Efficient ECDSA signature verification using Circom

Vivek and I have been discussing the security of this scheme, and Vivek pointed out that the scheme is insufficient to prove knowledge of the private key. It proves knowledge of a single signature, but that means an adversary can take any signature that exists in the wild (e.g. from an Ethereum transaction) and supply it as an input.

This is because m (the initial message that gets signed) can be anything.

So we propose a modification to the initial scheme.

We restrict m to be a hash of some value. That is, for example: m = poseidon(salt, appId)
And we check, inside the zkSNARK, that salt and appId hash to m.

  • salt will be a random value, supplied as a private input to the zkSNARK.
  • It is infeasible to come up with a salt that hashes to some pre-determined m.
  • appId is there to prevent replay attacks.

And with that, for now, we will keep working on proving security!
