How do I calculate the soundness error of a sigma protocol, such as Schnorr's interactive protocol for knowledge of a discrete logarithm?
2 Answers
As far as I know, a general answer depends on the protocol under analysis (such as Schnorr) being a Proof of Knowledge (PoK) and not necessarily on its being a Sigma Protocol.
PRELIMINARIES
A Knowledge Extractor (KE) exists, implied by the protocol being a PoK, and roughly defined as:
an entity capable (outside the constraints of proof execution) of extracting the Witness W of the Prover's knowledge, only $\forall$Prover* s.t. $P [$Verifier is convinced$] > \eta$
where Prover* is a Prover with ANY strategy (so also a cheating one, not necessarily the one prescribed by the protocol).
It seems reasonable to define $\eta$ as "KE error", a threshold below which KE cannot extract W.
THESIS
The soundness error is $=\eta$
PROOF
KE extracts W $\Longrightarrow$ statement is TRUE (because W is evidence of the protocol's statement)
taking the contrapositive:
statement is FALSE $\Longrightarrow$ KE never extracts W
but from KE definition:
KE never extracts W $\Longrightarrow$ $\forall$Prover* $P [$Verifier is convinced$]$ $\leq$ $\eta$
chaining the two implications:
statement is FALSE $\Longrightarrow$ $\forall$Prover* $P [$Verifier is convinced$]$ $\leq$ $\eta$
which is exactly the soundness definition
CONCLUSIVE REMARKS
If $\eta = 0$ we get perfect soundness, and $\eta < 1/2$ leads to statistical soundness by protocol repetition and majority voting; when $\eta \geq 1/2$ we are in the quite common case in which a satisfying PoK is obtained only by $n$ sequential repetitions of the original one: the resulting protocol can be proved to have KE Error $= \eta^n$, permitting again statistical soundness for a large enough $n$.
If you need more context you could try this: https://github.com/baro77/ZKbasicsCS (mine) or a lot of much better resources out there.
Hope I have helped you a bit.
For a $\Sigma$ protocol with a challenge space $\mathcal C$, the soundness error is $1/c$ where $c = |\mathcal C|$. Alternatively, the error is $2^{-t}$ for a $t$-bit challenge.
The proof that I still don't fully understand is given in the paper "On $\Sigma$-protocols" by Ivan Damgård. But I think the intuition goes as follows:
If a cheating prover succeeds with probability more than $1/c$, then they can answer more than one challenge. In turn, one can use the 2-extractability of the sigma protocols to extract the witness. This is probably not a very good summary of the proof, so better look at the paper.
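As an added illustration (example code, not from either answer or from the cited paper), the toy Schnorr protocol below makes both answers concrete: the extractor recovers the witness from two accepting transcripts that share a commitment (2-extractability), and a prover without the witness can prepare a commitment that answers exactly one of the $q$ challenges, so its success probability is $1/q = 1/|\mathcal C|$. The group parameters are constructed for illustration only (a prime-order subgroup of $\mathbb Z_{23}^*$ with $q = 11$, which is also the challenge space).

```python
# Toy Schnorr protocol over a prime-order subgroup; parameters are
# constructed for illustration: p = 23, q = 11, and g = 2 has order 11 mod 23.
P, Q, G = 23, 11, 2

def verify(y, t, c, s):
    """Verifier check: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def honest_prover(w, y, c, r):
    """Honest prover: commitment t = g^r, response s = r + c*w (mod q)."""
    t = pow(G, r, P)
    return t, (r + c * w) % Q

def extract(t, c1, s1, c2, s2):
    """Knowledge extractor (2-extractability): two accepting transcripts with
    the same commitment t but different challenges give w = (s1-s2)/(c1-c2) mod q."""
    assert c1 != c2
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q

def cheating_prover(y, guess, s):
    """Prover without w: guess the challenge, pick the response s first and set
    t = g^s * y^(-guess). The verifier accepts only if the real challenge == guess."""
    t = (pow(G, s, P) * pow(y, -guess, P)) % P
    return t, s

def cheater_success_count(y, guess, s):
    """Number of the q possible challenges the cheater's commitment can answer.
    Because y has order q, g^s == t * y^c holds for exactly one c, so this is 1
    and the soundness error of one run is 1/q."""
    t, s = cheating_prover(y, guess, s)
    return sum(verify(y, t, c, s) for c in range(Q))

if __name__ == "__main__":
    w = 7                      # the witness (discrete log of y)
    y = pow(G, w, P)           # public statement: y = g^w
    t, s1 = honest_prover(w, y, 3, r=5)
    _, s2 = honest_prover(w, y, 9, r=5)   # same randomness r, different challenge
    print("extracted witness:", extract(t, 3, s1, 9, s2))   # 7
    print("challenges a cheater can answer:", cheater_success_count(y, 4, 6))  # 1 of 11
```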