEED94B9FA2BF0, 0x0AE384512AB2C22EA0249501E5CCC5975B8F47BCA9A015CBC3AEF28B4A0678037A0487A53ABCD52C0DCD4A74166D4D8D), E(0x04FC7482B225250B61298B473792BF994E81B3335E59471ED7D98D17AD438F4A657B79AA7EDA6D3EFEA432932EAB4328, 0x176AF0F45FE9D213087F085D4CA84D83FAD533F8D60AA3DA8C08B237DCEC7C0AAB193CB7718EBD2B263D34A724D76622), E(0x07ED6535D81C50D2BB175C563C1A45285491BDD273DAF50BDE6B848A76775FC24B18614E7779E458D582EF75DD669F92, 0x1861E4928A0BC4B8527B47A05B14D6FDD9663D02A14B723210CCA28E97EB19D0860C841276FE3B4F819F105CB140EB0A), E(0x006CAA0F4D48A06362B4ED142FDF734DB135ADD5C86404B025EFA2BC576146355AFB0C93A71057689DF96D783ADAECC4, 0x0495300FCFDDD2D53897CCE6E993D679E113CB51603286791F6D2BBA7A8E14AFD4DA5DF9FD7A4EE55BD6D59F0A3606F2), E(0x1536ACCD5545C3FB761A77407A641AC1E58C92E4F0118BC3D14556CC5B87E44999CB72A06D9B03AABE0BE0623DF140C3, 0x0A7339927941801A67031F7BFFC055BD99F104E7201A628A10D1C0EF70897F7F77D85668B1D729C17C184E0461A72FE0), E(0x128E9B5AAC66EF665454F040454D79003D681ADE9C5A3EC5C407B8C1EDE850DD66C66AC572C64C85CF0377A0BA52874E, 0x1501EDDCDD568F64A1576FD166D2B856E8E7E2A4A392569464DF49940E498B3C5832F63CA67AA35018028292593B9656), E(0x04BC98DA5CF9F43091B680E089BF3D835E771B1F767BD74993958813534AA8E55970FA3C5C9338BC14F447538DB45850, 0x17BF5EAE0C784CC286A8C3546938921FE7EB933FC54F0143E8E5A5773AFF5FBBF6A386740D3B3E0E6326D3404AE3A2D2), E(0x0A3EA5F22993FA5CE64BF550550399A7F810076807EA5598EFE81EC57E6CAF6920B424C3D742EE6818608C61EA5033E6, 0x0F9D0506D6AB4DA5FE3A6EC86968DC2B2FA38B7921E07D4EE676D5B223D63699A9984F8AABFD78F49D97FEDA5B5BA04A), E(0x04F65942771F4A76A9DC75189A45EA9A7DF81165349FBD8543B416E76A50273E57740E79FF9372100CAF4D259E60549E, 0x0E57EC4A62BC1D0E63931E2E541F762AAC205B8701EB7098A02227E6A51FB6453E95709AE305BD7C60991C1871217585), E(0x192A6E2DCE1656C9EF59CC29FE35BB50C14AB32D087083532A0A01617F50BC65A4967FF0C8276815C35A9F15C7C77280, 0x071538FF2734AB4A3C51DCCEE3C31CD8A1D4B94D498B44C1740072D81E3671F41DB44746AC03A8C52C0667687056CDAD), E(0x1323998724B7B083E4CB01FD18580C27E735CB36727C88AB8381DBF94CB544C1D463279B06A2DD44B23C53BB00FD074E, 0x159C0D01331003005BADFA3C0797BA69E97C6AE2B0D5265F1D017A37F916B10F0DF61F52DC20B6F4B57B9644C131EE27), E(0x13B0572D33025718EAF743441510CFFDB7715EE7CCBF4B5BB40301A088AD7E66C622A3DC7712A02A4F7EC3A915F565AE, 0x18ECB7CA148FBF89F79699814231C78FC7EA5268193DA975EEF6CB7EE74BD10294206CEC08BCBAD07EBD8A63E3ACD1C4), E(0x0ECC4FAEC62F0362001D835F23E794E17A4B1D63E4E1C33BE0A11D62ECB43CE7E75B88A0112D3D93981ECEDBB648FD74, 0x00B8259F0286F95F93F47A588C3DFE1701699F0C386CEB070727989EAFE70D86748CE249226C8FE8E8B7B5DEFC6EA68C), E(0x00169FCE46D33CCA0AF8208CA1751DE83342EA7892753AF97677EAFE28F2191898C8831E8E952FC4E3DD56B1D5F95FA6, 0x1756C0BEA91BBA44B9828A9CB051E16A87BB8C1911ECDB505234A94E20AD128357E6B2A918BA2E3D32A8EBCE2424AE7D), E(0x15C513664DADC5DC26574BD6C7331546C220373EBCB2A9A1932C4718FC5CE250379B4D6F8B1692C89F555E12A4BE95E4, 0x09AFEC077684FBFD6BFAC3EF6B480C0AF747B7EEFC8D866A68699812CDBA80594B1B486CD7FBB08748BD9878BE8F5951), E(0x11F9FD77263097063B421022FED92206A26C9A3DB30CC0096A311FB805A0CEDD9102A92574B4C3940EBCC3D7B1780E5F, 0x09FC820972F225C62940690B29DB6F0F7CCAA18AEA52D068952BCB6DC54C63300F6C7E0F9D1F732ABADC6A26CD35A401), E(0x154FEB147CFE9C3507461EC62924159F8C3C7C99C6F85232FA1816EE55130CB2E7A2493E8941837A7B8EBE2E456042C1, 0x17ACD3E02AF93D56DDCADB62026B3B592F98958A0DE5A0C09F88D78094DD660E1EB93A95812452CAE1F5604149E32D87), E(0x170E7451D0E66E536F077AD85FCB5C4C348CD5D0AB5E9585712C16F5C5A0E453D63FB165D7938623AF2BB59EFCF90AA7, 0x11A9DB89309C16DC77C5B8139EECFD45EDA9337B240446EE8CFC9CF0BD996665CE16767CDB39216CE7F11FD5681DA742), E(0x097E6FE08C14742AEFAFC1F63860157FC03305C43D8D85A299432A98A6225A33F706F3DB5A2374B352955F99BCC2D306, 0x0ADE4EF69B6415794F578AE267CAD930E9CFF0AE6493A02DF41BD5D4BA64F9C3E931CA1F0DE3A52FBCE7DFC11E035C1E), E(0x0949FB31DC0F591904EB24B713A9FBF849C01050347500CDC9728FE82B8E05310B667516270C514DC8072FC999097E83, 0x0B9ACA4D1CB2CD393461CCD2CE51E387201E642481272C5CBFAE7CBBF7107B2B023F585E28D6A6D355D7E7A432D7D6BD), E(0x11791F821EF1A9B27AC14701082BC01CD9DDAA9B13EB19C1779E8C61EC1078CB92D09C429F262AD7045DC14EA9060412, 0x090B02760053744680159C0364003BBC501D5F8E893F0EB04D57C2A1865F0780C3AD60CCB654FFA9ADFFBFF392EBAF98), E(0x1786606BF18F31C6BE10203280AF1FB9228869B791B2C096E2B05587325D355FB132CC23B13853365102F4250250884C, 0x11A325F1D9602D19D579B5CF6C997FE810215C123D07BB74051972EEFC509526CAB773CAC3B2A6123BF97C18016F4B90), E(0x107CD4BC51A93062B425F195D5D5466ED1D513DFBB701F128603CD775A34F83C639B260E070954EB1144466CC1CE13C8, 0x0EB837D434ACB0A2467580D4193BCF8A1CE663D0B517EEB918262C9F7073DCE415EC6A03A91D15B68419A1E728E45E08), E(0x0A5D76B664397C35B84C4C8C734FD0BE8B58465D358546976DF384AFE2172A52F068B801DF37313B0E527F1587C53DF5, 0x19D86227FF96F4743BF1DED81DA7AF1A58D9509B8539B3B0BAC6F1416EAF02C0DBD356E076D986169AA478B5E35F070D), E(0x07D8B8F646DD50436ABBCE4B159FFAAACBE4FAC5AE7053E65D380FBD942883237B5AAEA82CB36B968C89AFF8F64E9D2A, 0x15A390A9937E908682FDA3BE2A5893C68CF45D9F3BA4895F8F8F97B080F1A2995DFA6F93F6F2071D06A787EC1B47DF22), E(0x0379B48AB0E6EAF6E6BD6A33AB52982A970F95CAC30A2A3FD1591B92CF43EE64B46D28ECE2E485547BD568C644FA086C, 0x032AC35FCF02F5A5459A56EB8041DE494AFBCED580724CBC54217FA37B83A542E112AFCB85315016F014E173BD9C5C87), E(0x161C3DEECC4B7C8EB33C9C7E47C6636DEFDA8F3A3DDBDCE6048E1AB65CB22CA67A9C935887C852BAF8219E07DD78D13A, 0x08C8CAB6C98219BC925B7E5E793C91B42A6B3BF2515635255D8DBCE7B8622A35C23802FAB3C580DEF3A07E7C42BCB7E1), E(0x19434D497F9CB5EED4DE4BC4D93BFDD63153F2FF722382C8C0AFC0B9366A4DC9CD38E888D975F237F0699FEE60E0C5CA, 0x017842358DA98800825ED557CDE0192D7EA128759AB261E3B19322846526459736740FE6B4E9677DAA4E44B46C57FB66), E(0x056684843FD9CD25F10FF662CEFA0997C74D8E44F4B614F71BB3157015B199EC8FC932A7A4C743CAFC82DA7585B5D15C, 0x14CEE528C1919D502DA8F18D0B5D30BF8C7E6962931AE3359D0CC2689984B741F6619E6E93D2CD58B0F9D45E1037392A), E(0x103BA4176046C7E47B9EF231C6ACF085DE5D83FBA528DCB3356CCB25A8E06FA9D73471F97CF237970063E7727C2575E2, 0x142D0DCB12BA935DDB4CC3EE0C77559F4BE6AE3B8EA63DE5E02E5E966E46FA00FBC8F57332F606EAD543829EF41B70BD), E(0x0D2D5D87C67B6FB99392FED5740A9D04691EDB0E41A6AFC02F8CA90770BEB3F45516E35DD0272C01515A517A007EB7FF, 0x03CE03AE4E732C2FDEB20F2E0E28CDEA0206550541804F6C8B75AE51D82A40565D7039C18476B2CF15BA5A3F6B2A6C53), E(0x17DA671A52B7273DDF3ACA0E031D16DFAD5B4EF64B31CBDEB9CA7BCBC6DA3735C84A8A2605E22AB1184D2CFA04236859, 0x1995013123697F1A7C039D719F12BEF2FC72BECEB3D35444626BD80B02F7FC3EF2FF578A1629AA7825EEE022125DD391), E(0x183A569E981A80DC5C76E6D50EF521C7AB32461234269E34BFCAB8C5462C6059DB3FCC33CE6D7FC2F0D17637CC038BFC, 0x0E78EBAD889A1ED2B134E6D2FF0B8E9C95C77C2AB5160BD78B3248395EE95CDA31D2B745E815FC7C189C5F61E37BA191), E(0x08C3165C74E8A55CB435EF3F9AC0E01A941970357350E19DD1A53073B2D5A9BDCB459B3B612263B2640CB16EFE91FFC5, 0x010FCCAF4F62790818525FB43643E2CAF10AAC98B1652AB9BF6F04CE3D687DD03C475545F05D8730654E10C4A7DC471C), E(0x099E6E85C5BC513FE6E7C203302E9DCD132A5C4FB720E832275C2FA2FC6125AF2D220C7276A21049377CAA042E40936F, 0x08C7DE0029E257FFF1A865D802CE4DF771F489FD5A854E89AA57158C29B103A1352E9430EDAB70611B8B98A19E1D543F), E(0x0893D8B979E145844D29AC9AA42581B5F5FD9B33761DCA90DF35BEF6CAB2870F6481E8E82D82C795C4C06FCDDDB899DC, 0x126948197E5B7433219AA71F6E4287DEA77B5FE8640B49328A192436ED0781118E4495A8239D633D842D581CD9C43B3E), E(0x0D04543DAFCBB98A88D45EA061807AAAAFAC583DEB0E03759BF663A7871069C93B41FB3633100032233E0EFB14A4A98D, 0x05743CA891841A1F4EE5BB94DBAF32692E352246F4DD802301E78C21EA007FF8610FFB62DB7880DAE6533B8AE68C5179), E(0x168A10AD06B1DCC1BC353FF82BD3201C5CEFC16B119F2AC21F2BC3DE58479F55774985C77E47A47AF3D995B09ADD79EC, 0x0F4E514BFDC9F764B637053AEB3E36024AD221696BC61440CCA03A63553C396ABE9ED7D8743A1E2680317F9A8F6D6F86), E(0x0505ABBD0CD68E10E3856E58A4DEAF64BA134FD7ED828A5BB1F52A36117F6A68A6F621D38BB47B571BC64EE4D31D0632, 0x072A6C6ABEF750AECEB31F4DF6A35E9A1FF4A4AF46607DC831AF5272A82733F14C10888A94A149F990ED3F6C3FEBC212), E(0x1322C641A874E5373B5B6A9329BECE13E92800EC4324CD6C018FA0A849CE48C768D82ED263F70D0F0C7F04744551FB25, 0x0DD99BCBF84BE768C69C122EA831507DFE983CC270482625AFDFDA3E6C42E519B000638F54F8BF7AD9FCB045BFFA5516), E(0x05667F5E17A78CA14E178BF2DB09EFF10A7702215F6552DE188CF2A661816AAD1706D4268FB40D6D22FEC0A3CCF9DA48, 0x13057A4113BE7A17D9FA5F4F82D4E4BB3E282D47C63D25B15CB4851B5D18EC4BD025F3751193AEFF77BB2432650EC886), E(0x13088B9729410B212E4D2E7C563CC237633191BBD529005DE2A41BE10377B17323714A659F25ED973EE1F4184372CB87, 0x1210DF3AD20531F5FAF3BD283EB514EDA5B5EBFA9BC5CC127AE0B783592E75E46BDEA415F1E148B523F496368DC83BC7), E(0x14C7227D4135182D4D85073BBE3B2E1B7597BDC08B61C059447184C9E58C3687748921740C06B04246DAC00A784F1DA3, 0x0C607C69FAAC79FC094A4D15F7D3ECA96E87BC989C9BECAFA9C6A26BBEDCDA4816E93D4B39D449B5E11027D763B4F138), E(0x149461F7E732B12FDF49C185711B9AB97678CCA52D68F5E192141C458C177FA642956B5A46BBFF9B56532DCCEC2ED639, 0x0B291A6250AD124CC4A23C287638CD1659569142C0B70FE514D9E0085183E882FFB26EAE3D1AB3E05C7DFE66798F0770), E(0x15640AA66667BE4421641A8AB7DDAE2A0393046D766E397BE7566A9F8C7871E49C77CB0038E4722BFD06B240F0D44C09, 0x164E3454A9B8F59139627DCA6262A9C9AEA02C58FAA7CCBF7BD9F23C2A59F4D01C4C589B8866A17BBA567D91D983D68C), E(0x0DA7F96ED13456D9A41C5B5C5DF3D5D19DC9C5ED202D78E23F5EC25A0320912E0E07EE4040A1D61FBCC33EAB931C0E09, 0x0638EF6A5A7679631D86267E66376B2D08EABD4DE988F840A40B4C1C4E0012E2EBE0E5DF58987F566971EF39CEB93229), E(0x160E2C50EF5FE98904D259DC518F7160015B4A87AB7A9BAF8AA87C6DB23D701E6501A2B8F4493B95C76F868989C898D2, 0x0B221CCF2C07F143F7B3C48DD0D0E62E373126278AB5B7FB5D4462FD503649671C21FEB742FA286C6D9B21AA8DA30C5E), E(0x0AA2D5127297BC627925A54CB94C2A8D05660681569669EBDCC175B52AA864179481C258937F83841A447A822C40C3BA, 0x0A79F42D22DC8F424DC9F79051543874BD016E4743642BE1FCA59D81B58A92515F8A2D415FF0DCEE09A06318F9E1D5F9), E(0x1862DF69976D12A66B4681176D94758B0E265B1DD22E759484ED6497593947564D6B508CC445FE01D5B8D049404744C1, 0x0DD210844E03AD062AE1F1C42D8F895EAF7FE7407E943C2AD1A355A51DB97002436A912D5F91A1F45E6C84FB7591C5CD), E(0x0EFA818D1DA3C89FDF3B9C696263C79F7967D58920EC87F8C5E2BA830BCBEE69F0B3F4F5155C9FB1D440EDE407273771, 0x14066C3B329574D50C7DDF12B0DB10DC4AC29C7400DFD058E7A315961F83CCF18F4BFCB94BFA051C27B6AD81E82121E5), E(0x0A19E27EE7252D37F9306D3FE7CC074E99092EBBFF72E05EC70021E9B47AF5C7DBE1827C5EBC7DCD37DB8E5E8919F6EC, 0x0B167AEF17C691267A613CF2CB1E86F2F1C30435D8E636A51D9AB5AD2096F1779DD2B96A58A5A5B123E56C4F8CA7DBE4), E(0x16B7BF9E8B521F262113B2117394D094599F0B241ACE9EEE50AFA3EFA03ECAFFD31979524658C429C1A81E497726C2A1, 0x15D3A7B64A598F8CD0958C1166327E3C629EBFFE3C19487561037DD4206C3E615EA30FAEB02A60F126FB0CBF3DD7AEA4), E(0x0B3965A3A493CC49F87A6FC600C8486D54E33AB03444A994662CA24FEF3F336E43F64ECB8B6CEE31DFC141A35025D185, 0x144B7D7272C4E4E21B0F53D780D99BF0681AD86433AD16E851421CD49BE3AF59AF031B785CDCF4150DDE342929F00621), E(0x0D06B1C4AF2C9318AC45747CF703CB96F4C628D3A8BD3AFED5152A78D0F1C02706525B343D4594E3C2EA97CFB1EBF272, 0x1165323F91F3CD79E16CBC3DA63A807DD015F11EA32E9839C26CF5F40878A922701D8D2AA9C768992B900B42EAE51B67), E(0x10A6369B3A0A7AE14414D5B6AB2DDD5CC6DE3734C3FCCB5B84E96503CB98DA59E5145175E1332D2203B19287D4872A3A, 0x00405700C5A45C88D3BF7298D946E0A4439D43D14F9AAA19056D156C1A3BDA7FFF29893284934999C13F9998A3F4BFFE), E(0x12C020EC3321BC6DA5A6313463B51C31986807376F37CB0E474FB37EDF191E58B67146E8B79F2B19679F959AF07B5051, 0x18CD0BB4AD697FDCA5C95A64F64AA1D2FDEAB0DE0A4A767154F73FD5A66802827FAC002430D044EBAEA8BF251A963FB0), E(0x024DA24C29225D75DED159FDB6AB918686C6C150BADF50A191D1C2233995D5813C401FE4EB7D23703EFA8BB3021586BF, 0x1338A73E6065234D0CEFB15ABEE284A0543F7824A056523BBB03BCCC1289C46CC4B54CADC5C9AE41604800F6BA1081B9), E(0x13F85C5267412F739216F5F477223F3E343B91C4270AB59E5915BB4FD63DFF25196B393B3BC8FBD899FE44EC036F64BA, 0x0C487DD49410A37B2C1716AD6C34DBC437CCEB7C933FF684D5E305DAE10B245186C291BBEF543C0D392AC512DB477031), E(0x04B79DF76B4EEDB793EC136E67E438EC1BC8ACE0BE3C8073086ADF59FCE62A6B94ED304380E13651083E021AD5FF017F, 0x0337CFFD584E5F466A98096FC62C69DF1E27038A8C0440809000AAC587BC5D4DCFBEC8FE964637C1405DC63A1FD22DF6), E(0x17206AB93FE583B3535FE101104B5F225F1B5950D219BB60B3736254B8DBB1E139F7A2181950DF4A50EBFFA884B242E7, 0x02583089E58872B008447BD58F8F3964B5FB7A0BD4CC13DC45C9248D938D093CB33167D9DA309FB9AE07B6F82BE58F2F), E(0x0043B381D3653045ADD720F3B8A0EECB288BF0973540333A6704981DCD62FABF4918572059AD263DC376E881BE3BAB66, 0x16724BAAA31512565A4DF089FB58D448C0D9F3092FF0418755275868077CC983D7970D7C0ECB8A0A51AB1B18103F709D), E(0x0594F0C9EE947B16B35C76DCFCDDD996E4759CBBBB4BBE8A2AB90AD487F61A123C2DFE44A190B95A4DF7804376619CF6, 0x137A6713584FA1907891079927EA8AEE4C8D5FF199C9B88F7C3EB9E7F364E7690128077222DD716B85513F33A34037DD), E(0x07CF7D8A7BC5F069C38539540EDCCF532ECD70290EEA2356AAD67C147A7A2D37E95118764393F8E63622C3749C457ECF, 0x14F15CE2738299895F59DC010B72AE3BFF4956D16E29AFC1BE77D2157D5C688597E4CCC0A6C707FD8BF25040D94A3FDA), E(0x191A1B6ACC9E837512DC4D38391B719AD9A928940903A11B97D050732F446654B50D3C5AAE76A4AF410D44FDF3450CD4, 0x15D096B4C34E45D7DB88837C3A2582FCC2A8F9C7CCC9514C9AC57C267817A542258AF9B4DCE90EE7EA8E6B8BCFF8067F), E(0x0087218CF45CB1C9E7CEF3DFC1A8B66AD5156E8B62E1B096BE83771E0BF74FFBEF580913623F5D722BF2320C0DB69914, 0x11C0C59C48EF7567FD32AD04FEC134DA43B53BA62F8175D4743FD0BE41F3B36CA1AA504A8E1353EEDFE6D60B8864A02F), E(0x08528450044472FB0B0CA5E1C835978BEC52BBA7600CA19A4CC902E99DE49A2EBDFF8E4EDE1A432F7E0C1E67571D96B9, 0x0A113DC00E3CB27785ECE1BBF3A304B73A23DF996E4677EE279F76D374F068C16CB3BFC5E196F8A010CCB47E3300CCFD), E(0x17EC38E0275ECA53F9A48D5CCBCE252FCF0927ACFCBB97BB749C4B172AF3F59A59D79AED81DCE6B199F97591F0B0D6A5, 0x07D0DB7C84261C77C189DD2B6159E06927E013293A3B4881D44146291BF7A342747B5C43883CB790F6D56113D4BEB08B), E(0x09B28542E797BFFBE0BEA05BFC795CFDADDADCC8793D66ECD458FC6C7C90490495F774C897075F503C34DDA9475831F9, 0x097FC2F2166BB213E62580C0036F802DC9A5807CAE57E7C99E2B712692BD051E4E1AFA8803F018FD8F89BD9DB714C93A), E(0x054C4C04F973950076351BD61FCED19282933DE99F0833522BE51B0B8AEE798A0AB62C3FFF2B30BC12FE610E9EAD9344, 0x0533335C277271A25E3470860044846D2F6B85DE7502946A31DF734E17B8BF9B0177963E7879414CD3774633A28FDEC3), E(0x00521916CBC66F1C868131723B7EBDF3981B37A619BC20232074825782F4C589601774D6C7427C08DBB08CD371402436, 0x143B9299DA2CB63ABDC4C43D6936B6D4FD830178DB162D3604784460498AE30C36D3B82A165166B4EB9FD26E4507E2AE), E(0x09C540007A05F6C8C9D8EB7281118A9DD3B4EF1941DAC3836B136BA39DD49B374255ACC8372DE409DBB2AB80B6573F90, 0x0A6D8A83C155C1A34DF5F28585E1AF37DC1F85E1459E170768B7D9E46FD12A2DF9E71F9EE65546A670CD4FC9C219A890), E(0x16A41C6435B4A94E7601F6B2409965E4B01830F7574591B223F048449B1731B6C3E6A13E8DE697ACFEBE32636811C03F, 0x04F522562518BA874588EEDE20BA86B5A5072BC4DAB66A71F7621D096DBBE8A5954B231B3F3829700FDD114844D4D40E), E(0x07C61AE2FA6E61EC40538BB6E32985F6661B12B3D86E85A088B6EA52BDD15D614436DCDF70756CE465B529C472BD9968, 0x0505202A28B547587AB986944984D8B853BA976D62B23573FD567F65AE874A07D0813F2822228EDA0A525430961EB260), E(0x0E6AEBAB9FE0BC7FCB136E0F80B864C345B0E528DBE848C3A4FDEB9411D6AC7A9918CF10E76E7CA33DDA406721C43A78, 0x0B67DA35A9C98884C363F3A3BB5323911F0DC0D14F5C8CD1C1D8AEE90CBFCABF18E1D66E868889020D0F17E2F46E1C0D), E(0x0E775119CF5F7AD350C146908BEFD416FB947747B9AC2FF4C81844739A4484F71E9E80F341989BBF1A161EF816598233, 0x15C1538B105750EE7F98DF337EF20A5FC47EA884E1BE5CB28FD7DAE047CDB4E7E07102EC59A73EB06B5CAF52B5AD38C4), E(0x0A60E66BA39FE660566CED19E9B654A4DD16D1A2200BE9D2A9DF03329653E352B67626E224CDF649E8DFD5825EA09C04, 0x0B02B076957FAA16B7DC2C1A22E063AC046E2D7E8A703F64ADEFD5A3B9A3E8C65FFCA841044F0ECAA1E3A256B7C42C01), E(0x1009CE55FF0B242921DD83FF04FE080FD4AA6DF4FBFBEABFD89C51DD901F0C9E7F5AAD79966938363D0A45A6A446F25A, 0x10326830BA40AD53F340BA4F4734CC21EAECA18B0024F28AFCF68AE640BB18A833E622859712BE7C1A31FAF5F7A6E824), E(0x14F361B7F82AB4AABB2558E781DEEC61574D4ADC5B920AAD4677B4064D83ABBEE53959D127E80A06E78A1DF9986FAB84, 0x1749646B8C442D8DDA38443A075E7D7D29A3B30F68906782C4A8EE77D0E5C0137E3608528D125360FD617707354C43AB), E(0x00E9F5D7FC595C65EA7C8EEF5256073C5E7555EDA6A189C958410F50A5FD8F9ED413BE5FF1527A47C14DA2E4F4B50A7F, 0x0706FC7EBD1FB3921885F8087E6C5836707C89087A2F54C3EEA423790028651D2E702B5532ECE833699493B5834A6572), E(0x15E04C5EE3C4839597F9C3E3C5B19F4B26EBD75742A4E8A3922BDA4AA14C3F73DA2D09629613BC92C3D1D9D26D98D0E9, 0x17EA7354388D934F5EA57BBC3CA58AE89B7A8E3400DF5CBD7303FE71A70244E0E9A5C0069DC7A1B7E45DA251F1AE94D6), E(0x17F975E94F0406C10445E7EB7A76D90992887ED28AFF3B4567C5271955896CAF04E8DA4711801E9547CDBE57D511765E, 0x100CE109A0F1B13EAC9BB2542502E214CBD29DCFB015326ED9E7F6F2289B241993B637C0364DCC82676BEA4CB278E40C), E(0x14678CA26DA4F749082D9691AA21CC5CA2C7C6E5D6CD70BBEB9EB9B137BF372EA8C358BBFF236B19DE6F802C7150DEB1, 0x108951D806C7A2C24A43BA87F5B380B981076315AA4863776C01ECDE9CC872475BF8BBD82380A1477FD723C844720F54), E(0x13209611BF6C02964CE0A8004AF5FDE5D50D616652ADD2BC781B5654DA2332C3F388DD606FBEE69F85A0CB6C34B4D3C7, 0x142B0D10C12DAAA73B2FD22C79523733AF7FAEB1D8565A77CBCCAFC0DBB0DCC45F4C7E56B58DFD472BF55D4819752744), E(0x097DD0D29C8650122080852A1B454E40C82E92B4016BC213AC422EE426BCDD4E2B9E0E882EC277125F169232024824D3, 0x14973144A56B6F75E081BFD14555C651DA5888D35ED61457F949613171BC038E8E1996A646BAF57974040A4EFCA9089C), E(0x006DC82F0FBAB025D15FD8E880DBD49A87DA61197BF1A46DD59A19CB3E3BB0C243E88BF702B52C2D100CDFD20BF6D6A1, 0x1854A710087F8CF99558242C557FE109A949C38D9CD0211B29B75810A58F9290EDA2EED0E64B5633B3E2E09F66BB4FF3), E(0x07EE26E527F35C5E3933694F6AB3A5910F31B714A3C6407E8A387DE10BBE42EEB0F2448F1EB2EE6862D907FBFD660AB2, 0x0638F885A05D551588AAB494F039E15FEEB16E588FF8CEB2C6045ED55936580F6989C66F13032FD908BED3745CA677D2), E(0x0F408DDE6D41856032FC158F37FC0741D532472C757400F9EA695853621CD05125330E2743E9706D18F854557D4796D3, 0x154CE35E818FB308F01F488A680E6A0A30B53D45F89F7B7745B22070A427AC5F4E4C5CA6FA6B738EB8536153B06B7D35), E(0x0D3737B6DD6A8B844FB0558FA8E4C61EFCF3C4189D0C9D90B080B0B0688D1E6AAD890D0DFCFED8C94E1478CE87D59FB7, 0x024BBA4E532B618BE5191841FF5F1F29548E525024C70A7AC25A0BC289B92CDFA7DE67D355C134F00753BEB65AF063E8), E(0x0EA715CB21B5C3D4FAEBF2578D4D7D9D67F5EAB573D0DF00F23994AE4F1C1A43A458F6597EBA6BF13142ADF15AA50143, 0x0CBCCB31A70DB321626CCA1E238DA3B1ACCA380B1E9710554C680A70E5517AC1E46A29E248FAA99556F2284AA99932CD), E(0x18ABA8EC2214B1E8CEE8C6184262B769785C800C7D0915227F978367164C730D305BA9354DB52BA496F1A358E29F88E8, 0x0FD3FAD778E21EACE4AEB972C0E76997D6EF4F671C21997895C6632F99FF33EA457484414134AB716C2A3FCA2B3762B7), E(0x0672A5D8CFE1F01382B354BAA0EDEF118F5E262475DAF984876A1D6D09EF0CBD104EA2DB78B967E5D7A473889E990E80, 0x140B2A30A11CD4130F79EE3AFED211E7D46F2A612BAB38F707DB61934554BE5DDF392A46F1F409B2AE6FDCF63B71CA91), E(0x05C2265FE2DE60DB694C0F1FC122931A3CE5C66D8B87B2D0A1CDA4232AC93714A645E4B199875CB642E0654D085C9675, 0x139A3DED612EDADB2AAE208F8F0A5D4D57CA5A86E13347D6E1EB8B451FF23DC1E822A8CFA9FDD4C94CDFF028089F1665), E(0x007E2E8750EEC278D6590A2E5491CDAA102D333C0F7B34F06453E556A353C29859CF259703281A3C5DF360A105B934F5, 0x0431A538890E2749AA97670D4207D6658F3590B0B15FD011B8A18B54AF424C59194FE16DD078F229ADA3410CE091EF7A), E(0x1725D290421009537E044CFF1CA7A37F4CFA110407647334E1E1D95DA0D5B25050E6972D50365A8CF8E463731E3F1279, 0x03AE584FF86A31B5DFBF65EE6EF02DE625655ABB5DFA0E2219DFB2B200303548C10721E086D32B324A9E5029D66610B6), E(0x01BB1BDE62EC0E020EA591A1CA5192C3D4E5108E0BF388CDD59ABA436F9D9A185A616A627115BED6184EEE05FB53255A, 0x14A197599AB487217F3546DA84E4EC591D6B0F7E212D13F23FB6C0322F7A7EB272E474EBCCF5C741707EB6B22263DB4D), E(0x101C83D4CB994165A2BED86F2DF2F4F4DD658AB313413EEFF88A3C3543F38202E73815784FE7A6E3584BD595D8AAD245, 0x0330CE21059906956A82ECD1D3B70DBB5A50F6EAF6C44C5D0492FA484BD806203543E6090E8B1CD11D840B0D7142F514), E(0x103B665A343B9485FDCC7A7534B8163417F10495D1904DD6506FE7025CCF0A7AAA40771977AD8187D9EE216836F7170B, 0x196E553FB4ECAA07B4202F4E5EFE69464777E76BE709EEE2F5482321E58CC9014F9188B8096CBDDFFD12E7763B7E9D01), E(0x148B0995FA03501E953865635204297265DE3EFCC0E3978B939E2F6F0A648AAD9D0D1115BEAC885F84D00D6B9A704999, 0x13709AD9B801D2F32AF1DD2D6A88DCFC1642CC8BE6144402B90E0AF18D28AE8099316329D891A995FE673300E05DCD64), E(0x0E034159838040A4F060B45CA6C76D414CF90E87F2FC3EB98295BB2851D94B3223357AD7676A018DEB916C1BCD23849C, 0x16FF8110C660AD75A9AEF7BD77D7AE38000AE7FDBF7E19C97E7E48CFF7D0F2FC3764BD501DF37EEDF84A1C742121CE0C), E(0x1169B43A5F9DCEF1324280DCFCD42F2A8D1F99D0F01EF6BC73E4586FF9FD577CA8BCCB5F013DFC99951AA12006D8C471, 0x0A4CD8F991C236A899FF5375015AF4267FBAAD372716989CCD52ED2754C56BF1712776E0568A76E9AEEACA643F270370), E(0x1393E816DFEFF76C6D9D0E8570A7EAB722C1BF3AA687FE8F93C903FD53CCBA9B2A8F817620E4F3DDECE3BD9E64378BEC, 0x06021A6A2CBCBECC0C7FC128D4A63A7B8AA06B8BC028E890293F1AB78101ECD86785EFED656D28F2A413F9C95E18A82C), E(0x0EF8A961C49A5BF4DA5A326FEE8AF0C5266D174D457E2B543C5F752C8F3D5EC74601B8292DD7FB16777DDB522C9FB0BD, 0x15A6640D5D8058EE0F1D7FAE5409775D8E61EE6089E12C86EDEFA54EC9A22E532CB814266C919228B5879D10C4878147), E(0x0878FB3F5CB131F80514C042A8A7127031001CEC27856E9436FA170035FF5CE2050D41144F9808C8451D47BE2D897226, 0x139DC16142E25AB890F62C62342BD4A866E547BB6CA83D0C1A57BBA03E478E6BDB89AEBB46C695AD3A2BECD366BF4E47), E(0x0D1ABB960125B6CEDD663F56F817E7B21D029858288CE09A500FD21BC8CB5B3AE9E31D43BFF7A64A6D39BA253A191CD7, 0x0844C63E84A40FF450E894693651039B2BE1D49C13FC023F1373BB9790C3BBF019A061BFBD9BB4C66B1B51CF7C3AE46A), E(0x0557A6D0C2D312ACCB1E8BB6296583C59642477192F97CB78A9060191E6149C666A182838D4EF8A224294673A433DBCB, 0x09E81DB0E7F7A1EDC2B42F6279717BEBD3AD0911938B4DDA585C408CFE482C1686E6FE5EC1AA0B3E38229E3E95CB453B), E(0x00BEB83FF4A1F6E4E80FB5D6070DA7C3A045EB6AF366C21FEEDA423BA797EAAC5F82BA58664660CC73E35C295AA30D33, 0x0A7FFF7E4BB10A832F48FF05F49852DFD69ACEC34862119CAB4653D26345A7B82CA80D1E229612122956BE4D9E44ECE4), E(0x0B14F2AB8FF1E03E2B9F5C9B9C92C3055C8BB2063C2E59B9AE1E90F4AF888DA834C7059C6B0ED810964402EDE025D671, 0x09CE9B1E0B23D6C160F4245E45D08D527694C17B40DFA499D076A444212980ED3DC5A94AE7229420AA1259FDCC5B8571), E(0x1258F4DB7917F2CCF74247792638F6AE1BDB8BCC6E2EC38585006F39D3F60B80A088D526261846F5AC1E6788B718D115, 0x0D4DB2B2216358DA127ECF21363435483E77DEF5B33C59A73BAA66E84760FC7B7F74FB6C83ACBA4615D9B674AEBDA5FA), E(0x0420E0C8DAD3816946C5525A748D93E7ECEC803B381543A711DF98B376D9BEF4C3BAADFA22FBF784293CF5928B753A09, 0x0DBC5BC5C711370DF0F93604A5F4284A0E741A526AD37FB2C3F67FE804E906F42BB9C15909F1EA996486BB1B972C9A79), E(0x060AAE3B5AD6A448F531B1DCA4EA1DEB1A0D93F35924FDF8D69E95FB6F718883FD40D3B5561556143A8B6ECD65357F46, 0x0CC1097C8AC1939F982A738D2270BF5ACA1472B82DA6DBFF18DC7C5A52979BD80C4848B8377746388B790C508C368619), E(0x13D5503C91F049830AFC975EF1D98C97CBE94577F3729E4A731D5799E50EBD50726C91A5F90BD14E70CC125CDF81A940, 0x0D232AF302BDC23BDE6A0925548CF99CD1AA6A4D2825C7EEAC4003B8D24CEE4E4F0785C658CF4CB0B53DFCE82CD03AFD), E(0x11CAF8AD98F5CEC38A335A7EE4E2FB6EAEE2E1EFF7F18D7F7DA1396EABFFB9DB475E129DBB0F3A75AE39963E5AD62D07, 0x16F82D612332E24CE5B5056C47A4005D069BC9D6AF77EC20ED49339EF16B26CF245BE7B5E311BF903F0D1144431F9414), E(0x092617970B956D6B60004F78A0BD5825951DD03EA6A2D1ED1119F59FF394A198BA560CAC2AA3B13DB17131152E51A300, 0x188A3D9D73AD8ED09D1087856BC6F57C16E84F1BEECCF958833E638E29DB306442AA1A8F339B54031A66C8A19E549105), E(0x0DB78900D3C3145D058DDDC476E058AF4BDDF263D9707B2EFEC062FD9801499524ECBA0E9AFD13711F42DF8232DEFF09, 0x11822E91DCEB5FC51B2D40E071C96F00391CA8643CA54486D57BBD8D2D2F232C9945A81AA3936D789D0EC7CD8F2FB35C), E(0x0384DF6F8F205BC2315B1183CD04B63BD91C1F542C6B2CAEA221A00B580E347B7D474A1AF8D68AFAC922A566032975EE, 0x05FF34BD018CD3705B256B2D8480216CE78B3DBF51EE44540B360601D34056DEC6A1388DD3C15CC97EFF0B21B646A2A2), E(0x16FC50745A7802EBC9009785D26A573A0B03D7125B6483BF241F5D907A02C63C4DD009F2617AC54E2CB181FF7DBF65F3, 0x0FC442D1288B7D523E14F35D239BE07484026E43516031B170B74393C73AD7E9157C41B8FA73D66D54BA41BA4893B39F), E(0x162F2A92293FBB81AB4C3D97228D8FB19DE9FC9E67A4209E2E5ED5F6678AE8375CCBB4AFE39E73F367EA6CCCB2CD2A3B, 0x10695BB9149C7E8547D22ECB9AC49788705587F72A1974FCD44C768DE07395DEAB1B9DB819DFF30D7817DA27F3E90E19)] g2_trusted_setup = [E2(0x1173F10AD9F2DBEE8B6C0BB2624B05D72EEC87925F5C3633E2C000E699A580B842D3F35AF1BE77517C86AEBCA1130AE4+u*0x0434043A97DA28EF7100AE559167FC613F057B85451476ABABB27CFF0238A32831A0B4D14BA83C4F97247C8AC339841F,0x0BEBEC70446CB91BB3D4DC5C8412915E99D612D8807C950AB06BC41583F528FDA9F42EC0FE7CD2991638187EF44258D3+u*0x19528E3B5C90C73A7092BB9AFDC73F86C838F551CCD9DBBA5CC6244CF76AB3372193DBE5B62383FAAE728728D4C1E649),E2(0x165830F15309C878BFE6DD55697860B8823C1AFBDADCC2EF3CD52B56D4956C05A099D52FE4545816830C525F5484A5FA+u*0x179E34EB67D9D2DD32B224CDBA57D4BB7CF562B4A3E33382E88F33882D91663B14738B6772BF53A24653CE1DD2BFE2FA,0x150598FC4225B44437EC604204BE06A2040FD295A28230B789214B1B12BF9C9DAE6F3759447FD195E92E2B42E03B5006+u*0x12E23B19E117418C568D4FF05B7824E5B54673C3C08D8BCD6D8D107955287A2B075100A51C81EBA44BF5A1ABAD4764A8),E2(0x0757BCF9A20CAF77E9AC702C077543270FBF7CEDCD079BCF01A02DD030FFEA9D3EB7736FEF799A1EB26D716B920E5A80+u*0x01A8EB72CEAAD2A808890C986524DC4656D4D581EDB23F4BA6072E57FF864F9C959A6411A9561B4A60CDF4CE06E9A7FF,0x159D24B398C84E4DDA182B8C9912E729938A0AF44A1FD40BF19F308BA1261D3686FCA92F6085847C293FF604B24B84DC+u*0x17950075D42A20E1F364BE222D415BA3C15BE65795D5C50814639D84887C83EED925E01967D737D6797E644024A0FABC),E2(0x19AB6009181844141960B4D6B972187369DA1B99F5A77230807C55C4ED902DA0F17565130675895629477F0CA83B34D8+u*0x1746D2B6D21B4C01225F756C9588878D3FA254A883ADCFC2F62EC5F4E77D0D606E9E63AB706F6C48FB221D7B9A7C8290,0x19C871923A73A2DC1F3B5893ED5A265E0D4C9A65E577858624C61ABDAEAC407FF3410F70179F2555D97530714C5C7426+u*0x01FBF0D1062A6389C53AB0A5D0E17CAAADCEBA6BE091011198A1244D4F7500964427F4F596991482F1E70639AA36A7DD),E2(0x001104611CF4B3F613E5D53148121BA4C265634B7B287E2F600DBF4523D9816AAE53C12A52F7F36E83B1B09CF242E037+u*0x0400D4E47B77FCC04F8C7ED6B4A427D9CF9A4A268EB4E5940642BE2BFFA0FB9E4168DA7B03ABB19F06358BDA048012B6,0x0ED0B676034E2EC26184F9EF55C581CAFA138B2263A25CCE2C2049FA2B5879A5126E0DDF684A0165ACF7341B23734259+u*0x061E0B4B32BBF222C56B1A851ABB53139EC54030897E6AE1E90245221808AFD076757FF168D178349AC29470BB837E51),E2(0x11A7A5452C5F1EF266C8F35435207434005B8906E3AB35EFC6F58B3D13146614D073BB6DB3CC9C9F65DAB3D613C222D9+u*0x117AEF2196D2CB8ECA1A9228989C5273026C3DF0ED8B9906E5334B2C214FCB8AF7273ED63315CAB9C8F42738042DD11F,0x02EDD9909E813D9D200208EAD4CFB66BE1A3174374EB7B8CBDA21909ABDD94B466BA7C1C1641ED5887A0290EEE855A1D+u*0x081EC9EE5AE888E45E1630FEA94753B4523595F66AE723CD9EC575E444EE0EC93BE4F5E0C7ADE334B870DE0D62956443),E2(0x10D5CCBF087DF2965AFE0AAAE14B889EAD26B22780844372E144501BA00DBBB76B3C8104E44866758CD4ADE5BA27EEE3+u*0x026B31332BACCDE191377BFC3E30E17E668C796E00E1B8A6C4D97574A4AE5867982481EE055EC9620FDD0FBD3105340A,0x04ADCCD8BDCD319A36B33DF7236F685196536449B7B9E271F6905232B64850536E6BD2F7F7D95CF705EF66EC07F2AC74+u*0x008120638E9D2C311D481008E2876F0C37BBFF31AF60AE48A98EE79720593DE46D71DB1A32BCC876AD739717E0745328),E2(0x11C7B0DC2682467942C4A59B6ECA69E3CF06ECD1C3C01926E2E13550AE8126C86B5DE4ED3D730A0569938AD69B2D16D2+u*0x13DDBF47F898505BA76F074B8605FDC995CA5FF650E32DD995DCFAF03338CFD83052C233AC46D7DF4C8C2D056E138D84,0x0C62CD2CF5C98EFF342164F7DA525CF3E4C4D30FD9957316E5D71D3296360D670AEBD3DC456DEC31A4A1CE18A05356D0+u*0x0F35E1E232A16483A132D6D85A0D3F60BB6306C4E712491AFB9DCFB358B7AA12154652F5452301ADD421C7492F94DA4E),E2(0x059F283FA13F25561D2F47EC7889962F0269D860FBC03FE7ED9708CC54610D274BA0B25BCDBCCB730872B71D7B52CC49+u*0x00DB9091FF231309206CBF52CEF15A7CE07DC3DF8D847D9F4E4B5BFC6589DCBC9A178A64AD5CB697DEB2C2A0C25F8B4D,0x118B3A5C9133B2B4925B42433B884C704C3C60F0F3C1777FE3BBB7B80933545C46512AB09B4AE9EE2BED9E9ED7A15041+u*0x138953A403C36FA8213C4A7D16D8210126B46ED468161FE21BE7043342324399C77C354D49C6B691E89A1AAE66C60DB5),E2(0x198CEB383DCB2FE67DEADB435663A60BFB2D356FC6686B2D0B08CD3B40F1C8F342F3F982CA398DCA337EE5A71395C7C3+u*0x119B30598033A1DA04EAB179F0044C22A4EA31AA8462EBC14FB431B3A97DD8B5F336729FE3B319ADAC64BB6F0333FB3C,0x0B9D065102CFC479EC83DCD1A9545B51172EF9C23D1F5C3AB10A549041F245817E0E0ECF10BCE6C72D13521CE5A96F80+u*0x08B6A4C487B83B5B09E4E96A2F49559BEEE9A9BC2D9B38BA2621491FC6127CEFC763944A8DFE765062CD0CA333D788D0),E2(0x09F1E4E5B4293EC594B51D20145E5BFAAF5C456CECCEBBF72461448BFD2771EEDFCC1EE68DC7F874C90BFC3533DBA8FB+u*0x0C66BD7EEACAE990AA081D0BCAE65A5AC74A9A2908BE059118FBC8EBA136B78AF168BA25755E1984EAEBF55AD2C9D4EB,0x153165C4535E50E021E5DC1495887561DCE6F79BFBF7767E25CAD32C8F105AE9909447B07B195FFD99C7B4EF0CA92BBB+u*0x00124464EDF31C003D26631A6D8A53B03B952C1F9060D5EE2950D87E1A3772E69E1BD62AB8C376B53A690E3D1447BE13),E2(0x0DE07AC3412C6A3A78AC94D5D4350E574B69D07766612B2C77F8FAE2DE4AEAFC8BF182B6B07B1F1D13D5B5F73CE2D76E+u*0x15E89CD44BCC2079B7F31D5F315A0F8ACD1B54AB0A18C921B0FB07B7635BAB0F70A278A30B20011A7771050A3C34DECE,0x0F213CEC785073EA46DD92FE392C77AD0E41FB2074BCB3654A870C1E20A90F0E84FDA2BDB83B852CC0F1AB3DD44ECFF8+u*0x04419BABD97A81A438D9672617A11C603AE5908EBE3A2FD657C6332967091261F727297C06692C94AC67BDE274D66245),E2(0x11AB07D277F6D723DD1644FEA7B12619472FC306009AE2DF579DB77C74421E9195E6870EABB0F08045132C0C8C74C42F+u*0x020C6E632C3B9B90EC98889EA9EB43EF797C25004E17DA42D44CF383D9BB07741056F7B656FF210C299B9247EBDFF628,0x0D166CFCEE93F228C38C52DFE059FCAA16BD0621ED2DF36D4FCAA58B4D201EE9285138E3FFCD6BC9E4EC1DDC0034727D+u*0x0FBBFF2C2C018C661CD99709C19D79D9886EE4F5508790BA5F10C2B7DA85C74CAD516257EC7A0EAFEB57F12E57D16593),E2(0x18693AAB7D5AB15A01D5B70C01A73E70B3C64D1BABBF099E7A6CC0EF1B165694CB84240F3476C0D94216E4B3F6D4B716+u*0x004F37EF2C505C0D27C54F7E43C76311796FA1E684E389D167E9DB3C8E5CFC693A709D75EE283C4F58ED361D5F261CFF,0x0BDA2E8EAB2D0513C00CB73689C589C525F648EAF2BDD02E14675FB1F7F330FF3BA8CE6A8BBC5B569D7551D3A9173923+u*0x0B2A60DBAC47C43ABD5C12BC07A9819DA688AEF552E44DD168B269155C4B99043831F096EE20723903F4427203A293D3),E2(0x122D956CB11AE10247661B8133C3CE32B117B6614D34CB94151714EB5F88DE88052315F40791C176B59953C22FA4A951+u*0x196325EAC6FB86C9C75E710C17EBD7F5EAB77E6DE9DAD425F01DE46E9BBD346C521A3F2C5DAB3AF75367AB1F5EE98DB0,0x07064EE33F8CF2EE283BF0DFED67BD21B20180EAAD8BA05129B20E8149EDCAC0B6956C862611C90269E338B0DBD6D38A+u*0x0103B978AC9F1B8C2B74815666CFA3F704A866247F38DC5D3147255B243529749AC24D56956F429F88B99BC184F144BB),E2(0x0D65E0060F14BA03603EE2F63BAAB7459CEB8AED28400D6F64AA2EC737877B43CD53A7539A6F5249CD304E410AEA8BF8+u*0x190829452E5A76279FEEB7EF36B7EC7BD80B6EA8BF3EC5CBFED0AD9F4418DC2387554024E456E8797672729491F48264,0x0AC7EA9090B03A086B8F2D17BB5B9C6AE63B7A09795E5E7D19277809FD629AD1CCBAE487B1CD7A78E738AD0A0FB99BEA+u*0x15432BB9A4B3EA279E259BFB796314E58C40EFA07CE6B530953B58938068A170C39FC47CA6FB896684A5F262B79384AA),E2(0x01D94FD984A993ABED57BF1D64B91264CB7E995BF87E2A0404BDEC3B23EC3E4B1DCC3916BDD895D88823398D1FB2DBA0+u*0x19982D1400EC7F354221D1FD8D8C6905BC6F6BD1BAC85D8685A37B0FD4E48DE4070D68D01C4F4541F6A7BE75B919D5E3,0x0951DCD7B42DE5779DBC38417428BAE4E3B71D682183C4196FD83CE71A49CEAF43CB50CDA432472703241E5918544A17+u*0x0B8B93E09B00F82545D54CA7036EA523D7A138650872E0F43A5DF48FD1DCBFD6AFAD5A67248102F5903352B1B657E094),E2(0x19688F7B4B293F9596D0A4AF517457AB85FD82B072D9281D45A421D4D1E9BE872D192FECD0072BD88617C2192B00933C+u*0x0893715754201C8E31AF7A8BBE452221916AA1DADF97BDD6CF07D3D3EF838B5CF80926BF8774E3379C3C0117CF2E174A,0x18083C8E19AFE49150875B5E79E635540A79A97F42BE89D8639A287D172E358B2524CED7873B6A2264648E73BC191C8D+u*0x08465CFA76C9433E17C99A7E92F12E20A79C2B055461F29EEA1281DB96B3ADA9A1D9D069F052D7C0D7576C5B5606C741),E2(0x027E0B27949BF79B41D252C8A0E81A25A24AC26DB30EE24403BE37D78BE663DD53B853CC6D2D919633DE1B282FD51F24+u*0x029FEC772BDEC04BA298C818BBA34C2C45447A67E9C9B5BFC70063D504BC3BE3E16577BB4EBAF6017975941A0A62C1D8,0x09D8FA7D5971C2A824BE6BDB22EE80AC07E4138CC0E97FE9F0A669EFE41C50970EABD86B78BE531377EE0F7D8F8202E2+u*0x086DCAD874D417C86387E6C8636AB640AA6A9EB5F0D4BC9BC95A9240BF7568A637D4EF46F154C5351B2C5C82AEE02E36),E2(0x08599FD5931A9439DE6BDD8EC596B572090316AE12360621F349E2684BCC6674532D57EFCC2905E534D346740BFEA7EF+u*0x080C7CF4DC1ABCF0F8ED49F691647B3F95C28BCCF2A1EE171AE615C25511BC1D0855BBE657509FD3C0CE038624FDD40A,0x016E4AE47719F11E6E5AA8B7DE1C4DF7381F55A9377D769131E986D227AAEEE45282B80D46CAAE3016461BC946FFA74D+u*0x0B0883DF9D148C60224FBC64E25283F02A1E2D7A4C9715FE50AF329B8BFFFC2782F792A5BFF11600AC64672D9FA67530),E2(0x08BA644114A378F70F1E63FB1FF16375BF5919F9BD85E3C0C6142E36D25DE38687971070B63ED5AA04CE9C6734B79C01+u*0x01EC373780D426C5EF390667887BFC6179D90DF48F3CE37E799D90BFD83611BB16054972EE439B18DAE55546FAADB59B,0x150AE40E1DE47979D70BA6B01FC40F43815DD87DD5686575722623B4F18EAF6D970DFD08C53E09265344C26C1B14D3DE+u*0x1239B193EC9A27D6A4866E3F7208FB7809D812BC7194E83ABD41C5AA32502E335BA2E183F659FFCF9F4268E761A32305),E2(0x002E6CB496873941388E21B1D26B7AC9096CF0D3A1D90DD1166398C742E3A3782D924AFBA4DA62F4EB08EBFF42296B1C+u*0x0E706F448569C218C768751851885F358D0F3A9A8BB96CA029EFB25149F5D667C3B0E18AE3F187E1CBB49499ABD9726B,0x154CFD17DA6DBD134AC4E73C1E62D47C8E8BA060D534765B16D0AB250A0C8DE8AD7C14B89FDB8581F1280DDF6E39AAD0+u*0x01C86A71A8C652DAB2D4EEB970A81CF4DCD5D273E4AD953672471DA6F83FF2FF51EFA397424293DA05FC447F9F45106C),E2(0x07A5ABFCFCFD2A84B01E7C2CE9EA0A371A56350B9C5409291B33DD78E256AB399093F03841FE56CD11CFB2B3C5FBD882+u*0x17F5C7F8E168BF6CFE240CCF502F95B416096FA3DCEE37BFC790C38B51E3A85EC16C57F37AB81AB85B6BA670A3A91DFA,0x086B46E4CB90ADC615F17E8C436EE16CD9A382834E42EFBDBA9A3E8D12CC00721625F30C712DBEAF071CB2A0A34B2E5D+u*0x0EB41AF6886EF91F215C8D8C3B545DA70052F30F0297CAD1F0FEBFA0D875B6989B9069A96D03E2A44FC1D6FB84079183),E2(0x10D84C438CF4E661A1604C804B1244792BE4D2BFB69BE16FB396BCF5EA0986CBFFEF91FE267C0261B053E4733E524B84+u*0x18374012747EBEFF5D585F3B0D387838079E1FE2FBB9A9C98864AEB670FB2B9DFB2A8690294A13B3C4FE761AB6BAD1B1,0x0DBDA9397FDB5472B3409CFF14A60A2A6641261A4BA0AF074CE86676A4D0206D20E798D4206EB7A3768682D3BB9C555F+u*0x1000B4B4B2EA62F943BF052DBF26A9E4BA7D1E387CC6B4A32B43CE207787D80D0565C52C5C4229F50939E6BCE409995E),E2(0x000FCE32BF07C0D8D344A3DD6EAE148D217148F4121E5B778ECC724A56CA9B547A6A12284A773A8EC22D2E639C339ACA+u*0x14F7A3065318EB10217559B0F641B82BB4B10617CB78331D6DF2ADF7F17085A8C0C61C03A289A64FC3DE8DC10B70F30B,0x005FDD303765A05A9B3B350EAAB59558FCCAEA9F56D13AF9534070AA5638443D91759418146759359DEE00D22A655C28+u*0x0F7050263B08E74F9FF4C71EF88DFA0E51F5EFA867438E7588E5B3DF1A704FE7EC1C4D3E88C9DDF85906042C2D1F0D13),E2(0x19700C28716631B2D2BB6543BFD6632AAE3B71BF5BDDD6E207A99302E0034FB12AA9F780FE6F0339326223C3B5981A15+u*0x0DDE0C46CF32499BB07FB3EB15EA24E7667E0CE78D0DEFBB8CD99C5D6EAA4CB50006EC5B621EE19CA6AA1084461B836A,0x162AA49971F3359A697F55008353F5A0A9249FE896FFB2DACA39C1D521FD2FD9E540357648BF77C842F3922A8E789953+u*0x122C3F5C8C3B314D5E6B9C69CF90CC0545535D45674044800D1C1EC6576DCA1B5128662508D2F152928F00F3DDE7EF3B),E2(0x10E93C129756887ABA97579E7BF047821C40A00AE2A1E056AA45CD7731F6CD78BB7F80758B9E5960A7080B998901057C+u*0x0A5FD8E33C11FA72F5D938C724942CF1F469F3C52A7FAA7A8193C901B118CA12A1B31DCA0A301EF3C867F92D17DD74F3,0x0ADB50B1436679422B06305D3E26D08704CC612ABDF9D75D499054EA9DBCE8257802C490DB58B59CC421C685134177C1+u*0x0C189E481473056DF3C73F181A09D0115A27E38590ACB8B73F3D6D7A59B69E2F9F7BAAC1377D78B6B7236EF7E1788D6F),E2(0x0AD1E315AAC878255CB966F47B316A0FC4D7BA2339B0CC4A4DE8C454DD52BCD71296681D40947FEE827A58C0C9CC0B5D+u*0x02E7E8B4BDBB4C7535160D7FD6A3A39DE78E7D635094722A8D3B5D44EFA4B5A93A723B28EAD7F76726C2452C0999F38D,0x14193583CDE18DA0D2F2F262F88B11AE3E06366B5E0EE91F1F924C1F1FF04513E632F8B351A51968998F12C9C5D092FC+u*0x112772145C6C64627F6441BCC901B9AB6066F120AA6B49DFABAAF0B14249B0D7DA877FBB9B39969891F5C571BE9F6FF2),E2(0x155C0BD3920975D4244D77E06CB4AECE302F16FA48C6DEE54E061D9E786ECCE317C86699D3931A6CFD799E58550423B7+u*0x06B909394B35F9196F156B27E41120214F6520E3B9413FCAC45260941B0F4C160CCA437FFAF374FCF564986BEC7079AA,0x0CDB50A668B41C754719B695C764EE4625C7F9C5BE700ADE298EA9B815EBB1F42195DD3F1A725AE184B7FC678CE2E366+u*0x12D183F401FAF7A6C51B01E7BC0C03760786E7F4CAEBCF92DDC0B49BDF01F36B5B0AC20491FDC15C7496EB771A1B7D30),E2(0x0810A6CDD125C9025DFA558A76E7A1A2F230E5BD9568C412399AC3D48A78A6704ADFECEB9F39C6C8599529693D95109C+u*0x027DAF00CA8E528C2115D7A4F969F215B88B230E253001A620C4626B6978692DBCDF0F77FAFF58534FF1F418E631C4C3,0x032D348283F4565B7B90AA0BAE1B52021F58E3B24DA251335CC1D0F8B9921FCCA949494A4300E4938FECD01DB310993A+u*0x17DF717A14C681524ED2B420EF7F8E92E6214F24C73AB811A1C4FFB70B4E9DDEFFFBBD47DE878982674AD7CA3F20BFA6),E2(0x16B59E523EC72B48DF033312E33E75A7E75A1BBA8C1F5DAFEFC5D4317BBADA9CD384B7DF2278E2448153775E9F2F25C1+u*0x091D06838D318345E6768CA6281BC406C96197D7FB3777E49325E6F89A8A4BC6D6C2399DB2795E174FAA97BA101E67BC,0x04B54CFB462AEEA25C566DAFF4E7E564DE83C1E2EF9A344986E375D55B03D38DCA880C69404D20C82666A45C27F34CFE+u*0x13072893B0D8E98B941900B8CB0B06152B978DC99EB4043FE559FA79B364DCA2C6618A5CBB4772F88191F953A46A573B),E2(0x0BF275DF09FBF21FA4DCC3F3B6DF4BC44DF1BDB28B4ACE87F247B9E35E5126E1B061FEACF9B639FAE35E05386FAAFEA8+u*0x0E1939CFED18E0DE97F98E17018C126600960CCCCB804A466F5623015B61D0114AA3753E919A08B24C7611D6B194EDF8,0x154127D1F3AF0AE24397FAEDFD1E7F67DA9178B85701D175B285133B143D8F82AB8905880F361A3ADCBA95EADEDFB561+u*0x0DACB99D4BB805D2ABC3C1BF3D3684ECD006951E8D84EB1439AAEC5548AC5FBCF9DFDE7890AA247A2BC8A5F95351E91C)] ``` From these points, one can already see that $G_1$ is not of order $r$: ```python sage: print(g1_trusted_setup[0].order().factor()) 3 * 11 * 10177 * 859267 * 52437899 * 52435875175126190479447740508185965837690552500527637822603658699938581184513 ``` The last prime factor is $r$, and we can already compute the secret $s$ modulo $3 \cdot 11 \cdot 10177 \cdot 859267 \cdot 52437899$ using `g1_trusted_setup[0]` and `g1_trusted_setup[1]`. In roughly five seconds on a laptop, we obtain $s \equiv 2335387132884273659 \bmod 15132376222941642753$ (see [here](https://github.com/kobigurk/zkhack-puzzles-guide/blob/master/trusted-setup-guide/src/solve.sage#L60) for the details). ### Information using $G_2$ In order to get more information on $s$, we look at $E_2$. Computing the order of `g2_trusted_setup[0]` is more expensive because the order of $E_2$ has a large prime factor: ```python sage: print(cof2.factor()) 13^2 * 23^2 * 2713 * 11953 * 262069 * 402096035359507321594726366720466575392706800671181159425656785868777272553337714697862511267018014931937703598282857976535744623203249 ``` We easily obtain that `g2_trusted_setup[0]` is of order $13\cdot 23\cdot 2713\cdot 11953\cdot 262069\cdot r' \cdot r$ with $\log_2(r') = 448$. Hence, we can compute the discrete logarithm of `g2_trusted_setup[1]` modulo the five first small prime factors. We finally obtain that $s \equiv 712318409117070 \bmod 2541052003438559$ (again, see [here](https://github.com/kobigurk/zkhack-puzzles-guide/blob/master/trusted-setup-guide/src/solve.sage#L60) for details). ### Recovering the whole secret From these two pieces of information, we obtain using the Chinese Remainder Theorem that $s \equiv$ 0x113b7b26971d7ade78fd8777ba35d mod 0x767d66d83219344facd1815e44fdf. We can recover the last 15 last bits of $s$ using a brute force: ```python s = 0x113b7b26971d7ade78fd8777ba35d N = 0x767d66d83219344facd1815e44fdf K = 0 while true: if (s+K*N)*g1_trusted_setup[0] == g1_trusted_setup[1]: break K+=1 secret = s+K*N ``` This last algorithm computes the secret in less than 30 seconds. ```python sage: print(hex(s)) 0x56787654567876541234321012343210 ``` ## Conclusion In this blog post, we presented the Groth16 trusted setup together with some security considerations. The related puzzle instantiates a setup where the points $G_1$ and $G_2$ generate larger groups than $\mathbb G_1$ and $\mathbb G_2$. We use this issue in order to recover information on the secret. A final brute-force algorithm lets us recover the secret scalar entirely, because this latter was only a 128-bit integer. In order to prevent these issues, the secret needs to be $256$-bit long. Moreover, there are criterions in order to check whether if $G_1$ and $G_2$ are in the right subgroups. To do so, one can check that $[r]G_1 = [r]G_2 = 0$. In the case of these particular curves, faster algorithms (see [here](https://eprint.iacr.org/2021/1130.pdf)) lead to more efficient subgroup checks. For the BLS12-381 curve, one could have checked it using the `is_in_correct_subgroup_assuming_on_curve()` function (see [here](0x767d66d83219344facd1815e44fdf) and [here](0x767d66d83219344facd1815e44fdf)).
Last changed by  
simonmasson
393
Published on HackMD