An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 304)


A new protocol is presented that allows A to convince B that she knows a solution to the Discrete Log Problem—i.e. that she knows an x such that α xβ (mod N) holds—without revealing anything about x to B. Protocols are given both for N prime and for N composite.

We also give protocols for extensions of the Discrete Log problem allowing A to show possession of:
  • multiple discrete logarithms to the same base at the same time, i.e. knowing x 1, . . . , x K such that \( \alpha ^{x_1 } \equiv \beta _1 ,...,\alpha ^{x_K } \equiv \beta _K \);

  • several discrete logarithms to different bases at the same time, i.e. knowing x 1, . . . , x K such that the product \( \alpha _1^{x_1 } \alpha _2^{x_2 } \cdot \cdot \cdot \alpha _K^{x_K } \equiv \beta \);

  • a discrete logarithm that is the simultaneous solution of several different instances, i.e. knowing x such that α 1 x ≡β1,...α K x ≡βK.

We can prove that the sequential versions of these protocols do not reveal any “knowledge” about the discrete logarithm(s) in a well-defined sense, provided that A knows (a multiple of) the order of α.


Elliptic Curve Discrete Logarithm Cryptographic Protocol Random Tape Probabilistic Polynomial Time Algorithm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [BKP85]
    R. Berger, S. Kannan, and R. Peralta, “A Framework for the Study of Cryptographic Protocols,” Proc. CRYPTO 85, pp. 87–103 H.C. Williams, ed., Lecture Notes in Computer Science 218, Springer Verlag, Berlin etc., (1986).Google Scholar
  2. [Bl82]
    M. Blum, “Coin Flipping by Telephone,” Proc. IEEE COMPCON, pp. 133–137, (1982).Google Scholar
  3. [BrCr86]
    G. Brassard, and C. Crépeau, “Zero-Knowledge Simulation of Boolean Circuits,” Proc. CRYPTO 86, pp. 223–233, A.M. Odlyzko, ed., Lecture Notes in Computer Science 263, Springer Verlag, Berlin etc., (1987).CrossRefGoogle Scholar
  4. [Ch86]
    D. Chaum, “Demonstrating that a Public Predicate can be Satisfied Without Revealing Any Information About How,” Proc. CRYPTO 86, pp. 195–199.Google Scholar
  5. [Ch87]
    D. Chaum, “Blinding for unanticipated signatures,” To appear in proc. EUROCRYPT 87.Google Scholar
  6. [CEGP86]
    D. Chaum, J.-H. Evertse, J. van de Graaf, and R. Peralta, “Demonstrating possession of a discrete logarithm without revealing it,” Proc. CRYPTO 86, pp. 200–212.Google Scholar
  7. [Fish86]
    A. Fiat, and A. Shamir, “How to prove yourself: Practical solutions to identification and signature problems,” Proc. CRYPTO 86, pp. 186–194.Google Scholar
  8. [GMR85]
    S. Goldwasser, S. Micali, and C. Rackoff, “The Knowledge Complexity of Interactive Roof Systems,” Proc. 17th Annual ACM Symp. on Theory of Computing pp. 291–304, (1985).Google Scholar
  9. [GMW86]
    O. Goldreich, S. Micali, and A. Wigderson, “How to Prove all NP-statements in Zero-Knowledge, and a Methodology of Cryptographic Protocol Design,” Proc. CRYPTO 86, pp. 171–185.Google Scholar
  10. [Mi85]
    V. Miller, “Elliptic curves and cryptography,” Proc. CRYPTO 85, pp. 417–428.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1988

Authors and Affiliations

  1. 1.Centre for Mathematics and Computer ScienceAmsterdamThe Netherlands

Personalised recommendations