[curves] Non-interactive zero knowledge proofs of discrete log equivalence

Tony Arcieri bascule at gmail.com
Fri Feb 24 20:45:13 PST 2017

On Thu, Feb 23, 2017 at 5:31 PM, isis agora lovecruft <
isis at patternsinthevoid.net> wrote:

> Schnorr notes in his original paper that "the protocol is not zero
> knowledge
> because the tripel" (W',R,C) "may be a particular solution to the equation"
> W' = g R + h C, however, with randomly chosen basepoints each time the
> protocol is run (i.e. the prover chooses a new g and h each time and sends
> these along with the proof), I don't see the issue.  (I might just be
> missing
> something obvious.)
> Another paper worth reading is (1988) "Zero Knowledge Proofs of Identity"
> by
> Feige, Fiat, and Shamir. [1]
> Hopefully that helps!

Awesome, thanks for the pointers, Iris!

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20170224/1e944ebe/attachment.html>

More information about the Curves mailing list