This invention relates to cryptographic systems, and more particularly, to extensions of identity-based-encryption schemes that support secure communications.
It is often desirable to encrypt sensitive electronic communications such as email messages. With symmetric key cryptographic arrangements, the sender of a message uses the same key to encrypt the message that the recipient of the message uses to decrypt the message. Symmetric key systems require that each sender and recipient exchange a shared key in a secure manner.
With public key cryptographic systems, two types of keys are used—public keys and private keys. Senders may encrypt messages using the public keys of recipients. Each recipient has a private key that is used to decrypt the messages for that recipient.
To ensure the authenticity of the public keys in traditional public key systems and thereby defeat possible man-in-the-middle attacks, public keys may be provided to senders with a certificate signed by a trusted certificate authority. The certificate may be used to verify that the public key belongs to the intended recipient of the sender's message. Public key encryption systems that use this type of traditional approach are said to use the public key infrastructure (PKI) and are referred to as PKI cryptographic systems.
Identity-based-encryption (IBE) public key cryptographic systems have also been proposed. As with PKI cryptographic systems, a sender in an IBE system may encrypt a message for a given recipient using the recipient's public key. The recipient may then decrypt the message using the recipient's corresponding private key. The recipient can obtain the private key from an IBE private key generator.
Unlike PKI schemes, IBE schemes generally do not require the sender to look up the recipient's public key. Rather, a sender in an IBE system may generate a given recipient's IBE public key based on known rules. For example, a message recipient's email address or other identity-based information may be used as the recipient's public key. This allows a sender to create the IBE public key of a recipient by simply determining the recipient's identity.
Several practical IBE schemes have been demonstrated based on bilinear pairings. These bilinear-pairing-based IBE schemes fall into three classes: 1) full domain hash IBE, 2) exponent inversion IBE, and 3) commutative blinding IBE. Each of these classes of IBE scheme allows an identity-based public key to be used to encrypt data and allows a corresponding IBE private key to be used to decrypt data.
In some situations, it may be desirable to extend the capabilities of a basic IBE system. For example, in the context of the so-called Boneh-Franklin IBE scheme (which is an example of a full domain hash IBE system), a hierarchical IBE extension has been developed in which child private keys can be derived from parent private keys (“hierarchical IBE”). Another extension to the Boneh-Franklin IBE scheme that has been developed relates to dividing the IBE master secret into multiple shares (“threshold IBE”). In the context of the so-called Boneh-Boyen IBE scheme (which is an example of a commutative blinding IBE scheme), extensions have been developed for generating attribute-based private keys (“attribute-based IBE”), error-tolerant attribute-based private keys (“fuzzy IBE”), and private keys that can evolve forward, but not backward in time (“forward-secure IBE”). Threshold IBE and hierarchical IBE extensions to the Boneh-Boyen scheme have also been demonstrated.
The IBE extensions that have been proposed in recent years share a common goal of extending the notion of identity from its original atomic meaning (i.e., identity is indivisible and has no internal structure) to complex constructs of identity components on which certain operations can be performed. As described above, some proposed IBE extensions have known implementations. However, it should be noted that most of these extensions have been implemented in the context of only one IBE scheme (Boneh-Boyen), despite the availability of alternative IBE schemes on which to base IBE extensions. In particular, an entire family of very efficient IBE schemes (exponent inversion IBE schemes) has no previously known extensions.
It would therefore be desirable to be able to provide IBE extensions to the exponent inversion class of IBE schemes and to be able to generically construct IBE extensions for other IBE schemes.