What type of soundness/knowledge soundness does Schnorr's proof of knowledge of a DLOG have?

George Herbert

12/24/23, 4:51 PM

For clarification, the protocol works as follows: $P$ wants to convince $V$ that he knows $x$ such that $g^x=y$, where $g,y\in\mathbb{G}$ of order $p$; they perform the following steps:

$P$ samples $k\stackrel{R}\leftarrow\mathbb{Z}/p\mathbb{Z}$ uniformly at random, computes commitment $r\leftarrow g^k$, and sends $r$ to $V$.
$V$ samples a challenge $e\stackrel{R}\leftarrow\mathcal{C}$ from a challenge set $\mathcal{C}$ (e.g. $\mathcal{C}=\mathbb{Z}/p\mathbb{Z}$) and sends $e$ to $P$.
$P$ computes a response $s\leftarrow k+e\cdot x$ and sends $s$ to $V$.

$V$ then determines whether they accept the transcript $(r,e,s)$ by checking $r\stackrel?=g^s\cdot y^{-e}$.

I know the protocol is special sound, since from two transcripts $(r,e,s)$ and $(r,e',s'$) such that $e\ne e'$ we can extract $x$ via: $$ x\leftarrow\frac{s-s'}{e-e'} $$ I read Ivan Damgard's paper (https://www.cs.au.dk/~ivan/Sigma.pdf ), which I believe proves that Sigma protocols (with special soundness) have knowledge soundness with knowledge error $\kappa=|\mathcal{C}|^{-1}$. In other words, a cheating prover $P^*$ can only convince the verifier they know $x$ with probability $\kappa$ if they do not.

This is where my first question comes in: is the knowledge soundness statistical or computational? In theory, a computationally unbound cheating prover could produce an accepting transcript $(r,e,s$) with advantage $\epsilon$, they could solve the discrete logarithm problem with advantage $\epsilon-\frac{\epsilon^2}{p}$ (Theorem 19.1 in https://toc.cryptobook.us/book.pdf). So in that sense, does the knowledge soundness of the protocol rely on the hardness of the discrete logarithm problem. If so, is it therefore computational?

My second question is similar, but regards the regular soundness of the protocol. Since the protocol is special sound, we know that for a given commitment $r$, if there are two accepting transactions $(r,e,s)$ and $(r,e',s')$ where $e\ne e'$ then we can extract $x$. Therefore if we have an invalid statement (i.e. a statement with no witnes), the probability of proving the invalid statement is at most $|\mathcal{C}|^{-1}$, since there exists only one $e$ that could produce an accepting statement for every possible commitment $r$. Therefore, even a computationally unbound prover could not hope to break soundness with an advantage greater than $|\mathcal{C}|^{-1}$. So in that sense, is the soundness statistical?

236

1 + 2

zero-knowledge-proofs

schnorr-identification

baro77

12/25/23, 6:39 PM

To offer to other readers a bit more context on this question, I guess it derives from me not being convincing or correct here: https://crypto.stackexchange.com/questions/103339/how-to-calculate-soundness-error-of-a-sigma-protocol I hope to also improve my knowledge from this new question

ckamath

12/25/23, 8:44 PM

Schnorr's interactive protocol is a *proof of knowledge*, that is the (knowledge) soundness guarantee holds against unbounded adversaries: see [Geoffroy's explanation](https://crypto.stackexchange.com/a/56325/11441). Plain soundness is vacuous for the discrete logarithm relation since it is total, i.e., $\forall y\exists x:g^x=y$: explanation [here](https://crypto.stackexchange.com/a/79930/11441).

Score:3

Crypto

Geoffroy Couteau

12/27/23, 10:02 AM

I answered the first part of the question here: Schnorr is a statistical proof of knowledge, with knowledge error $1/p$ (or $1/|C|$ if you pick the challenge from $C$). That is, one can always extract the challenge, even against an unbounded prover, and no cryptographic assumption is required to prove the success of extraction.

As for the second question: for Schnorr, there is no notion of invalid statements. If $\mathbb{G}$ is a prime-order cyclic group with generator $g$, every element $h$ of $\mathbb{G}$ has a discrete logarithm in base $g$. In other words, the language is trivial: $\mathsf{L} = \{h \;:\; \exists x \in \mathbb{Z}_p, h = g^x\} = \mathbb{G}$. This is not an issue, precisely because the proof is a proof of knowledge: there is always a witness, but knowing the witness is non-trivial.

+ 3

George Herbert

12/27/23, 1:20 PM

Thank you for your answer. With regards to there being no notion of invalid statements, suppose a malicious prover $P^*$ chose $g=1$ and $y\ne 1$ from some prime-order cyclic group $\mathbb{Z}/p\mathbb{Z}$. Would this not be considered an invalid statement, or do we simply not "allow it" at all in the relation $\mathcal{R}$?

Geoffroy Couteau

12/27/23, 6:35 PM

We simply don't allow it, since we insist that $g$ is a generator. Note that $\mathbb{Z}/p\mathbb{Z}$ is only a prime order cyclic group if you view it as an *additive* group, in which case $1$ is indeed a generator, and the relation becomes $\{y:\exists x \in \mathbb{Z}, y = x\cdot 1\}$, which is again trivial (but my previous point still stands if you consider instead a prime-order multiplicative subgroup of $\mathbb{Z}/p\mathbb{Z}$).

George Herbert

12/27/23, 7:14 PM

Makes perfect sense, thank you very much.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What type of soundness/knowledge soundness does Schnorr's proof of knowledge of a DLOG have?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.