This invention relates to systems for signing and encrypting data, and more particularly, to identity-based-encryption (IBE) signcryption systems.
A variety of cryptographic techniques are used to encrypt data and to create digital signatures. With symmetric key cryptographic systems, a pair of users who desire to exchange data securely use a shared “symmetric” key. With this type of approach, a sender of a message uses the same key to encrypt the message that a recipient of the message uses to decrypt the message. Symmetric key systems require that each sender and recipient exchange the shared key in a secure manner.
Public key systems may also be used to exchange messages securely. With public-key cryptographic systems, two types of keys are used—public keys and private keys. A sender of a message may encrypt the message using the public key of a recipient. The recipient may use a corresponding private key to decrypt the message.
One conventional public-key cryptographic system that is in use is the RSA cryptographic system. Each user in this system has a unique public key and a unique private key. A sender may obtain the public key of a given recipient from a key server over the Internet. To ensure the authenticity of the public key and thereby defeat possible man-in-the-middle attacks, the public key may be provided to the sender with a certificate signed by a trusted certificate authority. The certificate may be used to verify that the public key belongs to the intended recipient of the sender's message. Public key encryption systems such as the RSA system that use this type of traditional approach are referred to herein as PKI (public-key infrastructure) cryptographic systems.
Identity-based-encryption (IBE or IB) public-key cryptographic systems have also been proposed. As with PKI cryptographic systems, a sender in an IBE cryptosystem may encrypt a message for a given recipient using the recipient's public key. The recipient may then decrypt the message using the recipient's corresponding private key. The recipient can obtain the private key from a private key generator associated with the recipient.
Unlike PKI schemes, IBE schemes generally do not require the sender to look up the recipient's public key. Rather, a sender in an IBE system may generate a given recipient's IBE public key based on known rules. For example, a message recipient's email address or other identity-based information may be used as the recipient's public key, so that a sender may create the IBE public key of a recipient by simply determining the recipient's email address.
Public key cryptographic systems may be used to produce digital signatures. A recipient of a message that has been digitally signed can use the digital signature to verify the identity of the message's sender and to confirm that the message has not been altered during transit.
In a typical digital signature arrangement, a sender uses a cryptographic hash function to produce a message digest. The message digest is much smaller than the original message, but is still unique to the message for practical purposes. The sender then uses the sender's private key to sign the message digest. The process of signing the message digest uses a mathematical operation that can only be performed by the sender who possesses the private key. The message and signed message digest (the “digital signature”) may then be sent to a recipient.
The recipient can apply the same hash function to the received message to produce a message digest. Using the public key of the sender, the recipient can attempt to verify the signed version of the message digest that the recipient has received from the sender. The verification procedure uses the sender's public key in a mathematical operation to determine whether the signature was indeed created from the same message digest using the correct private key. If the verification function is successful, the signed version of the message digest will be proven to originate from the message digest that the recipient has produced by applying the hash function directly to the message. A successful verification operation therefore allows the recipient to confirm the true authorship of the message and to confirm that the message has not been altered.
By using both public key signatures and public key encryption, messages can be sent securely and authorship and message authenticity can be verified. Schemes for digitally signing and encrypting messages are sometimes referred to as signcryption schemes.