
    Security evaluation of a key management scheme based on bilinear maps on elliptic curves

    In recent years, many applications of elliptic curves to cryptography have been developed. Cryptosystems based on groups of rational points on elliptic curves offer more efficient alternatives to finite field cryptography, which usually requires groups with larger cardinality and gives lower efficiency. The existence of non-degenerate bilinear maps on elliptic curves, called pairings, allows the construction of many efficient cryptosystems; however, their security must be carefully studied. We will study the security of a key management scheme introduced by Boneh, Gentry and Waters in 2005, which is based on the decisional version of the l-BDHE problem. This is a variant of the classical Diffie-Hellman problem, specifically constructed for pairing-based cryptography. Its hardness is still a research topic, and only some theoretical evidence exists. The aim of this work is to investigate the security of this broadcast encryption system, taking into account a model that proves the hardness of the l-BDHE problem under strong assumptions. Drawbacks of this approach will be discussed: its main weakness is the system's behaviour during attack simulations, which is far from realistic. The main result of this thesis is a lower bound on the running time of an adversary solving the above problem. Moreover, the choice of elliptic curve, when implementing an encryption scheme, could also affect its security. We will review the main criteria for this choice and investigate the existence of elliptic curves suitable for the system of our interest.

    On generic groups and related bilinear problems

    Groups with pairings are now considered standard building blocks for cryptographic primitives. The security of schemes based on such groups relies on hypotheses related to the discrete logarithm problem. As these hypotheses are not proved, one would like to have some positive security argument for them. It is usual to assess their security in the so-called generic group model introduced by Nechaev and Shoup. Over time, this model has been extended in different directions to cover new features. The relevance of this model is nevertheless subject to criticism: in particular, the fact that the answer to any fresh query is a random bit string is not what one expects from a usual group law. In this chapter, we first present the original model of Nechaev and Shoup as well as some classical extensions, with a focus on ideas rather than formal correctness. Then, we rigorously develop a generic group model with pairing which generalizes all models seen so far in the literature. We provide a general framework in order to prove difficulty assumptions in this setting. In order to improve the realism of this model, we introduce the notion of pseudo-random families of groups. We show how to reduce the security of a problem in such a family to the security of the same problem in the generic group model and to the security of an underlying strong pseudo-random family of permutations.