@waxwing i wasn't even considering prover as adversary... what i was referring to is in page 749, section 19.5.4 A Sigma protocol for the pre-image of a homomorphism, but it's about same order:

> We can even set H_2 := G_1 × G_2 with g ∈ G_1, u ∈ G_2, and |G_1| = |G_2|. Then for a given
> (v, w) ∈ G1×G2, proving knowledge of a ψ2 preimage of (v, w) proves equality of discrete-logs
> Dlog g
(v) = Dlog u (w) in distinct groups G_1 and G_2."

@waxwing if the fields are not of (almost) the same size then i think it gets more complicated... i've heard bit decomposition mentioned in this context, so this reduces to proving equivalence of bit commitments, but i don't see how this addresses the problem

also if there's a significant difference and one key is known to be uniformly sampled WRT the smaller field i think that reveals to the verifier that the top bits are fixed = 0, which if i'm not mistaken makes lattice attacks easy

@waxwing for similar sized curves with generators G_1, G_2, P_i = x G_i, you can use conjunctive composition of Schnorr proof apparently.

prover commits:

k <- Z_p
R_i = k G_i

and then responds to challenge e with v = k + x*e

cryptobook discusses these generalizations of Schnorr identity if i recall correctly