International Association for Cryptologic Research

CryptoDB

Attention is still what you need: Another Round of Exploring Shoup’s GGM

Authors:
Taiyu Wang, The State Key Laboratory of Blockchain and Data Security, Zhejiang University
Cong Zhang, The State Key Laboratory of Blockchain and Data Security, Zhejiang University
Hong-Sheng Zhou, Virginia Commonwealth University
Xin Wang, Digital Technologies, Ant Group
Pengfei Chen, The State Key Laboratory of Blockchain and Data Security, Zhejiang University
Wenli Wang, The State Key Laboratory of Blockchain and Data Security, Zhejiang University
Kui Ren, The State Key Laboratory of Blockchain and Data Security, Zhejiang University
Chun Chen, The State Key Laboratory of Blockchain and Data Security, Zhejiang University
Conference: ASIACRYPT 2025
Abstract: The generic group model (GGM) is fundamental for evaluating the feasibility and limitations of group-based cryptosystems. Two prominent versions of the GGM exist in the literature: Shoup's GGM and Maurer's GGM. Zhandry (CRYPTO 2022) points out inherent limitations in Maurer's GGM by demonstrating that several textbook cryptographic primitives, which are provably secure in Shoup's GGM, cannot be proven secure in Maurer's model. In this work, we further investigate Shoup's GGM and identify novel limitations that have been previously overlooked. Specifically, to prevent generic algorithms from generating valid group elements without querying the oracle, the model typically employs sufficiently large encoding lengths. This leads to sparse encodings, a setting referred to as the sparse generic group model (sparse GGM). We emphasize that this sparseness introduces several constraints:
--Groups with AE and Black-Box Separation: Shoup's GGM is typically instantiated with elliptic curve groups, which admit admissible encodings (AE)—functions mapping from Z_N to elliptic curve points. We establish a black-box separation, showing that the sparse GGM fails to capture cryptographic groups that are both (1) computational Diffie-Hellman (CDH) secure and (2) compatible with admissible encodings.
--Comparison with EC-GGM: We examine the relationship between the sparse GGM and the Elliptic Curve Generic Group Model (EC-GGM) introduced by Groth and Shoup (EUROCRYPT 2022), which inherently yields CDH-secure groups with admissible encodings. Within the framework of indifferentiability, we prove that EC-GGM is strictly stronger than sparse GGM.
--Dense Groups and Black-Box Separation: We revisit groups with dense encodings and establish a black-box separation between CDH-secure dense groups and the sparse GGM.
--Extension to Bilinear Settings: Our results naturally extend to the sparse Generic Bilinear Group Model (GBM), demonstrating that the aforementioned constraints still hold.
In conclusion, our findings indicate that both feasibility and impossibility results in Shoup's GGM should be reinterpreted in a fine-grained manner, encouraging further exploration of cryptographic constructions and black-box separations in EC-GGM or dense GGM.
BibTeX
@inproceedings{asiacrypt-2025-35946,
  title={Attention is still what you need: Another Round of Exploring Shoup’s GGM},
  publisher={Springer-Verlag},
  author={Taiyu Wang and Cong Zhang and Hong-Sheng Zhou and Xin Wang and Pengfei Chen and Wenli Wang and Kui Ren and Chun Chen},
  year=2025
}