Why would you want an identity-based signature?

| Comments (3) | COMSEC
One of the first rules of crypto is that if there's a crypto primitive that's possible to build, no matter how stupid, someone will eventually build it. Nothing wrong with that—that's what cryptographers are supposed to do. But just because something is possible doesn't mean it's useful. Case in point, identity-based signatures. You may have heard of Identity-Based Encryption, in which the public key and private key are derived from your identity (e.g., your email address). Anyone can compute the public key, but you need to get the private key from a key generating authority (KGA) which serves a similar role to the CA in a PKI system. The value proposition here is that you don't need a copy of someone's certificate in order to encrypt a message to them—you can compute their public key knowing only their identity (and which KGA they use). More on this here. This means that there's no need for a certificate directory, which has historically been one of the inconvenient parts of PKI.

Unsurprisingly, IBE has a signature variant, known as Identity-Based Signatures. The basic concept here is the same: the public key is derived from your identity and you get your private key from the KGA. The value proposition is the same too: anyone can verify your signature without having your certificate. The problem is that it doesn't really add much value. In a PKI system, when you send a signed message you send (Message, Signature, Certificate). In an IBS system, you sent (Message, Signature, Identity). Otherwise, the data flow is the same. Basically, IBS is just a fancy (OK, really fancy) way of compressing the signer's certificate. 1

So, why am I going on about this? Someone just suggested using IBA in the IETF SIP WG. (draft here, mailing list discussion here, starting with my review.).

1. Indeed, as Hovav Shacham pointed out to me, the difference between an ordinary PKI system and an IBS system is to some extent a matter of semantics. Think of the certificate as part of the signature and certificate verification as part of the signature verification. It's true that the signature isn't deterministic, but then plenty of signature schemes (e.g., DSA), aren't.


Don't forget the other difference:

in a PKI, the trusted third party is only trusted to verify identitity.

In a IBE, the trusted third party is trusted not to impersonate existing identitities.

(well, this is actually a feature of IBE in business use, not a bug...)

I would phrase it a little differently, namely:

- PKI systems may have a key escrow feature
- Key escrow is a basically an inseparable feature of IBE.

That said, the IBE systems I'm familiar with use ordinary certicates for authentication, but IBE for encryption, so you have escrow purely for confidentiality and not authentication.

My name is Olga and I work for a company that specializes in digital signatures.
If you're interested, there's some useful background (non-commercial) information about digital signatures at http://www.arx.com/digital-signatures-faq.php

Leave a comment