Deterministic vs probabilistic adversaries in a proof-of-knowledge context

Question

In several security games, it is safe to replace probabilistic polynomial-time adversaries with deterministic ones without reducing the adversarial advantage. The relevant argument can be found here.

However, according to Bellare&Goldreich, the argument of fixing coins that maximize success probability fails in a proof-of-knowledge context where extraction procedures arise.

On the other hand, the authors claim that their paper bridges the gap between two classical formulations involving probabilistic and deterministic adversaries respectively.

Does their result mean that we can still confine ourselves to deterministic adversaries in a proof-of-knowledge context without reducing the adversarial advantage? This seems to be so, but i'm not able to follow their argument in detail. Thanks.

Answer 1

Yes, the result states that we can confine ourselves to deterministic adversaries in the context of proof of knowledge.

Theorem 3 (main result): Let $V$ be a restricted knowledge verifier for $R$ with knowledge error $\kappa$, where the length of the binary expansion of $\kappa(x)$ is polynomial in $|x|$. Suppose that the corresponding knowledge extractor, $K$, never outputs a wrong answer; that is, for every $x$ and strategy $\sigma$, it holds that $\mathsf{Pr}[K^{\sigma}(x) \notin R(x) \cup \{\bot\}] = 0$, where $\bot$ indicates halting without output. Then, $V$ is a knowledge verifier for $R$ with knowledge error $\kappa$.

The definition of a restricted knowledge verifier is that the strategies (provers) considered in the definition of proof of knowledge are deterministic (see definition 2 in the paper).

The proof involves constructing a knowledge extractor, $K'$, for a probabilistic strategy $\sigma'$ by running multiple knowledge extractors, $K_i$, in parallel (for specific durations) for the deterministic strategies $\sigma_{\omega_i}$. Here, $\sigma_{\omega_i}$ is $\sigma'$ with its random coins fixed to independently chosen random values $\omega_i$. One of these $K_i$ will return a valid witness with the desired probability.