Correction: DLEQ proves that two curve points P and Q share the _same_ discrete log with respect to two different bases:
P = x*G Q = x*J > On 15 Feb 2017, at 15:48, Tony Arcieri <basc...@gmail.com> wrote: > > Hello all, > > We have just published a blog post on how we have attempted to harden a > system we're developing (a "blockchain"-based money-moving system) against > certain types of post-quantum attacks, and also provide a contingency plan > for post-quantum attacks: > > https://blog.chain.com/preparing-for-a-quantum-future-45535b316314#.jqhdrrmhi > <https://blog.chain.com/preparing-for-a-quantum-future-45535b316314#.jqhdrrmhi> > > Personally I'm not too concerned about these sorts of attacks happening any > time soon, but having a contingency plan that doesn't hinge on still > shaky-seeming post-quantum algorithms seems like a good idea to me. If you > have any feedback on this post, feel free to ping me off-list or start > specific threads about anything we've claimed here that may be bogus. > > One of the many things discussed in this post is non-interactive zero > knowledge proofs of discrete log equivalence ("DLEQ"): proving that two curve > points are ultimately different scalar multiples of the same curve point > without revealing the common base point or the discrete logs themselves. > > I was particularly curious if there were any papers about this idea. I had > come across similar work (h/t Philipp Jovanovic) in this general subject area > (I believe by EPFL?) but I have not specifically found any papers on this > topic: > > https://github.com/dedis/crypto/blob/master/proof/dleq.go#L104 > <https://github.com/dedis/crypto/blob/master/proof/dleq.go#L104> > > If anyone knows of papers about this particular problem, I'd be very > interested in reading them. > > -- > Tony Arcieri
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves