[curves] Zero knowledge proof on ECDSA signatures.

Mike Hamburg mike at shiftleft.org
Wed Feb 17 11:39:03 PST 2016


It seems to me that the StackExchange comments on this are correct.  That is, your technique doesn’t reveal s, but it is not zero-knowledge with respect to (r,s).  Instead, it reveals r and sR, which provide nonzero “knowledge” about (r,s).

This is important, because someone who wants a zkp for these signatures probably doesn’t want the proofs to be linkable.  That is, they don’t want there to be an efficient algorithm which sees only the zkp’s to be able to tell if they came from the same starting signature (r,s).  Since your technique reveals (r,sR), it is linkable.

Cheers,
— Mike

> On Feb 17, 2016, at 11:14 AM, Jan Moritz Lindemann <panda at panda.cat> wrote:
> 
> Some days ago I posted a design for a zkp on ECDSA signatures and I would like it to be peer reviewed.
> Zkp proposal can be seen here: http://crypto.stackexchange.com/a/32608 <http://crypto.stackexchange.com/a/32608>
> 
> Jan Moritz,
> 
> PS: Do you know any other zkp on ECDSA sigantures?
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20160217/76cef935/attachment.html>


More information about the Curves mailing list