Identity-Based Encryption from the Weil Pairing
Dan Boneh∗
Matthew Franklin†
dabo@cs.stanford.edu franklin@cs.ucdavis.edu
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this
paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
213–229, Springer-Verlag, 2001.
Abstract
We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen
ciphertext security in the random oracle model assuming a variant of the computational
Diffie-Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on
elliptic curves is an example of such a map. We give precise definitions for secure identity based
encryption schemes and give several applications for such systems.
1 Introduction
In 1984 Shamir [41] asked for a public key encryption scheme in which the public key can be an arbitrary
string. In such a scheme there are four algorithms: (1) setup generates global system parameters and
a master-key, (2) extract uses the master-key to generate the private key corresponding to an arbitrary
public key string $\mathrm{ID} \in \{0,1\}^*$, (3) encrypt encrypts messages using the public key ID, and (4) decrypt
decrypts messages using the corresponding private key.
Shamir’s original motivation for identity-based encryption was to simplify certificate management
in e-mail systems. When Alice sends mail to Bob at bob@company.com she simply encrypts her message
using the public key string “bob@company.com”. There is no need for Alice to obtain Bob’s public key
certificate. When Bob receives the encrypted mail he contacts a third party, which we call the Private
Key Generator (PKG). Bob authenticates himself to the PKG in the same way he would authenticate
himself to a CA and obtains his private key from the PKG. Bob can then read his e-mail. Note that
unlike the existing secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob
has not yet set up his public key certificate. Also note that key escrow is inherent in identity-based
e-mail systems: the PKG knows Bob’s private key. We discuss key revocation, as well as several new
applications for IBE schemes in the next section.
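The four algorithms and the e-mail flow described above, as an added sketch that is not code from the paper. It mirrors the structure of the basic scheme given later in the paper, but a toy bilinear map on integers mod a prime stands in for the Weil pairing, so it offers no security; the names `Q`, `P`, `pairing`, `h1`, `h2` and `xor` are assumptions of this example.

```python
import hashlib
import secrets

# Toy stand-in for the pairing (an assumption of this example, NOT secure):
# G1 = G2 = integers mod the prime Q under addition, e(a, b) = a*b mod Q.
# The map is bilinear, but a discrete log in G1 is a single division, so
# anyone can recover the master key from P_pub. A real system needs a
# pairing on an elliptic curve, such as the Weil pairing.
Q = 2**127 - 1          # prime group order
P = 5                   # fixed generator of G1

def pairing(a, b):
    return (a * b) % Q

def h1(identity):
    """Hash an arbitrary identity string to a nonzero element of G1."""
    digest = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def h2(g2_elem, length):
    """Derive a mask of `length` bytes (at most 32) from a G2 element."""
    return hashlib.sha256(b"H2|" + g2_elem.to_bytes(16, "big")).digest()[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """PKG: choose master key s and publish params (P, P_pub = s*P)."""
    s = secrets.randbelow(Q - 1) + 1
    return {"P": P, "P_pub": (s * P) % Q}, s

def extract(master_key, identity):
    """PKG: the private key for an identity is d_ID = s * H1(ID)."""
    return (master_key * h1(identity)) % Q

def encrypt(params, identity, message):
    """The sender needs only the params and the recipient's identity string."""
    r = secrets.randbelow(Q - 1) + 1
    # G2 is written additively here, so the paper's e(Q_ID, P_pub)^r is r * e(...)
    shared = (r * pairing(h1(identity), params["P_pub"])) % Q
    return (r * params["P"]) % Q, xor(message, h2(shared, len(message)))

def decrypt(params, private_key, ciphertext):
    u, v = ciphertext
    return xor(v, h2(pairing(private_key, u), len(v)))   # e(d_ID, U)
```

Encrypting to "bob@company.com" before `extract` has ever been called for that string corresponds to Alice mailing Bob before he has a key, and because `extract` is deterministic in the master key, the PKG can always re-derive Bob's private key, which is the escrow property noted above.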
Since the problem was posed in 1984 there have been several proposals for IBE schemes [11, 45,
44, 31, 25] (see also [33, p. 561]). However, none of these are fully satisfactory. Some solutions require
that users not collude. Other solutions require the PKG to spend a long time for each private key
generation request. Some solutions require tamper resistant hardware. It is fair to say that until
the results in [5], constructing a usable IBE system was an open problem. Interestingly, the related
notions of identity-based signature and authentication schemes, also introduced by Shamir [41], do
have satisfactory solutions [15, 14].
In this paper we propose a fully functional identity-based encryption scheme. The performance
of our system is comparable to the performance of ElGamal encryption in $\mathbb{F}_p^*$. The security of our
system is based on a natural analogue of the computational Diffie-Hellman assumption. Based on
∗ Supported by DARPA contract F30602-99-1-0530, NSF, and the Packard Foundation.
† Supported by an NSF Career Award and the Packard Foundation.