Vivek and I have been discussing the security of this scheme, and Vivek pointed out the scheme is insufficient to prove the knowledge of the private key. It proves the knowledge of a single signature, but that means that an adversary can use any signature that exists in the wild (e.g. Ethereum transaction), and supply that as an input.
This is because m (the initial message that gets signed) can be anything.
So we propose a modification to the initial scheme.
We restrict m to be a hash of some value. That is, for example : m = poseidon(salt, appId)
And check that salt and appId will hash to m inside the zkSNARK.
- salt will be a random value, supplied as a private input to the zkSNARK.
- It is infeasible to come up with a salt that hashes to some pre-determined m.
- appId is there to prevent replay attacks.
And with that, for now, we will keep working on proving security!