[curves] Zero knowledge proof on ECDSA signatures.

Tim Ruffing tim.ruffing at mmci.uni-saarland.de
Thu Feb 18 10:55:27 PST 2016

Note that Jan asks for a non-transferable proof. So a non-interactive
proof (if ZK or just witness-hiding) won't work.


On 17.02.2016 23:27, Watson Ladd wrote:
> On Wed, Feb 17, 2016 at 12:03 PM, Jan Moritz Lindemann <panda at panda.cat> wrote:
>> Thanks! A proof of security is exactly what I am looking for, how could I
>> elaborate one?
> You can't easily: you have to show that given m, r, and sR no one can
> compute a valid ECDSA signature on m unless they compute the original
> private key. If you somehow show that, you can then try to show your
> construction is a zero-knowledge protocol once sR is revealed, but
> this is hard because it isn't the Fiat-Shamir transform of a sigma
> protocol. It's easy enough to fix that up by making m' the hash of the
> commitments. Then you can go try to prove this is an honest-verifier
> zero-knowledge sound protocol, and thus secure in the ROM.
>> _______________________________________________
>> Curves mailing list
>> Curves at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/curves

More information about the Curves mailing list