[curves] Zero knowledge proof on ECDSA signatures.

Jan Moritz Lindemann panda at panda.cat
Wed Feb 17 15:21:46 PST 2016

FYI I've found that this is a "Non-transferable proof of signature
knowledge" and not a "Zero knowledge proof".

2016-02-17 17:27 GMT-05:00 Watson Ladd <watsonbladd at gmail.com>:

> On Wed, Feb 17, 2016 at 12:03 PM, Jan Moritz Lindemann <panda at panda.cat>
> wrote:
> > Thanks! A proof of security is exactly what I am looking for, how could I
> > elaborate one?
> You can't easily: you have to show that given m, r, and sR no one can
> compute a valid ECDSA signature on m unless they compute the original
> private key. If you somehow show that, you can then try to show your
> construction is a zero-knowledge protocol once sR is revealed, but
> this is hard because it isn't the Fiat-Shamir transform of a sigma
> protocol. It's easy enough to fix that up by making m' the hash of the
> commitments. Then you can go try to prove this is an honest-verifier
> zero-knowledge sound protocol, and thus secure in the ROM.
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.