PAD Holiday Encryption Challenge 2

A round of Santa-plause for everyone who managed to solve challenge 1 of our puzzle!

Hopefully you’re not sick of unwrapping presents, as the PAD team has one more gift for you: Challenge 2.

Don’t forget to follow our Twitter: @PADtech_team and join our Discord: https://discord.gg/E2A4AfVr … Yule not be sorry!

Challenge 2 Details

Because we were just hacked by those of you who solved challenge 1, we have decided to re-key.

Our new public key is

  • h = 75510971883087663591701901438676157301580390162370281086763801811083530012385

We now are going to prove knowledge of the secret key associated with h, which is the discrete log of h to the base g (namely h = g^x). We will use a Schnorr ZK proof, which has the following structure:

  • The prover chooses a random value r from G and commits to it by sending t = g^r to the verifier.
  • The verifier responds with a challenge value c chosen randomly from G.
  • The prover sends to the verifier s = r + cx.
  • The verifier accepts if and only if g^s = t * h^c.

We run a Schnorr ZK proof, and as the verifier you see the following transcript:

  1. Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717
  2. Challenge value: 21217313341520279359841291908598942829253213559939161591405075035133032243307
  3. Response: 29511709109214253695057140435219327643129720016531218179722110339900600154187

You decide to request yet another proof of knowledge from us. The transcript of this execution is:

  1. Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717
  2. Challenge value: 10882468452441661286548616348307372754238857894764013328524497676555360540782
  3. Response: 35223818631641012707338557887187517850120109862932150055814843879213174655442

You notice a flaw in our ZK implementation and use it to reconstruct our secret key. What is it?
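
The protocol above on a small constructed group, as an added example (not the PAD team's code): it verifies transcripts, flags a commitment that repeats across runs as in the two transcripts shown, and demonstrates why that repetition exposes the key. P, Q, G, the secret 777 and the challenge values are constructed for illustration; the challenge's own group parameters are not given on this page.

```python
# Added example: Schnorr proof of knowledge on a constructed toy group.
# P, Q, G are assumptions; they are NOT the challenge's parameters.
import secrets

P = 2039   # constructed safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue mod P, so it has order Q

def run(x, r, c):
    """Prover side: return the transcript (t, c, s) for secret x, nonce r."""
    return (pow(G, r, P), c, (r + c * x) % Q)

def verify(h, t, c, s):
    """Verifier check from the page: g^s == t * h^c."""
    return pow(G, s, P) == (t * pow(h, c, P)) % P

def reused_commitments(transcripts):
    """Audit check: index pairs of transcripts that share a commitment t."""
    seen, hits = {}, []
    for i, (t, _c, _s) in enumerate(transcripts):
        if t in seen:
            hits.append((seen[t], i))
        else:
            seen[t] = i
    return hits

def extract(tr1, tr2):
    """Same t, different c: s1 - s2 = (c1 - c2) * x, so x follows mod Q."""
    (t1, c1, s1), (t2, c2, s2) = tr1, tr2
    dc = (c1 - c2) % Q
    if t1 != t2 or dc == 0:
        raise ValueError("need equal commitments and distinct challenges")
    return (s1 - s2) * pow(dc, -1, Q) % Q

def demo():
    x = 777                            # constructed secret key
    h = pow(G, x, P)                   # matching public key
    r = secrets.randbelow(Q - 1) + 1   # nonce, wrongly used for both runs
    flawed = [run(x, r, 123), run(x, r, 456)]
    assert all(verify(h, *tr) for tr in flawed)  # both proofs still verify
    return h, flawed

if __name__ == "__main__":
    h, flawed = demo()
    print("repeated commitments:", reused_commitments(flawed))
    print("value recovered from the pair:", extract(*flawed))
```

A prover that draws a fresh r for every run never produces a pair that `reused_commitments` flags, and `extract` has nothing to work with.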