Identity-based encryption (IBE) allows a sender to encrypt to a recipient using only their identity (email address, phone number) as the public key — no certificate lookup needed. A trusted Key Generation Center (KGC) holds a master secret key and derives private keys from identities. Boneh and Franklin (2001) gave the first efficient IBE construction using bilinear pairings on elliptic curves. IBE simplifies key management (no PKI needed) but introduces key escrow (the KGC can decrypt all messages). IBE also enables advanced features like fuzzy/attribute-based encryption and hierarchical delegation.
Traditional public-key encryption requires the sender to know the recipient's public key, which means obtaining and verifying a certificate — the entire PKI infrastructure of certificate authorities, revocation lists, and trust chains. Identity-Based Encryption (IBE), conceived by Adi Shamir in 1984 and first efficiently realized by Boneh and Franklin in 2001, eliminates this requirement. In IBE, the recipient's public key IS their identity — their email address, phone number, employee ID, or any arbitrary string. Anyone can encrypt to "[email protected]" using only this string and the system's public parameters, without any certificate.
The scheme requires a Key Generation Center (KGC) that holds a master secret key. During setup, the KGC publishes system-wide public parameters. When Alice wants to decrypt, she authenticates to the KGC and receives her private key, derived from her identity and the master secret. The mathematical magic that makes this work is bilinear pairings on elliptic curves: a function e: G1 x G2 → GT satisfying e(aP, bQ) = e(P, Q)^{ab}. This bilinearity creates algebraic bridges between the identity-derived public key and the master-secret-derived private key that enable encryption and decryption to work, while the hardness of the Bilinear Diffie-Hellman (BDH) problem prevents anyone without the private key from decrypting.
The most notable feature and the most significant limitation of IBE are two sides of the same coin: key escrow. Since the KGC generates all private keys, it can decrypt any message in the system. This is unacceptable for many applications (users expect end-to-end privacy from everyone, including the system operator), but it is actually desirable in enterprise environments where the organization legitimately needs the ability to decrypt employee communications (legal compliance, departing employees, regulatory audits). For organizations that already have centralized authority over their users' cryptographic credentials, IBE offers dramatic simplification over PKI.
IBE's impact extends well beyond its direct use case. It demonstrated that bilinear pairings could solve long-standing open problems in cryptography, spawning an entire field of pairing-based cryptography that includes short signatures (Boneh-Lynn-Shacham), attribute-based encryption, functional encryption, and efficient non-interactive zero-knowledge proofs. Hierarchical IBE (HIBE) allows delegation of key generation authority, mirroring organizational structures. Fuzzy IBE (Sahai-Waters) allows decryption when the identity matches "approximately" — if the encryption identity and the key identity share enough attributes — which is the conceptual precursor to attribute-based encryption. The line of research from IBE through ABE to general functional encryption represents the progressive expansion of what "access control through cryptography" can achieve.