
- Stanford Pairings Based Crypto (PBC) library source code.

- An IBE toolkit is also available from Voltage Security.

- MIRACL is a big number library that includes a pairing implementation.

The IBE email system has some nice properties such as:

- Senders can send mail to recipients who have not yet set up a public key,
- When sending email there is no need for an online lookup to obtain the recipient's certificate,
- Senders can send email that can only be read at some specified time in the future, and
- The system proactively refreshes the recipient's private key every short time period.

- Identity-based encryption from the Weil pairing by D. Boneh and M. Franklin.
  SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
  Extended abstract in proc. of Crypto '2001, LNCS Vol. 2139, Springer-Verlag, pp. 213-229, 2001.

Since the problem was posed in 1984 there have been several proposals for IBE schemes. However, none of these are fully satisfactory. Some solutions require that users not collude. Other solutions require the PKG to spend a long time for each private key generation request. Some solutions require tamper resistant hardware. It is fair to say that, until now, constructing a usable IBE system was an open problem.

The IBE email system uses a new fully functional identity-based encryption
scheme. The performance of the cryptosystem is comparable to the performance
of ElGamal encryption. The security of the system is
based on a natural analogue of the computational Diffie-Hellman
assumption on elliptic curves. Based on this assumption we show that
the new system has chosen ciphertext security in the random oracle
model. Using standard techniques from threshold
cryptography the PKG in the system can be
distributed so that the *master-key* is never available in a
single location. This enhances security of the master-key stored
at the PKG.

One could potentially make this approach more granular by encrypting
e-mail for Bob using *bob@hotmail.com || current-date*. This
forces Bob to obtain a new private key every day. This might be feasible
in a corporate PKI where the PKG is maintained by the corporation. With
this approach key revocation is quite simple: when Bob leaves the company
and his key needs to be revoked, the corporate PKG is instructed to
stop issuing private keys for Bob's e-mail address.
The interesting property is that Alice does not need to communicate
with any third party to obtain Bob's daily public key. This approach
enables Alice to send messages into the future: Bob will only be able
to decrypt the e-mail on the date specified by Alice.

**Delegation to a laptop.** Suppose Alice encrypts mail to Bob
using the current date as the IBE encryption key (she uses Bob's
*params* as the IBE system parameters). Since Bob has the
*master-key* he can extract the private key corresponding to
this IBE encryption key and then decrypt the message. Now, suppose
Bob goes on a trip for seven days. Normally, Bob would put his private key
on his laptop. If the laptop is stolen the private key is compromised.
When using the IBE system Bob could simply install on his laptop the seven
private keys corresponding to the seven days of the trip. If the laptop
is stolen, only the private keys for those seven days are compromised. The
*master-key* is unharmed.

**Delegation of duties.** Suppose Alice encrypts mail
to Bob using the subject line as the IBE encryption key. Bob can
decrypt mail using his *master-key*. Now, suppose Bob has several
assistants each responsible for a different task (e.g. one is
'purchasing', another is 'human-resources', etc.). Bob gives one
private key to each of his assistants corresponding to the assistant's
responsibility. Each assistant can then decrypt messages whose
subject line falls within its responsibilities, but it cannot decrypt
messages intended for other assistants. Note that Alice only obtains
a single public key from Bob (*params*) and she uses that public
key to send mail with any subject line of her choice. The mail can
only be read by the assistant responsible for that subject.
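The date-suffixed public keys (with PKG-side revocation and mail sent "into the future"), the seven per-day keys installed on the laptop, and the per-subject keys handed to assistants all rest on the same Setup/Extract/Encrypt/Decrypt interface of the BasicIdent scheme from the paper. The Python below is an added example written for this page; it is not the Stanford IBE toolkit's code, the PBC library's code, or Voltage's. It reproduces the BasicIdent equations over a constructed toy "pairing" in which a group element aP is represented by its scalar a, so discrete logarithms are trivial and the code has no security at all; it shows the algebra and the key-management workflow only, and it omits the Fujisaki-Okamoto transform that gives the full scheme its chosen-ciphertext security. The names `PKG`, `daily_identity`, `laptop_keys`, `laptop_decrypt`, `can_extract` and the issuing-policy checks inside `extract` are assumptions of the example, not part of the system described.

```python
import hashlib
import secrets

# Constructed toy parameters (INSECURE, illustration only): a G1 element aP is
# represented by its scalar a, so the "pairing" is multiplication of exponents.
P = 2**61 - 1   # Mersenne prime; the toy target group G_T lives in Z_P^*
N = P - 1       # scalars are reduced modulo the exponent order
G = 3           # base of the target group


def h1(identity: str) -> int:
    """H1: hash an identity string (e-mail, subject line, ...) to a toy G1 scalar."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % N or 1


def pairing(a: int, b: int) -> int:
    """Toy bilinear map e(aP, bP) = g^(a*b); stands in for the Weil pairing."""
    return pow(G, (a * b) % N, P)


def h2(gt: int, length: int) -> bytes:
    """H2: expand a target-group element into a keystream of `length` bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(gt.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class PKG:
    """Private key generator: holds the master-key s and enforces issuing policy."""

    def __init__(self):
        self.master_key = secrets.randbelow(N - 1) + 1   # s, never leaves the PKG
        self.params = self.master_key % N                # Ppub = sP (P is scalar 1)
        self.revoked = set()                             # addresses no longer served

    def revoke(self, email: str) -> None:
        """Revocation is simply: stop issuing private keys for this address."""
        self.revoked.add(email)

    def extract(self, identity: str, today: str = "") -> int:
        """d_ID = s * Q_ID.  Refuses revoked users and keys dated in the future."""
        user, _, date = identity.partition(" || ")
        if user in self.revoked:
            raise PermissionError(f"{user} is revoked; no private keys issued")
        if today and date > today:              # ISO dates compare lexically
            raise PermissionError(f"key for {date} is not issued before that date")
        return (self.master_key * h1(identity)) % N


def encrypt(ppub: int, identity: str, msg: bytes) -> tuple:
    """BasicIdent: U = rP, V = M xor H2(e(Q_ID, Ppub)^r).  Needs only params."""
    r = secrets.randbelow(N - 1) + 1
    g_id = pairing(h1(identity), ppub)
    key = h2(pow(g_id, r, P), len(msg))
    return r, bytes(m ^ k for m, k in zip(msg, key))


def decrypt(d_id: int, ct: tuple) -> bytes:
    """BasicIdent: M = V xor H2(e(d_ID, U)).  A wrong d_ID yields garbage."""
    u, v = ct
    key = h2(pairing(d_id, u), len(v))
    return bytes(c ^ k for c, k in zip(v, key))


def daily_identity(email: str, date: str) -> str:
    """The 'bob@hotmail.com || current-date' public key string from the text."""
    return f"{email} || {date}"


def laptop_keys(pkg: PKG, email: str, dates: list) -> dict:
    """Bob installs only the private keys for the days of his trip."""
    return {d: pkg.extract(daily_identity(email, d)) for d in dates}


def laptop_decrypt(keys: dict, date: str, ct: tuple):
    """Decrypt with the installed key for `date`; None if none was installed."""
    if date not in keys:
        return None
    return decrypt(keys[date], ct)


def can_extract(pkg: PKG, identity: str, today: str = "") -> bool:
    """True if the PKG's policy allows issuing the private key for `identity`."""
    try:
        pkg.extract(identity, today)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    corp = PKG()
    bob = "bob@hotmail.com"
    # Alice needs no lookup: she encrypts to Bob's address and a date of her choice.
    ct = encrypt(corp.params, daily_identity(bob, "2002-04-08"), b"quarterly numbers")
    print(decrypt(corp.extract(daily_identity(bob, "2002-04-08")), ct))
    print(can_extract(corp, daily_identity(bob, "2002-04-15"), today="2002-04-08"))
```

Running the module as a script prints the recovered plaintext and then `False`, because the PKG will not hand out the key for 2002-04-15 before that day, which is exactly what lets Alice send messages into the future. The same `PKG` class models Bob delegating duties: Bob holds his own master-key, extracts `"purchasing"` and `"human-resources"` keys for his assistants, and a message encrypted under one subject line decrypts to garbage under the other assistant's key.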

Applied crypto group

*Last update: Mon Apr 8 03:58:58 PDT 2002, blynn*