Generic group model

The generic group model ^{[1] [2]} is an idealised cryptographic model, where the adversary is only given access to a randomly chosen encoding of a group, instead of efficient encodings, such as those used by the finite field or elliptic curve groups used in practice.

The model includes an oracle that executes the group operation. This oracle takes two encodings of group elements as input and outputs an encoding of a third element. If the group should allow for a pairing operation this operation would be modeled as an additional oracle.

One of the main uses of the generic group model is to analyse computational hardness assumptions. An analysis in the generic group model can answer the question: "What is the fastest generic algorithm for breaking a cryptographic hardness assumption". A generic algorithm is an algorithm that only makes use of the group operation, and does not consider the encoding of the group. This question was answered for the discrete logarithm problem by Victor Shoup using the generic group model ^[3]. Other results in the generic group model are for instance ^[4]. The model can also be extended to other algebraic structurs, such as, e.g., rings ^[5].

The generic group model suffers from some of the same problems as the random oracle model. In particular, it has been shown ^[6] using a similar argument as in ^[7] that there exist cryptographic schemes which are provable secure in the generic group model, but which are trivially insecure once the random group encoding is replaced with any efficiently computable instantiation of the encoding function.

References[]

See also[]

• Random oracle
• Schwartz–Zippel lemma

Template:Crypto-stub