Related: Is there an interactive version of ECDSA signature protocol like the Schnorr identification protocol?
Asked
Active
Viewed 715 times
4
-
related Q&A – SEJPM Jul 23 '20 at 21:35
-
Thanks, that answers the original question. Still looking for answers for whether ECDSA has a corresponding interactive protocol. – sanket1729 Jul 23 '20 at 22:14
-
1A "proof for ECDSA signature algorithm" comes in two parts: Correctness (also called soundness), proving that a legitimate signature is always accepted. And security, per some definition of that (there are several variants) and under some assumptions. Correctness is easy, and given in many expositions of ECDSA; it is e.g. there. Security is a hard problem; here is an article with bibliography. – fgrieu Jul 24 '20 at 06:48
1 Answers
5
As pointed out by @SEJPM, you can read more about security proofs for DSA/ECDSA family on this thread.
As for whether there exists an interactive protocol corresponding to DSA/ECDSA à la Schnorr identification/Schnorr signature, not that I am aware of. I would add that this is unlikely for two reasons:
- The (unfortunate) reason for coming up with DSA/ECDSA was to bypass the patent on Schnorr signatures. Therefore its design was supposed be different enough from Schnorr.
- If there were some kind of a sigma protocol then it is very likely that this would lead to a security proof (at least in the random-oracle model) as there exist standard methods to construct signatures from identification. Since we don't know a proof, one could say that there probably isn't an interactive protocol either (but this argument is very hand-wavy).
ckamath
- 5,188
- 2
- 21
- 41