Review of Identity-Based Encryption by Sanjit Chatterjee and Palash Sarkar

Public-key encryption allows two parties, a sender and a receiver, to communicate privately without having previously shared any information. When using a “standard” public-key encryption scheme, the receiver begins by generating a pair of keys: the public key pk along with the corresponding secret key sk. The public key is transmitted (over a public channel!) to the sender, while the secret key is kept private by the receiver. The sender can encrypt a message m using the public key obtained from the receiver, and then send the resulting ciphertext Enc_pk(m) to the receiver over the same public channel. Finally, the receiver recovers the message m by decrypting the ciphertext using its secret key. If the encryption scheme is secure, an eavesdropper who watches all the communication between the sender and receiver (and so sees both the public key and the ciphertext) cannot deduce anything whatsoever about m. (The fact that public-key encryption is possible is not at all obvious, and its invention in the 1970s was quite surprising.) To use public-key encryption in practice, say, for sending an encrypted email to a colleague, the sender must first obtain a (legitimate) copy of the intended receiver’s public key. Since the receiver may not be on-line when the sender wants to encrypt a message, there must be some additional mechanism that enables the sender to do this. While there are many possibilities (e.g., the sender can look for the public key on the receiver’s webpage, or search for the receiver’s public key in some public directory), they all add an extra step to the process of sending an email. Moreover, the sender also needs to verify that the public key it obtains really belongs to the intended receiver (typically by checking a certificate) before using it to encrypt, adding yet another step. Identity-based encryption (IBE) aims to do away with the above and thus simplify key management.
At a high level, in an IBE scheme a user’s identity is their public key; more to the point, a receiver’s identity (along with some global information) is all that is needed in order to encrypt a message for that receiver. A bit more formally: a trusted authority first generates some master parameters MPK that will be made public, along with an associated master secret key MSK. A user with identity id can, after authenticating its identity to the authority, obtain a personal secret key sk_id from the authority. Any sender who knows MPK and the intended receiver’s identity id can now encrypt a message to that recipient. The receiver, who holds sk_id, will be able to decrypt the resulting ciphertext; moreover, an eavesdropper learns no information about the message, even one who knows the secret keys sk_{id_1}, ..., sk_{id_n} for several other identities (all different from id). (Note that the authority, holding MSK, can derive every user’s secret key, so it must be trusted not to decrypt on its own; this inherent key escrow is the price of the simplified key management.) The idea of identity-based cryptography was suggested by Shamir in 1984, but for many years there were no satisfying realizations of identity-based encryption. (In contrast, identity-based signatures are much easier to construct.) This changed dramatically in 2001 when two different IBE schemes were proposed: one by Cocks (published, interestingly enough, in a second-tier conference
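The four algorithms described above (setup by the authority, key extraction for an identity, encryption from MPK and an identity, decryption with sk_id) can be made concrete with Cocks’s scheme, which needs only modular arithmetic: MPK is an RSA-style modulus N, MSK is its factorization, and a user’s key is a square root modulo N of the hash of their identity. The following Python is an added example written for this page, not code from the reviewed book or from the scheme’s author. It encrypts one bit at a time, as Cocks’s scheme does; the 256-bit modulus, the e-mail-style identity strings, the SHAKE256-with-counter hash into Z_N, and the Miller–Rabin prime generation are assumptions of this example rather than details taken from the page, and a real deployment would use a far larger modulus.

```python
import hashlib
import secrets

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_probable_prime(n, rounds=32):
    # Miller-Rabin; adequate for the random odd candidates generated below.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def blum_prime(bits):
    """Random prime p = 3 (mod 4), so that -1 is a non-residue mod p."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(cand):
            return cand

def setup(modulus_bits=256):
    """Authority: MPK = N, MSK = (p, q). A 256-bit N is a demo size, not a secure one."""
    p, q = blum_prime(modulus_bits // 2), blum_prime(modulus_bits // 2)
    return p * q, (p, q)

def hash_identity(identity, n):
    """H(id): hash id||counter into Z_N, retrying until the Jacobi symbol is +1."""
    counter = 0
    while True:
        raw = hashlib.shake_256(identity.encode() + counter.to_bytes(4, "big"))
        a = int.from_bytes(raw.digest(n.bit_length() // 8 + 8), "big") % n
        if jacobi(a, n) == 1:
            return a
        counter += 1

def extract(msk, identity):
    """Authority: sk_id is a square root of a or of -a (exactly one is a QR mod N)."""
    p, q = msk
    n = p * q
    return pow(hash_identity(identity, n), (n + 5 - p - q) // 8, n)

def holds_key_for(n, r, identity):
    # True iff r squares to H(id) or -H(id) mod N, i.e. r is a key for this identity.
    a = hash_identity(identity, n)
    return pow(r, 2, n) in (a, n - a)

def encrypt_bit(n, a, bit):
    """Sender: encode the bit as a Jacobi sign; one component each for a and -a."""
    sign = -1 if bit else 1
    ct = []
    for target in (a, n - a):          # the sender does not know which one is the QR
        t = secrets.randbelow(n - 1) + 1
        while jacobi(t, n) != sign:    # a nonzero symbol also means gcd(t, N) = 1
            t = secrets.randbelow(n - 1) + 1
        ct.append((t + target * pow(t, -1, n)) % n)
    return tuple(ct)

def decrypt_bit(n, r, a, ct):
    """Receiver: s + 2r = (t + r)^2 / t, so its Jacobi symbol equals that of t."""
    r2 = pow(r, 2, n)
    if r2 not in (a, n - a):
        raise ValueError("secret key does not match this identity")
    s = ct[0] if r2 == a else ct[1]
    j = jacobi((s + 2 * r) % n, n)
    if j == 0:                         # gcd(t + r, N) > 1; negligible probability
        raise ValueError("decryption failure")
    return 0 if j == 1 else 1

def encrypt(n, identity, message):
    # The sender uses only MPK = n and the receiver's identity string.
    a = hash_identity(identity, n)
    return [encrypt_bit(n, a, (b >> i) & 1) for b in message for i in range(7, -1, -1)]

def decrypt(n, r, identity, ciphertexts):
    a = hash_identity(identity, n)
    bits = [decrypt_bit(n, r, a, ct) for ct in ciphertexts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
```

A run looks like `mpk, msk = setup()`, then `sk = extract(msk, "alice@example.com")` at the authority, `ct = encrypt(mpk, "alice@example.com", b"hello")` at a sender who has never seen a per-user public key, and `decrypt(mpk, sk, "alice@example.com", ct)` at the receiver. Because the receiver’s key is a square root of either H(id) or -H(id) and the sender cannot tell which, every bit is sent as two elements of Z_N; that ciphertext expansion is the scheme’s well-known practical drawback. holds_key_for() is the receiver’s sanity check that a key issued by the authority matches its identity; a key extracted for a different identity fails it, and decrypt() refuses to proceed with such a key rather than emit garbage.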