Sakai–Kasahara scheme

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an identity-based encryption (IBE) system proposed by Ryuichi Sakai and Masao Kasahara in 2003.[1] Alongside the Boneh–Franklin scheme, this is one of a small number of commercially implemented identity-based encryption schemes. It is an application of pairings over elliptic curves and finite fields. A security proof for the algorithm was produced in 2005 by Chen and Cheng.[2] SAKKE is described in Internet Engineering Task Force (IETF) RFC 6508.[3]

As a specific method for identity-based encryption, the primary use case is to allow anyone to encrypt a message to a user when the sender only knows the public identity (e.g. email address) of the user. In this way, this scheme removes the requirement for users to share public certificates for the purpose of encryption.

Description of scheme[edit]

The Sakai–Kasahara scheme allows the encryption of a message to an receiver with a specific identity, . Only the entity with the private key, , associated to the identity, , will be capable of decrypting the message.

As part of the scheme, both the sender and receiver must trust a Private Key Generator (PKG), also known as a Key Management Server (KMS). The purpose of the PKG is to create the receiver's private key, , associated to the receiver's identity, . The PKG must securely deliver the identity-specific private key to the receiver, and PKG-specific public parameter, , to all parties. These distribution processes are not considered as part of the definition of this cryptographic scheme.


The scheme uses two multiplicative groups and . It is assumed:

  • The Diffie-Hellman problem is hard in . Meaning that given two members of the group and , it is hard to find such that .
  • The Diffie-Hellman problem is hard in . Meaning that given two members of the group and , it is hard to find such that .
  • There is a bilinear map, a Tate-Lichtenbaum pairing, from E to G. This means that for a member of and for a member of :

Frequently, is a supersingular elliptic curve, such as (over a finite field of prime order ). A generator of prime order is chosen in . The group is the image due to the pairing of the group generated by (in the extension field of degree 2 of the finite field of order p).

Two hash functions are also required, and . outputs a positive integer, , such that . outputs bits, where is the length of the message .

Key generation[edit]

The PKG has a master secret where , and a public key which is a point on . The PKG generates the private key, , for the user with identity as follows:


To encrypt a non-repeating message , the sender requires receiver's identity, and the public PGK value . The sender performs the following operation.

  1. Create:
  2. The sender generates using
  3. Generate the point in :
  4. Create the masked message:
  5. The encrypted output is:

Note that messages may not repeat, as a repeated message to the same identity results in a repeated ciphertext. There is an extension to the protocol should messages potentially repeat.


To decrypt a message encrypted to , the receiver requires the private key, from the PKG and the public value . The decryption procedure is as follows:

  1. Compute
  2. Receive the encrypted message: .
  3. Compute:
  4. Extract the message:
  5. To verify the message, compute , and only accept the message if:

Demonstration of algorithmic correctness[edit]

The following equations demonstrate the correctness of the algorithm:

By the bilinear property of the map:

As a result:


There are two standards relating to this protocol:

  • Initial standardisation of scheme was begun by IEEE in 2006.[4]
  • The scheme was standardised by the IETF in 2012 within RFC 6508. The scheme is used as part of the MIKEY-SAKKE protocol, defined in RFC 6509.

Cryptographic libraries and implementations[edit]

The scheme is part of the MIRACL cryptographic library.

See also[edit]


  1. ^ Sakai, Ryuichi; Kasahara, Masao (2003). "ID Based cryptosystems with pairing on elliptic curve" (PDF). Cryptography ePrint Archive. 2003/054.
  2. ^ Chen, L.; Cheng, Z. "Security proof of Sakai-Kasahara's identity-based encryption scheme" (PDF). Cryptography ePrint Archive. 2005/226.
  3. ^ Groves, M. (February 2012). Sakai-Kasahara Key Encryption (SAKKE). IETF. doi:10.17487/RFC6508. RFC 6508. 
  4. ^ Barbosa, M. (June 2006). "SK-KEM: An Identity-Based KEM" (PDF). IEEE. P1363.3.