I have been reading the paper Identity-Based Encryption from the Weil Pairing by Boneh and Franklin. It presents a particular technical solution to a challenge posed by Shamir in 1984. By way of introduction it also spells out briefly what such a solution provides.

Identity-Based Encryption (IBE) is somewhat like public key technology in that there are public and private keys. With RSA the person who will own the private key generates it and concomitantly produces the related public key as a byproduct. He distributes the public key to whomever he would like to receive secure messages from. He may put it in a trusted public directory, PD, of public keys. The trust here is that it is infeasible for an attacker to put a bogus key in the PD that claims to be for the victim, when in fact the attacker holds the related private key. With RSA there are other possible means of distribution for the public key such as PGP’s Web of Trust. A key’s fingerprint is much smaller than the key and can be conveyed in place of the public key by word of mouth or other conventional trusted means. The PD is not then trusted to reject bogus entries, merely to convey the bulky public key from its fingerprint. It is easy to check that a public key matches a fingerprint.

In common with public key crypto, Identity-Based Encryption, IBE, presumes some string of bits, a public key, for an individual. It is assumed that:

With IBE a recipient’s public key is computed from The distinguished name might be an e-mail address, a street address or a registered company name. IBE posits a trusted agent, the Private Key Generator (PKG), that holds a global master key PKGx, by which a distinguished name can be transformed into a secret key. There is new math behind this calculation that I have not studied yet. The math provides a one-way function which yields the public PKGk from the secret PKGx. The significant thing here is that a message can be enciphered to someone who has not yet generated a key pair. The recipient must, however, have a distinguished name well enough associated with him that the sender will know the recipient’s distinguished name and that no attacker will be able to convince the PKG that he is associated with the distinguished name. If the recipient wants to read the message and has not yet learned his private key he must convince the PKG that he matches the distinguished name, which presumably accompanies the message.

The private key is not calculated until this demand is made of the PKG. It is predetermined by and depends on some public data created and published when the PKG was established, and also on the universal master key which only the PKG knows. There is enough published data for a sender to generate a public key from the distinguished name.


The PKG is in effect an escrow agent. It is only the PKG’s policy that precludes revealing any private key to anyone. Only the IBE keys are thus escrowed.

In place of a distinguished name, one may use a date, which implicitly instructs the PKG not to reveal the corresponding private key until that date. Other descriptive phrases may be used in place of or along with a distinguished name.

There is no great loss if you lose your private key. Presumably you can get it again like you did the first time. The PKG has the same problems as the certificate authority, and more.

There are proposals for splitting the authority and responsibility of the PKG into several parts, of which some quorum is required to obtain the secret key. I suppose this is like Shamir secret sharing.

Some Math

Master secret: PKGx = random
Public key generator: PKGk = f(PKGx).
For any DN: d(h(DN, PKGx), e(gpk(DN, PKGk), message)) = message

Sender computes recipient’s public key, gpk(DN, PKGk), and enciphers message. Recipient convinces PKG, who holds PKGx, that his name is indeed DN, whereupon PKG computes h(DN, PKGx), the recipient’s private key, and returns it to recipient. Recipient can now apply d to decipher message.