On 2011-02-16 03:28, James A. Donald wrote:
> On 2011-02-16 10:04 AM, David-Sarah Hopwood wrote:
>> Note that a disadvantage of such protocols relative to
>> multi-round ones is that, as far as I know, they cannot
>> achieve forward secrecy.
>
> In that if either party to the protocol described loses
> control of his secret key, all messages can be retroactively
> decrypted.

That's correct for static Diffie-Hellman. For the Encrypt-then-Sign protocol I gave, messages can be retroactively decrypted if-and-only-if the recipient's decryption key is compromised. For a given message, the sender's decryption key is not used (and compromise of its signing key does not allow decrypting past messages).

> I was unaware that any half round protocols had been
> described, though you proceed to describe one below.

Ian Brown and Adam Back's suggestion is another, which appears equally secure. It also has the property that messages can be retroactively decrypted if-and-only-if the recipient's decryption key is compromised.

> It would seem that forward secrecy inherently requires at
> least one and a half round trips, since the recipient of the
> message has to have a transient secret.

If the sender of the message is the protocol initiator, yes. If the receiver is the protocol initiator (which is unusual, but possible if the receiver is polling for messages), then I think it only requires one round-trip.

> This problem can be somewhat mitigated by caching shared
> secrets for a moderate period.

Yes.

-- 
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
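Added worked example (not part of the thread, and not code from any of the participants). It models the three message shapes discussed above: static Diffie-Hellman, a half-round Encrypt-then-Sign message, and the one-and-a-half-round variant in which the recipient contributes a transient secret. It then plays a "retroactive" attacker who holds the public transcript plus one leaked long-term private key and tries every DH computation those give access to. Assumptions: a toy 127-bit group with generator 3, SHA-256 in counter mode plus HMAC as a stand-in for the symmetric layer, a Schnorr-style signature as the stand-in for "sign", and ephemeral-static DH as the stand-in for "encrypt to the recipient's public key". None of these parameters are secure; the point is only which leaked key lets the attacker recover which past message. The Ian Brown / Adam Back suggestion is not modelled.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, demo only): Mersenne prime modulus, generator 3.
P = 2**127 - 1
G = 3
N = P - 1          # exponent modulus for the Schnorr-style signature


def i2b(n):
    return n.to_bytes(16, "big")


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def dh(pub, priv):
    return pow(pub, priv, P)


def stream_xor(key, data):
    # SHA-256 in counter mode as a stand-in stream cipher (demo only).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(shared, plaintext):
    enc_key = hashlib.sha256(b"enc" + i2b(shared)).digest()
    mac_key = hashlib.sha256(b"mac" + i2b(shared)).digest()
    ct = stream_xor(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, "sha256").digest()


def unseal(shared, sealed):
    # Returns None unless the MAC under this shared secret verifies, so the
    # attacker below cannot "succeed" by guessing a wrong DH value.
    enc_key = hashlib.sha256(b"enc" + i2b(shared)).digest()
    mac_key = hashlib.sha256(b"mac" + i2b(shared)).digest()
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()):
        return None
    return stream_xor(enc_key, ct)


def sign(x, msg):
    # Schnorr-style: g^s == r * y^e (mod P) with e = H(r || msg).
    k = secrets.randbelow(N - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(i2b(r) + msg).digest(), "big") % N
    return r, (k + e * x) % N


def verify(y, msg, sig):
    r, s = sig
    e = int.from_bytes(hashlib.sha256(i2b(r) + msg).digest(), "big") % N
    return pow(G, s, P) == (r * pow(y, e, P)) % P


def static_dh(a, A, b, B, msg):
    # Both sides use only long-term keys; the shared secret is g^(ab).
    sealed = seal(dh(B, a), msg)
    got = unseal(dh(A, b), sealed)
    return {"A": A, "B": B}, sealed, got


def encrypt_then_sign(x, X, b, B, msg):
    # Half round: sender's per-message ephemeral u encrypts to the recipient's
    # static key B, then the sender signs with its static signing key x.
    u, U = keygen()
    sealed = seal(dh(B, u), msg)
    sig = sign(x, i2b(U) + sealed)
    got = unseal(dh(U, b), sealed) if verify(X, i2b(U) + sealed, sig) else None
    return {"X": X, "B": B, "U": U}, sealed, got      # u is discarded by the sender


def ephemeral_then_sign(x, X, b, B, msg):
    # One and a half rounds: the recipient first supplies a transient V (a real
    # protocol would authenticate V under B; omitted here), the sender encrypts
    # under g^(uv) and signs. Both ephemerals are discarded afterwards.
    v, V = keygen()
    u, U = keygen()
    sealed = seal(dh(V, u), msg)
    sig = sign(x, i2b(U) + i2b(V) + sealed)
    ok = verify(X, i2b(U) + i2b(V) + sealed, sig)
    got = unseal(dh(U, v), sealed) if ok else None
    return {"X": X, "B": B, "U": U, "V": V}, sealed, got


def retro_decrypt(transcript, sealed, leaked):
    # Attacker holds the public transcript and a leaked long-term scalar and
    # tries every DH value it can form from them.
    for d in leaked.values():
        for pub in transcript.values():
            pt = unseal(dh(pub, d), sealed)
            if pt is not None:
                return pt
    return None


def run():
    a, A = keygen()   # Alice's static DH key
    b, B = keygen()   # Bob's static decryption key
    x, X = keygen()   # Alice's static signing key
    msg = b"attack at dawn"   # constructed sample plaintext
    cases = [
        ("static DH", lambda: static_dh(a, A, b, B, msg), {"a": a, "b": b}),
        ("encrypt-then-sign", lambda: encrypt_then_sign(x, X, b, B, msg), {"x": x, "b": b}),
        ("recipient ephemeral", lambda: ephemeral_then_sign(x, X, b, B, msg), {"x": x, "b": b}),
    ]
    results = {}
    for name, proto, leaks in cases:
        transcript, sealed, got = proto()
        assert got == msg, "honest recipient must decrypt"
        results[name] = {k: retro_decrypt(transcript, sealed, {k: d}) == msg
                         for k, d in leaks.items()}
    return results


if __name__ == "__main__":
    for name, outcome in run().items():
        print(f"{name}: {outcome}")
```

Running it gives, per protocol, which leaked long-term key lets the attacker read the old message: static DH falls to either party's key; Encrypt-then-Sign falls only to the recipient's decryption key b and not to the sender's signing key x; the variant with a recipient-side transient secret falls to neither, which is the forward-secrecy property the extra half round buys.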
