This paper on semi-generic algorithms considers
"non-standard properties of the employed hash function".
For BLS signatures whose main group is $G$, I'm curious what can
be shown when the hash function is a $G$-valued random oracle.
Is there a known semi-generic attack that is faster than just
ignoring the signing oracle and solving for the private key?
Is there a known lower bound for generic attacks that is better than the
bound that follows from the reduction to computational Diffie-Hellman?
