Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically-secure -but computationally-limiteddevice which stores a "master key". All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N )-keyinsulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N − t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device.We focus primarily on key-insulated public-key encryption. We construct a (t, N )-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more ef£cient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.