[curves] Zero knowledge proof on ECDSA signatures.

Watson Ladd watsonbladd at gmail.com
Wed Feb 17 14:27:23 PST 2016

On Wed, Feb 17, 2016 at 12:03 PM, Jan Moritz Lindemann <panda at panda.cat> wrote:
> Thanks! A proof of security is exactly what I am looking for, how could I
> elaborate one?

You can't easily: you have to show that given m, r, and sR no one can
compute a valid ECDSA signature on m unless they compute the original
private key. If you somehow show that, you can then try to show your
construction is a zero-knowledge protocol once sR is revealed, but
this is hard because it isn't the Fiat-Shamir transform of a sigma
protocol. It's easy enough to fix that up by making m' the hash of the
commitments. Then you can go try to prove this is an honest-verifier
zero-knowledge sound protocol, and thus secure in the ROM.

"Man is born free, but everywhere he is in chains".
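
The Fiat-Shamir step and the honest-verifier simulator mentioned in the reply, shown on a plain Schnorr proof of knowledge of a discrete log. This is an added example, not code from the thread and not the sR construction under discussion; the group is a constructed toy Schnorr group and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (far too small for real use):
# P = 2*Q + 1 with P, Q prime, and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(y, t, msg):
    """Fiat-Shamir: the challenge is a hash of the statement, the commitment and the message."""
    data = b"|".join(str(v).encode() for v in (P, Q, G, y, t)) + b"|" + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def check_transcript(y, t, c, s):
    """Sigma-protocol verification equation: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def prove(x, msg):
    """Non-interactive proof of knowledge of x, where y = g^x."""
    y = pow(G, x, P)
    k = secrets.randbelow(Q - 1) + 1   # fresh nonce for every proof
    t = pow(G, k, P)                   # commitment
    c = challenge(y, t, msg)           # challenge derived from the commitment
    s = (k + c * x) % Q                # response
    return t, s

def verify(y, msg, proof):
    """Recompute the challenge from the commitment, then check the equation."""
    t, s = proof
    return check_transcript(y, t, challenge(y, t, msg), s)

def simulate(y):
    """Honest-verifier simulator: builds an accepting (t, c, s) without x
    by choosing c and s first and solving the equation for t."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P   # modular inverse via pow (Python 3.8+)
    return t, c, s
```

A simulated transcript satisfies the verification equation but passes `verify` only if the hash of its commitment happens to equal the chosen `c`. The security argument is therefore made in the random-oracle model, where the simulator is allowed to program the hash at that point.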
