Instantly share code, notes, and snippets.

# StarLI-Trapdoor/zkhack-hidden-in-plain-sight.md Secret

Created Nov 19, 2021
zkhack-hidden-in-plain-sight.md

The 256-bit recipient address is split into a vector of 32 bytes and each byte can be treated as a coefficient of a degree-31 polynomial \$P\$. \$\$ P(x) = p_0 + p_1x^1 + p_2x^2 + ... + p_{31}x^{31} \$\$ Blinding Polynomial: \$\$ B(x) = b_0 + b_1x \$\$ And the blinding scheme can be illustrated as following: \$\$ Q(x) = P(x) + (b_0 + b_1x) Z_H(x) \ = b_0x^n + b_1x^{n+1} + P(x) - b_0 - b_1x\ = c_0+c_1x+c_2x^2 + ... + c_{n+1}x^{n+1} \$\$ And the commitment of \$Q(x)\$ can be illustrated as following: \$\$ com(Q) = c_0g + c_1gs +c_2gs^2 + ... + c_{n+1}gs^{n+1} \$\$ If one account is known, the \$P(x)\$ is deterministic. And if two challenges \$c_0\$/\$c_1\$ and corresponding evaluations are known, the \$b_0\$ and \$b_1\$ coefficients in \$Q(x)\$ polynomial can be found by the equations: \$\$ Q(c_0) = P(c_0) + (b_0 + b_1c_0) Z_H(c_0) \ Q(c_1) = P(c_1) + (b_0 + b_1c_1) Z_H(c_1) \$\$ Once \$b0\$ and \$b1\$ are obtained, the \$Q(x)\$ polynomial is fixed. That's to say, the coefficients \$c_0, c_1, ..., c_{n+1}\$ of \$Q(x)\$ are all known. Based on those coefficients, the commitment of \$Q(x)\$ can be calculated using the \$com(Q)\$ fomula.

All in all, based on the following facts:

• once the challenges \$c_0\$/\$c_1\$ and corresponding evaluations are known, the commitment of \$Q(x)\$ can be calculated.
• all possible accounts are exposed.

The puzzle can be solved by scanning all possible accounts to find out the correct account with specified commitment.