%0 Journal Article %J Advances in Cryptology—Eurocrypt 2002 %D 2002 %T Key-insulated public key cryptosystems %A Dodis,Y. %A Katz, Jonathan %A Xu,S. %A Yung,M. %X Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via inter-action with a physically-secure - but computationally-limited - device which stores a “master key”. All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N - t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device. We focus primarily on key-insulated public-key encryption. We construct a (t, N)-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more efficient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security. %B Advances in Cryptology—Eurocrypt 2002 %P 65 - 82 %8 2002/// %G eng %R 10.1007/3-540-46035-7_5