[curves] Non-interactive zero knowledge proofs of discrete log equivalence

Tony Arcieri bascule at gmail.com
Wed Feb 15 15:05:20 PST 2017

Hello all,

We have just published a blog post on how we have attempted to harden a
system we're developing (a "blockchain"-based money-moving system) against
certain types of post-quantum attacks, and also provide a contingency plan
for post-quantum attacks:


Personally I'm not too concerned about these sorts of attacks happening any
time soon, but having a contingency plan that doesn't hinge on still
shaky-seeming post-quantum algorithms seems like a good idea to me. If you
have any feedback on this post, feel free to ping me off-list or start
specific threads about anything we've claimed here that may be bogus.

One of the many things discussed in this post is non-interactive zero
knowledge proofs of discrete log equivalence ("DLEQ"): proving that two
curve points are ultimately different scalar multiples of the same curve
point without revealing the common base point or the discrete logs

I was particularly curious if there were any papers about this idea. I had
come across similar work (h/t Philipp Jovanovic) in this general subject
area (I believe by EPFL?) but I have not specifically found any papers on
this topic:


If anyone knows of papers about this particular problem, I'd be very
interested in reading them.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20170215/9dacdce0/attachment.html>

More information about the Curves mailing list