David Hopwood writes:

Forward-secure public-key encryption has been discussed here, on sci.crypt, and elsewhere. To recap - the goal is that an adversary who breaks into your computer today can't read messages sent/received yesterday. In the interactive case, you use ephermal Diffie-Hellman. The non-interactive case is more complicated and has had some ideas considered by Ross Anderson, Adam Back, and David Hopwood (among others). Cypherpunks relevance: forward security is nice for remailers.

Anyway, there's a new eprint up which shows how to construct such a scheme starting from an ID-based encryption scheme by Boneh + Franklin.

"A Forward-Secure Public-Key Encryption Scheme" Jonathan Katz http://eprint.iacr.org/2002/060/

It's worth noting that the scheme this is based on has code available. http://crypto.stanford.edu/ibe/download.html

Adam Back noted several years ago that identity-based encryption systems could be converted into forward-secure PK encryption methods. At the time it did not appear that any of the identity-based encryption systems were very secure. In the past few years a number of cryptographic results have been achieved by using the Weil and Tate pairings, which are mappings among groups associated with supersingular elliptic curves. These mappings have special mathematical properties which give a new slant to a number of cryptographic problems. For example it can be shown that in the appropriate group, the Decision Diffie-Hellman problem is easy while the Diffie-Hellman problem is still thought to be hard. On coderpunks this was discussed as a possible approach to ecash. The Weil pairing can also be used to create short signatures, only 20 bytes long for the same security as a DSA sig taking 40 bytes. At Crypto 2001, Boneh and Franklin showed how to use the Weil pairing to create an identity based PK system. Unlike earlier constructions, this one seems to have a good security margin. Following Adam Back's earlier idea, this means a forward-secure PKCS can be constructed, and the new paper does so, using the Weil and Tate pairings. One concern is that these mathematical techniques are new in cryptography and so it is possible that new attacks will be found against them. While the underlying math is old, the specific application is new and so weaknesses may still be discovered. Another problem is that the math is really advanced and not many implementors or users are likely to understand it very well. Sure we've got a library but the kind of people who want forward security would like to understand the principles a little better.