Non-Interactive Forward Secrecy

A Non-Interactive Forward-Secret Cryptosystem (NIFS) has a single public key which a sequence of public keys can be derived from. There is a corresponding sequence of private keys which can be deleted after use. To use one would make each public key valid for a time interval and delete the private key after that time interval has expired. It must not be possible to compute previous private keys from current ones.

NIFS Cryptosystems and Identity-based Cryptosystems

It is possible to construct NIFS schemes from ID-based schemes, but the converse is not true. Here is the generic method to use an ID-based cryptosystem as an NIFS cryptosystem:

Generic ID-based approach -- user acts as his own identity based CA, and during setup user creates multiple identities corresponding to day of epoch and their corresponding private keys. At end of setup user deletes ID-based CA's private keys. Encryption proceeds as per the ID-based scheme, user deletes per day private key at end of day.

There are at least two weaker requirements which make NIFS schemes potentially simpler than ID-based schemes.

no chosen identities - NIFS cryptosystem public keys do not need to encode chosen strings (chosen identities); instead you just have the simpler requirement that the sequence of public keys have a compact (preferably fixed sized) representation, and that the public keys be computable efficiently from the base public key
only need forward chained security for private keys - with ID-based cryptosystems the scheme would be considered broken if users could compute each others private keys; with NIFS the scheme would be considered broken under weaker constraints: if current and future private keys can be used to compute past (deleted) private it is broken, but if past (deleted) private keys can compute future public keys that is ok, as it is anyway necessary to delete past private keys.

Additional desirable features:

setup-free scheme using only forward chained security of private keys - NIFS cryptosystem based on the generic ID based has a setup phase after which the ID-based CA private keys are deleted. It would be desirable to be able to build a setup-free NIFS cryptosystem which did not have a setup phase, and instead the system is designed so that current private keys can generate future private keys, but private keys can not be used to recover prior private keys. This is safe, as private keys are deleted after use. It is also desirable for two reasons:
- more efficient key generation - this will tend to reduce the cost of NIFS key generation, only the first private key needs to be chosen at setup time; later private keys can be computed based on earlier private keys on demand (prior to the deletion of the private key needed to derive the next key).
- unlimited epoch - it is also desirable because there can be an unlimited number of keys in an epoch, enabling finer grained validity intervals, and longer lived base public keys (potentially for-ever as one epoch suffices for a life-time).
forward secure via offline sub-epoch keys - There are arguments for generating fresh keys representing new epochs periodically so that forward-security is recovered in event of undetected private key compromise. (Recall a compromised current private key compromises all future private keys). However this practice is typically manual and inconvenient, and other steps can be taken to assure forward-security: if the cryptosystem can be used to function as a forward secure NIFS cryptosystem.
The framework would be to have a main epoch (possibly of unlimited length in the case of setup-free NIFS), and a set of sub-epochs with a offline store of a set of private keys one for each sub-epoch. When one transitions from which one sub-epoch to the next, the offline store must be accessed for the corresponding new sub-epoch private key.
- forward secure with setup NIFS - With an NIFS cryptosystem with a setup-phase this is easy. Just store the private keys for a sub-epoch encrypted with the offline stored sub-epoch key.
- forward secure with setup-free NIFS - With a setup-free NIFS cryptosystem there appears to be no generic mechanism. The scheme would have to be modified if possible to require the use of the sub-epoch key to generate the first private key of the next sub-epoch. It may be desirable also for the offline sub-epoch keys to be in a sequence such that one can compute them in a sequence like a hash-chain as this is a more compact representation, and doesn't impose any limit on the number of sub-epochs that can be used.

Other applications:

delegation - Boneh and Franklin propose to delegate decryption for a limited time, to copy onto a laptop sufficient private keys for the planned duration of a trip, if the laptop is stolen only those seven day's keys are lost. An NIFS scheme is sufficient, though they propose it in the context of applications for ID-based systems. (What they propose is basically a different application of NIFS as they already propose that Bob could be his own ID-based CA for this application.)
offline revocation - Boneh and Franklin propose to have the ID-based CA issue a private key each day. To revoke a key the CA need only stop sending the user further private keys. The sender does not need to discover that the user's keys have been revoked via CRLs etc, the effect is instead that the user will not be able to decrypt the mail. This application works with NIFS also, as the identity aspect is not required.
- offline revocation without escrow - One can make such a scheme where the ID-based CA is not able to read the users mail: the sender would super-encrypt in addition with a key pair with a private key generated by the user and the public key certified by the same ID-based CA. Traditional worries about ID-based CA necessarily being able to decrypt mail (so-called escrow like functionality) are in fact unfounded, one can have offline revocation while avoiding the escrow problem.
- NIFS and offline verification without escrow - one could use two NIFS schemes, one controlled by the revocation CA for offline revocation, the other by the user for forward secrecy to have both user controlled forward secrecy and offline revocation.

NIFS Schemes

Generic NIFS based on ID-based cryptosystem
other -- not ID-based?

Chronological NIFS References

Chronological list of references to the NIFS problem:

6 Sep 1996 - Adam Back - NIFS first statement of problem
17 Apr 1997 - Adam Back - of historical reference value only broken early scheme and the break
1997 - Ross Anderson - gave talk on Forward Secure Encryption and Signatures
31 May 1998 - Adam Back - observation that Identity Based Crypto Schemes can be used for NIFS
Sep 2000 - Ross Anderson - write up of 1997 talk, [local copy]

Identity-Based Crypto Literature

1984 - Adi Shamir - "Identity-based cryptosystems and signature schemes", Proceedings of Crypto 1984, pp 47-53
Nov 1996 - U M Maurer and Y Yacobi - "A Non-interactive Public-Key Distribution System", Designs, Codes and Cryptography vol 9 no. 3 pp 305-316
2000 - Detlef Huhnlein, Michael Jacobson, Jr. and D. Weber - "Towards Practical Non-interactive Public Key Cryptosystems using Non-maximal Imaginary Quadratic Orders", to appear in Proceedings of Selected Areas in Cryptography 2000, Springer-Verlag Jacob's publications page, [ .ps], [local], [ .pdf], [local].
2001 - Dan Boneh and Matt Franklin - "Identity based encryption from the Weil pairing", to appear in Crypto 2001 abstract and paper
2002 - Jonathan Katz - "A Forward-Secure Public-Key Encryption Scheme", Cryptology ePrint Archive: Report 2002/060 abstract and paper

Other terms people have used for Identity-Based Crypto:

Non-interactive Public Key Distribution
Non-interactive Public Key Cryptosystems

Related Work

Forward Secure Signatures - Ross Anderson proposed a forward secure digital signature. A practical implementation was found -- FSIG.

Comments, html bugs to me (Adam Back) at <adam@cypherspace.org>