In R-puzzle, an ephemeral key k is never revealed. Instead r, the x coordinate of its corresponding public key, is revealed and from r along with the signature, the knowledge of k can be proved using existing checkSig. More information can be found in the R-Puzzle talk.

contract RPuzzle {
    Ripemd160 rhash;

    // extract r from DER-encoded signature
    static function extractRFromSig(Sig sig) : bytes {
        int rlen = unpack(sig[3 : 4]);
        return sig[4 : 4 + rlen];

    public function unlock(Sig sig, PubKey pubKey, Sig sigr) {
        require(this.rhash == hash160(extractRFromSig(sigr)));
        require(checkSig(sigr, pubKey));
        require(checkSig(sig, pubKey));