This hack describes a proof system that uses the Fiat-Shamir transform to make it non-interactive. However, in the proposed system, the verifier computes the challenge $e$ only from (commit_key, proof.commitment). To be more specific, e = b2s_hash_to_field(commit_key, proof.commitment). The statement being proven, i.e. the commitments whose openings the proof is about, is not part of the hash input.
Suppose the adversary wants to commit to two different values (let's call them $a_1$ and $a_2$, with commitments $a_1g + r_1h$ and $a_2g + r_2h$) and still pass verification, where the verifier checks

$$ sg + uh = C_\rho + e \times (a_1g + r_1h), $$
$$ sg + th = C_\tau + e \times (a_2g + r_2h). $$

For an honest prover, $C_\rho = xg + \rho h$ and $C_\tau = xg + \tau h$ use the same random $x$, so a single response $s = x + e \times a$ satisfies both equations only if both commitments hide the same value. This implies that $a_1 = a_2$ as long as $e \neq 0$ and the discrete logarithm of $g$ with respect to $h$ (and vice versa) is not known to anyone.
Since $e$ does not depend on the commitments $a_1g + r_1h$ and $a_2g + r_2h$, the adversary can fix $e$ first and choose $a_2$ afterwards:

1. Sample a random element $x_1$, then let $x_2 = x_1 + 1$. Pick random $\rho$, $\tau$ and set $C_\rho = x_1g + \rho h$, $C_\tau = x_2g + \tau h$.
2. Compute $e$ as described above, i.e. from commit_key and $(C_\rho, C_\tau)$ only. If $e = 0$, go to step 1. Note that the probability that $e = 0$ is negligible.
3. Sample a random element $a_1$, then let $a_2 = a_1 - \frac{(x_2 - x_1)}{e}$. Pick random $r_1$, $r_2$.

Given these, the adversary outputs the commitments $a_1g + r_1h$ and $a_2g + r_2h$ together with the responses

- $s = x_1 + e \times a_1 = x_2 + e \times a_2$,
- $u = \rho + e \times r_1$,
- $t = \tau + e \times r_2$.

Substituting into the verifier's equations gives $sg + uh = x_1g + \rho h + e \times (a_1g + r_1h) = C_\rho + e \times (a_1g + r_1h)$ and $sg + th = x_2g + \tau h + e \times (a_2g + r_2h) = C_\tau + e \times (a_2g + r_2h)$, so both checks pass even though $a_1 \neq a_2$. It's easy to see that our attack vector is valid.
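As an added, runnable illustration (not code from the original page or from the audited project), the following Python re-implements the equality proof and its verifier over secp256k1, runs the forgery described above against the weak challenge derivation, and then checks the same forgery against a verifier that also absorbs the two commitments into the hash. The choice of group, the SHA-256 stand-in for b2s_hash_to_field, the encoding of commit_key as the pair $(g, h)$, and the try-and-increment derivation of $h$ are all assumptions of this example.

```python
# Added example (not the original page's code): the forgery from the text, run
# against a toy re-implementation of the verifier over secp256k1.  The real
# system's b2s_hash_to_field and commit_key encoding are assumed; SHA-256 over
# point coordinates stands in for both.
import hashlib
import random

# secp256k1 parameters (cofactor 1, so every point is in the prime-order group)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_to_curve(tag):
    """Try-and-increment (assumed construction): gives an H whose log w.r.t. G nobody knows."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(tag + bytes([ctr])).digest(), "big") % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)          # square root works because P = 3 mod 4
        if y * y % P == rhs: return (x, y)
    raise RuntimeError("no curve point found")

H = hash_to_curve(b"pedersen-h")

def commit(a, r):
    """Pedersen commitment a*G + r*H (the page's a*g + r*h)."""
    return ec_add(ec_mul(a, G), ec_mul(r, H))

def hash_to_field(*points):
    """Stand-in for b2s_hash_to_field (assumption): SHA-256 over the points, reduced mod N."""
    h = hashlib.sha256()
    for x, y in points:
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def challenge(c_rho, c_tau, c1=None, c2=None, fixed=False):
    """fixed=False: the vulnerable derivation, e from (commit_key, proof.commitment) only.
    fixed=True: the two commitments being proven equal are absorbed as well."""
    return hash_to_field(G, H, c_rho, c_tau, *([c1, c2] if fixed else []))

def prove(a, r1, r2, seed=0, fixed=False):
    """Honest proof that commit(a, r1) and commit(a, r2) hide the same value a."""
    rng = random.Random(seed)
    c1, c2 = commit(a, r1), commit(a, r2)
    x, rho, tau = (rng.randrange(1, N) for _ in range(3))
    c_rho, c_tau = commit(x, rho), commit(x, tau)
    e = challenge(c_rho, c_tau, c1, c2, fixed)
    return (c1, c2), (c_rho, c_tau, (x + e * a) % N, (rho + e * r1) % N, (tau + e * r2) % N)

def verify(stmt, proof, fixed=False):
    """The page's two checks: sG + uH = C_rho + e*C1 and sG + tH = C_tau + e*C2."""
    c1, c2 = stmt
    c_rho, c_tau, s, u, t = proof
    e = challenge(c_rho, c_tau, c1, c2, fixed)
    return (commit(s, u) == ec_add(c_rho, ec_mul(e, c1)) and
            commit(s, t) == ec_add(c_tau, ec_mul(e, c2)))

def forge(seed=0):
    """The attack from the text: a1 != a2, yet the weak verifier accepts."""
    rng = random.Random(seed)
    while True:                                # step 1 + 2: x2 = x1 + 1, e from the commitment alone
        x1 = rng.randrange(1, N); x2 = (x1 + 1) % N
        rho, tau = rng.randrange(1, N), rng.randrange(1, N)
        c_rho, c_tau = commit(x1, rho), commit(x2, tau)
        e = challenge(c_rho, c_tau)
        if e != 0: break                       # e = 0 happens with probability 1/N
    a1 = rng.randrange(1, N)                   # step 3: pick a2 so that x1 + e*a1 = x2 + e*a2
    a2 = (a1 - (x2 - x1) * pow(e, -1, N)) % N
    r1, r2 = rng.randrange(1, N), rng.randrange(1, N)
    s = (x1 + e * a1) % N
    assert s == (x2 + e * a2) % N
    proof = (c_rho, c_tau, s, (rho + e * r1) % N, (tau + e * r2) % N)
    return (a1, a2), (commit(a1, r1), commit(a2, r2)), proof

if __name__ == "__main__":
    (a1, a2), stmt, proof = forge(seed=1)
    print("a1 != a2:", a1 != a2)
    print("weak verifier accepts forgery:", verify(stmt, proof))
    print("fixed verifier accepts forgery:", verify(stmt, proof, fixed=True))
```

The forgery is accepted by `verify(..., fixed=False)` and rejected by `verify(..., fixed=True)`, which differs only in hashing the two commitments into $e$; honest proofs pass under both. Binding the full statement into the Fiat-Shamir hash is what removes the adversary's freedom to pick $a_2$ after seeing $e$.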
The above attack is inspired by citation 1.