PAD Holiday Encryption Challenge 2



A round of Santa-plause for everyone who managed to solve challenge 1 of our puzzle!


Hopefully you’re not sick of unwrapping presents, as the PAD team has one more gift for you: Challenge 2.


Don’t forget to follow our Twitter: @PADtech_team and join our Discord: https://discord.gg/E2A4AfVr … Yule not be sorry!


Challenge 2 Details


Because we were just hacked by those of you who solved challenge 1, we have decided to re-key.


Our new public key is

  • h = 75510971883087663591701901438676157301580390162370281086763801811083530012385


We now are going to prove knowledge of the secret key associated with h, which is the discrete log of h to the base g (namely h = g^x). We will use a Schnorr ZK proof, which has the following structure:

  • The prover chooses a random value r from G and commits to it by sending t = g^r to the verifier.

  • The verifier responds with a challenge value c chosen randomly from G.

  • The prover sends to the verifier s = r + cx.

  • The verifier accepts if and only if g^s = t * h^c.


We run a Schnorr ZK proof, and as the verifier you see the following transcript:

  1. Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717

  2. Challenge value: 21217313341520279359841291908598942829253213559939161591405075035133032243307

  3. Response: 29511709109214253695057140435219327643129720016531218179722110339900600154187


You decide to request yet another proof of knowledge from us. The transcript of this execution is:

  1. Commit to randomness: 13514923911643845803343638658128633449338000046253044332162545797909239191717

  2. Challenge value: 10882468452441661286548616348307372754238857894764013328524497676555360540782

  3. Response: 35223818631641012707338557887187517850120109862932150055814843879213174655442


You notice a flaw in our ZK implementation and use it to reconstruct our secret key. What is it?
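The four protocol steps above, as an added example that is not part of the original challenge: it shows why the prover's r must be fresh for every run, since two accepting transcripts that share a commitment determine x. The group parameters P, Q and G are a small constructed toy group (an assumption; this page does not give the challenge's own parameters), and all function names are illustrative.

```python
import secrets

# Constructed toy group, NOT the challenge's parameters (this page gives only h):
# P = 2*Q + 1 with P, Q prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def commit():
    """Prover, step 1: pick a fresh nonce r and send t = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def respond(x, r, c):
    """Prover, step 3: s = r + c*x, reduced modulo the group order Q."""
    return (r + c * x) % Q

def verify(h, t, c, s):
    """Verifier, step 4: accept iff g^s == t * h^c."""
    return pow(G, s, P) == (t * pow(h, c, P)) % P

def extract(tr1, tr2):
    """Two accepting transcripts (t, c, s) with the same t and different c give
    s1 - s2 = (c1 - c2) * x (mod Q), so x follows by one modular division.
    Returns None when the transcripts do not share a commitment."""
    (t1, c1, s1), (t2, c2, s2) = tr1, tr2
    dc = (c1 - c2) % Q
    if t1 != t2 or dc == 0:
        return None
    return (s1 - s2) * pow(dc, -1, Q) % Q

def demo():
    """Run the proof twice with a reused nonce and report what leaks."""
    x = secrets.randbelow(Q - 1) + 1          # prover's secret key
    h = pow(G, x, P)                          # public key h = g^x
    r, t = commit()                           # flawed prover keeps this r for both runs
    c1 = secrets.randbelow(Q)
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q   # a second, different challenge
    tr1, tr2 = (t, c1, respond(x, r, c1)), (t, c2, respond(x, r, c2))
    assert verify(h, *tr1) and verify(h, *tr2)     # both proofs are valid on their own
    return extract(tr1, tr2) == x

if __name__ == "__main__":
    print("secret recovered from reused commitment:", demo())
```

A prover that calls `commit()` anew for each run never produces two transcripts with the same t, so `extract` has nothing to work with.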
