In [18]:
import random
from hashlib import sha256

# Set a large prime number and a generator
p = 2**255 - 19  # A large prime number (Curve25519 prime)
g = 2  # Generator

# The secret flag (this would be known only to the prover)
secret_flag = "CTF{ZKP_M4st3r}"

In [19]:
class ZKPChallenge:
    def __init__(self, secret):
        self.secret = int.from_bytes(secret.encode(), 'big')
        self.y = pow(g, self.secret, p)  # Public key

    def commit(self):
        self.r = random.randint(1, p-1)
        return pow(g, self.r, p)  # Commitment

    def challenge(self):
        return random.randint(0, 1)  # Random challenge bit

    def respond(self, c, t):
        if c == 0:
            return self.r
        else:
            return (self.r - self.secret * t) % (p-1)

    def verify(self, c, t, commitment, response):
        if c == 0:
            return commitment == pow(g, response, p)
        else:
            return commitment == (pow(g, response, p) * pow(self.y, t, p)) % p

In [21]:
# Create the ZKP challenge
zkp = ZKPChallenge(secret_flag)

# Simulate multiple rounds of the protocol
rounds = 10
success = True

for i in range(rounds):
    print(f"\nRound {i+1}:")
    
    # Prover commits
    commitment = zkp.commit()
    print(f"Commitment: {commitment}")

    # Verifier challenges
    c = zkp.challenge()
    print(f"Challenge: {c}")

    # Prover responds
    t = random.randint(1, p-1)  # This would normally be chosen by the verifier
    response = zkp.respond(c, t)
    print(f"Response: {response}")

    # Verifier verifies
    result = zkp.verify(c, t, commitment, response)
    print(f"Verification: {'Success' if result else 'Failure'}")
    
    success &= result

print(f"\nOverall result: {'Prover knows the secret' if success else 'Proof failed'}")


Round 1:
Commitment: 5438307274786433050723540652833549139408353070229046681692237078537348547830
Challenge: 1
Response: 26365505204486572720758467839511351141864249290896539560373316678386599221319
Verification: Success

Round 2:
Commitment: 56314688768599782948752275832343190195901418454472354884518583318062297284442
Challenge: 0
Response: 46802488719006980374831665980108437807476909179503016316718626156702344127013
Verification: Success

Round 3:
Commitment: 28796918681484691507976280832541679075705053976470241539489214203330769441474
Challenge: 0
Response: 20085407847495690973159623738622835896336318744951242558812673310249269346078
Verification: Success

Round 4:
Commitment: 1220871164042956620748758173977996340941033650065516877599033107831345245747
Challenge: 0
Response: 47570666067619641954394737608992059322404467840687346817924957600147179949880
Verification: Success

Round 5:
Commitment: 45834217910083942295872544543211846161794140939080487451864538554150060022480
Challenge:

In [None]:
# Client commit
import random 
def client_commit():
    
    p = 57896044618658097711785492504343953926634992332820282019728792003956564819949
    g= 2
    r = random.randint(1, p-1)
    print(f'commit,r:{pow(g, r, p)},{r}')
    return r

secret_flag="CTF{ZKP_M4st3r}"
secret=secret_flag
r=client_commit()

commit,r:40407643617170990935184824237086482556194065058511254271855385734629916026043,5254108347621430948281865773240143224128478742956297974664900008554362915074


In [27]:
secret=int.from_bytes(secret_flag.encode(), 'big')
y=pow(g, secret, p)
y

27847071720993460419626125606995760941056076863506309313079029536813608142077