It seems to me that the StackExchange comments on this are correct. That is, your technique doesn’t reveal s, but it is not zero-knowledge with respect to (r,s). Instead, it reveals r and sR, which provide nonzero “knowledge” about (r,s).
This is important, because someone who wants a zkp for these signatures probably doesn’t want the proofs to be linkable. That is, they don’t want there to be an efficient algorithm which sees only the zkp’s to be able to tell if they came from the same starting signature (r,s). Since your technique reveals (r,sR), it is linkable. Cheers, — Mike > On Feb 17, 2016, at 11:14 AM, Jan Moritz Lindemann <pa...@panda.cat> wrote: > > Some days ago I posted a design for a zkp on ECDSA signatures and I would > like it to be peer reviewed. > Zkp proposal can be seen here: http://crypto.stackexchange.com/a/32608 > <http://crypto.stackexchange.com/a/32608> > > Jan Moritz, > > PS: Do you know any other zkp on ECDSA sigantures? > _______________________________________________ > Curves mailing list > Curves@moderncrypto.org > https://moderncrypto.org/mailman/listinfo/curves
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves
