How Voltage Security Identity-Based Encryption Works

Information Encryption for Email, Files, Documents and Databases

Identity-Based Encryption (IBE) dramatically simplifies the process of securing sensitive communications. For example, the following diagram illustrates how Alice would send a secure email to Bob using IBE:

Step 1: Alice encrypts the email using Bob’s e-mail address, "bob@b.com", as the public key.

Step 2: When Bob receives the message, he contacts the key server. The key server contacts a directory or other external authentication source to authenticate Bob’s identity and establish any other policy elements.

Step 3: After authenticating Bob, the key server then returns his private key, with which Bob can decrypt the message. This private key can be used to decrypt all future messages received by Bob.

Note that private keys need to be generated only once, upon initial receipt of an encrypted message. All subsequent communications corresponding to the same public key can be decrypted using the same private key, even if the user is offline. Also, because the public key is generated using only Bob's email address, Bob does not need to have downloaded any software before Alice can send him a secure message.

The Math Behind IBE

The mathematical foundation of IBE is a special type of function called a “bilinear map.” A bilinear map is a pairing that has the property:

Pair( a • X, b • Y ) = Pair( b • X, a • Y )

The operator “•” is multiplication of a point on an elliptic curve by integers. While multiplication itself (e.g., calculating a•X) is easy, the inverse operation (finding a given X and a•X) is practically impossible. Two examples of bilinear maps are the Weil Pairing and the Tate Pairing.

The IBE algorithm consists of four operations:

Setup, which initializes a key server
Encrypt, which encrypts a message for a given user
Key Generation, which generates a private key for a given user
Decrypt, which given a private key, decrypts a message

IBE continued - building applications with IBE