A Forward-Secure Public-Key Encryption Scheme

  • Ran Canetti
  • Shai Halevi
  • Jonathan Katz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


Cryptographic computations are often carried out on insecure devices for which the threat of key exposure represents a serious and realistic concern. In an effort to mitigate the damage caused by exposure of secret data (e.g., keys) stored on such devices, the paradigm of forward security was introduced. In a forward-secure scheme, secret keys are updated at regular periods of time; furthermore, exposure of a secret key corresponding to a given time period does not enable an adversary to “break” the scheme (in the appropriate sense) for any prior time period. A number of constructions of forward-secure digital signature schemes, key-exchange protocols, and symmetric-key schemes are known.

We present the first constructions of a (non-interactive) forward-secure public-key encryption scheme. Our main construction achieves security against chosen plaintext attacks under the decisional bilinear Diffie-Hellman assumption in the standard model. It is practical, and all complexity parameters grow at most logarithmically with the total number of time periods. The scheme can also be extended to achieve security against chosen ciphertext attacks.
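As an added illustration (not code from the paper), the Python below sketches the key-update structure the abstract describes: time periods are the leaves of a binary tree of depth DEPTH, the secret state at period t holds the leaf key for t plus the keys of the right siblings along the path from the root, so the state never exceeds DEPTH+1 keys, and each update erases the keys that could serve the period just ended. A one-way PRF (HMAC-SHA256) stands in for the paper's pairing-based derivation and a symmetric leaf key stands in for the period's decryption key; all names here are this example's own.

```python
import hmac
import hashlib

DEPTH = 4  # constructed toy size: 2**DEPTH = 16 time periods

def child_key(node_key: bytes, bit: str) -> bytes:
    """One-way derivation of a child's key from its parent's key (HMAC-SHA256
    here, in place of the paper's pairing-based derivation; an assumption)."""
    return hmac.new(node_key, bit.encode(), hashlib.sha256).digest()

def leaf_key_from_master(master: bytes, period: int) -> bytes:
    """Reference derivation: walk the tree from the root down to leaf `period`."""
    key = master
    for bit in format(period, f"0{DEPTH}b"):
        key = child_key(key, bit)
    return key

class KeyState:
    """Secret state held during one period: the current leaf key plus the keys
    of the right siblings of every 0-edge on the root-to-leaf path."""

    def __init__(self, master: bytes):
        self.period, self.keys = 0, {}
        key, label = master, ""
        for _ in range(DEPTH):
            self.keys[label + "1"] = child_key(key, "1")  # sibling, kept for later periods
            key, label = child_key(key, "0"), label + "0"
        self.keys[label] = key  # leaf key for period 0; the master itself is never stored

    def update(self) -> None:
        """Advance one period, erasing every key that could serve the old period."""
        del self.keys[format(self.period, f"0{DEPTH}b")]
        if not self.keys:
            raise ValueError("last period reached; no further keys exist")
        label = max(self.keys, key=len)  # deepest stored node roots the subtree of period+1
        key = self.keys.pop(label)
        while len(label) < DEPTH:  # descend along 0-edges, storing each 1-sibling
            self.keys[label + "1"] = child_key(key, "1")
            key, label = child_key(key, "0"), label + "0"
        self.keys[label] = key
        self.period += 1

    def key_for(self, period: int):
        """Leaf key for `period` if the current state can derive it, else None.
        Past periods yield None: their ancestors were erased and HMAC is one-way."""
        leaf = format(period, f"0{DEPTH}b")
        for label, key in self.keys.items():
            if leaf.startswith(label):
                for bit in leaf[len(label):]:
                    key = child_key(key, bit)
                return key
        return None
```

Exposing the state at period t therefore reveals keys for periods t and later but nothing about earlier ones, which is the forward-security property; the real scheme achieves the same shape with public-key encryption so that only the key holder needs to evolve state.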


Keywords: Bilinear Diffie-Hellman; Encryption; Forward security; Key exposure



Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  • Ran Canetti (1)
  • Shai Halevi (1)
  • Jonathan Katz (2)
  1. IBM T.J. Watson Research Center, Hawthorne
  2. Dept. of Computer Science, University of Maryland, College Park
