2025 Volume 33 Pages 185-196
In identity-based encryption (IBE), a key generation center (KGC) issues a secret key for an identity. Although any value can be used as a public key, the KGC has the potential to decrypt all ciphertexts even though it is not the intended recipient. To solve this key escrow problem, Emura, Katsumata, and Watanabe (EKW) proposed IBE with security against the KGC (ESORICS 2019/TCS 2022) and gave two schemes: a pairing-based construction extending the Boneh-Franklin IBE scheme (CRYPTO 2001) and a lattice-based construction extending the Gentry-Peikert-Vaikuntanathan (GPV) IBE scheme (STOC 2008). Though the KGC can issue a secret key without knowing the user's identity, additional communication (between the user and the identity-certifying authority (ICA)) and additional computation by the KGC are required compared to the conventional IBE scheme. In this paper, we implement the two EKW-IBE schemes and show that the additional costs are insignificant compared to the underlying IBE schemes. It should be noted that, in exchange for solving the key escrow problem, EKW-IBE requires that an identity be sampled from a sufficiently high min-entropy source (e.g., a random value). Since any value (such as a name or an e-mail address) can be employed in IBE, this requirement detracts from the merit of IBE. Thus, we also consider an application of EKW-IBE schemes where the requirement does not cause a problem.