Security of digital-signature example? #1390
-
A digital signature scheme must ensure that without knowledge of the secret key one cannot produce a digital signature for a message that has not been signed before. I'm wondering whether the digital-signature example actually fulfills that property. The example verifies that the prover knows the secret password and the message. However, there is no interplay between the message and the password. I'm wondering whether this could be used for some kind of replay attacks, where I could reuse parts of the proof (i.e., the part that proves knowledge of the password) together with a different message. Or is this kind of "composability" prevented by the zero-knowledge property of the proof system? Would love to hear a more in-depth explanation.
Replies: 2 comments 1 reply
-
The guest commits to (the hash of) the password & the message. If an attacker could modify the message, that would be equivalent to attackers being able to edit the committed journals from zkVM, violating the guarantee that the prover knows the private inputs.
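The binding described in the reply above, as an added illustration that is not part of the thread or of the project's own example code. It simulates the zkVM with plain Python: the guest function commits the signer identity (hash of the passphrase) together with the message hash to a journal, and the STARK seal that ties a journal to an execution of a specific guest image is stood in for by an HMAC under a key that only the simulated zkVM holds (so, unlike a real receipt, this `verify` needs that key; it is a simplification). The image ID, passphrase and messages are constructed values. The point it shows is that the "proves knowledge of the password" part of the journal cannot be reused with a different message: swapping the message fails the journal check, and splicing a new message hash into the journal breaks the seal.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the guest's image ID (identifies which program the
# receipt attests an execution of).
GUEST_IMAGE_ID = hashlib.sha256(b"digital-signature guest (simulated)").digest()

# Simulation only: this key plays the role of the zkVM's seal. A real receipt is
# verified publicly from the proof itself; here an HMAC is used so the example
# runs offline and still rejects any edit of the journal.
_ZKVM_SEAL_KEY = os.urandom(32)


@dataclass(frozen=True)
class Receipt:
    image_id: bytes
    journal: bytes  # bytes the guest committed during execution
    seal: bytes     # binds (image_id, journal) to that execution


def signer_identity(passphrase: bytes) -> bytes:
    """Public identity of a signer: hash of the secret passphrase."""
    return hashlib.sha256(passphrase).digest()


def guest(passphrase: bytes, message: bytes) -> bytes:
    """Simulated guest program. It commits BOTH the identity derived from the
    secret and the hash of the message, in one journal, so the two are bound."""
    return signer_identity(passphrase) + hashlib.sha256(message).digest()


def prove(passphrase: bytes, message: bytes) -> Receipt:
    """Simulated zkVM: run the guest and seal what it committed."""
    journal = guest(passphrase, message)
    seal = hmac.new(_ZKVM_SEAL_KEY, GUEST_IMAGE_ID + journal, hashlib.sha256).digest()
    return Receipt(GUEST_IMAGE_ID, journal, seal)


def verify(receipt: Receipt, expected_identity: bytes, message: bytes) -> bool:
    """Verifier: (1) the journal really came from an execution of this guest,
    (2) the journal names the expected signer and exactly this message."""
    expected_seal = hmac.new(
        _ZKVM_SEAL_KEY, receipt.image_id + receipt.journal, hashlib.sha256
    ).digest()
    if receipt.image_id != GUEST_IMAGE_ID:
        return False
    if not hmac.compare_digest(receipt.seal, expected_seal):
        return False
    identity, msg_hash = receipt.journal[:32], receipt.journal[32:]
    return identity == expected_identity and msg_hash == hashlib.sha256(message).digest()


def demo() -> dict:
    """Honest signature plus the two reuse attempts from the question."""
    passphrase = b"constructed-secret-passphrase"   # constructed sample secret
    identity = signer_identity(passphrase)
    signed_msg = b"pay 10 to alice"                  # constructed sample messages
    other_msg = b"pay 1000 to mallory"

    receipt = prove(passphrase, signed_msg)

    # Attempt 1: present the genuine receipt for a different message.
    # The journal still commits the hash of the original message.
    replay_other_message = verify(receipt, identity, other_msg)

    # Attempt 2: keep the "knows the passphrase" half of the journal and splice
    # in the other message's hash, reusing the old seal. The seal no longer
    # matches the edited journal.
    spliced = Receipt(
        receipt.image_id,
        receipt.journal[:32] + hashlib.sha256(other_msg).digest(),
        receipt.seal,
    )
    spliced_journal = verify(spliced, identity, other_msg)

    return {
        "honest": verify(receipt, identity, signed_msg),
        "replay_other_message": replay_other_message,
        "spliced_journal": spliced_journal,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Both failed attempts fail for the reason the reply gives: the message is part of what the guest committed, so changing it either leaves a journal that does not name the new message or requires editing the journal, which the proof does not allow without re-running the guest with the secret.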
-
Yup -- your understanding sounds correct, Matthias!