binary format like X.509). When the receiver contacts the PKG to retrieve the private key for this public key, the PKG can evaluate the identifier and decline the extraction if the expiration date has passed. Generally, embedding data in the ID corresponds to opening an additional channel between sender and PKG with authenticity guaranteed through the dependency of the private key on the identifier.
messages, the authorized user must obtain the appropriate private key from the PKG. A caveat of this approach is that the PKG must be highly trusted, as it is capable of generating any user's private key and may therefore decrypt (or sign) messages without authorization. Because any user's private key can be generated through the use of the third party's secret, this system has inherent
of a user is some unique information about the identity of the user (e.g. a user's email address). This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its
As a result, parties may encrypt messages (or verify signatures) with no prior distribution of keys between individual participants. This is extremely useful in cases where pre-distribution of authenticated keys is inconvenient or infeasible due to technical restraints. However, to decrypt or sign
One of the major advantages of any identity-based encryption scheme is that if there are only a finite number of users, after all users have been issued with keys the third party's secret can be destroyed. This can take place because this system assumes that, once issued, keys are always valid (as
Apart from these aspects, IBE offers interesting features emanating from the possibility to encode additional information into the identifier. For instance, a sender might specify an expiration date for a message. He appends this timestamp to the actual recipient's identity (possibly using some
-like connection is a common solution for a large-scale system. It is important to observe that users that hold accounts with the PKG must be able to authenticate themselves. In principle, this may be achieved through username, password or through public key pairs managed on smart cards.
If a
Private Key Generator (PKG) is compromised, all messages protected over the entire lifetime of the public–private key pair used by that server are also compromised. This makes the PKG a high-value target to adversaries. To limit the exposure due to a compromised server, the master
ACSW Frontiers 2004, 2004 ACSW Workshops – the
Australasian Information Security Workshop (AISW2004), the Australasian Workshop on Data Mining and Web Intelligence (DMWI2004), and the Australasian Workshop on Software Internationalisation (AWSI2004), Dunedin, New Zealand, January
system, wherein private keys are usually generated on the user's computer. Depending on the context key escrow can be seen as a positive feature (e.g., within
Enterprises). A number of variant systems have been proposed which remove the escrow including
). Given the master public key, any party can compute a public key corresponding to the identity by combining the master public key with the identity value. To obtain a corresponding private key, the party authorized to use the identity
$$\forall m\in\mathcal{M},\ ID\in\{0,1\}^{*}:\ \mathrm{Decrypt}\left(\mathrm{Extract}\left(\mathcal{P},K_{m},ID\right),\mathcal{P},\mathrm{Encrypt}\left(\mathcal{P},m,ID\right)\right)=m$$
: This algorithm is run by the PKG one time for creating the whole IBE environment. The master key is kept secret and used to derive users' private keys, while the system parameters are made public. It accepts a
Advances in
Cryptology – ASIACRYPT 2003, 9th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, November 30 – December 4, 2003, Proceedings
private-public key pair could be updated with a new independent key pair. However, this introduces a key-management problem where all users must have the most recent public key for the server.
Because the
Private Key Generator (PKG) generates private keys for users, it may decrypt and/or sign any message without authorization. This implies that IBS systems cannot be used for
Advances in
Cryptology – EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, Proceedings
Advances in
Cryptology – EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4–8, 2003, Proceedings
. This may not be an issue for organizations that host their own PKG and are willing to trust their system administrators and do not require non-repudiation.
Identity-based systems allow any party to generate a public key from a known identity value such as an ASCII string. A trusted third party, called the
A secure channel between a user and the
Private Key Generator (PKG) is required for transmitting the private key on joining the system. Here, a
(PKG), generates the corresponding private keys. To operate, the PKG first publishes a master public key, and retains the corresponding
of the public keys is guaranteed implicitly as long as the transport of the private keys to the corresponding user is kept secure (
Moreover, as public keys are derived from identifiers, IBE eliminates the need for a public key distribution infrastructure. The
. Thus it is highly inefficient and impractical for sending all but the shortest messages, such as a session key for use with a
, the security proof rests on relatively new assumptions about the hardness of problems in certain elliptic curve groups.
Advances in
Cryptology, Proceedings of CRYPTO '84, Santa Barbara, California, USA, August 19–22, 1984, Proceedings
decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.
Cryptography and Coding, 8th IMA International
Conference, Cirencester, UK, December 17–19, 2001, Proceedings
: This algorithm is run by the PKG when a user requests his private key. Note that the verification of the
Seminar 'Cryptography and Security in Banking'/'Alternative Cryptology', Ruhr University Bochum, Germany
(1984). "Identity-Based Cryptosystems and Signature Schemes". In Blakley, G. R.; Chaum, David (eds.).
(2001). "An identity based encryption scheme based on quadratic residues". In Honary, Bahram (ed.).
Lee, Byoungcheon; Boyd, Colin; Dawson, Ed; Kim, Kwangjo; Yang, Jeongmo; Yoo, Seungjae (2004).
). The majority of derivatives of this system which have key revocation lose this advantage.
contacts the PKG, which uses the master private key to generate the private key for identity
IBE solutions may rely on cryptographic techniques that are insecure against code breaking
. A number of variant systems have been proposed which remove the escrow including
. Lecture Notes in Computer Science. Vol. 3027. Springer. pp. 223–238.
. Lecture Notes in Computer Science. Vol. 2894. Springer. pp. 452–473.
. In Hogan, James M.; Montague, Paul; Purvis, Martin K.; Steketee, Chris (eds.).
. Lecture Notes in Computer Science. Vol. 2656. Springer. pp. 272–293.
. Lecture Notes in Computer Science. Vol. 2260. Springer. pp. 360–363.
"Efficient selective-ID secure identity based encryption without random oracles"
. Lecture Notes in Computer Science. Vol. 196. Springer. pp. 47–53.
The most efficient identity-based encryption schemes are currently based on
are problems with which IBE protocols do not try to deal. It takes as input
"Certificate-based encryption and the certificate revocation problem"
. Identity-based encryption remained an open problem for many years.
. CRPIT. Vol. 32. Australian Computer Society. pp. 69–74.
The following lists practical identity-based encryption algorithms
In order for the whole system to work, one has to postulate that:
defined a set of four algorithms that form a complete IBE system:
The issue of implicit key escrow does not exist with the current
) but encrypts messages one bit at a time with a high degree of
Another approach to identity-based encryption was proposed by
in 1984. He was however only able to give an instantiation of
(2003). "Identity-based encryption from the Weil pairing".
RFC 5091 - the IETF RFC defining two common IBE algorithms
The Voltage Security Network - IBE encryption web service
A third approach to IBE is through the use of lattices.
"ID Based cryptosystems with pairing on elliptic curve"
pairings. The first of these schemes was developed by
$ID\in\{0,1\}^{*}$
$ID\in\{0,1\}^{*}$
Al-Riyami, Sattam S.; Paterson, Kenneth G. (2003).
(i.e. binary length of key material) and outputs:
The steps involved are depicted in this diagram:
. In Cachin, Christian; Camenisch, Jan (eds.).
Identity-based conditional proxy re-encryption
$m\in\mathcal{M}$
$c\in\mathcal{C}$
$c\in\mathcal{C}$
$m\in\mathcal{M}$
"Secure key issuing in ID-based cryptography"
of the requestor and the secure transport of
ID Based Encryption: Offline and Online Steps
Analyst report on the cost of IBE versus PKI
is based on well-studied assumptions (the
Identity-based encryption was proposed by
"Certificateless public key cryptography"
$\mathcal{P}$
$\mathcal{P}$
$\mathcal{P}$
$\mathcal{C}$
$\mathcal{M}$
$\mathcal{P}$
Sakai, Ryuichi; Kasahara, Masao (2003).
both solved the IBE problem in 2001.
this basic system lacks a method of
Identity-based encryption algorithms
of system parameters, including the
of arbitrary ciphertexts using an
), is an important primitive of
quadratic residuosity assumption
$K_{m}$
$K_{m}$
The Pairing-Based Crypto Lounge
secure key issuing cryptography
secure key issuing cryptography
$ID$
10.1007/978-3-540-24676-3_14
10.1007/978-3-540-40061-5_29
certificateless cryptography
certificate-based encryption
-like approach. Though the
$d$
$d$
and returns the private key
$d$
$k$
certificateless cryptography
certificate-based encryption
Identity-based cryptography
Cryptography ePrint Archive
. In Laih, Chi-Sung (ed.).
Identity-based cryptography
and outputs the encryption
identity-based cryptography
Attribute-based encryption
All these algorithms have
. As such it is a type of
10.1137/S0097539701398521
SIAM Journal on Computing
Cocks's encryption scheme
identity-based signatures
Identity-based encryption
HP Role-Based Encryption
; Boyen, Xavier (2004).
10.1007/3-540-39200-9_17
10.1007/3-540-45325-3_32
probabilistic encryption
Public-key cryptography
. In Biham, Eli (ed.).
10.1007/3-540-39568-7_5
Correctness constraint
Boneh–Boyen (BB-IBE).
Boneh-Franklin scheme
(2001), and performs
Private Key Generator
Boneh–Franklin scheme
public-key encryption
ciphertext expansion
Matthew K. Franklin
Matthew K. Franklin
Cocks, Clifford C.
Encryption schemes
and an identifier
security parameter
Protocol framework
master private key
quadratic residues
Franklin, Matthew
bilinear pairings
Shor's algorithm
quantum computer
symmetric cipher
Cocks IBE scheme
ciphertext space
(referred to as
non-repudiation
confidentiality
security proofs
provably secure
elliptic curves
External links
(3): 586–615.
secret sharing
key revocation
Sakai–Kasahara
Boneh–Franklin
in 2001. The
Clifford Cocks
, such as the
Gentry, Craig
attacks (see
a master key
message space
in which the
authenticity
authenticity
and returns
, a message
authenticity
Shamir, Adi
Categories
Boneh, Dan
Boneh, Dan
References
Advantages
: Accepts
key escrow
master key
Adi Shamir
public key
Drawbacks
integrity
(SK-IBE).
(BF-IBE).
Dan Boneh
for user
Dan Boneh
based on
(2003).
See also
: Takes
2001745
Elgamal
Decrypt
Encrypt
Extract
-based
pairing
A set
Setup
Usage
2004
Tate
Weil
SSL
PKI
IBE
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.