FYI I've found that this is a "Non-transferable proof of signature knowledge" and not a "Zero knowledge proof".
2016-02-17 17:27 GMT-05:00 Watson Ladd <[email protected]>: > On Wed, Feb 17, 2016 at 12:03 PM, Jan Moritz Lindemann <[email protected]> > wrote: > > Thanks! A proof of security is exactly what I am looking for, how could I > > elaborate one? > > You can't easily: you have to show that given m, r, and sR no one can > compute a valid ECDSA signature on m unless they compute the original > private key. If you somehow show that, you can then try to show your > construction is a zero-knowledge protocol once sR is revealed, but > this is hard because it isn't the Fiat-Shamir transform of a sigma > protocol. It's easy enough to fix that up by making m' the hash of the > commitments. Then you can go try to prove this is an honest-verifier > zero-knowledge sound protocol, and thus secure in the ROM. > > > > > _______________________________________________ > > Curves mailing list > > [email protected] > > https://moderncrypto.org/mailman/listinfo/curves > > > > > > -- > "Man is born free, but everywhere he is in chains". > --Rousseau. >
_______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
