[curves] Zero knowledge proof on ECDSA signatures.
mike at shiftleft.org
Wed Feb 17 11:56:07 PST 2016
Ah, I see.
For that objective, your construction looks reasonable if m’ is a one-time challenge from the verifier. But you would need a proof of security to be sure.
> On Feb 17, 2016, at 11:50 AM, Jan Moritz Lindemann <panda at panda.cat> wrote:
> Probably I was a little bit wrong in my formulation. The objective is to prove that I know a signature without that the receiver of the proof can be capable of pretending that he knows it.
> Do you think that the design is suitable and safe for such an use case?
> 2016-02-17 14:39 GMT-05:00 Mike Hamburg <mike at shiftleft.org <mailto:mike at shiftleft.org>>:
> It seems to me that the StackExchange comments on this are correct. That is, your technique doesn’t reveal s, but it is not zero-knowledge with respect to (r,s). Instead, it reveals r and sR, which provide nonzero “knowledge” about (r,s).
> This is important, because someone who wants a zkp for these signatures probably doesn’t want the proofs to be linkable. That is, they don’t want there to be an efficient algorithm which sees only the zkp’s to be able to tell if they came from the same starting signature (r,s). Since your technique reveals (r,sR), it is linkable.
> — Mike
>> On Feb 17, 2016, at 11:14 AM, Jan Moritz Lindemann <panda at panda.cat <mailto:panda at panda.cat>> wrote:
>> Some days ago I posted a design for a zkp on ECDSA signatures and I would like it to be peer reviewed.
>> Zkp proposal can be seen here: http://crypto.stackexchange.com/a/32608 <http://crypto.stackexchange.com/a/32608>
>> Jan Moritz,
>> PS: Do you know any other zkp on ECDSA sigantures?
>> Curves mailing list
>> Curves at moderncrypto.org <mailto:Curves at moderncrypto.org>
>> https://moderncrypto.org/mailman/listinfo/curves <https://moderncrypto.org/mailman/listinfo/curves>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Curves