[curves] Zero knowledge proof on ECDSA signatures.

Jan Moritz Lindemann panda at panda.cat
Wed Feb 17 11:50:37 PST 2016

Probably I was a little bit wrong in my formulation. The objective is to
prove that I know a signature without that the receiver of the proof can be
capable of pretending that he knows it.
Do you think that the design is suitable and safe for such an use case?

2016-02-17 14:39 GMT-05:00 Mike Hamburg <mike at shiftleft.org>:

> It seems to me that the StackExchange comments on this are correct.  That
> is, your technique doesn’t reveal s, but it is not zero-knowledge with
> respect to (r,s).  Instead, it reveals r and sR, which provide nonzero
> “knowledge” about (r,s).
> This is important, because someone who wants a zkp for these signatures
> probably doesn’t want the proofs to be linkable.  That is, they don’t want
> there to be an efficient algorithm which sees only the zkp’s to be able to
> tell if they came from the same starting signature (r,s).  Since your
> technique reveals (r,sR), it is linkable.
> Cheers,
> — Mike
> On Feb 17, 2016, at 11:14 AM, Jan Moritz Lindemann <panda at panda.cat>
> wrote:
> Some days ago I posted a design for a zkp on ECDSA signatures and I would
> like it to be peer reviewed.
> Zkp proposal can be seen here: http://crypto.stackexchange.com/a/32608
> Jan Moritz,
> PS: Do you know any other zkp on ECDSA sigantures?
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20160217/6e2d1684/attachment.html>

More information about the Curves mailing list