From the source code, the signature (authentication) scheme used by Alice works as follows:
- Signing algorithm (let the user's message be $m$):
  $$m_{hash} = \mathrm{blake2s}(m)$$
  $$m_{g1} = \mathrm{hash\_to\_curve}(m_{hash})$$
  $$pk = sk \cdot g_2$$
  $$sig = sk \cdot m_{g1}$$
- Verification algorithm: the standard BLS pairing check that follows from the definitions above, $e(m_{g1}, pk) = e(sig, g_2)$, i.e. the verifier recomputes $m_{g1}$ from the message and checks that $sig$ is $sk \cdot m_{g1}$ for the $sk$ hidden in $pk$.
The Pedersen window parameters are defined by `ZkHackPedersenWindow`:

```rust
impl Window for ZkHackPedersenWindow {
    const WINDOW_SIZE: usize = 1;
    const NUM_WINDOWS: usize = 256;
}
```
The 256-bit blake2s digest is split into 256 windows of one bit each, so each window holds a single bit. The 256 G1 generators $g1_0, \dots, g1_{255}$ are drawn from a seeded random number generator, and `hash_to_curve` is the Pedersen commitment to the bits of the digest:
$$\mathrm{hash\_to\_curve}(m_{hash}) = \sum_{i=0}^{255} m_{hash}[i] \cdot g1_i$$
This map is linear in the bits of the digest: there is no non-linear step between the blake2s output and the curve point, which is the property the attack below exploits.
Because point addition on the curve is homomorphic, once 256 (or more) hashes with linearly independent bit vectors and their corresponding signatures have leaked, the signature of any target hash can be "calculated" as a linear combination of the leaked signatures. The coefficients $c_i$ are found by solving the following linear system over the scalar field of the curve, where $h_{i_j}$ is bit $j$ of the $i$-th leaked hash and $h_{t_j}$ is bit $j$ of the target hash:
$$\begin{bmatrix} h_{0_0} & h_{1_0} & \cdots & h_{255_0} \\ h_{0_1} & h_{1_1} & \cdots & h_{255_1} \\ \vdots & \vdots & \ddots & \vdots \\ h_{0_{255}} & h_{1_{255}} & \cdots & h_{255_{255}} \end{bmatrix} \begin{bmatrix} c_0 \\ c_1 \\ \vdots \\ c_{255} \end{bmatrix} = \begin{bmatrix} h_{t_0} \\ h_{t_1} \\ \vdots \\ h_{t_{255}} \end{bmatrix}$$
Once the coefficients are obtained, the hash point and the signature of the target hash follow from the same linear combination of the leaked values:
- $$h_{g1} = \sum_{i=0}^{255} c_i \cdot m_{g1_i}$$
- $$h_{sig} = \sum_{i=0}^{255} c_i \cdot sig_i$$

The forgery is valid because $sig_i = sk \cdot m_{g1_i}$ gives $h_{sig} = sk \cdot h_{g1}$, and the system above guarantees that $h_{g1} = \sum_j h_{t_j} \cdot g1_j$ is exactly the Pedersen hash of the target, so $h_{sig}$ is the signature Alice would have produced.
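The forgery carried through end to end, as an added example that is not the puzzle's own code. It scales the scheme down so the linear system stays small and assumes a few things the page does not: secp256k1 (prime order, cofactor 1, no pairing) stands in for BLS12-381 G1, the message hash is a blake2s digest truncated to `NBITS` bits instead of 256, the generators `g1_i` are derived deterministically by hashing to an x-coordinate, and, since this curve has no pairing, the forged signature is checked against the honest signature computed with the secret key rather than with the BLS pairing equation. The `solve_mod` routine handles more leaked signatures than bits (free variables set to zero) and reports an inconsistent system instead of returning garbage.

```python
# Added example: Pedersen-hash BLS forgery via a linear combination of leaked signatures.
# Not the puzzle's code. Toy parameters: secp256k1 instead of BLS12-381 G1, NBITS-bit
# blake2s digest instead of 256 bits, no pairing (verification simulated with sk).
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 group order
NBITS = 32  # toy NUM_WINDOWS with WINDOW_SIZE = 1 (the puzzle uses 256)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0: return None            # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced modulo the group order."""
    k %= N
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def gen_point(i):
    """Deterministic stand-in for the seeded RNG: hash to x, take y = sqrt(x^3 + 7)
    (P ≡ 3 mod 4, so the square root is a single exponentiation)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.blake2s(b"gen%d/%d" % (i, ctr)).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

GENS = [gen_point(i) for i in range(NBITS)]  # g1_0 .. g1_{NBITS-1}

def hash_bits(m):
    """m_hash as a list of NBITS bits (one bit per Pedersen window)."""
    d = hashlib.blake2s(m, digest_size=NBITS // 8).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(NBITS)]

def hash_to_curve(m):
    """Pedersen hash: sum of m_hash[i] * g1_i, linear in the digest bits."""
    acc = None
    for bit, g in zip(hash_bits(m), GENS):
        if bit: acc = ec_add(acc, g)
    return acc

def sign(sk, m):
    return ec_mul(sk, hash_to_curve(m))

def solve_mod(cols, target):
    """Find c with sum_i c_i * cols[i] == target over F_N, or None if no solution.
    Gauss-Jordan on the augmented matrix; free variables are set to 0, so more
    leaked signatures than bits is fine."""
    ncol = len(cols)
    rows = [[cols[j][i] for j in range(ncol)] + [target[i]] for i in range(NBITS)]
    pivots, r = [], 0
    for c in range(ncol):
        piv = next((i for i in range(r, NBITS) if rows[i][c]), None)
        if piv is None: continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], N - 2, N)
        rows[r] = [v * inv % N for v in rows[r]]
        for i in range(NBITS):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % N for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c); r += 1
        if r == NBITS: break
    if any(row[-1] for row in rows[r:]): return None   # target not in the span
    coeffs = [0] * ncol
    for i, c in enumerate(pivots): coeffs[c] = rows[i][-1]
    return coeffs

def forge(leaked, target_m):
    """leaked: list of (message, signature) pairs the attacker observed."""
    c = solve_mod([hash_bits(m) for m, _ in leaked], hash_bits(target_m))
    if c is None: return None
    forged = None
    for ci, (_, sig) in zip(c, leaked):
        if ci: forged = ec_add(forged, ec_mul(ci, sig))
    return forged

def demo():
    """Constructed scenario: 2*NBITS leaked signatures, forge one on a new message."""
    sk = int.from_bytes(hashlib.blake2s(b"alice-secret-key").digest(), "big") % N
    leaked = [(b"msg-%d" % i, sign(sk, b"msg-%d" % i)) for i in range(2 * NBITS)]
    target = b"attacker-controlled message"
    assert target not in [m for m, _ in leaked]
    # No pairing on this toy curve: compare with the honest signature instead.
    return forge(leaked, target) == sign(sk, target)

if __name__ == "__main__":
    print("forgery verifies:", demo())
```

Collecting twice as many leaked signatures as there are bits makes a full-rank system all but certain; with exactly `NBITS` leaked hashes the bit vectors are linearly dependent often enough that `solve_mod` legitimately returns `None`, and the real attack on the 256-window scheme has the same requirement.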
The