tjsharp1/gist:5b43c451ab009ac9774c5d27a504e504 Secret

## gistfile1.txt
The goal of this puzzle was to find the index of an encrypted message among a set of chosen messages.
In other words, a chosen plaintext attack.

Bob's message comes with four items in it:
1. His public key: T
2. The receiver's public key: R
3. A pair of points with the encrypted message: e = (T, tR + M)
4. A point on G2 'authenticating' the hash of the message: t * H(e)

It is possible with this information to construct a couple of pairings that cancel out the secret terms:
e(tR + M, H(e)) * e(-R, t * H(e)).

Writing out what happens to the terms in the exponent, you get: (tr + m) * h - r * t * h == m * h.

Now, for each of the chosen messages, we can compute:
e(msg_i, H(e))

Which will look like this in the exponent: m_i * h

We can compare each of these with the product computed above to find the index i of the encrypted message.
	The goal of this puzzle was to find the index of an encrypted message among a set of chosen messages.
	In other words, a chosen plaintext attack.

	Bob's message comes with four items in it:
	1. His public key: T
	2. The receiver's public key: R
	3. A pair of points with the encrypted message: e = (T, tR + M)
	4. A point on G2 'authenticating' the hash of the message: t * H(e)

	It is possible with this information to construct a couple of pairings that cancel out the secret terms:
	e(tR + M, H(e)) * e(-R, t * H(e)).

	Writing out what happens to the terms in the exponent, you get: (tr + m) * h - r * t * h == m * h.

	Now, for each of the chosen messages, we can compute:
	e(msg_i, H(e))

	Which will look like this in the exponent: m_i * h

	We can compare each of these with the product computed above to find the index i of the encrypted message.