Consider the paper From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security published by Abdalla, An, Bellare, Namprempre.
In their paper they give an exact characterization for when a signature scheme obtained by a Fiat-Shamir transformation of an ID-scheme is UF-CMA. That is
The signature is UF-CMA if and only if the ID-scheme is IMP-PA.
However, they claim (Section 1.2) that it is "easy to see" that so-called OO-secure ID schemes are IMP-PA. These OO-secure schemes are introduced here and essentially are sound and perfect HVZK. However, I am not able to derive this "easy" claim.
Even worse, studying the proof of Lemma 9 in latter paper brings me to the conclusion that soundness alone is sufficient for being IMP-PA. However, I do not think that this could be true as almost all IMP-PA proof I have seen so far rely on special soundness and HVZK.
Summarizing, my question is whether anyone could explain to me why OO-secure ID-schemes are IMP-PA? And where lies my mistake in my last conclusion studying the proof?
