Abstract
A new protocol is presented that allows A to convince B that she knows a solution to the Discrete Log Problem—i.e. that she knows an x such that \( \alpha^x \equiv \beta \pmod{N} \) holds—without revealing anything about x to B. Protocols are given both for N prime and for N composite.
We also give protocols for extensions of the Discrete Log problem allowing A to show possession of:
- multiple discrete logarithms to the same base at the same time, i.e. knowing \( x_1, \ldots, x_K \) such that \( \alpha^{x_1} \equiv \beta_1, \ldots, \alpha^{x_K} \equiv \beta_K \);
- several discrete logarithms to different bases at the same time, i.e. knowing \( x_1, \ldots, x_K \) such that the product \( \alpha_1^{x_1} \alpha_2^{x_2} \cdots \alpha_K^{x_K} \equiv \beta \);
- a discrete logarithm that is the simultaneous solution of several different instances, i.e. knowing x such that \( \alpha_1^{x} \equiv \beta_1, \ldots, \alpha_K^{x} \equiv \beta_K \).
We can prove that the sequential versions of these protocols do not reveal any “knowledge” about the discrete logarithm(s) in a well-defined sense, provided that A knows (a multiple of) the order of α.
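The abstract does not spell out the protocol itself, so the following is an added sketch and not the authors' construction: a standard binary-challenge, sequential proof of knowledge for the third case above (one x shared by several pairs \( (\alpha_i, \beta_i) \)), with K = 1 giving the basic statement. The modulus, bases, secret and all class and function names are constructed for illustration, and the prover is assumed to know a multiple of the order of each base, as the abstract requires.

```python
import secrets

# Constructed toy parameters (far too small for real use). N = 467 is prime,
# so N - 1 is a multiple of the order of every base: the condition under
# which the abstract claims nothing about x is revealed.
N = 467
ORDER_MULTIPLE = N - 1


class Prover:
    """Holds x with alpha_i^x = beta_i (mod N) for every base alpha_i."""

    def __init__(self, bases, x):
        self.bases, self.x = bases, x

    def commit(self):
        # Fresh blinding exponent r each round; send gamma_i = alpha_i^r.
        self.r = secrets.randbelow(ORDER_MULTIPLE)
        return [pow(a, self.r, N) for a in self.bases]

    def respond(self, b):
        # b = 0 opens r, b = 1 opens r + x. Reducing modulo a multiple of
        # the order makes the response uniform, so it does not depend on x.
        return (self.r + b * self.x) % ORDER_MULTIPLE


def verify_round(bases, betas, commitments, b, s):
    # Accept only if alpha_i^s == gamma_i * beta_i^b (mod N) for all i.
    return all(pow(a, s, N) == (g * pow(beta, b, N)) % N
               for a, beta, g in zip(bases, betas, commitments))


def run_proof(prover, bases, betas, rounds=40):
    # Sequential repetition: a prover without x survives each round with
    # probability 1/2, so all `rounds` rounds with probability 2^-rounds.
    for _ in range(rounds):
        commitments = prover.commit()
        b = secrets.randbelow(2)  # verifier's one-bit challenge
        if not verify_round(bases, betas, commitments, b, prover.respond(b)):
            return False
    return True


if __name__ == "__main__":
    bases, x = [2, 3], 123  # constructed sample instance
    betas = [pow(a, x, N) for a in bases]
    print("honest prover accepted:", run_proof(Prover(bases, x), bases, betas))
```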
© 1988 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Chaum, D., Evertse, JH., van de Graaf, J. (1988). An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations. In: Chaum, D., Price, W.L. (eds) Advances in Cryptology — EUROCRYPT’ 87. EUROCRYPT 1987. Lecture Notes in Computer Science, vol 304. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-39118-5_13
DOI: https://doi.org/10.1007/3-540-39118-5_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-19102-5
Online ISBN: 978-3-540-39118-0
eBook Packages: Springer Book Archive