From: Argo on 20 Apr 2010 07:42

Back in 1978 Adi Shamir described something he called Identity Based
Encryption (IBE).
He stated three characteristics that I paraphrase here:

1. Create a secure communications without (external key exchanges)
communications
2. No directories (this excludes certificates)
3. No third parties (I assume he means a key distribution center)

Turn now to modern Identity Based Encryption based on pairing, a
subject of considerable interest
in the crypto research community. Here are my questions:

In the current IBE it is necessary to put the Private Key Generator
(PKG) in its own secure node
because it uses the secret system master key to generate private keys
from public keys.

I think this violates Shamir's #3. Describing the current IBE as a
model of what Shamir had in mind is not precisely correct, or is it?
What's your opinion?

Thanks
Sincerely
Argo_Pollis(a)hotmail.com

Ref: Adi Shamir, "Identity-Based Cryptosystems and Signature Schemes"
for info on IBE see http://crypto.stanford.edu/ibe/

From: Scott Fluhrer on 20 Apr 2010 09:59

"Argo" <argo_pollis(a)hotmail.com> wrote in message
news:65f215f6-fb87-4aaf-8f2d-23290f50422a(a)f17g2000vbd.googlegroups.com...
> Back in 1978 Adi Shamir described something he called Identity Based
> Encryption (IBE).
> He stated three characteristics that I paraphrase here:
>
> 1. Create a secure communications without (external key exchanges)
> communications
> 2. No directories (this excludes certificates)

Nit: certificates do not require directories. When Shamir first wrote the
document, people were thinking that we'd have directories of certificates
(sort of a security white pages); it turns out we haven't actually gone in
that direction. Instead, if you need Bob's certificate, you ask Bob for a
copy.

> 3. No third parties (I assume he means a key distribution center)
>
> Turn now to modern Identity Based Encryption based on pairing, a
> subject of considerable interest
> in the crypto research community. Here are my questions:
>
> In the current IBE it is necessary to put the Private Key Generator
> (PKG) in its own secure node
> because it uses the secret system master key to generate private keys
> from public keys.
>
> I think this violates Shamir's #3. Describing the current IBE as a
> model of what Shamir had in mind is not precisely correct, or is it?
> What's your opinion?

Well, if you go through Shamir's original document carefully, he does
acknowledge that there will need to be a centralized authority. In
particular, at one point he states:

"The separate key channel between the users is completely eliminated, and
is replaced by a single interaction with the key generation center when
the recipient first joins the network"

It is not hard to see why the system has this constraint: if Alice encrypts
a message with the public key 'Bob', how is it that the real Bob is the only
one that is able to decrypt it? If Bob himself could convert the 'Bob'
public key into a private one, well, so could Carol.

In IBE (both in Shamir's original conception and the current understanding),
there is a centralized trusted entity that has the secret sauce for
converting public keys into private ones. Bob talks to this centralized
authority, convinces him that he is indeed 'Bob', and then the centralized
authority passes him the Bob private key. This centralized authority won't
pass Bob's private keys to anyone else, and so Carol can't read Bob's email.

--
poncho
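
The key-extraction role described in the reply above, as an added example that is not part of the original thread: a toy Python version of the RSA-based identity-based signature scheme from the Shamir paper Argo references (signatures rather than pairing-based encryption, so that it runs on the standard library alone). The parameters, the hash construction and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (NOT secure): two Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public system parameters
D = pow(E, -1, (P - 1) * (Q - 1))      # master secret, held only by the PKG


def h(*parts: bytes) -> int:
    """Hash length-prefixed byte strings to an integer mod N."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(digest.digest(), "big") % N


def extract(identity: str) -> int:
    """PKG only: private key g with g^E == H(identity) mod N. Needs D."""
    return pow(h(identity.encode()), D, N)


def sign(private_key, message: bytes):
    r = secrets.randbelow(N - 2) + 2          # fresh per-signature randomness
    t = pow(r, E, N)
    f = h(t.to_bytes(32, "big"), message)
    return (private_key * pow(r, f, N)) % N, t


def verify(identity: str, message: bytes, sig) -> bool:
    """Check s^E == H(identity) * t^f mod N using only public values."""
    s, t = sig
    if not (0 < s < N and 0 < t < N):         # (0, 0) would satisfy the equation
        return False
    f = h(t.to_bytes(32, "big"), message)
    return pow(s, E, N) == (h(identity.encode()) * pow(t, f, N)) % N


def demo() -> dict:
    msg = b"meet at noon"
    bob_key = extract("bob")      # issued once Bob proves his identity to the PKG
    carol_key = extract("carol")  # Carol's own key does not work for the name 'bob'
    return {
        "bob_as_bob": verify("bob", msg, sign(bob_key, msg)),
        "carol_as_bob": verify("bob", msg, sign(carol_key, msg)),
        "tampered": verify("bob", b"meet at one", sign(bob_key, msg)),
        "zero_forgery": verify("bob", msg, (0, 0)),
    }
```

Verification uses only the public `N`, `E` and the identity string, while `extract` is the single place `D` is used, which is why the PKG has to be a trusted, protected node.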