From fd60d8eded89a80cce0bfb9aefd3ac7d0469bdc8 Mon Sep 17 00:00:00 2001
From: Andrew Toth <andrewstoth@gmail.com>
Date: Sat, 21 Dec 2024 16:11:12 -0500
Subject: [PATCH] Add description of proof

---
 bip-DLEQ.mediawiki | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/bip-DLEQ.mediawiki b/bip-DLEQ.mediawiki
index 8d717731..c5412b2f 100644
--- a/bip-DLEQ.mediawiki
+++ b/bip-DLEQ.mediawiki
@@ -32,6 +32,29 @@ By producing a DLEQ proof for the generated ECDH shared secrets, the signing ent
 
 All conventions and notations are used as defined in [https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki#user-content-Notation BIP327].
 
+=== Description ===
+
+The basic proof generation uses a random scalar ''k'', the secret ''a'', and the point being proven ''C = a⋅B''.
+
+* Let ''R<sub>1</sub> = k⋅G''.
+* Let ''R<sub>2</sub> = k⋅B''.
+* Let ''e = hash(R<sub>1</sub> || R<sub>2</sub>)''.
+* Let ''s = (k + e⋅a)''.
+
+Providing only the point being proven ''C'', and ''e'' and ''s'' as a proof does not reveal ''a'' or ''k''.
+
+Verifying the proof involves recreating ''R<sub>1</sub>'' and ''R<sub>2</sub>'' with only ''e'' and ''s'' as follows:
+
+* Let ''R<sub>1</sub> = s⋅G - e⋅A''.
+* Let ''R<sub>2</sub> = s⋅B - e⋅C''.
+
+This can be verified by substituing ''s = (k + e⋅a)'':
+
+* ''s⋅G - e⋅A = (k + e⋅a)⋅G - e⋅A = k⋅G + e⋅(a⋅G) - e⋅A = k⋅G + e⋅A - e⋅A = k⋅G''.
+* ''s⋅B - e⋅C = (k + e⋅a)⋅B - e⋅C = k⋅B + e⋅(a⋅B) - e⋅C = k⋅B + e⋅C - e⋅C = k⋅B''.
+
+Thus verifying ''e = hash(R<sub>1</sub> || R<sub>2</sub>)'' proves the discrete logarithm equivalency of ''A'' and ''C''.
+
 === DLEQ Proof Generation ===
 
 The following generates a proof that the result of ''a⋅B'' and the result of ''a⋅G'' are both generated from the same scalar ''a'' without having to reveal ''a''.