On Wed, Feb 17, 2016 at 12:03 PM, Jan Moritz Lindemann <pa...@panda.cat> wrote: > Thanks! A proof of security is exactly what I am looking for, how could I > elaborate one?
You can't easily: you have to show that given m, r, and sR no one can compute a valid ECDSA signature on m unless they compute the original private key. If you somehow show that, you can then try to show your construction is a zero-knowledge protocol once sR is revealed, but this is hard because it isn't the Fiat-Shamir transform of a sigma protocol. It's easy enough to fix that up by making m' the hash of the commitments. Then you can go try to prove this is an honest-verifier zero-knowledge sound protocol, and thus secure in the ROM. > > _______________________________________________ > Curves mailing list > Curves@moderncrypto.org > https://moderncrypto.org/mailman/listinfo/curves > -- "Man is born free, but everywhere he is in chains". --Rousseau. _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves