# ECDSA with deterministic nonce generated from EC-VRF

This note contains a very raw idea for a deterministic, anonymous nullifier. Per Wanseob's comment, the desired form of the nullifier is $N = \mathrm{hash}(\text{ECDSA signature})$. The most widely used tool for generating signatures is Metamask; however, the ECDSA it currently uses is not deterministic for the message and the secret key.

## Nullifier

Deterministic, anonymous nonce for ECDSA

From Wanseob's idea,

$\mathrm{Nullifier} = \mathrm{hash}(pk \,\|\, \mathrm{message} \,\|\, \text{unique deterministic value from } sk \text{ which is verifiable using the public key})$

and ideas,

- Creating the nullifier from Metamask while keeping backward compatibility is crucial
- if we can just derive the random nonce deterministically, without changing the interface of ECDSA, then we can maintain backward compatibility
- RFC 6979 is not sufficient: this scheme cannot prove determinism without access to the secret key
- generating a ZKP asserting that the nullifier is derived deterministically, and aggregating that proof inside another circuit (not backward-compatible, maybe more expensive)
- how about deriving the randomness in the ECDSA signature with a VRF (Verifiable Random Function)? https://eprint.iacr.org/2017/099.pdf

A VRF has the following properties.

- Pseudorandomness, Uniqueness, and Collision resistance
- A VRF comes with a key pair (PK, SK).
- The prover hashes an input $\alpha$ using SK as $\beta = F_{SK}(\alpha)$. This hashing is deterministic.
- The secret key SK is used to construct a proof $\pi$ that $\beta$ is the correct hash output: $\pi = \mathrm{Prove}_{SK}(\alpha)$
- $\beta$ can be computed directly from $\pi$ as $\beta = \mathrm{Proof2Hash}(\pi)$
- $\mathrm{Ver}(PK, \alpha, \pi)$ outputs VALID if $\beta = \mathrm{Proof2Hash}(\pi)$ is the correct VRF hash of $\alpha$ under key PK, and INVALID otherwise
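
The Prove / Proof2Hash / Ver interface listed above, followed by the nullifier hash from the formula, as an added Python example that is not code from this note or from the cited paper. It assumes secp256k1, SHA-256, a simplified try-and-increment hash-to-curve, a hash-derived proof nonce, and $\alpha$ = message; the function names are illustrative and the arithmetic is not constant time.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime; curve y^2 = x^3 + 7, cofactor 1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def sha(b): return hashlib.sha256(b).digest()
def num(b): return int.from_bytes(b, "big")
def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def challenge(*pts): return num(sha(b"".join(map(enc, pts)))) % N
def proof_to_hash(pi): return sha(enc(pi[0]))  # beta = hash(gamma)

def add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_curve(pk, alpha):  # first counter whose hash is the x of a curve point
    for ctr in range(256):
        x = num(sha(enc(pk) + alpha + bytes([ctr])))
        y = pow(x ** 3 + 7, (P + 1) // 4, P)
        if x < P and y * y % P == (x ** 3 + 7) % P: return x, y

def prove(sk, alpha):  # pi = (gamma, c, s) with gamma = sk * H(alpha)
    pk = mul(sk, G)
    h = hash_to_curve(pk, alpha)
    k = num(sha(sk.to_bytes(32, "big") + enc(h))) % N  # assumed: hash-derived nonce
    gamma = mul(sk, h)
    c = challenge(h, pk, gamma, mul(k, G), mul(k, h))
    return gamma, c, (k - c * sk) % N

def verify(pk, alpha, pi):  # recompute k*G and k*H from (c, s), compare challenge
    gamma, c, s = pi
    h = hash_to_curve(pk, alpha)
    u, v = add(mul(c, pk), mul(s, G)), add(mul(c, gamma), mul(s, h))
    return c == challenge(h, pk, gamma, u, v)

def nullifier(pk, message, pi):  # hash(pk || message || beta), with alpha = message
    return sha(enc(pk) + message + proof_to_hash(pi)).hex()
```

Anyone holding only `pk` can check `verify(pk, message, pi)` and recompute the nullifier from `pi`, which is the property RFC 6979 nonces lack.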