[curves] Non-interactive zero knowledge proofs of discrete log equivalence
Philipp Jovanovic
philipp at jovanovic.io
Thu Feb 16 00:43:37 PST 2017
Hi Toni,
> On 16 Feb 2017, at 00:05, Tony Arcieri <bascule at gmail.com> wrote:
>
> Hello all,
>
> We have just published a blog post on how we have attempted to harden a system we're developing (a "blockchain"-based money-moving system) against certain types of post-quantum attacks, and also provide a contingency plan for post-quantum attacks:
>
> https://blog.chain.com/preparing-for-a-quantum-future-45535b316314#.jqhdrrmhi
>
> Personally I'm not too concerned about these sorts of attacks happening any time soon, but having a contingency plan that doesn't hinge on still shaky-seeming post-quantum algorithms seems like a good idea to me. If you have any feedback on this post, feel free to ping me off-list or start specific threads about anything we've claimed here that may be bogus.
Interesting idea, thanks for sharing!
> One of the many things discussed in this post is non-interactive zero knowledge proofs of discrete log equivalence ("DLEQ"): proving that two curve points are ultimately different scalar multiples of the same curve point without revealing the common base point or the discrete logs themselves.
>
> I was particularly curious if there were any papers about this idea. I had come across similar work (h/t Philipp Jovanovic) in this general subject area (I believe by EPFL?) but I have not specifically found any papers on this topic:
>
> https://github.com/dedis/crypto/blob/master/proof/dleq.go#L104
Thanks for the advertisement. :) And yes I am at EPFL.
>
> If anyone knows of papers about this particular problem, I'd be very interested in reading them.
To provide some context: We’ve been using NIZK DLEQ proofs for our decentralized randomness beacon project [1] (to be presented at IEEE S&P’17 in May), which in particular uses public verifiable secret sharing (PVSS) [2] as one core building block. In my investigations around that project, I found three papers that are relevant for NIZK DLEQ proofs (mostly by the usual suspects):
- Wallet Databases with Observers - David Chaum and Torben Pryds Pedersen [3]
- How To Prove Yourself: Practical Solutions to Identification and Signature Problems - Amos Fiat and Adi Shamir [4]
- Unique Ring Signatures: A Practical Construction - Matthew Franklin and Haibin Zhang [5]
In particular, [5] gives a summary of NIZK DLEQ proofs in Section 3 (also referring to Chaum’s paper) that I used as a basis for the above code.
Hope this helps.
All the best,
Philipp
[1] https://eprint.iacr.org/2016/1067
[2] https://www.win.tue.nl/~berry/papers/crypto99.pdf
[3] http://www.cs.elte.hu/~rfid/chaum_pedersen.pdf
[4] http://www.math.uni-frankfurt.de/~dmst/teaching/SS2012/Vorlesung/Fiat.Shamir.pdf
[5] http://fc13.ifca.ai/proc/5-1.pdf
More information about the Curves
mailing list