ZKAttest proofs knowledge of an ECDSA-P256 signature under one of many public keys that are stored in a list without revealing which public key was used to sign the message.

Ready to use ZKAttest proofs, follow this short guideline.

Suppose you already have a signature of a message using ECDSA (P-256). Otherwise, create signature as follows:

// Message to be signed.
const msg = new TextEncoder().encode('kilroy was here');

// Generate a keypair for signing.
const keyPair = await crypto.subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' },
    true, [ 'sign', 'verify'],
);

// Sign a message as usual.
const msgHash = new Uint8Array(await crypto.subtle.digest('SHA-256', msg));
const signature = new Uint8Array(
    await crypto.subtle.sign(
        { name: 'ECDSA', hash: 'SHA-256' },
        keyPair.privateKey, msgHash,
    )
);

Then, insert your public key in a ring of keys. This allows to hide your public key behind the ring of keys. (In this example, assume the list was generated with valid keys).

import { keyToInt } from '@cloudflare/zkp-ecdsa'

// Add the public key to an existing ring of keys,
const listKeys = [BigInt(4), BigInt(5), BigInt(6), BigInt(7), BigInt(8)];
listKeys.unshift(await keyToInt(keyPair.publicKey));

Now, create a ZKAttest proof of knowledge showing that

• the signature was generated using the private key, AND
• the public key is in the ring.

However, the proof does not reveal which public key was used during signing.

import { generateParamsList, proveSignatureList } from '@cloudflare/zkp-ecdsa'

// Create a zero-knowledge proof about the signature.
const params = generateParamsList();
const zkAttestProof = await proveSignatureList(
    params,
    msgHash,
    signature,
    keyPair.publicKey,
    0, // position of the public key in the list.
    listKeys
);

After this, everyone can verify the proof is valid, which means the message was signed by the holder of an ECDSA key pair, but without identifying exactly which one of the keys in the ring was used to produce the proof. Do not disclose the original signature as it is already embedded inside the proof.

import { verifySignatureList } from '@cloudflare/zkp-ecdsa'
// Verify that zero-knowledge proof is valid.
const valid = await verifySignatureList(params, msgHash, listKeys, zkAttestProof)
console.assert(valid == true)

That's all.

This software library is part of the article "ZKAttest: Ring and Group Signatures for Existing ECDSA Keys" published at Selected Areas in Cryptography (SAC 2021) authored by Armando Faz Hernández, Watson Ladd, and Deepak Maram.

To cite this library, use one of the following formats and update the version and date you accessed to this project.

APA Style

Faz-Hernández, A., Ladd, W., Maram, D. (2021). ZKAttest: Ring and Group Signatures for Existing ECDSA Keys. In: AlTawy, R., Hülsing, A. (eds) Selected Areas in Cryptography. SAC 2021. Available at https://github.com/cloudflare/zkp-ecdsa. v0.2.3 Accessed Oct 2021.

BibTex Source

@inproceedings{zkattest,
  doi       = {10.1007/978-3-030-99277-4_4},
  title     = {ZKAttest: Ring and Group Signatures for Existing ECDSA Keys},
  author    = {Faz-Hernández, Armando and Ladd, Watson and Maram, Deepak},
  booktitle = {Selected Areas in Cryptography},
  editor    = {AlTawy, Riham and Hülsing, Andreas},
  publisher = {Springer International Publishing},
  address   = {Cham},
  isbn      = {978-3-030-99277-4},
  pages     = {68--83},
  month     = {oct},
  year      = {2021},
  note      = {Available at \url{https://github.com/cloudflare/zkp-ecdsa}.
               v0.2.3 Accessed Oct 2021},
}

CFF Style

Find attached a CITATION.cff file.

• Accelerate proof verification.
• Implement the proof in other programming languages.
• Remove dependency on native Bignum.

The project is licensed under the Apache 2.0 License