Forward security is an essential design goal of modern cryptographic protocols with a long body of literature in several application domains such as interactive key-establishment protocols (prominently, in TLS 1.3), digital signatures, search on encrypted data, updatable cryptography, mobile Cloud backups, decentralized contact tracing, new approaches to Tor, and even novel distributed protocols such as Dfinity’s Internet Computer, among others. The well-known benefit of forward security is the mitigation of key leakage by evolving secret keys over epochs and thereby revoking access to prior-epoch ciphertexts. Such a strong security guarantee is highly recognized by industry to be included into security products (e.g., by companies such as Google, Apple, Meta, Microsoft, and Cloudflare), particularly resulting in over 99% of Internet sites surveyed by Qualys SSL Labs support at least some form of forward security at the time of writing.

Green and Miers (S&P 2015) initiated the studies of puncturable encryption (PE) as a new cryptographic primitive towards the strong form of non-interactive forward-secure encryption (in particular, without the need of any pre-shared key material). Already several follow-up works showed the versatility of such a concept yielding a rich abstraction of forward security investigated in a variety of (data-in-transit and data-at-rest) application domains such as 0-RTT key exchange with replay protection for TLS (Eurocrypt’17, Eurocrypt’18, Asiacrypt’20, JoC’21), Google’s QUIC (Cans’20), Searchable Encryption (CCS’17, CCS’18, CCS’21), mobile Cloud backups (OSDI’20), Content Distribution Networks (Financial Crypto’21), Tor (PoPETS’20), and Updatable Encryption (ePrint’21).

Loosely speaking, Puncturable Encryption is a promising variant of public-key encryption that allows realizing the property of fine-grained and non-interactive forward security with several useful applications. Together with my colleagues Daniel Slamanig and Sebastian Ramacher, we wrote a series of blog posts on Puncturable Encryption within the PROFET project:

The overall goal was to make Puncturable Encryption more accessible to the general audience and industry in a developer-friendly way, and also presenting new insights and results.

Parts of this blog post were presented in a contributed talk at the Real World Crypto Symposium 2022 in Amsterdam.