forward secure via offline sub-epoch keys - There are
arguments for periodically generating fresh keys representing new
epochs so that forward-security is recovered in the event of an
undetected private key compromise. (Recall that a compromised current
private key compromises all future private keys.) However this
practice is typically manual and inconvenient, and other steps can be
taken to assure forward-security if the cryptosystem can be used to
function as a forward secure NIFS cryptosystem.
The framework would be to have a main epoch (possibly of unlimited
length in the case of setup-free NIFS), and a set of sub-epochs with an
offline store of a set of private keys, one for each sub-epoch. When
one transitions from one sub-epoch to the next, the offline
store must be accessed for the corresponding new sub-epoch private
key.
- forward secure with setup NIFS - With an NIFS cryptosystem with a
setup-phase this is easy. Just store the private keys for a
sub-epoch encrypted with the offline stored sub-epoch key.
- forward secure with setup-free NIFS - With a setup-free
NIFS cryptosystem there appears to be no generic mechanism. The
scheme would have to be modified if possible to require the use
of the sub-epoch key to generate the first private key of the
next sub-epoch. It may be desirable also for the offline
sub-epoch keys to be in a sequence such that one can compute
them in a sequence like a hash-chain as this is a more compact
representation, and doesn't impose any limit on the number of
sub-epochs that can be used.
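
One possible hash-chain construction for the offline sub-epoch keys, as an added example that is not from the original page: the offline store keeps a chain state s_i, releases k_i = HMAC(s_i, "sub-epoch-key") to the online host, and ratchets s_{i+1} = HMAC(s_i, "ratchet"). The split between chain state and released key, the use of HMAC-SHA256, the labels and all names are assumptions made here; how k_i is then consumed by the NIFS scheme is outside the example.

```python
import hashlib
import hmac

def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as the chain's one-way function (assumed choice)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def initial_state(seed: bytes) -> bytes:
    return _prf(seed, b"init")

class OfflineStore:
    """Offline side: holds only the current chain state s_i, never old ones."""

    def __init__(self, seed: bytes):
        self._state = initial_state(seed)
        self.index = 0

    def release_next(self):
        """Return (i, k_i) for the online host, then ratchet s_i -> s_{i+1}."""
        i, key = self.index, _prf(self._state, b"sub-epoch-key")
        self._state = _prf(self._state, b"ratchet")  # s_i is overwritten
        self.index += 1
        return i, key

def sub_epoch_keys(seed: bytes, count: int):
    """Reference derivation of k_0..k_{count-1}, to check the store against."""
    state, keys = initial_state(seed), []
    for _ in range(count):
        keys.append(_prf(state, b"sub-epoch-key"))
        state = _prf(state, b"ratchet")
    return keys

def online_guess_next(k_i: bytes) -> bytes:
    """What a holder of k_i alone gets by reusing the ratchet steps on it."""
    return _prf(_prf(k_i, b"ratchet"), b"sub-epoch-key")

if __name__ == "__main__":
    seed = b"constructed demo seed, not a real key"
    store = OfflineStore(seed)
    released = [store.release_next() for _ in range(4)]
    for i, key in released:
        print(i, key.hex()[:16])
    # The online host holds k_0, but its attempt at k_1 does not match.
    print(online_guess_next(released[0][1]) == released[1][1])
```

Because the store overwrites s_i on every release, a compromise of the offline store at sub-epoch i exposes k_i onward but not the earlier sub-epoch keys, and the chain has no fixed length.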