As far as I know, the difference between proof system and argument system is whether the adversary is computationally unbounded. My question is, in the definition of special soundness in Sigma protocol (e.g. Schnorr protocol), is the adversary computationally unbounded? (or probability polynomial-time?)
1 Answer
$\begingroup$ $\endgroup$
1 It depends upon the computational assumptions — Schnorr's proof of exponent achieves perfect zero knowledge, whereas it achieves only computational soundness as discrete log is a computationally bounded assumption.
And it depends upon the definition of the adversary (i.e computationally bounded or unbounded) — the proof system is either called proof or argument system.
- 1$\begingroup$ Sorry, but this answer is completely wrong. Schnorr's proof of knowledge of a discrete logarithm achieves statistical soundness. The sentence "discrete log is a computationally bounded assumption" makes no sense (what would not be a computationally bounded assumption?). I previously addressed similar misunderstandings here, I recommend checking that for more discussions. $\endgroup$Geoffroy Couteau– Geoffroy Couteau2025-09-11 23:34:32 +00:00Commented Sep 11 at 23:34