The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an identity-based encryption (IBE) system proposed by Ryuichi Sakai and Masao Kasahara in 2003. Alongside the Boneh–Franklin scheme, this is one of a small number of commercially implemented identity-based encryption schemes. It is an application of pairings over elliptic curves and finite fields. A security proof for the algorithm was produced in 2005 by Chen and Cheng. SAKKE is described in Internet Engineering Task Force (IETF) RFC 6508.
As a specific method for identity-based encryption, the primary use case is to allow anyone to encrypt a message to a user when the sender only knows the public identity (e.g. email address) of the user. In this way, this scheme removes the requirement for users to share public certificates for the purpose of encryption.
Description of Scheme
The Sakai–Kasahara scheme allows the encryption of a message
As part of the scheme, both the sender and receiver must trust a Private Key Generator (PKG), also known as a Key Management Server (KMS). The purpose of the PKG is to create the receiver's private key,
Preliminaries
The scheme uses two multiplicative groups
Frequently,
Two hash functions are also required,
Key Generation
The PKG has a master secret
Encryption
To encrypt a non-repeating message
- Create: $id = H_1(ID_U)$
- The sender generates $r$ using $r = H_1(M \| id)$
- Generate the point $R$ in $E$:
- Create the masked message:
- The encrypted output is: $(R, S)$
Note that messages may not repeat, as a repeated message to the same identity results in a repeated ciphertext. There is an extension to the protocol should messages potentially repeat.
Decryption
To decrypt a message encrypted to
- Compute $id = H_1(ID_U)$
- Receive the encrypted message: $(R, S)$.
- Compute:
- Extract the message:
- To verify the message, compute $r = H_1(M \| id)$, and only accept the message if:
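The encryption and decryption steps above, as an added example that is not part of the original article or of any SAKKE library. The formulas for $R$, $S$, $K_U$ and $w$ are taken from RFC 6508, and it shows why a repeated message to the same identity repeats the ciphertext and how the verification step rejects tampering. Assumptions: an insecure toy model in which every group element is stored as its discrete logarithm modulo a prime `Q`, with SHA-256 and SHAKE-256 standing in for $H_1$ and $H_2$; all function names are hypothetical.

```python
import hashlib

# Toy model (constructed, NOT secure): every group element is stored as its
# discrete log modulo the prime Q, so the pairing e(aP, bP) = g^(ab) is a*b mod Q.
Q = 2**127 - 1

def h1(data: bytes) -> int:
    """Stand-in for H_1 (SHA-256 reduced mod Q is an assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def h2(w: int, n: int) -> bytes:
    """Stand-in for H_2: n mask bytes from a target-group element (assumption)."""
    return hashlib.shake_256(w.to_bytes(16, "big")).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_r(msg: bytes, i: int) -> int:
    # r = H_1(M || id): deterministic, so equal (M, id) pairs give equal r
    return h1(msg + i.to_bytes(16, "big"))

def extract(z: int, identity: bytes) -> int:
    """PKG: receiver key K_U = [1/(id + z)]P from the master secret z."""
    s = (h1(identity) + z) % Q
    if s == 0:
        raise ValueError("id + z = 0 mod q; no key exists for this identity")
    return pow(s, -1, Q)

def encrypt(Z: int, identity: bytes, msg: bytes):
    i = h1(identity)
    r = derive_r(msg, i)
    R = r * (i + Z) % Q                   # R = [r]([id]P + Z)
    return R, xor(msg, h2(r, len(msg)))   # S = M xor H_2(g^r)

def decrypt(Z: int, K_U: int, identity: bytes, R: int, S: bytes):
    i = h1(identity)
    w = R * K_U % Q                       # w = e(R, K_U) = g^r
    msg = xor(S, h2(w, len(S)))
    # Verification: re-derive r from the recovered message and recompute R.
    return msg if derive_r(msg, i) * (i + Z) % Q == R else None
```

In this toy model the public point `Z` is passed as the same integer as the master secret `z`, which is exactly what a real pairing group prevents.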
Demonstration of Algorithmic Correctness
The following equations demonstrate the correctness of the algorithm:
By the bilinear property of the map:
As a result:
Standardisation
There are two standards relating to this protocol:
Cryptographic Libraries and Implementations
The scheme is part of the MIRACL cryptographic library.