Attention is still what you need: Another Round of Exploring Shoup’s GGM
摘要
The generic group model (GGM) is fundamental for evaluating the feasibility and limitations of group-based cryptosystems. Two prominent versions of the GGM exist in the literature: Shoup’s GGM and Maurer’s GGM. Zhandry (CRYPTO 2022) points out inherent limitations in Maurer’s GGM by demonstrating that several textbook cryptographic primitives, which are provably secure in Shoup’s GGM, cannot be proven secure in Maurer’s model. In this work, we further investigate Shoup’s GGM and identify novel limitations that have been previously overlooked. Specifically, to prevent generic algorithms from generating valid group elements without querying the oracle, the model typically employs sufficiently large encoding lengths. This leads to sparse encodings, a setting referred to as the sparse generic group model (sparse GGM). We emphasize that this sparseness introduces several constraints: In conclusion, our findings indicate that both feasibility and impossibility results in Shoup’s GGM should be reinterpreted in a fine-grained manner, encouraging further exploration of cryptographic constructions and black-box separations in EC-GGM or dense GGM.