Fetched latest mainnet checkpoint: 0x31070dbf1981902cb3c0da7e5bfb202c4ac866649fd6c5243c5a892c382ee1a1
WARN 🚧 [warn]: checkpoint too old, consider using a more recent block
INFO load memory [ 3.65ms | 100.00% ]
INFO i [info]: ┌╴utils:init_keys | log.target: "sp1_core::syscall::write" | log.module_path: "sp1_core::syscall::write" | log.file: "/Users/Elena/.cargo/git/checkouts/sp1-20c98843a1ffc860/aaf765d/core/src/syscall/write.rs" | log.line: 42
INFO i [info]: │ ┌╴incubator-milagro-crypto-rust:deserialize_compressed_g1 | log.target: "sp1_core::syscall::write" | log.module_path: "sp1_core::syscall::write" | log.file: "/Users/Elena/.cargo/git/checkouts/sp1-20c98843a1ffc860/aaf765d/core/src/syscall/write.rs" | log.line: 42
INFO i [info]: │ └╴2,917,275 cycles | log.target: "sp1_core::syscall::write" | log.module_path: "sp1_core::syscall::write" | log.file: "/Users/Elena/.cargo/git/checkouts/sp1-20c98843a1ffc860/aaf765d/core/src/syscall/write.rs" | log.line: 53
INFO i [info]: │ ┌╴incubator-mi
## Puzzle
*Bob designed a new one-time scheme that's based on the tried and true method of encrypt + sign. He combined ElGamal encryption with BLS signatures in a clever way, such that you use pairings to verify that the encrypted message was not tampered with. Alice, then, figured out a way to reveal the plaintexts...*
## Background
### ElGamal encryption
The ElGamal encryption system is a public-key encryption algorithm based on the Diffie-Hellman key exchange protocol. It allows two parties to exchange messages securely without having previously shared a secret key. It works by first generating a public key $Pk$ / private key $sk$ pair. To encrypt a message $m$, the sender selects a random number $k$ and computes $c_1 = g^k \bmod p$ and $c_2 = m \cdot rPk^k \bmod p$, where $rPk$ is the receiver's public key.
# Supervillain
## Problem Statement
Bob has been designing a new optimized signature scheme for his L1 based on BLS signatures. Specifically, he wanted to be able to use the most efficient form of BLS signature aggregation, where you just add the signatures together rather than having to delinearize them. In order to do that, he designed a proof-of-possession scheme based on the B-KEA assumption he found in the Sapling security analysis paper by Mary Maller [1]. Based on the reasoning in the Power of Proofs-of-Possession paper [2], he concluded that his scheme would be secure. After he deployed the protocol, he found it was attacked: a malicious block entered the system, fooling all the light nodes...
- [1] https://github.com/zcash/sapling-security-analysis/blob/master/MaryMallerUpdated.pdf
- [2] https://rist.tech.cornell.edu/papers/pkreg.pdf
## Solution
@brozorec
brozorec / gist:fea6b0f212ff74b4ef4b7f361c106435
Created January 23, 2024 09:33
Puzzle Gamma Ray - Writeup
https://writeups-le4t.vercel.app/
```solidity
pragma solidity 0.6.11;

import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v3.1.0/contracts/access/Ownable.sol";
import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/v3.1.0/contracts/math/SafeMath.sol";

contract Voting is Ownable {
    using SafeMath for uint;

    // Per-voter state tracked by the contract
    struct Voter {
        bool isRegistered;
        bool hasVoted;
        // remaining struct members and contract body are cut off in this gist preview
    }
}
```
### Keybase proof
I hereby claim:
* I am brozorec on github.
* I am brozorec (https://keybase.io/brozorec) on keybase.
* I have a public key ASCdMPsE7cAPI2SxoKedu9LPRGuvlXbC4SGFDCKVCnAVAwo
To claim this, I am signing this object: