will write groups additively, i.e. the identity is \(\mathcal{O}\) and the group operation
is \(+\).</p>
means that the problem of finding a discrete logarithm of a group element \(P\) to a given
base \(G\), i.e. finding \(x\) such that \(P = [x]G\), is hard in general.</p>
<p>The Pedersen commitment [<a href="https://link.springer.com/content/pdf/10.1007%2F3-540-46766-1_9.pdf#page=3">P99</a>] is a way to commit to a secret message in a verifiable
way. It uses two random public generators \(G, H \in \mathbb{G},\) where \(\mathbb{G}\) is a
cryptographic group of order \(q\). A random secret \(r\) is chosen in \(\mathbb{Z}_q\), and the
message to commit to \(m\) is from any subset of \(\mathbb{Z}_q\). The commitment is </p>
<p>To open the commitment, the committer reveals \(m\) and \(r,\) thus allowing anyone to verify
that \(c\) is indeed a commitment to \(m.\)</p>
<li><strong>hiding</strong>: the adversary chooses messages \(m_0, m_1.\) The committer commits to one of
these messages \(c = \text{Commit}(m_b, r), b \in \{0, 1\}.\) Given \(c,\) the probability of
the adversary guessing the correct \(b\) is no more than \(\frac{1}{2}\).</li>
<li><strong>binding</strong>: the adversary cannot pick two different messages \(m_0 \neq m_1,\) and
once, \(\mathbf{m} = (m_0, \cdots, m_{n-1})\). This time, we'll have to sample a corresponding
number of random public generators \(\mathbf{G} = (G_0, \cdots, G_{n-1}),\) along with a
single random generator \(H\) as before (for use in hiding). Then, our commitment scheme is:</p>
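<p>A runnable version of the scalar and vector Pedersen commitments described above, added here as an example rather than code from the page. It assumes a toy Schnorr group (prime \(p = 2039\) with subgroup order \(q = 1019\) and generator \(4\)) in place of an elliptic curve, so the page's \([x]G\) becomes modular exponentiation, and it uses the standard Pedersen formulas \(c = [m]G + [r]H\) and \(c = [r]H + \sum_i [m_i]G_i\); the <code>equivocate</code> function shows why \(H\) must be derived so that nobody knows its discrete logarithm with respect to \(G\).</p>

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1 with p, q prime.
# The order-q subgroup of Z_p^* plays the role of the page's group of order q.
# It is far too small for real use; it only keeps every step visible.
P = 2039
Q = 1019
G = 4  # a quadratic residue mod P, hence a generator of the order-Q subgroup


def smul(x, point):
    """Scalar multiplication [x]point in the page's additive notation.
    In Z_p^* the group operation is multiplication, so [x]point is pow()."""
    return pow(point, x % Q, P)


def gadd(a, b):
    """Group operation a + b (additive notation) = modular multiplication."""
    return (a * b) % P


def hash_to_group(label):
    """Derive a public generator whose discrete log w.r.t. G nobody knows.
    Squaring forces the result into the order-Q subgroup; 0 and 1 are skipped."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        g = pow(h, 2, P)
        if g not in (0, 1):
            return g
        ctr += 1


H = hash_to_group(b"pedersen:H")          # the page's random generator H


def random_scalar():
    """Random secret r in Z_q."""
    return secrets.randbelow(Q)


def commit(m, r, gen=G, hid=H):
    """Pedersen commitment c = [m]G + [r]H."""
    return gadd(smul(m, gen), smul(r, hid))


def open_check(c, m, r, gen=G, hid=H):
    """Anyone can verify an opening by recomputing the commitment."""
    return c == commit(m, r, gen, hid)


def vector_generators(n):
    """The page's G = (G_0, ..., G_{n-1}), each independently hashed to the group."""
    return [hash_to_group(b"pedersen:G" + bytes([i])) for i in range(n)]


def vector_commit(ms, r, gens, hid=H):
    """Vector Pedersen commitment c = [r]H + sum_i [m_i]G_i."""
    c = smul(r, hid)
    for m, gen in zip(ms, gens):
        c = gadd(c, smul(m, gen))
    return c


def equivocate(m, r, m_new, t):
    """If the committer knows t with H = [t]G, binding fails: r' = r + (m - m')/t
    opens the same c to m'. This is why H comes from hash_to_group, not from G."""
    t_inv = pow(t, -1, Q)
    return (r + (m - m_new) * t_inv) % Q
```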
<li>Alice and Bob publicly agree on two prime numbers, \(p\) and \(G,\) where \(p\) is large and
\(G\) is a primitive root \(\pmod p.\) (Note that \(G\) is a generator of the group
<li>Alice chooses a large random number \(a\) as her private key. She computes her public key
\(A = [a]G \pmod p,\) and sends \(A\) to Bob.</li>
<li>Similarly, Bob chooses a large random number \(b\) as his private key. He computes his
public key \(B = [b]G \pmod p,\) and sends \(B\) to Alice.</li>
<li>Now both Alice and Bob compute their shared key \(K = [ab]G \pmod p,\) which Alice
<p>A potential eavesdropper would need to derive \(K = [ab]G \pmod p\) knowing only
\(G, p, A = [a]G,\) and \(B = [b]G\): in other words, they would need to either get the
discrete logarithm \(a\) from \(A = [a]G\) or \(b\) from \(B = [b]G,\) which we assume to be
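<p>The exchange above with both sides' computations, added here as an example and not code from the page. It assumes the same toy group as before (\(p = 2039\), \(q = 1019\), generator \(4\)), so \([a]G\) is modular exponentiation, and it adds two steps the page's list does not mention: validating a received public key before using it, and hashing \(K\) into a session key rather than using \(K\) directly.</p>

```python
import hashlib
import secrets

# Toy parameters, constructed for this example: p = 2q + 1 with p, q prime,
# and G generating the order-q subgroup. Real deployments use standardised
# groups of 2048 bits or more; these only keep the arithmetic readable.
P = 2039
Q = 1019
G = 4


def smul(x, point):
    """[x]point in the page's additive notation; exponentiation in Z_p^*."""
    return pow(point, x, P)


def valid_public_key(pk):
    """Reject values outside the order-q subgroup before using them.
    Not one of the page's steps: it is the standard defence against
    trivial values (0, 1, p-1) and small-subgroup inputs."""
    if not 1 < pk < P - 1:
        return False
    return pow(pk, Q, P) == 1


class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(Q - 1) + 1   # private key in [1, q-1]
        self.pub = smul(self.priv, G)              # public key [a]G
        self.shared = None

    def receive(self, peer_pub):
        """Combine own private key with the peer's public key: [a]([b]G) = [ab]G."""
        if not valid_public_key(peer_pub):
            raise ValueError(f"{self.name}: invalid peer public key")
        self.shared = smul(self.priv, peer_pub)
        return self.shared

    def session_key(self):
        """K is a group element, not a uniform key; derive one with a KDF (SHA-256 here)."""
        return hashlib.sha256(self.shared.to_bytes(2, "big")).digest()


def exchange():
    """Run the full protocol and report whether both sides agree on K and the derived key."""
    alice, bob = Party("Alice"), Party("Bob")
    k_alice = alice.receive(bob.pub)   # Alice computes [a]B
    k_bob = bob.receive(alice.pub)     # Bob computes [b]A
    return k_alice, k_bob, alice.session_key() == bob.session_key()
```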