Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
zkhack-hidden-in-plain-sight.md

The 256-bit recipient address is split into a vector of 32 bytes and each byte can be treated as a coefficient of a degree-31 polynomial $P$. $$ P(x) = p_0 + p_1x^1 + p_2x^2 + ... + p_{31}x^{31} $$ Blinding Polynomial: $$ B(x) = b_0 + b_1x $$ And the blinding scheme can be illustrated as following: $$ Q(x) = P(x) + (b_0 + b_1x) Z_H(x) \ = b_0x^n + b_1x^{n+1} + P(x) - b_0 - b_1x\ = c_0+c_1x+c_2x^2 + ... + c_{n+1}x^{n+1} $$ And the commitment of $Q(x)$ can be illustrated as following: $$ com(Q) = c_0g + c_1gs +c_2gs^2 + ... + c_{n+1}gs^{n+1} $$ If one account is known, the $P(x)$ is deterministic. And if two challenges $c_0$/$c_1$ and corresponding evaluations are known, the $b_0$ and $b_1$ coefficients in $Q(x)$ polynomial can be found by the equations: $$ Q(c_0) = P(c_0) + (b_0 + b_1c_0) Z_H(c_0) \ Q(c_1) = P(c_1) + (b_0 + b_1c_1) Z_H(c_1) $$ Once $b0$ and $b1$ are obtained, the $Q(x)$ polynomial is fixed. That's to say, the coefficients $c_0, c_1, ..., c_{n+1}$ of $Q(x)$ are all known. Based on those coefficients, the commitment of $Q(x)$ can be calculated using the $com(Q)$ fomula.

All in all, based on the following facts:

  • once the challenges $c_0$/$c_1$ and corresponding evaluations are known, the commitment of $Q(x)$ can be calculated.
  • all possible accounts are exposed.

The puzzle can be solved by scanning all possible accounts to find out the correct account with specified commitment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment