good uses for IBE -- non-interactive forward secrecy (Re: Identity-based public key cryptography)

Adam Back adam at cypherspace.org
Tue, 18 Dec 2001 14:14:31 +0000


Ben wrote:
> There's also the issue that if N is ever revealed (N being the public
> modulus), then _all_ private keys are immediately compromised.

Presumably you mean if the factorization of N were revealed.  I
wouldn't want to use IBE for the reason that Brian gives: it's a
public key scheme with inherent and unavoidable key-escrow built in.

> And, exactly how does basing PKC on identity help, anyway? It still
> leaves open the question of what my identity is and how that is
> verified - seems to me that the problem has simply been pushed from
> binding the key to a trusted identity to verifying the trusted
> identity - no improvement in verifiability or management, but a
> massive retrograde step in security.

On the claims on the page of having invented the first non-theoretical
IBE in 1998:

| ID-PKC remained a theoretical concept until 1998 when Cliff Cocks
| proposed the first practical solution.  (A second ID-PKC solution
| has recently been discovered by academics in the USA.)

It should be noted for clarity that candidate ID-PKC schemes had been
published in the literature at least as early as 1991 viz Maurer and
Yacobi's 1991 paper [1].  However Maurer and Yacobi's scheme has a
quite inefficient computation of private keys for the identity server,
and as a consequence the public keys for practical server compute time
are undesirably small.

I presume the reference to the paper by academics in the USA is [2].

So, why should we be interested in IBE: we shouldn't directly, because
it is another form of key-escrow, not unlike the Holloway scheme of a
few years back, but IBE schemes have interesting alternate uses: they
can be used to build non-interactive forward secure schemes if you use
the construct but remove the third party, playing that part yourself
during a setup-phase.

Non-interactive forward secrecy is interesting for email security as
traditional forward secrecy providing protocols such as ephemeral DH
key negotiation don't work for that application.

See:

http://www.cypherspace.org/~adam/nifs/

for a description of how to use general IBE for general NIFS.

I'm interested to see the Cocks paper when it appears for that reason.

At least the Cocks IBE scheme seems computationally efficient if
somewhat communication inefficient.  But I'm not finding the slides
overly clear.  It looks at one point as if the recipient has to
interact with the server to decrypt the message, meaning the sender
can be offline from the identity server, but the recipient has to be
online with it.  If this interpretation is correct, the scheme is not
interesting.  (Anyone else managed to interpret the slides to
comment?)

Adam

[1] U Maurer and Y Yacobi "Non-interactive public key cryptography",
Advances in Cryptology, Eurocrypt 91 (LNCS 547), 498-507, 1991

[2] Dan Boneh and Matt Franklin, "Identity based encryption from the
Weil pairing", Crypto 2001 (LNCS 2139), 213-229, 2001

http://crypto.stanford.edu/~dabo/abstracts/ibe.html