Identity-based encryption

Identity-based encryption (IBE) is a form of public-key cryptography in which a user's public key is an arbitrary string derived from their identity, such as an email address or name, thereby eliminating the need for digital certificates and their distribution. Introduced by Adi Shamir in 1984 within the broader framework of identity-based cryptosystems, IBE aims to simplify key management by allowing encryption directly under the recipient's identity information. The concept relies on a trusted authority known as the Private Key Generator (PKG), which computes and distributes private keys corresponding to user identities while holding a master secret key. The first practical and fully functional IBE scheme, achieving chosen-ciphertext security in the random oracle model, was proposed by Dan Boneh and Matthew Franklin in 2001, building on bilinear pairings over elliptic curves and assuming the hardness of a variant of the computational Diffie-Hellman problem (the bilinear Diffie-Hellman problem).

An IBE scheme operates through four core algorithms: Setup, which initializes public parameters and the PKG's master key; KeyGen (or Extract), which generates a private key from a user's identity string; Encrypt, which produces a ciphertext using the recipient's identity and the system parameters; and Decrypt, which recovers the plaintext using the corresponding private key. This structure enables encryption without prior key exchange, though it introduces challenges such as key escrow, where the PKG can decrypt any message; this is often addressed by threshold schemes that distribute trust among multiple parties.

IBE has significant applications in automated key management for email systems, secure group communications, and cloud storage services, reducing administrative overhead compared to traditional public-key systems. It has spurred advancements in related primitives, including hierarchical IBE for delegated key generation and attribute-based encryption for fine-grained access control. Ongoing research emphasizes post-quantum variants resistant to quantum attacks, with schemes based on lattice problems and other hardness assumptions emerging to ensure long-term security.

Introduction

Definition and Core Concepts

Identity-based encryption (IBE) is a variant of public-key cryptography in which the public key for a user is an arbitrary string derived from the user's identity, such as an email address, a name, or another identifier, rather than a randomly generated value. This approach eliminates the need for users to generate and distribute their own public keys, simplifying key management in cryptographic systems. The concept was first proposed by Adi Shamir in 1984 as a way to facilitate secure communication without traditional key-distribution infrastructures.

Central to IBE is the Private Key Generator (PKG), a trusted third party responsible for initializing the system and issuing private keys to users. The PKG performs a setup to generate global public parameters and a master secret key, which remains private to it. Upon a user's request, authenticated via their identity, the PKG uses the master key to extract and provide the corresponding private decryption key. In the basic workflow, a sender encrypts a message solely using the recipient's identity string and the public parameters, producing a ciphertext. The recipient then obtains their private key from the PKG and uses it to decrypt the ciphertext, ensuring secure delivery without prior key exchange.

Unlike standard public-key encryption (PKE), where users independently generate key pairs and public keys are certified through a public key infrastructure (PKI), IBE derives public keys directly from identities, centralizing key generation at the PKG and introducing inherent key escrow. The core algorithms of an IBE scheme operate abstractly as follows: Setup produces the public parameters and master key; Extract generates a private key from an identity using the master key; Encrypt creates a ciphertext from a message and an identity; and Decrypt recovers the message from a ciphertext using the private key, with the consistency requirement that decryption inverts encryption correctly. This structure supports intuitive encryption based on human-readable identifiers while relying on the PKG's trustworthiness for security.

Historical Development

The concept of identity-based encryption (IBE) was first proposed by Adi Shamir in 1984 during his presentation at the CRYPTO conference, where he introduced the idea of using a user's identity as its public key to simplify key management in public-key cryptography. He provided a full construction only for identity-based signatures and left encryption as an open problem. This open challenge remained unresolved for over a decade until 2001, when two independent constructions realized fully functional IBE schemes: the Boneh-Franklin scheme, which relied on bilinear pairings over elliptic curves for efficiency, and the Cocks scheme, which used quadratic residues modulo a composite for a pairing-free alternative. In 2002, Horwitz and Lynn extended the Boneh-Franklin framework to propose hierarchical IBE (HIBE), allowing key delegation across multiple levels of a hierarchy to support scalable key management without requiring a single fully trusted central authority.

The mid-2000s saw further innovations building on these foundations, including the introduction of fuzzy IBE by Sahai and Waters in 2005, which tolerated partial matches in identities to enable applications such as biometric identities, and its generalization to attribute-based encryption (ABE), which allowed fine-grained access policies based on attributes rather than single identities. Entering the 2010s, research shifted toward post-quantum security amid growing concerns over quantum computing threats. Lattice-based IBE emerged around 2008 through Gentry, Peikert, and Vaikuntanathan's work on lattice trapdoor functions, which enabled the first such schemes in the random oracle model, followed by Agrawal, Boneh, and Boyen's 2010 construction achieving security in the standard model. This momentum accelerated after 2015, driven by the National Institute of Standards and Technology's (NIST) initiation of post-quantum cryptography standardization efforts in 2016, which prioritized lattice-based primitives like Learning With Errors (LWE) for their quantum resistance.
In the 2020s, developments have focused on enhancing practicality for real-world deployment, including efficient revocable lattice-based IBE schemes; for instance, a 2024 LWE-based online/offline IBE construction reduced online computation overhead by up to 80% through precomputation. Additionally, IBE has been integrated with blockchain technologies for privacy-preserving applications in decentralized systems.
| Year | Milestone | Key contributors | Reference |
|------|-----------|------------------|-----------|
| 1984 | Proposal of IBE concept (signatures only) | Shamir | CRYPTO 1984 |
| 2001 | First full IBE using bilinear pairings | Boneh, Franklin | CRYPTO 2001 |
| 2001 | First full IBE using quadratic residues | Cocks | IMA 2001 |
| 2002 | Introduction of hierarchical IBE (HIBE) | Horwitz, Lynn | Eurocrypt 2002 |
| 2005 | Fuzzy IBE and path to ABE | Sahai, Waters | Eurocrypt 2005 |
| 2008 | First lattice-based IBE (random oracle model) | Gentry, Peikert, Vaikuntanathan | STOC 2008 |
| 2010 | Lattice-based IBE in the standard model | Agrawal, Boneh, Boyen | Eurocrypt 2010 |
| 2016 | NIST post-quantum standardization begins, boosting lattice IBE | NIST | NIST PQC |
| 2024 | Efficient LWE-based online/offline IBE | Zuo et al. | Information 2024 |

Applications and Comparisons

Practical Usage

Identity-based encryption (IBE) has found practical application in email systems, where it enables encryption directly to a recipient's identity, such as an email address like user@example.com, eliminating the need for certificate distribution and management. This approach simplifies encryption by allowing senders to use the recipient's email address as the public key, with private keys generated by a trusted authority. Voltage Security, since acquired, pioneered commercial IBE products in the early 2000s, including Voltage SecureMail, which powered email encryption for enterprises and was validated under NIST's Cryptographic Algorithm Validation Program for integration into applications.

In Internet of Things (IoT) environments, IBE facilitates secure messaging by using device identities, such as unique IDs or MAC addresses, as public keys for encryption between constrained devices. This reduces overhead in resource-limited settings, enabling lightweight authentication and data protection without the complexities of a traditional public key infrastructure (PKI). For instance, IBE schemes have been implemented to secure communications among IoT objects, supporting scalable deployment in networks with thousands of devices.

For cloud storage access control, IBE supports time-bound identities by incorporating expiration parameters into user identities, allowing encrypted data to be accessible only within specified periods without re-encryption. This is particularly useful for temporary sharing, where revocation mechanisms ensure keys expire automatically, enhancing security in shared environments. Revocable IBE variants enable fine-grained control, such as outsourcing revocation computations to servers to minimize the private key generator's (PKG) workload. In e-health applications, IBE enables secure patient data sharing by encrypting records to healthcare provider identities, bypassing PKI for decentralized systems.
Recent revocable IBE schemes, developed around 2025, integrate with blockchain technologies for electronic health records in the Internet of Medical Things (IoMT), allowing patient-controlled access and efficient revocation without central authorities. These pilots, inspired by NIST's post-quantum efforts, explore lattice-based IBE for quantum-resistant encryption in smart healthcare. Additionally, as of July 2025, the Internet Computer platform integrated IBE via its vetKeys feature, allowing encryption to identities like principals or addresses for secure decentralized applications.

Practical key management in IBE relies on secure channels for delivering private keys from the PKG to users, often via methods like authenticated secure sessions or hardware tokens, to prevent interception. Outsourcing operations, such as key generation and revocation, to cloud providers reduces the computational burden on the central authority while maintaining security through verifiable computations, as demonstrated in cloud-integrated IBE deployments. Compared to traditional PKI, this simplifies deployment by avoiding certificate lifecycle management.

Comparison with Traditional PKI

Traditional public-key infrastructure (PKI) relies on a hierarchical trust model where users generate asymmetric key pairs, and certificate authorities (CAs) issue digital certificates to bind public keys to verified identities, ensuring authenticity and enabling trust. This setup necessitates ongoing management of certificates, including issuance, distribution via directories, and validation through protocols like the Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs) to handle compromised keys. Distribution occurs through certificate repositories, while revocation involves publishing lists or querying status in real time, which can impose significant computational and network overhead as the number of users grows.

In contrast, identity-based encryption (IBE) eliminates the need for certificates by deriving public keys directly from identities, such as email addresses, allowing encryption without certificate validation or directory lookups. A private key generator (PKG), analogous to a CA but centralized, authenticates users and extracts the corresponding private keys upon request, shifting key generation from the individual user to a trusted authority. This introduces key escrow, where the PKG holds the master secret and can potentially decrypt any ciphertext, unlike traditional PKI, in which only the user holds the private key. Scalability in IBE improves by removing certificate issuance and validation steps, reducing administrative overhead for large systems; however, it centralizes trust in the PKG, creating a single point of failure or compromise not present in PKI's distributed key generation.

For revocation, PKI employs CRLs (periodically updated lists of invalid certificates) or OCSP queries for on-demand status checks, both scaling linearly with the user base and requiring sender-side checks. IBE revocation mechanisms differ, often incorporating time-based identities (e.g., appending expiration dates) for natural key expiry, or hierarchical IBE (HIBE) for delegated revocation without full reissuance; advanced schemes use broadcast encryption or tree structures to update keys logarithmically for non-revoked users.
Hybrid approaches integrate IBE with traditional PKI to mitigate weaknesses, such as using PKI for high-level trust anchors and IBE for user-level encryption to ease migration during transitions, or certificate-based schemes that combine explicit certificates with identity-derived keys. These hybrids preserve PKI's distributed trust while leveraging IBE's simplicity, though they introduce compatibility challenges in key binding and synchronization.
| Aspect | Traditional PKI | Identity-Based Encryption (IBE) |
|--------|-----------------|----------------------------------|
| Key generation | Users generate key pairs; CA issues certificates after verification. | PKG generates private keys from identities after authentication; no user key generation needed. |
| Key distribution | Certificates published in directories; recipients validate via chains/CRLs. | Private keys delivered securely to users; public keys are identities (no distribution). |
| Revocation | CRLs (periodic lists) or OCSP (real-time queries); sender checks status. | Time-based identities, HIBE delegation, or tree-based updates; PKG manages revocation without sender checks. |

Technical Framework

Protocol Components

An identity-based encryption (IBE) scheme is defined by four core algorithms that enable the use of arbitrary strings as public keys while ensuring secure key delegation by a trusted authority known as the Private Key Generator (PKG). These algorithms, Setup, Extract, Encrypt, and Decrypt, form the operational backbone of any IBE system, allowing users to encrypt messages to identities without prior key exchange. The design ensures that private keys are efficiently derivable from identities and the PKG's master secret, maintaining compatibility with standard public-key primitives.

Setup algorithm. This algorithm is run once by the PKG to initialize the IBE system. It takes a security parameter k as input and generates public parameters (params), which include cryptographic group descriptions (e.g., elliptic curve parameters, bilinear maps), hash functions tailored to the scheme (such as mappings from identities to group elements), and a public master key derived from a randomly chosen secret. It also outputs a master secret key (msk), which remains private to the PKG and enables private key generation for all users. The process ensures the parameters are consistent across all subsequent operations. Computationally, the setup runs in time polynomial in k, typically involving a constant number of group element generations and hash initializations, making it efficient for system deployment.

Extract algorithm. Executed by the PKG upon user request, this algorithm derives a user-specific private key from an identity string ID (e.g., an email address). It takes as inputs the public parameters, the master secret key, and the identity ID, then outputs a private key d_{\text{ID}} that mathematically binds to ID. The derivation often involves hashing ID to a point in the cryptographic group and multiplying it by the master secret, ensuring correctness and security under the scheme's assumptions. Users receive d_{\text{ID}} over a secure channel, typically out of band, eliminating the need for certificate management.
In terms of efficiency, extraction requires a constant number of group operations, such as one scalar multiplication, computable in O(\log^3 p) time for a p-bit group order in pairing-based constructions, supporting thousands of keys per second on standard hardware.

Encrypt algorithm. Performed by the sender, this encrypts a message M intended for recipient ID. It takes the public parameters, ID, and M as inputs, then produces a ciphertext C that can be sent over an insecure channel. The encryption leverages the public parameters and a hash of ID to create the ciphertext without requiring the recipient's private key, often using techniques analogous to those of conventional public-key encryption adapted for identities. The output is typically compact, consisting of a few group elements and message components. Efficiency-wise, encryption involves a constant number of group exponentiations and pairing evaluations, also in O(\log^3 p) time, enabling high-throughput message protection comparable to traditional public-key schemes.

Decrypt algorithm. Run by the recipient, this deterministic algorithm recovers the plaintext from a ciphertext. It takes the public parameters, the ciphertext C, and the recipient's private key d_{\text{ID}} as inputs, then outputs the message M. The decryption computes pairings or maps involving d_{\text{ID}} to invert the encryption process, verifying the identity binding implicitly. Like encryption, it requires a constant number of group operations, achieving O(\log^3 p) time complexity and supporting decryption rates suitable for real-time applications.

The IBE protocol satisfies a correctness property, ensuring reliable decryption under valid keys. Formally, for all security parameters k, identities ID, messages M, public parameters params generated by Setup, and private keys d_{\text{ID}} output by Extract,

\text{Decrypt}(\text{params}, \text{Encrypt}(\text{params}, \text{ID}, M), d_{\text{ID}}) = M.

This property holds over the randomness used in encryption, guaranteeing that legitimate decryptions return the original plaintext. Proofs of correctness follow directly from the algebraic properties of the underlying groups and hash functions in specific constructions. Overall, these components achieve IND-CPA security under standard assumptions like the bilinear Diffie-Hellman problem, with efficiencies scaling well for practical deployments.

Security Models and Properties

The security of identity-based encryption (IBE) schemes is typically analyzed through formal models that capture adversaries' capabilities in extracting information from ciphertexts while interacting with the system. The standard security notion is indistinguishability under chosen-identity and chosen-plaintext attack (IND-ID-CPA), which ensures that an adversary cannot distinguish between encryptions of two equal-length messages for a target identity, even after adaptively querying the private key generator (PKG) for the private keys of other identities and obtaining encryptions of chosen plaintexts. In this model the adversary never receives the private key for the challenge identity. The PKG itself, however, holds the master secret and can derive every user's private key, so it can decrypt any message in the system; this key escrow property is inherent to IBE.

The IND-ID-CPA security game is formally defined as an interaction between a challenger and an adversary \mathcal{A}. In the setup phase, the challenger runs the IBE Setup algorithm to produce the system parameters and the PKG's master secret, and gives the parameters to \mathcal{A}. The adversary then performs an adaptive query phase, submitting extraction queries for the private keys of chosen identities (other than the eventual challenge identity) and requesting encryptions of chosen plaintexts under any identities. In the challenge phase, \mathcal{A} selects a target identity ID^* (for which it has not queried the private key) and two equal-length messages m_0, m_1; the challenger picks a random bit b, encrypts m_b under ID^*, and sends the ciphertext to \mathcal{A}. Finally, in the guess phase, \mathcal{A} outputs a guess b' for b, succeeding if b' = b. The adversary's advantage is its success probability minus 1/2, and security requires this advantage to be negligible in the security parameter.

Provable security for IBE schemes is established via reductions to well-studied computational assumptions.
Pairing-based constructions, such as the seminal Boneh-Franklin scheme, achieve IND-ID-CPA security in the random oracle model under the bilinear Diffie-Hellman (BDH) assumption, where the reduction shows that any adversary breaking the IBE yields an algorithm solving BDH instances with advantage related to the adversary's success probability. Lattice-based IBE variants, designed for post-quantum security, reduce to the Learning With Errors (LWE) assumption or variants like the inhomogeneous small integer solution (ISIS) problem, ensuring IND-ID-CPA security without relying on pairings. These reductions typically involve simulators that embed the assumption's challenge into the IBE setup, answer the adversary's queries consistently, and bound the adversary's advantage in terms of the assumption. Additional properties in IBE include collusion resistance in hierarchical extensions, where lower-level keys cannot be combined to forge higher-level master secrets, providing partial or total resistance depending on the depth. When extended to identity-based signatures, schemes achieve unforgeability under chosen-message attacks, often reduced to assumptions like computational Diffie-Hellman. Regarding quantum resistance, classical pairing-based IBE schemes are vulnerable to Shor's algorithm on quantum computers, as they rely on discrete logarithm problems over elliptic curves, whereas lattice-based variants offer security against quantum attacks because LWE is believed to remain hard even for quantum adversaries.

Specific Schemes

Pairing-Based Schemes

Pairing-based identity-based encryption (IBE) schemes leverage bilinear pairings on elliptic curves to enable efficient encryption and decryption tied to user identities. A bilinear pairing is a map e: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_T, where \mathbb{G}_1 is a group of prime order q written additively (typically a group of elliptic curve points) and \mathbb{G}_T is a multiplicative group of the same order q in a finite field extension. The pairing satisfies three key properties: bilinearity, e(aP, bQ) = e(P, Q)^{ab} for P, Q \in \mathbb{G}_1 and a, b \in \mathbb{Z}_q; non-degeneracy, so that e(P, P) generates \mathbb{G}_T when P generates \mathbb{G}_1; and computability, allowing efficient evaluation. These properties let trust move from certificate authorities to a private key generator (PKG) by embedding the master secret into pairing computations.

The seminal pairing-based IBE scheme, proposed by Boneh and Franklin in 2001, operates in the full identity model and supports messages in \mathbb{G}_T. In the Setup algorithm, given security parameter k, a bilinear group generator produces \mathbb{G}_1, \mathbb{G}_T, e, and q; a generator P \in \mathbb{G}_1 is selected, along with a random master secret s \in \mathbb{Z}_q^*, yielding public parameters that include P_{pub} = sP and a hash function H_1: \{0,1\}^* \to \mathbb{G}_1^*. The Extract algorithm, run by the PKG for ID \in \{0,1\}^*, computes Q_{ID} = H_1(ID) and outputs the private key d_{ID} = s Q_{ID}. For Encrypt, given message M \in \mathbb{G}_T and ID, select random r \in \mathbb{Z}_q^*; the ciphertext is C = \langle rP, M \cdot e(Q_{ID}, P_{pub})^r \rangle. Decryption with C = \langle U, V \rangle and d_{ID} recovers M = V / e(d_{ID}, U), since e(d_{ID}, U) = e(s Q_{ID}, r P) = e(Q_{ID}, P_{pub})^r by bilinearity. This scheme achieves indistinguishability against chosen-plaintext attacks in the random oracle model, with a security reduction to the bilinear Diffie-Hellman (BDH) problem: given P, aP, bP, cP \in \mathbb{G}_1, computing e(P, P)^{abc} \in \mathbb{G}_T is hard.
Efficiency is notable, with encryption and decryption each requiring a constant number of group operations, specifically one pairing computation per operation, making the scheme practical for deployment on elliptic curves such as supersingular curves over finite fields. Variants address limitations of the original scheme, such as its reliance on the random oracle model. Waters' 2005 construction provides the first efficient pairing-based IBE secure in the standard model without random oracles, achieving chosen-plaintext security under the decisional BDH assumption. It places hashed identity components in the exponents, with setup producing public elements such as g, g_1 = g^\alpha, g_2, and a vector of random group elements indexed by identity bits; extraction yields a pair incorporating the master secret and a blinding factor, while encryption and decryption involve adjusted pairing checks for correctness. This improvement strengthens provable security while maintaining efficiency comparable to the Boneh-Franklin scheme.

Quadratic Residue-Based Schemes

Quadratic residue-based identity-based encryption (IBE) schemes rely on the quadratic residuosity assumption, which states that given a composite modulus N = pq, where p and q are distinct primes both congruent to 3 modulo 4 (a Blum integer), it is computationally infeasible to determine whether a given element x \in \mathbb{Z}_N^* with Jacobi symbol (x/N) = +1 is a quadratic residue modulo N without knowledge of the prime factors p and q. Its hardness is closely tied to the integer factorization problem, since factoring N breaks it.

The seminal scheme in this category was proposed by Clifford Cocks in 2001 and provides a pairing-free IBE construction from number-theoretic assumptions about quadratic residues. In the setup phase, the private key generator (PKG) selects two large primes P and Q with P, Q \equiv 3 \pmod{4}, computes the modulus N = P \cdot Q, and publishes the public parameters consisting of N and suitable hash functions (modeled as random oracles). The master secret key is the factorization \langle P, Q \rangle, which remains private. User identities are treated as strings and hashed via a function H to elements a = H(\text{ID}) \in \mathbb{Z}_N^* such that the Jacobi symbol (a/N) = +1. For key generation, upon request for identity ID, the PKG computes a = H(\text{ID}) \bmod N and derives a private key r satisfying either r^2 \equiv a \pmod{N} or r^2 \equiv -a \pmod{N}, using the master secret to find such a square root efficiently via r = a^{(N+5-(P+Q))/8} \bmod N. Which of the two congruences holds (the root type) depends only on a, so it is fixed for the identity, and the PKG provides r to the user as their private key.

Encryption proceeds bit by bit, encoding each message bit m \in \{0,1\} as x = (-1)^m \in \{-1, +1\}. To encrypt x under ID, the sender selects a random t \in \mathbb{Z}_N^* such that the Jacobi symbol (t/N) = x, computes the inverse t^{-1} \bmod N, and forms the ciphertext component c_1 = t + a \cdot t^{-1} \pmod{N}.
Since the sender does not know the root type of the recipient's key, a second component c_2 = t - a \cdot t^{-1} \pmod{N} is included so that the recipient can use whichever one matches. Decryption uses the private key r: if r^2 \equiv a \pmod{N}, the recipient computes s = c_1 + 2r \pmod{N}; if r^2 \equiv -a \pmod{N}, it computes s = c_2 + 2r \pmod{N}. In either case s \equiv t \cdot (1 + r/t)^2 \pmod{N}, so the Jacobi symbol (s/N) equals (t/N) = x: the squared factor contributes +1 and the symbol of t is preserved. The recipient then recovers the bit m from x. Because the recipient knows its own root type, it selects the matching component directly. This process uses the factorization only to compute square roots during key generation; decryption requires nothing but Jacobi symbol computations, which need no secret.

Despite its theoretical significance as the first non-pairing-based IBE, the Cocks scheme suffers from significant practical limitations, primarily due to its bit-by-bit encryption mechanism. Each message bit requires a full modulus-sized component (approximately \log_2 N bits), and including the second component doubles this overhead, so the ciphertext is expanded by a factor of up to 2 \log_2 N relative to the plaintext. For a 128-bit symmetric key encrypted with a 1024-bit N, the ciphertext size approaches 16 KB (32 KB with both components), rendering the scheme inefficient for longer messages without hybrid use (e.g., encrypting only a symmetric key). The scheme is proven secure against chosen-plaintext attacks in the identity-based setting under the quadratic residuosity assumption in the random oracle model, but its bandwidth inefficiency has limited adoption compared to more practical pairing-based alternatives.
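The Cocks scheme as just described, written out as a runnable toy in Python; it is an added example, not Cocks's or this page's code, and it also serves as a concrete instance of the Setup/Extract/Encrypt/Decrypt structure from the Protocol Components section. The two Mersenne primes, the SHA-256-with-counter hash to Jacobi-symbol +1 elements, the identity strings and the ciphertext-size helper are all constructed here for illustration; the primes are far too small for real use and there is no padding or chosen-ciphertext hardening.

```python
"""Toy Cocks IBE over quadratic residues (added illustration, not production code)."""
import hashlib
import secrets

# Constructed public parameters: two Mersenne primes, both 3 mod 4, so N = P*Q is a Blum integer.
P = (1 << 89) - 1
Q = (1 << 107) - 1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # pull out factors of 2 using the value of (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity for odd a, n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def setup(p=P, q=Q):
    """PKG Setup: public modulus N = p*q; master secret = the factorization."""
    assert p % 4 == 3 and q % 4 == 3
    return p * q, (p, q)


def hash_to_jacobi_one(identity, n):
    """Constructed hash H: re-hash identity with a counter until (a/N) = +1."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{ctr}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if jacobi(a, n) == 1:      # also implies a != 0 and gcd(a, N) = 1
            return a
        ctr += 1


def extract(identity, n, msk):
    """PKG Extract: r = a^((N+5-(P+Q))/8) mod N is a square root of a or of -a.
    Returns (r, True) when r^2 = a, (r, False) when r^2 = -a; the type is fixed per identity."""
    p, q = msk
    a = hash_to_jacobi_one(identity, n)
    r = pow(a, (n + 5 - (p + q)) // 8, n)
    root_of_a = (r * r) % n == a
    assert root_of_a or (r * r) % n == (-a) % n
    return r, root_of_a


def encrypt_bit(m, a, n):
    """Encode bit m as x = (-1)^m, pick t with (t/N) = x, and emit both
    c1 = t + a/t and c2 = t - a/t since the sender does not know the root type."""
    x = -1 if m else 1
    while True:
        t = secrets.randbelow(n - 2) + 2
        if jacobi(t, n) == x:      # nonzero symbol also guarantees gcd(t, N) = 1
            break
    t_inv = pow(t, -1, n)
    return (t + a * t_inv) % n, (t - a * t_inv) % n


def decrypt_bit(ct, sk, n):
    """s = c1 + 2r if r^2 = a, else s = c2 + 2r; then s = t*(1 + r/t)^2 so (s/N) = (t/N) = x."""
    r, root_of_a = sk
    c1, c2 = ct
    s = ((c1 if root_of_a else c2) + 2 * r) % n
    x = jacobi(s, n)
    if x == 0:                     # gcd(s, N) > 1: negligible for large N, but never guess the bit
        raise ValueError("ciphertext component shares a factor with N")
    return 0 if x == 1 else 1


def encrypt(message, identity, n):
    """Encrypt bytes bit by bit (MSB first) to an identity; returns a list of (c1, c2) pairs."""
    a = hash_to_jacobi_one(identity, n)
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    return [encrypt_bit(b, a, n) for b in bits]


def decrypt(ct, sk, n):
    """Decrypt a list of (c1, c2) pairs back to bytes."""
    bits = [decrypt_bit(c, sk, n) for c in ct]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def ciphertext_size_bytes(ct, n):
    """Two modulus-sized components per plaintext bit: the expansion the text describes."""
    return len(ct) * 2 * ((n.bit_length() + 7) // 8)


if __name__ == "__main__":
    N, MSK = setup()
    sk = extract("alice@example.com", N, MSK)       # constructed identity
    ct = encrypt(b"hi", "alice@example.com", N)
    print(decrypt(ct, sk, N), ciphertext_size_bytes(ct, N), "ciphertext bytes for 2 plaintext bytes")
```

Running it on a handful of identities shows both root types occurring, each decrypting correctly with its own component, and a 2-byte message costing 800 bytes of ciphertext at this 196-bit modulus.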

Lattice-Based and Post-Quantum Schemes

Lattice-based and post-quantum identity-based encryption (IBE) schemes draw their security from the computational hardness of lattice problems, including the Learning With Errors (LWE) problem, the Short Integer Solution (SIS) problem, and the NTRU problem. The LWE problem posits that, given random vectors a_i \in \mathbb{Z}_q^n and scalars b_i = \langle a_i, s \rangle + e_i \pmod{q} for a secret s and small errors e_i, it is hard to recover s or to distinguish the pairs (a_i, b_i) from uniformly random pairs. SIS requires finding short vectors x \in \mathbb{Z}^m such that A x = 0 \pmod{q} for a full-rank A \in \mathbb{Z}_q^{n \times m}, with \|x\| below a bound. NTRU relies on the hardness of finding short vectors in ideal lattices over polynomial rings such as \mathbb{Z}[x]/(x^N - 1). These problems underpin post-quantum security, as no efficient classical or quantum algorithm for them is known.

The seminal framework for lattice-based IBE was established by Gentry, Peikert, and Vaikuntanathan in 2008, constructing IBE from LWE using trapdoor sampling on q-ary lattices. In this approach, the master public key consists of a random matrix A \in \mathbb{Z}_q^{n \times m}, and the master secret key is a short basis T for the q-ary lattice \Lambda^\perp(A) = \{ x \in \mathbb{Z}^m \mid A x = 0 \pmod{q} \}. Trapdoor generation produces A and T such that T has small Gram-Schmidt norm, typically \| \tilde{T} \| \leq O(\sqrt{m}), enabling efficient sampling while preserving hardness. For an identity id, the private key is derived by computing the syndrome u = H(id) \in \mathbb{Z}_q^n via a hash function H, then sampling a short preimage sk_{id} \in \mathbb{Z}^m satisfying A \cdot sk_{id} = u \pmod{q} using the trapdoor basis T. This sampling draws from a discrete Gaussian distribution over the coset lattice \Lambda_u(A) = \{ x \in \mathbb{Z}^m \mid A x = u \pmod{q} \}, with density proportional to \rho_{s,c}(x) = \exp(-\pi \|x - c\|^2 / s^2) for width s = \omega(\sqrt{n \log n}) and center c, ensuring that sk_{id} is statistically close to a distribution that reveals nothing about the trapdoor.
Encryption uses A and u to mask the message under LWE, while decryption recovers it using the short sk_{id}. Security proofs reduce IND-ID-CPA security to the LWE problem with dimension n, modulus q, and error rate \alpha = 1/(\sqrt{m} \log n), assuming LWE is hard for quantum polynomial-time adversaries.

Recent developments up to 2025 have enhanced efficiency and functionality in lattice-based IBE. Zuo et al. (2024) proposed an LWE-based online/offline IBE supporting revocable keys through offline precomputation of partial ciphertexts, achieving a 65-80% reduction in online time while maintaining IND-ID-CPA security under LWE hardness. For compactness, a 2025 lattice-based IBE construction uses hybrid sampling algorithms to generate private keys, resulting in shorter ciphertexts (under 2 KB for 128-bit security) and improved efficiency over standard LWE variants, with security proven under LWE-type assumptions. Threshold variants have also advanced: Lapiha and Prest (2025) constructed an IND-CCA-secure key encapsulation mechanism (KEM) from lattice IBE via the BCHK transform (adapted with Fujisaki-Okamoto for consistency), relying on a threshold IBE built atop the Agrawal-Boneh-Boyen framework and recent lattice techniques. This enables distributed key generation among t-out-of-N parties without multi-party computation overhead, secure under the Coset-Hint-MLWE assumption.

These schemes provide quantum resistance, contrasting with classical IBE reliant on quantum-vulnerable assumptions like bilinear pairings. Lattice-based IBE achieves shorter public keys and ciphertexts (often 1-4 KB) compared to hash-based post-quantum alternatives, facilitating practical adoption. Implementations benefit from optimizations such as FPGA-accelerated number-theoretic transforms (NTT) for ring-LWE operations, reducing latency by up to 50% in ring-NTRU variants.

Benefits and Limitations

Advantages

Identity-based encryption (IBE) eliminates the overhead associated with a traditional public key infrastructure (PKI) by obviating the need for digital certificates, certificate directories, and revocation lists, which significantly reduces administrative and operational costs in cryptographic systems. This allows users to derive public keys directly from arbitrary identity strings, such as email addresses or names, streamlining deployment without complex certificate management processes. Key management in IBE is notably simplified, as private keys are generated by a trusted private key generator (PKG) based on user identities, thereby reducing enrollment procedures and eliminating the distribution of public key certificates. Identities can incorporate temporal elements, enabling automatic key expiration (for example, on a weekly basis) without additional revocation mechanisms, which further eases administrative burdens compared to PKI systems. Variants like hierarchical identity-based encryption (HIBE) offer potential for forward security, where keys evolve over discrete time periods so that compromise of a current key does not retroactively expose prior communications.

In large-scale environments with a finite user base, the centralized PKG structure facilitates efficient operations, including workload distribution across hierarchical authorities and the ability to pre-generate keys for known users, enhancing scalability. IBE enhances privacy by allowing identities to be anonymized, role-based (e.g., a role address such as sales@example.com), or otherwise abstracted from personal details, minimizing unintended disclosure of personal information during key distribution. IBE also reduces bandwidth usage in key exchanges by avoiding the transmission of certificates, leading to more efficient communication protocols. For instance, this benefit has been applied in secure email systems, where encryption proceeds directly using recipient identities without certificate overhead.

Drawbacks and Challenges

One of the primary drawbacks of identity-based encryption (IBE) is the inherent key escrow problem: the private key generator (PKG) holds the master secret key and can therefore derive any user's private key, so a compromised PKG can decrypt traffic system-wide. This central authority has ultimate control over all private keys, raising concerns about mass surveillance or abuse by the PKG itself. The reliance on a trusted PKG introduces a single point of failure, since the system's security depends entirely on this entity's integrity, requiring rigorous auditing and secure operations to prevent insider threats or external breaches. While key escrow is an accepted property in standard IBE security models, it amplifies the need for the PKG to be a highly reliable, often government-backed or certified, authority.

User revocation in IBE presents significant challenges. Identities are tied to long-term attributes such as email addresses, and revoking access often requires updating all affected keys or identities, which can disrupt ongoing communications. Solutions such as revocable IBE (RIBE) address this by incorporating revocation lists or time-based keys, but they introduce substantial computational overhead at the PKG during revocation events.

Distributing private keys securely remains a logistical hurdle: users must obtain their keys from the PKG over a confidential channel, frequently requiring in-person delivery or trusted couriers to avoid interception. This complicates large-scale deployment and increases vulnerability during key handover.

Classical IBE schemes, particularly those based on bilinear pairings, are susceptible to quantum attacks via Shor's algorithm, which efficiently solves the underlying discrete-logarithm-type problems. Lattice-based IBE schemes offer post-quantum resistance by relying on the learning with errors (LWE) problem, but they incur higher performance costs, including larger key sizes and slower encryption/decryption operations compared to pairing-based alternatives.

Potential mitigations include threshold PKG schemes, where the master key is distributed across multiple parties and a threshold of them must cooperate to generate user keys, thereby reducing single-point risks. Short-lived keys, periodically regenerated with limited validity, can also limit the impact of escrow or compromise, though they demand frequent PKG interactions.

References

  1. [1]
    [PDF] A Survey on ID-Based Cryptographic Primitives
    Abstract. ID-based cryptosystem has been, for a few years, the most active area of research and currently is of great interest to the cryptographic society.
  2. [2]
    IDENTITY-BASED CRYPTOSYSTEMS AND SIGNATURE ...
    IDENTITY-BASED CRYPTOSYSTEMS AND SIGNATURE SCHEMES. Adi Shamir. Department of Applied Mathematics. The Weizmann Institute of Science. Rehovot, 76100 Israel. THE ...
  3. [3]
    [PDF] Identity-Based Encryption from the Weil Pairing
    Shamir, “Identity-based cryptosystems and signature schemes”, in Advances in Cryptology. – Crypto '84, Lecture Notes in Computer Science, Vol. 196, Springer ...
  4. [4]
    [PDF] A Note on the Post-Quantum Security of Identity-Based Encryption ...
    Identity-Based Encryption (IBE) offers a compelling alternative to traditional Public Key Infrastructures by simplifying key management, but most classical IBE ...
  5. [5]
    Identity-Based Cryptosystems and Signature Schemes - SpringerLink
    Download book PDF ... Shamir, A. (1985). Identity-Based Cryptosystems and Signature Schemes. In: Blakley, G.R., Chaum, D. (eds) Advances in Cryptology. CRYPTO ...
  6. [6]
    An Identity Based Encryption Scheme Based on Quadratic Residues
    Dec 4, 2001 · © 2001 Springer-Verlag Berlin Heidelberg. About this paper. Cite this paper. Cocks, C. (2001). An Identity Based Encryption Scheme Based on ...
  7. [7]
    [PDF] Toward Hierarchical Identity-Based Encryption - Stanford CS Theory
    We introduce the concept of hierarchical identity-based en- cryption (HIBE) schemes, give precise definitions of their security and mention some applications. A ...
  8. [8]
    [PDF] Fuzzy Identity-Based Encryption - Cryptology ePrint Archive
    In Fuzzy IBE we view an identity as set of descriptive attributes. A. Fuzzy IBE scheme allows for a private key for an identity, ω, to decrypt a ciphertext ...
  9. [9]
    [PDF] Efficient Lattice (H)IBE in the Standard Model*
    We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard ...
  10. [10]
    Identity-Based Online/Offline Encryption Scheme from LWE - MDPI
    Sep 4, 2024 · We construct an identity-based online/offline encryption (IBOOE) scheme from LWE with G -trapdoor, improve the efficiency of online encryption while achieving ...
  11. [11]
    Blockchain and the Identity based Encryption Scheme for High Data ...
    The Identity based Management system allows the encryption of the user's data as well as their identity and thus preventing them from Identity theft and fraud.
  12. [12]
    [PDF] The Identity-Based Encryption Advantage
    IBE Technology powers products from Voltage Security as well as leading industry service, cloud and software providers including 7 of 10 top US Banks, 6 of 8 ...
  13. [13]
    Cryptographic Algorithm Validation Program CAVP
    The Voltage IBE Developers' Toolkit enables any application to utilize Identity Based Encryption (IBE) in combination with common algorithms.
  14. [14]
    Identity-Based Encryption in the Internet of Things - IEEE Xplore
    In this study, an identity-based encryption system has been proposed for secure communication between objects included in the Internet of Things.
  15. [15]
    A lattice-based forward secure IBE scheme for Internet of things
    In this work, we investigate the well-known encryption scheme called identity-based encryption (IBE) for IoT-oriented applications.
  16. [16]
    Identity-Based Cloud Storage Auditing for Data Sharing With Access ...
    Oct 21, 2021 · We design a novel cloud storage auditing protocol to support sensitive information hiding without the need of a third-party sanitizer.
  17. [17]
    [PDF] Revocable Storage Identity-Based Encryption for Secure Cloud Data ...
    access control on the data we store and exchange in the cloud is crucial. Constructing a reliable system for sharing information, identity-based encryption is a.
  18. [18]
    Identity-Based Encryption with Outsourced Revocation in Cloud ...
    Identity-Based Encryption (IBE) which simplifies the public key and certificate management at Public Key Infrastructure (PKI) is an important alternative to ...
  19. [19]
    Secure Data Sharing Scheme using Identity-based Encryption for e ...
    Identity-based encryption (IBE) is one of the appropriate security solutions to protect eHealth record data. The IBE algorithm addresses the problems inherent ...
  20. [20]
    Using Identity-Based Cryptography as a Foundation for an Effective ...
    In this paper, we propose a novel algorithm along with implementation details as an effective and secure E-health cloud model using identity-based cryptography.
  21. [21]
    An efficient lattice-based integrated revocable identity ... - Nature
    May 14, 2025 · Recently, Zuo et al. proposed an LWE-based identity-based online/offline encryption scheme with offline precomputation, achieving 65-80% faster ...
  22. [22]
    Toward blockchain based electronic health record management with ...
    Oct 3, 2025 · FHIRChain, a system similar to MedRec, uses cryptographic techniques to encrypt and securely share data among clinicians. Another framework ...
  23. [23]
    (PDF) Identity-Based Encryption with Outsourced Revocation in ...
    Aug 7, 2025 · However, one of the main efficiency drawbacks of IBE is the overhead computation at Private Key Generator (PKG) during user revocation.
  24. [24]
    An IBE Scheme with Verifiable Outsourced Key Generation Based ...
    Sep 11, 2018 · Our contributions: In this paper, we introduce the concept of verifiable computation into the identity-based encryption scheme, and then propose ...
  25. [25]
    Identity-based encryption with outsourced equality test in cloud ...
    Jan 20, 2016 · In order to simplify certificate management of PKEET, we firstly combine the concepts of public key encryption with equality test (PKEET) and ...
  26. [26]
    [PDF] A Tapestry of Identity-Based Encryption: Practical Frameworks ...
    Abstract: This paper surveys the practical benefits and drawbacks of several identity- based encryption schemes based on bilinear pairings.
  27. [27]
    What is a Certificate Revocation List (CRL) vs OCSP? - Keyfactor
    Nov 27, 2020 · A CRL is a list of revoked certificates, while OCSP requests certificate status from the CA's server, using a digitally signed response.
  28. [28]
    [PDF] Towards a Hybrid Public Key Infrastructure (PKI): A Review
    Public key infrastructure (PKI) and public key cryptography (PKC) [12] ... Identity-based encryption with effi- cient revocation. In Proceedings of the ...
  29. [29]
    Summary of Comparisons Between IBC/IBE and Traditional PKI
  30. [30]
    OCSP vs CRL: What Each Is & Why Browsers Prefer One Over the ...
    Oct 26, 2023 · OCSP is a real-time method using servers, while CRL is a blacklist of revoked certificates. OCSP reveals browsing history, CRLs are more ...
  31. [31]
    [PDF] Identity-based Encryption with Efficient Revocation
    Identity-based encryption (IBE) is an exciting alternative to public-key encryption, as IBE eliminates the need for a Public Key Infrastructure (PKI). Any ...
  32. [32]
    [PDF] A Performance Analysis of Identity-Based Encryption Schemes
    An identity-based encryption scheme is composed by the four following algo- rithms: Setup, Extract, Encrypt and Decrypt [3]: 1. Setup: gets a security ...
  33. [33]
    Remove key Escrow from the Identity-Based Encryption System
    Key escrow is an inherent property in the current proposed Identity-Based Encryption (IBE) systems. However the key escrow is not always a good property ...
  34. [34]
    [PDF] Relations Among Notions of Security for Identity Based Encryption ...
    Abstract. Identity based encryption (IBE) schemes have been flourishing since the very beginning of this century. In IBE it is widely believed that proving the ...
  35. [35]
    [PDF] How to Construct Identity-Based Signatures without the Key Escrow ...
    The existing solution for mitigating the key escrow problem is by adopting multiple Private Key Generators (PKGs).
  36. [36]
    What is Lattice-Based Cryptography? A Beginner's Guide to Post ...
    Lattice-based cryptography provides quantum-resistant security by relying on mathematical problems that are computationally infeasible to solve. These difficult ...
  37. [37]
    [PDF] Efficient Identity-Based Encryption Without Random Oracles
    We present the first efficient Identity-Based Encryption scheme that is fully secure without random oracles. The proof of our scheme makes use of an algebraic ...
  38. [38]
    [PDF] An Identity Based Encryption Scheme based on Quadratic Residues
    An Identity Based Encryption Scheme based on. Quadratic Residues. Clifford Cocks. Communications-Electronics Security Group, PO Box 144, Cheltenham GL52 5UE.
  39. [39]
    [PDF] On Anonymization of Cocks' Identity-based Encryption Scheme
    The first pairing-free IBE scheme was proposed by Cocks and it is based on quadratic residues [8]. The scheme is IND-ID-CPA secure in the ran- dom oracle model ...
  40. [40]
    Trapdoors for Hard Lattices and New Cryptographic Constructions
    Trapdoors for Hard Lattices and New Cryptographic Constructions. Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Abstract. We show how to construct a ...
  42. [42]
    A Lattice-Based IND-CCA Threshold KEM from the BCHK+ Transform
    We present a simple IND-CCA lattice-based threshold KEM. At a high level, our design is based on the BCHK transform (Canetti et al., EUROCRYPT 2004), which ...
  43. [43]
    [PDF] ID-Based Encryption for Complex Hierarchies with Applications to ...
    Forward security has several unique requirements in hierarchical identity-based encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joining- ...
  44. [44]
    How to construct identity-based signatures without the key escrow ...
    The inherent key escrow problem is one of the main reasons for the slow adoption of identity-based cryptography. The existing solution for mitigating the ...
  45. [45]
    [PDF] Reducing Trust in the PKG in Identity Based Cryptosystems
    [Sha84]. A. Shamir. Identity Based Cryptosystems and Signature Schemes. In Advances in Cryp- tology – CRYPTO, volume 196 of LNCS, pages 37–53.
  46. [46]
    Improving User Privacy in Identity-Based Encryption Environments
    Nov 9, 2022 · This paper proposes a separation architecture that instantiates several intermediate CAs (ICAs), rather than one (as in previous work).
  47. [47]
    Identity-based encryption with efficient revocation - ACM Digital Library
    Any setting, PKI- or identity-based, must provide a means to revoke users from the system. Efficient revocation is a well-studied problem in the traditional PKI ...
  48. [48]
    Key management in Identity Based Encryption schemes | IEEE ...
    An inherent problem of this system is key escrow. It also requires a secure channel between users and the PKG to deliver private keys. This paper describes ...
  49. [49]
    [PDF] A New Efficient Identity-Based Encryption Without Pairing
    In this manner, to send an encrypted message to Bob, or to verify his signature on a message, other users require only Bob's identity and the KGC's public key.
  50. [50]
    [PDF] Identity-Based Encryption from Lattices with More Compactness in ...
    In this work, we introduce a new. IBE construction from NTRU lattices in the standard model, based on the framework proposed by Agrawal, Boneh, and Boyen ( ...
  51. [51]
    [PDF] IDENTITY BASED ENCRYPTION:A KEY TO DATA PRIVACY IN ...
    In this literature survey, we delve into seminal works and recent advancements in blockchain technology, smart contracts, and identity- based encryption (IBE) ...
  52. [52]
    [PDF] EXPLORING ID-BASED AND ATTRIBUTE-BASED CRYPTOGRAPHY
    Challenges include centralized server requirements, secure channel needs, key escrow, complexity, performance overhead, attribute revocation, and security ...
  53. [53]
    Accountable identity-based encryption with distributed private key ...
    We extend our scheme to capture the indistinguishable security against chosen ciphertext attack (IND-ID-CCA security) without breaking the main construction.
  54. [54]
    [PDF] Adaptive-ID Secure Revocable Identity-Based Encryption - HAL Inria
    One of the cited reasons for the slow adoption of the IBE technology among standards is its lack of support for identity revocation. Since only the PKG's public ...