CDLS: Proving Knowledge of Committed Discrete Logarithms with Soundness

Sofía Celi (Brave Software), Shai Levin (University of Auckland), Joe Rowell (Royal Holloway, University of London) | Security, Cryptography

Sigma-protocols are a class of interactive two-party protocols used as a framework to instantiate many other authentication schemes. They are automatically a proof of knowledge (PoK) provided that they satisfy the special-soundness property, which gives a convenient method to compose Sigma-protocols and PoKs for complex relations. However, composing in this manner can be error-prone: although the composed protocols must satisfy special-soundness, this is unfortunately not the case for many recently proposed practical schemes. Here we explore two such schemes, ZKAttest [FLM22] and that of Agrawal et al. [AGM18], and show that their Σ-protocols suffer from several security misdesigns which invalidate their security proofs. We also state a practical, cheap attack on ZKAttest’s implementation. By exploring and resolving their misdesigns, we propose CDLS, a sound and secure variant of their protocols.
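The special-soundness property named in the abstract, shown on Schnorr's protocol for knowledge of a discrete logarithm: two accepting transcripts that share a commitment but differ in the challenge yield the witness. This is an added example, not code from the paper, ZKAttest or Agrawal et al.; the toy group parameters and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy parameters (far too small for real use): P = 2*Q + 1.
P = 2039   # safe prime
Q = 1019   # prime order of the subgroup of squares mod P
G = 4      # a square other than 1, so it generates the order-Q subgroup

def commit(r):
    """Prover's first message a = G^r."""
    return pow(G, r, P)

def respond(x, r, c):
    """Prover's response z = r + c*x mod Q for witness x."""
    return (r + c * x) % Q

def verify(y, a, c, z):
    """Verifier's check G^z == a * y^c for statement y = G^x."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P

def extract(y, t1, t2):
    """Special-soundness extractor: recover x from two accepting
    transcripts (a, c1, z1), (a, c2, z2) with c1 != c2."""
    (a1, c1, z1), (a2, c2, z2) = t1, t2
    if a1 != a2 or (c1 - c2) % Q == 0:
        raise ValueError("need one commitment and two distinct challenges")
    if not (verify(y, *t1) and verify(y, *t2)):
        raise ValueError("both transcripts must be accepting")
    # z1 - z2 = (c1 - c2) * x mod Q, and c1 - c2 is invertible mod prime Q.
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q

def demo():
    """Run the prover twice on the same commitment, then extract."""
    x = secrets.randbelow(Q - 1) + 1            # witness
    y = pow(G, x, P)                            # public statement
    r = secrets.randbelow(Q)
    a = commit(r)
    c1 = secrets.randbelow(Q)
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q  # guaranteed != c1
    t1 = (a, c1, respond(x, r, c1))
    t2 = (a, c2, respond(x, r, c2))
    return x, extract(y, t1, t2)

if __name__ == "__main__":
    witness, recovered = demo()
    print("extracted witness matches:", witness == recovered)
```

A composed protocol for which no such extractor exists does not inherit the proof-of-knowledge guarantee, so writing the extractor out is a useful review step when composing Sigma-protocols.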
