Forward security is an essential design goal of modern cryptographic protocols, with a large body of literature across several application domains such as interactive key-establishment protocols (prominently, TLS 1.3), digital signatures, search on encrypted data, updatable cryptography, mobile cloud backups, decentralized contact tracing, new approaches to Tor, and even novel distributed protocols such as Dfinity’s Internet Computer, among others. The well-known benefit of forward security is that it mitigates key leakage by evolving secret keys over epochs, thereby revoking access to prior-epoch ciphertexts. Industry widely recognizes this strong security guarantee and includes it in security products (e.g., companies such as Google, Apple, Meta, Microsoft, and Cloudflare), with the result that over 99% of Internet sites surveyed by Qualys SSL Labs (https://www.ssllabs.com/ssl-pulse) support at least some form of forward security at the time of writing.
Green and Miers (S&P 2015) initiated the study of puncturable encryption (PE) as a new cryptographic primitive towards a strong form of non-interactive forward-secure encryption (in particular, without the need for any pre-shared key material). Several follow-up works have already shown the versatility of this concept, yielding a rich abstraction of forward security that has been investigated in a variety of (data-in-transit and data-at-rest) application domains such as 0-RTT key exchange with replay protection for TLS (Eurocrypt’17, Eurocrypt’18, Asiacrypt’20, JoC’21), Google’s QUIC (CANS’20), Searchable Encryption (CCS’17, CCS’18, NDSS’21), mobile cloud backups (OSDI’20), Content Distribution Networks (Financial Crypto’21), Tor (PoPETS’20), and Updatable Encryption (ePrint’21).
Loosely speaking, PE is a promising variant of public-key encryption that realizes fine-grained and non-interactive forward security, with several useful applications. This talk provides an exhaustive overview of the concept of PE with motivation, presents state-of-the-art research on PE schemes, and discusses applications (such as 0-RTT key exchange with forward security and replay protection, and forward security for Content Delivery Networks). The overall goal is to make PE more accessible to the general audience and industry in a developer-friendly way, and also to present new insights and results.
The presentation builds on an existing blog post with the same title (https://profet.at/blog/pe).