This invention is related to the construction of cryptographic systems, in particular, key exchange (KE) systems, key distribution (KD) systems and identity-based-encryption (IBE) systems, which are based on essentially the same mathematical principle, pairing with errors.
In our modern communication systems like Internet, cell phone, and etc, to protect the secrecy of the information concerned, we need to encrypt the message. There are two different ways to do this. In the first case, we use symmetric cryptosystems to perform this task, where the sender uses the same key to encrypt the message as the key that the receiver uses to decrypt the message. Symmetric systems demand that the sender and the receiver have a way to exchange such a shared key securely. In an open communication channel without any central authority, like wireless communication, this demands a way to perform such a key exchange (KE) in the open between two parties. In a system with a central server, like a cell phone system within one cell company, this demands an efficient and scalable key distribution (KD) system such that any two users can derive a shared key via the key distribution (KD) system established by the central server. Therefore it is important and desirable that we have secure and efficient KE systems and KD systems. The first KE system was proposed by Diffie and Hellman [DiHe], whose security is based on the hardness of discrete logarithm problems. This system can be broken by future quantum computers as showed in the work of Shor [SHO]. There are many key-distribution systems including the system using pairing over quadratic forms [BSHKVY], and the one based on bilinear paring over elliptic curves by Boneh and Boyen (in U.S. Pat. No. 7,590,236). But the existing systems have either the problem of computation efficiency or scalability. For instance, the bilinear paring over elliptic curves is very computationally intensive.
In the second case, we use asymmetric systems, namely public key cryptographic systems, for encryption, where the receiver has a set of a public key and a private key, and the sender has only the public key. The sender uses the public key to encrypt messages, the receiver uses the private key to decrypt the messages and only the entity who has the private key can decrypt the messages. In an usual public key system, we need to make sure the authenticity of the public keys and therefore each public key needs to have a certificate, which is a digital signature provided by a trusted central authority. The certificate is used to verify that the public key belongs to the legitimate user, the receiver of a message. To make public key encryption system fully work, we need to use such a system, which is called a public key infrastructure (PKI) system.
In 1984, Shamir proposed another kind of public key encryption system [SHA]. In this new system, a person or an entity's public key is generated with a public algorithm from the information that can identify the person or the entity uniquely. For example, in the case of a person, the information may include the person's name, residential address, birthday, finger print information, e-mail address, social security number and etc. Since the public key is determined by the public information that can identify the person, this type of public key cryptosystem is called an identity-based encryption (IBE) system.
There are a few Identity-based-encryption (IBE) public key cryptosystems, and currently, the (best) one being practically used is the IBE system based on bilinear paring over elliptic curves invented by Boneh and Franklin (in U.S. Pat. No. 7,113,594). In IBE systems, a sender encrypts a message for a given receiver using the receiver's public key based on the identity of the receiver. The receiver decrypts the message using the receiver's private key. The receiver obtains the private key from a central server, which has a system to generate and distribute the IBE private key for the legitimate user securely. An IBE system does not demand the sender to search for the receiver's public key, but rather, a sender in an IBE system derives any receiver's corresponding public key using an algorithm on the information that identifies the receiver, for example, an email address, an ID number or other information. Current IBE systems are very complicated and not efficient in terms of computations, since the bilinear paring over elliptic curves is very computationally intensive. These systems based on pairing over elliptic curves can also be broken efficiently if we have a quantum computer as showed in the work of Shor [SHO]. There are also constructions based on lattices, but those are also rather complicated systems for applications [ABB] [ABVVW] [BKPW]. Therefore it is important and desirable that we have secure and efficient IBE systems.
Clearly, there are still needs for more efficient and secure KE, KD and IBE systems for practical applications.