A Classification of Computational Assumptions in the Algebraic Group Model

Abstract: We give a taxonomy of computational assumptions in the algebraic group model (AGM). We first analyze Boyen's Uber assumption family for bilinear groups and then extend it in several ways to cover assumptions as diverse as Gap Diffie-Hellman and LRSW. We show that in the AGM every member of these families is implied by the q-discrete logarithm (DL) assumption, for some q that depends on the degrees of the polynomials defining the Uber assumption. Using the meta-reduction technique, we then separate (q + 1)-DL f… Show more

“…Then, we define its advantage as Adv G G,A alg = Pr[G G,A alg = 1]. According to [4], the algebraic algorithm for a type-3 bilinear group BG can be defined by setting G ∈ {G 1 , G 2 , G T }. An important fact is that elements in G 2 and G T are not helpful to produce an element in G 1 for this type of bilinear group as no efficiently computable isomorphism is known between these groups.…”

“…Proof. Borrowing the proof strategy in [4], we show that a non-zero polynomial yields the DL solution as one of its roots, given the adversary's representations. Let (g, g z ) be a DL instance.…”

“…Regarding any polynomial P, we hereafter use P(x) = 0 to mean that the polynomial evaluates zero at the point x, and use P[ X] = 0 to mean that the polynomial in variables X is the zero-polynomial (of which all coefficients are zero). Based on these notations, we refer to the following lemma from [4].…”

“…The public parameter is pp = (BG, H, h), which is publicly verifiable. 4 IKg. The issuer key generation works as follows:…”

Practical dynamic group signatures without knowledge extractors

“…Then, we define its advantage as Adv G G,A alg = Pr[G G,A alg = 1]. According to [4], the algebraic algorithm for a type-3 bilinear group BG can be defined by setting G ∈ {G 1 , G 2 , G T }. An important fact is that elements in G 2 and G T are not helpful to produce an element in G 1 for this type of bilinear group as no efficiently computable isomorphism is known between these groups.…”

“…Proof. Borrowing the proof strategy in [4], we show that a non-zero polynomial yields the DL solution as one of its roots, given the adversary's representations. Let (g, g z ) be a DL instance.…”

“…Regarding any polynomial P, we hereafter use P(x) = 0 to mean that the polynomial evaluates zero at the point x, and use P[ X] = 0 to mean that the polynomial in variables X is the zero-polynomial (of which all coefficients are zero). Based on these notations, we refer to the following lemma from [4].…”

“…The public parameter is pp = (BG, H, h), which is publicly verifiable. 4 IKg. The issuer key generation works as follows:…”

Practical dynamic group signatures without knowledge extractors

“…This model is strictly stronger than the GGM; for example, index-calculus algorithms that apply to certain classes of groups are algebraic and hence allowed in the AGM, even though they are ruled out in the GGM by known lower bounds on the hardness of the discrete-logarithm problem in that model. The AGM has been used to show equivalence of various number-theoretic assumptions [5,6,18] and to prove security of SNARKs [16,18,26] and blind signatures [19]. An extension called the strong AGM has recently been used to prove hardness of the repeated squaring assumption underlying timed commitments and related primitives [23].…”

Algebraic Adversaries in the Universal Composability Framework

Algebraic Distinguishers: From Discrete Logarithms to Decisional Uber Assumptions