The Generic Group Model is one where the adversary can only perform group operations thru an oracle, which is hypothetized to respect the group axioms. Attacks that apply in the Generic Group Model thus apply to actual groups, but not necessarily the other way around.
Questions tagged [ggm]
9 questions
10
votes
2 answers
Is the one-more discrete log problem hard in the Generic Group Model?
In the Generic Group Model (GGM), a concrete cyclic group of (known) order $n$ is replaced with an idealized version: a random encoding for group elements is chosen, and the adversary only gets access to the encoded form of any input group elements…
Pieter Wuille
- 425
- 2
- 12
7
votes
1 answer
Difference between Generic Group Models
I'm trying to understand the difference between the (classical) Generic Group Model as it is described by Shoup [Shoup] and the somewhat restricted Generic Group Model as it is described by Schnorr and Jakobsson in [SJ00].
For clarity, I'm going to…
einsteinwein
- 379
- 1
- 6
6
votes
1 answer
Polynomial Breakdown in proof of lower bounds on Discrete Log in the Generic Group
In Shoup's proof of the hardness of discrete log in the generic group in this paper, he mentions that:
At any step in the game, the algorithm has computed a list $F_1,\dots,F_k$ of linear polynomials in $Z/p^t[X]$ along with a list of values…
Poseidon23
- 61
- 1
5
votes
1 answer
Generic group model: use of polynomials in the proof of the master theorem
I've been looking at the paper of Boneh, Boyen, Goh Hierarchical Identity Based Encryption with Constant Size Ciphertext
which contains a general theorem (Theorem A.2) about the advantage of an attacker in the generic group model. It seems to be…
JT1
- 395
- 2
- 8
2
votes
1 answer
Reduction from factoring to RSA and the Oracle RSA problem
Recently I read some papers related to RSA Brown16,AM09,BNPS01 and I learned that there is a variant problem of RSA is The oracle RSA problem (or one more RSA Problem) is $m+1$ copies of the classic RSA problem except that the solver gets $m$…
constantine
- 311
- 2
- 12
1
vote
1 answer
Does generic group black box model prohibit MSB of discrete logarithm?
Black box generic models prohibit calculation of discrete logarithm in groups of order $q=2p+1$ where $p,q$ are random primes to $\Omega(\sqrt{p})$ steps (refer Discrete Logarithm in the generic group model is hard - Theorem by Shoup).
Do the black…
Turbo
- 1,045
- 6
- 15
1
vote
1 answer
Discrete Logarithm in the generic group model is hard - Theorem by Shoup
In Shoups well-known paper Lower bounds for Discrete Logarithms and Related Problems he proves that the Discrete Logarithm Problem is hard in the generic group model (if group operation and inverse are the only computations that can be performed on…
einsteinwein
- 379
- 1
- 6
1
vote
1 answer
Proof Dlog is hard in generic group model
I want to know a proof for why the dlog problem is hard in the generic group model. But i can't find any resources online. Can someone please provide me a link or an explanation?
SuppenGeist
- 19
- 2
0
votes
1 answer
assumption needed to work in Generic Group Model
KZG poly-commitment & QAP linear PCP can be proved sound under Knowledge of Exponent assumption or Generic Group Model (I take it for granted from lecture 6 and 9 of ZK-MOOC https://zk-learning.org/), and it seems to me GGM is the preferred one…
baro77
- 790
- 4
- 10