Forward-Security in Private-Key Cryptography

  • Mihir Bellare
  • Bennet Yee
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2612)


This paper provides a comprehensive treatment of forward-security in the context of shared-key based cryptographic primitives, as a practical means to mitigate the damage caused by key-exposure. We provide definitions of security, practical proven-secure constructions, and applications for the main primitives in this area. We identify forward-secure pseudorandom bit generators as the central primitive, providing several constructions and then showing how forward-secure message authentication schemes and symmetric encryption schemes can be built based on standard schemes for these problems coupled with forward-secure pseudorandom bit generators. We then apply forward-secure message authentication schemes to the problem of maintaining secure access logs in the presence of break-ins.
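As an added illustration (not the paper's own construction, which is stated in terms of generic PRFs and block ciphers), the following instantiates the abstract's pipeline: a forward-secure PRG whose PRF is assumed to be HMAC-SHA256, a standard MAC keyed by each period's PRG output, and an auditor that re-derives every period's key from the initial seed. The seed, domain-separation labels and log entries are constructed for the example.

```python
import hmac
import hashlib

def fs_prg_next(state: bytes) -> tuple[bytes, bytes]:
    """One step of a forward-secure PRG: from the current state derive the
    next state and an output block, using HMAC-SHA256 as the underlying PRF
    (an assumed instantiation; the domain-separation labels are constructed)."""
    next_state = hmac.new(state, b"fsprg/next-state", hashlib.sha256).digest()
    output = hmac.new(state, b"fsprg/output", hashlib.sha256).digest()
    return next_state, output

def mac_entry(key: bytes, period: int, msg: bytes) -> bytes:
    """Standard MAC (HMAC-SHA256) over the period number and the log entry."""
    return hmac.new(key, period.to_bytes(4, "big") + msg, hashlib.sha256).digest()

class ForwardSecureLogger:
    """Log writer: keeps only the current PRG state. The MAC key for the
    current period is the PRG output; update() advances the state and erases
    the old one, so a later break-in reveals nothing about earlier periods' keys."""
    def __init__(self, seed: bytes):
        self.state, self.period, self.entries = seed, 0, []

    def log(self, msg: bytes) -> None:
        _, key = fs_prg_next(self.state)          # key for the current period only
        self.entries.append((self.period, msg, mac_entry(key, self.period, msg)))

    def update(self) -> None:
        self.state, _ = fs_prg_next(self.state)   # old state is overwritten (erased)
        self.period += 1

def verify_log(seed: bytes, entries) -> bool:
    """Auditor holding the initial seed (kept off the logging host) recomputes
    every period's key by running the PRG forward and checks each tag."""
    last = max((p for p, _, _ in entries), default=-1)
    state, keys = seed, []
    for _ in range(last + 1):
        state, key = fs_prg_next(state)
        keys.append(key)
    return all(hmac.compare_digest(mac_entry(keys[p], p, m), t) for p, m, t in entries)

def rewrite_with_exposed_state(state: bytes, period: int, msg: bytes):
    """Security experiment: a break-in captures the writer's current state and
    tries to re-tag an entry for an earlier period with the key that state yields."""
    _, key = fs_prg_next(state)
    return (period, msg, mac_entry(key, period, msg))
```

Note the caveat the experiment makes visible: a state captured in period 2 still produces valid tags for period 2 and later, so forward security protects only entries written before the break-in, and the seed must never remain on the logging host.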


Keywords: Symmetric cryptography, forward security, pseudorandom bit generators, message authentication, proofs of security, audit logs





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Mihir Bellare (1)
  • Bennet Yee (1)
  1. Dept. of Computer Science & Engineering, University of California, La Jolla, USA
