Paper 2003/183

Certificate-Based Encryption and the Certificate Revocation Problem

Craig Gentry


We introduce the notion of certificate-based encryption. In this model, a certificate -- or, more generally, a signature -- acts not only as a certificate but also as a decryption key. To decrypt a message, a keyholder needs both its secret key and an up-to-date certificate from its CA (or a signature from an authorizer). Certificate-based encryption combines the best aspects of identity-based encryption (implicit certification) and public key encryption (no escrow). We demonstrate how certificate-based encryption can be used to construct an efficient PKI requiring less infrastructure than previous proposals, including Micali's Novomodo, Naor-Nissim and Aiello-Lodha-Ostrovsky.

Note: This is a version of the Eurocrypt 2003 paper, identical except for this comment and a correction in Section 3.2. I'm posting it online to make it more widely available, particularly since a couple of recent works propose essentially the same idea.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Eurocrypt 2003
Contact author(s)
cgentry @ docomolabs-usa com
2003-09-06: received
Short URL
Creative Commons Attribution


      author = {Craig Gentry},
      title = {Certificate-Based Encryption and the Certificate Revocation Problem},
      howpublished = {Cryptology ePrint Archive, Paper 2003/183},
      year = {2003},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.