# PoK of Valid ECDSA signature
## Notation
I'm using the same variable names as in your original note https://hackmd.io/XLu3oFIVRZuxF2Nfj1D50w
Relations are expressed as: $$\{ (\text{instance; witness}): \text{conditions} \} $$
## Protocol Description
Prove the following relation:
$$ \mathcal{R} := \{(m, R, G;\, s, Q_a): \text{ECDSA}.\text{verify}(m, (r,s), Q_a) = 1 \land r = \text{x\_coord}(R) \} $$
In words: "I know the $s$ part of an ECDSA signature on $m$ such that verification succeeds for a hidden public key".
> **Sub-protocol (your circuit)**
> We use a sub-protocol for the following relation:
>
> $$ \mathcal{R}_{inner} := \{(A, B;\, x, Y): xA + B = Y \} $$
>
> Assume we have a ZK prover and verifier for this with correctness, knowledge soundness and ZK.
**Prover**:
- compute $r$ as the x-coordinate of $R$
- compute $A = r^{-1}R$
- compute $B = -(mr^{-1}G)$
- run the sub-protocol prover for public inputs $A,B$ and private inputs $s, Q_a$ to obtain proof $\pi$.
- output $\pi$
**Verifier**:
- compute $r$ as the x-coordinate of $R$
- compute $A = r^{-1}R$
- compute $B = -(mr^{-1}G)$
- run the sub-protocol verifier on $\pi$ for public inputs $A,B$ and return $1$ if verification passes and $0$ if it fails
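The algebra behind the prover's and verifier's steps above, as an added worked example that is not part of the original note: multiplying the ECDSA verification equation $R = (m s^{-1})G + (r s^{-1})Q_a$ by $s r^{-1}$ gives $s \cdot (r^{-1}R) - (m r^{-1})G = Q_a$, i.e. the inner relation $xA + B = Y$ with $x = s$, $Y = Q_a$. The code below checks this on secp256k1 with a constructed private key, message hash and nonce (the curve constants are the standard ones; everything else is sample data).

```python
# Added example, not from the original note. Curve constants are the standard
# secp256k1 parameters; d, m and k near the bottom are constructed sample values.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P1, P2):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if P1 is None: return P2
    if P2 is None: return P1
    x1, y1 = P1; x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if P1 == P2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; the scalar is reduced mod N."""
    k %= N
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def ecdsa_sign(m, d, k):
    """Textbook ECDSA on hash m with private key d and caller-supplied nonce k."""
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (m + r * d) % N

def recover_R(m, r, s, Qa):
    """The point R = (m/s)G + (r/s)Q_a that an ECDSA verifier recomputes."""
    w = pow(s, -1, N)
    return add(mul(m * w, G), mul(r * w, Qa))

def reduction_holds(m, R, s, Qa):
    """Both parties derive A, B from the public (m, R); the prover's witness
    (s, Q_a) must satisfy the inner relation s*A + B == Q_a."""
    rinv = pow(R[0] % N, -1, N)
    A = mul(rinv, R)                 # A = r^{-1} R
    B = neg(mul(m * rinv, G))        # B = -(m r^{-1}) G
    return add(mul(s, A), B) == Qa   # inner relation xA + B = Y

# Constructed sample values (not real secrets): private key, message hash, nonce.
d, m, k = 0x1234567890ABCDEF, 0xDEADBEEF, 0x9876543210
Qa = mul(d, G)
r, s = ecdsa_sign(m, d, k)
R = recover_R(m, r, s, Qa)
```

`reduction_holds(m, R, s, Qa)` returns `True` for the genuine signature and `False` for any other `s`, which is exactly why knowledge of `(s, Q_a)` for the inner relation is equivalent to knowing a valid signature.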
## Security
### Correctness
You already have this from the series of equivalences shown in the original thread and the HackMD. You can also show it directly: a valid $s$ and $Q_a$ always make the verifier output $1$, because once you reach the sub-protocol verifier you can invoke the sub-protocol's correctness, so its verifier always outputs $1$ given a valid input.
### Knowledge Soundness
Here we need to show that if someone, $P'$, has emitted a valid proof, then they know $s$ and $Q_a$. We do so by constructing an extractor $Ext$ which is allowed to force $P'$ to run different steps of the protocol on values of its choice.
The inner protocol also has knowledge soundness, therefore there exists an extractor $Ext_{inner}$ able to extract $s$ and $Q_a$ from a prover of the inner protocol, $P'_{inner}$.
Our extractor computes $A$ and $B$ from the public inputs, exactly as the verifier does, and then runs $Ext_{inner}$ on $A$, $B$ and $P'_{inner}$ to obtain $s$ and $Q_a$.
### Zero-Knowledge
We get this for free as the only message sent is the output of the sub-protocol which is already ZK.
## Does $R$ leak anything about $s$ and $Q_a$?
I've sort of avoided this question in the way I formulated the relation that we are proving. But if $R$ does leak info, then maybe computing $s$ and $Q_a$ is simple and this ZK proof would be meaningless. So?
In your document you show that there is an equation relating $s$ to $r$. However $\text{privKey}$ is also in there. One equation, two unknowns, so we're ok! It does however mean that the problem of producing a valid witness $(s, Q_a)$ is easier than guessing two random values.