Ah, I see. For that objective, your construction looks reasonable if m’ is a one-time challenge from the verifier. But you would need a proof of security to be sure.
— Mike

> On Feb 17, 2016, at 11:50 AM, Jan Moritz Lindemann <pa...@panda.cat> wrote:
>
> Probably I was a little bit wrong in my formulation. The objective is to
> prove that I know a signature without the receiver of the proof being
> capable of pretending that he knows it.
> Do you think that the design is suitable and safe for such a use case?
>
> 2016-02-17 14:39 GMT-05:00 Mike Hamburg <m...@shiftleft.org>:
> It seems to me that the StackExchange comments on this are correct. That is,
> your technique doesn’t reveal s, but it is not zero-knowledge with respect to
> (r,s). Instead, it reveals r and sR, which provide nonzero “knowledge” about
> (r,s).
>
> This is important, because someone who wants a zkp for these signatures
> probably doesn’t want the proofs to be linkable. That is, they don’t want
> there to be an efficient algorithm which sees only the zkp’s to be able to
> tell if they came from the same starting signature (r,s). Since your
> technique reveals (r,sR), it is linkable.
>
> Cheers,
> — Mike
>
>> On Feb 17, 2016, at 11:14 AM, Jan Moritz Lindemann <pa...@panda.cat> wrote:
>>
>> Some days ago I posted a design for a zkp on ECDSA signatures and I would
>> like it to be peer reviewed.
>> Zkp proposal can be seen here: http://crypto.stackexchange.com/a/32608
>>
>> Jan Moritz,
>>
>> PS: Do you know any other zkp on ECDSA signatures?
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
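Mike's linkability objection, worked through in code. This is an added example, not part of the thread and not the StackExchange proposal itself (which is not reproduced here); it assumes the usual reading that R is the ECDSA nonce point kG whose x-coordinate is r, so that the verifier learns the pair (r, sR). Everything is plain-Python secp256k1 arithmetic (no libraries) so it runs offline; the sample message is constructed. The helper `leaked_view` builds the disclosed pair from a signature, and `linkable` is the "efficient algorithm which sees only the zkp's" that decides whether two proofs came from the same (r, s).

```python
# Added example (not from the Curves thread): show that a proof which reveals
# (r, s*R) is a deterministic function of the signature (r, s) and is
# therefore linkable across proof runs.  secp256k1, pure Python 3.8+.
import hashlib
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def hash_msg(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def sign(d, msg):
    """Textbook ECDSA with a fresh random nonce k; returns (r, s)."""
    e = hash_msg(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return (r, s)


def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(hash_msg(msg) * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def lift_x(x):
    """A point with x-coordinate x (P = 3 mod 4, so sqrt is a single pow).
    Ignores the negligible case where the nonce point's x was >= N."""
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)
    assert y * y % P == y2, "x is not on the curve"
    return (x, y)


def leaked_view(Q, msg, sig):
    """The pair (r, s*R) that, per the thread, the proposal discloses.
    lift_x returns R or -R; ECDSA gives s*k = e + r*d (mod n), i.e.
    s*R = e*G + r*Q, which we use to pick the right sign."""
    r, s = sig
    R = lift_x(r)
    expected = ec_add(ec_mul(hash_msg(msg), G), ec_mul(r, Q))
    sR = ec_mul(s, R)
    if sR != expected:
        sR = ec_mul(s, (R[0], (-R[1]) % P))
    assert sR == expected
    return (r, sR)


def linkable(view1, view2):
    """The linker: two disclosed pairs are equal iff they came from the same (r, s)."""
    return view1 == view2


def demo():
    d, Q = keygen()
    msg = b"constructed sample message"          # constructed input
    sig1 = sign(d, msg)
    sig2 = sign(d, msg)                           # fresh nonce => different (r, s)
    proof_a = leaked_view(Q, msg, sig1)           # two proof runs of sig1 ...
    proof_b = leaked_view(Q, msg, sig1)
    proof_c = leaked_view(Q, msg, sig2)           # ... and one run of sig2
    return (verify(Q, msg, sig1), linkable(proof_a, proof_b), linkable(proof_a, proof_c))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The point of `demo` is that `leaked_view` contains no fresh randomness: every proof of the same signature discloses the same (r, sR), so an observer who sees only proof transcripts can group them by signature with a plain equality test, which is exactly the linkability Mike describes. A proof that was zero-knowledge with respect to (r, s) would have to randomize what the verifier sees on each run.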