# Efficient ECDSA update

`Digging into Efficient ECDSA`

`by Dan Tehrani`

So our conclusion, for now, is that we can rearrange the ECDSA verification equation to

$$s \cdot (r^{-1}R) + (-mr^{-1}G) = Qa$$

where $Qa$ is the public key, and compute $r^{-1}R$ and $-mr^{-1}G$ outside of the zkSNARK circuit to offload computation that would otherwise have to be done in the circuit.

The circuit will have:

- private inputs: $s$, $Qa$
- public inputs: $(r^{-1}R)$, $(-mr^{-1}G)$

(my initial idea to sign $s$ to prove the knowledge of it was an unnecessary overcomplication)

So I think our setup only differs from “normal” ECDSA in terms of what we want to keep zero knowledge. That is, we don’t want to reveal anything about $s$ or $Qa$.

And in terms of soundness/completeness, I think we are operating under the same assumption as ECDSA, so we can fully inherit the security of ECDSA. This is because we’re just checking the above equation inside a zkSNARK, and nothing more/less (from my observation).

So the zero-knowledge property we want to be sure of is:

> Given an ECDSA signature $\{r, s\}$ of a message $m$, $r$ and $m$ don’t reveal anything about $s$ or $Qa$.

And my thinking is:

> $s$ is a function of $r$, but $r$ doesn’t reveal anything about $s$.

The reasoning is:

> - $s = k^{-1} \cdot (m + r \cdot \text{privKey}) \bmod n$
> - Since $k^{-1} \cdot m$ is a secret random value, $s$ will be completely masked (cmd-f "one-time pad" [one-time pad](https://en.wikipedia.org/wiki/Zero-knowledge_proof)). $Qa$ will also be hidden since $Qa$ is not a function of $m$ or $r$.
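
A numeric check of the rearranged equation, as an added example that is not code from the original post: plain Python stands in for the circuit, and the curve (secp256k1), the function names (`precompute`, `circuit_check`) and the key, nonce and message are all assumptions constructed for illustration. `precompute` is the work done outside the circuit, recovering $R$ from $r$ and the parity of its y-coordinate; `circuit_check` is the single relation the circuit would enforce.

```python
import hashlib
# secp256k1 domain parameters (assumed curve): field prime, group order, generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den % P, -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication (not constant time)
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, m, k):
    """Textbook ECDSA: returns r, s and the parity of R.y (used to recover R)."""
    R = mul(k, G)
    r = R[0] % N
    return r, pow(k, -1, N) * (m + r * d) % N, R[1] & 1

def precompute(r, m, odd):
    """Outside the circuit: T = r^-1 * R and U = -m * r^-1 * G (public inputs)."""
    y = pow(pow(r, 3, P) + 7, (P + 1) // 4, P)    # lift x = r back onto the curve
    R = (r, y if (y & 1) == odd else P - y)       # pick the root with R's parity
    r_inv = pow(r, -1, N)
    return mul(r_inv, R), mul(-m * r_inv, G)

def circuit_check(s, Qa, T, U):
    """Relation checked in-circuit: s * T + U == Qa (s and Qa are private)."""
    return add(mul(s, T), U) == Qa

# Constructed sample values; a real nonce k must be fresh, random and secret.
d, k = 0xC0FFEE1234567890ABCDEF, 0x1D0C0DE5EED5A17F00D
m = int.from_bytes(hashlib.sha256(b"constructed message").digest(), "big") % N
Qa = mul(d, G)
r, s, odd = sign(d, m, k)
T, U = precompute(r, m, odd)
print("s*T + U == Qa:", circuit_check(s, Qa, T, U))
```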