The 256-bit recipient address is split into a vector of 32 bytes and each byte can be treated as a coefficient of a
degree-31 polynomial $P$.
$$
P(x) = p_0 + p_1x^1 + p_2x^2 + ... + p_{31}x^{31}
$$
Blinding Polynomial:
$$
B(x) = b_0 + b_1x
$$
And the blinding scheme can be illustrated as following:
$$
Q(x) = P(x) + (b_0 + b_1x) Z_H(x) \
= b_0x^n + b_1x^{n+1} + P(x) - b_0 - b_1x\
= c_0+c_1x+c_2x^2 + ... + c_{n+1}x^{n+1}
$$
And the commitment of $Q(x)$ can be illustrated as following:
$$
com(Q) = c_0g + c_1gs +c_2gs^2 + ... + c_{n+1}gs^{n+1}
$$
If one account is known, the $P(x)$ is deterministic. And if two challenges $c_0$/$c_1$ and corresponding evaluations are known, the $b_0$ and $b_1$ coefficients in $Q(x)$ polynomial can be found by the equations:
$$
Q(c_0) = P(c_0) + (b_0 + b_1c_0) Z_H(c_0) \
Q(c_1) = P(c_1) + (b_0 + b_1c_1) Z_H(c_1)
$$
Once $b0$ and $b1$ are obtained, the $Q(x)$ polynomial is fixed. That's to say, the coefficients $c_0, c_1, ..., c_{n+1}$ of $Q(x)$ are all known. Based on those coefficients, the commitment of $Q(x)$ can be calculated using the $com(Q)$ fomula.
All in all, based on the following facts:
- once the challenges $c_0$/$c_1$ and corresponding evaluations are known, the commitment of $Q(x)$ can be calculated.
- all possible accounts are exposed.
The puzzle can be solved by scanning all possible accounts to find out the correct account with specified commitment.
