 Okay, so suppose that you come up with a new cryptographic scheme, okay? And now you would like to prove the scheme secure Guess is a situation that most of us here can relate to so the first question that you have to ask is in what kind of model Do you prove security? So ideally? We would like to conduct any proof in the standard model, which is basically to prove it without any simplifying assumptions But in many cases, this is going to be very difficult and in some cases even impossible Okay, and whenever this happens then we have to resort to idealized models instead Okay, so idealizing the real world But how? So in some sense the goal is to abstract away as many non essential properties of the real world as possible Okay, and once we've done this then we can prove statements in this simplified and idealized model And of course the intuition is that if we manage to do this Idealization in a non-trivial and non oversimplifying way then Proves that we carry out in this model will also hold some meaning for the real world So here are some notable examples of idealized models Okay, the first one is of course the random oracle model, which is a model that idealizes hash functions So in this model any hash function is treated as a completely random function that returns uniformly random values when it sees fresh inputs and the second Idealized model is the generic loop model introduced by Schupe, which basically idealizes cyclic groups Okay, and this is going to be the main or is going to be a very important model for this talk Okay, so for this reason I would actually like to Explain a bit about the the models that are about the algorithms that are considered in the generic group model Okay, so the generic group model basically models all algorithms as generic algorithms So what is a generic algorithm a generic algorithm is an algorithm that? Computes over a group G as as follows it only computes in the following two ways If you give it two elements a and b then it can use this abstract group operation Which I have denoted here with a circle to compute a new group element c from these two elements Okay, this is the first thing that it can do and the second thing that it can do is it can check By comparison whether two elements are equal or not. Okay, and these are the only two things that a generic algorithm can do Okay, so here are some pros of generic group algorithms So the first one is that they work in every cyclic group and even more so they have They take the same number of steps to compute the same problem over every group, but this is a very nice property Okay, a second very nice property of these algorithms is that Due to their simplistic nature It's actually possible to prove information theoretic lower bounds on them So you can prove how many steps it takes to compute solutions to certain cryptographic Assumptions like discrete logarithm problems CDH, CDH and actually many many more important assumptions That's also a very nice property Okay, lastly Actually, we know some elliptic curves for which we don't know any algorithms which are which perform better than the generic ones So there this seems to be a very fitting abstraction Okay, but of course these Algorithms or this class of algorithms also has some drawbacks. Okay, so the first main drawback is that for many groups They're actually representation based exploits So for example, if you have a group in which the group elements are represented as integers, then you can do all sort of Stuff that you can't do over an elliptic curve for example So for example, you could compute Jacobi symbols. You can run index calculus based attacks And these things tend to work work much faster than generic algorithms other groups For example admit to compute pairings to gain additional information So there is a lot of stuff that you can do over non-generic groups Okay, then a second sort of con of the generic group model is that deriving these lower bounds takes combinatorially arguments which are usually very complicated and it's tedious to carry them out and Even more so these bounds are sort of not modular That means that if you come up with a new cryptographic scheme and now you want to prove It's a cure then you have to do these bounds all over which is also sort of tedious Okay, so this talk will be about a new Idealized model which we call the algebraic group model. I will just abbreviate this as AGM from Okay, so this model makes strictly weaker model assumptions than the generic group model as I will show And as such it lies between the generic group model and the standard model We hope that because of this it actually Sort of improves our approximation of reality because it makes Less strong assumptions than the generic group model Okay, and finally what's also a very nice property that this model has and I will also try to show this in some examples Towards the end of the talk it allows for very easy reduction based proofs Okay, so now let's look at the main type of algorithm that we will consider in this model This type of algorithm is called an algebraic algorithm So what is an algebraic algorithm? An algebraic algorithm is an algorithm that takes a list of group elements. I've noted it here with this List L of group elements L0 to Lk So it takes these group elements and it computes a new group element and it returns this So X here would be the new group element that the algorithm a computes And whenever it outputs a newly computed group element, then it also outputs a representation vector z Okay, and this representation vector z is up the following form It allows us to write X as the product of these group elements li from the input raised to the powers of z i Okay, so basically an algebraic algorithm always tells us how it computes new group elements. That's the main idea Okay, so here's some background on algebraic algorithms So they were first introduced in the formalization or vaguely the same formalization that I just showed you by paillet and vernier in 2005 and So they're actually a very well-studied class of of algorithms and So far, however, they have been used mostly to derive impossibility results Okay, and these impossibility results usually look as follows. So you would say you have some cryptographic scheme Which you want to prove security for and you have an underlying hardness assumption Okay, and then you show by the meter reduction technique that there cannot be An algebraic reduction between these two things because otherwise you could break the underlying hardness assumption efficiently This is a contradiction. So this is the way that these Class of algorithms had a have actually been looked at so far mostly There there are some exceptions though So Abdullah at all that in a paper at S&P 2015 also consider an algebraic adversary in one of their security proofs and This is also the key idea of our new model. Okay, so in our model Similar to the generic group model all our algorithms will be treated as algebraic algorithms Okay, and this means in particular that we also consider all adversaries in Security games as algebraic algorithms Okay, so I will now show in the in the following slides that this actually gives a strictly weaker model assumptions than what we have in the generic group model Okay, so here's the argument. It's very simple actually. So as I said basically The class of algebraic algorithms is the class of algorithms that we can watch while they're working So we see how they compute new group elements from all of their inputs and of course This is in particular true For a for a generic group algorithm Why because all a generic algorithm can do is it can take two elements from its input and it can combine them via the generic group operation and Whenever it does this and outputs such a group element then of course we see how it computed them And this is why we get the representation vector here for free So this means that every generic algorithm is also an algebraic algorithm Okay, so another very nice property that we have here is that bounds from the generic group model Compose with reductions that we carry out in the algebraic group model So let me show what I mean by this. So we have a composition theorem that says the following So suppose that we have Some kind of lower bound on the computational problem s in the generic group model So we have some kind of bound that says it takes this many steps to compute a solution with the certain probability for this problem s And now we manage to prove a reduction in the AGM from some problem t to the problem s Okay, and I'll suppose that this reduction is actually by means of a generic algorithm Okay, and then our composition theorem says that We also derive in this manner Fresh or new bound for the computational problem t in the generic group model without having to go through the Prove in the actual generic group model. So this is a very nice thing Okay Okay, so here's just a very short intermediate summary in the generic group model We use combinatorial arguments to derive lower bound on the number of steps It takes to solve a problem But in the AGM we use reductions and this is actually what I want to show now in the second half of my talk Like how do we use the AGM now that I've sort of I hope that I motivated it enough now So but now I want to show you how to actually use it in that I also want to show you that it is simple to use okay, so Somehow the goal is to make use of this representation vector z because this is what we get for free in the algebraic group model And we don't get in the standard model. So that's sort of going to be the road map Okay, so here's a very simple example of A lemma that we can prove in the algebraic group model, which basically says that breaking CDH algebraically is As hard as solving the discrete logarithm problem Okay, so we have a lemma that reduces the discrete logarithm problem to the CDH problem tightly Okay, so just as a quick reminder the CDH problem is to compute g to the x y given g to the x and g to the y Whereas the discrete logarithm problem is given g to the u compute u Okay, so here is a sketch of the reduction So we have on the left hand side Solver for the discrete logarithm problem So it wants to compute this u in the exponent here on the right hand side We have an algebraic adversary which solves the CDH problem Okay, so now in some way that I will shortly explain this Discrete logarithm solver will come up with these elements g g to the x and g to the y and it will send them to the algebraic algorithm Now the algebraic algorithm Computes its solution g to the x y and it sends back the solution. Okay That's the second arrow, but of course because it's an algebraic adversary It also includes this representation vector z with the components a b and c Okay, so these components a b and c will be such that g to the x y can be written as g to the x Race to the power of a g to the y raised to the power of b times g to the c Okay, so now denoting p as the prime group order of this group We can directly translate this into a modular equation. Okay, so it's x y Modular p is equal to x a plus y b plus c Okay, now, so let's rearrange the terms here and Then we get this equation which we can solve for x So we can always solve this equation for x unless the adversary Manages to set y equal to a then we get a zero here in the denominator and we cannot solve this so the idea now is to Or for the discrete logarithm solvers to do the following it will take It's a discrete logarithm challenge you and with probability one half It will either hide it into g to the x or into g to the y Okay, and the trick is of course that the adversary on the right side doesn't see the difference Okay, because the discrete logarithm solver can just choose the other element uniformly at random and these distributions will look totally identical Okay, so that's the idea So now in the first case When y is not equal to a then with probability one half the discrete logarithm solver will have hidden It's a discrete logarithm challenge in g to the x and then we can solve for x and find the discrete logarithm in this way But in the case where y equals a then with probability one half again the discrete logarithm solver will have hidden its Discrete logarithm challenge into g to the y and have chosen the other element uniformly at random and then Basically the adversary returns the solution a equals y for free Okay, so this reduction always works with probability one half times the probability of the algebraic adversary solving CDH Okay, so here is another example of something that we approve here So we also prove a similar reduction from the discrete logarithm problems to the strong Diffy-Helman assumption Okay, so this assumption is a bit more complicated here. The adversary also gets a DDH oracle to some sort of fixed basis kind of So so the DH oracle is slightly restricted here So one of the of the elements in this DDH triple will always be set to g to the x from the CDH assumption okay, so this Makes it a slightly weaker Assumption than the related gap Diffy-Helman assumption So this assumption is used for DH IES hashtag a month and actually also in some other places And as I said, we can also prove here a reduction between the discrete logarithm problem and the strong Diffy-Helman problem So just as another example of something we can prove Okay, and then actually we can go even further. So here you have the LRSW assumption So it doesn't really matter how this assumption works, but it's a very interactive assumption. So The adversary in this assumption gets to query an oracle many times and every time it queries this oracle the oracle returns three group elements to the adversary and Finally the adversary has to output Well, it's a signature game basically it has to output a forgery, which is also a group element But because it has seen so many different group elements over the course of this game It has a lot of freedom to compute this group element in its output. Okay, and this makes the reduction Very complicated, but we still manage to do it and if you're interested then you can read how to do it in our paper So this assumption is very important because it forms the basis of Kamehnich-Lichenskaya signatures, which are used in RFID tax Anonymous credentials and in some other places as well And here we also managed to prove a reduction between the discrete logarithm problem in this problem here Okay, so just very shortly we have some more results One of them is a tight reduction of the BLS signature scheme, which is a short pairing based signature scheme Also to the discrete logarithm problem So this is actually quite interesting because there is a theorem by Coran that prohibits such a tight reduction because the signature scheme is a unique signature scheme and the reason that we can sort of circumvent this impossibility result in the AGM is because In the AGM we have non-black box access to the algebraic solver Okay, and Coran's theorem only works if the reduction is a black box reduction So this is why we can circumvent this impossibility result here Then we also have a reduction from the CCA1 security of the algomal cryptosystem to a Q-type variant of the H And similarly we have a very nice proof of zero-knowledge snark by Grot from Eurocrypt 2016 to a Q-type variant of the discrete logarithm problem okay, so Some other candidates that we could analyze are basically any kind of candidates that we would now analyze in the generic group model So if instead you can analyze them in the algebraic group model, then it's actually good because you're proving something stronger Okay, and so ideal kind of Primitives to analyze here would of course be structure preserving signatures or also like in the last slide zero-knowledge slarks Okay, so Let me just give a summary of my talk here So I introduced the AGM which lies in between the generic group model and the standard model of computation Okay, so it's production-based and it's easy to work with as I showed you It captures a very broad class of important algorithms and It circumvents some impossibility results for black box reductions Okay, and as a very nice Sort of side property Results from the AGM also carry over to the GGM because it's more general in the GGM and also we have this composition theorem, which is very nice So I would like to conclude with some open questions So the first open question is can we maybe prove some meter theorems? Which reduce a broader class of assumptions to maybe another class of assumptions? So right now we played around with the model of it We tried to find some reductions between some computational assumptions and we have some results But maybe they're like a general statement that can be made here Also, can we maybe find automated proof tools which work in the AGM? So there are certain tools that can be used to analyze Security properties for example of signature schemes in a generic group model Maybe it's also possible to extend this idea to the algebraic group model Then maybe can we prove some possibility results along the lines of Alexander Dent at Asia Crip 2002? So basically what he shows is that there are some schemes that are secure in the generic group model But are insecure pathologically when instantiated in the real world So maybe it's also possible to come up with such schemes, which are which can be proven secure in the algebraic group model instead This would be interesting then actually Non-trivial extension is to make this work also for composite order groups. So here the argument becomes a bit more complicated and So we also want to look at this in the future and finally This is sort of the main open question is is it possible to maybe extend also the algebraic group model to reasonably? Capture also decisional assumptions because right now it is really tailored mostly to cover computational assumptions if the algebraic algorithm doesn't return a group element at the end of the game Then we can't really harness anything from this model, right? So it would be nice if maybe we could reasonably capture also decisional assumptions along the same lines Okay, that's all I have. Thank you for listening