Attacking a bad trusted setup

This post presents a solution for the puzzle in the context of a trusted setup, a computation needed in most pairing-based zero-knowledge proof constructions. Trusted setups are data required for particular cryptographic schemes, computed by a third party that knows a trap-door for the scheme. These computations can sometimes be done using multiparty computation in order to remove this trusting issue.

Zero-knowledge proofs are new cryptographic primitives very useful in blockchain applications. They became famous with a construction presented in this paper (by Groth in 2016), requiring a one-time trusted setup.

Groth16 trusted setup

The Groth construction is based on the discrete logarithm problem in different groups. The trusted setup is composed of elements from two groups

G_{1}

and

G_{2}

. We use the additive notation, and we denote

G_{1}

G_{2}

the two generators of the two groups.

The trusted setup of a Groth 16 proof (of size

n

) is a set of

4 n - 1

elements of

G_{1}

, plus

n

elements of

G_{2}

. More precisely, a third party generates the following elements using his own secret scalar

s

and two scalars

α

and

β

$G_{1}, [s] G_{1}, \dots, [s^{2 n - 2}] G_{1}$ ,
$[α] G_{1}, [α s] G_{1}, \dots, [α s^{n - 1}] G_{1}$ ,
$[β] G_{1}, [β s] G_{1}, \dots, [β s^{n - 1}] G_{1}$ ,
$G_{2}, [s] G_{2}, \dots, [s^{n - 1}] G_{2}$ .

Although there is a trust factor involved in generating the secret, the resulting proving and verification keys can be used to produce a proof that is succinct, where its size and the verification running time are independent of the statement size. Many alternatives prevent this third party issue. For example, the trusted setup computation can be shared between many participants so that no one knows the final secret. In a setting where an attacker would know the secret

s

, he could forge a proof easily, as explained in this blog post written by Kobi Gurkan.

In the following sections, we explore one aspect of the security of the trusted setup generation. Specifically, we aim to recover the secret

s

when some of the elements used, such as

G_{1}

G_{2}

are not properly generated / chosen.

Security

The two groups are chosen so that the discrete logarithm problem is hard. It means that given

Q \in G_{1}

(resp.

G_{2}

), it is hard to find

x

such that

Q = [x] G_{1}

(resp.

Q = [x] G_{2}

).
In practice, Groth instantiates his scheme using elliptic curves, where the best algorithm that solves the DLP has an exponential complexity in the size of the group considered. This construction requires manipulating particular curves called pairing-friendly curves, threatened by other algorithms for solving the discrete logarithm problem.
In order to reach a security level

λ

, we require

G_{1}

and

G_{2}

to be roughly of

2 λ

-bit prime order

r

. For example,

\log_{2} (r) = 256

reaches the 128-bit security level. If the secret scalar (

x

above) is known to be smaller, it affects the security.

In practice,

G_{1}

and

G_{2}

are subgroups of two elliptic curves

E

and

E^{'}

defined over finite fields. These groups can be proper subgroups, and it is possible to compute discrete logarithms if the third party manipulates the entire group of rational points of a curve instead of

G_{1}

G_{2}

. This attack is often called the subgroup attack or the Poligh-Hellman algorithm.

Subgroup attack

Suppose that we have a group generated by

P

(denoted

⟨ P ⟩

), of order

r_{1} r_{2}

where

r_{1}

and

r_{2}

are prime integers. Finding the discrete logarithm

x

Q = [x] P

can be computed as follows:

Compute
$Q_{1} = [r_{2}] Q$ , a point of order
$r_{1}$ .
Solve the DLP in
$⟨ P_{1} ⟩$ where
$P_{1} = [r_{2}] P$ . In other words, find
$x_{1}$ such that
$Q_{1} = [x_{1}] P_{1}$ .
Compute
$Q_{2} = [r_{1}] Q$ , a point of order
$r_{2}$ .
Solve the DLP in
$⟨ P_{2} ⟩$ where
$P_{2} = [r_{1}] P$ . In other words, find
$x_{2}$ such that
$Q_{2} = [x_{2}] P_{2}$ .
Recover the discrete logarithm
$x$ using the Chinese Remainder Theorem:
$x = u_{1} r_{1} x_{2} + u_{2} r_{2} x_{1}$ where
$u_{1}$ and
$u_{2}$ satisfy
$u_{1} r_{1} + u_{2} r_{2} = 1$ .

This method can be generalized with all the small factors of the curve group order. In practice, it happens that the curves have a small cofactor. Hence, even if the DLP is hard in

G_{1}

, the information of

s

modulo the cofactor gives information that can help to recover the value of

s

. Particularly in the case of a trusted setup, one can apply this method in the two curves and recover

s

entirely if it has been badly chosen.

Solving the puzzle

The puzzle data is a trusted setup on the BLS12-381 curve, meaning that the first elements are points defined with two

F_{p}

elements (where

\log_{2} (p) = 381

), and the 32 last points are defined over

F_{p^{2}}

and corresponds to the twist of the BLS12-381 curve. Hence, they are much larger, as we can see here.
The secret is known to be smaller than expected, namely an integer of

128

bits instead of

256

. Hence, it reduces the security to at most

64

bits. Using SageMath, we are going to compute the secret

s

in few seconds by manipulating the generators of

G_{1}

and

G_{2}

of composite order. The first step of the attack is to define the curves involved in the trusted setup.

The curves

The curves we consider here are:

An ellptic curve
$E$ defined by
$y^{2} = x^{3} + 4$ over
$F_{p}$ for a specific
$p$ of
$381$ bits, also called the BLS12-381 curve. The 127 first points of the data are here defined over
$E$ .
An elliptic curve
$E_{2}$ closely related to
$E$ , defined by
$y^{2} = x^{3} + 4 + 4 u$ over
$F_{p^{2}} = F_{p} [u] / (u^{2} + 1)$ . The 32 last points of the data here are defined over
$E_{2}$ .

The following code lets us defined

E

and

E_{2}

p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
Fp = GF(p)
E = EllipticCurve([Fp(0), Fp(4)])
assert E.order() % r == 0
cof = E.order()//r

FpT.<T> = Fp[]
Fp2.<u> = GF(p**2, modulus=T**2+1)
E2 = EllipticCurve([Fp2(0), Fp2([4,4])])
assert E2.order() % r == 0
cof2 = (E2.order()//r)

Information using
$G_{1}$

From the bytes of the data, this rust code lets us obtain:

g1_trusted_setup = [ E(0x0F99F411A5F6C484EC5CAD7B9F9C0F01A3D2BB73759BB95567F1FE4910331D32B95ED87E36681230273C9A6677BE3A69, 0x12978C5E13A226B039CE22A0F4961D329747F0B78350988DAB4C1263455C826418A667CA97AC55576228FC7AA77D33E5), E(0x16C2385B2093CC3EDBC0F2257E8F23E98E775F8F6628767E5F4FC0E495285B95B1505F487102FE083E65DC8E9E3A9181, 0x0F4B73F63C6FD1F924EAE2982426FC94FBD03FCEE12D9FB01BAF52BE1246A14C53C152D64ED312494A2BC32C4A3E7F9A), E(0x15847FE37FBC3E3395111251208A5EC9217EDDD5280CE0D9CAB356EFA0DDB07B4F4BD34226EF11DCF24A8CA2D069AC9A, 0x10DA563477393233A9F536B4AB18ED3590F05D7435D926464277232DA2043EC10EE33922C0690F8B5E493A6CAEE47C45), E(0x03BB6E3E41A0DA95295D92E476C8A4AF61BF4F230F5CD8522362390AF20F00B7CD2D2B0FFEF98A5CC00760B8B36C60AB, 0x0EE54B6F5ACA7AE250930EB7673A93CDFD77BF55599D662FEF07F22DD6633D22E767B79F6366A5D1B260758C88323350), E(0x050371F20BF7FD6343443EBE854C1E556C0075EC5A0903984712B2A0DE85EBE6297E53B61D2C6DEC5B65A855CB3A5995, 0x1373DB17DCF0957F2AFA92AFE672F7EE76D52D3F8078316C6812807AA334CA8BB4553F4520B2E0BF53C6573EAEF02737), E(0x04DE49B106421CE7F202540CCC9105738AE3AE10D85C0E37DAED84619C9D71A87D5A2178669F7366C50421491A2ED88C, 0x032554DEE799B45410E615EE321C577C761EF2B4E5823D924C3F1CECA3EFA567CC01C51CF1E1B329C2D7981628B50BE5), E(0x0F02D12B3640D6FB8DED34DD183A899D4A43055C52F3B763248A390551EEA7CC89421AE2D54FCF3EB87F65526ACED402, 0x0A05EF533D6CD9A1FD16646CF9835983B9E977C0A739397AFBCBE881FF9ABB5EEBDF9852D7ECEDE0A367ADC5823778DF), E(0x01CBA25122FB5A73C69287230950E4650D0A86B45816B3B09E765725C5C38391505B235492A33791FD47DF841554C7DC, 0x19A638FDB127857982D2CD9284DB04188E427346CA9C45D4316B476F4501DC995F29F1DC79702A74C3A9E8B2D8F818B4), E(0x098B9663666CB89BA3F72361F7BC4CB415E8C8236B467F97C32CD23A1AB13D8B0CB7A9D615D08755865C4D59D2C1529B, 0x004E95AD1BB1BAEB3D76BC9B2D36A42A5B98A5125962ED4DE99D9B6F474ADAADB320390F8B8C216A2BB05D64563B1633), E(0x01931C1701BB7F5AC888F51FDA6F0EB25F7D585BFC43E784B82BE11B0403BF8351203F70C8C260B8734B0FC2725FF672, 0x0331C5BBBA499F5ED68C8383780D05F1F628C791259297AE830149673F582945117D7204B3E91D87ED01B318C1C2CF43), E(0x0FF696BDD2B15363C543D4CFE3C0DD2DD57E3731C76EC029DBA54E4199226A4FFC28AAC92DC7B75DF4CEED94B9FA2BF0, 0x0AE384512AB2C22EA0249501E5CCC5975B8F47BCA9A015CBC3AEF28B4A0678037A0487A53ABCD52C0DCD4A74166D4D8D), E(0x04FC7482B225250B61298B473792BF994E81B3335E59471ED7D98D17AD438F4A657B79AA7EDA6D3EFEA432932EAB4328, 0x176AF0F45FE9D213087F085D4CA84D83FAD533F8D60AA3DA8C08B237DCEC7C0AAB193CB7718EBD2B263D34A724D76622), E(0x07ED6535D81C50D2BB175C563C1A45285491BDD273DAF50BDE6B848A76775FC24B18614E7779E458D582EF75DD669F92, 0x1861E4928A0BC4B8527B47A05B14D6FDD9663D02A14B723210CCA28E97EB19D0860C841276FE3B4F819F105CB140EB0A), E(0x006CAA0F4D48A06362B4ED142FDF734DB135ADD5C86404B025EFA2BC576146355AFB0C93A71057689DF96D783ADAECC4, 0x0495300FCFDDD2D53897CCE6E993D679E113CB51603286791F6D2BBA7A8E14AFD4DA5DF9FD7A4EE55BD6D59F0A3606F2), E(0x1536ACCD5545C3FB761A77407A641AC1E58C92E4F0118BC3D14556CC5B87E44999CB72A06D9B03AABE0BE0623DF140C3, 0x0A7339927941801A67031F7BFFC055BD99F104E7201A628A10D1C0EF70897F7F77D85668B1D729C17C184E0461A72FE0), E(0x128E9B5AAC66EF665454F040454D79003D681ADE9C5A3EC5C407B8C1EDE850DD66C66AC572C64C85CF0377A0BA52874E, 0x1501EDDCDD568F64A1576FD166D2B856E8E7E2A4A392569464DF49940E498B3C5832F63CA67AA35018028292593B9656), E(0x04BC98DA5CF9F43091B680E089BF3D835E771B1F767BD74993958813534AA8E55970FA3C5C9338BC14F447538DB45850, 0x17BF5EAE0C784CC286A8C3546938921FE7EB933FC54F0143E8E5A5773AFF5FBBF6A386740D3B3E0E6326D3404AE3A2D2), E(0x0A3EA5F22993FA5CE64BF550550399A7F810076807EA5598EFE81EC57E6CAF6920B424C3D742EE6818608C61EA5033E6, 0x0F9D0506D6AB4DA5FE3A6EC86968DC2B2FA38B7921E07D4EE676D5B223D63699A9984F8AABFD78F49D97FEDA5B5BA04A), E(0x04F65942771F4A76A9DC75189A45EA9A7DF81165349FBD8543B416E76A50273E57740E79FF9372100CAF4D259E60549E, 0x0E57EC4A62BC1D0E63931E2E541F762AAC205B8701EB7098A02227E6A51FB6453E95709AE305BD7C60991C1871217585), E(0x192A6E2DCE1656C9EF59CC29FE35BB50C14AB32D087083532A0A01617F50BC65A4967FF0C8276815C35A9F15C7C77280, 0x071538FF2734AB4A3C51DCCEE3C31CD8A1D4B94D498B44C1740072D81E3671F41DB44746AC03A8C52C0667687056CDAD), E(0x1323998724B7B083E4CB01FD18580C27E735CB36727C88AB8381DBF94CB544C1D463279B06A2DD44B23C53BB00FD074E, 0x159C0D01331003005BADFA3C0797BA69E97C6AE2B0D5265F1D017A37F916B10F0DF61F52DC20B6F4B57B9644C131EE27), E(0x13B0572D33025718EAF743441510CFFDB7715EE7CCBF4B5BB40301A088AD7E66C622A3DC7712A02A4F7EC3A915F565AE, 0x18ECB7CA148FBF89F79699814231C78FC7EA5268193DA975EEF6CB7EE74BD10294206CEC08BCBAD07EBD8A63E3ACD1C4), E(0x0ECC4FAEC62F0362001D835F23E794E17A4B1D63E4E1C33BE0A11D62ECB43CE7E75B88A0112D3D93981ECEDBB648FD74, 0x00B8259F0286F95F93F47A588C3DFE1701699F0C386CEB070727989EAFE70D86748CE249226C8FE8E8B7B5DEFC6EA68C), E(0x00169FCE46D33CCA0AF8208CA1751DE83342EA7892753AF97677EAFE28F2191898C8831E8E952FC4E3DD56B1D5F95FA6, 0x1756C0BEA91BBA44B9828A9CB051E16A87BB8C1911ECDB505234A94E20AD128357E6B2A918BA2E3D32A8EBCE2424AE7D), E(0x15C513664DADC5DC26574BD6C7331546C220373EBCB2A9A1932C4718FC5CE250379B4D6F8B1692C89F555E12A4BE95E4, 0x09AFEC077684FBFD6BFAC3EF6B480C0AF747B7EEFC8D866A68699812CDBA80594B1B486CD7FBB08748BD9878BE8F5951), E(0x11F9FD77263097063B421022FED92206A26C9A3DB30CC0096A311FB805A0CEDD9102A92574B4C3940EBCC3D7B1780E5F, 0x09FC820972F225C62940690B29DB6F0F7CCAA18AEA52D068952BCB6DC54C63300F6C7E0F9D1F732ABADC6A26CD35A401), E(0x154FEB147CFE9C3507461EC62924159F8C3C7C99C6F85232FA1816EE55130CB2E7A2493E8941837A7B8EBE2E456042C1, 0x17ACD3E02AF93D56DDCADB62026B3B592F98958A0DE5A0C09F88D78094DD660E1EB93A95812452CAE1F5604149E32D87), E(0x170E7451D0E66E536F077AD85FCB5C4C348CD5D0AB5E9585712C16F5C5A0E453D63FB165D7938623AF2BB59EFCF90AA7, 0x11A9DB89309C16DC77C5B8139EECFD45EDA9337B240446EE8CFC9CF0BD996665CE16767CDB39216CE7F11FD5681DA742), E(0x097E6FE08C14742AEFAFC1F63860157FC03305C43D8D85A299432A98A6225A33F706F3DB5A2374B352955F99BCC2D306, 0x0ADE4EF69B6415794F578AE267CAD930E9CFF0AE6493A02DF41BD5D4BA64F9C3E931CA1F0DE3A52FBCE7DFC11E035C1E), E(0x0949FB31DC0F591904EB24B713A9FBF849C01050347500CDC9728FE82B8E05310B667516270C514DC8072FC999097E83, 0x0B9ACA4D1CB2CD393461CCD2CE51E387201E642481272C5CBFAE7CBBF7107B2B023F585E28D6A6D355D7E7A432D7D6BD), E(0x11791F821EF1A9B27AC14701082BC01CD9DDAA9B13EB19C1779E8C61EC1078CB92D09C429F262AD7045DC14EA9060412, 0x090B02760053744680159C0364003BBC501D5F8E893F0EB04D57C2A1865F0780C3AD60CCB654FFA9ADFFBFF392EBAF98), E(0x1786606BF18F31C6BE10203280AF1FB9228869B791B2C096E2B05587325D355FB132CC23B13853365102F4250250884C, 0x11A325F1D9602D19D579B5CF6C997FE810215C123D07BB74051972EEFC509526CAB773CAC3B2A6123BF97C18016F4B90), E(0x107CD4BC51A93062B425F195D5D5466ED1D513DFBB701F128603CD775A34F83C639B260E070954EB1144466CC1CE13C8, 0x0EB837D434ACB0A2467580D4193BCF8A1CE663D0B517EEB918262C9F7073DCE415EC6A03A91D15B68419A1E728E45E08), E(0x0A5D76B664397C35B84C4C8C734FD0BE8B58465D358546976DF384AFE2172A52F068B801DF37313B0E527F1587C53DF5, 0x19D86227FF96F4743BF1DED81DA7AF1A58D9509B8539B3B0BAC6F1416EAF02C0DBD356E076D986169AA478B5E35F070D), E(0x07D8B8F646DD50436ABBCE4B159FFAAACBE4FAC5AE7053E65D380FBD942883237B5AAEA82CB36B968C89AFF8F64E9D2A, 0x15A390A9937E908682FDA3BE2A5893C68CF45D9F3BA4895F8F8F97B080F1A2995DFA6F93F6F2071D06A787EC1B47DF22), E(0x0379B48AB0E6EAF6E6BD6A33AB52982A970F95CAC30A2A3FD1591B92CF43EE64B46D28ECE2E485547BD568C644FA086C, 0x032AC35FCF02F5A5459A56EB8041DE494AFBCED580724CBC54217FA37B83A542E112AFCB85315016F014E173BD9C5C87), E(0x161C3DEECC4B7C8EB33C9C7E47C6636DEFDA8F3A3DDBDCE6048E1AB65CB22CA67A9C935887C852BAF8219E07DD78D13A, 0x08C8CAB6C98219BC925B7E5E793C91B42A6B3BF2515635255D8DBCE7B8622A35C23802FAB3C580DEF3A07E7C42BCB7E1), E(0x19434D497F9CB5EED4DE4BC4D93BFDD63153F2FF722382C8C0AFC0B9366A4DC9CD38E888D975F237F0699FEE60E0C5CA, 0x017842358DA98800825ED557CDE0192D7EA128759AB261E3B19322846526459736740FE6B4E9677DAA4E44B46C57FB66), E(0x056684843FD9CD25F10FF662CEFA0997C74D8E44F4B614F71BB3157015B199EC8FC932A7A4C743CAFC82DA7585B5D15C, 0x14CEE528C1919D502DA8F18D0B5D30BF8C7E6962931AE3359D0CC2689984B741F6619E6E93D2CD58B0F9D45E1037392A), E(0x103BA4176046C7E47B9EF231C6ACF085DE5D83FBA528DCB3356CCB25A8E06FA9D73471F97CF237970063E7727C2575E2, 0x142D0DCB12BA935DDB4CC3EE0C77559F4BE6AE3B8EA63DE5E02E5E966E46FA00FBC8F57332F606EAD543829EF41B70BD), E(0x0D2D5D87C67B6FB99392FED5740A9D04691EDB0E41A6AFC02F8CA90770BEB3F45516E35DD0272C01515A517A007EB7FF, 0x03CE03AE4E732C2FDEB20F2E0E28CDEA0206550541804F6C8B75AE51D82A40565D7039C18476B2CF15BA5A3F6B2A6C53), E(0x17DA671A52B7273DDF3ACA0E031D16DFAD5B4EF64B31CBDEB9CA7BCBC6DA3735C84A8A2605E22AB1184D2CFA04236859, 0x1995013123697F1A7C039D719F12BEF2FC72BECEB3D35444626BD80B02F7FC3EF2FF578A1629AA7825EEE022125DD391), E(0x183A569E981A80DC5C76E6D50EF521C7AB32461234269E34BFCAB8C5462C6059DB3FCC33CE6D7FC2F0D17637CC038BFC, 0x0E78EBAD889A1ED2B134E6D2FF0B8E9C95C77C2AB5160BD78B3248395EE95CDA31D2B745E815FC7C189C5F61E37BA191), E(0x08C3165C74E8A55CB435EF3F9AC0E01A941970357350E19DD1A53073B2D5A9BDCB459B3B612263B2640CB16EFE91FFC5, 0x010FCCAF4F62790818525FB43643E2CAF10AAC98B1652AB9BF6F04CE3D687DD03C475545F05D8730654E10C4A7DC471C), E(0x099E6E85C5BC513FE6E7C203302E9DCD132A5C4FB720E832275C2FA2FC6125AF2D220C7276A21049377CAA042E40936F, 0x08C7DE0029E257FFF1A865D802CE4DF771F489FD5A854E89AA57158C29B103A1352E9430EDAB70611B8B98A19E1D543F), E(0x0893D8B979E145844D29AC9AA42581B5F5FD9B33761DCA90DF35BEF6CAB2870F6481E8E82D82C795C4C06FCDDDB899DC, 0x126948197E5B7433219AA71F6E4287DEA77B5FE8640B49328A192436ED0781118E4495A8239D633D842D581CD9C43B3E), E(0x0D04543DAFCBB98A88D45EA061807AAAAFAC583DEB0E03759BF663A7871069C93B41FB3633100032233E0EFB14A4A98D, 0x05743CA891841A1F4EE5BB94DBAF32692E352246F4DD802301E78C21EA007FF8610FFB62DB7880DAE6533B8AE68C5179), E(0x168A10AD06B1DCC1BC353FF82BD3201C5CEFC16B119F2AC21F2BC3DE58479F55774985C77E47A47AF3D995B09ADD79EC, 0x0F4E514BFDC9F764B637053AEB3E36024AD221696BC61440CCA03A63553C396ABE9ED7D8743A1E2680317F9A8F6D6F86), E(0x0505ABBD0CD68E10E3856E58A4DEAF64BA134FD7ED828A5BB1F52A36117F6A68A6F621D38BB47B571BC64EE4D31D0632, 0x072A6C6ABEF750AECEB31F4DF6A35E9A1FF4A4AF46607DC831AF5272A82733F14C10888A94A149F990ED3F6C3FEBC212), E(0x1322C641A874E5373B5B6A9329BECE13E92800EC4324CD6C018FA0A849CE48C768D82ED263F70D0F0C7F04744551FB25, 0x0DD99BCBF84BE768C69C122EA831507DFE983CC270482625AFDFDA3E6C42E519B000638F54F8BF7AD9FCB045BFFA5516), E(0x05667F5E17A78CA14E178BF2DB09EFF10A7702215F6552DE188CF2A661816AAD1706D4268FB40D6D22FEC0A3CCF9DA48, 0x13057A4113BE7A17D9FA5F4F82D4E4BB3E282D47C63D25B15CB4851B5D18EC4BD025F3751193AEFF77BB2432650EC886), E(0x13088B9729410B212E4D2E7C563CC237633191BBD529005DE2A41BE10377B17323714A659F25ED973EE1F4184372CB87, 0x1210DF3AD20531F5FAF3BD283EB514EDA5B5EBFA9BC5CC127AE0B783592E75E46BDEA415F1E148B523F496368DC83BC7), E(0x14C7227D4135182D4D85073BBE3B2E1B7597BDC08B61C059447184C9E58C3687748921740C06B04246DAC00A784F1DA3, 0x0C607C69FAAC79FC094A4D15F7D3ECA96E87BC989C9BECAFA9C6A26BBEDCDA4816E93D4B39D449B5E11027D763B4F138), E(0x149461F7E732B12FDF49C185711B9AB97678CCA52D68F5E192141C458C177FA642956B5A46BBFF9B56532DCCEC2ED639, 0x0B291A6250AD124CC4A23C287638CD1659569142C0B70FE514D9E0085183E882FFB26EAE3D1AB3E05C7DFE66798F0770), E(0x15640AA66667BE4421641A8AB7DDAE2A0393046D766E397BE7566A9F8C7871E49C77CB0038E4722BFD06B240F0D44C09, 0x164E3454A9B8F59139627DCA6262A9C9AEA02C58FAA7CCBF7BD9F23C2A59F4D01C4C589B8866A17BBA567D91D983D68C), E(0x0DA7F96ED13456D9A41C5B5C5DF3D5D19DC9C5ED202D78E23F5EC25A0320912E0E07EE4040A1D61FBCC33EAB931C0E09, 0x0638EF6A5A7679631D86267E66376B2D08EABD4DE988F840A40B4C1C4E0012E2EBE0E5DF58987F566971EF39CEB93229), E(0x160E2C50EF5FE98904D259DC518F7160015B4A87AB7A9BAF8AA87C6DB23D701E6501A2B8F4493B95C76F868989C898D2, 0x0B221CCF2C07F143F7B3C48DD0D0E62E373126278AB5B7FB5D4462FD503649671C21FEB742FA286C6D9B21AA8DA30C5E), E(0x0AA2D5127297BC627925A54CB94C2A8D05660681569669EBDCC175B52AA864179481C258937F83841A447A822C40C3BA, 0x0A79F42D22DC8F424DC9F79051543874BD016E4743642BE1FCA59D81B58A92515F8A2D415FF0DCEE09A06318F9E1D5F9), E(0x1862DF69976D12A66B4681176D94758B0E265B1DD22E759484ED6497593947564D6B508CC445FE01D5B8D049404744C1, 0x0DD210844E03AD062AE1F1C42D8F895EAF7FE7407E943C2AD1A355A51DB97002436A912D5F91A1F45E6C84FB7591C5CD), E(0x0EFA818D1DA3C89FDF3B9C696263C79F7967D58920EC87F8C5E2BA830BCBEE69F0B3F4F5155C9FB1D440EDE407273771, 0x14066C3B329574D50C7DDF12B0DB10DC4AC29C7400DFD058E7A315961F83CCF18F4BFCB94BFA051C27B6AD81E82121E5), E(0x0A19E27EE7252D37F9306D3FE7CC074E99092EBBFF72E05EC70021E9B47AF5C7DBE1827C5EBC7DCD37DB8E5E8919F6EC, 0x0B167AEF17C691267A613CF2CB1E86F2F1C30435D8E636A51D9AB5AD2096F1779DD2B96A58A5A5B123E56C4F8CA7DBE4), E(0x16B7BF9E8B521F262113B2117394D094599F0B241ACE9EEE50AFA3EFA03ECAFFD31979524658C429C1A81E497726C2A1, 0x15D3A7B64A598F8CD0958C1166327E3C629EBFFE3C19487561037DD4206C3E615EA30FAEB02A60F126FB0CBF3DD7AEA4), E(0x0B3965A3A493CC49F87A6FC600C8486D54E33AB03444A994662CA24FEF3F336E43F64ECB8B6CEE31DFC141A35025D185, 0x144B7D7272C4E4E21B0F53D780D99BF0681AD86433AD16E851421CD49BE3AF59AF031B785CDCF4150DDE342929F00621), E(0x0D06B1C4AF2C9318AC45747CF703CB96F4C628D3A8BD3AFED5152A78D0F1C02706525B343D4594E3C2EA97CFB1EBF272, 0x1165323F91F3CD79E16CBC3DA63A807DD015F11EA32E9839C26CF5F40878A922701D8D2AA9C768992B900B42EAE51B67), E(0x10A6369B3A0A7AE14414D5B6AB2DDD5CC6DE3734C3FCCB5B84E96503CB98DA59E5145175E1332D2203B19287D4872A3A, 0x00405700C5A45C88D3BF7298D946E0A4439D43D14F9AAA19056D156C1A3BDA7FFF29893284934999C13F9998A3F4BFFE), E(0x12C020EC3321BC6DA5A6313463B51C31986807376F37CB0E474FB37EDF191E58B67146E8B79F2B19679F959AF07B5051, 0x18CD0BB4AD697FDCA5C95A64F64AA1D2FDEAB0DE0A4A767154F73FD5A66802827FAC002430D044EBAEA8BF251A963FB0), E(0x024DA24C29225D75DED159FDB6AB918686C6C150BADF50A191D1C2233995D5813C401FE4EB7D23703EFA8BB3021586BF, 0x1338A73E6065234D0CEFB15ABEE284A0543F7824A056523BBB03BCCC1289C46CC4B54CADC5C9AE41604800F6BA1081B9), E(0x13F85C5267412F739216F5F477223F3E343B91C4270AB59E5915BB4FD63DFF25196B393B3BC8FBD899FE44EC036F64BA, 0x0C487DD49410A37B2C1716AD6C34DBC437CCEB7C933FF684D5E305DAE10B245186C291BBEF543C0D392AC512DB477031), E(0x04B79DF76B4EEDB793EC136E67E438EC1BC8ACE0BE3C8073086ADF59FCE62A6B94ED304380E13651083E021AD5FF017F, 0x0337CFFD584E5F466A98096FC62C69DF1E27038A8C0440809000AAC587BC5D4DCFBEC8FE964637C1405DC63A1FD22DF6), E(0x17206AB93FE583B3535FE101104B5F225F1B5950D219BB60B3736254B8DBB1E139F7A2181950DF4A50EBFFA884B242E7, 0x02583089E58872B008447BD58F8F3964B5FB7A0BD4CC13DC45C9248D938D093CB33167D9DA309FB9AE07B6F82BE58F2F), E(0x0043B381D3653045ADD720F3B8A0EECB288BF0973540333A6704981DCD62FABF4918572059AD263DC376E881BE3BAB66, 0x16724BAAA31512565A4DF089FB58D448C0D9F3092FF0418755275868077CC983D7970D7C0ECB8A0A51AB1B18103F709D), E(0x0594F0C9EE947B16B35C76DCFCDDD996E4759CBBBB4BBE8A2AB90AD487F61A123C2DFE44A190B95A4DF7804376619CF6, 0x137A6713584FA1907891079927EA8AEE4C8D5FF199C9B88F7C3EB9E7F364E7690128077222DD716B85513F33A34037DD), E(0x07CF7D8A7BC5F069C38539540EDCCF532ECD70290EEA2356AAD67C147A7A2D37E95118764393F8E63622C3749C457ECF, 0x14F15CE2738299895F59DC010B72AE3BFF4956D16E29AFC1BE77D2157D5C688597E4CCC0A6C707FD8BF25040D94A3FDA), E(0x191A1B6ACC9E837512DC4D38391B719AD9A928940903A11B97D050732F446654B50D3C5AAE76A4AF410D44FDF3450CD4, 0x15D096B4C34E45D7DB88837C3A2582FCC2A8F9C7CCC9514C9AC57C267817A542258AF9B4DCE90EE7EA8E6B8BCFF8067F), E(0x0087218CF45CB1C9E7CEF3DFC1A8B66AD5156E8B62E1B096BE83771E0BF74FFBEF580913623F5D722BF2320C0DB69914, 0x11C0C59C48EF7567FD32AD04FEC134DA43B53BA62F8175D4743FD0BE41F3B36CA1AA504A8E1353EEDFE6D60B8864A02F), E(0x08528450044472FB0B0CA5E1C835978BEC52BBA7600CA19A4CC902E99DE49A2EBDFF8E4EDE1A432F7E0C1E67571D96B9, 0x0A113DC00E3CB27785ECE1BBF3A304B73A23DF996E4677EE279F76D374F068C16CB3BFC5E196F8A010CCB47E3300CCFD), E(0x17EC38E0275ECA53F9A48D5CCBCE252FCF0927ACFCBB97BB749C4B172AF3F59A59D79AED81DCE6B199F97591F0B0D6A5, 0x07D0DB7C84261C77C189DD2B6159E06927E013293A3B4881D44146291BF7A342747B5C43883CB790F6D56113D4BEB08B), E(0x09B28542E797BFFBE0BEA05BFC795CFDADDADCC8793D66ECD458FC6C7C90490495F774C897075F503C34DDA9475831F9, 0x097FC2F2166BB213E62580C0036F802DC9A5807CAE57E7C99E2B712692BD051E4E1AFA8803F018FD8F89BD9DB714C93A), E(0x054C4C04F973950076351BD61FCED19282933DE99F0833522BE51B0B8AEE798A0AB62C3FFF2B30BC12FE610E9EAD9344, 0x0533335C277271A25E3470860044846D2F6B85DE7502946A31DF734E17B8BF9B0177963E7879414CD3774633A28FDEC3), E(0x00521916CBC66F1C868131723B7EBDF3981B37A619BC20232074825782F4C589601774D6C7427C08DBB08CD371402436, 0x143B9299DA2CB63ABDC4C43D6936B6D4FD830178DB162D3604784460498AE30C36D3B82A165166B4EB9FD26E4507E2AE), E(0x09C540007A05F6C8C9D8EB7281118A9DD3B4EF1941DAC3836B136BA39DD49B374255ACC8372DE409DBB2AB80B6573F90, 0x0A6D8A83C155C1A34DF5F28585E1AF37DC1F85E1459E170768B7D9E46FD12A2DF9E71F9EE65546A670CD4FC9C219A890), E(0x16A41C6435B4A94E7601F6B2409965E4B01830F7574591B223F048449B1731B6C3E6A13E8DE697ACFEBE32636811C03F, 0x04F522562518BA874588EEDE20BA86B5A5072BC4DAB66A71F7621D096DBBE8A5954B231B3F3829700FDD114844D4D40E), E(0x07C61AE2FA6E61EC40538BB6E32985F6661B12B3D86E85A088B6EA52BDD15D614436DCDF70756CE465B529C472BD9968, 0x0505202A28B547587AB986944984D8B853BA976D62B23573FD567F65AE874A07D0813F2822228EDA0A525430961EB260), E(0x0E6AEBAB9FE0BC7FCB136E0F80B864C345B0E528DBE848C3A4FDEB9411D6AC7A9918CF10E76E7CA33DDA406721C43A78, 0x0B67DA35A9C98884C363F3A3BB5323911F0DC0D14F5C8CD1C1D8AEE90CBFCABF18E1D66E868889020D0F17E2F46E1C0D), E(0x0E775119CF5F7AD350C146908BEFD416FB947747B9AC2FF4C81844739A4484F71E9E80F341989BBF1A161EF816598233, 0x15C1538B105750EE7F98DF337EF20A5FC47EA884E1BE5CB28FD7DAE047CDB4E7E07102EC59A73EB06B5CAF52B5AD38C4), E(0x0A60E66BA39FE660566CED19E9B654A4DD16D1A2200BE9D2A9DF03329653E352B67626E224CDF649E8DFD5825EA09C04, 0x0B02B076957FAA16B7DC2C1A22E063AC046E2D7E8A703F64ADEFD5A3B9A3E8C65FFCA841044F0ECAA1E3A256B7C42C01), E(0x1009CE55FF0B242921DD83FF04FE080FD4AA6DF4FBFBEABFD89C51DD901F0C9E7F5AAD79966938363D0A45A6A446F25A, 0x10326830BA40AD53F340BA4F4734CC21EAECA18B0024F28AFCF68AE640BB18A833E622859712BE7C1A31FAF5F7A6E824), E(0x14F361B7F82AB4AABB2558E781DEEC61574D4ADC5B920AAD4677B4064D83ABBEE53959D127E80A06E78A1DF9986FAB84, 0x1749646B8C442D8DDA38443A075E7D7D29A3B30F68906782C4A8EE77D0E5C0137E3608528D125360FD617707354C43AB), E(0x00E9F5D7FC595C65EA7C8EEF5256073C5E7555EDA6A189C958410F50A5FD8F9ED413BE5FF1527A47C14DA2E4F4B50A7F, 0x0706FC7EBD1FB3921885F8087E6C5836707C89087A2F54C3EEA423790028651D2E702B5532ECE833699493B5834A6572), E(0x15E04C5EE3C4839597F9C3E3C5B19F4B26EBD75742A4E8A3922BDA4AA14C3F73DA2D09629613BC92C3D1D9D26D98D0E9, 0x17EA7354388D934F5EA57BBC3CA58AE89B7A8E3400DF5CBD7303FE71A70244E0E9A5C0069DC7A1B7E45DA251F1AE94D6), E(0x17F975E94F0406C10445E7EB7A76D90992887ED28AFF3B4567C5271955896CAF04E8DA4711801E9547CDBE57D511765E, 0x100CE109A0F1B13EAC9BB2542502E214CBD29DCFB015326ED9E7F6F2289B241993B637C0364DCC82676BEA4CB278E40C), E(0x14678CA26DA4F749082D9691AA21CC5CA2C7C6E5D6CD70BBEB9EB9B137BF372EA8C358BBFF236B19DE6F802C7150DEB1, 0x108951D806C7A2C24A43BA87F5B380B981076315AA4863776C01ECDE9CC872475BF8BBD82380A1477FD723C844720F54), E(0x13209611BF6C02964CE0A8004AF5FDE5D50D616652ADD2BC781B5654DA2332C3F388DD606FBEE69F85A0CB6C34B4D3C7, 0x142B0D10C12DAAA73B2FD22C79523733AF7FAEB1D8565A77CBCCAFC0DBB0DCC45F4C7E56B58DFD472BF55D4819752744), E(0x097DD0D29C8650122080852A1B454E40C82E92B4016BC213AC422EE426BCDD4E2B9E0E882EC277125F169232024824D3, 0x14973144A56B6F75E081BFD14555C651DA5888D35ED61457F949613171BC038E8E1996A646BAF57974040A4EFCA9089C), E(0x006DC82F0FBAB025D15FD8E880DBD49A87DA61197BF1A46DD59A19CB3E3BB0C243E88BF702B52C2D100CDFD20BF6D6A1, 0x1854A710087F8CF99558242C557FE109A949C38D9CD0211B29B75810A58F9290EDA2EED0E64B5633B3E2E09F66BB4FF3), E(0x07EE26E527F35C5E3933694F6AB3A5910F31B714A3C6407E8A387DE10BBE42EEB0F2448F1EB2EE6862D907FBFD660AB2, 0x0638F885A05D551588AAB494F039E15FEEB16E588FF8CEB2C6045ED55936580F6989C66F13032FD908BED3745CA677D2), E(0x0F408DDE6D41856032FC158F37FC0741D532472C757400F9EA695853621CD05125330E2743E9706D18F854557D4796D3, 0x154CE35E818FB308F01F488A680E6A0A30B53D45F89F7B7745B22070A427AC5F4E4C5CA6FA6B738EB8536153B06B7D35), E(0x0D3737B6DD6A8B844FB0558FA8E4C61EFCF3C4189D0C9D90B080B0B0688D1E6AAD890D0DFCFED8C94E1478CE87D59FB7, 0x024BBA4E532B618BE5191841FF5F1F29548E525024C70A7AC25A0BC289B92CDFA7DE67D355C134F00753BEB65AF063E8), E(0x0EA715CB21B5C3D4FAEBF2578D4D7D9D67F5EAB573D0DF00F23994AE4F1C1A43A458F6597EBA6BF13142ADF15AA50143, 0x0CBCCB31A70DB321626CCA1E238DA3B1ACCA380B1E9710554C680A70E5517AC1E46A29E248FAA99556F2284AA99932CD), E(0x18ABA8EC2214B1E8CEE8C6184262B769785C800C7D0915227F978367164C730D305BA9354DB52BA496F1A358E29F88E8, 0x0FD3FAD778E21EACE4AEB972C0E76997D6EF4F671C21997895C6632F99FF33EA457484414134AB716C2A3FCA2B3762B7), E(0x0672A5D8CFE1F01382B354BAA0EDEF118F5E262475DAF984876A1D6D09EF0CBD104EA2DB78B967E5D7A473889E990E80, 0x140B2A30A11CD4130F79EE3AFED211E7D46F2A612BAB38F707DB61934554BE5DDF392A46F1F409B2AE6FDCF63B71CA91), E(0x05C2265FE2DE60DB694C0F1FC122931A3CE5C66D8B87B2D0A1CDA4232AC93714A645E4B199875CB642E0654D085C9675, 0x139A3DED612EDADB2AAE208F8F0A5D4D57CA5A86E13347D6E1EB8B451FF23DC1E822A8CFA9FDD4C94CDFF028089F1665), E(0x007E2E8750EEC278D6590A2E5491CDAA102D333C0F7B34F06453E556A353C29859CF259703281A3C5DF360A105B934F5, 0x0431A538890E2749AA97670D4207D6658F3590B0B15FD011B8A18B54AF424C59194FE16DD078F229ADA3410CE091EF7A), E(0x1725D290421009537E044CFF1CA7A37F4CFA110407647334E1E1D95DA0D5B25050E6972D50365A8CF8E463731E3F1279, 0x03AE584FF86A31B5DFBF65EE6EF02DE625655ABB5DFA0E2219DFB2B200303548C10721E086D32B324A9E5029D66610B6), E(0x01BB1BDE62EC0E020EA591A1CA5192C3D4E5108E0BF388CDD59ABA436F9D9A185A616A627115BED6184EEE05FB53255A, 0x14A197599AB487217F3546DA84E4EC591D6B0F7E212D13F23FB6C0322F7A7EB272E474EBCCF5C741707EB6B22263DB4D), E(0x101C83D4CB994165A2BED86F2DF2F4F4DD658AB313413EEFF88A3C3543F38202E73815784FE7A6E3584BD595D8AAD245, 0x0330CE21059906956A82ECD1D3B70DBB5A50F6EAF6C44C5D0492FA484BD806203543E6090E8B1CD11D840B0D7142F514), E(0x103B665A343B9485FDCC7A7534B8163417F10495D1904DD6506FE7025CCF0A7AAA40771977AD8187D9EE216836F7170B, 0x196E553FB4ECAA07B4202F4E5EFE69464777E76BE709EEE2F5482321E58CC9014F9188B8096CBDDFFD12E7763B7E9D01), E(0x148B0995FA03501E953865635204297265DE3EFCC0E3978B939E2F6F0A648AAD9D0D1115BEAC885F84D00D6B9A704999, 0x13709AD9B801D2F32AF1DD2D6A88DCFC1642CC8BE6144402B90E0AF18D28AE8099316329D891A995FE673300E05DCD64), E(0x0E034159838040A4F060B45CA6C76D414CF90E87F2FC3EB98295BB2851D94B3223357AD7676A018DEB916C1BCD23849C, 0x16FF8110C660AD75A9AEF7BD77D7AE38000AE7FDBF7E19C97E7E48CFF7D0F2FC3764BD501DF37EEDF84A1C742121CE0C), E(0x1169B43A5F9DCEF1324280DCFCD42F2A8D1F99D0F01EF6BC73E4586FF9FD577CA8BCCB5F013DFC99951AA12006D8C471, 0x0A4CD8F991C236A899FF5375015AF4267FBAAD372716989CCD52ED2754C56BF1712776E0568A76E9AEEACA643F270370), E(0x1393E816DFEFF76C6D9D0E8570A7EAB722C1BF3AA687FE8F93C903FD53CCBA9B2A8F817620E4F3DDECE3BD9E64378BEC, 0x06021A6A2CBCBECC0C7FC128D4A63A7B8AA06B8BC028E890293F1AB78101ECD86785EFED656D28F2A413F9C95E18A82C), E(0x0EF8A961C49A5BF4DA5A326FEE8AF0C5266D174D457E2B543C5F752C8F3D5EC74601B8292DD7FB16777DDB522C9FB0BD, 0x15A6640D5D8058EE0F1D7FAE5409775D8E61EE6089E12C86EDEFA54EC9A22E532CB814266C919228B5879D10C4878147), E(0x0878FB3F5CB131F80514C042A8A7127031001CEC27856E9436FA170035FF5CE2050D41144F9808C8451D47BE2D897226, 0x139DC16142E25AB890F62C62342BD4A866E547BB6CA83D0C1A57BBA03E478E6BDB89AEBB46C695AD3A2BECD366BF4E47), E(0x0D1ABB960125B6CEDD663F56F817E7B21D029858288CE09A500FD21BC8CB5B3AE9E31D43BFF7A64A6D39BA253A191CD7, 0x0844C63E84A40FF450E894693651039B2BE1D49C13FC023F1373BB9790C3BBF019A061BFBD9BB4C66B1B51CF7C3AE46A), E(0x0557A6D0C2D312ACCB1E8BB6296583C59642477192F97CB78A9060191E6149C666A182838D4EF8A224294673A433DBCB, 0x09E81DB0E7F7A1EDC2B42F6279717BEBD3AD0911938B4DDA585C408CFE482C1686E6FE5EC1AA0B3E38229E3E95CB453B), E(0x00BEB83FF4A1F6E4E80FB5D6070DA7C3A045EB6AF366C21FEEDA423BA797EAAC5F82BA58664660CC73E35C295AA30D33, 0x0A7FFF7E4BB10A832F48FF05F49852DFD69ACEC34862119CAB4653D26345A7B82CA80D1E229612122956BE4D9E44ECE4), E(0x0B14F2AB8FF1E03E2B9F5C9B9C92C3055C8BB2063C2E59B9AE1E90F4AF888DA834C7059C6B0ED810964402EDE025D671, 0x09CE9B1E0B23D6C160F4245E45D08D527694C17B40DFA499D076A444212980ED3DC5A94AE7229420AA1259FDCC5B8571), E(0x1258F4DB7917F2CCF74247792638F6AE1BDB8BCC6E2EC38585006F39D3F60B80A088D526261846F5AC1E6788B718D115, 0x0D4DB2B2216358DA127ECF21363435483E77DEF5B33C59A73BAA66E84760FC7B7F74FB6C83ACBA4615D9B674AEBDA5FA), E(0x0420E0C8DAD3816946C5525A748D93E7ECEC803B381543A711DF98B376D9BEF4C3BAADFA22FBF784293CF5928B753A09, 0x0DBC5BC5C711370DF0F93604A5F4284A0E741A526AD37FB2C3F67FE804E906F42BB9C15909F1EA996486BB1B972C9A79), E(0x060AAE3B5AD6A448F531B1DCA4EA1DEB1A0D93F35924FDF8D69E95FB6F718883FD40D3B5561556143A8B6ECD65357F46, 0x0CC1097C8AC1939F982A738D2270BF5ACA1472B82DA6DBFF18DC7C5A52979BD80C4848B8377746388B790C508C368619), E(0x13D5503C91F049830AFC975EF1D98C97CBE94577F3729E4A731D5799E50EBD50726C91A5F90BD14E70CC125CDF81A940, 0x0D232AF302BDC23BDE6A0925548CF99CD1AA6A4D2825C7EEAC4003B8D24CEE4E4F0785C658CF4CB0B53DFCE82CD03AFD), E(0x11CAF8AD98F5CEC38A335A7EE4E2FB6EAEE2E1EFF7F18D7F7DA1396EABFFB9DB475E129DBB0F3A75AE39963E5AD62D07, 0x16F82D612332E24CE5B5056C47A4005D069BC9D6AF77EC20ED49339EF16B26CF245BE7B5E311BF903F0D1144431F9414), E(0x092617970B956D6B60004F78A0BD5825951DD03EA6A2D1ED1119F59FF394A198BA560CAC2AA3B13DB17131152E51A300, 0x188A3D9D73AD8ED09D1087856BC6F57C16E84F1BEECCF958833E638E29DB306442AA1A8F339B54031A66C8A19E549105), E(0x0DB78900D3C3145D058DDDC476E058AF4BDDF263D9707B2EFEC062FD9801499524ECBA0E9AFD13711F42DF8232DEFF09, 0x11822E91DCEB5FC51B2D40E071C96F00391CA8643CA54486D57BBD8D2D2F232C9945A81AA3936D789D0EC7CD8F2FB35C), E(0x0384DF6F8F205BC2315B1183CD04B63BD91C1F542C6B2CAEA221A00B580E347B7D474A1AF8D68AFAC922A566032975EE, 0x05FF34BD018CD3705B256B2D8480216CE78B3DBF51EE44540B360601D34056DEC6A1388DD3C15CC97EFF0B21B646A2A2), E(0x16FC50745A7802EBC9009785D26A573A0B03D7125B6483BF241F5D907A02C63C4DD009F2617AC54E2CB181FF7DBF65F3, 0x0FC442D1288B7D523E14F35D239BE07484026E43516031B170B74393C73AD7E9157C41B8FA73D66D54BA41BA4893B39F), E(0x162F2A92293FBB81AB4C3D97228D8FB19DE9FC9E67A4209E2E5ED5F6678AE8375CCBB4AFE39E73F367EA6CCCB2CD2A3B, 0x10695BB9149C7E8547D22ECB9AC49788705587F72A1974FCD44C768DE07395DEAB1B9DB819DFF30D7817DA27F3E90E19)]
g2_trusted_setup = [E2(0x1173F10AD9F2DBEE8B6C0BB2624B05D72EEC87925F5C3633E2C000E699A580B842D3F35AF1BE77517C86AEBCA1130AE4+u*0x0434043A97DA28EF7100AE559167FC613F057B85451476ABABB27CFF0238A32831A0B4D14BA83C4F97247C8AC339841F,0x0BEBEC70446CB91BB3D4DC5C8412915E99D612D8807C950AB06BC41583F528FDA9F42EC0FE7CD2991638187EF44258D3+u*0x19528E3B5C90C73A7092BB9AFDC73F86C838F551CCD9DBBA5CC6244CF76AB3372193DBE5B62383FAAE728728D4C1E649),E2(0x165830F15309C878BFE6DD55697860B8823C1AFBDADCC2EF3CD52B56D4956C05A099D52FE4545816830C525F5484A5FA+u*0x179E34EB67D9D2DD32B224CDBA57D4BB7CF562B4A3E33382E88F33882D91663B14738B6772BF53A24653CE1DD2BFE2FA,0x150598FC4225B44437EC604204BE06A2040FD295A28230B789214B1B12BF9C9DAE6F3759447FD195E92E2B42E03B5006+u*0x12E23B19E117418C568D4FF05B7824E5B54673C3C08D8BCD6D8D107955287A2B075100A51C81EBA44BF5A1ABAD4764A8),E2(0x0757BCF9A20CAF77E9AC702C077543270FBF7CEDCD079BCF01A02DD030FFEA9D3EB7736FEF799A1EB26D716B920E5A80+u*0x01A8EB72CEAAD2A808890C986524DC4656D4D581EDB23F4BA6072E57FF864F9C959A6411A9561B4A60CDF4CE06E9A7FF,0x159D24B398C84E4DDA182B8C9912E729938A0AF44A1FD40BF19F308BA1261D3686FCA92F6085847C293FF604B24B84DC+u*0x17950075D42A20E1F364BE222D415BA3C15BE65795D5C50814639D84887C83EED925E01967D737D6797E644024A0FABC),E2(0x19AB6009181844141960B4D6B972187369DA1B99F5A77230807C55C4ED902DA0F17565130675895629477F0CA83B34D8+u*0x1746D2B6D21B4C01225F756C9588878D3FA254A883ADCFC2F62EC5F4E77D0D606E9E63AB706F6C48FB221D7B9A7C8290,0x19C871923A73A2DC1F3B5893ED5A265E0D4C9A65E577858624C61ABDAEAC407FF3410F70179F2555D97530714C5C7426+u*0x01FBF0D1062A6389C53AB0A5D0E17CAAADCEBA6BE091011198A1244D4F7500964427F4F596991482F1E70639AA36A7DD),E2(0x001104611CF4B3F613E5D53148121BA4C265634B7B287E2F600DBF4523D9816AAE53C12A52F7F36E83B1B09CF242E037+u*0x0400D4E47B77FCC04F8C7ED6B4A427D9CF9A4A268EB4E5940642BE2BFFA0FB9E4168DA7B03ABB19F06358BDA048012B6,0x0ED0B676034E2EC26184F9EF55C581CAFA138B2263A25CCE2C2049FA2B5879A5126E0DDF684A0165ACF7341B23734259+u*0x061E0B4B32BBF222C56B1A851ABB53139EC54030897E6AE1E90245221808AFD076757FF168D178349AC29470BB837E51),E2(0x11A7A5452C5F1EF266C8F35435207434005B8906E3AB35EFC6F58B3D13146614D073BB6DB3CC9C9F65DAB3D613C222D9+u*0x117AEF2196D2CB8ECA1A9228989C5273026C3DF0ED8B9906E5334B2C214FCB8AF7273ED63315CAB9C8F42738042DD11F,0x02EDD9909E813D9D200208EAD4CFB66BE1A3174374EB7B8CBDA21909ABDD94B466BA7C1C1641ED5887A0290EEE855A1D+u*0x081EC9EE5AE888E45E1630FEA94753B4523595F66AE723CD9EC575E444EE0EC93BE4F5E0C7ADE334B870DE0D62956443),E2(0x10D5CCBF087DF2965AFE0AAAE14B889EAD26B22780844372E144501BA00DBBB76B3C8104E44866758CD4ADE5BA27EEE3+u*0x026B31332BACCDE191377BFC3E30E17E668C796E00E1B8A6C4D97574A4AE5867982481EE055EC9620FDD0FBD3105340A,0x04ADCCD8BDCD319A36B33DF7236F685196536449B7B9E271F6905232B64850536E6BD2F7F7D95CF705EF66EC07F2AC74+u*0x008120638E9D2C311D481008E2876F0C37BBFF31AF60AE48A98EE79720593DE46D71DB1A32BCC876AD739717E0745328),E2(0x11C7B0DC2682467942C4A59B6ECA69E3CF06ECD1C3C01926E2E13550AE8126C86B5DE4ED3D730A0569938AD69B2D16D2+u*0x13DDBF47F898505BA76F074B8605FDC995CA5FF650E32DD995DCFAF03338CFD83052C233AC46D7DF4C8C2D056E138D84,0x0C62CD2CF5C98EFF342164F7DA525CF3E4C4D30FD9957316E5D71D3296360D670AEBD3DC456DEC31A4A1CE18A05356D0+u*0x0F35E1E232A16483A132D6D85A0D3F60BB6306C4E712491AFB9DCFB358B7AA12154652F5452301ADD421C7492F94DA4E),E2(0x059F283FA13F25561D2F47EC7889962F0269D860FBC03FE7ED9708CC54610D274BA0B25BCDBCCB730872B71D7B52CC49+u*0x00DB9091FF231309206CBF52CEF15A7CE07DC3DF8D847D9F4E4B5BFC6589DCBC9A178A64AD5CB697DEB2C2A0C25F8B4D,0x118B3A5C9133B2B4925B42433B884C704C3C60F0F3C1777FE3BBB7B80933545C46512AB09B4AE9EE2BED9E9ED7A15041+u*0x138953A403C36FA8213C4A7D16D8210126B46ED468161FE21BE7043342324399C77C354D49C6B691E89A1AAE66C60DB5),E2(0x198CEB383DCB2FE67DEADB435663A60BFB2D356FC6686B2D0B08CD3B40F1C8F342F3F982CA398DCA337EE5A71395C7C3+u*0x119B30598033A1DA04EAB179F0044C22A4EA31AA8462EBC14FB431B3A97DD8B5F336729FE3B319ADAC64BB6F0333FB3C,0x0B9D065102CFC479EC83DCD1A9545B51172EF9C23D1F5C3AB10A549041F245817E0E0ECF10BCE6C72D13521CE5A96F80+u*0x08B6A4C487B83B5B09E4E96A2F49559BEEE9A9BC2D9B38BA2621491FC6127CEFC763944A8DFE765062CD0CA333D788D0),E2(0x09F1E4E5B4293EC594B51D20145E5BFAAF5C456CECCEBBF72461448BFD2771EEDFCC1EE68DC7F874C90BFC3533DBA8FB+u*0x0C66BD7EEACAE990AA081D0BCAE65A5AC74A9A2908BE059118FBC8EBA136B78AF168BA25755E1984EAEBF55AD2C9D4EB,0x153165C4535E50E021E5DC1495887561DCE6F79BFBF7767E25CAD32C8F105AE9909447B07B195FFD99C7B4EF0CA92BBB+u*0x00124464EDF31C003D26631A6D8A53B03B952C1F9060D5EE2950D87E1A3772E69E1BD62AB8C376B53A690E3D1447BE13),E2(0x0DE07AC3412C6A3A78AC94D5D4350E574B69D07766612B2C77F8FAE2DE4AEAFC8BF182B6B07B1F1D13D5B5F73CE2D76E+u*0x15E89CD44BCC2079B7F31D5F315A0F8ACD1B54AB0A18C921B0FB07B7635BAB0F70A278A30B20011A7771050A3C34DECE,0x0F213CEC785073EA46DD92FE392C77AD0E41FB2074BCB3654A870C1E20A90F0E84FDA2BDB83B852CC0F1AB3DD44ECFF8+u*0x04419BABD97A81A438D9672617A11C603AE5908EBE3A2FD657C6332967091261F727297C06692C94AC67BDE274D66245),E2(0x11AB07D277F6D723DD1644FEA7B12619472FC306009AE2DF579DB77C74421E9195E6870EABB0F08045132C0C8C74C42F+u*0x020C6E632C3B9B90EC98889EA9EB43EF797C25004E17DA42D44CF383D9BB07741056F7B656FF210C299B9247EBDFF628,0x0D166CFCEE93F228C38C52DFE059FCAA16BD0621ED2DF36D4FCAA58B4D201EE9285138E3FFCD6BC9E4EC1DDC0034727D+u*0x0FBBFF2C2C018C661CD99709C19D79D9886EE4F5508790BA5F10C2B7DA85C74CAD516257EC7A0EAFEB57F12E57D16593),E2(0x18693AAB7D5AB15A01D5B70C01A73E70B3C64D1BABBF099E7A6CC0EF1B165694CB84240F3476C0D94216E4B3F6D4B716+u*0x004F37EF2C505C0D27C54F7E43C76311796FA1E684E389D167E9DB3C8E5CFC693A709D75EE283C4F58ED361D5F261CFF,0x0BDA2E8EAB2D0513C00CB73689C589C525F648EAF2BDD02E14675FB1F7F330FF3BA8CE6A8BBC5B569D7551D3A9173923+u*0x0B2A60DBAC47C43ABD5C12BC07A9819DA688AEF552E44DD168B269155C4B99043831F096EE20723903F4427203A293D3),E2(0x122D956CB11AE10247661B8133C3CE32B117B6614D34CB94151714EB5F88DE88052315F40791C176B59953C22FA4A951+u*0x196325EAC6FB86C9C75E710C17EBD7F5EAB77E6DE9DAD425F01DE46E9BBD346C521A3F2C5DAB3AF75367AB1F5EE98DB0,0x07064EE33F8CF2EE283BF0DFED67BD21B20180EAAD8BA05129B20E8149EDCAC0B6956C862611C90269E338B0DBD6D38A+u*0x0103B978AC9F1B8C2B74815666CFA3F704A866247F38DC5D3147255B243529749AC24D56956F429F88B99BC184F144BB),E2(0x0D65E0060F14BA03603EE2F63BAAB7459CEB8AED28400D6F64AA2EC737877B43CD53A7539A6F5249CD304E410AEA8BF8+u*0x190829452E5A76279FEEB7EF36B7EC7BD80B6EA8BF3EC5CBFED0AD9F4418DC2387554024E456E8797672729491F48264,0x0AC7EA9090B03A086B8F2D17BB5B9C6AE63B7A09795E5E7D19277809FD629AD1CCBAE487B1CD7A78E738AD0A0FB99BEA+u*0x15432BB9A4B3EA279E259BFB796314E58C40EFA07CE6B530953B58938068A170C39FC47CA6FB896684A5F262B79384AA),E2(0x01D94FD984A993ABED57BF1D64B91264CB7E995BF87E2A0404BDEC3B23EC3E4B1DCC3916BDD895D88823398D1FB2DBA0+u*0x19982D1400EC7F354221D1FD8D8C6905BC6F6BD1BAC85D8685A37B0FD4E48DE4070D68D01C4F4541F6A7BE75B919D5E3,0x0951DCD7B42DE5779DBC38417428BAE4E3B71D682183C4196FD83CE71A49CEAF43CB50CDA432472703241E5918544A17+u*0x0B8B93E09B00F82545D54CA7036EA523D7A138650872E0F43A5DF48FD1DCBFD6AFAD5A67248102F5903352B1B657E094),E2(0x19688F7B4B293F9596D0A4AF517457AB85FD82B072D9281D45A421D4D1E9BE872D192FECD0072BD88617C2192B00933C+u*0x0893715754201C8E31AF7A8BBE452221916AA1DADF97BDD6CF07D3D3EF838B5CF80926BF8774E3379C3C0117CF2E174A,0x18083C8E19AFE49150875B5E79E635540A79A97F42BE89D8639A287D172E358B2524CED7873B6A2264648E73BC191C8D+u*0x08465CFA76C9433E17C99A7E92F12E20A79C2B055461F29EEA1281DB96B3ADA9A1D9D069F052D7C0D7576C5B5606C741),E2(0x027E0B27949BF79B41D252C8A0E81A25A24AC26DB30EE24403BE37D78BE663DD53B853CC6D2D919633DE1B282FD51F24+u*0x029FEC772BDEC04BA298C818BBA34C2C45447A67E9C9B5BFC70063D504BC3BE3E16577BB4EBAF6017975941A0A62C1D8,0x09D8FA7D5971C2A824BE6BDB22EE80AC07E4138CC0E97FE9F0A669EFE41C50970EABD86B78BE531377EE0F7D8F8202E2+u*0x086DCAD874D417C86387E6C8636AB640AA6A9EB5F0D4BC9BC95A9240BF7568A637D4EF46F154C5351B2C5C82AEE02E36),E2(0x08599FD5931A9439DE6BDD8EC596B572090316AE12360621F349E2684BCC6674532D57EFCC2905E534D346740BFEA7EF+u*0x080C7CF4DC1ABCF0F8ED49F691647B3F95C28BCCF2A1EE171AE615C25511BC1D0855BBE657509FD3C0CE038624FDD40A,0x016E4AE47719F11E6E5AA8B7DE1C4DF7381F55A9377D769131E986D227AAEEE45282B80D46CAAE3016461BC946FFA74D+u*0x0B0883DF9D148C60224FBC64E25283F02A1E2D7A4C9715FE50AF329B8BFFFC2782F792A5BFF11600AC64672D9FA67530),E2(0x08BA644114A378F70F1E63FB1FF16375BF5919F9BD85E3C0C6142E36D25DE38687971070B63ED5AA04CE9C6734B79C01+u*0x01EC373780D426C5EF390667887BFC6179D90DF48F3CE37E799D90BFD83611BB16054972EE439B18DAE55546FAADB59B,0x150AE40E1DE47979D70BA6B01FC40F43815DD87DD5686575722623B4F18EAF6D970DFD08C53E09265344C26C1B14D3DE+u*0x1239B193EC9A27D6A4866E3F7208FB7809D812BC7194E83ABD41C5AA32502E335BA2E183F659FFCF9F4268E761A32305),E2(0x002E6CB496873941388E21B1D26B7AC9096CF0D3A1D90DD1166398C742E3A3782D924AFBA4DA62F4EB08EBFF42296B1C+u*0x0E706F448569C218C768751851885F358D0F3A9A8BB96CA029EFB25149F5D667C3B0E18AE3F187E1CBB49499ABD9726B,0x154CFD17DA6DBD134AC4E73C1E62D47C8E8BA060D534765B16D0AB250A0C8DE8AD7C14B89FDB8581F1280DDF6E39AAD0+u*0x01C86A71A8C652DAB2D4EEB970A81CF4DCD5D273E4AD953672471DA6F83FF2FF51EFA397424293DA05FC447F9F45106C),E2(0x07A5ABFCFCFD2A84B01E7C2CE9EA0A371A56350B9C5409291B33DD78E256AB399093F03841FE56CD11CFB2B3C5FBD882+u*0x17F5C7F8E168BF6CFE240CCF502F95B416096FA3DCEE37BFC790C38B51E3A85EC16C57F37AB81AB85B6BA670A3A91DFA,0x086B46E4CB90ADC615F17E8C436EE16CD9A382834E42EFBDBA9A3E8D12CC00721625F30C712DBEAF071CB2A0A34B2E5D+u*0x0EB41AF6886EF91F215C8D8C3B545DA70052F30F0297CAD1F0FEBFA0D875B6989B9069A96D03E2A44FC1D6FB84079183),E2(0x10D84C438CF4E661A1604C804B1244792BE4D2BFB69BE16FB396BCF5EA0986CBFFEF91FE267C0261B053E4733E524B84+u*0x18374012747EBEFF5D585F3B0D387838079E1FE2FBB9A9C98864AEB670FB2B9DFB2A8690294A13B3C4FE761AB6BAD1B1,0x0DBDA9397FDB5472B3409CFF14A60A2A6641261A4BA0AF074CE86676A4D0206D20E798D4206EB7A3768682D3BB9C555F+u*0x1000B4B4B2EA62F943BF052DBF26A9E4BA7D1E387CC6B4A32B43CE207787D80D0565C52C5C4229F50939E6BCE409995E),E2(0x000FCE32BF07C0D8D344A3DD6EAE148D217148F4121E5B778ECC724A56CA9B547A6A12284A773A8EC22D2E639C339ACA+u*0x14F7A3065318EB10217559B0F641B82BB4B10617CB78331D6DF2ADF7F17085A8C0C61C03A289A64FC3DE8DC10B70F30B,0x005FDD303765A05A9B3B350EAAB59558FCCAEA9F56D13AF9534070AA5638443D91759418146759359DEE00D22A655C28+u*0x0F7050263B08E74F9FF4C71EF88DFA0E51F5EFA867438E7588E5B3DF1A704FE7EC1C4D3E88C9DDF85906042C2D1F0D13),E2(0x19700C28716631B2D2BB6543BFD6632AAE3B71BF5BDDD6E207A99302E0034FB12AA9F780FE6F0339326223C3B5981A15+u*0x0DDE0C46CF32499BB07FB3EB15EA24E7667E0CE78D0DEFBB8CD99C5D6EAA4CB50006EC5B621EE19CA6AA1084461B836A,0x162AA49971F3359A697F55008353F5A0A9249FE896FFB2DACA39C1D521FD2FD9E540357648BF77C842F3922A8E789953+u*0x122C3F5C8C3B314D5E6B9C69CF90CC0545535D45674044800D1C1EC6576DCA1B5128662508D2F152928F00F3DDE7EF3B),E2(0x10E93C129756887ABA97579E7BF047821C40A00AE2A1E056AA45CD7731F6CD78BB7F80758B9E5960A7080B998901057C+u*0x0A5FD8E33C11FA72F5D938C724942CF1F469F3C52A7FAA7A8193C901B118CA12A1B31DCA0A301EF3C867F92D17DD74F3,0x0ADB50B1436679422B06305D3E26D08704CC612ABDF9D75D499054EA9DBCE8257802C490DB58B59CC421C685134177C1+u*0x0C189E481473056DF3C73F181A09D0115A27E38590ACB8B73F3D6D7A59B69E2F9F7BAAC1377D78B6B7236EF7E1788D6F),E2(0x0AD1E315AAC878255CB966F47B316A0FC4D7BA2339B0CC4A4DE8C454DD52BCD71296681D40947FEE827A58C0C9CC0B5D+u*0x02E7E8B4BDBB4C7535160D7FD6A3A39DE78E7D635094722A8D3B5D44EFA4B5A93A723B28EAD7F76726C2452C0999F38D,0x14193583CDE18DA0D2F2F262F88B11AE3E06366B5E0EE91F1F924C1F1FF04513E632F8B351A51968998F12C9C5D092FC+u*0x112772145C6C64627F6441BCC901B9AB6066F120AA6B49DFABAAF0B14249B0D7DA877FBB9B39969891F5C571BE9F6FF2),E2(0x155C0BD3920975D4244D77E06CB4AECE302F16FA48C6DEE54E061D9E786ECCE317C86699D3931A6CFD799E58550423B7+u*0x06B909394B35F9196F156B27E41120214F6520E3B9413FCAC45260941B0F4C160CCA437FFAF374FCF564986BEC7079AA,0x0CDB50A668B41C754719B695C764EE4625C7F9C5BE700ADE298EA9B815EBB1F42195DD3F1A725AE184B7FC678CE2E366+u*0x12D183F401FAF7A6C51B01E7BC0C03760786E7F4CAEBCF92DDC0B49BDF01F36B5B0AC20491FDC15C7496EB771A1B7D30),E2(0x0810A6CDD125C9025DFA558A76E7A1A2F230E5BD9568C412399AC3D48A78A6704ADFECEB9F39C6C8599529693D95109C+u*0x027DAF00CA8E528C2115D7A4F969F215B88B230E253001A620C4626B6978692DBCDF0F77FAFF58534FF1F418E631C4C3,0x032D348283F4565B7B90AA0BAE1B52021F58E3B24DA251335CC1D0F8B9921FCCA949494A4300E4938FECD01DB310993A+u*0x17DF717A14C681524ED2B420EF7F8E92E6214F24C73AB811A1C4FFB70B4E9DDEFFFBBD47DE878982674AD7CA3F20BFA6),E2(0x16B59E523EC72B48DF033312E33E75A7E75A1BBA8C1F5DAFEFC5D4317BBADA9CD384B7DF2278E2448153775E9F2F25C1+u*0x091D06838D318345E6768CA6281BC406C96197D7FB3777E49325E6F89A8A4BC6D6C2399DB2795E174FAA97BA101E67BC,0x04B54CFB462AEEA25C566DAFF4E7E564DE83C1E2EF9A344986E375D55B03D38DCA880C69404D20C82666A45C27F34CFE+u*0x13072893B0D8E98B941900B8CB0B06152B978DC99EB4043FE559FA79B364DCA2C6618A5CBB4772F88191F953A46A573B),E2(0x0BF275DF09FBF21FA4DCC3F3B6DF4BC44DF1BDB28B4ACE87F247B9E35E5126E1B061FEACF9B639FAE35E05386FAAFEA8+u*0x0E1939CFED18E0DE97F98E17018C126600960CCCCB804A466F5623015B61D0114AA3753E919A08B24C7611D6B194EDF8,0x154127D1F3AF0AE24397FAEDFD1E7F67DA9178B85701D175B285133B143D8F82AB8905880F361A3ADCBA95EADEDFB561+u*0x0DACB99D4BB805D2ABC3C1BF3D3684ECD006951E8D84EB1439AAEC5548AC5FBCF9DFDE7890AA247A2BC8A5F95351E91C)]

From these points, one can already see that

G_{1}

is not of order

r

sage: print(g1_trusted_setup[0].order().factor())                               
3 * 11 * 10177 * 859267 * 52437899 * 52435875175126190479447740508185965837690552500527637822603658699938581184513

The last prime factor is

r

, and we can already compute the secret

s

modulo

3 \cdot 11 \cdot 10177 \cdot 859267 \cdot 52437899

using g1_trusted_setup[0] and g1_trusted_setup[1]. In roughly five seconds on a laptop, we obtain

s \equiv 2335387132884273659 mod 15132376222941642753

(see here for the details).

Information using
$G_{2}$

In order to get more information on

s

, we look at

E_{2}

. Computing the order of g2_trusted_setup[0] is more expensive because the order of

E_{2}

has a large prime factor:

sage: print(cof2.factor())                                                      
13^2 * 23^2 * 2713 * 11953 * 262069 * 402096035359507321594726366720466575392706800671181159425656785868777272553337714697862511267018014931937703598282857976535744623203249

We easily obtain that g2_trusted_setup[0] is of order

13 \cdot 23 \cdot 2713 \cdot 11953 \cdot 262069 \cdot r^{'} \cdot r

with

\log_{2} (r^{'}) = 448

. Hence, we can compute the discrete logarithm of g2_trusted_setup[1] modulo the five first small prime factors. We finally obtain that

s \equiv 712318409117070 mod 2541052003438559

(again, see here for details).

Recovering the whole secret

From these two pieces of information, we obtain using the Chinese Remainder Theorem that

s \equiv

0x113b7b26971d7ade78fd8777ba35d mod 0x767d66d83219344facd1815e44fdf. We can recover the last 15 last bits of

s

using a brute force:

s = 0x113b7b26971d7ade78fd8777ba35d
N = 0x767d66d83219344facd1815e44fdf
K = 0
while true:
    if (s+K*N)*g1_trusted_setup[0] == g1_trusted_setup[1]: 
        break 
    K+=1

secret = s+K*N

This last algorithm computes the secret in less than 30 seconds.

sage: print(hex(s))
0x56787654567876541234321012343210

Conclusion

In this blog post, we presented the Groth16 trusted setup together with some security considerations. The related puzzle instantiates a setup where the points

G_{1}

and

G_{2}

generate larger groups than

G_{1}

and

G_{2}

. We use this issue in order to recover information on the secret. A final brute-force algorithm lets us recover the secret scalar entirely, because this latter was only a 128-bit integer. In order to prevent these issues, the secret needs to be

256

-bit long. Moreover, there are criterions in order to check whether if

G_{1}

and

G_{2}

are in the right subgroups. To do so, one can check that

[r] G_{1} = [r] G_{2} = 0

. In the case of these particular curves, faster algorithms (see here) lead to more efficient subgroup checks. For the BLS12-381 curve, one could have checked it using the is_in_correct_subgroup_assuming_on_curve() function (see here and here).

Gabriella Wong

2021/10/22 14:35:40

"from" might be better (Edited)

Kobi Gurkan

2021/10/22 18:51:14

where $r_1$ and $r_2$ are prime integers

worth mentioning that r' is small, and that's why we can do it (Edited)

2021/10/22 18:51:29

In practice, $\mathbb G_1$ and $\mathbb G_2$ are subgroups of two elliptic curves $E$ and $E'$ defined over finite fields. These groups can be proper subgroups, and it is possible to compute discrete logarithms if the third party manipulates the entire group of rational points of a curve instead of $\mathbb G_1$ or $\mathbb G_2$. This attack is often called the subgroup attack or the [Poligh-Hellman](https://en.wikipedia.org/wiki/Pohlig%E2%80%93Hellman_algorithm) algorithm.

I'd put more emphasis on the factors being small (Edited)

danib31

2021/10/24 14:04:19

what does efficient mean here? the first deployed scheme was BTCV14... (not important comment though...) (Edited)

2021/10/24 14:38:24

Many alternatives prevent this third party issue. For example, the trusted setup computation can be shared between many participants so t

rephrase the sentence to: "Although there is a trust factor involved in generating the secret, the resulting proving and verification keys can be used to produce a proof that is succinct, where its size and the verification running time are independent of the statement size." (Edited)

2021/10/24 14:38:31

Two things to note: 1. it is not about the secret size (since s is always the same size) - the statement / circuit is what defines the number of powers to be used in the trusted setup. 2. there is no exaplanation of how the trusted setup is done (e.g.: an mpc ceremony to prevent remove the trust from a specific party) (Edited)

2021/10/24 14:42:16

In the following sections, we explore one aspect of the security of the trusted setup generation. Specifically, we aim to recover the secret $s$ when some of the elements used, such as $G_1$, $G_2$ a

Specifically, we aim to recover the secret "s" when some of the elements used, such as "G1, G2" are not properly generated / chosen. (Edited)

2021/10/24 14:44:52

second this. there could be a mention of a "hidden cofactor" to start exemplifying the atack (Edited)