Note that Jan asks for a non-transferable proof. So a non-interactive proof (if ZK or just witness-hiding) won't work.
Tim On 17.02.2016 23:27, Watson Ladd wrote: > On Wed, Feb 17, 2016 at 12:03 PM, Jan Moritz Lindemann <pa...@panda.cat> > wrote: >> Thanks! A proof of security is exactly what I am looking for, how could I >> elaborate one? > > You can't easily: you have to show that given m, r, and sR no one can > compute a valid ECDSA signature on m unless they compute the original > private key. If you somehow show that, you can then try to show your > construction is a zero-knowledge protocol once sR is revealed, but > this is hard because it isn't the Fiat-Shamir transform of a sigma > protocol. It's easy enough to fix that up by making m' the hash of the > commitments. Then you can go try to prove this is an honest-verifier > zero-knowledge sound protocol, and thus secure in the ROM. > >> >> _______________________________________________ >> Curves mailing list >> Curves@moderncrypto.org >> https://moderncrypto.org/mailman/listinfo/curves >> > > > _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves