[7015] in cryptography@c2.net mail archive
RE: Perfect Forward Security def wanted
daemon@ATHENA.MIT.EDU (Mike Just)
Fri May 5 12:57:42 2000
Message-ID: <ED026032A3FCD211AEDA00105A9C4696017C0F60@sothmxs05.entrust.com>
From: Mike Just <mike.just@entrust.com>
To: "'David Jablon'" <dpj@world.std.com>,
lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>
Cc: cryptography@c2.net
Date: Fri, 5 May 2000 08:53:56 -0400

The "perfect" was also dropped in

M. Just, S. Vaudenay
"Authenticated Multi-Party Key Agreement"
Proceedings of Asiacrypt '96
Springer-Verlag.

Here, we define it as "A key agreement protocol provides forward secrecy if
the loss of any long-term secret keying material does not allow the
compromise of keys from previously wire-tapped sessions." Not very
technical, but it gets the point across.

The earliest definitions for "perfect forward secrecy" that we found were
from
(apologies, but I don't have copies of these last two references here)

C. Gunther,
"An Identity-Based Key Exchange Protocol"
Proceedings of Eurocrypt '89,
Springer-Verlag.

and

W. Diffie, P.C. van Oorschot, M.J. Wiener,
"Authentication and Authenticated Key Exchanges"
Designs, Codes and Cryptography,
Vol 2, 1992.

Mike Just.

> -----Original Message-----
> From: David Jablon [mailto:dpj@world.std.com]
> Sent: Thursday, May 04, 2000 5:06 PM
> To: lcs Mixmaster Remailer
> Cc: cryptography@c2.net
> Subject: Re: Perfect Forward Security def wanted
>
>
> I recall a P1363 meeting which discussed the issue of confusion over
> multiple interpretations (or misinterpretations) of "perfect forward secrecy".
> I and others suggested dropping the word "perfect" for the reason you discuss.
>
> PFS was defined in
> <http://www.IntegritySciences.com/links.html#DvOW92>,
> and variations of FS are defined in the latest draft of P1363
> Appendix D. <http://grouper.ieee.org/groups/1363/P1363/draft.html>.
>
> At 07:40 PM 5/4/00 -0000, lcs Mixmaster Remailer wrote:
> >What is the difference (if any) between "perfect" forward secrecy and
> >just plain old ordinary forward secrecy?
> >
> >Forward secrecy sounds like it means secrecy against attacks forward
> >(later) in time. When you burn your one time pad after use you have
> >forward secrecy, because afterwards there is no way to reconstruct
> >the message. Likewise a DH exchange produces forward secrecy once the
> >secret exponents are destroyed, because again the information necessary
> >to reconstruct the result is lost.
> >
> >Usually in cryptography "perfect" refers to information theoretic
> >security, as distinguished from computational security.
> >
> >By this definition, the burned OTP would provide perfect forward secrecy.
> >The DH exchange would not, because computational attacks could in
> >principle recover the secret.
> >
> >However DH is widely stated to provide PFS. Therefore "perfect" must
> >mean something else in this context. Can anyone shed light on the
> >distinction between PFS and FS?
>
> As far as I know, PFS is approximately equal to FS, and wasn't meant to
> refer to information theoretic security. I'll leave it to others more familiar
> with the latter field to correct me as needed.
>
> ---------------------------------------------------
> David P. Jablon
> Integrity Sciences, Inc.
> +1 508 898 9024
> dpj@IntegritySciences.com
> www.IntegritySciences.com
>
>
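
The forward secrecy definition quoted in this thread, as an added Python example that is not part of the original messages: a static-DH session key is recomputed from a recorded transcript once the long-term key leaks, while an ephemeral-DH key is not derivable from the same leak. The group parameters (P, G), the function names and the transcript layout are assumptions made for illustration, and the 127-bit group is a toy that is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared, *context):
    h = hashlib.sha256(str(shared).encode())
    for c in context:
        h.update(str(c).encode())
    return h.digest()

def static_session(a, B_pub):
    """Session key depends only on long-term keys plus a public nonce."""
    nonce = secrets.token_hex(16)              # sent in the clear
    key = kdf(pow(B_pub, a, P), nonce)
    return key, {"nonce": nonce}               # what a wiretapper records

def ephemeral_session(a, B_pub):
    """Long-term keys only authenticate; the key comes from one-time exponents."""
    x, X = keypair()                           # Alice's ephemeral pair
    y, Y = keypair()                           # Bob's ephemeral pair (simulated locally)
    auth = kdf(pow(B_pub, a, P), "auth")       # long-term secret, used for the MAC only
    tag = hmac.new(auth, f"{X}|{Y}".encode(), hashlib.sha256).hexdigest()
    key = kdf(pow(Y, x, P), X, Y)
    del x, y                                   # secret exponents destroyed after use
    return key, {"X": X, "Y": Y, "tag": tag}

def attacker_static(transcript, leaked_a, B_pub):
    """Recompute a recorded static-DH session key from a leaked long-term key."""
    return kdf(pow(B_pub, leaked_a, P), transcript["nonce"])

def attacker_ephemeral(transcript, leaked_a, B_pub):
    """What the leaked key yields here: the MAC key, g^(a*y) and g^(a*x)."""
    X, Y = transcript["X"], transcript["Y"]
    auth = kdf(pow(B_pub, leaked_a, P), "auth")
    expected = hmac.new(auth, f"{X}|{Y}".encode(), hashlib.sha256).hexdigest()
    tag_ok = hmac.compare_digest(expected, transcript["tag"])
    guesses = [kdf(pow(Y, leaked_a, P), X, Y), kdf(pow(X, leaked_a, P), X, Y)]
    return tag_ok, guesses
```

In the ephemeral case the leaked key still lets the attacker verify the recorded MAC tag, but recovering the session key would require solving Diffie-Hellman on X and Y, which is a computational barrier rather than an information-theoretic one.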