The "perfect" was also dropped in
M. Just, S. Vaudenay
"Authenticated Multi-Party Key Agreement"
Proceedings of Asiacrypt '96
Springer-Verlag.
Here, we define it as "A key agreement protocol provides forward secrecy if
the loss of any long-term secret keying material does not allow the
compromise of keys from previously wire-tapped sessions." Not very
technical, but it gets the point across.
The earliest definitions for "perfect forward secrecy" that we found were
from
(apologies, but I don't have copies of these last two references here)
C. Gunther,
"An Identity-Based Key Exchange Protocol"
Proceedings of Eurocrypt '89,
Springer-Verlag.
and
W. Diffie, P.C. van Oorschot, M.J. Wiener,
"Authentication and Authenticated Key Exchanges"
Designs, Codes and Cryptography,
Vol 2, 1992.
Mike Just.
> -----Original Message-----
> From: David Jablon [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 04, 2000 5:06 PM
> To: lcs Mixmaster Remailer
> Cc: [EMAIL PROTECTED]
> Subject: Re: Perfect Forward Security def wanted
>
>
> I recall a P1363 meeting which discussed the issue of confusion over
> multiple interpretations (or misinterpretations) of "perfect
> forward secrecy".
> I and others suggested dropping the word "perfect" for the
> reason you discuss.
>
> PFS was defined in
> <http://www.IntegritySciences.com/links.html#DvOW92>,
> and variations of FS are defined in the latest draft of P1363
> Appendix D. <http://grouper.ieee.org/groups/1363/P1363/draft.html>.
>
> At 07:40 PM 5/4/00 -0000, lcs Mixmaster Remailer wrote:
> >What is the difference (if any) between "perfect" forward secrecy and
> >just plain old ordinary forward secrecy?
> >
> >Forward secrecy sounds like it means secrecy against attacks forward
> >(later) in time. When you burn your one time pad after use you have
> >forward secrecy, because afterwards there is no way to reconstruct
> >the message. Likewise a DH exchange produces forward secrecy once the
> >secret exponents are destroyed, because again the information necessary
> >to reconstruct the result is lost.
> >
> >Usually in cryptography "perfect" refers to information theoretic
> >security, as distinguished from computational security.
> >
> >By this definition, the burned OTP would provide perfect forward secrecy.
> >The DH exchange would not, because computational attacks could in
> >principle recover the secret.
> >
> >However DH is widely stated to provide PFS. Therefore "perfect" must
> >mean something else in this context. Can anyone shed light on the
> >distinction between PFS and FS?
>
> As far as I know, PFS is approximately equal to FS, and wasn't meant to
> refer to information theoretic security. I'll leave it to others more familiar
> with the latter field to correct me as needed.
>
> ---------------------------------------------------
> David P. Jablon
> Integrity Sciences, Inc.
> +1 508 898 9024
> [EMAIL PROTECTED]
> www.IntegritySciences.com
>
>
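
Added example, not part of the original messages: a toy sketch of the forward-secrecy definition quoted above, comparing a session key derived directly from long-term DH keys with one derived from per-session exponents that are destroyed afterwards. The modulus, generator and all function names are assumptions chosen for illustration; the group is far too small for real use and the signatures that would authenticate the ephemeral values are omitted.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (constructed; not a secure group size)
G = 3            # toy base (assumption for illustration)

def keygen():
    """Return (private exponent, public value)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(shared):
    """Derive a session key from the DH shared value."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def static_session(alice_lt, bob_lt):
    """Session key computed directly from the long-term keys."""
    (a, A), (b, B) = alice_lt, bob_lt
    transcript = {"alice_pub": A, "bob_pub": B}   # what a wiretap records
    return kdf(pow(B, a, P)), transcript

def ephemeral_session(alice_lt, bob_lt):
    """Fresh exponents per session. The long-term keys would only sign
    X and Y (omitted here); x and y are discarded when this returns."""
    x, X = keygen()
    y, Y = keygen()
    transcript = {"alice_pub": X, "bob_pub": Y}
    return kdf(pow(Y, x, P)), transcript

def recompute_after_leak(transcript, leaked_alice_priv):
    """Model of the definition's scenario: the recorded transcript plus
    Alice's long-term private key, used to rebuild the session key."""
    return kdf(pow(transcript["bob_pub"], leaked_alice_priv, P))

def demo():
    """Report, per mode, whether a past session key is recoverable
    once the long-term private key is lost."""
    alice_lt, bob_lt = keygen(), keygen()
    results = {}
    for name, run in (("static", static_session),
                      ("ephemeral", ephemeral_session)):
        key, transcript = run(alice_lt, bob_lt)
        results[name] = recompute_after_leak(transcript, alice_lt[0]) == key
    return results

if __name__ == "__main__":
    print(demo())
```
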