Generic group model
Encyclopedia
The generic group model
is an idealised cryptographic model, where the adversary is only given access to a randomly chosen encoding of a group
, instead of efficient encodings, such as those used by the finite field
or elliptic curve groups
used in practice.
The model includes an oracle
that executes the group
operation
. This oracle takes two encodings of group elements as input and outputs an encoding of a third element. If the group should allow for a pairing
operation this operation would be modeled as an additional oracle.
One of the main uses of the generic group model is to analyse computational hardness assumptions
. An analysis in the generic group model can answer the question: "What is the fastest generic algorithm for breaking a cryptographic hardness assumption". A generic algorithm is an algorithm that only makes use of the group operation, and does not consider the encoding of the group. This question was answered for the discrete logarithm problem by Victor Shoup
using the generic group model. Other results in the generic group model are for instance. The model can also be extended to other algebraic structurs, such as, e.g., rings
.
The generic group model suffers from some of the same problems as the random oracle model
. In particular, it has been shown using a similar argument as in that there exist cryptographic schemes which are provable secure in the generic group model, but which are trivially insecure once the random group encoding is replaced with any efficiently computable instantiation of the encoding function.
is an idealised cryptographic model, where the adversary is only given access to a randomly chosen encoding of a group
Group (mathematics)
In mathematics, a group is an algebraic structure consisting of a set together with an operation that combines any two of its elements to form a third element. To qualify as a group, the set and the operation must satisfy a few conditions called group axioms, namely closure, associativity, identity...
, instead of efficient encodings, such as those used by the finite field
Finite field
In abstract algebra, a finite field or Galois field is a field that contains a finite number of elements. Finite fields are important in number theory, algebraic geometry, Galois theory, cryptography, and coding theory...
or elliptic curve groups
Elliptic curve cryptography
Elliptic curve cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S...
used in practice.
The model includes an oracle
Oracle machine
In complexity theory and computability theory, an oracle machine is an abstract machine used to study decision problems. It can be visualized as a Turing machine with a black box, called an oracle, which is able to decide certain decision problems in a single operation. The problem can be of any...
that executes the group
Group (mathematics)
In mathematics, a group is an algebraic structure consisting of a set together with an operation that combines any two of its elements to form a third element. To qualify as a group, the set and the operation must satisfy a few conditions called group axioms, namely closure, associativity, identity...
operation
Binary operation
In mathematics, a binary operation is a calculation involving two operands, in other words, an operation whose arity is two. Examples include the familiar arithmetic operations of addition, subtraction, multiplication and division....
. This oracle takes two encodings of group elements as input and outputs an encoding of a third element. If the group should allow for a pairing
Pairing
The concept of pairing treated here occurs in mathematics.-Definition:Let R be a commutative ring with unity, and let M, N and L be three R-modules.A pairing is any R-bilinear map e:M \times N \to L...
operation this operation would be modeled as an additional oracle.
One of the main uses of the generic group model is to analyse computational hardness assumptions
Computational hardness assumptions
In cryptography, a major goal is to create cryptographic primitives with provable security. In some cases cryptographic protocols are found to have information theoretic security, the one-time pad is a common example. In many cases, information theoretic security cannot be achieved, and in such...
. An analysis in the generic group model can answer the question: "What is the fastest generic algorithm for breaking a cryptographic hardness assumption". A generic algorithm is an algorithm that only makes use of the group operation, and does not consider the encoding of the group. This question was answered for the discrete logarithm problem by Victor Shoup
Victor Shoup
Victor Shoup is a computer scientist and mathematician. He obtained a PhD in computer science from the University of Wisconsin–Madison in 1989, and he did his undergraduate work at the University of Wisconsin-Eau Claire. He is currently a professor at the Courant Institute of Mathematical Sciences...
using the generic group model. Other results in the generic group model are for instance. The model can also be extended to other algebraic structurs, such as, e.g., rings
Ring (mathematics)
In mathematics, a ring is an algebraic structure consisting of a set together with two binary operations usually called addition and multiplication, where the set is an abelian group under addition and a semigroup under multiplication such that multiplication distributes over addition...
.
The generic group model suffers from some of the same problems as the random oracle model
Random oracle
In cryptography, a random oracle is an oracle that responds to every query with a random response chosen uniformly from its output domain, except that for any specific query, it responds the same way every time it receives that query...
. In particular, it has been shown using a similar argument as in that there exist cryptographic schemes which are provable secure in the generic group model, but which are trivially insecure once the random group encoding is replaced with any efficiently computable instantiation of the encoding function.