{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T21:38:46Z","timestamp":1769722726613,"version":"3.49.0"},"reference-count":59,"publisher":"Oxford University Press (OUP)","issue":"4","license":[{"start":{"date-parts":[[2020,8,24]],"date-time":"2020-08-24T00:00:00Z","timestamp":1598227200000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100005416","name":"Research Council of Norway","doi-asserted-by":"publisher","award":["248166"],"award-info":[{"award-number":["248166"]}],"id":[{"id":"10.13039\/501100005416","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001659","name":"German Research Foundation","doi-asserted-by":"publisher","award":["JA 2445\/2-1"],"award-info":[{"award-number":["JA 2445\/2-1"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,4,19]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Forward security ensures that compromise of entities today does not impact the security of cryptographic primitives employed in the past. Such a form of security is regarded as increasingly important in the modern world due to the existence of adversaries with mass storage capabilities and powerful infiltration abilities. Although the idea of forward security has been known for over 30 years, current understanding of what it really should mean is limited due to the prevalence of new techniques and inconsistent terminology. We survey existing methods for achieving forward security for different cryptographic primitives and propose new definitions and terminology aimed at a unified treatment of the notion.<\/jats:p>","DOI":"10.1093\/comjnl\/bxaa104","type":"journal-article","created":{"date-parts":[[2020,7,12]],"date-time":"2020-07-12T11:06:51Z","timestamp":1594552011000},"page":"639-652","source":"Crossref","is-referenced-by-count":26,"title":["A Modern View on Forward Security"],"prefix":"10.1093","volume":"64","author":[{"given":"Colin","family":"Boyd","sequence":"first","affiliation":[{"name":"NTNU, Norwegian University of Science and Technology, 7491 Trondheim, Norway"}]},{"given":"Kai","family":"Gellert","sequence":"additional","affiliation":[{"name":"Bergische Universit\u00e4t Wuppertal, 42119 Wuppertal, Germany"}]}],"member":"286","published-online":{"date-parts":[[2020,8,24]]},"reference":[{"key":"2021041913134880500_ref1","article-title":"The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. IETF","author":"Rescorla","year":"2018"},{"key":"2021041913134880500_ref2","first-page":"120","article-title":"A method for obtaining digital signatures and public-key cryptosystems","volume":"21","author":"Rivest","year":"1978","journal-title":"Comm. Assoc. Comput. Mach."},{"key":"2021041913134880500_ref3","doi-asserted-by":"crossref","first-page":"644","DOI":"10.1109\/TIT.1976.1055638","article-title":"New directions in cryptography","volume":"22","author":"Diffie","year":"1976","journal-title":"IEEE Trans. Inf. Theory"},{"key":"2021041913134880500_ref4","first-page":"254","article-title":"Non-interactive key exchange","volume-title":"PKC 2013","author":"Freire","year":"2013"},{"key":"2021041913134880500_ref5","article-title":"The GNU privacy guard","author":"Koch"},{"key":"2021041913134880500_ref6","article-title":"Secure\/multipurpose internet mail extensions (S\/MIME) version 3.1 certificate handling. RFC3850","author":"Ramsdell","year":"2004"},{"key":"2021041913134880500_ref7","article-title":"Secure\/multipurpose internet mail extensions (S\/MIME) version 3.1 message specification. RFC3851","author":"Ramsdell","year":"2004"},{"key":"2021041913134880500_ref8","article-title":"Signal messenger website","author":"Messenger","year":"2019"},{"key":"2021041913134880500_ref9","article-title":"QUIC crypto","author":"Chang","year":"2014"},{"key":"2021041913134880500_ref10","article-title":"Building zero protocol for fast, secure mobile connections","author":"Iyengar","year":"2017"},{"key":"2021041913134880500_ref11","first-page":"301","article-title":"Privacy, discovery, and authentication for the internet of things","volume-title":"ESORICS 2016, Part II","author":"Wu","year":"2016"},{"key":"2021041913134880500_ref12","article-title":"[TLS] 0-RTT security considerations (was OPTLS)","author":"Williams","year":"2014"},{"key":"2021041913134880500_ref13","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1007\/s10207-012-0185-2","article-title":"Fully non-interactive onion routing with forward secrecy","volume":"12","author":"Catalano","year":"2013","journal-title":"Int. J. Inf. Secur."},{"key":"2021041913134880500_ref14","first-page":"151","article-title":"Certificateless onion routing","volume-title":"ACM CCS 2009","author":"Catalano","year":"2009"},{"key":"2021041913134880500_ref15","first-page":"29:1","article-title":"Pairing-based onion routing with improved forward secrecy","volume-title":"ACM Trans. Inf. Syst. Secur.","author":"Kate","year":"2010"},{"key":"2021041913134880500_ref16","doi-asserted-by":"crossref","first-page":"519","DOI":"10.1007\/978-3-319-56617-7_18","article-title":"0-RTT key exchange with full forward secrecy","volume-title":"EUROCRYPT 2017, Part III","author":"G\u00fcnther","year":"2017"},{"key":"2021041913134880500_ref17","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1007\/978-3-030-17656-3_5","article-title":"Session resumption protocols and efficient forward security for TLS 1.3 0-RTT","volume-title":"EUROCRYPT 2019, Part II","author":"Aviram","year":"2019"},{"key":"2021041913134880500_ref18","first-page":"336","article-title":"T0RTT: non-interactive immediate forward-secret single-pass circuit construction","volume-title":"Proc. Privacy Enhanc. Technol.","author":"Lauer","year":"2020"},{"key":"2021041913134880500_ref19","doi-asserted-by":"crossref","first-page":"134","DOI":"10.1007\/978-3-030-29962-0_7","article-title":"Forward-secure puncturable identity-based encryption for securing cloud emails","volume-title":"Computer Security\u2013ESORICS 2019","author":"Wei","year":"2019"},{"key":"2021041913134880500_ref20","first-page":"993","article-title":"Using encryption for authentication in large networks of computers","volume":"21","author":"Needham","year":"1978","journal-title":"Comm. Assoc. Comput. Mach."},{"key":"2021041913134880500_ref21","article-title":"IT security techniques\u2014key management\u2014part 2: mechanisms using symmetric techniques","author":"ISO","year":"2018"},{"key":"2021041913134880500_ref22","doi-asserted-by":"crossref","first-page":"1484","DOI":"10.1137\/S0097539795293172","article-title":"Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer","volume":"26","author":"Shor","year":"1997","journal-title":"SIAM J. Comput."},{"key":"2021041913134880500_ref23","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1007\/3-540-46885-4_5","article-title":"An identity-based key-exchange protocol","volume-title":"EUROCRYPT \u201989","author":"G\u00fcnther","year":"1990"},{"key":"2021041913134880500_ref24","first-page":"433","article-title":"Forward secrecy and its application to future mobile communications security","volume-title":"PKC 2000","author":"Park","year":"2000"},{"key":"2021041913134880500_ref25","first-page":"219","article-title":"Identity based authenticated key agreement protocols from pairings","volume-title":"16th IEEE Computer Security Foundations Workshop (CSFW-16)","author":"Chen","year":"2003"},{"key":"2021041913134880500_ref26","first-page":"1","article-title":"Forward-security in private-key cryptography","volume-title":"CT-RSA 2003","author":"Bellare","year":"2003"},{"key":"2021041913134880500_ref27","first-page":"21","article-title":"Tor: the second-generation onion router","volume-title":"Proc. 13th Conf. USENIX Security Symposium","author":"Dingledine","year":"2004"},{"key":"2021041913134880500_ref28","volume-title":"Two remarks on public key cryptology","author":"Anderson","year":"2002"},{"key":"2021041913134880500_ref29","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1007\/3-540-39200-9_16","article-title":"A forward-secure public-key encryption scheme","volume-title":"EUROCRYPT 2003","author":"Canetti","year":"2003"},{"key":"2021041913134880500_ref30","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1007\/s00145-006-0442-5","article-title":"A forward-secure public-key encryption scheme","volume":"20","author":"Canetti","year":"2007","journal-title":"J. Cryptol."},{"key":"2021041913134880500_ref31","first-page":"431","article-title":"A forward-secure digital signature scheme","volume-title":"CRYPTO \u201999","author":"Bellare","year":"1999"},{"key":"2021041913134880500_ref32","doi-asserted-by":"crossref","first-page":"257","DOI":"10.1007\/3-540-46416-6_22","article-title":"Group signatures","volume-title":"EUROCRYPT \u201991","author":"Chaum","year":"1991"},{"key":"2021041913134880500_ref33","first-page":"225","article-title":"Practical forward secure group signature schemes","volume-title":"ACM CCS 2001","author":"Song","year":"2001"},{"key":"2021041913134880500_ref34","doi-asserted-by":"crossref","first-page":"552","DOI":"10.1007\/3-540-45682-1_32","article-title":"How to leak a secret","volume-title":"ASIACRYPT 2001","author":"Rivest","year":"2001"},{"key":"2021041913134880500_ref35","first-page":"170","article-title":"Solutions to key exposure problem in ring signature","volume":"6","author":"Liu","year":"2008","journal-title":"IJ Netw. Secur."},{"key":"2021041913134880500_ref36","first-page":"199","article-title":"Blind signatures for untraceable payments","volume-title":"CRYPTO \u201982","author":"Chaum","year":"1982"},{"key":"2021041913134880500_ref37","first-page":"11","article-title":"A forward-secure blind signature scheme based on the strong RSA assumption","volume-title":"ICICS 03","author":"Duc","year":"2003"},{"key":"2021041913134880500_ref38","doi-asserted-by":"crossref","first-page":"305","DOI":"10.1109\/SP.2015.26","article-title":"Forward secure asynchronous messaging from puncturable encryption","volume-title":"2015 IEEE Symposium on Security and Privacy","author":"Green","year":"2015"},{"key":"2021041913134880500_ref39","doi-asserted-by":"crossref","first-page":"425","DOI":"10.1007\/978-3-319-78372-7_14","article-title":"Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange","volume-title":"EUROCRYPT 2018, Part III","author":"Derler","year":"2018"},{"key":"2021041913134880500_ref40","article-title":"Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. Cryptology ePrint Archive, Report 2018\/199","author":"Derler","year":"2018"},{"key":"2021041913134880500_ref41","article-title":"I want to forget: fine-grained encryption with full forward secrecy in the distributed setting. Cryptology ePrint Archive, Report 2019\/912","author":"Derler","year":"2019"},{"key":"2021041913134880500_ref42","first-page":"309","article-title":"Public-key puncturable encryption: modular and compact constructions","volume-title":"Public Key Cryptography (1)","author":"Sun","year":"2020"},{"key":"2021041913134880500_ref43","doi-asserted-by":"crossref","first-page":"242","DOI":"10.1145\/996943.996946","article-title":"Just fast keying: key agreement in a hostile internet","volume":"7","author":"Aiello","year":"2004","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"2021041913134880500_ref44","article-title":"The X3DH key agreement protocol","author":"Marlinspike","year":"2016"},{"key":"2021041913134880500_ref45","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1145\/1966913.1966925","article-title":"Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK","volume-title":"ASIACCS 11","author":"Cremers","year":"2011"},{"key":"2021041913134880500_ref46","first-page":"45","article-title":"Lest we remember: cold boot attacks on encryption keys","volume-title":"USENIX Security 2008","author":"Halderman","year":"2008"},{"key":"2021041913134880500_ref47","first-page":"494","article-title":"Interactive encryption and message authentication","volume-title":"SCN 14","author":"Dodis","year":"2014"},{"key":"2021041913134880500_ref48","first-page":"763","article-title":"Practical backward-secure searchable encryption from symmetric puncturable encryption","volume-title":"ACM CCS 2018","author":"Sun","year":"2018"},{"key":"2021041913134880500_ref49","first-page":"21","article-title":"Forward secure non-interactive key exchange","volume-title":"SCN 14","author":"Pointcheval","year":"2014"},{"key":"2021041913134880500_ref50","first-page":"421","article-title":"How to avoid obfuscation using witness PRFs","volume-title":"TCC 2016-A, Part II","author":"Zhandry","year":"2016"},{"key":"2021041913134880500_ref51","article-title":"TLS session resumption: full-speed and secure","author":"Lin","year":"2015"},{"key":"2021041913134880500_ref52","article-title":"Anonymity and one-way authentication in key exchange protocols","volume":"67","author":"Goldberg","year":"2012","journal-title":"Design. Code. Cryptograph."},{"key":"2021041913134880500_ref53","doi-asserted-by":"crossref","first-page":"164","DOI":"10.1109\/CSF.2016.19","article-title":"On post-compromise security","volume-title":"IEEE 29th Computer Security Foundations Symposium, CSF 2016","author":"Cohn-Gordon","year":"2016"},{"key":"2021041913134880500_ref54","doi-asserted-by":"crossref","first-page":"232","DOI":"10.1109\/SP.2015.22","article-title":"SoK: secure messaging","volume-title":"2015 IEEE Symposium on Security and Privacy","author":"Unger","year":"2015"},{"key":"2021041913134880500_ref55","first-page":"134","article-title":"Improving efficiency and simplicity of tor circuit establishment and hidden services","volume-title":"PET 2007","author":"\u00d8verlier","year":"2007"},{"key":"2021041913134880500_ref56","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1007\/3-540-45539-6_11","article-title":"Authenticated key exchange secure against dictionary attacks","volume-title":"EUROCRYPT 2000","author":"Bellare","year":"2000"},{"key":"2021041913134880500_ref57","doi-asserted-by":"crossref","first-page":"546","DOI":"10.1007\/11535218_33","article-title":"HMQV: a high-performance secure Diffie-Hellman protocol","volume-title":"CRYPTO 2005","author":"Krawczyk","year":"2005"},{"key":"2021041913134880500_ref58","first-page":"220","article-title":"One-round protocols for two-party authenticated key exchange","volume-title":"ACNS 04","author":"Jeong","year":"2004"},{"key":"2021041913134880500_ref59","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1007\/3-540-46035-7_21","article-title":"Dynamic group Diffie\u2013Hellman key exchange under standard assumptions","volume-title":"EUROCRYPT 2002","author":"Bresson","year":"2002"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/comjnl\/article-pdf\/64\/4\/639\/37161647\/bxaa104.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/comjnl\/article-pdf\/64\/4\/639\/37161647\/bxaa104.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,4,20]],"date-time":"2021-04-20T03:12:15Z","timestamp":1618888335000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/64\/4\/639\/5896207"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,8,24]]},"references-count":59,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2020,8,24]]},"published-print":{"date-parts":[[2021,4,19]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxaa104","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2021,4]]},"published":{"date-parts":[[2020,8,24]]}}}