### The setup in question

The prover proves the following equation using zkSNARK.

- $s * r^{-1} * R - m * r^{-1} * G = Qa$

**Public values**

- $R$
- $m$
- $G$
- $S$: the set of signatures that were produced with the private key corresponding to $Qa$ (signatures that exist in the wild)

**Secret values**

- $s$
- $Qa$

## Properties we want and observations

### Zero-knowledge

- Question
  - Will the public values {$R$, $m$, $G$} reveal anything about $s$ or $Qa$?
- Observation
  - On $s$
    - $s$ is a function of $r$, but $r$ doesn't reveal anything about $s$. The reasoning is:
      - $s = k^{-1} * (m + r * da) \mod n$
      - Since $k^{-1} * m$ is a secret random value, $s$ is completely masked ([one-time pad](https://en.wikipedia.org/wiki/One-time_pad)).
      - From the equation $s * R = r * Qa + m * G$, we can see that $s$ is not computable, since taking the discrete log of $r * Qa + m * G$ with respect to $R$ is infeasible (even if $Qa$ is known).
  - On $Qa$
    - TBD

### Soundness

- Question
  - Can the prover convince the verifier that it knows an $s$ that “corresponds” (in the language of ECDSA) to a truly random $m$, without knowing $da$ ($Qa = da * G$)?
- Observation
  - Deducing from the security of ECDSA
    - If the prover can convince the verifier that it knows such an $s$ for a truly random $m$, then the prover is able to generate a signature under $Qa$. Hence, under the security assumption of ECDSA, the prover knows $da$.
    - If the prover can convince the verifier that it knows such an $s$, then circom-ecdsa would be vulnerable.
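To see why the circuit equation above holds, the identity can be checked numerically on secp256k1. The following is an added example, not code from the original notes or from circom-ecdsa; it uses small constructed values for the key `da`, the nonce `k` and the message hash `m`, and the helper names (`sign`, `public_key_from_equation`) are this example's own.

```python
# Added example (not from the original notes): check the identity
#   s * r^{-1} * R - m * r^{-1} * G == Qa
# on secp256k1 in pure Python (needs Python 3.8+ for pow(x, -1, mod)).
P = 2**256 - 2**32 - 977                                                   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141     # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0: return None            # A == -B
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):
    """Scalar multiplication by double-and-add; the scalar is reduced mod N first."""
    out = None
    k %= N
    while k:
        if k & 1: out = add(out, A)
        A = add(A, A)
        k >>= 1
    return out

def sign(da, m, k):
    """Textbook ECDSA: returns the nonce point R together with (r, s)."""
    R = mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (m + r * da) % N
    return R, r, s

def public_key_from_equation(R, m, r, s):
    """Evaluate s * r^{-1} * R - m * r^{-1} * G using only the public
    values R, m, G and the prover's secret s; the result must equal Qa."""
    r_inv = pow(r, -1, N)
    T = mul(r_inv, R)             # r^{-1} * R
    U = mul(-m * r_inv, G)        # -m * r^{-1} * G (negative scalar reduced mod N)
    return add(mul(s, T), U)      # s * T + U

if __name__ == "__main__":
    da, k, m = 0xC0FFEE, 0xBEEF, 0x1234      # constructed test values, not secure
    R, r, s = sign(da, m, k)
    assert public_key_from_equation(R, m, r, s) == mul(da, G)
    print("identity holds: the equation recovers Qa")
```

A wrong `s` yields a different point, which is the check the circuit's soundness argument above relies on.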