Questions tagged [soundness]

Soundness is a property of proof systems that requires no prover can make the verifier accept a wrong statement except with some small probability. The upper bound of this probability is referred to as the soundness error of a proof system.

Soundness is a property of proof systems that requires that no prover can make the verifier accept for a wrong statement except with some small probability. The upper bound of this probability is referred to as the soundness error of a proof system.

An interactive or non-interactive protocol is said to be sound for a language $\mathcal{L}$ if it is "hard" for a (malicious) prover $\textsf{P}$ to convince a verifier $\textsf{V}$ of a statement $I\not\in\mathcal{L}$. Depending on how "hard" it actually is for $\textsf{P}$ to cheat, we either get a (interactive or non-interactive) proof system (when $\textsf{P}$ is computationally unbounded) or an argument system (when $\textsf{P}$ is computationally bounded).

This answer goes into more detail.

In logic, more precisely in deductive reasoning, an argument is sound if it is both valid in form and its premises are true. Soundness also has a related meaning in mathematical logic, wherein logical systems are sound if and only if every formula that can be proved in the system is logically valid with respect to the semantics of the system.

23 questions

votes

1 answer

what is the difference between proofs and arguments of knowledge?

What is the difference between proofs and arguments of knowledge in the context of zero-knowledge? I have read this sentence in this ePrint: It is useful to distinguish between zero-knowledge proofs, with statistical soundness, and zero-knowledge…

zero-knowledge-proofs soundness

asked Apr 22 '16 at 08:14

MH Samadani

votes

1 answer

What does it mean to be "sound"?

I've been reading this in many places and I still don't properly understand what it means to be "sound". As an example of what I am asking for: The Fiat-Shamir transfrom is sound in the Random Oracle Model (ROM), where hash functions are assumed to…

terminology random-oracle-model fiat-shamir soundness

asked Aug 13 '20 at 14:18

Bean Guy

votes

2 answers

Relation between Knowledge extractor and soundness in ZKPoK

Reading Why Zk-SNARKs are Argument of Knowledge if a Knowledge Extractor exists? I feel confused by OP first statement: From what I know, proving the existance of a Knowledge Extractor implies perfect soundness. Answer focuses on soundness not…

zero-knowledge-proofs soundness

asked Apr 02 '22 at 22:10

baro77

votes

0 answers

2 different definitions of Special Soundness

There are 2 different definitions of special soundness in the literature: (1) can be found in Damgard: We say that a Sigma-protocol $\Pi$ satisfies special soundness, if there exists a PPT extractor $\mathcal{E}$, such that given any pair of…

zero-knowledge-proofs provable-security security-definition soundness

asked Aug 27 '21 at 11:46

jvdh

votes

1 answer

When knowledge soundness implies soundness

In the work of Bellare–Goldreich that defines knowledge soundness BG92, the discussion of Section 4.5 specifically decouples knowledge soundness from soundness. That is, proving knowledge soundness for some verifier $V$ says nothing about the…

security-definition soundness

asked Nov 03 '20 at 12:40

E. Postlethwaite

votes

0 answers

In the original VOLE-in-the-Head paper, why can we avoid "code-switching" in the small-field case?

In Figure 6, Section 6.1 of this paper by Baum et al. (citation given below), essentially 4 rounds are added due to the generation of the challenge $\Delta'$. Then in Figure 7, Section 6.2, this step is eliminated. I gather from the soundness proofs…

zero-knowledge-proofs protocol-design soundness

asked Jun 23 '25 at 12:33

58761

votes

0 answers

How to extract witness from a non-interactive lattice-based proof?

I'm trying to figure out how to construct an extractor for a non-interactive lattice-based proof. Specifically, I'm curious about the Fiat-Shamir transform applied to a five-move interactive protocol. Can you please explain to me what strategy…

zero-knowledge-proofs lattice-crypto fiat-shamir soundness

asked Mar 02 '22 at 10:34

pintor

votes

1 answer

Dishonest verifier running a concurrent zero-knowledge protocol

Suppose Alice and Bob are engaged in the graph 3-colorability Zero-knowledge protocol in which Alice permutes a coloring $\varphi:V\rightarrow \{1,2,3\}$ for a graph $G(V,E)$, and then sends a commitment of each vertex $v$, $\{\pi(\varphi(v))\}_k$…

zero-knowledge-proofs attack commitments man-in-the-middle soundness

asked Apr 20 '21 at 21:53

Mateo

votes

2 answers

Soundness and honest-verifier zero-knowledge implies EUF-CMA using Fiat-Shamir?

I am originally a mathematician but I have started to examine the security properties of the PQC Isogeny-based protocols SQIsign and SQIsignHD. In various papers I came across various implications of security properties, and as I am relatively knew…

zero-knowledge-proofs security-definition indistinguishability isogeny soundness

asked Nov 27 '24 at 20:36

HyperPro

vote

1 answer

Impact of super-polynomial extractors on the security of a zero-knowledge proof

Interactive zero-knowledge arguments are proven to be secure in three parts: completeness (the verifier accepts if the prover is honest) soundness (a dishonest prover cannot convince a verifier) zero-knowledgeness (the proof does not leak any…

zero-knowledge-proofs fiat-shamir soundness

asked Feb 19 '21 at 15:29

Ruben De Smet

2,530
15
27

vote

1 answer

Show that there is an efficient zero knowledge proof for any language $L \in NP$

Let $(P,V)$ be an efficient zero-knowledge interactive proof for some language $A \in NP$ that is $(T,\epsilon)-\text{sound}$ and $(T,\epsilon)-\text{ZK}$. I want to show that for every language $L$ that is reducible to $A$ there is also such an…

zero-knowledge-proofs complexity soundness

asked Jan 01 '21 at 21:13

Gabi G

vote

1 answer

Small proofs for large sums

Suppose we have $n$ public elements $x_1,\ldots,x_n$, say elements of an elliptic curve $E$ (but maybe also $\mathbb{F}_p^*$ or $\mathbb{Z}_N^*$ with multiplication instead of sum), and an element $x$ assumed to be equal to the sum $x_1+\ldots+x_n$…

zero-knowledge-proofs interactive-proofs soundness

asked Aug 28 '24 at 10:35

Kolja

vote

1 answer

Showing special soundness for Dilithiums underlying $\Sigma$-protocol

I'm trying to prove the security of Dilithiums underlying $\Sigma$-protocol using the following theorem. Let $\Sigma=\left(\mathcal{P},\mathcal{V}\right)$ be a $\Sigma$-protocol on an effective relation $\mathcal{R}$ and let $G$ be the key…

post-quantum-cryptography sigma-protocol dilithium soundness

asked May 07 '24 at 11:41

limeeattack

vote

1 answer

Special Soundness $\Sigma$-Protocols

About the characterizations of Special Soundness, from Staking Sigmas we have that: ''A $\Sigma$-protocol $\Pi=(A,Z,\phi)$ is said to have ${\it special\ soundness}$ if there exists a PPT extractor $\mathcal{E}$, such that given any two transcripts…

soundness sigma-protocol

asked Sep 29 '23 at 12:20

Cristian Baeza

vote

1 answer

Why I always obtain this soundness bound in parallel repetition of interactive proof systems

Fix an interactive proof system $(P,V)$ and denote by $(P_k,V_k)$ an interactive proof system in which the parties play in parallel $k$ copies of $(P,V)$ and for which $V_k$ accepts if and only if $V$ would have accepted in all $k$ copies. The…

soundness interactive-proofs

asked Dec 21 '22 at 15:42

Bean Guy

2 Next