[snip]
Hello Toni,

Oleg's description is correct.

The particular scheme I think you're looking for is also sometimes referred
to as a Schnorr sigma protocol, and it's described in a 1989 paper with the
not-so-helpful title: "Efficient Identification and Signatures for
Smartcards." [0]

A scheme I'm working on right now for Tor bridge distribution with Henry de
Valence also needs DLEQ for proving knowledge of a signature, as does George
Tankersley for proving that a user has already recently solved Cloudflare's
CAPTCHAs.

The Schorr sigma protocol is variously spread throughout the paper, it's
kind of the "Identification Protocol" in §2 and kind of the signature
protocol that's later on. The non-interactive form of that protocol in
ECDLP for a curve E(𝔜_q) with additive notation is NIPK(x; h = g x (mod q))
for some group generators g and h, and x, a scalar in 𝕫/l𝕫 where l is the
order of the basepoint:

To create a proof, one takes w, a random element of prime-order group G with
order q, and multiplies by (some group generator, see below for impact of
choice) g to create point W

W ← g w

Then, set

state ← (g,h,m,W),

where m is the message. (The message in the context of (EC)DLEQ is usually
an empty string.) Next one hashes the state:

C ← H(state) (mod q).

Finally, the prover creates

R ← w - C x (mod q),

where x is the scalar one wants to prove knowledge of; the proof is then (C, R).
The verifier checks by doing

W' ← g R + h C,

and creates

state' ← (g,h,m,W')

and hashes it:

C' ← H(state') (mod q),

then checks that C == C', thus proving h = g^x without knowledge of x.
Proof that C = C' iff h = g^x (mod q):

H(s) = H(s')
s = s' [assuming second-preimage resistance]
(g,h,m,W) = (g,h,m,W')
W = W'
gw = g R + h C
= g(w - x C) + h C
= g w - g x C + h C
= g w - g x H(s) + h H(s)
= g w - g x H(s) + g x H(s) [assuming h = g x]
= g w

Schnorr notes in his original paper that "the protocol is not zero knowledge
because the tripel" (W',R,C) "may be a particular solution to the equation"
W' = g R + h C, however, with randomly chosen basepoints each time the
protocol is run (i.e. the prover chooses a new g and h each time and sends
these along with the proof), I don't see the issue. (I might just be missing
something obvious.)

Another paper worth reading is (1988) "Zero Knowledge Proofs of Identity" by
Feige, Fiat, and Shamir. [1]

Hopefully that helps!

[0]: https://github.com/isislovecruft/library--/blob/master/cryptography%20%26%20mathematics/zero%20knowledge/Efficient%20Identification%20and%20Signatures%20for%20Smart%20Cards%20(1989)%20-%20Schnorr.pdf
[1]: https://github.com/isislovecruft/library--/blob/master/cryptography%20%26%20mathematics/zero%20knowledge/Zero-Knowledge%20Proofs%20of%20Identity%20%281988%29%20-%20Feige%2C%20Fiat%2C%20Shamir.pdf

Best regards,

On Thu, Feb 16, 2017 at 12:43 AM, Philipp Jovanovic
[...]
This is the "Chaum-Pedersen" idea used by discrete-log VRFs
("Verifiable Random Functions") or "unique signatures", based on a
generator g and key pair (x, g^x):
- map some input to a generator h
- calculate an output = h^x
- calculate an accompanying Schnorr-style
proof-of-discrete-log-equivalence between g^x and h^x

So in that form, this is part of proposals like CONIKS [1], VXEdDSA
[2], and NSEC5 [3].

Philipp had some good references, here's a couple more:

"Efficient Signature Schemes with Tight Reductions to the
Diffie-Hellman Problem" [4]

"Proof Systems for General Statements about Discrete Logarithms" [5].

Trevor

[1] https://coniks.cs.princeton.edu/research.html
[2] https://whispersystems.org/docs/specifications/xeddsa/
[3] https://eprint.iacr.org/2016/083.pdf
[4] https://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf
[5] ftp://ftp.inf.ethz.ch/pub/crypto/publications/CamSta97b.pdf