A forward-secure public-key encryption scheme

Ran Canetti*, Shai Halevi, Jonathan Katz

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


Cryptographic computations are often carried out on insecure devices for which the threat of key exposure represents a serious concern. Forward security allows one to mitigate the damage caused by exposure of secret keys. In a forward-secure scheme, secret keys are updated at regular periods of time; exposure of the secret key corresponding to a given time period does not enable an adversary to "break" the scheme (in the appropriate sense) for any prior time period. We present the first constructions of (non-interactive) forward-secure public-key encryption schemes. Our main construction achieves security against chosen-plaintext attacks in the standard model, and all parameters of the scheme are poly-logarithmic in the total number of time periods. Some variants and extensions of this scheme are also given. We also introduce the notion of binary tree encryption and construct a binary tree encryption scheme in the standard model. Our construction implies the first hierarchical identity-based encryption scheme in the standard model. (The notion of security we achieve, however, is slightly weaker than that achieved by some previous constructions in the random oracle model.)

Original languageEnglish
Pages (from-to)265-294
Number of pages30
JournalJournal of Cryptology
Issue number3
StatePublished - Jul 2007
Externally publishedYes


  • Forward sercurity
  • Identity-based encryption
  • Public-key encryption


Dive into the research topics of 'A forward-secure public-key encryption scheme'. Together they form a unique fingerprint.

Cite this