Security of digital-signature example?

[matthiasgeihs]

A digital signature scheme must ensure that without knowledge of the secret key one cannot produce a digital signature for a message that has not been signed before.

I'm wondering whether the digital-signature example actually fulfills that property.

The example verifies that the prover knows the secret password and the message. However, there is no interplay between the message and the password. I'm wondering whether this could be used for some kind of replay attacks, where I could reuse parts of the proof (i.e., the part that proves knowledge of the password) together with a different message. Or is this kind of "composability" prevented by the zero-knowledge property of the proof system?

Would love to hear a more in-depth explanation.

[it09]

The guest commits to (the hash of) the password & the message. If an attacker could modify the message, that would be equivalent to attackers being able to edit the committed journals from zkVM, violating the guarantee that the prover knows the private inputs.

[matthiasgeihs]

I guess I was thinking about this from a different perspective. I was thinking of the proofs being just proofs of knowledge (of the secret key).

However, if I understand correctly now, these are more like proofs of computation. The guarantees of the zkVM are so that a valid receipt guarantees that a corresponding computation has happened. Even if it is just copying an input to an output.

So the signature receipt proves that the signature guest has been called with the given public key preimage and message as input, which you could only do if you knew secret key. Moreover, nothing beyond that fact is leaked. So you could not use that receipt and alter it to come up with a similar receipt for a different message.

Does that make sense?

[pdg744]

Yup -- your understanding sounds correct matthias!