Identity-based cryptography

Identity-based cryptography (IBC) is a form of public-key cryptography in which a user's public key is derived directly from their identity information, such as an email address, name, or other arbitrary string, allowing encryption and signatures without the need for separate public key certificates or extensive key-management infrastructure. The concept was first proposed by Adi Shamir in 1984 to address the complexities of key distribution in traditional public-key systems by enabling a trusted authority to generate private keys based on public identities. In IBC systems, a central Private Key Generator (PKG) or Key Generation Center (KGC) initializes the system by creating a master public key and a corresponding master secret key. For each user, the PKG extracts a private key from the master secret and the user's identity string, which the user receives over a secure channel; this private key is then used for decryption or signing, while the identity itself serves as the public key for encryption or verification.

Practical implementations emerged in 2001 with the development of identity-based encryption (IBE) schemes, including the pairing-based construction by Dan Boneh and Matthew Franklin, which achieves chosen-ciphertext security under the bilinear Diffie-Hellman assumption in the random oracle model, and Clifford Cocks' independent quadratic residuosity-based approach. IBC offers significant advantages in simplifying key management and enabling direct encryption to identities that may not yet possess keys, making it suitable for applications like secure email, wireless networks, and mobile ad hoc networks (MANETs). However, it introduces challenges such as key escrow—where the PKG holds ultimate control over all private keys—and reliance on a trusted third party, which could become a single point of failure if compromised. Extensions like hierarchical IBC and mediated schemes have addressed some limitations, supporting delegated and revocable identities while maintaining security properties.

Background

Public Key Cryptography Context

Public-key cryptography (PKC), also referred to as asymmetric cryptography, enables secure communication and authentication without the need for parties to share a secret key in advance. It relies on a pair of mathematically related keys: a public key, which can be freely distributed, and a corresponding private key, kept secret by its owner. The public key is used for encrypting messages or verifying digital signatures, while the private key decrypts messages or generates signatures, ensuring that only the intended recipient can access the plaintext or that the signature originates from the claimed signer.

To associate public keys with specific entities, such as users or devices, traditional PKC employs a public key infrastructure (PKI), where digital certificates bind a public key to an identity. These certificates are issued and digitally signed by trusted certificate authorities (CAs), which act as third parties to verify the binding and maintain trust chains. The X.509 standard defines the format and management of these certificates, enabling verification through certificate chains leading back to a root CA.

Despite its advantages, traditional PKC introduces significant challenges in key distribution and management. Certificate management requires ongoing processes for issuance, renewal, and distribution, often involving complex hierarchies and validation protocols to prevent man-in-the-middle attacks. Additionally, handling certificate revocation—through mechanisms like certificate revocation lists (CRLs) or the Online Certificate Status Protocol (OCSP)—poses scalability issues, as revoked certificates must be efficiently disseminated and checked by every relying party.

The conceptual foundations of PKC were established in 1976 with the publication of "New Directions in Cryptography" by Whitfield Diffie and Martin Hellman, introducing key agreement protocols that eliminated the need for prior shared secrets. This was soon followed in 1978 by the RSA algorithm, developed by Ronald Rivest, Adi Shamir, and Leonard Adleman, which provided a practical public-key cryptosystem based on the difficulty of integer factorization. Identity-based systems later emerged as a refinement to address some of PKC's complexities by deriving keys directly from user identities.

Motivation for Identity-Based Approaches

Traditional public-key cryptography relies on certificate-based systems to bind public keys to their owners' identities, but this introduces significant overhead in the storage, distribution, and verification of certificates. Users and systems must manage large numbers of certificates, perform frequent validity checks including revocation lists, and handle expiration and renewal processes, which can be computationally and administratively burdensome. Additionally, these systems remain vulnerable to man-in-the-middle attacks during initial key exchanges if certificates are not properly authenticated or if there are flaws in the certificate chain.

A key motivation for identity-based approaches stems from the desire to use human-readable strings, such as email addresses or names, directly as public keys rather than opaque random bit strings. This makes public keys intuitive and easy to remember or communicate, eliminating the need for users to handle or distribute complex key values separately from their identities. In email systems, for instance, a sender could simply use the recipient's address as the public key without consulting directories or verifying separate keys.

Early discussions of public-key cryptography envisioned using public directories to associate keys directly with known user information, such as names and addresses, thereby enabling secure communication without prior shared secrets. However, these conceptual ideas, such as deriving keys from identifying attributes without a full cryptographic realization, fell short of providing a complete system until Shamir's 1984 proposal formally addressed the motivation.

History

Shamir's Original Proposal

In 1984, Adi Shamir introduced the concept of identity-based cryptosystems in his seminal paper presented at CRYPTO '84, proposing a novel cryptographic framework where public keys could be derived directly from arbitrary strings representing user identities, such as names, email addresses, or network identifiers, thereby eliminating the need for users to generate and distribute their own public keys. This approach aimed to simplify key management by leveraging a trusted authority, referred to as a key generation center, which would hold a master secret and compute personalized private keys for each user based on their chosen identity string.

Central to Shamir's proposal was the role of this trusted Private Key Generator (PKG), which uses its master secret—such as knowledge of the factorization of a large composite modulus—to derive private keys without revealing the master information to users, allowing secure distribution via mechanisms like smart cards. Shamir emphasized that the system assumes the existence of such trusted centers to issue these keys, enabling users to encrypt messages or verify signatures using only the recipient's or signer's public identity. While the primary focus was on identity-based signature schemes, for which Shamir sketched concrete implementations, he also outlined identity-based encryption as a potential extension, noting that it would require similar key derivation but without providing specific constructions at the time.

Shamir highlighted several open challenges in realizing practical identity-based systems, including the development of efficient protocols for private key extraction that do not compromise the master secret and the selection of identity strings that are resistant to collisions, ensuring uniqueness without relying on predefined directories. These unresolved issues underscored the conceptual nature of the proposal, which laid the groundwork for future advancements, later enabled by mathematical tools like bilinear pairings.

Development of Practical Schemes

Following Shamir's 1984 proposal, the period from 1984 to 2000 saw limited progress in identity-based cryptography, with most efforts focusing on signatures and key agreement protocols rather than full encryption systems, often hampered by inefficiencies or security weaknesses. For example, Guillou and Quisquater introduced an identity-based signature scheme in 1988 based on zero-knowledge proofs, but it was limited in efficiency for broader applications.

A major breakthrough occurred in 2001, when practical identity-based encryption (IBE) schemes were independently developed, enabling efficient implementation. Dan Boneh and Matthew Franklin proposed the first fully functional IBE system using bilinear pairings on elliptic curves, achieving chosen-ciphertext security in the random oracle model and settling the long-standing open problem. Simultaneously, Clifford Cocks presented an alternative IBE construction based on quadratic residues modulo an RSA composite, providing a pairing-free option with security reducible to the quadratic residuosity assumption. These works, along with a precursor by Sakai, Ohgishi, and Kasahara in 2000 exploring pairings for IBE, marked the transition to viable systems.

Building on this foundation, subsequent developments in the early 2000s extended IBE's applicability. In 2002, Jeremy Horwitz and Ben Lynn introduced hierarchical IBE (HIBE), allowing structured delegation of key generation across identity hierarchies while maintaining security against collusion. During the mid-2000s, attribute-based encryption (ABE) emerged as a generalization, originating with Amit Sahai and Brent Waters' 2005 fuzzy IBE scheme, which enabled decryption based on attribute sets rather than exact identities.

Standardization gained traction in the 2020s, with the European Telecommunications Standards Institute (ETSI) releasing TR 103 719 in 2022 as a comprehensive guide to IBC algorithms, including performance comparisons to established schemes like ECDSA, to facilitate integration in secure communications. As of 2025, ongoing research emphasizes post-quantum secure variants of IBC, such as lattice-based IBE schemes resistant to quantum attacks, amid growing concerns over quantum threats to classical public-key cryptography.

Core Components

Private Key Generator Role

In identity-based cryptography (IBC), the Private Key Generator (PKG) serves as a trusted third party responsible for holding a master secret key and generating private keys for users based on their identities. This entity eliminates the need for traditional certificate authorities by directly deriving user-specific private keys from public identities, such as email addresses or domain names, ensuring seamless key management within the system.

During the setup phase, the PKG initializes the system by selecting a security parameter, such as the bit length of the underlying group, to generate the public system parameters and the corresponding master secret key. These parameters, including the master public key, are published for use in encryption and verification operations, while the master secret key remains securely held by the PKG to enable private key extraction for verified users. The trust model assumes the PKG operates in an honest-but-curious manner, correctly following the protocol but potentially attempting to learn additional information from observed data. Typically, a single PKG manages a defined namespace to ensure unique mappings and prevent collisions across users.

To address the key escrow inherent in a centralized PKG, researchers have explored mitigation through threshold schemes, where the master secret is distributed among multiple parties such that a quorum is required to produce private keys, or via distributed protocols that share the master secret without ever reconstructing it fully. These approaches mitigate escrow risks while preserving the core functionality of identity-linked key extraction.

Identity Derivation and Key Extraction

In identity-based cryptography, the public key is directly derived from an arbitrary-length identity string, such as an email address, eliminating the need for separate public key distribution. In pairing-based schemes, which form the basis for most practical implementations, this string is hashed using a cryptographic hash function to produce a fixed-length value, which is then mapped deterministically to a point on an elliptic curve, often via a MapToPoint or HashToPoint function. For instance, in the Boneh-Franklin scheme, the identity ID is first hashed to an element in a finite field excluding a small bad set, and then encoded to a point Q_{ID} in the group G_1 of prime order q, ensuring the mapping is efficient and suitable for elliptic curve operations. Alternative constructions, such as Cocks' quadratic residuosity-based scheme, map the identity to an element a modulo a composite M such that the Jacobi symbol (a/M) = +1, without elliptic curves.

The key extraction protocol begins with the user submitting their identity to the Private Key Generator (PKG) over a secure channel. The PKG then computes the corresponding private key as a function of the identity and its master secret, typically d_{ID} = s \cdot Q_{ID}, where s is the randomly chosen master secret and Q_{ID} is the hashed identity point. This yields a private key point in the group, which is delivered to the user without exposing the master secret, relying on the PKG's trusted computation.

Efficiency in key extraction is paramount for practical deployment, as the process must support rapid generation for numerous users; elliptic curve scalar multiplication, the core operation here, is computationally lightweight and scales well with hardware optimizations. The protocol is designed to be non-interactive from the user's perspective post-request, with the PKG performing all heavy lifting securely. Optionally, users can verify private key validity against public parameters using pairing-based checks, though this is not always required in basic schemes.

Collision resistance is ensured through the use of strong cryptographic hash functions in the identity-to-point mapping, making it computationally infeasible for an adversary to find distinct identities that hash to the same point, which would otherwise let one identity's private key decrypt or sign for another. This property underpins the uniqueness of public keys derived from identities, maintaining the integrity of the system even for human-readable strings of varying lengths.

Identity-Based Encryption

Basic IBE Algorithms

Identity-based encryption (IBE) is a type of public-key encryption where the public key for a user is derived directly from a unique identity string, such as an email address or name, allowing the recipient of a message to be specified by this identity without needing traditional public key certificates. In this framework, a trusted third party called the Private Key Generator (PKG) issues private keys to users based on their identities, simplifying key management compared to conventional public-key systems.

A basic IBE scheme comprises four main probabilistic polynomial-time (PPT) algorithms: Setup, Extract, Encrypt, and Decrypt. The Setup algorithm is executed by the PKG, taking as input a security parameter k and outputting public system parameters (including a description of the message space) and a master secret key. The Extract algorithm, also run by the PKG, takes the master secret key and an identity string ID to generate a private key d_{ID} corresponding to that identity. The Encrypt algorithm takes the public parameters, a message M from the message space, and a recipient identity ID to produce a ciphertext C. The Decrypt algorithm takes the private key d_{ID} and ciphertext C to recover the original message M. These algorithms ensure that encryption can be performed publicly using only the identity, while decryption requires the identity-specific private key issued by the PKG.

In the generic operational flow of IBE, the sender first computes a public value from the recipient's identity, typically Q_{ID} = H(ID) where H is a hash function mapping identities to a suitable mathematical group, and uses this value along with the public parameters to encrypt the message. Decryption then pairs the corresponding private key d_{ID} with the ciphertext to recover the plaintext, so the scheme's functionality relies on the secure extraction process.

The foundational security notion for basic IBE algorithms is IND-ID-CPA (indistinguishability under chosen-identity, chosen-plaintext attack), which models an adversary's ability to query private keys for chosen identities and encrypt chosen messages under chosen identities, while ensuring it cannot distinguish ciphertexts of two equal-length messages under a target identity. A prominent concrete instantiation of this generic structure is the Boneh-Franklin scheme, which achieves IND-ID-CPA security in the random oracle model based on the bilinear Diffie-Hellman assumption.

Boneh-Franklin Scheme Details

The Boneh-Franklin scheme, introduced in 2001, represents the first fully practical identity-based encryption (IBE) construction, relying on bilinear pairings for key derivation and message processing. The basic version achieves IND-ID-CPA (chosen-plaintext) security in the random oracle model under the bilinear Diffie-Hellman (BDH) assumption. The full version achieves chosen-ciphertext (IND-ID-CCA) security by incorporating additional components.

The scheme operates over groups G_1 and G_2 of prime order q, with a bilinear map \hat{e}: G_1 \times G_1 \to G_2 based on the Weil pairing on supersingular elliptic curves over finite fields. This pairing satisfies bilinearity (\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}), non-degeneracy, and computability, allowing identities to be mapped directly to points in G_1.

In the setup phase, given a security parameter k, the private key generator (PKG) selects a large prime q and constructs groups G_1 and G_2 with a generator P \in G_1. A random master secret s \in \mathbb{Z}_q^* is chosen, and the corresponding public value is computed as P_{pub} = sP. Cryptographic hash functions are defined: H_1: \{0,1\}^* \to G_1^* to map identities to group elements, and H_2: G_2 \to \{0,1\}^n for message blinding, where n is the message length in bits. The public parameters are \langle q, G_1, G_2, \hat{e}, P, P_{pub}, H_1, H_2 \rangle, while the master key remains s. This setup ensures that public keys are derivable from identities without certificates.

Key extraction for a user with identity ID proceeds as follows: compute Q_{ID} = H_1(ID) \in G_1, then generate the private key d_{ID} = s Q_{ID} \in G_1. The PKG securely distributes d_{ID} to the user, enabling decryption without traditional certificates.

Encryption of a message M \in \{0,1\}^n to identity ID involves computing Q_{ID} = H_1(ID) and selecting a random r \in \mathbb{Z}_q^*. The ciphertext is formed as C = \langle U = rP, V = M \oplus H_2(\hat{e}(Q_{ID}, P_{pub})^r) \rangle, where \oplus denotes bitwise XOR. This structure blinds the message using the pairing value raised to r, leveraging the bilinearity to align with the recipient's private key.

Decryption, given ciphertext C = \langle U, V \rangle and private key d_{ID}, computes \hat{e}(d_{ID}, U) = \hat{e}(s Q_{ID}, rP) = \hat{e}(Q_{ID}, P_{pub})^r by bilinearity, then recovers M = V \oplus H_2(\hat{e}(d_{ID}, U)). For security against chosen-ciphertext attacks, the full version incorporates additional hash functions H_3 and H_4 to include a random value \sigma and a verification step, ensuring resistance to ciphertext malleation.

The scheme's efficiency stems from requiring only one pairing computation each for encryption and decryption, comparable to ElGamal in terms of group operations, with ciphertext overhead limited to two elements of G_1 plus a bit string. Its security reduces to the hardness of the BDH problem: given \langle P, aP, bP, cP \rangle \in G_1^4, it is computationally infeasible to compute \hat{e}(P, P)^{abc} \in G_2.

Identity-Based Signatures

IBS Construction Principles

Identity-based signatures (IBS) are schemes in which the signer's public key is directly derived from an identifiable string representing their identity, such as an email address or name, allowing verification without the need for public key infrastructure (PKI) certificates. This approach, first proposed by Adi Shamir in 1984, enables users to authenticate messages and prove authorship while relying on a trusted authority for key generation. The primary benefit is simplified key management, as identities serve as public keys, reducing overhead in distributed systems.

A standard IBS scheme comprises four probabilistic polynomial-time algorithms. The Setup algorithm, on input a security parameter 1^k, outputs a master public key mpk and a master secret key msk. The Key Extraction (or KeyDer) algorithm uses msk and an identity id to derive a user secret key usk. The Sign algorithm takes usk and a message M to produce a signature \sigma. The Verify algorithm accepts mpk, id, M, and \sigma, outputting 1 if the signature is valid and 0 otherwise. These components mirror those in identity-based encryption but adapt them for signature generation and verification rather than encryption and decryption.

The security of IBS schemes is formalized by the existential unforgeability under chosen-identity and chosen-message attacks (EUF-ID-CMA) model. In this model, an adversary \mathcal{A} interacts with oracles for key extraction on identities and signature generation on messages, aiming to forge a valid signature \sigma^* on a new message M^* for a previously unqueried identity id^*. The scheme is secure if \mathcal{A}'s success probability is negligible in the security parameter k. This model, introduced by Bellare, Namprempre, and Neven in 2004, ensures robustness against adaptive adversaries who can choose identities and messages dynamically.

At their core, IBS constructions bind messages to identities using cryptographic mechanisms like hash functions or bilinear pairings, ensuring that only the legitimate holder of the identity-derived private key can produce valid signatures, thereby providing authenticity and non-repudiation. Many practical IBS schemes rely on bilinear pairings for efficient verification, leveraging pairing-friendly elliptic curves to compute signature validity without explicit public keys. The key generation center (KGC) holds the master secret, introducing inherent key escrow but enabling seamless identity-based authentication.

In contrast to identity-based encryption (IBE), which focuses on confidentiality by allowing encryption to arbitrary identities and secure decryption, IBS prioritizes forgery resistance and non-malleability to enforce authenticity and integrity. While IBE schemes emphasize security against chosen-ciphertext attacks, IBS constructions target unforgeability, often under weaker computational assumptions, leading to more diverse and practical realizations since Shamir's original proposal. This distinction highlights IBS's suitability for scenarios where verification efficiency is paramount over secrecy.

Waters Signature Scheme

The Waters signature scheme, introduced by Brent Waters in 2006, is a prominent identity-based signature (IBS) construction that leverages bilinear pairings for efficient operation and provable security. It builds on the Waters identity-based encryption framework but adapts it for signatures, using hash functions F and H to map identities and messages, respectively, to points in G. This approach enables short signatures consisting of three group elements and supports full security without random oracles, distinguishing it from earlier random oracle-based schemes. The scheme has had high impact, serving as a foundation for hierarchical and aggregate signatures.

The setup algorithm takes a security parameter k and generates a bilinear group G of prime order p > 2^k with pairing e: G × G → G_T. A generator g is chosen, random α ∈ Z_p is selected, and g1 = g^α is computed. A random g2 ∈ G is chosen, along with random u' ∈ G and a vector U = (u_1, ..., u_n) ∈ G^n for hashing n-bit identities, and random m' ∈ G and a vector M = (m_1, ..., m_l) ∈ G^l for hashing l-bit messages. The public parameters are (G, e, p, g, g1, g2, u', U, m', M), and the master secret key is g2^α ∈ G. The hash functions are defined as F(ID) = u' · ∏_{i: ID_i = 1} u_i ∈ G for identity ID ∈ {0,1}^n and H(M) = m' · ∏_{j: M_j = 1} m_j ∈ G for message M ∈ {0,1}^l.

Key extraction for an identity ID computes the point P = F(ID) ∈ G. The private key generator chooses random r ∈ Z_p and outputs the private key d_ID = (g2^α · P^r, g^r) ∈ G × G. This pair allows the user to generate signatures for messages while embedding the identity information. The process requires one exponentiation in G per key, making it efficient for the PKG.

To sign a message M under identity ID, the signer uses its private key d_ID = (A, B) = (g2^α · P^r, g^r), where P = F(ID). Compute Q = H(M) ∈ G. Choose random r_m ∈ Z_p and compute V = A · Q^{r_m} ∈ G, R1 = B ∈ G, R2 = g^{r_m} ∈ G. The signature is σ = (V, R1, R2). This signing process involves one exponentiation in G for Q^{r_m} and one multiplication, resulting in constant-time computation independent of message length.

Verification of σ = (V, R1, R2) on M under ID checks the equation e(V, g) \stackrel{?}{=} e(g2, g1) \cdot e(F(ID), R1) \cdot e(Q, R2), where Q = H(M). This requires three pairing computations and four group multiplications in G, confirming the signer's possession of d_ID without revealing it. The equation holds by bilinearity: the left side is e(g, V) = e(g, g2)^α · e(g, F(ID))^r · e(g, Q)^{r_m}, which equals the right side e(g2, g1) · e(F(ID), g^r) · e(Q, g^{r_m}).

The scheme's security is proven existentially unforgeable under chosen-message and chosen-identity attacks in the standard model, with a tight reduction to the computational Diffie-Hellman assumption in G. The proof constructs a simulator that embeds a CDH instance (g, g^a, g^b) into g2 = g^a (simulating the master secret) and handles extract and sign queries by reprogramming the hash points or using zero-knowledge techniques to keep the simulation consistent. No setup assumptions are required beyond standard bilinear groups, and the reduction loses only a constant factor.

Key advantages include a signature size of three group elements (constant regardless of identity or message length), provable security without random oracles, and compatibility with hierarchical extensions for advanced applications like broadcast encryption. These features have made it a seminal construction in pairing-based IBS, influencing subsequent works on short and aggregate signatures.

Security Foundations

Security Models and Definitions

Security models for identity-based cryptography (IBC) are formalized using game-based definitions that capture the capabilities of adversaries attempting to break the confidentiality or unforgeability of schemes. For identity-based encryption (IBE), the standard notion is indistinguishability under chosen-identity and chosen-plaintext attack (IND-ID-CPA), where an adversary interacts with a challenger in a two-phase game. In Phase 1, the adversary adaptively selects identities and queries the private key generator (PKG) for the corresponding private keys, excluding a target identity. The challenger then selects a random bit b and provides an encryption of one of two chosen plaintexts under the target identity to the adversary. In Phase 2, the adversary continues key queries for non-target identities and must guess b; the scheme is secure if its advantage is negligible in the security parameter. This model ensures security against chosen-identity attacks, where the adversary chooses arbitrary identities but cannot obtain the target private key.

To achieve stronger chosen-ciphertext attack (CCA) security (IND-ID-CCA), the IND-ID-CPA game is extended with decryption oracle access, allowing the adversary to submit ciphertexts (except the challenge) for decryption, while maintaining restrictions on the target identity. Constructions often lift CPA-secure IBE to CCA security using chameleon hash functions, which allow the simulator holding a trapdoor to produce consistent collisions without revealing information, or message authentication codes (MACs) for integrity checks on ciphertexts. These techniques prevent adaptive chosen-ciphertext attacks by ensuring invalid or tampered ciphertexts are rejected without leaking decryption details.

IBC security models distinguish between adaptive-ID security, where the adversary selects the target identity after initial queries, and selective-ID security, where the adversary commits to the target identity upfront before any interaction. Selective-ID models are weaker and easier to achieve, implying adaptive-ID security only via complexity leveraging with a large loss, whereas adaptive-ID provides stronger protection against fully flexible adversaries. In hierarchical identity-based encryption (HIBE), models incorporate key delegation oracles, allowing the adversary to request private keys for identities at lower hierarchy levels while excluding the target identity and its ancestors, so the target key cannot be derived by delegation.

For identity-based signatures (IBS), the core security notion is existential unforgeability under chosen-message and chosen-identity attack (EUF-ID-CMA), formalized as a game where the adversary adaptively queries signatures and private keys for various identities and messages, then outputs a forgery: a valid signature on a previously unsigned message-identity pair for an identity whose key was never extracted. The scheme is secure if every polynomial-time adversary produces such a forgery with only negligible probability. This model captures chosen-identity attacks and supports multi-user settings with collusion resistance, where the adversary controls multiple corrupt users but cannot forge signatures for honest ones beyond the queried information. Standard notations bound adversaries by query complexity q, such as q-bounded security where advantages are analyzed for at most q key or signature queries, facilitating reductions to underlying assumptions like the bilinear Diffie-Hellman problem.

Underlying Mathematical Assumptions

Identity-based cryptography (IBC) predominantly relies on the hardness of problems involving bilinear pairings for its security foundations. A bilinear pairing is a map e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T, where \mathbb{G}_1, \mathbb{G}_2, and \mathbb{G}_T are cyclic groups of prime order q, typically constructed from elliptic curves via the Weil or Tate pairing. The pairing satisfies three key properties: bilinearity, meaning e(aP, bQ) = e(P, Q)^{ab} for all scalars a, b \in \mathbb{Z}_q and points P \in \mathbb{G}_1, Q \in \mathbb{G}_2; non-degeneracy, ensuring e(P, Q) \neq 1 for generators P and Q; and efficient computability, allowing the map to be evaluated in polynomial time. These properties enable the direct use of identities in cryptographic operations without certificate management, as seen in foundational schemes.

The primary hardness assumption for pairing-based IBC is the Bilinear Diffie-Hellman (BDH) problem. In the symmetric setting where \mathbb{G}_1 = \mathbb{G}_2 = \mathbb{G}, the BDH assumption states that, given a generator P \in \mathbb{G} and elements aP, bP, cP \in \mathbb{G} for random a, b, c \in \mathbb{Z}_q, it is computationally infeasible to compute e(P, P)^{abc} \in \mathbb{G}_T. For asymmetric pairings, where \mathbb{G}_1 \neq \mathbb{G}_2, a variant known as the BDH2 assumption applies similarly, positing the hardness of computing e(P_1, P_2)^{abc} from P_1 \in \mathbb{G}_1, P_2 \in \mathbb{G}_2, aP_1, bP_1, and cP_2. These assumptions underpin the security reductions for many IBC protocols, ensuring that breaking the scheme implies solving the BDH problem.

Not all IBC schemes depend on pairings; Clifford Cocks introduced a pairing-free identity-based encryption scheme based on the Quadratic Residuosity Assumption (QRA) in \mathbb{Z}_n^*, where n = pq with large primes p and q both congruent to 3 modulo 4. The QRA posits that, given a composite n and an element x \in \mathbb{Z}_n^* with Jacobi symbol +1, it is computationally hard to determine whether x is a quadratic residue modulo n without knowledge of the factorization of n. This assumption allows encryption directly using identities interpreted as elements of \mathbb{Z}_n^*, with the factorization of n serving as the master secret for decryption-key extraction.

Pairing-based IBC faces significant post-quantum challenges, as the underlying discrete logarithm problem is vulnerable to quantum attacks via Shor's algorithm. Emerging alternatives include lattice-based constructions, such as those relying on the Learning With Errors (LWE) problem, which offer quantum resistance; for instance, the first standard-model lattice-based IBE scheme was proposed in 2009 using LWE hardness. Subsequent research has further advanced compact and efficient lattice-based IBC variants, addressing efficiency concerns in post-quantum settings.

Many security proofs for IBC schemes, including the Boneh-Franklin construction, are conducted in the random oracle model (ROM), where hash functions are idealized as random oracles—perfectly random functions accessible to all parties. In the ROM, proofs demonstrate security by reducing scheme breakage to the underlying hardness assumptions, such as BDH, through oracle reprogramming techniques; however, this model assumes idealized hashing, which may not hold for real hash functions.

Applications

Practical Use Cases

Identity-based cryptography (IBC) finds application in Internet of Things (IoT) environments, particularly for constrained devices where a traditional public key infrastructure (PKI) introduces excessive overhead from certificate management. By deriving public keys directly from device identities, such as serial numbers or network addresses, IBC enables lightweight authentication protocols suitable for resource-limited networks like smart grids, reducing computational and storage demands while maintaining security.

In email and cloud scenarios, IBC supports secure messaging and data sharing by leveraging user identities (e.g., email addresses) as public keys, eliminating the need for certificate exchanges. Experimental prototypes from the 2010s, such as Private WebMail integrated into a webmail client, demonstrated this capability, allowing seamless encryption and decryption tied to natural identifiers for enhanced usability in distributed storage and collaboration systems.

For vehicular networks, identity-based signatures facilitate vehicle-to-vehicle (V2V) communication by enabling rapid message authentication with minimal latency, critical for safety applications like collision avoidance. These schemes verify signatures using vehicle identities without relying on certificate revocation lists, supporting high-mobility environments in vehicular ad-hoc networks (VANETs). Emerging research prototypes incorporate IBC into blockchain systems for identity-linked transactions, where user identities bind to contracts for verifiable, decentralized exchanges without central authorities.

The ETSI Technical Report 103 719 from 2022 outlines IBC's potential in advanced telecommunications, such as mission-critical communications, to streamline key management and authentication. As of 2025, IBC adoption remains predominantly academic and research-oriented. This limited deployment stems from ongoing challenges in key escrow and revocation management, though IBC offers simplified key handling over PKI in these contexts.

Advantages in Modern Systems

Identity-based cryptography (IBC) eliminates the need for digital certificates in public key infrastructure (PKI), as public keys are directly derived from user identities such as email addresses or domain names, thereby removing requirements for certificate distribution, storage, and validation processes. This also obviates the need for certificate revocation lists (CRLs), which in traditional PKI can consume substantial network resources for dissemination and checking, leading to significant bandwidth savings in large-scale deployments. For instance, systems handling millions of users avoid the overhead of maintaining and querying extensive certificate directories, streamlining operations without compromising security.

A key usability benefit arises from the intuitive key generation process, where users do not need to generate or manage key pairs; instead, the private key is extracted by a trusted private key generator (PKG) using the user's identity, enabling seamless setups like encrypting to an email address before its owner has obtained a key. This user-centric approach reduces setup complexity and errors common in PKI, where enrollment and key management often require technical expertise, making IBC particularly suitable for non-expert environments.

In terms of scalability, the centralized PKG in IBC simplifies enterprise-wide key management by handling all extractions from a master secret, while hierarchical extensions allow delegation to subdomain authorities, distributing load without proliferating trusted entities. This structure supports efficient delegation in organizational hierarchies, such as departments generating keys for subordinates, enhancing manageability for large networks compared to the decentralized certificate authorities in PKI.

IBC integrates readily with modern identity management systems by leveraging existing identity providers for key derivation, which shortens authentication protocols in resource-constrained settings like wireless and sensor networks. For example, in IoT deployments, this facilitates lightweight secure communications without the full PKI stack. Identity-based encryption (IBE) and identity-based signatures (IBS) provide security levels comparable to RSA and ECDSA under standard assumptions, and on pairing-optimized hardware, such as GPUs or devices with dedicated bilinear pairing accelerators, they exhibit lower overall computational overhead due to streamlined key usage and reduced protocol steps.

Limitations

Key Escrow and Trust Concerns

One of the primary challenges in identity-based cryptography (IBC) is the key escrow problem, where the private key generator (PKG) possesses the master secret key and can thus compute the private key for any user's identity. This capability allows the PKG to decrypt any ciphertext intended for that user or forge signatures on their behalf, creating a single point of compromise that undermines user privacy and security. The inherent nature of IBC, as introduced by Shamir in 1984 and realized in practical schemes like Boneh-Franklin in 2001, necessitates complete trust in the PKG, as it controls all private key generation without user involvement.

To address these risks, IBC trust models often separate an offline component holding the master secret key, kept air-gapped and rarely used, from an online key extraction service that generates keys using material derived from the master key. This design mitigates some threats by limiting the master key's exposure during routine operations, though it does not eliminate insider attacks, where a malicious operator could misuse the system to extract and distribute keys undetected. Compromise of the PKG, such as through theft of the master key, could enable widespread decryption or impersonation, amplifying risks in scenarios with a global or centralized PKG serving diverse user populations.

Mitigation strategies include threshold-based multi-PKG systems, where the master secret is shared among multiple parties using schemes like Shamir's secret sharing, requiring a threshold of parties (e.g., t+1 out of n) to reconstruct keys and preventing any single entity from escrowing them; these build on 1990s proposals like Pedersen's distributed key generation but introduce complexity in coordination and asynchronous protocols. Hybrid approaches, such as certificateless cryptography, combine IBC with user-generated partial keys to eliminate full key escrow, allowing users to contribute to their private keys while retaining identity-based public keys, though they increase computational overhead.

Regulatory concerns arise in privacy-sensitive domains, where key escrow may conflict with principles like data minimization and user control under regulations such as the EU's General Data Protection Regulation (GDPR). This escrow model also contrasts with emerging self-sovereign identity (SSI) paradigms, which emphasize user-centric control and decentralized key management to avoid central authorities' overreach. To date, no major historical incidents of PKG compromise have been publicly reported in deployed IBC systems, reflecting their limited large-scale adoption; however, theoretical risks are heightened in global PKG deployments, where a single breach could affect millions, underscoring the need for robust mitigations.
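The threshold multi-PKG mitigation described above, as an added example that is not code from the page or from any cited scheme: the master secret s is Shamir-shared among five PKG nodes, any three nodes return partial keys Q_ID^{s_i}, and the user combines them with Lagrange coefficients in the exponent, so the full s is never reconstructed anywhere. To run without a pairing library, the pairing group of a Boneh-Franklin-style PKG is replaced by a prime-order subgroup of Z_p^* with constructed toy parameters; the hash-to-group and all helper names are assumptions of this example.

```python
"""Threshold PKG for identity-based key extraction (added example, constructed values)."""
import hashlib
import secrets
from typing import Dict, Iterable

P = 1019   # constructed toy safe prime, P = 2*Q + 1 (stand-in for the pairing group)
Q = 509    # prime order of the subgroup generated by G
G = 4      # a quadratic residue mod P, hence a generator of the order-Q subgroup


def hash_identity(identity: str) -> int:
    """Map an identity string to a subgroup element Q_ID (stands in for the
    hash-to-group function of pairing-based IBE)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q
    return pow(G, h or 1, P)


def share_master_secret(s: int, threshold: int, n: int) -> Dict[int, int]:
    """Shamir-share s among PKG nodes 1..n; any `threshold` shares determine s."""
    coeffs = [s] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def partial_key(share: int, q_id: int) -> int:
    """One node's contribution Q_ID^{s_i}; it reveals neither s_i nor s."""
    return pow(q_id, share, P)


def lagrange_coeff(i: int, indices: Iterable[int]) -> int:
    """Lagrange coefficient at x = 0 for node i over the participating nodes."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def combine(partials: Dict[int, int]) -> int:
    """Combine >= threshold partial keys into d_ID = Q_ID^s, working in the
    exponent so that s itself is never assembled."""
    idx = list(partials)
    d = 1
    for i, part in partials.items():
        d = d * pow(part, lagrange_coeff(i, idx), P) % P
    return d


def extract_threshold(identity: str, shares: Dict[int, int],
                      nodes: Iterable[int]) -> int:
    """Private key for `identity` obtained from the nodes listed in `nodes`."""
    q_id = hash_identity(identity)
    return combine({i: partial_key(shares[i], q_id) for i in nodes})


def full_key(identity: str, s: int) -> int:
    """Reference value: what a single escrowing PKG holding s would compute."""
    return pow(hash_identity(identity), s, P)
```

Fewer than the threshold number of nodes cannot produce the key, and no node ever sees another node's share, which is exactly the property that removes the single point of compromise.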

Revocation and Scalability Issues

One significant challenge in identity-based cryptography (IBC) is user revocation, as standard schemes lack an efficient mechanism to revoke compromised identities without re-issuing private keys for all remaining users or relying on broadcast encryption extensions. In basic identity-based encryption (IBE), revocation typically requires updating the system's master secret or incorporating time-based identities, such as appending an expiry date to the user's identity string (e.g., "[email protected]|2025-12-31"), which forces periodic key re-extraction but limits flexibility for immediate per-user revocation. To address this, Boldyreva, Goyal, and Kumar introduced revocable IBE in 2008, enabling efficient revocation by combining IBE with broadcast encryption techniques, where revoked users are excluded via subset difference methods without affecting non-revoked keys, though this increases ciphertext size for large revocation lists.

Scalability issues arise primarily from the private key generator (PKG), which serves as a central bottleneck for key extraction requests in large-scale deployments involving millions of users, as each extraction demands direct interaction with the PKG and computation of user-specific private keys from the master secret. Hierarchical identity-based encryption (HIBE), proposed by Horwitz and Lynn in 2002, mitigates this by distributing key generation across a hierarchy of PKGs, where lower-level domains generate keys for their users using delegated partial secrets, improving scalability in organizational settings like enterprises but introducing added complexity in key delegation and potential trust risks among hierarchical nodes. Despite these advancements, the PKG's ongoing role in initial setup and updates can still strain resources in global systems.

Performance overhead in IBC stems from the reliance on bilinear pairing computations, which are significantly slower than standard elliptic curve operations on legacy hardware, equivalent to approximately seven point multiplications on certain resource-constrained devices due to the intensive field arithmetic involved in pairing evaluations. This computational burden is particularly acute in resource-constrained environments, limiting IBC's suitability for high-throughput applications. Additionally, the vulnerability of pairing-based schemes to quantum attacks necessitates migration to post-quantum alternatives, such as lattice-based constructions, which replace pairings with harder-to-compute problems but may introduce their own overhead in key sizes and encryption times.

Deployment barriers further hinder IBC's practical use, including the absence of fully ratified international standards beyond preliminary technical reports, such as ETSI TR 103 719 (2022), which provides guidance on IBC primitives but lacks binding specifications for interoperable implementations. This results in compatibility challenges with existing public key infrastructures (PKI), where IBC's elimination of certificates conflicts with legacy systems requiring X.509 certificate formats, exacerbating integration costs in hybrid environments. Related trust issues, like key escrow at the PKG, compound these barriers by amplifying concerns over centralized control.

Ongoing research addresses these limitations through enhanced revocable IBE schemes and scalable lattice-based variants; for instance, Boldyreva et al.'s framework has inspired constant-size key updates in revocable systems, while 2025 developments in lattice-based IBE, such as adaptively secure constructions with reduced modulus sizes, promise quantum-resistant IBC without pairing overhead. These efforts focus on integrated revocation models that maintain constant key sizes and workload, paving the way for broader deployment.
