A round of Santa-plause for everyone who managed to solve challenge 1 of our puzzle!

Hopefully you’re not sick of unwrapping presents, as the PAD team has one more gift for you: Challenge 2.

Don’t forget to follow our Twitter: @PADtech_team and join our Discord: https://discord.gg/E2A4AfVr … Yule not be sorry!

**Challenge 2 Details**

Because we were just hacked by those of you who solved challenge 1, we have decided to re-key.

Our new public key is

h = 75510971883087663591701901438676157301580390162370281086763801811083530012385

We now are going to prove knowledge of the secret key associated with h, which is the discrete log of h to the base g (namely $h = g^x$). We will use a Schnorr ZK proof, which has the following structure:

The prover chooses a random value r from G and commits to it by sending $t = g^r$ to the verifier.

The verifier responds with a challenge value c chosen randomly from G.

The prover sends to the verifier s = r + cx.

The verifier accepts if and only if $g^s = t \cdot h^c$.

We run a Schnorr ZK proof, and as the verifier you see the following transcript:

Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717

Challenge value: 21217313341520279359841291908598942829253213559939161591405075035133032243307

Response: 29511709109214253695057140435219327643129720016531218179722110339900600154187

You decide to request yet another proof of knowledge from us. The transcript of this execution is:

Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717

Challenge value: 10882468452441661286548616348307372754238857894764013328524497676555360540782

Response: 35223818631641012707338557887187517850120109862932150055814843879213174655442

You notice a flaw in our ZK implementation and use it to reconstruct our secret key. What is it?
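The four protocol steps above, written out as an added example (not code from the original post), together with what a verifier can compute when a prover sends the same commitment twice. The group `P`, `Q`, `G`, the key `777` and all function names are constructed for illustration; they are not the challenge's parameters, which this page does not restate.

```python
import secrets

# Constructed toy group (NOT the challenge's parameters): p = 2q + 1,
# and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def commit(r):
    """Prover, step 1: t = g^r."""
    return pow(G, r, P)

def respond(r, c, x):
    """Prover, step 3: s = r + c*x, reduced modulo the group order."""
    return (r + c * x) % Q

def verify(h, t, c, s):
    """Verifier, step 4: accept iff g^s == t * h^c."""
    return pow(G, s, P) == (t * pow(h, c, P)) % P

def run_proof(x, r=None):
    """One protocol run; returns the transcript (t, c, s).
    A correct prover leaves r=None so a fresh r is drawn every time."""
    r = secrets.randbelow(Q) if r is None else r
    c = secrets.randbelow(Q)          # verifier's random challenge
    return commit(r), c, respond(r, c, x)

def recover_key(tr1, tr2):
    """Two accepting transcripts with the same t but different c satisfy
    s1 - s2 = (c1 - c2) * x (mod q), so x follows by one division."""
    (t1, c1, s1), (t2, c2, s2) = tr1, tr2
    if t1 != t2 or c1 == c2:
        return None                   # fresh commitments: nothing to solve
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q

def demo():
    x = 777                           # constructed secret key
    h = pow(G, x, P)
    # Flawed prover: r = 123 is reused for both runs (challenges fixed
    # here so the result is reproducible).
    a = (commit(123), 45, respond(123, 45, x))
    b = (commit(123), 901, respond(123, 901, x))
    assert verify(h, *a) and verify(h, *b)
    return recover_key(a, b)
```

A verifier or auditor can apply the same `t1 == t2` comparison to stored transcripts as a check for a prover with broken randomness.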