An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations
Abstract
A new protocol is presented that allows A to convince B that she knows a solution to the Discrete Log Problem—i.e. that she knows an \( x \) such that \( \alpha^x \equiv \beta \pmod{N} \) holds—without revealing anything about \( x \) to B. Protocols are given both for N prime and for N composite.

multiple discrete logarithms to the same base at the same time, i.e. knowing \( x_1, \ldots, x_K \) such that \( \alpha^{x_1} \equiv \beta_1, \ldots, \alpha^{x_K} \equiv \beta_K \);

several discrete logarithms to different bases at the same time, i.e. knowing \( x_1, \ldots, x_K \) such that the product \( \alpha_1^{x_1} \alpha_2^{x_2} \cdots \alpha_K^{x_K} \equiv \beta \);

a discrete logarithm that is the simultaneous solution of several different instances, i.e. knowing \( x \) such that \( \alpha_1^{x} \equiv \beta_1, \ldots, \alpha_K^{x} \equiv \beta_K \).
We can prove that the sequential versions of these protocols do not reveal any “knowledge” about the discrete logarithm(s) in a well-defined sense, provided that A knows (a multiple of) the order of α.
Keywords
Elliptic Curve; Discrete Logarithm; Cryptographic Protocol; Random Tape; Probabilistic Polynomial Time Algorithm