A forward-secure public-key encryption scheme
Advances in Cryptology—EUROCRYPT 2003: International Conference on the Theory …, 2003 • Springer
Abstract
Cryptographic computations are often carried out on insecure devices for which the threat of key exposure represents a serious and realistic concern. In an effort to mitigate the damage caused by exposure of secret data (e.g., keys) stored on such devices, the paradigm of forward security was introduced. In a forward-secure scheme, secret keys are updated at regular periods of time; furthermore, exposure of a secret key corresponding to a given time period does not enable an adversary to “break” the scheme (in the appropriate sense) for any prior time period. A number of constructions of forward-secure digital signature schemes, key-exchange protocols, and symmetric-key schemes are known.
We present the first constructions of a (non-interactive) forward-secure public-key encryption scheme. Our main construction achieves security against chosen plaintext attacks under the decisional bilinear Diffie-Hellman assumption in the standard model. It is practical, and all complexity parameters grow at most logarithmically with the total number of time periods. The scheme can also be extended to achieve security against chosen ciphertext attacks.