Schnorr-Type Proofs of Possession for ECDSA Device Binding
draft-cllz-cfrg-ecdsa-pop-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Sofia Celi , Anja Lehmann , Shai Levin , Alexandros Zacharakis | ||
| Last updated | 2026-07-02 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-cllz-cfrg-ecdsa-pop-00
Crypto Forum Research Group S. Celi
Internet-Draft Brave Software / University of Bristol
Intended status: Informational A. Lehmann
Expires: 3 January 2027 Hasso Plattner Institute
S. Levin
Chalmers University of Technology / University of Gothenburg
A. Zacharakis
Hasso Plattner Institute
2 July 2026
Schnorr-Type Proofs of Possession for ECDSA Device Binding
draft-cllz-cfrg-ecdsa-pop-00
Abstract
This document specifies a Schnorr-type, circuit-free zero-knowledge
proof of possession (PoP) of an ECDSA signature produced under a
committed public key over the NIST P-256 (secp256r1) curve. The PoP
lets a credential holder prove, in zero knowledge, that it can
produce a fresh ECDSA signature under a device public key without
revealing that key, thereby providing device binding for privacy-
preserving credentials whose presentation must remain unlinkable.
The construction is built exclusively from Sigma protocols as it
decomposes the ECDSA verification equation into a scalar-
multiplication relation and a point-addition relation over P-256,
each proved with a dedicated Sigma protocol over a companion ("Tom")
curve whose scalar field equals the base field of P-256. It is
designed to be expressed using the interfaces of the CFRG Sigma-
protocols specification and to serve as the device-binding sub-proof
of the modular BBS / JSON Web Proofs construction. SNARK-based
realizations of the same relation are out of scope.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://levanin.github.io/cllz-cfrg-ecdsa-pop/draft-cllz-cfrg-ecdsa-
pop.html. Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-cllz-cfrg-ecdsa-pop/.
Discussion of this document takes place on the Crypto Forum Research
Group mailing list (mailto:cfrg@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/cfrg/. Subscribe at
https://www.ietf.org/mailman/listinfo/cfrg/.
Celi, et al. Expires 3 January 2027 [Page 1]
Internet-Draft ECDSA-PoP July 2026
Source for this draft and an issue tracker can be found at
https://github.com/levanin/cllz-cfrg-ecdsa-pop.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 3 January 2027.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Relationship to Other Specifications . . . . . . . . . . 4
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 5
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Parameters and Encodings . . . . . . . . . . . . . . . . . . 7
4.1. Curves and Generators . . . . . . . . . . . . . . . . . . 7
4.2. Committing to a P-256 Public Key . . . . . . . . . . . . 8
5. Commitment Transfer . . . . . . . . . . . . . . . . . . . . . 8
5.1. Protocol . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Reduction to Curve Operations . . . . . . . . . . . . . . . . 11
7. Scalar-Multiplication Proof . . . . . . . . . . . . . . . . . 11
7.1. Protocol . . . . . . . . . . . . . . . . . . . . . . . . 12
8. Point-Addition Proof . . . . . . . . . . . . . . . . . . . . 14
8.1. Affine Addition Constraints . . . . . . . . . . . . . . . 14
Celi, et al. Expires 3 January 2027 [Page 2]
Internet-Draft ECDSA-PoP July 2026
8.2. Protocol . . . . . . . . . . . . . . . . . . . . . . . . 14
8.3. Expressing PA via the Sigma-Protocols Interface . . . . . 16
9. Non-Interactive Proofs (Fiat-Shamir) . . . . . . . . . . . . 17
10. Integration with Modular BBS . . . . . . . . . . . . . . . . 18
11. Implementation Status . . . . . . . . . . . . . . . . . . . . 19
12. Security Considerations . . . . . . . . . . . . . . . . . . . 19
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
14.1. Normative References . . . . . . . . . . . . . . . . . . 21
14.2. Informative References . . . . . . . . . . . . . . . . . 21
Note on Authorship . . . . . . . . . . . . . . . . . . . . . . . 23
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction
Anonymous credentials enable privacy-preserving authentication: a
holder presents an issuer-attested credential to a relying party
while revealing only the minimum necessary information and remaining
unlinkable across presentations. BBS signatures are a leading basis
for such credentials and are being adopted in several standardization
efforts [BBS][BLIND-BBS][W3CBBS]. These efforts are of relevance to
the European Union Digital Identity (EUDI) wallet [EUDI-ARF], which
is mandated to implement user authentication with strong privacy
guarantees, including selective disclosure and unlinkability.
A central requirement for credentials used in digital-identity
deployments is non-transferability: a credential must be usable only
by its legitimate holder, and not be shared, or copied. The standard
way to enforce this is device binding. The credential is tied to a
key held in a secure element (SE) on the user's device, and at
presentation time the holder produces a fresh signature -- a proof of
possession (PoP) -- under the corresponding secret key, which never
leaves the SE. Because the key is non-exportable, the credential
cannot be used without the device that holds it.
The EUDI architecture mandates device binding to a secure element,
but consumer-device secure elements are, in practice, restricted to
ECDSA over P-256 and do not expose the pairing-friendly operations
required by native anonymous-credential device binding. The lack of
an efficient and robust device-binding mechanism for anonymous
credentials on legacy hardware was a key reason such credentials were
not used in the initial EUDI deployment, which instead relies on
batch-issued one-time-use credentials [DEROSA].
Here, we address the gap by specifying how to prove possession of an
ECDSA signature under a committed device public key, so that ECDSA
device binding can be composed with a pairing-based credential layer
Celi, et al. Expires 3 January 2027 [Page 3]
Internet-Draft ECDSA-PoP July 2026
such as BBS. Our solution is based on Schnorr-type proofs, providing
a robust, well-understood approach that avoids the implementation and
interoperability challenges of circuit-based constructions.
1.1. Scope
This document specifies only the _Schnorr-type_ (Sigma-protocol-
based) PoP. This is the most conservative construction in [PAPER]:
it uses no arithmetic circuits and no general-purpose proof system,
relying solely on Sigma protocols and Pedersen commitments. SNARK /
circuit-based realizations of the same statement (the "foreign-field"
and "native circuit" constructions of [PAPER], and the Committed
Schnorr reduction used by them) are explicitly out of scope.
The proof is interactive as described, and is made non-interactive
with the Fiat-Shamir transform (Section 9). Sigma protocols are
composed using the interfaces of [SIGMA], and the non-interactive
transform and its codec are taken from the companion specification
[FIAT-SHAMIR].
1.2. Relationship to Other Specifications
This document is designed to compose with two CFRG / IETF efforts:
* [SIGMA] (Sigma protocols). The sub-protocols specified here are
Sigma protocols and are described, where possible, using the
Group, LinearRelation, and SigmaProtocol abstractions of [SIGMA].
In particular, the point-addition proof of Section 8 is a batch of
linear relations whose group bases include commitments drawn from
the statement, and is therefore expressible through the
LinearRelation interface; the scalar-multiplication proof of
Section 7 is a custom SigmaProtocol (a bit-challenge proof run
with parallel repetition) that internally invokes the point-
addition proof.
* [MODULAR-BBS] (modular BBS sub-proofs). The PoP specified here is
intended to instantiate the ecdsa-p256-db device-binding sub-proof
of [MODULAR-BBS], which exposes the holder's P-256 public key as
four committed BBS messages carrying its 128-bit limbs (at indices
[0, 1, 2, 3]) and binds the sub-proof to a challenge derived from
the presentation headers. Section 10 describes this binding.
Celi, et al. Expires 3 January 2027 [Page 4]
Internet-Draft ECDSA-PoP July 2026
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The following terms are used throughout.
ECDSA curve (P-256): The curve secp256r1 / NIST P-256
[FIPS186-5][SEC1]. G_p denotes its group of points (prime order
n_p), P a fixed generator, F_q its base field, and F_np its scalar
field.
Tom curve (Tom-256): A curve forming a "2-chain" with P-256: its
scalar field equals the base field F_q of P-256 (see [ZKATTEST]).
G_t denotes its group of points. Arithmetic over F_q -- i.e.
arithmetic on P-256 coordinates -- is therefore _native_ in the
scalar field of G_t, which is what makes the Sigma-protocol proofs
efficient.
Credential curve: The pairing-friendly curve used by the credential
layer (e.g., BLS12-381 for BBS), with scalar field F_s.
Commitments produced by the credential layer live over this curve.
Pedersen commitment: For a group G with independent generators (g,
h) (and, for vectors, (g_1,...,g_k, h)), the commitment to message
m with randomness rho is Commit(m; rho) = m*g + rho*h (resp. sum_i
m_i*g_i + rho*h). Pedersen commitments used here are perfectly
hiding and computationally binding under the discrete-log
assumption in G.
Throughout, lowercase letters denote scalars and uppercase letters
denote group elements. x*P denotes scalar multiplication and A + B
denotes group addition. H(.) is a hash into F_np (SHA-256 reduced
mod n_p, as in ECDSA), and F: G_p -> F_np is the ECDSA conversion
function mapping a point to the integer reduction mod n_p of its
x-coordinate.
3. Overview
In this system there are three parties: a holder, who holds a
credential and possesses an ECDSA-based device key pair; an issuer,
who issues credentials; and a verifier, who verifies credentials and
their binding to devices. The holder has a device ECDSA key pair
(private_key = x, public_key = Q), where Q = x*P over P-256. This
public key is included in the holder's credential (e.g., as a
Celi, et al. Expires 3 January 2027 [Page 5]
Internet-Draft ECDSA-PoP July 2026
committed BBS message). The public key MAY be carried into the
credential as a committed message via blind issuance ([BLIND-BBS]),
that is, in hidden form, so that the issuer signs over Q without
learning it. This case requires the additional functionality
described in Section 5. When presenting a credential, the verifier
supplies a fresh nonce. The holder uses the secure element to
produce an ECDSA signature over nonce with the device key pair, then
proves in zero knowledge that it knows a valid signature under the
committed key Q, without revealing Q.
In order to instantiate this functionality, we rewrite how ECDSA
signatures (which are of the form (r, s)) look like. As shown in
[ZKATTEST], an ECDSA signature on a message msg can be rewritten as a
pair (K, z) with r = F(K), and z = r^{-1} * s mod n_p. The
verification then reduces to checking (where P is a fixed generator):
z*K = H(msg) * r^{-1} * P + Q
Because the signature is fresh and single-use, the value K MAY be
revealed without harming unlinkability; only the long-lived device
public key Q must stay hidden. The purpose now is to prove that one
knows a valid signature of the form above without revealing the
underlying Q (this is the purpose of our PoP). By setting:
alpha = H(nonce) * F(K)^{-1} mod n_p (a public scalar)
Hpt = alpha * P (a public P-256 point)
the statement to be proved becomes: knowledge of a scalar z and an
opening of the commitment to Q such that
z*K = Hpt + Q (Eq. POP)
The computation is over P-256. K, Hpt are public; z and Q are
secret.
The PoP for (Eq. POP) can be interpreted as three functionalities,
each run between prover (holder) and verifier (relying party):
1. Commitment transfer (Section 5). Transfer the commitment to Q
from the credential curve to the Tom curve, where P-256
coordinate arithmetic is native. After this step Q = (x, y) is
committed as two Tom Pedersen commitments C_x = Commit(x; rho_x)
(to the x coordinate), C_y = Commit(y; rho_y) (to the y
coordinate).
Celi, et al. Expires 3 January 2027 [Page 6]
Internet-Draft ECDSA-PoP July 2026
2. Reduction to curve operations (Section 6). Set Z = z*K and
commit to it to generate C_Z. Then, split Eq. POP into two
statements: i. a scalar-multiplication statement (Z = z*K) and
ii. a point-addition statement (Z = Hpt + Q).
3. Curve-operation proofs. Prove the two statements with the Sigma
protocols of Section 7 (scalar multiplication, SM) and Section 8
(point addition, PA), run in parallel.
Symbolically, with x denoting parallel (AND) composition and o
sequential composition of functionalities (see [RoK]), our PoP is:
PoP = ( SM x PA ) o group o transfer
Each functionality is an honest-verifier zero-knowledge reduction.
This composition in the reduction of knowledge framework is then made
non-interactive by applying the Fiat-Shamir transform (Section 9),
deriving every verifier challenge from the transcript; the exact per-
challenge transcript inputs remain to be specified (see Section 9).
The result is a non-interactive zero-knowledge proof of knowledge for
(Eq. POP).
4. Parameters and Encodings
4.1. Curves and Generators
An instantiation of this PoP fixes:
* the ECDSA curve P-256, with generator P, group order n_p, base
field F_q;
* the Tom curve Tom-256 with group G_t whose scalar field is F_q,
with two independent Pedersen generators (G_t, H_t);
* the credential-layer commitment scheme (e.g., Pedersen over
BLS12-381) and its generators, as fixed by the credential profile
(e.g. [MODULAR-BBS]).
The generators (G_t, H_t) MUST be sampled verifiably (e.g., via hash-
to-curve from fixed domain-separation strings) so that no party knows
their relative discrete logarithm. The concrete instantiation of
such parameters should be resolved by future standardisation efforts.
Celi, et al. Expires 3 January 2027 [Page 7]
Internet-Draft ECDSA-PoP July 2026
4.2. Committing to a P-256 Public Key
A P-256 public key is a point Q = (x, y) in F_q^2. Because the
credential-layer commitment commits to scalars of the credential
curve (F_s), each coordinate is encoded as a fixed number of limbs in
F_s, and the limbs are committed with Pedersen.
This document adopts the approach of [PAPER], where each of x and y
is split into two 128-bit little-endian limbs, i.e.
x = x_0 + 2^128 * x_1, 0 <= x_i < 2^128
and likewise for y. This matches the four 128-bit limb commitments
(at indices [0, 1, 2, 3]) now used by the ecdsa-p256-db device
binding of [MODULAR-BBS], which adopted this layout to align with
[PAPER]. The 128-bit limb size guarantees 112 bits of security for
the transfer of Section 5 -- sufficient for this application -- and
is chosen for efficiency and for interoperability with [MODULAR-BBS];
the proofs below are otherwise agnostic to the limb size (see
Section 5).
The credential layer is responsible, at issuance, for guaranteeing
that (a) each limb lies in its declared range and (b) (x, y) is a
valid P-256 point. This PoP assumes those facts hold a priori and
does not re-prove them.
5. Commitment Transfer
The PoP operates over the Tom curve, but the credential layer commits
Q over the credential curve. The transfer step re-expresses the
commitment to Q as commitments over Tom-256, preserving the committed
value. Following [PAPER], it is structured as a _reduction of
knowledge_ ([RoK]): a public-coin interactive reduction that maps a
committed statement under the credential-curve scheme to the _same_
statement under the Tom-curve scheme, after which the curve-operation
proofs of Section 6 take over.
Let Commit be the credential-curve commitment scheme and Commit~ the
Tom-curve scheme. Generically, for each committed value m_i with
credential-curve commitment C_i, the prover produces a fresh Tom
commitment C~_i = Commit~(m_i; rho~_i) and proves, with a public-coin
proof of knowledge EQ, the relation
R_eq = { (C_i, C~_i ; m_i, rho_i, rho~_i) :
C_i = Commit (m_i; rho_i) AND
C~_i = Commit~(m_i; rho~_i) }
Celi, et al. Expires 3 January 2027 [Page 8]
Internet-Draft ECDSA-PoP July 2026
i.e. that C_i and C~_i open to the same value. All instances of EQ
run in parallel.
For Pedersen-to-Pedersen transfer across the credential and Tom
curves, EQ MUST be instantiated with a cross-group equality-of-
opening proof for small-integer messages (the technique of [OKMZ]);
the limb encoding of Section 4.2 guarantees the small-message
precondition.
5.1. Protocol
Unrolling the reduction of [PAPER] with EQ instantiated by the cross-
group proof of [OKMZ] gives the following per-limb, public-coin
protocol. It is run in parallel over all committed limbs, sharing a
single challenge c. Write (g, h) for the credential-curve Pedersen
generators and (G_t, H_t) for the Tom generators (Section 4.2), and
let b_m, b_c, b_f be the [OKMZ] message-bound, challenge, and slack
widths, with
b_m + b_c + b_f < log2( min(|F_s|, |F_q|) )
so that every value below stays an integer in both scalar fields (no
wraparound).
Celi, et al. Expires 3 January 2027 [Page 9]
Internet-Draft ECDSA-PoP July 2026
Prover P Verifier V
inputs: m_i, rho_i (0 <= m_i < 2^b_m) inputs: C_i = m_i*g + rho_i*h
# 1. new commitment: reduce the statement to Tom
rho~_i <- F_q
C~_i = m_i*G_t + rho~_i*H_t
--- C~_i --->
# 2. announcement: bounded masks in both groups
k_i <- { 0, ..., 2^(b_m + b_c + b_f) - 1 }
t_i <- F_s; t~_i <- F_q
A_i = k_i*g + t_i*h
A~_i = k_i*G_t + t~_i*H_t
--- A_i, A~_i --->
<--- c <- {0,...,2^b_c - 1} ---
# 3. bounded response (z_i over the integers)
z_i = k_i + c*m_i
s_i = t_i + c*rho_i (in F_s)
s~_i = t~_i + c*rho~_i (in F_q)
if z_i outside the admissible range R: abort and restart
--- z_i, s_i, s~_i --->
Verifier checks (per limb i):
(1) z_i*g + s_i*h == A_i + c*C_i # open, cred curve
(2) z_i*G_t + s~_i*H_t == A~_i + c*C~_i # open, Tom curve
(3) z_i in R # range: no wraparound
The abort in step 3 is the rejection sampling of [OKMZ]; the
admissible range R and the exact bound widths are those of [OKMZ], to
which implementations MUST conform. On acceptance, both parties use
Pedersen homomorphism to fold the per-limb Tom commitments C~_i,
weighted by the appropriate powers of 2^b_m, into the two single-
scalar coordinate commitments
C_x = Commit~(x; rho_x), C_y = Commit~(y; rho_y)
These two commitments, together denoted C_Q, are the output statement
of the reduction and the committed form of Q used by the remaining
proofs.
This document adopts 128-bit limbs (and the parameters b_m = 128, b_c
= 112, b_f = 8) for the transfer, as in [PAPER]: this minimizes the
number of cross-group instances, and with the [OKMZ] parameters
achieves 112-bit security. Smaller limbs (e.g. 64-bit) work equally
well -- they leave more headroom below min(|F_s|, |F_q|) and so can
reach higher soundness -- at the cost of proportionally more cross-
group instances; profiles with stricter requirements SHOULD adjust
the limb size and repetition accordingly.
Celi, et al. Expires 3 January 2027 [Page 10]
Internet-Draft ECDSA-PoP July 2026
6. Reduction to Curve Operations
After transfer, the statement is (Eq. POP) with Q committed over Tom
as C_Q, K and Hpt public. The group reduction introduces the point Z
= z*K and splits (Eq. POP) into independent scalar-multiplication and
point-addition statements.
Inputs:
statement: (C_Q, K, Hpt) witness: (z, Q, rho_Q)
relation: z*K = Hpt + Q
Protocol:
1. P computes Z = z*K, samples randomness rho_Z, and sends C_Z =
Commit~(Z; rho_Z) (a Tom commitment to the P-256 point Z).
2. Both parties compute C_H = Commit~(Hpt; 0), the (deterministic,
zero-randomness) commitment to the public point Hpt.
3. The reduction outputs two statements:
* Scalar multiplication: statement_SM = (C_Z, K), witness_SM =
(Z, rho_Z, z), asserting Z = z*K.
* Point addition: statement_PA = (C_Q, C_H, C_Z), witness_PA the
openings of the three commitments, asserting Q + Hpt = Z
(equivalently Z = Hpt + Q, Eq. POP).
Note that C_Q = (C_x, C_y) is a pair of coordinate commitments; the
point-addition proof of Section 8 operates per coordinate. Likewise
C_Z and C_H are coordinate-commitment pairs.
The two output statements are then proved in a parallel composition:
SM x PA.
7. Scalar-Multiplication Proof
This section specifies the Sigma protocol SM proving the relation
R_SM = { ((C_Z, K) ; Z, rho_Z, z) :
C_Z = Commit~(Z; rho_Z) AND Z = z*K }
where K is a public P-256 point, z a secret scalar, and Z a P-256
point committed over Tom.
Celi, et al. Expires 3 January 2027 [Page 11]
Internet-Draft ECDSA-PoP July 2026
SM is the scalar-multiplication proof of CDLS [CDLS], used here with
one modification from [PAPER]: the original protocol additionally
committed to the scalar, whereas here z is a free (uncommitted)
witness, which improves efficiency.
It is a bit-challenge Schnorr-type proof: a single execution uses a
one-bit verifier challenge and has knowledge-soundness error 1/2. To
reach error 2^-lambda, lambda independent executions are run in
parallel (lambda = 128 is RECOMMENDED). In one execution, the prover
derives from its witness an auxiliary ("combined") instance using
fresh randomness, sends the corresponding commitments, the verifier
replies with a challenge bit, and the prover opens one of two related
committed instances according to that bit; the point relation among
the committed instances is established by invoking the point-addition
proof internally. The per-execution protocol is that of [CDLS]
(Construction for R_SM), with the scalar treated as a free witness as
noted above.
7.1. Protocol
The following is one execution, between prover P and verifier V;
lambda such executions run in parallel and share a single Fiat-Shamir
transcript (Section 9). F_np is the scalar field of P-256, and
Commit~ the Tom commitment scheme of Section 5. As in Section 6 and
Section 8, each Commit~ to a P-256 point is a pair of coordinate
commitments -- one to the x and one to the y coordinate -- so C_Z,
C', and C'' are coordinate-commitment pairs, and the openings (rho_Z,
rho', rho'', tau) and check (2) are taken per coordinate.
Celi, et al. Expires 3 January 2027 [Page 12]
Internet-Draft ECDSA-PoP July 2026
Prover P Verifier V
inputs: Z, z, rho_Z (Z = z*K) inputs: C_Z, K
# sample a fresh "combined" instance
omega <- F_np \ {0, z, 2z}
Z' = omega*K # public-scalar multiples of K
Z'' = (omega - z)*K
rho', rho'' <- Tom randomness
C' = Commit~(Z'; rho')
C'' = Commit~(Z''; rho'')
# point-addition instance over the committed points,
# asserting Z + Z'' = Z' :
# statement_PA = (C_Z, C'', C')
# witness_PA = (Z, rho_Z, Z'', rho'', Z', rho')
# PA is run with the C[2]-opening dropped (see {{point-addition}})
msg_1 = announcement of PA on statement_PA
--- C', C'', msg_1 --->
<--- b <- {0,1} ---
msg_2 = response of PA under challenge b
if b = 0: (alpha, tau) = (omega, rho')
if b = 1: (alpha, tau) = (omega - z, rho'')
--- alpha, tau, msg_2 --->
Verifier checks:
(1) PA on (C_Z, C'', C') accepts the transcript (msg_1, b, msg_2)
(2) if b = 0: C' == Commit~(alpha*K; tau)
if b = 1: C'' == Commit~(alpha*K; tau)
Because Z' = omega*K and Z'' = (omega - z)*K are public-scalar
multiples of K, the committed points satisfy Z + Z'' = z*K + (omega -
z)*K = omega*K = Z'; the point-addition proof PA (Section 8)
establishes this relation among C_Z, C'', C', and is run here with
the one-bit challenge b, which it shares with the opening (its
announcement and response are msg_1 and msg_2). Inside this
composition PA drops its C[2] opening proof (the lines flagged omit
in SM in Section 8), since the opening of C_Z is recovered from the
two openings revealed across the b = 0 and b = 1 transcripts. The
exclusion of {0, z, 2z} when sampling omega keeps Z, Z', Z'' non-
identity and pairwise non-opposite, so the non-degeneracy
precondition of Section 8 holds. An extractor with accepting
responses for both b = 0 and b = 1 recovers alpha_0 = omega and
alpha_1 = omega - z, hence z = alpha_0 - alpha_1 and the opening of
C_Z as Z = z*K; revealing only one opening per execution gives
(statistical) honest-verifier zero knowledge.
Celi, et al. Expires 3 January 2027 [Page 13]
Internet-Draft ECDSA-PoP July 2026
When expressed via [SIGMA], SM is a custom SigmaProtocol (not a plain
LinearRelation): its challenge is a single bit and the protocol is
run as lambda parallel repetitions. Its zero-knowledge simulator
follows the standard simulation for bit-challenge Sigma protocols
(sample the challenge bit, then produce a consistent commitment and
response).
8. Point-Addition Proof
This section specifies the Sigma protocol PA proving the relation
R_PA = { ((C_1, C_2, C_3) ; P_1, P_2, P_3, openings) :
C_i = Commit~(P_i; rho_i) AND P_1 + P_2 = P_3 }
over Tom commitments to the affine coordinates of P_1 = (a_x, a_y),
P_2 = (b_x, b_y), P_3 = (t_x, t_y), under the promise P_1 != +-P_2
and P_1, P_2 != identity (guaranteed by the callers in this
document). Each C_i is a pair of coordinate commitments; we write
C_1 = (C[1], C[2]), C_2 = (C[3], C[4]), C_3 = (C[5], C[6]),
committing to a_x, a_y, b_x, b_y, t_x, t_y respectively, all over Tom
with generators (G, H) = (G_t, H_t).
8.1. Affine Addition Constraints
For P_3 = P_1 + P_2 with tau = (b_y - a_y) / (b_x - a_x) over F_q,
the affine addition law is equivalent to the three constraints
(C1) tau * (b_x - a_x) = b_y - a_y
(C2) tau^2 = a_x + b_x + t_x
(C3) tau * (a_x - t_x) = a_y + t_y
together with b_x - a_x != 0 (which enforces P_1 != +-P_2). PA
proves knowledge of openings of the coordinate commitments and of a
commitment to tau satisfying (C1)-(C3).
8.2. Protocol
Both parties first recompute, by Pedersen homomorphism, the derived
commitments
C_f1 = C[3] - C[1] # commits to (b_x - a_x) : factor of (C1)
C_p1 = C[4] - C[2] # commits to (b_y - a_y) : product of (C1)
C_p2 = C[1] + C[3] + C[5] # (a_x + b_x + t_x) : product of (C2)
C_f3 = C[1] - C[5] # commits to (a_x - t_x) : factor of (C3)
C_p3 = C[2] + C[6] # commits to (a_y + t_y) : product of (C3)
Celi, et al. Expires 3 January 2027 [Page 14]
Internet-Draft ECDSA-PoP July 2026
(Here C_f_i, C_p_i are the "factor" and "product" commitments of the
i-th constraint.) The prover commits to tau as C_tau = tau*G +
r_tau*H.
The protocol is a three-move public-coin Sigma protocol: the prover
sends a commitment message, the verifier replies with a uniform
challenge c in F_q, and the prover sends a response. The verifier
accepts iff all checks below hold.
Prover P Verifier V
inputs: a_x,a_y,b_x,b_y,t_x,t_y, r_1..r_6
inputs: C[1..6]
tau = (b_y - a_y)/(b_x - a_x); r_tau <- F_q
C_tau = tau*G + r_tau*H
# masks
a_tau, a_rtau, a_f1, a_rf1, a_e1, a_e2 <- F_q
a_f3, a_rf3, a_e3 <- F_q
a_2, a_r2 <- F_q # omit in SM (opening of C[2])
beta_2, beta_3, beta_4 <- F_q; beta_1 <- F_q \ {0}
T1 = a_tau*G + a_rtau*H
T2 = a_f1*G + a_rf1*H
T3 = a_tau*C_f1 + a_e1*H
T4 = a_tau*C_tau + a_e2*H
T5 = a_f3*G + a_rf3*H
T6 = a_f3*C_tau + a_e3*H
T7 = a_2*G + a_r2*H # omit in SM
U1 = (beta_1*(b_x - a_x))*G
U2 = beta_2*C_f1 + beta_3*H
U3 = beta_4*G
--- C_tau, T1..T6, T7, U1..U3 ---> # T7: omit in SM
<--- c <- F_q ---
z_tau = a_tau + c*tau
z_rtau = a_rtau + c*r_tau
z_f1 = a_f1 + c*(b_x - a_x)
z_rf1 = a_rf1 + c*(r_3 - r_1)
z_e1 = a_e1 + c*((r_4 - r_2) - (r_3 - r_1)*tau)
z_e2 = a_e2 + c*((r_1 + r_3 + r_5) - r_tau*tau)
z_f3 = a_f3 + c*(a_x - t_x)
z_rf3 = a_rf3 + c*(r_1 - r_5)
z_e3 = a_e3 + c*((r_2 + r_6) - r_tau*(a_x - t_x))
z_2 = a_2 + c*a_y # omit in SM
z_r2 = a_r2 + c*r_2 # omit in SM
v_1 = beta_2 + c*beta_1
v_2 = beta_3 - c*beta_1*(r_3 - r_1)
v_3 = beta_4 + c*beta_1*(b_x - a_x)
Celi, et al. Expires 3 January 2027 [Page 15]
Internet-Draft ECDSA-PoP July 2026
--- z_*, v_1, v_2, v_3 --->
Verifier checks:
(1) z_tau*G + z_rtau*H == T1 + c*C_tau
(2) z_f1*G + z_rf1*H == T2 + c*C_f1
(3) z_tau*C_f1 + z_e1*H == T3 + c*C_p1
(4) z_tau*C_tau + z_e2*H == T4 + c*C_p2
(5) z_f3*G + z_rf3*H == T5 + c*C_f3
(6) z_f3*C_tau + z_e3*H == T6 + c*C_p3
(7) z_2*G + z_r2*H == T7 + c*C[2] # omit in SM
(8) U1 != identity
(9) c*U1 + U3 == v_3*G
(10) c*U1 + U2 == v_1*C_f1 + v_2*H
Checks (1)-(2) and (5) are openings; checks (3)-(4) and (6) prove the
multiplicative / squaring constraints (C1)-(C3) (check (4) is a
squaring proof realizing constraint (C2)); check (7) is the opening
proof of C[2], the y-coordinate commitment of P_1; and checks
(8)-(10) are the non-zero proof for C_f1, establishing b_x - a_x != 0
and hence P_1 != +-P_2.
The lines flagged omit in SM -- the masks a_2, a_r2, the announcement
T7, the responses z_2, z_r2, and check (7) -- together form the
opening proof of C[2]. They are REQUIRED when PA is used standalone,
as in the SM x PA composition of Section 6 that proves Z = Hpt + Q.
They are dropped when PA is composed inside SM (Section 7): there the
opening of C[2] is instead extracted from the two colliding
transcripts of the bit-challenge execution (Optimisation 3 of
[PAPER]), so proving it again would be redundant.
Note on further optimizations (from [PAPER]): constraint (C2) uses
a dedicated squaring proof rather than a generic multiplication
proof, and the mask (a_tau, a_rtau) of C_tau is shared across the
three coordinate proofs.
8.3. Expressing PA via the Sigma-Protocols Interface
Each of checks (1)-(7) and (9)-(10) has the form linear_map(response)
== commitment + challenge * image, i.e. a [SIGMA] LinearRelation
whose group bases are G, H, and statement commitments (C_f1, C_tau).
An implementation MAY therefore realize PA by allocating the scalar
witnesses (tau, the coordinate values, and the opening randomizers)
and elements (G, H, the C_* commitments) with allocate_scalars /
allocate_elements, encoding (C1)-(C3) and the opening relations with
append_equation and set_elements, and running the resulting batch as
a single Sigma protocol. The multiplicative and squaring checks
(3),(4),(6) use statement commitments (C_f1, C_tau) as bases -- bound
to allocated elements via set_elements -- rather than fixed
Celi, et al. Expires 3 January 2027 [Page 16]
Internet-Draft ECDSA-PoP July 2026
generators; this is the standard Sigma technique for multiplication
of committed values, and it stays within the LinearRelation
interface.
The non-zero proof for C_f1 (masks beta_1..beta_4, elements U1, U2,
U3, responses v_1, v_2, v_3, and checks (8)-(10)) is a distinct
gadget of [CDLS] and does not reduce to a plain LinearRelation. Its
relations (9)-(10) are linear (over bases G, H, C_f1, with the
prover-sent U1 as image), but the defining ingredient is check (8),
U1 != identity -- a non-identity test on a prover message, not a
linear relation. Because U1 = (beta_1*(b_x - a_x))*G for a uniform
nonzero mask beta_1, U1 is the identity exactly when b_x - a_x = 0;
check (8) thus certifies b_x - a_x != 0 (hence P_1 != +-P_2). An
implementation MUST perform check (8) explicitly, outside the batched
LinearRelation.
9. Non-Interactive Proofs (Fiat-Shamir)
The interactive protocols above are public-coin and are made non-
interactive with the Fiat-Shamir transform specified in the companion
document [FIAT-SHAMIR], applied to the Sigma protocols composed via
[SIGMA]: each verifier challenge -- the equality-proof challenge of
Section 5, the bit-challenge b of Section 7, and the challenge c of
Section 8 -- is derived by absorbing, into the [FIAT-SHAMIR] codec
(duplex sponge), a transcript that includes a protocol/version domain
separator, the ciphersuite identifier, the full statement, and all
prior prover messages.
Implementations MUST use the codec and challenge-derivation of
[FIAT-SHAMIR] and MUST include the following in the Fiat-Shamir
transcript:
* a fixed domain-separation label for this PoP and its version;
* the public statement of (Eq. POP): K, nonce (or Hpt), and the
committed key C_Q (and, after transfer, the Tom commitments);
* for the bound presentation context, the challenge octets supplied
by the calling protocol (see Section 10).
Celi, et al. Expires 3 January 2027 [Page 17]
Internet-Draft ECDSA-PoP July 2026
The exact Fiat-Shamir binding for the composed protocol is not yet
fixed by this document. In particular, the precise inputs absorbed
before each challenge -- the domain separator, the credential- and
Tom-curve commitments and announcements of the transfer (Section 5),
the prover messages of SM and PA, and the [OKMZ] bound parameters --
remain to be specified, and MUST be pinned down (consistent with
[FIAT-SHAMIR]) before this profile is interoperable. The move
structure of the sub-protocols is normative; the exact byte-level
Fiat-Shamir inputs and complete composed protocol specification are
deferred to a future revision.
10. Integration with Modular BBS
When used as the ecdsa-p256-db sub-proof of [MODULAR-BBS]:
* The holder's P-256 public key occupies four committed BBS messages
carrying its 128-bit limbs, encoded as in Section 4.2. The sub-
proof carries alg = "ecdsa-p256-db" and takes no inputs beyond the
base sub-proof fields; its i field MUST be [0, 1, 2, 3], naming
the four indices that hold these limbs. The BBS core proof
(CoreProofGen) exposes the four messages as Pedersen commitments
over the credential curve; these are the inputs C_i to the
transfer of Section 5.
* The four messages MAY be populated at issuance as committed
messages using blind BBS issuance ([BLIND-BBS]): the holder sends
the issuer a commitment to its device public key (with the holder-
held blinding scalar) and a proof of its correctness, and the
issuer blindly signs without learning Q. This keeps the device
secret key bound to the holder's secure element and unknown to the
issuer, and the issuance-time commitment to Q is reused as the
transfer input above.
* The message signed by the secure element is not transmitted; both
parties recompute it as db_msg = "JWP-BBS-DB-CHAL" ||
presentation_header_octets, where "JWP-BBS-DB-CHAL" is the literal
ASCII string. Because db_msg binds presentation_header_octets
(which carries the nonce and aud), it is fresh per presentation.
db_msg is the ECDSA message of the PoP: it plays the role of nonce
in Section 3, so alpha and Hpt are formed from H(db_msg).
* The proof bytes are the serialized non-interactive PoP
(Section 9): a zero-knowledge proof of knowledge of (Q, (r, s))
such that the four commitments at the indices in i open to the
128-bit limbs of Q, and (r, s) is a valid ECDSA P-256 signature on
db_msg under Q.
Celi, et al. Expires 3 January 2027 [Page 18]
Internet-Draft ECDSA-PoP July 2026
* The verifier accepts iff the four indices in i are all committed
in the core proof and the sub-proof verifies against the four
commitments and the locally recomputed db_msg. This meets the
[MODULAR-BBS] requirement that a sub-proof bind to commitments
attested by the core proof, since the transfer of Section 5 ties
the Tom commitments C_Q to the credential-curve commitments
produced by CoreProofGen.
The PoP itself is agnostic to the credential scheme: any scheme that
can expose a Pedersen commitment to the device public key over a
curve supported by the transfer of Section 5 can use this sub-proof.
11. Implementation Status
Note to the RFC Editor: please remove this section before
publication.
A public, benchmarked reference implementation of the complete
Schnorr-type PoP specified here -- the ( SM x PA ) o group o transfer
composition of Section 3, including the [OKMZ] style commitment
transfer of Section 5 and the Tom-256 scalar-multiplication and
point-addition proofs -- is available at
https://github.com/hpicrypto/ecdsa_pops
(https://github.com/hpicrypto/ecdsa_pops). It is written in Rust and
underlies the measurements reported in [PAPER].
[PAPER] gives three realizations of the same ECDSA-device-binding
relation -- the Schnorr-type proof specified in this document and two
circuit-based variants that are out of scope here (see Section 1.1)
-- and earlier variants of the Schnorr-type approach appear in
[UBIQUE]. The repository above is the specific implementation that
matches this document's Schnorr-type protocol and parameter choices.
12. Security Considerations
Knowledge soundness. The composed protocol is a proof of knowledge
for (Eq. POP) (see [PAPER] for the analysis in the reductions-of-
knowledge framework). SM has soundness error 2^-lambda after
lambda parallel repetitions; PA has the 2^-lambda soundness error
of a Sigma protocol over F_q. At the moment, we set lambda = 128,
but since the commitment linking protocol Section 5 achieves 112
bits of soundness for our proposed parameters, we may update to
lambda = 112 in future revisions. Soundness of the overall PoP
additionally relies on the binding of all Pedersen commitments,
i.e. on the discrete-log assumption in both the credential curve
and the Tom curve, and on the small-message soundness precondition
of the transfer proof (Section 5).
Celi, et al. Expires 3 January 2027 [Page 19]
Internet-Draft ECDSA-PoP July 2026
Zero knowledge / unlinkability. Each sub-protocol is honest-verifier
zero-knowledge; with Fiat-Shamir over a random oracle the
composition is non-interactive zero-knowledge. The device public
key Q is the only long-lived value and remains perfectly hidden by
the Pedersen commitments, so presentations are unlinkable. The
ephemeral value K is fresh per signature and per presentation;
revealing it does not link presentations. Implementations MUST
use fresh randomness for every commitment and every proof; reuse
of the per-execution randomness in SM, of commitment randomizers,
or of the per-presentation nonce can leak the secret key or link
presentations.
Secure-element trust. This PoP assumes the device secret key never
leaves the secure element and that the element produces signatures
only on inputs presented to it; the holder cannot extract the key.
Revealing K as part of the statement is sound for proof of
possession only under the honest-secure-element assumption
discussed in [PAPER].
Choice of the Tom curve. Using the Tom curve introduces a discrete-
log assumption over an additional, less-studied curve.
Deployments unwilling to take this assumption should use a
circuit-based realization instead (out of scope here). (G_t, H_t)
and all credential-curve generators MUST be nothing-up-my-sleeve /
verifiably random so no party knows discrete-log relations among
them.
Non-degeneracy. The point-addition proof is sound only under P_1 !=
+-P_2 and P_1, P_2 != identity. The callers in this document
guarantee these: SM excludes the degenerate scalars when forming
its auxiliary instances (per [CDLS]), and the group reduction
fixes the operands structurally. Other callers MUST establish
these preconditions independently.
Post-quantum. As with all discrete-log Sigma protocols, these proofs
provide (statistical) zero-knowledge against unbounded adversaries
but are not sound against quantum adversaries.
13. IANA Considerations
This document has no IANA actions of its own. It defines the
construction behind the ecdsa-p256-db sub-proof algorithm whose
registration is requested by [MODULAR-BBS] in that document's sub-
proof algorithm registry; this document does not create a new
registry.
14. References
Celi, et al. Expires 3 January 2027 [Page 20]
Internet-Draft ECDSA-PoP July 2026
14.1. Normative References
[FIAT-SHAMIR]
OrrĂ¹, M., "Fiat-Shamir Transformation", Work in Progress,
Internet-Draft, draft-irtf-cfrg-fiat-shamir-02, 2 March
2026, <https://datatracker.ietf.org/doc/html/draft-irtf-
cfrg-fiat-shamir-02>.
[FIPS186-5]
National Institute of Standards and Technology, "Digital
Signature Standard (DSS)", FIPS PUB 186-5, 2023,
<https://doi.org/10.6028/NIST.FIPS.186-5>.
[MODULAR-BBS]
Bormann, C. and B. Zundel, "BBS and Modular Sub-proofs
with JSON Web Proofs", Work in Progress, Internet-Draft,
draft-bormann-jwp-modular-bbs, 2025,
<https://c2bo.github.io/draft-bormann-jwp-modular-bbs/
draft-bormann-jwp-modular-bbs.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[SEC1] Standards for Efficient Cryptography Group, "SEC 1:
Elliptic Curve Cryptography, Version 2.0", 2009,
<https://www.secg.org/sec1-v2.pdf>.
[SIGMA] OrrĂ¹, M. and C. Yun, "Interactive Sigma Proofs", Work in
Progress, Internet-Draft, draft-irtf-cfrg-sigma-protocols-
02, 2 March 2026, <https://datatracker.ietf.org/doc/html/
draft-irtf-cfrg-sigma-protocols-02>.
14.2. Informative References
[BBS] Looker, T., Kalos, V., Whitehead, A., and M. Lodder, "The
BBS Signature Scheme", Work in Progress, Internet-Draft,
draft-irtf-cfrg-bbs-signatures-10, 8 January 2026,
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
bbs-signatures-10>.
Celi, et al. Expires 3 January 2027 [Page 21]
Internet-Draft ECDSA-PoP July 2026
[BLIND-BBS]
Kalos, V. and G. M. Bernstein, "Blind BBS Signatures",
Work in Progress, Internet-Draft, draft-irtf-cfrg-bbs-
blind-signatures-03, 26 June 2026,
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
bbs-blind-signatures-03>.
[CDLS] Celi, S., Levin, S., and J. Rowell, "CDLS: Proving
Knowledge of Committed Discrete Logarithms with
Soundness", AFRICACRYPT 2024, 2024.
[DEROSA] Rosa, P. D., "Discussion comment on Cryptographers'
Feedback on the EU Digital Identity's ARF #211", 2024,
<https://github.com/eu-digital-identity-wallet/eudi-doc-
architecture-and-reference-framework/
discussions/211/#discussioncomment-9882388>.
[EUDI-ARF] European Commission, "EU Digital Identity Wallet --
Architecture and Reference Framework", 2026,
<https://eudi.dev/2.4.0/>.
[LSZ] Lehmann, A., Sidorenko, A., and A. Zacharakis, "Vision: A
Modular Framework for Anonymous Credential Systems",
SSR 2025, 2026,
<https://doi.org/10.1007/978-3-032-19567-8_3>.
[OKMZ] Orru, M., Kadianakis, G., Maller, M., and G. Zaverucha,
"Beyond the Circuit: How to Minimize Foreign Arithmetic in
ZKP Circuits", CiC 2025, 2025.
[PAPER] Celi, S., Lehmann, A., Levin, S., and A. Zacharakis,
"Device Binding for Anonymous Credentials on Legacy
Phones", 2025.
[RoK] Kothapalli, A. and B. Parno, "Algebraic Reductions of
Knowledge", CRYPTO 2023, 2023.
[UBIQUE] Ubique, "BBS+ Device Binding via ECDSA (EUDI Innovation
Competition prototype)", 2024.
[W3CBBS] World Wide Web Consortium (W3C), "Data Integrity BBS
Cryptosuites v1.0", 2025,
<https://www.w3.org/TR/vc-di-bbs/>.
[ZKATTEST] Faz-Hernandez, A., Ladd, W., and D. Maram, "ZKAttest: Ring
and Group Signatures on top of existing ECDSA keys",
SAC 2021, 2021.
Celi, et al. Expires 3 January 2027 [Page 22]
Internet-Draft ECDSA-PoP July 2026
Note on Authorship
The authors are listed in alphabetical order by surname and
contributed equally to this work; the ordering does not denote a lead
or corresponding author. The document name uses the authors'
combined initials ("cllz") rather than any single surname. The "et
al." form that appears in running headers is an artifact of the RFC
document format and carries no such connotation here.
Acknowledgments
This specification is derived from the construction and analysis in
[PAPER]. The Schnorr-type proof of possession formalizes and
optimizes the ECDSA-device-binding approach of [UBIQUE] and the CDLS
/ zkAttest proofs of [CDLS] and [ZKATTEST], composed through the
modular credential framework of [LSZ] and the reductions-of-knowledge
framework of [RoK].
Authors' Addresses
Sofia Celi
Brave Software / University of Bristol
Email: cherenkov@riseup.net
Anja Lehmann
Hasso Plattner Institute
Email: anja.lehmann@hpi.de
Shai Levin
Chalmers University of Technology / University of Gothenburg
Email: shai.levin@chalmers.se
Alexandros Zacharakis
Hasso Plattner Institute
Email: alexandros.zacharakis@hpi.de
Celi, et al. Expires 3 January 2027 [Page 23]