 Welcome to the Asia-Crypt 2021 Recorded Talk of our work on Timelock Cryptographic Assumptions in Avelian Hidden Order Groups. My name is Arno van Baarsen, and this is a joint work with Mark Statens. What are Hidden Order Groups? A Hidden Order Group is a finite group G, such that it is hard to compute a multiple of the order of the group. And preferably, we can sample these groups without the need for a trusted setup. Perhaps the most well-known examples of Hidden Order Groups are RSA groups and imaginary quadratic class groups. In an RSA group, computing a multiple of the order is equivalent to the problem of factoring the modulus n, which is believed to be a hard problem. And the fastest known classical method is the general norm of its shape. On the other hand, imaginary quadratic class groups are historically less studied compared to RSA groups. And the problem of computing a multiple of the order does not reduce to some well-studied computational problem. The fastest known classical method of computing the order is the multiple polynomial quadratic shape. One positive aspect of imaginary quadratic class groups is that they do not need a trusted setup, whereas RSA groups do need a trusted setup. Some applications of Hidden Order Groups are verifiable delays functions and diagonal cryptographic constructions built upon verifiable delay functions. Recently, it has been shown that verifiable delay functions can be built based on the hardness of computing x to the power 2 to the power t for a random element of the group G with less than T sequential operations. However, if the order of the group is known, we can reduce this exponent to the power t modulated group order, and can compute this explanation in cost algorithmic in the group order. So, for these verifiable delay functions, we need the group order to be hidden. Moreover, if the order of a group is known, it's easy to compute eat foods where when E is co-prime to the group order. This can be done simply by inverting E, once you load the order of the group and raising the element X to the power D, where D is the modular inversion E. This relates to the hardness of the eat root problem, the strong root problem, and the adaptive root problem. In RSA groups, the E root problem is related to the RSA problem, and the strong root problem is related to the strong RSA problem. These assumptions are important for cryptographic accumulators, serial knowledge arguments, and the soundness of the PDF constructions that I discussed about. One thing to note is that these reductions hold up analogously if only a multiple of the group order is known. Since this work focus on Abelian hidden order groups, we want to stress some of the difference between cyclic and Abelian groups. A group is Abelian if its group action is commuted. If a group is cyclic, if there is a single element that generates the entire group, and more precisely for a cyclic group and end the order of this group, there are phi of n such generators, for phi is the order of phi function. And so a single uniformly random element is going to be a generator with probability phi n over n. If the order of the group is prime p, then this uniformly sampled element is going to be a generator with probability 1 minus 1 over p, which is very close to 1 is a large prime. On the other hand, in the Abelian setting, there exists multiple elements such that the group is generated by these elements since we are dealing with a finite group. This holds for n, the number of elements need to generate the group equal to the logarithm of the group order, but often a smaller n is going to be sufficient. Moreover, it can be shown that two n uniformly random elements generate the group with probability at least one minus one over n. We specifically study Abelian in order groups in this work. Going back to the example of RSA groups, we see that if we pick two safe primes, p and q, then the subgroup of quadratic residues in this RSA group as composite order, and it's going to be cyclic. If we pick a random element in RSA group, then the square of this element is going to be a generator of the quadratic residues subgroup with overwhelming probability. However, as I mentioned before, RSA groups require a trusted setup. This is because we need the primes p and q to generate the modulus and to be able to work in a group. In other words, we want to forget these primes p and q because the order of the group needs to be hidden in order for some hidden order group assumptions to hold. Imaginary quadratic class groups on the other hand can be sampled without a trusted setup by picking a random fundamental discriminant. And knowing this discriminant does not leak any information about the group order except for its parity. If we pick the discriminant in such a way that the class group is always that the order of the class group is always going to be odd, and still that the discriminant does not leak any information about the group order. However, class groups are also going to be cyclic with high probability by the Cohen-Lenzfeld heuristics, but sampling a random class group, we have no efficient way to check if it is cyclic. But this motivates the study of non-cyclic Abelian hidden order groups. Historically, non-cyclic groups have received far less attention in cryptologic research compared to cyclic groups. So this motivated our work and the needs for new methods to be developed. One main goal of this work is to study and define the Abelian hidden order group setting. To do this, we defined this Abelian hidden order standard model, which is just the normal standard model. But in the definition of our games, a random group is sampled from some large group family and random group elements are sampled to act as generators. Moreover, we propose the Abelian hidden order algebraic group model as a generalization of the algebraic group model, where adversaries need to provide an algebraic relation for every output group element. And moreover, just as in Abelian hidden order standard model, adversaries receive an explicit group description and random set of generators in their input. We also generalize the strong algebraic group model to the Abelian hidden order setting. The strong algebra group model is similar to the algebra group model, but here adversaries have many algebraic rounds in which they have to output a representation of the output group elements in terms of some elementary algebraic relations, which I'll explain more about later. In the above two models, the adversaries receive some explicit group description and a random set of generators as their input. We adapted the definitions of cryptographic problems to the Abelian hidden order setting to be able to study them, since often cryptographic problems either depend explicitly on the order being known or are explicitly defined for either cyclic groups or cyclic groups of prime order, for instance. Finally, we study relations between cryptographic problems and Abelian groups in order in these three newly generalized models. So which cryptographic problems do we study in our work? First of all, we study the multiple order and hidden order problem, which are simply the problems of computing either the exact group order or a multiple group order. Moreover, the low order problem, which is the problem of finding a non-trivial element in a group, which has low order. And the ETH root problem, which is the problem of computing an ETH root of a random element X, which is sampled from the subgroup of ETH powers. The strong root problem, which is the problem of finding a non-trivial root of some random group element. And the adaptive root problem, which is the problem of finding a prime root for an element of the adversaries choice, where the random prime exponent is sampled after the adversary fix the group element. The repeated squaring problem, which is the problem of computing X to the power 2 to the power t faster than t squareings for a random group element. So we study the delock one problem, which is the generalization of the normal discrete logarithm problem to the setting where we have multiple generators. So it's a problem of giving a representation of a random group element X in terms of some generators g1 up to gn. The delock 2 problem, which is just the regular cyclic discrete logarithm problem, but now in random cyclic subgroups of this abelian group g. And similarly, the CDH2 problem, which is the computational Diffie-Hellman problem in again random cyclic subgroups of this abelian group. So in this diagram, we see an overview of the reductions that we prove in our work. The green cells are sent for new results or new reductions in either the standard model, algebra group model or the strong algebra group model. The yellow cells then for partial results are either for these reductions from the e root problems. We need to condition that e is co-prime with the group order, or for these reduction from the low order problem, we need to condition that. And there is some oracle which provide us with a small prime subdefizor of the group order with non-negligible probability. The red cells stand for that there is no generic reduction possible from this problem to the other problem. These mostly follow from the impossibility results for a generic computation of discrete logarithms, which is proven by Schrupp in 1997. On the other hand, we see that most of the results, most of the new results we proved are reductions from the multiple order problem to almost all of the other problems that we consider in this work. And composing these new reductions with no reductions from, for instance, the repeat the screen problem to the multiple order problem, the strong root problem to the multiple order problem, and the adaptive root problem to the multiple order problem. We obtain this whole green block of problems which are equivalent to the multiple order problem in either the algebra group model or the strong algebra group model. In this work related work, Dungart and Koprausky proved in 2002 the hardness of the strong root problem and the e-root problem in the generic group model. They also consider these problems in the hidden order setting where they sampled the random group according to some hard group family. But however, since their results are in the generic group model, the techniques they use are mostly incomparable to the, or fully incomparable to the techniques that we use in this work. So, Scott's Lawson Q showed in 2020 that the hardness of factoring implies the hardness of the repeated screen problem in RSA groups in the strong algebraic group model. And it was also in this work that they introduced the strong algebraic group model as sort of the right model to consider this repeated screen. Looking a little bit more closely at their result, we can see that there's a straightforward generalization of their reduction to reduction of the multiple order problem to the repeated screen problem for cyclic groups. And this coincides with the results for RSA groups since factoring is equivalent to the hidden order problem which is equivalent to the multiple order problem for RSA groups specifically. Finally, Rotham-Sagev and Chahath and Rotham-Sagev proved that delay functions require hidden order groups in the generic group model for cyclic groups and that generically speeding up repeated squaring in RSA groups is equivalent to factoring in the generic ring model. Again, since the results are in the generic group model and the generic ring model, the methods they use are incomparable to ours. The algebraic group model was introduced by Fuchs-Bauer Kieltsen-Loss in 2018 and it's defined as follows. And the tertiary is called algebraic for all of the group elements that it outputs. It also outputs some representation such that it says output group element X can be written as a product of input group elements to the power of these representation coefficients. And originally in the original paper, the algebraic group model was introduced for cyclic groups of known prime order and they consider games where an tertiary receives a description of a group G of a cyclic group G together with some generator and the prime order P. And most of the time this group generator and order were fixed. So the generalize this to the abelian setting for groups of unknown order as follows. At the start of a game G, an tertiary receives a group randomly drawn from some group family together with N random elements which will generate the group with overwhelming probability by assuming that this N is large enough. The algebraic group model was introduced by Kielts-Loss and Kieltsen-Loss in 2020 and it's defined as follows. And its tertiary is called strongly algebraic if it has one or more output rounds in which for each of the elements that it outputs in this round, it also outputs some sort of elementary representation of this element. The elementary representation is either a representation as X of a product, X1 times X2, or a representation of X as X1 inverse, where X1 and X2 are elements that the adversary either receives in an earlier round or computed itself in an earlier round. Originally, this model was introduced for cyclic groups of unknown semi-prime order as I said before for RSA groups. And so in computational game G, an adversary receives the modulus N where this modulus is sampled from some modulus generating algorithm and then that gives the adversary the ability to work in this RSA group. We generalised this model to obedient groups of arbitrary unknown order in the same way as we did for the HM such that an adversary at the start of a game receives a random group drawn from some group family and a random set of elements which will generate the group with overwhelming probability. Since most of the reductions that we prove in this work are reductions from the problem of computing a multiple of the group order to some other computational problem. For the rest of this presentation, mostly focus on the main steps that we took in proving these reductions. And the main ingredient in these reductions is the concept of relations and relations are an important concept in, for instance, order computation algorithms for finite a billion groups. So if we have a finite a billion group G with some system of generators G1 of the GN, then the factor E1 of the EN out of the integers is called a relation for the system of generators. So if raising each generator to the power E, so G1 to the power EN times G2 to the power E2 all the way up to GN to the power EN multiplies out to the identity in the group. Then we call such a factor a relation and the relation for a system of generators for an integer lattice, which we call the relationship lattice. An example of this is how a D log one adversary naturally gives rise to relations. So if we sample a random group element with some known representation with respect to this system of generators, and we query the D log adversary on the system of generators and this randomly sampled element. Then if this adversary is successful, then we can just take our representation of this group element and subtract the answer of the adversary from this, and in this way obtain a relation with respect to this system of generators relationship for a given system of generators can also be seen as the kernel of the surjective morphism which maps from Z to the power and to the group G as a factor E to G to the power E. Then, if B is a basis for the relationship lattice, then we see in this way that Z and moded out by this basis time set to the power and is isomorphic to the group G. And in particular, that the determinant of this of this basis, the lattice is going to be equal to the order of the group. The order is true. And for this from the spin normal form of this basis, one can obtain generators, each one of the HK of the group, which have order and one of the NK, such that we can write G as a direct product of the cyclic subgroups generated by these generators, each one of the HK and such that N1 divides N2 divides and etc all the way up to NK. So we get from the spin normal form of this relation lattice, the decomposition of this a billion group in terms of its So this gives us the idea to obtain relations from an adversary solving a given computational problem and then try to find in this way a basis for the relationship lattice such that this allows us to compute the group order and even the entire structure of this group. However, there's no known efficient way to check if we have in fact found a basis for the full relationship lattice. For this problem, we found the following workaround. If we have a finite to be in group G with some system of generators, small G, and the relationship lattice with respect to the system of generators has rank N, then any in linearly independent set relations are one of our N is going to form a full rank subletters of this relationship lattice. And in this case we can also show that the absolute value of the determinant of this system of relations are is going to be an instant multiple of the group G. So in this way, we can use an adversary solving some given computational problem G to obtain an in linearly independent relations with respect to some system of generators, and in this way, obtain a multiple of the order of G, and so solve the multiple of the problem. And checking if some system of relations is linearly independent over the reals or over the over the rational is easier than checking whether we have found a basis for the entire relationship lattice. So we can try to turn this idea of collecting linearly independent relations from an adversary solving a computational problem G into an adversary which computes a multiple of the order into a more formal sketch of a production. Now here as I said before is to obtain an linearly independent relations with respect to some system of generators from an adversary solving a computational problem G. And then, as we've seen in the previous slide, the determinant of this system of relations is going to be a multiple of the order of G. So the challenges in proving this reduction are all the first one we need to show that we can extract relations from an adversary successfully solving the instance of this computational problem. One of the challenges is we need to randomize instances of this game, such that the adversary succeeds with independent and identical success probability on each instance, such that the adversary succeeds on, and out of capital and instances with sufficiently large probability. That end of the successfully extracted relations will be linearly independent with overwhelming probability. Before we show a bit more formally how we can tackle these challenges for the reduction of ammo to some computational game G, we first need to introduce some more notation. So all computational games G, which we consider are defined with respect to a group family, which is indexed by the security parameter, or yeah. And then for every security parameter, we assume that there exists some group order upper bounds, such that for all security parameters and all groups in the group family, the order of the group is upper bounded by this upper bounds UK. Furthermore, we assume that the logarithm of this upper bound is polynomial and that one over this upper bound is negligible, and it's reasonable to assume that such an upper bound exists, because if we have some upper bound on representations of the, of the group as, as bits for instance, then, well to to the power that upper bound on the size of these representations is going to be some other bounds on the order of the group. Furthermore, we assume that there exists some random group generator count, which polynomial and security parameter, such that if we sample and uniformly random elements from the group. We can get the group with overwhelming probability, and we've already seen in the beginning of this presentation that this in particularly holds for and equal to two times the log of the group order, which, which is polynomial by our first assumption on the group above. Furthermore, we introduce the notation, where for some n times n matrix a we, we can raise a system of generators to the power this matrix, by which we mean the tuple which consists of the elements we obtain by raising the system of generators separately to the rows, or the, yeah, to the rows of this matrix. We denote with square brackets, X square brackets, subscript G1 up to GL for representation of some group element X with respect to some other group elements G1 up to GL, and that is some integer representation as for instance an algebra group or some other group of random variable, asversary outputs. And finally, from here on we assume that the security parameter kappa is fixed and we often omit it for for gravity. So the first challenge for proving our reduction, we're showing that we can extract relations from an assertory so things of computational game. And the leading example will take for the rest of the presentation is an assertory a solving the strong root problem, which, which is defined as follows a random group element is sampled which is given to the assertory together with some system of generators or some randomly sample system of generators, and it's virtually outputs a group element y together with some integer e. And the adversary wins the game if this e is greater than one, and if y is an e root of the element X. So if we have an algebraic adversary solving the strong root problem, then we can construct a relation sampler as follows, we sample some random factor are in the interval one up to you cubed, and create a group element X with one representation are from the system of generators G that we have, then we query the adversary on input the system of generators G, and this group element X, and it returns us an integer e and some group element y together with a representation of y in terms of G and X, and we simply call this representation B, C for future reference here. Now, if the adversary succeeds and correctly outputs an e root of the element X, then we can write all the elements and X in terms of this system of group elements G, and in this way, return some relation R times one minus C times e minus B times e, with respect to this system of group elements G, and if the adversary does not succeed, the relation sampler simply aborts. Now we see that the relation sampler succeeds with, with probability, equal to the success probability of the adversary in the strong root game, conditioned on the group G, and the system of generators G being sampled on a single call, but it's not really anything about repeated calls with respect to the same group and the same system of generators. So we have to do some extra tricks to, to get multiple relations out of an adversary solving this strong root problem. So what we can do is we can define the following randomized relation sampler for some algebraic strong root adversary A. Again, the relation sampler takes input group G out of this group family and some system of group elements, G. Now, next to sampling some random element X, with respect to this system of elements G, it also samples some random new system of generators G tilde with respect to this system of group elements G. And it gives this new randomized system generators together with this random group elements to the adversary and sort of does the same steps that our previous relation sampler does. And in this way, obtains, again, a relation with respect to this original system of elements G. Now what we can see is that, well, if we let the prime subscript group G system generator G, with the success probability of the relation sampler on this specific group and system of elements, then if the group is indeed generated by this system of elements, then we see that, or then we can show that G tilde and X are negligible statistical distance to the uniform distribution over this group. And so because of this, we know that, well, if G tilde and X are indeed uniformly distributed, then they are exactly the same way that instances in this game, in the strong root game are distributed. And so we see that the success probability P prime subscript G G is negligibly close to the average success probability of the strong root adversary, conditioned on the group G. And the event that the group G is not generated by this system of elements G only happens with negligible probability over the random sampling of a group from the group family and a system of elements from the group. And so we will later see that we can ignore this event most of the time, and still obtain a sufficient success probability over multiple calls. So in particular, we see that if the group G is generated by the system of elements G, then each call of the relation sampler has independent and identical success probability and this is something that we can later use to bound success probability of the relation sampler over multiple calls. Next, we want to determine the total number of calls that we need to call the relation sampler on to obtain and relations with sufficiently large probability. So in other words, if we let P be the average success probability of the first week a, we define capital and to be SN over P, then what is the probability of that to obtain and relations with respect to the system of generators G from capital and calls to the first week on randomized instances from the group G. Well, the first observation is that the number of successful calls to this relation sampler has binomial distribution with and samples and success probability P prime. And on the previous slide, we saw that if this these elements G in fact generate the whole group, then we saw that this probability P prime was negligibly close to this probability P sub G. And since we're only doing a polynomial number capital N of calls these binomial distributions also have negligible so this conditions to each other. So in the lemma 2.6 for work we show using a turn off bound that if we have a random variable, which is distributed binomially with ensembles and success probability PG and the probability over random choice of G that we sample and successes from this binomial distribution is greater or equal to be over two times one minus e to the power minus and time CS or CS is this expression in as which is positive and grows as as as corrects. So finally, using this, we see, we can conclude that out of SN over P randomized calls to our adversary a, we can successfully extract and relations with probability greater equal to be over two times one minus e to the power e to the power minus and time CS minus some negligible difference. So it remains to show is that and successfully extracted relations will be linearly independent with overwhelming probability. So again at the relation samples that we obtained for this algebraic strong root adversary a, we see that if the adversary outputs an element why, which is an e to the element x, then we accept, then we obtain relations is for our times one minus C e minus be a e with respect to the system and so looking at these coordinate wise for the generator g j, we get the following expression. And now, if we split these random coefficients are j that we sampled to generate our random element x, which is the challenge element we gave to the adversary a. And we see that if we split this element r j as the residue of r j modulo the order of the generator, plus the multiples of the order of the generator that are present in this coefficient r j. We see that all the group elements that we give to the adversary a, only depend on this residue are prime j. And so finally, the output of this adversary is going to be independent of the our prime prime j, or independent of the multiples of this order of this generator that are present in this, in this random coefficient. The idea here is that if we sample these r j from some large enough interval, and our prime prime j randomly shift the relationship coefficients along this relationship left us. And so we can use this to show that the relations we ultimately the obtained from this adversary will be distributed close to uniform. And to show that these relationship coefficients are in indeed going to be distributed randomly we can do the following, we can pick a prime between the group order divided by two, and the group order which is co prime to have these one minus and since the adversary needs to output a non trivial route, it needs to output an e greater than one so these terms one minus CE are going to be unequal to one. Then we can expand these relationship coefficients as the term our prime prime j times something which is co prime to this prime, plus our prime j times something that is independent of our prime prime j. And then we show in our work that sampling these coefficients randomly uniformly from some large enough interval, you cubed, then the distribution of these are prime prime modulo this prime be a conditioned on any value of the r primes in the integral zero up to the order of this generator. Then this distribution has negligible statistical distance to the uniform distribution on that be to the power n. So what we can see is that since these are prime prime j are going to be negligibly close to the uniform distribution, then if these were distributed uniform, and we would multiply them by something co prime and add some independent terms to it, and yeah, at some independent terms to it, then these relationship coefficients will still be distributed. Uniform module OP. So if our prime prime j is distributed close to uniform module OP, then these whole relationship coefficients will also be distributed negligibly close to uniform module OP. So, ultimately, we obtain some relation d one up to the end, such that the reduction of this relation module OP is distributed negligibly close to the uniform distribution on that be to the power and So now we have shown that we can obtain relations d one up to the end, which is distributed negligibly close to uniform module OP, or some prime P which lies between the group order and the group order divided by two. In other words, we can deduce that the probability that the determinant of these of these relations of this system of relations is going to be going into zero module OP is smaller than N over P, plus some negligible, some negligible statistical distance, because this is uniformly distributed d one up to the end, the probability that the determinant is going to be going into zero module OP can easily be shown to be smaller than N over P. And since we picked this prime P greater than g over two, we see that this probability is smaller than two and over the order of the group, plus some negligible distance. And since we assumed N to be polynomial, and the order of the group is super polynomial, this probability is going to be at most negligible. And what we can use now is that the probability that the determinant of the system of relations is going to be equal to zero is smaller equal than the probability that the determinant of the system of relations is going to be congruent to zero module OP. So we see that finally see that and successfully extracted relations are going to be linearly independent with overwhelming probability which is exactly what we wanted to show. So coming back to the overview of our reduction sketch for the reduction of the multiple order problem to some computational problem G, we have shown to our example of a strong root of reduction of MO to the strong root problem that we can tackle all of these challenges for this particular for for a particular strong root adversary, but in fact, all of our reductions for other computational problems follow a very similar sort of template as as I've shown in this presentation, and only on some specific parts of the challenges. There are some some individual details that are different for each problem and where we have to pay a bit of attention to show that everything goes well. So, what we have shown now finally, is that we can obtain a multiple of the group order with probability greater than the average success probability of the adversary a times this term one minus e to the bar minus and time CS over to up to some negligible terms, and then we can do so in time at most SN over P times the average running time of the adversary a up to some significant terms. So we succeeded in showing this is reduction of the multiple order problem to to in this case this strong root problem. And so now we have shown that we can obtain a multiple of the order from from certain adversaries solving computational problems G. It's a natural to question to ask, in which cases we can also obtain the exact order of the group from these and what we show in our work is that for cyclic groups of in order, we can obtain the exact order from some standard model adversary, solving the discrete logarithm problem. And that is that the hidden order problem reduces to the deal of problem in this case. And to prove this we use a technical theorem which prove, which we prove, which, which has something about the greatest common divisor of some uniformly distributed random variables which are a shifted by some some some integer shifts, and that, in this case, still the, these, these shifted random variables are going to be are going to be co prime with large probability. Now, it's still an open question if this reduction in fact generalizes to a billion groups or if you can show that the hidden order problem reduces to for instance the D log one, or the D log two problems for a billion groups of hidden order. And if furthermore know that for computational problems G, which actually reduced to the multiple order problem, we do not expect a reduction from the hidden order problem to this particular problem G to be possible. And this is before because any adversary that can solve the G can solve this problem G by always restricting to a strict sub lettuce of the relationship lettuce. And, and the other hand, knowledge of the full lettuce is required to solve this hidden order problem. So, this is a bit of the intuition that we have why this isn't possible but this isn't really something that we made formal in our work. In the recap, in our work we formalized the, the abelian hidden order standard model of the hidden order algebra group model and abelian hidden order strong algebra group model. So that these computational models are suitable for the study of billion groups of hidden order. So the part of this was to adapt the definition of cryptographic problems to sample a random group from a group family and a random set of generators at the start of the game. And of course, to not give the order of the group to any adversary playing a particular game. So before we studied relations between cryptographic problems in abelian hidden groups, and abelian groups of hidden order in these models. And so in the being in order standard model, we've shown that the multiple order problem reduces to the deal of one and the deal of two problem, and it follows from shoes impossibility result that no efficient generic reductions exist in the opposite in the abelian hidden order algebraic group model. We've shown that the multiple order problem is equivalent to the E root problem the LO problem, the strong problem and the adaptive root problem. And we've shown that the MO problem reduces to the CDH two problem. And all of these we've shown using our new template for extracting random independent relations from algebraic adversaries, which I gave a sketch of in the earlier part of this presentation. And then finally, we've shown in that we didn't him order strong algebraic group model that the multiple order problem is equivalent to the repeated squaring problem. And the way to show this is similar to how we showed the other reductions in the algebraic group model, but using that, at first we use some bounded depth algebraic circuit, instead of an algebraic representation for its output group elements. And then finally, for some open questions, an open question I mentioned before is, is it possible to reduce the hidden order problem to deal of one and deal of two for abelian groups. And so some questions that arise here are, is there a way to check that the obtained relations actually generate the full lattice in an efficient way, or can we guarantee that several independently obtained multiples of the order have great distribution of the divisor equal to the exact order with high probability, and that is sort of the approach that worked for us in the, in the cyclic case but which is still open in the abelian case. And moreover, an interesting question to look at is when a reduction of the log to CDH is possible in the hidden order of the right group model. And some examples showed that this is possible for cyclic groups of non-prime order in the AGM. And some seminal words by modern wolf in 1998 showed that this is possible for cyclic groups of known order in the generic group model, if all multiple prime factors of the group order of polynomial in the of the group order. And they also showed that no generic reduction exists when the group is cyclic, and the group order is divisible by p squared for some large prime p. Thanks a lot for tuning into this recorded talk. And if you're interested to learn more about the work I want to refer you to your full version which is up on eprint. If you have any questions remaining feel free to send me an email at my CWI email address which is mentioned here. Thanks.