ECDLP is still the discrete logarithm problem, since you have a group with an operation (addition on EC) applied to itself n times, and you're trying to find the value $x$ given $B$ and $Y$, where $xB$ = $Y$. This is the same as in a prime field (which is a group with an operation that is multiplication) trying to find $x$ given $g$ and $y$ were $g^x$ = $y$.
However, elliptical curves aren't fields, which means the methods that are efficient at solving discrete logarithm on fields aren't accelerated.
proofs based on simulation vs proofs based on games
a technique for taking an interactive proof of knowledge and creating a digital signature based on it.
This way, some fact (for example, knowledge of a certain secret number) can be publicly proven without revealing underlying information.
For the method to work, the original interactive proof must have the property of being public-coin, i.e. verifier's random coins are made public throughout the proof protocol.
yields a non-interactive zero-knowledge argument in the random oracle model
only secure in the random oracle model.
The Fiat-Shamir heuristic may also be viewed as converting a public-coin interactive proof of knowledge into a non-interactive proof of knowledgel (in random oracle model).
The Fiat-Shamir transformation takes an interactive public coin argument and replaces the challenges with the output of a cryptographic hash function.
Public coin protocol
The verifier must show the prover all the random bits it uses in its computation. The result is that the verifier cannot "hide" anything from the prover, because the prover is powerful enough to simulate everything the verifier does if it knows what random bits it used.
The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.
partial homomorphic encryption scheme
Any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message $m$ (taken from any distribution of messages), and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length (and not the ciphertext).
和 香农 的 perfect secrecy 同义：
the ciphertext reveals no information at all about the plaintext
implies that any information cannot be feasibly extracted