You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: equality_across_groups/src/eq_across_groups.rs
+1-1
Original file line number
Diff line number
Diff line change
@@ -10,7 +10,7 @@
10
10
//! `ABORT_PARAM` -> `b_f`
11
11
//! `NUM_REPS` -> `tau`
12
12
//!
13
-
//! `RESPONSE_BYTE_SIZE` is the number of bytes need to represent `2^{WITNESS_BIT_SIZE + CHALLENGE_BIT_SIZE + ABORT_PARAM} - 1`
13
+
//! `RESPONSE_BYTE_SIZE` is the number of bytes need to represent `z` which lies in `[2^{WITNESS_BIT_SIZE + CHALLENGE_BIT_SIZE}, 2^{WITNESS_BIT_SIZE + CHALLENGE_BIT_SIZE + ABORT_PARAM} - 1]`
14
14
//!
15
15
//! The groups are assumed to be elliptic curve groups.
Copy file name to clipboardexpand all lines: equality_across_groups/src/pok_ecdsa_pubkey.rs
+19-3
Original file line number
Diff line number
Diff line change
@@ -1,10 +1,15 @@
1
-
//! Proof of knowledge of ECDSA public key on short Weierstrass curve. Is a slight variation of the protocol described in section 6 of the paper [ZKAttest Ring and Group Signatures for Existing ECDSA Keys](https://eprint.iacr.org/2021/1183)
1
+
//! Proof of knowledge of ECDSA public key committed on a short Weierstrass curve. Is a slight variation of the protocol described in section 6 of the paper [ZKAttest Ring and Group Signatures for Existing ECDSA Keys](https://eprint.iacr.org/2021/1183)
2
+
//!
3
+
//! To prove the knowledge of the public key, an ECDSA signature on the verifier's chosen message is generated
4
+
//! which should be verifiable using the public key but the signature can't be transmitted entirely as the public key
5
+
//! can be learnt from the signature.
2
6
//!
3
7
//! An ECDSA signature `(r, s)` is transformed to `(R, z=s/r)` as per the paper. The new ECDSA verification equation
4
8
//! becomes `z*R - g*t*r^-1 = q` where `q` is the public key, `g` is the generator and `t` is the hashed message.
5
9
//! This is equivalent to `-g*t*r^-1 = q + z*(-R)`
6
10
//!
7
11
//! The verifier gets a commitment to the public key `q` and `-z*R` but knows `R, t, g and r` (`r` is the truncated x coordinate of `R`).
12
+
//! Note that the verifier should not learn `z` or `s` otherwise it will learn the public key.
8
13
//!
9
14
//! Thus using the protocols for scalar multiplication and point addition, the prover proves:
10
15
//! - Given commitments to `z` and `-z*R`, the scalar multiplication of `z` and `-R` is indeed `-z*R`
0 commit comments