This paper is about how to keep data for a finite time, and then make it unrecoverable after that. It is difficult to ensure that data is completely destroyed. To be available before expiration, it is desirable to create backup copies. Then absolute deletion becomes difficult, because even after explicitly deleting it, copies might remain on backup media, or in swap space, or be forensically recoverable. The obvious solution is to store the data encrypted, and then delete the key after expiration. The key is somewhat easier to manage, because it is smaller, but there is still the issue of needing to make the key reliably available for some time, and then reliably destroyed. It is dif-ficult enough for a user to manage one key, much less different keys for different data expiration times. The user could keep each key on a tamper-proof smart card with no copies, but then the data will be lost prematurely if the user loses the smart card. And smart cards are expensive. So the idea in this paper is to concentrate all the key management expense and expertise in one place, a server we call an “ephemerizer”. The ephemerizer creates keys, makes them available for encryption, aids in decryption, and destroys the keys at the appropriate time. The design in this paper ensures that even if a client’s machine gets compromised, and everything in stable storage (including long term user keys) is stolen, any data that has expired before the compromise remains unrecoverable. The paper starts with a description of an existing commercial scheme, and presents improvements to that scheme to eliminate the necessity for per-message state. Then it presents a new approach, based on public keys, and presents an initial design, and then a more efficient version using a new concept closely related to blind signatures, that we call “blind decryption”.

Anderson, R. (1997) Two remarks on public-key cryptology, Invited lecture, Fourth ACM Conference on Computer and Communications Security, April.

Bellare, M., and Miner, S.K. (1999) A Forward-secure digital signature scheme. Advances in Cryptology - CRYPTO ‘99 Lecture Notes in Computer Science. Vol 1666/1999. M. Wiener (Ed.). Springer-Verlag GmbH.

Camp, L. J. (1997) Web security & privacy: An American perspective. ACM SIGCAS CEPC ’97, Computer Ethics: Philosophical Inquiry, February.

Chaum, D., (1983) Blind signatures for Untraceable payments, Advances in Cryptology - pro-ceedings of Crypto 82.

Cronin, E., Jamin, S., Malkin, T., and McDaniel, P, (2003) On the performance, feasibility, and use of forward-secure signatures, Conference on Computer and Communications Security. Proceedings of the 10th ACM conference on Computer and communications security. Washington DC.

Diffie, W., and Hellman, M. (1976) “New directions in cryptography”, IEEE Transcations on Information Theory. IT-22: 644-654.

Disappearing, Inc., web site: http://www.specimenbox.com/di/ab/hwdi.html

Naor, M., and Yung, M., (1990) Public-Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks. 22nd Annual ACM Symposium on Theory of Computing.

Pohlig, S., and Hellman, M.(1978) “An Improved Algorithm for Computing Logarithms in GF(P) and Its Cryptographic Significance,” IEEE Transactions on Information Theory. 24(1).

Rivest, R., Shamir, A., and Adleman, L. (1978) “A method for obtaining digital signatures and public-key cryptosystems”, Communications of the ACM. 21(2): 120-126.