On Thu, Jul 4, 2013 at 11:33 AM, Adam Back <a...@cypherspace.org> wrote:
>
>> Not completely by this counterexample: generate k, suffer from an enemy
>> copy of system state including k, let k'=H(k), delete k', use k' in
>> dangerous confidence. I mean the textbook PFS definition is not satisfied
>> by k'=H(k).
>>
>
> I think you are confusing forward secrecy (aka backward security) with
> backward secrecy (forward security).  Ross Anderson tried to improve things
> with his forward secure/backward secure alternative terminology:
>
> http://www.cypherspace.org/adam/nifs/refs/forwardsecure.pdf
>
> Forward secrecy is a bad term from a mnemonic point of view, I think
> Anderson's forward/backward security terms are better.  EDH provides both,
> k'=H(k) provides only backward security (aka forward secrecy).


Good distinction but this terminology is all pretty bad.

What about something more self-explanatory, like "back-decryption
resistance" / "forward-decryption resistance"?


Trevor
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
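
The hash-only update k'=H(k) discussed in this thread, as an added example that is not part of the original messages: a copy of the state taken at one epoch yields every later key by hashing forward, but none of the earlier ones. SHA-256, the `ratchet` label, the HMAC tags and the sample messages are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def ratchet(k: bytes) -> bytes:
    """One step of the k' = H(k) update (H = SHA-256 here, an assumption)."""
    return hashlib.sha256(b"ratchet" + k).digest()

def tag(k: bytes, msg: bytes) -> bytes:
    """Authenticate msg under an epoch key, so a candidate key can be checked."""
    return hmac.new(k, msg, hashlib.sha256).digest()

def run_session(epochs: int, k0: bytes):
    """Honest party: one tagged message per epoch, key replaced by H(key)."""
    k, keys, traffic = k0, [], []
    for i in range(epochs):
        msg = f"message {i}".encode()   # constructed sample traffic
        traffic.append((msg, tag(k, msg)))
        keys.append(k)                  # kept only so the demo can copy state
        k = ratchet(k)
    return keys, traffic

def exposed_epochs(stolen_key: bytes, traffic) -> list:
    """Epochs whose tags verify under a key derivable forward from stolen_key."""
    derivable, k = [], stolen_key
    for _ in range(len(traffic)):
        derivable.append(k)
        k = ratchet(k)                  # anyone holding k can compute H(k)
    return [i for i, (msg, t) in enumerate(traffic)
            if any(hmac.compare_digest(tag(d, msg), t) for d in derivable)]

def demo(epochs: int = 6, snapshot_at: int = 3) -> list:
    """State is copied at epoch `snapshot_at`; return the epochs that exposes."""
    keys, traffic = run_session(epochs, os.urandom(32))
    return exposed_epochs(keys[snapshot_at], traffic)

if __name__ == "__main__":
    print(demo())
```

Epochs before the copy stay protected because recovering them would mean inverting H; epochs after it do not, which is the property a fresh EDH exchange adds.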
