[messaging] IBE for Service Sub-Keys?

Trevor Perrin trevp at trevp.net
Thu Aug 28 23:58:54 PDT 2014

On Thu, Aug 28, 2014 at 6:43 PM, Tom Ritter <tom at ritter.vg> wrote:
> So I'm not claiming to have studied IBE in depth, but....
> While thinking about PGP and subkeys today, I started wondering about
> an IBE-like or BIP-32-like system, where if you have a public key, you
> can generate a new public key for a 'tag', and given a private key and
> a tag you can generate the tag's private key.

Yes, this exists with IBE ("forward-secure public-key encryption").
Matt Green's pointed out:


You could evolve the ephemeral-ish public key every X days (week or
month or so - there's no point in evolving it too quickly, since the
recipient needs to hold onto old private keys until all possible
messages sent based on them have arrived, so you have to consider
worst-case transport delays due to bounces, etc).

It's not obvious this is better than just posting a new key every week:
 - it requires time sync, which just posting a new key does not
 - if someone compromises the recipient's master private key, they get
all future private keys, so this doesn't have the "future secrecy" or
"self-healing" benefits of fresh keys
 - more exotic crypto


More information about the Messaging mailing list