<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Correction:<div class=""><br class=""></div><div class="">DLEQ proves that two curve points P and Q share the _same_ discrete log with respect to two different bases:</div><div class=""><br class=""></div><div class="">P = x*G</div><div class="">Q = x*J</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 15 Feb 2017, at 15:48, Tony Arcieri <<a href="mailto:bascule@gmail.com" class="">bascule@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_quote"><div dir="ltr" class="">Hello all,<div class=""><br class=""></div><div class="">We have just published a blog post on how we have attempted to harden a system we're developing (a "blockchain"-based money-moving system) against certain types of post-quantum attacks, and also provide a contingency plan for post-quantum attacks:</div><div class=""><br class=""></div><div class=""><a href="https://blog.chain.com/preparing-for-a-quantum-future-45535b316314#.jqhdrrmhi" target="_blank" class="">https://blog.chain.com/<wbr class="">preparing-for-a-quantum-<wbr class="">future-45535b316314#.jqhdrrmhi</a><br class=""></div><div class=""><br class=""></div><div class="">Personally I'm not too concerned about these sorts of attacks happening any time soon, but having a contingency plan that doesn't hinge on still shaky-seeming post-quantum algorithms seems like a good idea to me. If you have any feedback on this post, feel free to ping me off-list or start specific threads about anything we've claimed here that may be bogus.</div><div class=""><br class=""></div><div class="">One of the many things discussed in this post is non-interactive zero knowledge proofs of discrete log equivalence ("DLEQ"): proving that two curve points are ultimately different scalar multiples of the same curve point without revealing the common base point or the discrete logs themselves.</div><br class="">I was particularly curious if there were any papers about this idea. I had come across similar work (h/t Philipp Jovanovic) in this general subject area (I believe by EPFL?) but I have not specifically found any papers on this topic:<div class=""><br class=""></div><div class=""><a href="https://github.com/dedis/crypto/blob/master/proof/dleq.go#L104" target="_blank" class="">https://github.com/dedis/<wbr class="">crypto/blob/master/proof/dleq.<wbr class="">go#L104</a><br class=""><div class=""><div class=""><br class=""></div><div class="">If anyone knows of papers about this particular problem, I'd be very interested in reading them.</div><span class="HOEnZb"><font color="#888888" class=""><div class=""><br class=""></div>-- <br class=""><div class="m_-1496932572251443633gmail_signature">Tony Arcieri</div></font></span></div></div></div></div>
</div>
</div></blockquote></div><br class=""></div></body></html>