[FoRK] Re: identity-based encryption
Dr. Robert J. Harley
harley at argote.ch
Mon Feb 9 09:54:53 PST 2004
Ken Meltsner wrote:
>Interesting stuff, although I suspect it's protected by patents (or
>patents pending). The problem of identifying a given user to the key
>server is glossed over, and I'm not sure whether the typical encryption
>fan will appreciate the "inherent key escrow" provided by IBE.
IBE is based on the Weil (or Tate) pairing on elliptic curves, well
known to EC gurus. The pairings enable some very elegant "stuff" that
one would "like to do" in many situations, but that cannot be done
efficiently in other contexts. Basically, this was an elegant
solution looking for a problem, and some cryptographers went looking
for the latter.
The best example, IMO, is Antoine Joux's "one round tripartite
Diffie-Hellman" (ANTS 4): beautiful. Another is IBE. IMO, the main
advantage of IBE is facilitating a network effect: you can send
encrypted mail to somebody and they will be motivated to
download/install/configure software to decrypt; whereas normally you
have to ask them to download/install/configure before you can send
them encrypted mail so it just doesn't happen. The main disadvantage
is that it requires a trusted party to operate public/private key
generation. Once you allow that, lots of things become easy anyway.
Also I (and many others) just don't trust third parties. And you need
to authenticate yourself to them which is a whole 'nother source of
complexity. So the elegance is built on ugliness and isn't nearly so
elegant after all.
There is a patent on IBE although I gather it is purely defensive and
is available for use on reasonable terms.
More information about the FoRK